[SecurityRatty] tag: shadowserver

IT Security In The News: DLP, Zombies And Busted Myths

Wed, 10 Sep 2008 14:26:58 +0000

Zombie Jamboree Are you 'fraid of zombies? You should be! According to the Shadowserver Foundation, which tracks zombie numbers worldwide, in the last three months a plague has broken out - a thre...

Come! Join our BotNet Human!

Thu, 04 Sep 2008 10:46:38 +0000

Just in time for the Holiday season.
Its driving me Botty!

clipped from www.vnunet.com

Dramatic rise in botnet-controlled PCs

Recent
figures recorded by the Shadowserver Foundation reveal that the number of
computers infected by botnets has quadrupled in the past 90 days.

The Number Of Infected Machines In Botnets Quadrupled In Last 3 Months

Tue, 02 Sep 2008 18:49:12 +0000

According to Shadowserver Foundation, the number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear [...]

Cyberattack Against Georgia Preceded Real Attack

Mon, 18 Aug 2008 09:11:09 +0000

This is interesting:

Exactly who was behind the cyberattack is not known. The Georgian government blamed Russia for the attacks, but the Russian government said it was not involved. In the end, Georgia, with a population of just 4.6 million and a relative latecomer to the Internet, saw little effect beyond inaccessibility to many of its government Web sites, which limited the government's ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia.
[...]

In Georgia, media, communications and transportation companies were also attacked, according to security researchers. Shadowserver saw the attack against Georgia spread to computers throughout the government after Russian troops entered the Georgian province of South Ossetia. The National Bank of Georgia's Web site was defaced at one point. Images of 20th-century dictators as well as an image of Georgia's president, Mr. Saakashvili, were placed on the site. "Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically," said Gadi Evron, an Israeli network security expert. "The nature of what's going on isn't clear," he said.

[...]

In addition to D.D.O.S. attacks that crippled Georgia's limited Internet infrastructure, researchers said there was evidence of redirection of Internet traffic through Russian telecommunications firms beginning last weekend. The attacks continued on Tuesday, controlled by software programs that were located in hosting centers controlled by a Russian telecommunications firms. A Russian-language Web site, stopgeorgia.ru, also continued to operate and offer software for download used for D.D.O.S. attacks.

Welcome to 21st century warfare.

"It costs about 4 cents per machine," Mr. Woodcock said. "You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to."

Website For The President Of Georgia Under Distributed Denial Of Service Attack

Sun, 20 Jul 2008 18:08:02 +0000

Steven Adair from Shadowserver reports a multi-pronged distributed denial of service (DDoS) attack against the website of President of Georgia, Mikhail Saakashvili (www.president.gov.ge). For over 24 hours the website has been rendered unavailable. The attack began very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking [...]

Malware Domains Used in the SQL Injection Attacks

Thu, 22 May 2008 04:49:38 +0000

Whereas the value of these malicious domains lies in the historical preservation of evidence, as long as hundreds of thousands of sites continue operating with outdated and unpatched web applications, the list is prone to grow on a daily basis, thanks to copycats and the Asprox botnet. The Shadowserver Foundation's list of malicious domains used in the SQL injection attacks :

nihaorr1.com
free.hostpinoy.info
xprmn4u.info
nmidahena.com
winzipices.cn
sb.5252.ws
aspder.com
11910.net
bbs.jueduizuan.com
bluell.cn
2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
414151.com
cc.18dd.net
kisswow.com.cn
urkb.net
c.uc8010.com
rnmb.net
ririwow.cn
killwow1.cn
qiqigm.com
wowgm1.cn
wowyeye.cn
9i5t.cn
computershello.cn
z008.net
b15.3322.org
direct84.com
caocaowow.cn
qiuxuegm.com
firestnamestea.cn
qiqi111.cn
banner82.com s
meisp.cn
okey123.cn
b.kaobt.cn
nihao112.com
al.99.vc
aidushu.net
chliyi.com
free.edivid.info
52-o.cn
actualization.cn
d39.6600.org
h28.8800.org
ucmal.com
t.uc8010.com
dota11.cn
bc0.cn
adword71.com
killpp.cn
w11.6600.org
usuc.us
msshamof.com
newasp.com.cn
wowgm2.cn
mm.jsjwh.com.cn
17ge.cn
adword72.com
117275.cn
vb008.cn
wow112.cn
nihaoel3.com

Some new additions that I'm tracking :

a.13175.com
r.you30.cn
d39.6600.org
001yl.com
free.edivid.info
aaa.1l1l1l.Com/error/404.html
cc.buhaoyishi.com/one/hao5.htm?015
aaa.77xxmm.cn/new858.htm?075
llSging.com/ww/new05.htm?075
shIjIedIyI.net/one/hao8.htm?005
congtouzaIlaI.net/one/hao8.htm?005
aa.llsging.com/ww/new05.hTm?075

The rough number of SQL injected sites is around 1.5 million pages, in reality the number is much bigger, and there are several ongoing campaigns injecting obfuscated characters making it a bit more time consuming to track down. Who's behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today's SQL injectors have a built-in reconnaissance capabilities, like this one which I assessed in a previous post.