[SecurityRatty] tag: zombies

IT Security In The News: DLP, Zombies And Busted Myths

Wed, 10 Sep 2008 14:26:58 +0000

Zombie Jamboree Are you 'fraid of zombies? You should be! According to the Shadowserver Foundation, which tracks zombie numbers worldwide, in the last three months a plague has broken out - a thre...

Obama, Al Qaeda recruit for Rustock

Thu, 24 Jul 2008 20:00:00 +0000

Barack Obama has left the presidential campaign trail and joined George W Bush, Al Qaeda and Microsoft to recruit zombies for the world's second largest botnet, Rustock.

Baby Bubba Finds A New Mummy: A Zombie Children's Book

Tue, 22 Jul 2008 19:53:37 +0000

Ok, this one is not security related, but those of you who know me know I have a thing for zombie movies. See my LAN Of The Dead article on computer zombies to see what I mean. Pascalle Ballard and I started to work on our own children's book, with a baby zombie as the lead character. Follow the link, I hope you will enjoy it.

Baby Bubba Finds A New Mummy: A Zombie Children's Book

Tue, 22 Jul 2008 19:53:37 +0000

Baby Bubba Finds A New Mummy: A Zombie Children's Book

Tue, 22 Jul 2008 19:53:37 +0000

Engate sniffs bots with new mail rules

Wed, 02 Jul 2008 20:00:00 +0000

ISPs and large enterprises are being offered a novel way to stop spam that goes beyond the mere filtering of e-mail messages - detect and block the botnet zombies that generate much of the problem in the first place.

Wednesday Zombie PostNerd Zombies

Wed, 21 May 2008 13:49:02 +0000

Fantastic cartoon strip and maybe a future movie at zombiesdontrun.com.

“If vulcans are driven solely by logic, how come T’Pol has a boob job?”

Bookmark to:

Phishing Emails Generating Botnet Scaling

Fri, 18 Apr 2008 10:57:30 +0000

A bigger and much more detailed picture is starting to emerge, with yet another spammed malware campaign courtesy of the botnet that is so far responsible for a massive flood of fake Windows updates, phishing emails targeting the usual diverse set of brands, fake yahoo greeting cards, and most recently delivering "executable news items", through Backdoor.Agent.AJU malware infected hosts.

Within the first five minutes, thirty three (33) phishing emails attempted to be delivered out of a sample infected host, all of them targeting NatWest or The National Westminster Bank Plc. Here are some samples, that of course never made it out to their recipient :

- Sender Address: "NatWest Internet Banking '2008"

to Recipient: <@fs1.ge.man.ac.uk>Subject: Natwest Bank Bankline: Confirm Your Login Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D19ecygtKZDzrozrznhOzn These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "NatWest Bank On-line Banking'2008"

to Recipient: <@bbc.co.uk> Subject: Natwest OnLine Banking Important Notice From Technical Department Id: 9044 Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D15urOBFDffkOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "Natwest Bank Internet Banking Support"

to Recipient: <@yahoo.co.uk> Subject: NatWest Private and Corporate: Confirm Your Login Password Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D24ecyuczfscwzbDtcwhhOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved.

- Sender Address: "Natwest Private and Corporate Support"

to Recipient: <@yahoo.co.uk> Subject: Natwest Bankline Internet Banking Important: Submit Your Records id: 1191 Email Content: //pool32-nwolb20.com/customerupdate?cid=3D27kwszewcenzdFECKDtcwhhOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

- Sender Address: "Natwest Private and Corporate Support" to Recipient: <@56bridgwater.fsnet.co.uk> Subject: Natwest Internet Banking: Please Update Your Internet Banking Details Email Content: //pool32-nwolb20.com/customerupdate?cid=3D37kwszewcnnhrrDRCfszlaucndsOoerdnOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

What is making an impression besides the malicious economies of scale achieved on behalf of the malware infected hosts used for sending, and as we've already seen, hosting and phishing pages and the malware itslef? It's the campaing's targeted nature in respect to the segmented emails database used for achieving a better response rate. The National Westminster Bank Plcis a U.K bank, and 10 out of 15 email recepient are of U.K citizens, the rest are targeting Italian users. Malware variants signal their presence to 66.199.241.98/forum.php and try to obtain campaigns to participate in, this is a sample detection rate for the latest fake news items one, and more details on the domains and nameservers used in the latest campaign :

news_report-pdf_content.exe

Scanners result : 14/31 (45.17%)

Backdoor.Win32.Agent.gvk; Backdoor:Win32/Agent.ACG

File size: 45056 bytes

MD5...: c4849207a94d1db4a0211f88e84b0b59

SHA1..: 32ef2a074d563370f46738565ecf9bb53c75909c

SHA256: 12a124cc2352f3ef68ddf06e0ed111c617d95cffd807dc502ae474960a60411c

An internal nameservers ecosystem within the botnet, active and resolving :

ns1.ns4.ns2.ns3.id759.com

ns3.ns1.id759.com

ns1.ns2.ns1.ns4.ns2.ns3.id759.com

ns1.ns2.ns3.id759.com

ns1.ns2.ns4.id759.com

ns1.ns4.ns4.ns2.ns3.id759.com

ns2.id759.com

ns2.ns1.ns2.ns3.id759.com

ns2.ns1.ns2.ns4.id759.com

ns3.ns2.ns1.ns2.ns3.id759.com

ns4.ns1.ns1.ns2.ns3.id759.com

Yet another internal nameservers ecosystem within the botnet :

ns1.serial43.in

ns2.serial43.in

ns3.serial43.in

ns4.serial43.in

ns1.ns1.ns1.serial43.in

ns1.ns2.ns1.ns1.serial43.in

ns1.ns2.ns2.serial43.in

ns1.ns4.ns1.ns1.serial43.in

ns2.ns1.ns2.serial43.in

ns2.ns1.ns4.ns1.ns1.serial43.in

ns2.ns2.ns1.ns1.serial43.in

To sum up - these are all of the domains currently active and used for the malware/spam/phishing campaigns on behalf of this botnet :

server52.org

set45.net

site83.net

sid95.com

shell54.com

siteid64.com

setup36.com

share73.com

service28.biz

There are several scenarious related to this particular botnet. Despite that it's the same piece of malware that's successfully adding new zombies to the infected population, the diversity of the campaigns, as well as the fact that for instance share73.com is registered by casta4000 @ mail.ru and is into the "reklama uslug" business which translates to advertising services, in this case spam and phishing emails sending on demand, access to the botnet could be either offered on demand, or the service itself performed in a typical managed spamming appliance outsourced business model. Are they also vertically integrating in respect to the fast-fluxing? Yes they are, since they're achieving it without the need to hire a managed fast-flux provider, which isn't excluding the possibility that they aren't in fact one themselves, as it's evident they've got the capability to become one.

Romanian Script Kiddies and the Screensavers Botnet

Mon, 07 Apr 2008 23:48:40 +0000

Shall we turn into zombies, and peek into the modest botnet courtesy of Romanian script kiddies, that are currently spamming postcard.scr greeting cards? Meet the script kiddies. This botnet is going nowhere mostly because knowing how to compile an IRC bot doesn't necessarily mean you posses a certain know-how, a know-how that experienced botnet masters have been outsourcing for years. Malware is obtained through links pointing to :

xhost.ro/filehost/phrame.php?action=saveDownload&fileId=15735
xhost.ro/filehost/phrame.php?action=editDownload&fileId=12923
xhost.ro/filehost/phrame.php?action=saveDownload&fileId=3656
xhost.ro/filehost/phrame.php?action=editDownload&fileId=10936

Scanners result : Result: 22/32 (68.75%)
Trojan.Zapchas.F; IRC/BackDoor.Flood; Backdoor.IRC.Zapchast
File size: 735139 bytes
MD5...: 015e5826084f2302b4b2c3237a62e244
SHA1..: 7d05949f6dfffdc58033c9d8b86210a9bd34897c

Sample traffic output :
"NICK Mq2kC01
USER las "" "pic.kauko.lt" :Px7aW6
USER las "" "Helsinki.FI.EU.Undernet.org" :Px7aW6
USERHOST Mq2kC01
NICK :Rk1zK50
AWAY :Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
MODE Mq2kC01 +i
ISON loverboy loveru SirDulce
JOIN #madarfakar
USER kzg "" "Helsinki.FI.EU.Undernet.org" :Ho5xI1
NICK :Vm3uF52
MODE Mq2kC01 +wx"

And in next couple of hours, the most interesting domain that joined the IRC channel was :

Ny2fW15 is fwuser@mails.legislature.maine.gov * Kg1jT7
Ny2fW15 on #madarfakar
Ny2fW15 using Noteam.Vs.undernet.org I'm too lazy to edit ircd.conf
Ny2fW15 is away: Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
Ny2fW15 has been idle 1min 31secs, signed on Fri Apr 04 12:05:17
Ny2fW15 End of /WHOIS list.

This botnet's futile attempt to scale is a great example of the growing importance of knowlege and experience empowered botnet masters, as a key success factor for sustainability, and also, basic understanding of economic forces, namely, when they're not making an investment there cannot be a return on investment on their efforts at the first place. Take a peek at the efficiency level of remote file inclusion achieved by another botnet, and at alternative botnet C&C channels courtesy of botnet masters realizing that diversity is vital.

How to Survive a Zombie Apocalypse

Thu, 03 Apr 2008 00:30:00 +0000

What happens when zombies try to take over the world? Here's what you should know.