There are two well-known groups that both use the name Dorkbot, one being a great group of organizations that sponsor grassroots meetings of artists, engineers, designers, scientists, inventors, and anyone else working under the very broad term ‘electronic art’. The other one is part of the dark side and it is, or rather was, a large bot network of worms that spread through instant messaging, USB drives, websites, and social media sites.
The Dorkbot network has been watched since 2011 and had over a million systems infected with 80,000 to 120,000 more each month according to Microsoft. But now the law enforcement agencies around the world have put a stop to it thanks to the FBI, European Cybercrime Center, and the Interpol Digital Crime Center while being assisted by Microsoft in tracking down the control servers.
The network was stealing pretty much anything it could get it hands on such as Facebook and Gmail credentials, Netflix accounts, but also PayPal and other payment credentials. This is just the latest in many botnets that have been cracked lately and it is nice to see the officials doing something about this nuisance of hackers that plague the internet. At the same time, senates and legislators are trying to push for harder penalties for operators and users of botnets.
At the time of writing, there was no news whether they had any leads on who was behind the network and controlling it or whether they just managed to take down the network itself.
It’s not exactly news that security cameras can be hacked, but turning a bunch of them into a botnet using malware is not exactly a regular occurrence. However, that’s exactly what has happened with about 900 Linux-based CCTV cameras, which were then used to attack an unnamed “large cloud service” that is being used by millions. It looks like the people responsible for this managed to break into cameras from several brands, all of which had weak out-of-the-box security measures.
The attack itself was actually a “regular” denial of service act, which could have been prevented without too much effort. Even though security cameras are meant to make us feel more “secure”, they can actually be used by hackers to spy on us or perform attacks on important online services. I think that several companies should definitely step up their game in order to prevent their products from being compromised. However, customers should also make an effort to buy only cameras that come with adequate protection, as hackers and malware are not going away anytime soon. Securing these products would most likely be costly for manufacturers, but their brand names would gain a substantial boost in trust and popularity as a result.
What do you think about closed-circuit security cameras and their vulnerabilities?
Malware. That one word which seems to inspire fear and dread in everybody who hears it, even more so when you’ve experienced it first hand on one of your many devices. Malicious Software, or Malware for short, is often used by people to spread itself over the internet or even WiFi in the hopes of creating openings for other malicious software, from a program that can redirect you when you go on the internet to one that encrypts your hard drive until you pay hundreds of pounds so that (if they are true to their word) they will release your files. The world has changed since those dark days, there is a new piece of software in the world; Wifatch is here.
Wifatch was found in late 2015 by Symantec and focuses on the bugs and security issues normally involved in routers (a piece of hardware we all use but rarely update). This malware doesn’t just infect your router and use it to spread to others, it closes off potentially dangerous loopholes and bugs on your router. That’s right, this malware, a piece of software that by its very nature breaches your security and trust, is trying to help stop you from being affected by … malware?
Not only does it block common points of danger for routers but it also tries to disinfect infected systems, even going so far as to reboot systems in the hopes of stopping any malware that is currently running.
The developer even left a funny message in its source code for those brave enough to browse it.
Is this the kind of software that we need? What do you think about this vigilante malware?
Hola, the peer-to-peer (P2P) VPN provider, was recently accused of allowing its customers’ network to be used to form botnets to launch malicious cyber-attacks. A group of researchers, under the banner Adios, discovered that up to 47 million people could have been inadvertently providing hackers with enough bandwidth to launch massive DDoS attacks. Now, Hola’s CEO Ofer Vilenski has spoken out about the controversy, insisting that accusations of negligence against the company are unfair, denying that its customers form part of a botnet, and that its policy for sharing user bandwidth through P2P was transparent from the start.
“There have been some terrible accusations against Hola which we feel are unjustified,” Vilenski said in a post on Hola’s website. He went on to explain what he calls the “three issues” regarding the allegations:
1. Hola is about sharing resources
We assumed that by stating that Hola is a P2P network, it was clear that people were sharing their bandwidth with the community network in return for their free service. After all, people have been doing that for years with services like Skype. It was not clear to all our users, and we want it to be completely clear.
We have changed our site and product installation flows to make it crystal clear that Hola is P2P, and that you are sharing your resources with others. This information is now “in your face” – and no longer appears only in the FAQ.
2. Does Hola make you part of a botnet?
No! Hola makes its money by selling its VPN service to businesses for legitimate commercial purposes, such as brand monitoring (checking the prices of their products in various stores), self test (checking how their corporate site looks from multiple countries), anti ad fraud (ensuring that the adverts are not inserted enroute to use), etc.
There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation). The reality is that we have a record of the real identification and traffic of the Luminati [Hola’s commercial name] users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals – as opposed to Tor for example, which provides them complete anonymity for free.
Last week a spammer used Luminati by posing as a corporation. He passed through our filters and was able to take advantage of our network. We analyzed the incident, and built the necessary measures in our processes to ensure that such incidents do not occur, and deactivated his service. We will cooperate with any investigation of the incident to ensure that he will be punished to the fullest extent.
3. Vulnerability of the Hola client
Part of the growing pains of creating a new service can be vulnerability to attack. It has happened to everyone (Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft…), and now, to Hola. Two vulnerabilities were found in our product this past week. This means that there was a risk of a hacker being able to operate remote code on some devices that Hola is installed on. The hackers who identified these issues did their job, and we did our job by fixing them. In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community. We are now undergoing an internal security review, as well as an external audit we have committed to with one of the big 4 auditing companies’ cyber auditing team.
Haven’t yet changed your router username and password from “admin/admin”? If so, then your router could be part of a massive botnet, possibly run by members of Anonymous, according to cybersecurity experts Incapsula.
The network of hacked routers discovered by Incapsula are mostly located in the US, Brazil, and Thailand – but could affect any router in the world – and were infected by a number of different malware builds that built a botnet responsible for multiple DDoS attacks during December 2014.
Incapsula found that a great number of the hijacked routers were reporting back to AnonOps.com, a site owned and visited by Anonymous activists, “indicating that Anonymous is one of the groups responsible for exploiting these under-protected devices,” according to the report.
The affected “units are remotely accessible via HTTP and SSH on their default ports,” the report continues. “On top of that, nearly all are configured with vendor-provided default login credentials.”
“For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective. Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.”
The botnet, similar to the one used by Lizard Squad for bespoke DDoS attacks since Christmas, used the MrBrick Trojan to insert as-yet-unidentified malware into the affected routers.
Sidma has been around for the past 6 months, causing pain to PC owners across the world. It infected 128,000 computers each month – a phenomenal rate for a botnet. The bot changed into a new undetectable form every few hours; making it almost impossible to detect with standard antivirus products.It controlled more than 777,000 computers across 190 countries, stealing people’s bank credentials and creating more backdoors to install other malware.
The creators used a variety of methods and utilities to infect targets across the internet. It made use of known vulnerabilities in software including Java, Adobe Flash and Silverlight. The exploits were coded into websites by injecting the code via even more vulnerabilities in their SQL software. Another method called Social Engineering was used, mainly in the form of Spam e-mails.
The US had the most infected machines with around 22% of the botnets infections, closely followed by the UK. Turkey with 5% and Canada and Russia with 4% of the infections.
The bot was surprisingly simple in terms of how it worked. The bot used the computer host file to change where the internet traffic of the infected device went. Normal websites such as Facebook, Google and Twitter’s traffic was being re-directed to servers under control of the hackers. In most cases the infected file remained after antivirus software had removed the infection; this meant that the hackers could still see information being sent to their servers.
The final blow against the creators of the botnet was when the Interpol Global Complex for Innovation co-ordinated based in Singapore. It involved the FBI, Dutch National High Tech Crime Unit and the Russian Ministry of the interiors crime department. The take down happened all over the globe last Thursday and Friday, resulting in 14 control servers being seized.
If you want to check if you have been infected by the Simda botnet then Kaspersky have a site available here to check.
The U.S. Department of Justice and the Department of State’s Transnational Organized Crime Rewards Program is offering a $3 million reward for information that leads to the arrest or conviction of Evgeniy Mikhailovich Bogachev, the man suspected of being the administrator of the devastating peer-to-peer botnet Gameover ZeuS.
The Gameover ZeuS botnet target banks and other financial establishments, infecting over 1 million computers and stealing more than $100 million. The DOJ managed to disrupt Gameover ZeuS last Summer.
Bogachev has made it to the FBI’s Cyber Most Wanted List and is thought to be still living in his Russian homeland. The DOJ suspect Bogachev of being the leader of a “tightly knit gang” of Russian cybercriminals, developing and operating the Gameover ZeuS and Cryptolocker malwares.
Assistant Attorney General Leslie Caldwell said, “One significant part of the puzzle remains incomplete, as Bogachev remains at large. Although we were able to significantly disrupt the Gameover Zeus and Cryptolocker criminal enterprise, we have not yet brought Bogachev himself to justice.”
Brian Krebs, an online security blogger, has found how hacker group Lizard Squad managed to amass the trafficking power to take down Xbox Live and PlayStation Network over Christmas, and the answer lies very close to home.
Krebs’ investigation – outlined on his blog, KrebsOnSecurity – led him to discover that Lizard Squad had used a recently discovered malware variant to take control of thousands of home routers. Together, the routers formed a botnet that was used to direct a high volume of junk internet traffic toward Xbox Live and PSN, putting them under so much stress that they collapsed, unable to cope.
Though Krebs asserts that the majority of Lizard Squad’s botnet hosts home routers, he claims that a significant number of commercial routers, used by companies, schools, and universities, had been compromised.
The times where Mac users were relatively safe from malicious attacks is long gone. As we all know, no system is secure and everything can be broken, it’s just a matter it being worth the effort. With the ever-growing number of people using Macs and the amount who still believe the old wives’ tale that Macs are safe, this is an obvious target.
The Russian security company Dr.Web has discovered a large and previous unknown botnet composed out of Mac OS X machines. The criminals are taking advantage of a security flaw in the system and effectively gain full control over the target system. From here the malware can attempt to infect more systems or carry out any other command sent by the botnet owners.
One of the interesting things about this piece of malware is that it communicates with its control servers via Reddit. It uses the search function to find comments left the criminals in a Minecraft discussion section, and it’s from there the network will get its commands.
The good news is, you can defend yourself against this. Dr.Web have already added the Mac.BackDoor.iWorm to their database and other security software creators are sure to follow soon. Botnets like these can do a lot of things, where the most common are to send out spam mails and run denial of service attacks. The second part of the good news is that it doesn’t look like the network is being used in any ongoing attacks. But that is of course a thing that could change at any time.
The main part of the infected systems are located in North America, but that isn’t really surprising. This is where the most systems are located, but the botnet is however worldwide and counted over 17.500 infected machines as of last Friday. This is a great reminder to everyone to run security software. It doesn’t matter if you’re using a mobile device or a PC running Mac OS, Linux/Unix or Windows. Everyone can be a target.
Thank you Dr.Web for providing us with these information
Security firm Trend Micro has apparently revealed new evidence of botnets and malware not only being hosted in the cloud, but also being remotely controlled from cloud servers. The main goal for hackers has been revealed to be disguising their malicious software as regular traffic between corporate end points and cloud services.
Trend Micro has revealed in a blog post a case where hackers were using DropBox in order to host the command and control instructions for malware and botnets, which eventually made it past corporate firewalls. While the news is not new, the cloud has apparently increased in popularity as well as security risk. In the past, small files needed to be controlled by a command and control (C&C) system, which was usually hosted by hackers or placed on servers easily identified as suspicious.
With cloud-based systems however, hackers can now place the C&C on cloud servers and communicate with the botnets and malware like ‘normal traffic’, making it harder to be identified. The company has emphasized that any cloud-based solution can eventually be used as a host for C&C software. Companies not using any type of cloud-based solution but receive traffic spikes from any of them have some type of warning and are encouraged to investigate the activity.
However, this does not mean that every company using cloud-based solutions is now infected. Trend Micro has just shed some light on how hackers are able to and could try infecting corporate systems using the technique described above. A good counter-technique for security specialists in order to prevent such hacking practices is to closely monitor all traffic between end-point users and cloud-based solution, marking anomalies and suspicious activities as threat until otherwise proven to be ‘safe’.
A new DDoS Botnet has the ability to infect both Microsoft Windows along with Linux-based systems, according to the Poland Computer Emergency Response Team (CERT). Unlike many cyber-based attacks, this botnet is only interested in launching DDoS attacks to knock certain servers and websites offline.
The Linux-based botnet reportedly handles dropping servers, while the Windows-based botnet easily hijacked consumer PCs. “Most servers that are injected with these various scripts are then used for a variety of tasks, including DDoS, vulnerability scanning, and exploiting,” according to security expert Andre Dimino, in a blog post. “The mining of virtual currency is now often seen running in the background during the attacker’s ‘downtime.'”
Seeing DDoS attacks to turn zombie PCs into an effective botnet isn’t Earth-shattering news, but this cross-platform attack is relatively unique. As bitcoin mining and launching attacks to impact certain companies is easily done when using unsuspecting machines.
Reports suggest that a Russian Botnet has managed to infiltrate and flood the Tor network. The number of Tor users has been slowly rising as people look to protect themselves from government surveillance and take more consideration for their own privacy but an increase of over 2 million users in less than a month is looking very strange. Apparently the reason for this is that most of these 2 million new users are nodes in a Russian Botnet. The Botnet apparently isn’t new either and is switching to Tor for communication with its command and control centre to make the location of the central servers much more difficult to discover.
Why would it want to hide its central servers? Well the Russian Botnet is probably actively involved in cyber crime of some nature – clickfraud, stealing bank account details, server ransomware and the like. By shielding and protecting the location of its central servers it makes it difficult for any police services to locate them and shut them down. Whether it is possible for the Tor network to be over-loaded with these Botnet nodes is another matter. I am sure we will find out in the coming weeks what the consequences of it are.
It has been reporting by hosting companies like HostGator and even CDN service ‘CloudFlare’ that there are unknown people behind highly distributed global attacks via brute force attempts using more than 90,000 IP addressing trying to crack in websites using content management software WordPress’s default or commonly used administrative credentials.
One of the hosting companies that have put up a warning about such attacks have warned that attackers are planning to build botnets using infected computers, even said that it will be stronger and more destructive than the attacks been done till now.
Matthew Prince, CEO of CloudFlare said in the company’s blog,”These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”
CloudFlare even added that the brute force botnet forces itself through the administrative login port of the WordPress powered website using names such as ‘admin’ and commonly used passwords. Attacks originate from thousands of IP addresses. Hostgator till now found more than 900,000 IP addresses being used to such a high scale brute force attack.
Even during October last year, six of the largest U.S. banks had their web servers compromised as they’ve been attacked by having their sites flooded with above average web traffic hits. It was then identified that the botnet ‘itsoknoproblembro’ and ‘Brobot’ have been using.