Posts Tagged ‘command-and-control servers’

Tuesday, January 14, 2014 @ 06:01 PM gHale

It wasn’t that long ago when the Flashback Trojan infected over 600,000 Macs, and even now there are at least 22,000 infected devices out there, researchers said.

Researchers found 14,248 unique identifiers of the latest version of the threat designed to allow attackers to steal information from infected devices, said officials at security firm Intego.

Apple has taken some steps to disrupt the Flashback botnet, including the release of a malware removal tool and the shutdown of the domains utilized by the malware.

Intego owns some of the command and control (C&C) servers used by the Trojan. The security firm said it spotted connections from infected devices trying to contact the sinkhole servers.

As most security professionals will say, you might disrupt a botnet, but you can never say for sure it is gone. For the time being, Apple and security outfits are closely monitoring the servers, so it is difficult to revive the botnet. However, experts said the malware author could buy the C&C domain names in the future.

Furthermore, if at one point no one is supervising them, the domains could fall into the hands of other cybercriminals.

Tuesday, December 17, 2013 @ 06:12 PM gHale

A mobile botnet is so big it apparently has been used in at least 64 spyware campaigns, researchers said.

The MisoSMS malware (Android.Spyware.MisoSMS) that powers the botnet is able to steal text messages and send them back via email to command and control (C&C) servers located in China, said researchers at FireEye. The attackers have used over 450 unique email accounts.

Most of the devices infected with MisoSMS are in Korea. The attackers log in to the C&C servers that store the information from a number of locations, including Korea and mainland China.

FireEye has been collaborating with Korean law enforcement authorities and Web mail vendors from China in an effort to disrupt the threat’s C&C infrastructure.

All of the 450 email accounts spotted by researchers ended up deactivated. The good news is the attackers don’t seem to have attempted to register new ones. FireEye said it continues to monitor the evolution of the operation.

The MisoSMS malware goes out as an application called Google Vx. During installation, it requests administrative privileges to ensure it can hide its presence.

After the malware installs on an Android device, the victim sees an error message saying the file is damaged and cannot run. It may therefore appear to the victim that nothing was installed on the device.

Once MisoSMS infects a device, it launches three services in the background. One of them is MisoService, from which the threat gets its name. The other two are RollService and BaseService. Each of them is responsible for certain tasks.

Monday, July 22, 2013 @ 12:07 PM gHale

New variants of the PE_EXPIRO family are out; they are still file infectors, but they now also carry information-stealing components.

The attacks involving EXPIRO malware start with users being lured to websites that host an exploit kit, said researchers at Trend Micro.

The exploit kit leverages Java and PDF vulnerabilities to push the main file infector (PE_EXPIRO.JX-O).

Once the infector installs on a computer, it infects the .exe files found in all the available drives.

Then, it starts stealing system and user information, including the Windows product ID, user login credentials, and FTP credentials stored by the open source client FileZilla. The stolen information is then uploaded to command and control servers.

So far, 70 percent of the infections have been in the United States. Researchers at Trend Micro said the cybercriminals might be trying to steal information from organizations.

The stolen FTP credentials could also be used to compromise websites.

“The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools,” researchers said.

Wednesday, May 29, 2013 @ 01:05 PM gHale

Patches, as mentioned countless times, should be applied, or there could be consequences down the road.

Take Ruby on Rails as a case in point. A five-month-old security patch would secure the Web development framework, yet exploit code for CVE-2013-0156 has surfaced and is now being used to build a botnet of compromised servers.

Exploit code has been publicly available on GitHub and in Metasploit since the vulnerability was disclosed in January, yet it had not been exploited on a large scale until now, said security researcher Jeff Jarmoc.

“I don’t have much evidence as to what the actor may be doing with their compromised machines,” Jarmoc said.

Jarmoc said he found three command and control servers, all of which are down at the moment. The domains previously hosted Trojans and other malware targeting compromised machines.

The exploits set up an IRC chat relay bot that connects to 188[.]190[.]124[.]81 and joins a channel called #rails. The code will execute only once on an infected host.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc wrote on his blog. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”
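The unauthenticated IRC bot described above is easy to spot on the wire if an organization knows which of its hosts should never speak IRC. The following is an added detection example written for this page, not code from Jarmoc's write-up; it runs a few simple rules over constructed outbound connection records (the sample records, the IRC port list and the server-role inventory are assumptions; the channel name and server address are the indicators reported above).

```python
import re
from collections import defaultdict

# Constructed sample of outbound connection records, one per line:
# "src_ip dst_ip dst_port first_payload_line" (not real traffic).
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.9 6667 NICK rails-7f3a
10.0.0.5 203.0.113.9 6667 USER rails 0 * :rails
10.0.0.5 203.0.113.9 6667 JOIN #rails
10.0.0.7 198.51.100.20 443 GET /index.html HTTP/1.1
10.0.0.8 203.0.113.9 6667 JOIN #ops
10.0.0.9 188.190.124.81 6667 NICK x91
"""

# Common IRC ports (assumption: the bot may also use a non-standard port,
# so the payload is checked for IRC commands as well).
IRC_PORTS = {6667, 6668, 6669, 6697}
# Indicators from the write-up: the channel the bot joins and the server it contacts.
WATCHED_CHANNELS = {"#rails"}
KNOWN_C2_HOSTS = {"188.190.124.81"}
# Assumed asset inventory: application servers that have no business speaking IRC.
SERVER_ROLE_HOSTS = {"10.0.0.5", "10.0.0.8", "10.0.0.9"}

JOIN_RE = re.compile(r"^JOIN\s+(#[^\s,]+)", re.IGNORECASE)
IRC_CMD_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b", re.IGNORECASE)


def parse_flow(line):
    """Split one record into its four fields; the payload may contain spaces."""
    src, dst, port, payload = line.split(" ", 3)
    return {"src": src, "dst": dst, "port": int(port), "payload": payload}


def detect_irc_c2(text):
    """Return one finding per record that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        reasons = []
        is_irc = f["port"] in IRC_PORTS or bool(IRC_CMD_RE.match(f["payload"]))
        if f["dst"] in KNOWN_C2_HOSTS:
            reasons.append("known-c2-host")
        if is_irc and f["src"] in SERVER_ROLE_HOSTS:
            reasons.append("irc-from-server-role")
        m = JOIN_RE.match(f["payload"])
        if m and m.group(1).lower() in WATCHED_CHANNELS:
            reasons.append("watched-channel:" + m.group(1).lower())
        if reasons:
            findings.append({"src": f["src"], "dst": f["dst"], "reasons": reasons})
    return findings


def summarize(findings):
    """Collapse findings to one sorted reason list per source host."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["src"]].update(f["reasons"])
    return {src: sorted(reasons) for src, reasons in per_host.items()}


if __name__ == "__main__":
    for src, reasons in summarize(detect_irc_c2(SAMPLE_FLOWS)).items():
        print(src, ", ".join(reasons))
```

The payload check matters because a bot that is told to change servers (one of the commands Jarmoc mentions) can move to any port; the server-role rule catches it as long as the host is one that should not speak IRC at all.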

A patch for the Ruby on Rails framework came out Jan. 8 and developers urged users to upgrade to versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15, all of which are no longer vulnerable. The advisory issued in January said the vulnerability allows attackers to bypass authentication systems, inject SQL commands, inject and execute code or crash a Rails application.

Despite the five-month window between the patch and the availability of exploit code, a number of Rails installations remain unpatched. Jarmoc said some organizations may not realize they are running vulnerable installations, in spite of security advisories on the matter.

“It’s not particularly hard to update Rails, but as with any update there’s a possibility of unintended effects on applications. This alone can cause hesitation in some cases,” Jarmoc said. “There’s a small amount of downtime needed to patch, but downtime-sensitive environments can rely on load balancing, redundant servers, etc. to mitigate that.”

“Given the deployed base of Rails, even a small percentage success rate is likely to compromise a significant number of servers,” Jarmoc said.
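Organizations that "may not realize they are running vulnerable installations" can check quickly from a Gemfile.lock. This is an added example written for this page, not a tool from the Rails project or the article: it compares a Rails version against the four fixed versions named in the advisory above. The branch rule (versions newer than every fixed release are treated as patched, branches older than 2.3 as unpatched) and the sample lock file are assumptions.

```python
import re

# Fixed versions from the January advisory quoted above, keyed by branch.
FIXED_VERSIONS = {
    (3, 2): (3, 2, 11),
    (3, 1): (3, 1, 10),
    (3, 0): (3, 0, 19),
    (2, 3): (2, 3, 15),
}

# Constructed Gemfile.lock fragment (assumption: typical Bundler layout).
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    rack (1.4.5)
    rails (3.2.8)
      actionmailer (= 3.2.8)
      railties (= 3.2.8)

DEPENDENCIES
  rails (= 3.2.8)
"""

# Matches the resolved "rails (x.y.z)" line under specs, not the "(= x.y.z)" dependency line.
RAILS_LOCK_RE = re.compile(r"^\s+rails \((\d[^)]*)\)", re.MULTILINE)


def parse_version(text):
    """Return (major, minor, patch); non-numeric suffixes such as 'rc1' are ignored (assumption)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"^\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_cve_2013_0156(version_text):
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Assumption: anything newer than the newest fixed release ships the fix;
    # branches older than 2.3 never received it.
    return v < max(FIXED_VERSIONS.values())


def check_gemfile_lock(lock_text):
    """Return the resolved Rails version and its status, or None if Rails is absent."""
    m = RAILS_LOCK_RE.search(lock_text)
    if not m:
        return None
    return {"version": m.group(1), "vulnerable": is_vulnerable_cve_2013_0156(m.group(1))}


if __name__ == "__main__":
    print(check_gemfile_lock(SAMPLE_LOCK))
```

Run it against each application's Gemfile.lock in a deployment inventory; the lock file reflects what is actually deployed, which is what matters for the exposure Jarmoc describes.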

Tuesday, May 21, 2013 @ 05:05 PM gHale

A new, massive cyber espionage campaign is hitting as many as 71 victims each day, including government ministries, technology companies, academic research institutions, nongovernmental organizations and media outlets, researchers said.

The “Safe” campaign was first seen in October 2012 and has resulted in nearly 12,000 unique IP addresses spread over more than 100 countries connecting to two sets of command-and-control (C&C) infrastructure. The actual number of targets seems to be smaller, however, because some of these IP addresses are concentrated within specific network blocks and are probably used by the same organization, said Trend Micro researchers.

“Investigating and monitoring the activities of the Safe campaign over time, we were able to take advantage of the mistakes the attackers made and thus gain a deeper understanding of their operations,” the researchers wrote in a whitepaper.

“One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.”

The attacks start via Tibetan- and Mongolian-themed spear-phishing emails containing a malicious MS Word file specifically designed to exploit a vulnerability (CVE-2012-0158) in older versions of the software.

The decoy document would open, and in the background malicious files would be dropped onto the system in preparation for the second stage of the attack: The downloading and running of additional malware and tools such as off-the-shelf programs that are able to extract saved passwords from Internet Explorer and Mozilla Firefox as well as any stored Remote Desktop Protocol (RDP) credentials.

The analysis of the IP addresses contacting the two C&C servers found most targeted systems were in Mongolia, India, the U.S., China, Pakistan and the Philippines. A closer look at the C&C servers also allowed the researchers to identify the tools and source code the attackers used to create, distribute, and encrypt/decrypt data.

The malware author seems to be China-based and the researchers believe him to be a professional software engineer.

“The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers. These qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science,” they said.

“Apart from being significantly well-organized and well-commented, the code was also developed with defensive programming in mind. Each of the variables was named in a very obvious manner, helping other engineers easily distinguish functionality; again, a trait seen in the work of many professional software engineers. In addition to being heavily commented on and using intuitive variable naming conventions, the code also had an apparent slant toward usability. Each interface was very intuitive and well-designed, something not often seen in the code of a hobbyist.

“The use of terms like ‘bot,’ combined with the author’s posting of the malware code to code-sharing sites, indicate a degree of familiarity with the cybercriminal underground in China.”

But the campaign’s operators remain a mystery due to their use of VPNs and proxy tools.

Monday, May 20, 2013 @ 01:05 PM gHale

A family of information-stealing malware targeting Pakistan looks like it is coming out of India.

Unlike other known cyber espionage campaigns, this one appears oddly rudimentary in that it uses publicly available tools and basic obfuscation methods, and doesn’t encrypt its command-and-control communications, according to researchers at Eset, which posted its analysis of the malware and attack.

“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work,” said Jean-Ian Boutin, a malware researcher with Eset.
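Rotation-based string obfuscation of the kind Boutin describes is trivial for an analyst to undo, because only 26 candidate shifts exist and the right one is the one that yields recognizable artifacts (URLs, registry paths, file names). The following is an added example written for this page, not Eset's tooling and not code from the malware: it recovers the shift from a batch of obfuscated strings by scoring every candidate against a keyword list. The plaintext strings, the shift value and the keyword list are constructed assumptions.

```python
# Letters are rotated within their case; digits and punctuation pass through,
# which is exactly why path separators and dots survive and make scoring easy.
def rotate(text, shift):
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


# Substrings an analyst expects to see in decoded strings (assumed list).
KEYWORDS = ("http", "www", ".exe", ".dll", "software", "microsoft",
            "windows", "currentversion", "temp", "user", ".txt", ".jpg")


def score(candidate):
    low = candidate.lower()
    return sum(low.count(k) for k in KEYWORDS)


def recover_shift(obfuscated_strings):
    """Pick the single shift that makes the whole batch score highest.

    Malware of this style uses one fixed rotation for every string, so scoring
    the batch as a whole is far more robust than scoring strings one at a time.
    """
    totals = [sum(score(rotate(s, shift)) for s in obfuscated_strings)
              for shift in range(26)]
    return max(range(26), key=lambda shift: totals[shift])


def deobfuscate(obfuscated_strings):
    shift = recover_shift(obfuscated_strings)
    return shift, [rotate(s, shift) for s in obfuscated_strings]


# Constructed sample: plausible plaintext strings, obfuscated here with a
# rotation of 19 (so the recovering shift is 7). Not taken from any real sample.
SAMPLE_PLAINTEXT = [
    "http://www.example.com/upload.php",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "keylog.txt",
    "screenshot.jpg",
]
SAMPLE_OBFUSCATED = [rotate(s, 19) for s in SAMPLE_PLAINTEXT]


if __name__ == "__main__":
    shift, decoded = deobfuscate(SAMPLE_OBFUSCATED)
    print("recovered shift:", shift)
    for before, after in zip(SAMPLE_OBFUSCATED, decoded):
        print(f"{before}  ->  {after}")
```

Because the keyword score is summed over the whole batch, a single string that happens to contain "exe" after a wrong rotation cannot outvote the shift that turns every string into a URL, registry path or file name at once.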

The malware campaign is at least two years old and spreads via phishing emails with rigged Word and PDF files, according to Eset. It steals sensitive information via keyloggers, screenshots, and uploading stolen documents, unencrypted. “The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” Boutin said.

The attack uses a code-signing certificate issued in 2011 to Technical and Commercial Consulting Pvt. Ltd., a company based in New Delhi, India, which helped the malware binaries spread within the victim organization. The certificate was revoked in late March 2012 but was still in use; Eset contacted VeriSign, which revoked the certificate. Eset found more than 70 binary files signed with it.

Among the attachments was one that appears to be about Indian military secrets. “We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” Boutin said.

Nearly 80 percent of the infections are in Pakistan, according to Eset. One version of the attack exploits a known and patched Microsoft Office flaw, CVE-2012-0158. The malware executes once the victim opens a malicious Word attachment; the other method used in the attack uses PE files that appear to be Word or PDF attachments.

The attackers used NirSoft’s WebPassView and Mail PassView tools for recovering passwords in email clients and browser stores; the tools ended up signed by the malicious cert.

Wednesday, March 27, 2013 @ 12:03 PM gHale

Back in July the command and control (C&C) servers utilized by Grum, a spam botnet that was the world’s third largest at the time, ended up shut down by Spamhaus, FireEye and CERT-GIB.

Just a few short months later, FireEye researchers found the botnet’s masters had started reinstating its C&C servers. At the time, since there were only a couple of new servers, no major spam activity was coming out.

However, now, researchers from Trustwave’s Spider Labs found the volume of spam from Grum is constantly increasing.

So far, the spam volume is small compared to what it had been before the takedown, but it’s a clear sign that Grum is making a comeback. Grum’s main payload is to send out pharmaceutical spam.

“Perhaps bot herders behind Grum botnet are slowly rebuilding it again,” said Rodel Mendrez of SpiderLabs. “We’ve been involved in helping various botnet takedowns before, but most of the time, the effect is temporary. It seems this botnet is deeply rooted, that you couldn’t take it down by its branch and fruit, but by its roots.”
