botnet

Latest

  • Thousands of Macs infected with OS X botnet malware controlled via Reddit

    by Kelly Hodgkins
    10.03.2014

    Russian security researchers from anti-virus company Dr Web have discovered a new OS X botnet that has hijacked over 17,000 Macs worldwide. Macs recruited into the botnet are infected with Mac.BackDoor.iWorm malware, which is being spread by a yet-to-be-discovered method. Once infected, Mac computers can be controlled by hackers who are communicating with infected machines using a unique medium -- Reddit. The Mac.BackDoor.iWorm opens a port on the Mac and connects to other infected machines using information posted by the hackers in Reddit's forums. It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and - as a search query - specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd. The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals. According to their analysis, the United States has the most infected machines with 4,200 compromised OS X computers. The UK and Canada are also hotbeds with more than 1,200 botnet controlled machines in each country. [Via Graham Cluley]

  • Security firms help Cryptolocker malware victims get their files back

    by Daniel Cooper
    08.06.2014

    Remember Cryptolocker? It was a clever but terrible piece of malware that encrypted files on your PC, charging you a ransom to get them back. The leader of the gang believed to be behind the software is now awaiting trial, but that won't help around 500,000 people who still can't get at their prized documents. That's where FireEye and Fox IT, two of the companies who helped take the gang down, come in. Using the seized databases, the pair have built Decrypt Cryptolocker, a web portal where you supply your email address and one encrypted file, and it'll give you a recovery program and master key that'll restore control of your files.

  • Bitcoin and other cryptocurrencies compromised by Pony botnet

    by Mariella Moon
    02.25.2014

    It looks like the Pony botnet that stole two million passwords in December has an even more egregious sibling galloping around. According to security firm Trustwave, this more advanced botnet has compromised 700,000 various online accounts to date (it's been active since September), including 85 Bitcoin and other cryptocurrency wallets mostly from Europe. In the months since the equine-loving hackers got the wallets' private keys, a total of $220,000 has been transferred into and out of the accounts. Because anyone can take over a wallet with the appropriate private key (and cryptocurrencies' transactions go through anonymously), it's unclear whether that much money was actually stolen. Some of those transactions could very well have been performed by the original owners themselves. Still, add this incident on top of the $1.2 million Input.io Bitcoin heist in 2013, and it's clear users need to start using (strong) transaction passwords and store their wallets offline. Those who've sadly been negligent in the security department can use Trustwave's Bitcoin tool to check if they own one of the 85 accounts. Considering popular Bitcoin exchange website Mt. Gox just went dark, as well, we hope nobody's retirement funds got wiped out.

  • Two million accounts compromised by 'Pony' botnet, bad passwords

    by Steve Dent
    12.04.2013

    Though most of us cast stones at large-scale corporate password thefts, we ought to be checking our own glass houses, according to a security company called Trustwave. It just revealed that a single attack from a Dutch-based server has resulted in 2 million passwords pilfered from individual users for sites like Facebook and Google. The ne'er-do-well did it using a botnet and hacker program called "Pony," which likely directed the stolen info through a gateway or so-called reverse proxy. Thieves also gained access to an unusually high number of accounts from a single payroll service, which could cause "direct financial repercussions," according to the site. Lest you imagine that complex hacks were involved, though, think again. A commonly used cracking method was "guessing," thanks to poorly chosen passwords like "123456" used by -- wait for it -- 15,820 of the victims.

  • Visualized: global DDoS attacks animated and mapped by Google

    by Alexis Santos
    10.21.2013

    Earlier today, Google announced it had built Project Shield to help small websites stay online during DDoS (distributed denial of service) strikes, and it turns out the search giant also unveiled a frequently-updated online map of such assaults. Dubbed Digital Attack Map, the project was created in partnership with Arbor Networks, which updates the site every hour with anonymous DDoS events from over 270 internet service providers it counts as customers. Animations of inbound, outbound and internal volleys from countries across the globe fill the map, and are accompanied by data regarding duration, bandwidth and more. However, only a partial picture of the situation is painted, and the source of incursions can be incorrect. Not only does the effort rely on an incomplete data set -- though Mountain View argues this is the most fleshed out around -- but the origin of DDoS attacks is often forged, and the attacking machines are sometimes unwilling computers directed by foreign-controlled botnets. This affair is far from scientific, but feel free to play security researcher for a day at the source.

  • EU toughens penalties for internet-based crimes

    by Jon Fingas
    07.05.2013

    Virtual crime can lead to very real damage, and the European Parliament knows this well enough to have just issued a draft directive toughening up the EU's penalties for internet-based violations. Get caught running a botnet and you'll face a minimum of three years in prison; dare to attack critical infrastructure and you may spend five years behind bars. Don't think of hiring someone for corporate espionage, either -- the directive makes whole companies liable for online offenses committed in their name. EU nations will have two years to adopt the directive as law, although an existing, unofficial agreement suggests that at least some countries won't wait that long to enforce the new rules.

  • Microsoft says it freed at least 2 million PCs from Citadel botnets

    by Alexis Santos
    06.18.2013

    Earlier this month, Microsoft announced that it took down 1,400 Citadel botnets with the help of the FBI, and now Ballmer and Co. have divulged just how big of an impact the effort had. According to Richard Domingues Boscovich, the firm's Digital Crimes Unit assistant general counsel, the operation freed at least 2 million PCs across the globe from the malicious code -- and that's a conservative estimate by his reckoning. It's believed that more than $500 million has been stolen from bank accounts thanks to information gleaned from keystrokes logged by computers afflicted with the software. Though the chief botnet organizer is still on the loose and many machines are still burdened by Citadel, Domingues Boscovich says they "feel confident that we really got most of the ones that we were after." [Image credit: Edmund Tse, Flickr]

  • Microsoft teams up with financial services industry, FBI to take down hacker botnets

    by Sean Buckley
    06.05.2013

    It turns out Microsoft was serious when it declared war on botnets: the company just announced that its Digital Crimes Unit has successfully disrupted more than 1,400 criminal networks. The company says the action was a coordinated effort between Microsoft and the financial services industry, noting that the FBI chipped in to help out with legal hurdles -- giving Redmond the leverage it needed to shut down malicious servers in both New Jersey and Pennsylvania. These machines had been infecting computers with Citadel malware, a keylogger that allowed cyber criminals to skim account information from victims. According to Reuters, authorities don't yet know the identities of the criminals involved, but Microsoft thinks the ringleader lives in eastern Europe, and may be working with 80 or more accomplices. The company has already filed a civil lawsuit, listing the lead hacker as "John Doe No. 1" in the complaint. Microsoft says it will use the data it collected from the operation to help ISPs find more efficient ways to detect and notify users if their computer is infected. The company also pledges to make the information available through its own cyber threat intelligence program. Check out the firm's full press announcement for yourself after the break.

  • McAfee shows how major Android scamware ticks, prevents us from learning first-hand

    by Jon Fingas
    10.06.2012

    Most Android malware lives in the margins, away from Google Play and the more reliable app shops. It's nonetheless a good idea to be on the lookout for rogue code, and McAfee has stepped in with thorough explanations of how one of the most common scamware strains, Android.FakeInstaller, works its sinister ways. The bait is typically a search-optimized fake app market or website; the apps themselves not only present a legitimate-looking front but include dynamic code to stymie any reverse engineering. Woe be to anyone who's tricked long enough to finish the installation, as the malware often sends text messages to expensive premium phone numbers or links target devices to botnets. The safeguard? McAfee would like you to sign up for its antivirus suite, but you can also keep a good head on your shoulders -- stick to trustworthy shops and look for dodgy behavior before anything reaches your device.

  • Apple removes claim of virus immunity

    by Kelly Hodgkins
    06.26.2012

    As small as the threat may be, Mac users can no longer claim immunity from attack by malicious software online. Many Mac users are starting to recognize this new reality and now Apple does, too. As noted in a recent PC World article, Apple has quietly removed the claim "It doesn't get PC viruses" from its OS X website and replaced it with the phrase "It's built to be safe." Also changed is the paragraph header "Safeguard your data. By Doing Nothing," which now says "Safety. Built right in." It's a subtle difference, but it's enough to show that Apple recognizes the importance of Mac security. Mac OS X is growing as a desktop platform and increasingly will be the target of malicious attacks. Recently, the Flashback botnet infected over 670,000 computers worldwide, most of which were running Mac OS X. This botnet exploited a hole in Java that was patched by Apple in a subsequent update to OS X.

  • White House announces anti-botnet initiative

    by Sarah Silbert
    05.30.2012

    The White House has been drumming up momentum for tighter internet privacy laws for a while now, and today it's furthering that online safety agenda with a new initiative for combating botnets. Washington just announced a pilot program for fighting viruses, citing a whopping five million PCs infected worldwide this year. The program will use principles outlined by the Industry Botnet Group, with the main goal being to educate internet users on the dangers of cyberspace while preventing botnets from spreading by sharing data about infected computers. The White House is working with the Information Sharing and Analysis Center to develop and implement the "botnet pilot," presumably to enact those anti-virus principles.

  • Apple issues Leopard update with Flashback removal tool

    by Jason Hidalgo
    05.15.2012

    Folks still rocking Apple's Leopard may have been feeling left out after Lion and Snow Leopard both got an update for addressing that Flashback malware. If you're one of them, you'll be glad to know that Apple has finally issued a Leopard fix that comes with a removal tool for the vulnerability afflicting its big cats. In addition to a 1.23MB Flashback update, Apple also released a second 1.11MB fix for Leopard that disables versions of Adobe Flash Player that don't have the requisite security updates. Both should further whittle down the number of Apple computers affected by the Flashback trojan. For the actual updates, feel free to pounce on the source links below.

  • Daily Update for May 1, 2012

    by Steve Sande
    05.01.2012

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. You can listen to today's Apple stories via the inline player (requires Flash) or the non-Flash link, or subscribe to the podcast for daily listening through iTunes or RSS.

  • Apple publishes support page for Flashback malware, is working on a fix

    by Richard Lawler
    04.10.2012

    After the Flashback / Flashfake Mac trojan was exposed by Russian site Dr. Web, Apple has finally responded by publishing a support page about the issue and promising a fix. If you haven't heard by now, the malware exploits a flaw in the Java Virtual Machine, which Oracle pushed a fix for back in February, but Apple didn't patch until a botnet consisting of as many as 650,000 Macs was identified on March 4th. Antivirus maker Kaspersky has confirmed the earlier findings, and released a free tool affected users can run to remove the trojan from their computers. Other than the update already delivered for computers running OS 10.6 and 10.7, Apple recommends users on 10.5 and earlier disable Java in their browser preferences. What isn't mentioned, however, is when its fix is incoming or any timetable on its efforts with international ISPs to cut off the IP addresses used by the network. This is not the first time Macs have fallen prey to malware and as their market share grows will likely not be the last, so don't think just opting for OS X is automatically keeping you a step ahead security-wise. Check the links below for more information about what the malware does, and how to get rid of it.

  • Major ISPs agree to FCC's code of conduct on botnets, DNS attacks

    by Amar Toor
    03.25.2012

    The FCC's campaign to secure the internet gained new momentum last week, when a group of major ISPs signed on to a new code of conduct aimed at mitigating cybercrime. Adopted by the FCC's Communications, Security, Reliability and Interoperability Council (CSRIC), the new code targets three main security threats: botnets, DNS attacks and internet route hijacking. The Anti-Bot Code of Conduct invites ISPs to adopt sharper detection methods, and to notify and assist consumers whenever their computers are infected. The DNS code, meanwhile, offers a list of best practices by which ISPs can tighten security. Though it doesn't call for a full adoption of DNSSEC technology, the guidelines do represent a "first step" toward implementation, allowing web users to verify the authenticity of their online destinations. As for internet route attacks, the CSRIC calls for a similarly collective approach, asking ISPs to collaborate on new technologies within an industry-wide framework. In a statement, FCC chairman Julius Genachowski said that these practices "identify smart, practical, voluntary solutions that will materially improve the cyber security of commercial networks and bolster the broader endeavors of our federal partners." The industry apparently agrees, as heavyweights like AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, T-Mobile and Verizon have already signed on. For the FCC's full statement, check out the source link below.

  • US government to beat back botnets with a cybersecurity code of conduct

    by Amar Toor
    09.23.2011

    Old Uncle Sam seems determined to crack down on botnets, but he still needs a little help figuring out how to do so. On Wednesday, the Department of Homeland Security and National Institute of Standards and Technology (NIST) published a request for information, inviting internet and IT companies to contribute their ideas to a voluntary "code of conduct" for ISPs to follow when facing a botnet infestation. The move comes as an apparent response to a June "Green Paper" on cybersecurity, in which the Department of Commerce's Internet Policy Task Force called for a unified code of best practices to help ISPs navigate through particularly treacherous waters. At this point, the NIST is still open to suggestions from the public, though Ars Technica reports that it's giving special consideration to two models adopted overseas. Australia's iCode program, for example, calls for providers to reroute requests from shady-looking systems to a site devoted to malware removal. The agency is also taking a hard look at an initiative (diagrammed above) from Japan's Cyber Clean Center, which has installed so-called "honeypot" devices at various ISPs, allowing them to easily detect and source any attacks, while automatically notifying their customers via e-mail. There are, however, some lingering concerns, as the NIST would need to find funding for its forthcoming initiative, whether it comes from the public sector, corporations or some sort of public-private partnership. Plus, some are worried that anti-botnet programs may inadvertently reveal consumers' personal information, while others are openly wondering whether OS-makers should be involved, as well. The code's public comment period will end on November 4th, but you can find more information at the source link, below.

  • Scientists build WiFi hunter-killer drone and call it SkyNET... Viene Tormenta!

    by Daniel Cooper
    09.10.2011

    You'd think scientists would proscribe certain names for their inventions -- you wouldn't be taken seriously if your supercomputer was called HAL 9000, WOPR or Proteus IV would you? Well, a team from the Stevens Institute of Technology isn't listening, because it's developing an aerial drone and calling it SkyNET. A Linux box, strapped to a Parrot A.R. Drone, can fly within range of your home wireless network and electronically attack it from the air. Whilst internet-only attacks are traceable to some extent, drone attacks are difficult to detect until it's too late -- you'd have to catch it in the act and chase it off with a long-handled pitchfork, or something. The team is working on refining the technology to make it cheaper than the $600 it currently costs and advise that people toughen up their domestic wireless security. We advise they stop pushing us ever closer towards the Robopocalypse.

  • Visualized: preconceived notions about personal computer security

    by Darren Murph
    03.24.2011

    See that chart up there? That's a beautiful visualization of a dozen folk models surrounding the idea of home computer security, devised by Michigan State's own Rick Wash. To construct it (as well as pen the textual explanations to back it), he interviewed a number of computer users with varying levels of sophistication, with the goal being to find out how normal Earthlings interpreted potential threats to their PC. His findings? A vast number of home PCs are frequently insecure because "they are administered by untrained, unskilled users." He also found that PCs remain largely at risk despite a blossoming network of preventative software and advice, and almost certainly received an A for his efforts. Hit the source link for more, but only after you've spiffed up, thrown on a pair of spectacles and kicked one foot up on the coffee table that sits in front of you.

  • Security experts unearth unpleasant flaws in webOS

    by Chris Ziegler
    11.26.2010

    Researchers from security firm SecTheory have described a handful of flaws in webOS, saying that the platform -- by its very nature -- is more prone to these sorts of things than its major competitors because Palm puts web technologies like JavaScript closer to webOS' core where system functions are readily accessible. At least one of the flaws, involving a data field in the Contacts app that can be exploited to run arbitrary code, has already been fixed in webOS 2.0 -- but the others are apparently still open, including a cross-site scripting problem, some sort of floating-point overflow issue, and a denial-of-service vector. We imagine Palm will get these all patched up sooner or later, but as SecTheory's guys point out, how long is it until mobile malware becomes a PC-sized problem?

  • Microsoft declares 'open season' on botnets, beats Waledac in court

    by Joseph L. Flatley
    09.13.2010

    When we heard that Microsoft was appealing to a higher power to shut down the Waledac botnet, we assumed that meant lighting candles at St. Francis Parish -- instead, the company went to the courts. At its prime, Waledac was estimated to have infected upwards of 90,000 machines, which in turn sent out approximately 1.5 billion pieces of spam a day (about one percent of the world's total). In February, District Court Judge Leonie Brinkema issued a temporary restraining order taking the 276 domains that the perps used for the network's command and control structure offline, and earlier this month the act was finalized with the U.S. District Court of Eastern Virginia granting a motion that, according to USA Today, "[effectively] gives Microsoft permanent ownership" of the domains. Although the defendants didn't come forward, Microsoft lawyers were able to prove that they were indeed aware of the case -- it seems that not only did they launch a DDOS attack against Microsoft's law firm, they also threatened a researcher involved in the case. Of course, since the worm can also operate in peer-to-peer mode there's no telling how many infected machines are still out there, but at the very least the botnet has been crippled -- and now companies like Microsoft have proven legal recourse if they are targeted by domains (at least ones registered in the US). "It's open season on botnets," said Microsoft senior attorney Richard Boscovich Sr. "The hunting licenses have been handed out, and we're coming back for more." Image: Privacy Canada (https://privacycanada.net).