Showing results for tags 'botnet'.
Found 22 results

  1. Once-unknown group uses a tunnel fetish and a chameleon's ability to blend in.

     It’s not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible in many victim networks.

     The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

     • The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
     • Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
     • A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
     • An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.

     A tunneling fetish with SOCKS

     In a post, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, and Chris Gardner wrote:

     Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.

     The SOCKS tunnel allowed the hackers to effectively connect their control servers to a victim’s network where they could then execute tools without leaving traces on any of the victims' computers.

     [Image: Mandiant]

     A secondary backdoor provided an alternate means of access to infected networks. It was based on a version of the legitimate reGeorg webshell that had been heavily obfuscated to make detection harder. The threat actor used it in the event the primary backdoor stopped working. The researchers explained:

     Once inside the victim environment, the threat actor spent time to identify web servers in the victim environment and ensure they found one that was Internet accessible before copying REGEORG to it. They also took care to name the file so that it blended in with the application running on the compromised server. Mandiant also observed instances where UNC3524 used timestomping [referring to a tool available here for deleting or modifying timestamp-related information on files] to alter the Standard Information timestamps of the REGEORG web shell to match other files in the same directory.

     One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.

     Eventually, Quietexit executes its final objective: accessing email accounts of executives and IT personnel in hopes of obtaining documents related to things like corporate development, mergers and acquisitions, and large financial transactions. “Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”

     Not your typical APT

     The Quietexit command-and-control infrastructure is among the most intricate in recent memory. In many cases, the attacker-operated servers to which infected machines connected were legacy conference room camera systems sold by Lifesize or, in at least one case, D-Link, which had been infected with the server component of Quietexit. This diagram shows how a Windows device infected with the Quietexit client version connected to a camera, router, or other IoT device that had been turned into a command-and-control server:

     [Diagram: Mandiant]

     Also notable is the extra effort the threat actor put into obtaining control-server domain names that were chosen based on the specifics of its network environment. “We observed UNC3524 use C2 domains that intended to blend in with legitimate traffic originating from the infected appliances,” the researchers explained. “Using the example of an infected load balancer, the C2 domains contained strings that could plausibly relate to the device vendor and branded operating system name. This level of planning demonstrates that UNC3524 understands incident response processes and tried to make their C2 traffic appear as legitimate to anyone that might scroll through DNS or session logs.”

     The tactics and methodologies of UNC3524 overlap with those of the two Russian state hacker groups known as APT28, or Fancy Bear, and APT29, or Cozy Bear. Quietexit includes a technique that uses multiple credentials to move laterally that was also used by Fancy Bear during the SolarWinds breach campaign. Automated password spraying using Kubernetes, Exchange exploitation, and reGeorg are things Cozy Bear has left behind in past hacks. Ultimately, Mandiant was unable to conclusively link UNC3524 to either group, or to any other known group. People who are wondering if they have been hit by the threat can check the indicators of compromise section of Monday's post.

     Unpacking this threat group is difficult. From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524’s high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggest something more. “Part of the group’s success at achieving such a long dwell time can be credited to their choice to install backdoors on appliances within victim environments that do not support security tools, such as antivirus or endpoint protection,” the researchers wrote. “The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the ‘advanced’ in Advanced Persistent Threat.”

     Botnet that hid for 18 months boasted some of the coolest tradecraft ever
  2. A new Golang-based botnet under active development has been ensnaring hundreds of Windows devices each time its operators deploy a new command and control (C2) server.

     First spotted in October 2021 by ZeroFox researchers who dubbed it Kraken, this previously unknown botnet uses the SmokeLoader backdoor and malware downloader to spread to new Windows systems. After infecting a new Windows device, the botnet adds a new Registry key to achieve persistence between system restarts. It will also add a Microsoft Defender exclusion to ensure that its installation directory is never scanned and hides its binary in Windows Explorer using the hidden attribute.

     Kraken has a limited and simplistic feature set, allowing attackers to download and execute additional malicious payloads on compromised devices, including the RedLine Stealer malware. RedLine is currently the most widely deployed information stealer capable of harvesting victims' passwords, browser cookies, credit card info, and cryptocurrency wallet info.

     "Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer," ZeroFox said. "It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet."

     Built-in crypto wallet theft capabilities

     However, the botnet also features built-in information theft capabilities and can also steal crypto wallets before dropping other info stealers and cryptocurrency miners. According to ZeroFox, Kraken can steal info from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty crypto wallets. Based on info collected from the Ethermine cryptocurrency mining pool, this botnet seems to be adding roughly USD 3,000 every month to its masters' wallets.

     "While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP," the researchers added. Nevertheless, "by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2."

     New Golang botnet empties Windows users’ cryptocurrency wallets
  3. Google announced today that it has taken action to disrupt the Glupteba botnet that now controls more than 1 million Windows PCs around the world, growing by thousands of new infected devices each day.

     Glupteba is a blockchain-enabled and modular malware that has been targeting Windows devices worldwide since at least 2011, including the US, India, Brazil, and countries from Southeast Asia. Threat actors behind this malware strain are mainly distributing payloads onto targets' devices via pay-per-install (PPI) networks and traffic purchased from traffic distribution systems (TDS) camouflaged as "free, downloadable software, videos, or movies." After infecting a host, it can mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices, which later get sold as 'residential proxies' to other cybercriminals.

     As part of Google's concerted effort to disrupt the botnet, the company took over Glupteba's key command and control (C2) infrastructure, which uses a Bitcoin blockchain backup mechanism to add resilience if the main C2 servers stop responding. "We believe this action will have a significant impact on Glupteba's operations," said Google Threat Analysis Group's Shane Huntley and Luca Nagy today. "However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain."

     Legal action towards botnet disruption

     Google also filed for a temporary restraining order and a complaint in the Southern District of New York against two Russian defendants (Dmitry Starovikov and Alexander Filippov) and 15 other unknown individuals. The complaint claims the 17 defendants were the ones operating and coordinating Glupteba attacks with the end goal of stealing user accounts and credit card info, selling ad placement and proxy access on infected devices, and mining for cryptocurrency in computer fraud and abuse, trademark infringement, and other schemes.

     Among the online services offered by Glupteba botnet's operators, Google mentioned "selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads."

     "Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations," Google's Vice President for Security Royal Hansen and General Counsel Halimah DeLaine Prado added. "The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it."

     On Monday, Microsoft also seized dozens of malicious sites used by the Nickel China-based hacking group (aka KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon) to target servers belonging to government orgs, diplomatic entities, and non-governmental organizations (NGOs) in the US and 28 other countries worldwide.

     Google disrupts massive Glupteba botnet, sues Russian operators
  4. DreamBus botnet targets enterprise apps running on Linux servers

     DreamBus botnet uses exploits and brute-force to target PostgreSQL, Redis, SaltStack, Hadoop, Spark, and others.

     [Image: Zscaler]

     Chances are that if you deploy a Linux server online these days and you leave even the tiniest weakness exposed, a cybercrime group will ensnare it as part of its botnet. The latest of these threats is named DreamBus. In a report published last week, security firm Zscaler said this new threat is a variant of an older botnet named SystemdMiner, first seen in early 2019. But current DreamBus versions have received several improvements compared to initial SystemdMiner sightings [1, 2, 3].

     Currently, the botnet targets enterprise-level apps that run on Linux systems. Targets include a wide collection of apps, such as PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service. Some of these apps are targeted with brute-force attacks against their default administrator usernames, others with malicious commands sent to exposed API endpoints, or via exploits for older vulnerabilities.

     The idea is to give the DreamBus gang a foothold on a Linux server where they could later download and install an open-source app that mines the Monero (XMR) cryptocurrency to generate profits for the attackers. Furthermore, each of the infected servers is also used as a bot in the DreamBus operation to launch further brute-force attacks against other possible targets.

     Zscaler also said that DreamBus employed quite a few measures to prevent easy detection. One of them was that all systems infected with the malware communicated with the botnet's command and control (C&C) server via the new DNS-over-HTTPS (DoH) protocol. DoH-capable malware is very rare, as it's complex to set up. Furthermore, to prevent the C&C server from being taken down, the DreamBus gang hosted it on the Tor network, via a .onion address.

     But despite all these protective measures, Zscaler's Brett Stone-Gross believes we're seeing yet another botnet birthed and operated out of Russia, or Eastern Europe. "Updates and new commands are issued that typically start around 6:00 a.m. UTC or 9:00 a.m. Moscow Standard Time (MSK) and end approximately at 3:00 p.m. UTC or 6:00 p.m. MSK," the researcher said.

     But Stone-Gross also warned companies not to take this botnet lightly. Sure, the botnet delivers a cryptocurrency miner right now, but the Zscaler researcher believes operators could easily pivot to more dangerous payloads, such as ransomware, at any time they wanted.

     Source: DreamBus botnet targets enterprise apps running on Linux servers
  5. A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code. The advanced malware comes equipped with reverse shell and crypto-mining capabilities and exploits over 12 known vulnerabilities, hence the moniker.

     Spreads via GitHub, attacks in 12 different ways

     Gitpaste-12 was first detected by Juniper Threat Labs lurking on GitHub around October 15th. However, commits reveal the malware has lived on GitHub since Jul 9th, 2020 until its shutdown after Oct 27th, 2020. The worm attempts to crack passwords via brute-force and exploits known vulnerabilities on the systems it infects. 11 of these vulnerabilities are as follows, with the 12th one stemming from a Telnet brute force application used to spread Gitpaste-12:

     After the initial system compromise, Gitpaste-12 downloads a recursive script from a Pastebin URL which instructs the infected host to keep executing this very script every minute. This is a way for the malware to keep updating itself from the Command and Control (C2) source, which is merely a paste URL:

     [Image: Gitpaste-12 initial payload on a pastebin URL which has since been removed. Source: Juniper]

     Further, the malware downloads the main shell script from GitHub. The URL where the shell script had lived has since been taken down: https://raw.githubusercontent[.]com/cnmnmsl-001/-/master/shadu1

     "The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, selinux, apparmor, as well as common attack prevention and monitoring software," state Juniper Threat Labs researchers Alex Burt and Trevor Pott.

     [Image: Gitpaste-12 main shell script that begins attacking a host's defenses such as firewalls]

     In fact, some of the commands and hostnames present in the script reveal Gitpaste-12 is designed to attack cloud computing infrastructure provided by Alibaba Cloud and Tencent. Additionally, the botnet is equipped with a Monero (XMR) cryptocurrency miner.

     But there's more: the worm spreads itself by targeting a list of randomly generated IP addresses within a subnet range. "The Gitpaste-12 malware also contains a script that launches attacks against other machines, in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try all addresses within that range," state Juniper's researchers.

     Gitpaste-12 has a low detection rate

     Considering the recency of its discovery, some files associated with the Gitpaste-12 botnet have quite a low detection rate. At the time of writing, BleepingComputer observed that the hide.so payload, which aids Gitpaste-12 in evading detection, was itself undetected by over 93% of antivirus engines. Similarly, the crypto miner configuration file and the shell script have not yet been flagged by any antivirus engine listed on VirusTotal, as observed by BleepingComputer:

     [Image: Some files have a zero detection rate thus far. Source: VirusTotal]

     Juniper's report on a sophisticated malware present on GitHub follows shortly after Octopus Scanner had been discovered infiltrating over 26 open-source GitHub projects. And attacks leveraging the open-source ecosystem are only expected to grow further, given their ongoing development. "There is evidence of test code for possible future modules, indicating ongoing development for this malware. For now, however, targets are Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices," stated the report released by Juniper Threat Labs. The researchers noted some compromised systems had TCP ports 30004 and 30005 open for receiving commands via reverse shells.

     Gitpaste-12 Indicators of Compromise (IOCs) are provided below, and Juniper's detailed research can be found in their report.

     • Miner: e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9
     • hide.so: ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b
     • Miner config: bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1
     • Shell script: 5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3

     This malware has been dubbed Gitpaste-12 because of the usage of GitHub, Pastebin and 12 ways to compromise the system. The first GitPaste-12 attacks were detected by Juniper Threat Labs on October 15, 2020. We’ve reported both the Pastebin URL and the git repo in question and the git repo was closed on October 30, 2020. This should stop the proliferation of this botnet.

     Source
  6. Android devices ensnared in DDoS botnet

     New Matryosh botnet is targeting Android systems that have left their ADB debug interface exposed on the internet.

     Netlab, the networking security division of Chinese security firm Qihoo 360, said it discovered this week a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet. Named Matryosh, the botnet is going after Android devices where vendors have left a diagnostics and debugging interface known as Android Debug Bridge enabled and exposed on the internet.

     Active on port 5555, this interface has been a known source of problems for Android devices for years, and not only for smartphones but also smart TVs, set-top boxes, and other smart devices running the Android OS. Over the past few years, malware families like ADB.Miner, Ares, IPStorm, Fbot, and Trinity, have scanned the internet for Android devices where the ADB interface has been left active, connected to vulnerable systems, and downloaded and installed malicious payloads.

     According to a report published this week, Netlab said Matryosh is the latest in this long line of ADB-targeting botnets, but one that comes with its own twist. This uniqueness comes from using the Tor network to hide its command and control servers and the use of a multi-layered process for obtaining the address of this server —hence the botnet's name, inspired from the classic matryoshka Russian dolls.

     Netlab researchers, who are usually among the first to discover emerging botnets, said the botnet contains several clues to suggest this is the work of the same group which developed the Moobot botnet in 2019 and the LeetHozer botnet in 2020. Both botnets were essentially built and used for launching DDoS attacks, which also appears to be Matryosh's primary function. The Netlab team says they found functions in the code specific to features that will use infected devices to launch DDoS attacks via protocols like TCP, UDP, and ICMP.

     VERY LITTLE THAT USERS CAN DO

     As it was stated in previous articles about the "ADB issue," there is very little that end users can do about it. While smartphone owners can easily turn off their ADB feature using a setting in the OS options, for other types of Android-based devices, such an option is not available on most devices. As a result, many systems will remain vulnerable and exposed to abuse for years to come, providing botnets like Matryosh and others with a solid mass of devices they can abuse for crypto-mining, DNS hijacking, or DDoS attacks.

     Source: Android devices ensnared in DDoS botnet
  7. D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant

     A new variant of the Gafgyt botnet – that’s actively targeting vulnerable D-Link and Internet of Things devices – is the first variant of the malware to rely on Tor communications, researchers say.

     Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network. Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15. In order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encrypts sensitive strings in the samples.

     The use of Tor by malware families is nothing new; however, researchers said they haven’t seen Gafgyt leveraging the anonymity network until now. “Compared with other Gafgyt variants, the biggest change of Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking,” said researchers with NetLab 360 on Thursday. “The Tor-based C2 communication mechanism has been seen in other families we have analyzed before… but this is the first time we encountered it in the Gafgyt family.”

     Gafgyt_tor Botnet: Propagation and New Functionalities

     The botnet is mainly propagated through weak Telnet passwords – a common issue on internet of things devices – and through exploiting three vulnerabilities. These vulnerabilities include a remote code execution flaw (CVE-2019-16920) in D-Link devices; a remote code execution vulnerability in Liferay enterprise portal software (for which no CVE is available); and a flaw (CVE-2019-19781) in Citrix Application Delivery Controller.

     Researchers said that the code structure of Gafgyt_tor’s main function – which adds the Tor proxy function to provide the IP server’s address – shows widespread changes. “The original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection,” they said.

     New Tor Capabilities, Commands

     Within this large section of code exists tor_socket_init, a function that is responsible for initializing a list of proxy nodes with IP addresses and a port. Researchers said that over 100 Tor proxies can be built in this way – and new samples are continually updating the proxy list.

     [Image: The new versus old code structure for the Gafgyt variant. Credit: NetLab 360]

     “After initializing the proxy list, the sample will select a random node from the list to enable Tor communication via tor_retrieve_addr and tor_retrieve_port,” said researchers. After it establishes a connection with the C2, the botnet requests wvp3te7pkfczmnnl.onion through the darknet, from which it then awaits commands.

     “The core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt directive,” said researchers. They noted that a new directive called LDSERVER has been added to the botnet, which allows the C2 to quickly specify servers from which the payloads are downloaded. This allows attackers to quickly switch courses should an attacker-owned download server be identified and blocked, said researchers. “This directive means that C2 can dynamically switch download servers, so that it can quickly switch to a new download server to continue propagation if the current one is blocked,” said researchers.

     Links to Freak Threat Actor, Other Botnets

     Researchers said that the variant shares the same origin with the Gafgyt samples distributed by a threat group that NetLab 360 researchers call the keksec group, and that other researchers call the Freak threat actor. They said the keksec group reuses code and IP addresses between various other bot families, including the Tsunami botnet as well as the Necro botnet family uncovered in January. “We think that Gafgyt_tor and Necro are very likely operated by the same group of people, who have a pool of IP addresses and multiple botnet source codes, and have the ability of continuous development,” said researchers. “In actual operation, they form different families of botnets, but reuse infrastructure such as IP address.”

     Other Gafgyt Botnet Variants

     Gafgyt_tor is only the latest variant of the popular botnet to come to light. In 2019, researchers warned of a new Gafgyt variant adding vulnerable IoT devices to its botnet arsenal and using them to cripple gaming servers worldwide. In 2018, researchers said they discovered new variants for the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall; as well as a separate attack actively launching two IoT/Linux botnet campaigns, exploiting the CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers. More recently, last year a botnet called Hoaxcalls emerged, as a variant of the Gafgyt family. The botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager.

     Source: D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant
  8. A newly-wormable Windows botnet is ballooning in size

     Researchers say a botnet targeting Windows devices is rapidly growing in size, thanks to a new infection technique that allows the malware to spread from computer to computer.

     The Purple Fox malware was first spotted in 2018 spreading through phishing emails and exploit kits, a way for threat groups to infect machines using existing security flaws. But researchers Amit Serper and Ophir Harpaz at security firm Guardicore, which discovered and revealed the new infection effort in a new blog post, say the malware now targets internet-facing Windows computers with weak passwords, giving the malware a foothold to spread more rapidly.

     The malware does this by trying to guess weak Windows user account passwords by targeting the server message block, or SMB — a component that lets Windows talk with other devices, like printers and file servers. Once the malware gains access to a vulnerable computer, it pulls a malicious payload from a network of close to 2,000 older and compromised Windows web servers and quietly installs a rootkit, keeping the malware persistently anchored to the computer while also making it much harder to be detected or removed.

     Once infected, the malware then closes the ports in the firewall it used to infect the computer to begin with, likely to prevent reinfection or other threat groups hijacking the already-hacked computer, the researchers said. The malware then generates a list of internet addresses and scans the internet for vulnerable devices with weak passwords to infect further, creating a growing network of ensnared devices.

     Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which are often then used to launch denial-of-service attacks to pummel organizations with junk traffic with the aim of knocking them offline. But with control of these devices, criminal operators can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers. But this kind of wormable botnet presents a greater risk as it spreads largely on its own.

     Serper, Guardicore’s vice president of security research for North America, said the wormable infection technique is “cheaper” to run than its earlier phishing and exploit kit effort. “The fact that it’s an opportunistic attack that constantly scans the internet and looks for more vulnerable machines means that the attackers can sort of ‘set it and forget it’,” he said.

     It appears to be working. Purple Fox infections have rocketed by 600% since May 2020, according to data from Guardicore’s own network of internet sensors. The actual number of infections is likely to be far higher, amounting to more than 90,000 infections in the past year. Guardicore published indicators of compromise to help networks identify if they have been infected.

     The researchers do not know what the botnet will be used for but warned that its growing size presents a risk to organizations. “We assume that this is laying the groundwork for something in the future,” said Serper.

     Source: A newly-wormable Windows botnet is ballooning in size
9. The bitcoin blockchain is helping keep a botnet from being taken down

Wallet transactions camouflage the IP address of the botnet's control server.

When hackers corral infected computers into a botnet, they take special care to ensure they don’t lose control of the server that sends commands and updates to the compromised devices. The precautions are designed to thwart security defenders who routinely dismantle botnets by taking over the command-and-control server that administers them in a process known as sinkholing. Recently, a botnet that researchers have been following for about two years began using a new way to prevent command-and-control server takedowns: by camouflaging one of its IP addresses in the bitcoin blockchain.

Impossible to block, censor, or take down

When things are working normally, infected machines will report to the hardwired control server to receive instructions and malware updates. In the event that server gets sinkholed, however, the botnet will find the IP address for the backup server encoded in the bitcoin blockchain, a decentralized ledger that tracks all transactions made using the digital currency.

By having a server the botnet can fall back on, the operators prevent the infected systems from being orphaned. Storing the address in the blockchain ensures it can never be changed, deleted, or blocked, as is sometimes the case when hackers use more traditional backup methods.

“What’s different here is that typically in those cases there’s some centralized authority that’s sitting on the top,” said Chad Seaman, a researcher at Akamai, the content delivery network that made the discovery. “In this case, they’re utilizing a decentralized system. You can’t take it down. You can’t censor it. It’s there.”

Converting Satoshi values

An Internet protocol address is a numerical label that maps the network location of devices connected to the Internet.
An IP version 4 address is a 32-bit number that’s stored in four octets. The current IP address for arstechnica.com, for instance, is, with each octet separated by a dot. (IPv6 addresses are out of the scope of this post.)

The botnet observed by Akamai stored the backup server IP address in the two most recent transactions posted to 1Hf2CKoVDyPj7dNn3vgTeFMgDqVvbVNZQq, a bitcoin wallet address selected by the operators. The most recent transaction provided the third and fourth octets, while the second most recent transaction provided the first and second octets. The octets are encoded in the transaction as a “Satoshi value,” which is one hundred millionth of a bitcoin (0.00000001 BTC) and currently the smallest unit of the bitcoin currency that can be recorded on the blockchain.

To decode the IP address, the botnet malware converts each Satoshi value into a hexadecimal representation. The representation is then broken up into two bytes, with each one being converted to its corresponding integer.

The image below depicts a portion of a bash script that the malware uses in the conversion process. aa shows the bitcoin wallet address chosen by the operators, bb contains the endpoint that looks up the two most recent transactions, and cc shows the commands that convert the Satoshi values to the IP address of the backup server.

(image: Akamai)

If the script was converted into Python code, it would look like this:

(image: Akamai)

The Satoshi values in the two most recent wallet transactions are 6957 and 36305. When converted, the IP address is:

In a blog post being published on Tuesday, Akamai researchers explain it this way:

Knowing this, let’s look at the values of these transactions and convert them into IP address octets. The most recent transaction has a value of 6,957 Satoshis; converting this integer value into its hexadecimal representation results in the value 0x1b2d.
Taking the first byte (0x1b) and converting it into an integer results in the number 45—this will be the 3rd octet of our final IP address. Taking the second byte (0x2d) and converting it into an integer results in the number 27, which will become the 4th octet in our final IP address.

The same process is done with the second transaction to obtain the first and second octets of the C2 IP address. In this case, the value of the second transaction is 36,305 Satoshis. This value converted to its hexadecimal representation results in the hex value of 0x8dd1. The first byte (0x8d) and the second byte (0xd1) are then converted into integers. This results in the decimal numbers 141 and 209, which are the second and first octets of the C2 IP address respectively. Putting the four generated octets together in their respective order results in the final C2 IP address of

Here’s a representation of the conversion process:

(image: Akamai)

Not entirely new

While Akamai researchers say they have never before seen a botnet in the wild using a decentralized blockchain to store server addresses, they were able to find this research that demonstrates a fully functional command server built on top of the blockchain for the Ethereum cryptocurrency. “By leveraging the blockchain as intermediate, the infrastructure is virtually unstoppable, dealing with most of the shortcoming of regular malicious infrastructures,” wrote Omer Zohar, the researcher who devised the proof-of-concept control server lookup.

Criminals already had other covert means for infected bots to locate command servers. For example, VPNFilter, the malware that Russian government-backed hackers used to infect 500,000 home and small office routers in 2018, relied on GPS values stored in images stored on Photobucket.com to locate servers where later-stage payloads were available. In the event the images were removed, VPNFilter used a backup method that was embedded in a server at ToKnowAll.com.
Malware from Turla, another hacking group backed by the Russian government, located its control server using comments posted in Britney Spears’ official Instagram account.

The botnet Akamai analyzed uses the computing resources and electricity supply of infected machines to mine the Monero cryptocurrency. In 2019, researchers from Trend Micro published this detailed writeup on its capabilities. Akamai estimates that, at current Monero prices, the botnet has mined about $43,000 worth of the digital coin.

Cheap to disrupt, costly to restore

In theory, blockchain-based obfuscation of control server addresses can make takedowns much harder. In the case here, disruptions are simple, since sending a single Satoshi to the attacker’s wallet will change the IP address that the botnet malware calculates. With a Satoshi valued at .0004 cent (at the time of research, anyway), $1 would allow 2,500 disruption transactions to be placed in the wallet. The attackers, meanwhile, would have to deposit 43,262 Satoshis, or about $16.50, to recover control of their botnet.

There’s yet another way to defeat the blockchain-based resilience measure. The fallback measure activates only when the primary control server fails to establish a connection or it returns an HTTP status code other than 200 or 405.

“If sinkhole operators successfully sinkhole the primary infrastructure for these infections, they only need to respond with a 200 status code for all incoming requests to prevent the existing infection from failing over to using the BTC backup IP address,” Akamai researcher Evyatar Saias explained in Tuesday’s post.

“There are improvements that can be made, which we’ve excluded from this write-up to avoid providing pointers and feedback to the botnet developers,” Saias added. “Adoption of this technique could be very problematic, and it will likely gain popularity in the near future.”

Post updated to correct amount of Monero mined and to correct spelling of Saias.
The bitcoin blockchain is helping keep a botnet from being taken down
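As an added example (not Akamai's script, the malware's code, or anything from the original post), this Python decoder reproduces the octet assignment the post describes and the two defensive observations that follow it: a single-Satoshi deposit changes the computed address, and the fallback only fires on a failed connection or a status other than 200 or 405. It assumes the byte order the worked numbers imply, low byte of each value first (0x1b2d gives 45 then 27; 0x8dd1 gives 209 then 141), and constructs the transaction list inline; the wallet lookup endpoint is not modelled.

```python
"""Decode a backup C2 IPv4 address from bitcoin Satoshi values and
show why the scheme is cheap to disrupt (added example, not Akamai's code)."""
from typing import List, Optional, Tuple


def satoshis_to_octets(value: int) -> Tuple[int, int]:
    """Split one transaction's Satoshi value into two IPv4 octets.

    Assumption (from the post's worked numbers): the low byte is used
    first, so 6957 = 0x1b2d -> (45, 27) and 36305 = 0x8dd1 -> (209, 141).
    A value that does not fit in 16 bits cannot encode two octets.
    """
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"{value} Satoshis does not fit in two octets")
    low, high = value & 0xFF, value >> 8
    return low, high


def decode_backup_ip(transactions: List[int]) -> str:
    """Rebuild the backup address from a wallet's transaction values.

    `transactions` is ordered oldest to newest. As the post explains, the
    most recent transaction supplies octets 3 and 4 and the one before it
    supplies octets 1 and 2; anything older is ignored.
    """
    if len(transactions) < 2:
        raise ValueError("need at least two transactions")
    second_most_recent, most_recent = transactions[-2], transactions[-1]
    o1, o2 = satoshis_to_octets(second_most_recent)
    o3, o4 = satoshis_to_octets(most_recent)
    return f"{o1}.{o2}.{o3}.{o4}"


def disrupted(transactions: List[int], deposit: int = 1) -> str:
    """Address the bots compute after a defender deposits `deposit`
    Satoshis: the old 'most recent' value slides into the first two
    octets and the deposit becomes octets 3 and 4."""
    return decode_backup_ip(transactions + [deposit])


def restore_cost(original_values: List[int]) -> int:
    """Satoshis the operators must redeposit to put the original two
    values back at the head of the wallet history."""
    return sum(original_values[-2:])


def primary_failed(status_code: Optional[int]) -> bool:
    """Fallback condition described in the post: no connection, or an
    HTTP status other than 200 or 405. A sinkhole that answers 200 to
    everything therefore never triggers the blockchain lookup."""
    return status_code is None or status_code not in (200, 405)


if __name__ == "__main__":
    # Constructed wallet history using the two values quoted in the post.
    history = [36305, 6957]
    print("backup C2 :", decode_backup_ip(history))
    print("after 1 sat:", disrupted(history))
    print("restore    :", restore_cost(history), "Satoshis")
    print("sinkhole 200 triggers fallback?", primary_failed(200))
```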
10. The MyKings botnet (aka Smominru or DarkCloud) is still actively spreading, making massive amounts of money in crypto, five years after it first appeared in the wild.

Being one of the most analyzed botnets in recent history, MyKings is particularly interesting to researchers thanks to its vast infrastructure and versatile features, including bootkits, miners, droppers, clipboard stealers, and more.

The latest team of researchers to look into MyKings is Avast Threat Labs, which gathered 6,700 unique samples to analyze since the beginning of 2020. During the same period, Avast actively prevented over 144,000 MyKings attacks against its clients, most of them based in Russia, India, and Pakistan.

(image: victims heat map, source Avast)

The botnet uses many cryptocurrency wallet addresses, with the balances in some of them being quite high. Avast believes that these wallets' cryptocurrency was amassed by the clipboard stealer and the crypto mining components.

The earnings reflected in the wallet addresses linked to MyKings are approximately $24.7 million. However, since the botnet uses more than 20 cryptocurrencies in total, this amount is only a part of its total financial gains.

(image: earnings concerning three cryptocurrencies, source Avast)

To protect the hardcoded wallet address value from extraction and analysis, the malware encrypts it with a simple ROT cipher. In general, though, no notable upgrades have been spotted on that front in the recent samples.

New URL substitution tricks

Apart from the wallet address substitution that diverts transactions, Avast has also spotted a new monetization technique used by MyKings operators involving the Steam gaming platform.

(image: victimized Steam users complaining about the trade link changes, source Avast)

The latest versions of the malware also feature a new URL manipulation system in the clipboard stealer module, which the attackers created to hijack Steam item trade transactions.
The module changes the trade offer URL, so the actor is placed at the receiving end, stealing valuable in-game items, etc.

Similar functionality was added for the Yandex disk storage cloud service, with MyKings manipulating the URLs sent by users to their acquaintances. The modified links point to Yandex storage addresses containing RAR or ZIP archives named "photos," which deliver a copy of the MyKings malware to these machines.

(image: fake 'photos' archive delivering malware, source Avast)

In 2018, MyKings was growing steadily, with the malware reaching 520,000 infections and making millions of dollars for its operators. Today, it appears that the botnet has grown to new proportions while still managing to remain hidden and free from law enforcement crackdowns.

MyKings botnet still active and making massive amounts of money
11. A new distributed denial-of-service (DDoS) botnet that kept growing over the summer has been hammering Russian internet giant Yandex for the past month, the attack peaking at the unprecedented rate of 21.8 million requests per second.

The botnet received the name Mēris, and it gets its power from tens of thousands of compromised devices that researchers believe to be primarily powerful networking equipment.

Large and powerful botnet

News about a massive DDoS attack hitting Yandex broke this week in the Russian media, which described it as being the largest in the history of the Russian internet, the so-called RuNet.

Details have emerged today in joint research from Yandex and its partner in providing DDoS protection services, Qrator Labs. Information collected separately from several attacks deployed by the new Mēris (Latvian for ‘plague’) botnet showed a striking force of more than 30,000 devices.

From the data that Yandex observed, assaults on its servers relied on about 56,000 attacking hosts. However, the researchers have seen indications that the number of compromised devices may be closer to 250,000.

“Yandex' security team members managed to establish a clear view of the botnet's internal structure. L2TP tunnels are used for internetwork communications. The number of infected devices, according to the botnet internals we’ve seen, reaches 250 000” - Qrator Labs

The difference between the attacking force and the total number of infected hosts forming Mēris is explained by the fact that the administrators do not want to parade the full power of their botnet, Qrator Labs says in a blog post today.

The researchers note that the compromised hosts in Mēris are “not your typical IoT blinker connected to WiFi” but highly capable devices that require an Ethernet connection.
Mēris is the same botnet responsible for generating the largest volume of attack traffic that Cloudflare recorded and mitigated to date, as it peaked at 17.2 million requests per second (RPS). However, the Mēris botnet broke that record when hitting Yandex, as its flux on September 5 reached a force of 21.8 million RPS.

The botnet’s history of attacks on Yandex begins in early August with a strike of 5.2 million RPS and kept increasing in strength:

2021-08-07 - 5.2 million RPS
2021-08-09 - 6.5 million RPS
2021-08-29 - 9.6 million RPS
2021-08-31 - 10.9 million RPS
2021-09-05 - 21.8 million RPS

Technical data points to MikroTik devices

To deploy an attack, the researchers say that Mēris relies on the SOCKS4 proxy at the compromised device, uses the HTTP pipelining DDoS technique, and port 5678.

As for the compromised devices used, the researchers say that they are related to MikroTik, the Latvian maker of networking equipment for businesses of all sizes. Most of the attacking devices had open ports 2000 and 5678. The latter points to MikroTik equipment, which uses it for the neighbor discovery feature (MikroTik Neighbor Discovery Protocol).

Qrator Labs found that while MikroTik provides its standard service through the User Datagram Protocol (UDP), compromised devices also have the same port open over the Transmission Control Protocol (TCP). “This kind of disguise might be one of the reasons devices got hacked unnoticed by their owners,” Qrator Labs researchers believe.

When searching the public internet for open TCP port 5678, more than 328,000 hosts responded. The number is not all MikroTik devices, though, as LinkSys equipment also uses TCP on the same port.

Port 2000 is for "Bandwidth test server," the researchers say. When open, it replies to the incoming connection with a signature that belongs to MikroTik’s RouterOS protocol. MikroTik has been informed of these findings.
The vendor told Russian publication Vedomosti that it is not aware of a new vulnerability to compromise its products. The network equipment maker also said that many of its devices continue to run old firmware, vulnerable to a massively exploited security issue tracked as CVE-2018-14847 and patched in April 2018.

However, the range of RouterOS versions that Yandex and Qrator Labs observed in attacks from the Mēris botnet varies greatly and includes devices running newer firmware versions, such as the current stable one (6.48.4) and its predecessor, 6.48.3.

New Mēris botnet breaks DDoS record with 21.8 million RPS attack
12. A Mirai-based botnet now targets a critical vulnerability in the software SDK used by hundreds of thousands of Realtek-based devices, encompassing 200 models from at least 65 vendors, including Asus, Belkin, D-Link, Netgear, Tenda, ZTE, and Zyxel.

The security flaw that IoT Inspector security researchers found is now tracked as CVE-2021-35395 and was assigned a 9.8/10 severity rating. It impacts many Internet-exposed wireless devices ranging from residential gateways and travel routers to Wi-Fi repeaters, IP cameras, and smart lighting gateways or connected toys.

Attacks began only two days after public disclosure

Since the bug affects the management web interface, remote attackers can scan for unpatched devices and attempt to execute arbitrary code on them remotely, allowing them to take over the impacted devices.

While Realtek shipped a patched version of the vulnerable SDK on August 13, three days before IoT Inspector security researchers published their advisory, this gave vulnerable device owners very little time to apply the patch.

As network security firm SAM Seamless Network discovered, a Mirai botnet began searching for devices unpatched against CVE-2021-35395 on August 18, only two days after IoT Inspector shared details of the bug. "As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild," SAM said in a report published last week.

SAM says that the most common devices using the buggy Realtek SDK targeted by this botnet are the Netis E1+ extender, Edimax N150 and N300 Wi-Fi routers, and the Repotec RP-WR5444 router, mainly used to enhance Wi-Fi reception.

Botnet updated to target new devices

The threat actor behind this Mirai-based botnet also updated their scanners more than two weeks ago to exploit a critical authentication bypass vulnerability (CVE-2021-20090) impacting millions of home routers using Arcadyan firmware.
As Juniper Threat Labs researchers revealed at the time, this threat actor has been targeting network and IoT devices since at least February.

"This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly," said Omri Mallis, chief product architect at SAM Seamless Network. "These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react."

The complete list of affected devices is too long to embed here, but it can be found at the end of the IoT Inspector report.

Botnet targets hundreds of thousands of devices using Realtek SDK
13. Emotet botnet resumes malspam operations after going silent for nearly four months.

Emotet, one of today's largest and most dangerous malware botnets, has returned to life after a period of inactivity that lasted nearly four months, since the end of May this year.

During that time, the botnet's command and control (C&C) servers had been shut down, and Emotet stopped sending out commands to infected bots and stopped running new email spam campaigns to infect new victims. Some security researchers hoped that law enforcement had secretly found a way to shut down the prodigious botnet; however, it was not to be.

New spam campaigns

Emotet started spewing out new spam emails today, Raashid Bhat, a security researcher at SpamHaus, told ZDNet. According to Bhat, the emails contained malicious file attachments or links to malware-laced downloads.

The spam campaign that started spewing today from Emotet's infrastructure is primarily aimed at Polish and German-speaking users. Users who receive these emails, and download and execute any of the malicious files, are exposing themselves to getting infected with the Emotet malware. Once infected, computers are added to the Emotet botnet.

The Emotet malware on infected computers acts as a downloader for other threats. Emotet is known to deliver modules that can extract passwords from local apps, spread laterally to other computers on the same network, and even steal entire email threads to later re-use in spam campaigns.

In addition, the Emotet gang is also known to run their botnet as a Malware-as-a-Service (MaaS), where other criminal gangs can rent access to Emotet-infected computers and drop their own malware strains alongside Emotet. Some of Emotet's most well-known customers are the operators of the Bitpaymer and Ryuk ransomware strains, which have often rented access to Emotet-infected hosts to infect enterprise networks or local governments with their ransomware strains.
Emotet revival was expected

Today's Emotet revival was not a total surprise for security researchers. The Emotet C&C servers went down at the end of May, but they actually came back to life at the end of August. Initially, they didn't start sending out spam right away.

For the past few weeks, the C&C servers have been sitting idly, serving binaries for the Emotet "lateral movement" and "credentials stealing" modules, Bhat told ZDNet in an interview today.

Bhat believes the Emotet operators have spent the last few weeks re-establishing communications with previously infected bots that they abandoned at the end of May, and spreading across local networks to maximize the size of their botnet before moving on to their main operation -- sending out email spam. This ramp-up period was predicted by several security researchers last month, when the Emotet crew turned on the lights on the C&C servers.

The fact that Emotet operations went dead for a few months is not really a "new thing." Malware botnets often go inactive for months for different reasons. Some botnets go dark to upgrade infrastructure, while other botnets go down just because operators take vacations. For example, the Dridex botnet regularly goes down each year between mid-December and mid-January, for the winter holidays.

At the time of writing, it is unclear why Emotet shut down over the summer. Nonetheless, the botnet came back in its previous state, continuing to operate using a dual infrastructure model, effectively running on two separate botnets.

TrickBot replaced Emotet as top botnet

But even if Emotet shut down operations for nearly four months, other botnets didn't take a break. While Emotet had been down, the operators of the TrickBot botnet have taken the title of the most active malware operation on the market.

Emotet and TrickBot share many similarities. Both were banking trojans that were re-coded to work as malware loaders -- malware that downloads other malware.
Both infect victims and then download other modules to steal credentials or move laterally across a network. Furthermore, they both sell access to infected hosts to other malware gangs, such as cryptocurrency mining operations and ransomware operators.

With TrickBot operations in full stride, Emotet coming back to life is bad news for system administrators in charge of protecting enterprise and government networks, both botnets' favorite targets.

Security researchers and system administrators looking for file hashes, server IP addresses, spam email subject lines, and other indicators of compromise (IOCs) can find this data freely shared on Twitter. Cryptolaemus, a group of security researchers tracking the Emotet botnet, is also expected to publish free threat intel data later today.

Source
14. It sounds like something out of a hacking movie: slow heavy metal music plays while the hero goes to town on their keyboard, green text and 3D imagery flashing by. He explains to his partner that he’s going to take the botnet down from the inside; the infected computers will cure themselves. They hit the Enter key like it insulted someone’s mother. The over-sized screen, covered in red dots, slowly starts to turn white. The virus is clear.

The real-life version didn’t happen quite like that, but it might not be far off: French police hijacked and then cleared a botnet with nearly a million infected computers.

Retadup is, according to antivirus firm Avast, a malicious worm affecting Windows machines throughout Latin America. It’s designed to install on the infected machine and then begin mining for cryptocurrency. Avast discovered a flaw in the malware’s command and control server that would allow someone in command of the botnet to remove the malware from infected computers without pushing any new code to those computers.

The firm knew it could clear the botnet, but didn’t have the legal authority to pull the trigger. So it reached out to French police. While the botnet itself focused on Latin America, the botnet’s infrastructure was located in France. In July of this year, the police got the go-ahead from the prosecutor. Avast prepped a disinfection server. When they brought it online, thousands of bots began connecting to it and accepting the self-destruct command.

The whole operation had to be done very carefully. While cryptocurrency mining is a huge waste of power, it’s hardly malicious. If the botnet operators had become aware of the sting operation, they could’ve pushed out ransomware or something a lot more malicious. Sitting unaware, they were simply pulling in passive income.
Don’t skip that antivirus app

The police could provide only limited information to Avast due to privacy laws, but the firm uncovered some interesting stuff. The botnet operators themselves were infected with another worm, Neshta. Avast cheekily notes that its software would’ve protected the Retadup authors.

The firm also noted that of the computers infected, 82% of the systems were running Windows 8.1 or earlier; over 52% ran Windows 7. 85% of the victims had no third-party anti-virus installed. That’s not a problem in itself these days, but many had also disabled whatever protection they did have.

French police believe that the authors were mining several million euros worth of cryptocurrency each year since 2016, and think the botnet extended to as many as 140 countries. The police have not yet apprehended the perpetrators, they said. They say that the authors could re-create a platform like this at any time, and could refocus a new botnet to attack corporations or other institutions.

It really does sound like something out of a movie, and it’s rare that anything that happens on the internet comes out sounding so cinematic.

Source
15. ‘Satori’ IoT Botnet Operator Pleads Guilty

A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.

Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.

According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fibre-optic networking devices.

Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).

Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems.
Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru,” and “Masuta,” and infecting up to 700,000 compromised systems.

The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard.

Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him.

Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.”

As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address [email protected] That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.

People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity.
“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains.

While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.

Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

The investigation into Schuchman and his alleged co-conspirators is being run out of the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet.

It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000. However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”

Source: ‘Satori’ IoT Botnet Operator Pleads Guilty (KrebsOnSecurity - Brian Krebs)
16. Gafgyt has been updated with new capabilities, and it spreads by killing rival malware.

Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals.

A new variant of Gafgyt malware – which first emerged in 2014 – targets small office and home routers from well-known brands, gaining access to the devices via known vulnerabilities. Now the authors of Gafgyt – also known as Bashlite – have updated the malware and are directing it at vulnerabilities in three wireless router models.

The Huawei HG532 and Realtek RTL81XX were targeted by previous versions of Gafgyt, but now it's also targeting the Zyxel P660HN-T1A. In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them.

The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware.

"The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device's resources when launching attacks," Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division told ZDNet. "As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device's full resources dedicated to its attack."

Control of the botnet allows its gang to launch DDoS attacks against targets in order to cause disruption and outages.
While the malware could be used to launch denial of service campaigns against any online service, the current incarnation of Gafgyt appears to focus on game servers, particularly those running Valve Source Engine games, including popular titles Counter-Strike and Team Fortress 2. Often the targeted servers aren't hosted by Valve, but rather are private servers hosted by players. The most common reason for attacks is plain sabotage of other users: some young game players want to take revenge against opponents or rivals. Those interested in these malicious services don't even need to visit underground forums to find them – Unit 42 researchers note that botnet-for-hire services have been advertised using fake profiles on Instagram and can cost as little as $8 to hire. Researchers have alerted Instagram to the accounts advertising malicious botnet services. "There's clearly a younger demographic that they can reach through that platform, which can launch these attacks with little to no skill. It is available to everyone and is easier to access than underground sites," said Davila. As more IoT products become connected to the internet, it's going to become easier for attackers to rope devices into botnets and other malicious activity if devices aren't kept up to date. The routers being targeted by the new version of Gafgyt are all old – some have been on the market for more than five years – so researchers recommend upgrading your router to a newer model and regularly applying software updates to ensure the device is as protected as possible against attacks. "In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords," Davila explained. "The more frequent the better, but perhaps for simplicity, consider timing router updates around daylight savings so at least you're updating twice a year," he added.
Source: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army (via ZDNet)
  17. Lemon Duck Cryptojacking Botnet Changes Up Tactics
The sophisticated threat is targeting Microsoft Exchange servers via ProxyLogon in a wave of fresh attacks against North American targets. The Lemon Duck cryptocurrency-mining botnet has added the ProxyLogon group of exploits to its bag of tricks, targeting Microsoft Exchange servers. That’s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. On the latter front, it’s using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure. Lemon Duck targets victims’ computer resources to mine the Monero virtual currency, with self-propagating capabilities and a modular framework that allows it to infect additional systems that become part of the botnet. It has been active since at least the end of December 2018, and Cisco Talos calls it “one of the more complex” mining botnets, with several interesting tricks up its sleeve. For instance, Lemon Duck has at least 12 different initial-infection vectors – more than most malware – with ProxyLogon exploits being only the latest addition. Its existing capabilities include Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; targeting internet-of-things devices with weak or default passwords; and exploiting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.
“Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons,” according to an analysis released Friday. Cisco Talos researchers previously observed an increase in DNS requests connected with Lemon Duck’s C2 and mining servers last August, with the attacks mainly targeting Egypt, India, Iran, the Philippines and Vietnam. In the latest rash of attacks, which began in April, the group has changed up its geographic targets to focus primarily on North America, followed by Europe and Southeast Asia, and a handful of victims in Africa and South America.
Targeting Exchange Servers with Monero-Mining
ProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware. The highly publicized exploit chain suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to info-stealers, and now financially motivated groups are getting in on the action too. In Lemon Duck’s case, once the Exchange servers are compromised, it executes various system commands using the Windows Control Manager (sc.exe), including copying two .ASPX files named “wanlins.aspx” and “wanlin.aspx.” “These files are likely web shells and were copied from C:\inetpub\wwwroot\aspnet_client\, a known directory where a majority of the web shells were initially observed following Microsoft’s release of details related to Hafnium activity,” according to the research.
Next, Cisco Talos researchers observed the echo command being used to write code associated with a web shell into the previously created ASPX files, and the modification of the Windows registry to enable RDP access to the system. “In this case, several characteristics matched portions of code associated with known China Chopper variants identified days after the Exchange Server vulnerabilities were publicized,” they noted. Other interesting aspects of the latest campaign include the fact that Lemon Duck executes a PowerShell script that downloads and executes an additional malware payload, “syspstem.dat,” which includes a “killer” module which contains a hardcoded list of competing cryptocurrency miners that Lemon Duck disables. The module is run every 50 minutes. Also, the malware is now leveraging Certutil to download and execute two new malicious PowerShell scripts, researchers said. Certutil is a native Windows command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists, and so on. One of the PowerShell scripts, named “dn.ps1,” attempts to uninstall multiple antivirus products, and also retrieves a Cobalt Strike payload.
Cobalt Strike Added to the Mix
Cobalt Strike is a penetration-testing tool that’s commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat actors have since figured out how to turn it against networks to exfiltrate data, deliver malware and create fake C2 profiles that look legitimate and avoid detection. Lemon Duck’s Cobalt Strike payload is configured as a Windows DNS beacon and attempts to communicate with the C2 server using a DNS-based covert channel, researchers noted. The beacon then communicates with this specific subdomain to transmit encoded data via DNS A record query requests.
“This represents a new TTP for Lemon Duck, and is another example of their reliance on offensive security tools (OSTs), including Powersploit’s reflective loader and a modified Mimikatz, which are already included as additional modules and components of Lemon Duck and used throughout the typical attack lifecycle,” according to Cisco Talos.
Lemon Duck’s Fresh Anti-Detection Tricks
While Lemon Duck casts a wide net in terms of victimology, it has been exclusively using websites within the TLDs for China (“.cn”), Japan (“.jp”) and South Korea (“.kr”) for its C2 activities since February, rather than the more familiar “.com” or “.net.” “Considering these [TLDs] are most commonly used for websites in their respective countries and languages…this may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,” according to Cisco Talos. “Due to the prevalence of domains using these [TLDs], web traffic to the domains…may be more easily attributed as noise to victims within these countries.” During the Lemon Duck infection process, PowerShell is used to invoke the “GetHostAddresses” method from the .NET runtime class “Net.Dns” to obtain the current IP address for an attacker-controlled domain, researchers explained. “This IP address is combined with a fake hostname hardcoded into the PowerShell command and written as an entry to the Windows hosts file,” they said. “This mechanism allows name resolution to continue even if DNS-based security controls are later deployed, as the translation is now recorded locally and future resolution requests no longer rely upon upstream infrastructure such as DNS servers. This may allow the adversary to achieve longer-term persistence once operational in victim environments.”
Cryptojackers Take Notice of ProxyLogon
Lemon Duck is not the first cryptomining malware to add ProxyLogon to its arsenal.
For instance, another cryptojacking group was seen in mid-April doing the same thing. That bad code was fairly simple, but also in mid-April a heretofore little-seen Monero-mining botnet dubbed Prometei began exploiting two of the Microsoft Exchange vulnerabilities in ProxyLogon. This malware is also highly complex and sophisticated, Cybereason researchers noted at the time. While cryptojacking is its current game, researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage. The threat will likely continue to evolve, Cisco Talos researchers said. They also observed domains linked to Lemon Duck and another cryptocurrency miner, DLTMiner, used in relation to Microsoft Exchange attacks where ransomware was also deployed. “At this time, there doesn’t appear to be a link between the Lemon Duck components observed there and the reported ransomware (TeslaRVNG2),” according to the analysis. “This suggests that given the nature of the vulnerabilities targeted, we are likely to continue to observe a range of malicious activities in parallel, using similar exploitation techniques and infection vectors to compromise systems. In some cases, attackers may take advantage of artifacts left in place from prior compromises, making distinction more difficult.” Meanwhile, it’s clear that the threat actor behind Lemon Duck is continuously evolving its approach to maximize the ability to achieve its mission objectives, researchers noted. “Lemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet,” they concluded. 
“The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments. … Organizations should remain vigilant against this threat, as it will likely continue to evolve.” Source: Lemon Duck Cryptojacking Botnet Changes Up Tactics
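As an added defender-side example (not from the Cisco Talos research or any Lemon Duck sample), the Python audit below flags hosts-file entries that pin a hostname to a globally routable IP, the pattern the article describes for bypassing DNS-based controls; the hosts content, hostname and addresses are constructed placeholders.

```python
"""Audit a Windows hosts file for hostnames pinned to public IPs.

Added example; not from the Cisco Talos research or any Lemon Duck sample.
Sample content, hostname and IPs below are constructed placeholders.
"""
import ipaddress
from typing import List, Tuple, Union

# Constructed hosts file: stock loopback lines, an ordinary intranet pin,
# one entry of the kind described in the article (public IP pinned to a
# hardcoded hostname so resolution no longer depends on DNS), and a broken line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example      # constructed intranet entry
93.184.216.34   update.example-fake.invalid  # constructed suspicious entry
not-an-ip       broken.example
"""

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) per entry; comments and malformed lines are skipped."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # first field must be an IP
        entries.append((parts[0], parts[1:]))
    return entries


def is_ordinary_target(ip: IPAddress) -> bool:
    """Loopback, private, link-local, multicast and unspecified pins are routine."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified)


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs where a name is pinned to a globally routable IP.

    Such a pin keeps resolving even if DNS-based controls later block the name,
    which is the persistence effect the article describes.
    """
    flagged: List[Tuple[str, str]] = []
    for ip_str, names in parse_hosts(text):
        ip = ipaddress.ip_address(ip_str)
        if not is_ordinary_target(ip):
            flagged.extend((name, ip_str) for name in names)
    return flagged


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts pin to public IP: {name} -> {ip}")
```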
  18. A botnet named after Prometheus jumps is also exploiting Exchange Server flaws
Sometimes a glaring new software vulnerability is all that scammers need to revive a trusty hacking scheme. Just days after Microsoft announced that suspected Chinese spies were exploiting bugs in Microsoft Exchange Server software in March, Russian-speaking attackers controlling a botnet, or army of compromised computers, used those vulnerabilities to conduct a series of intrusions at companies in North America, according to incident responders at security firm Cybereason. The hacks, which are among several breaches involving the Exchange Server vulnerabilities, show how the same bugs in widely used software can be used for very different purposes. And the reemergence of the so-called Prometei botnet, named after the Russian word for Prometheus, the Greek god of fire, is a reminder of the many malicious purposes that the zombie computers serve. Cybereason said it was aware of more than a dozen recent hacking incidents involving the Prometei botnet, which the attackers typically use to generate cryptocurrency. The botnet, first discovered last year, has previously targeted the financial, manufacturing and travel sectors, according to Cybereason. In this case, the operators of Prometei appear to be solely interested in making money. Botnets, though, are frequently used for multiple purposes, and the Emotet and Trickbot hacking tools are so often used to deploy ransomware that U.S. government agencies and tech companies have tried to disrupt them. The Prometei administrators have some of the technical groundwork in place should they want to embrace more “destructive payloads,” like ransomware, according to Cybereason. They use EternalBlue, a stolen U.S. National Security Agency hacking tool that allows malicious code to spread from one machine to another. Still, the attackers have confined themselves to using compromised servers to generate the Monero cryptocurrency.
Ever the opportunists, it’s little surprise that botnet operators were some of the first on the scene when the Exchange Server vulnerabilities were revealed. “Botnet operators usually want to spread fast and mostly infect machines indiscriminately,” Assaf Dahan, Cybereason’s head of threat research, said in an email. Dahan and his colleagues make the case that Prometei has been around since 2016, based on a command they found in the malicious code. Source: A botnet named after Prometheus jumps is also exploiting Exchange Server flaws
  19. Gafgyt Botnet Lifts DDoS Tricks from Mirai
The IoT-targeted malware has also added new exploits for initial compromise, for Huawei, Realtek and Dasan GPON devices. Several variants of the Gafgyt Linux-based botnet malware family have incorporated code from the infamous Mirai botnet, researchers have discovered. Gafgyt (a.k.a. Bashlite) is a botnet that was first uncovered in 2014. It targets vulnerable internet of things (IoT) devices like Huawei routers, Realtek routers and ASUS devices, which it then uses to launch large-scale distributed denial-of-service (DDoS) attacks. It also often uses known vulnerabilities such as CVE-2017-17215 and CVE-2018-10561 to download next-stage payloads to infected devices. The latest variants have now incorporated several Mirai-based modules, according to research from Uptycs released Thursday, along with new exploits. Mirai variants and its code re-use have become more voluminous since the source code for the IoT botnet was released in October 2016. The capabilities nicked from Mirai include various methods to carry out DDoS attacks, according to the research:
HTTP flooding, in which the botnet sends a large number of HTTP requests to a targeted server to overwhelm it;
UDP flooding, where the botnet sends several UDP packets to a victim server as a means of exhausting it;
Various TCP flood attacks, which exploit the normal three-way TCP handshake: the victim server receives a heavy number of requests, resulting in the server becoming unresponsive;
And an STD module, which sends a random string (from a hardcoded array of strings) to a particular IP address.
Meanwhile, the latest versions of Gafgyt contain new approaches for achieving initial compromise of IoT devices, Uptycs found; this is the first step in turning infected devices into bots to later perform DDoS attacks on specifically targeted IP addresses.
These include a Mirai-copied module for Telnet brute-forcing, and additional exploits for existing vulnerabilities in Huawei, Realtek and GPON devices. The Huawei exploit (CVE-2017-17215) and the Realtek exploit (CVE-2014-8361) are both used for remote code execution (RCE), to fetch and download the Gafgyt payload, according to the analysis. “The Gafgyt malware binary embeds RCE exploits for Huawei and Realtek routers, by which the malware binary, using ‘wget’ command, fetches the payload,” according to Uptycs. “[It] gives the execution permission to payload using ‘chmod’ command, [and] executes the payload.” The GPON exploit (CVE-2018-10561) is used for authentication bypass in vulnerable Dasan GPON routers; here, the malware binary follows the same process, but can also remove the payload on command. “The IP addresses used for fetching the payloads were generally the open directories where malicious payloads for different architectures were hosted by the attacker,” researchers added.
IoT Botnet Variants Abound
IoT botnets like Gafgyt are constantly evolving. For instance, researchers in March discovered what they said is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network. Mirai hasn’t disappeared either: a new variant of the botnet was recently discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices. Since mid-February, the variant has been targeting six known vulnerabilities – and three previously unknown ones – in order to infect systems and add them to a botnet. It’s only the latest variant of Mirai to come to light. Last year, a version dubbed Mukashi was seen taking advantage of a pre-authentication command-injection vulnerability found in Zyxel NAS storage devices. “Malware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code,” Uptycs researchers said.
To protect against these kinds of botnet infections, users should regularly monitor for suspicious processes, events and network traffic spawned on the execution of any untrusted binary, researchers recommended. And, users should keep all systems and firmware updated with the latest releases and patches. Source: Gafgyt Botnet Lifts DDoS Tricks from Mirai
  20. New P2P botnet infects SSH servers all over the world
Botnet is hard to detect and with no centralized control server, harder to take down. Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. P2P botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down. “What was intriguing about this campaign was that, at first sight, there was no apparent command and control (CNC) server being connected to,” Guardicore Labs researcher Ophir Harpaz wrote. “It was shortly after the beginning of the research when we understood no CNC existed in the first place.” The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:
In-memory payloads that never touch the disks of infected servers.
At least 20 versions of the software binary since January.
A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines.
The ability to backdoor infected servers.
A list of login credential combinations used to suss out weak login passwords that’s more “extensive” than those in previously seen botnets.
Put that all together and...
Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that’s effective, difficult to detect and resilient to takedowns.
The new code base—combined with rapidly evolving versions and payloads that run only in memory—make it hard for antivirus and other end-point protection to detect the malware. The peer-to-peer design makes it difficult for researchers or law enforcement to shut down the operation. The typical means of takedown is to seize control of the command-and-control server. With servers infected with FritzFrog exercising decentralized control of each other, this traditional measure doesn’t work. Peer-to-peer also makes it impossible to sift through control servers and domains for clues about the attackers. Harpaz said that company researchers first stumbled on the botnet in January. Since then, she said, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecom companies, and universities. The botnet has so far succeeded in infecting 500 servers belonging to “well-known universities in the US and Europe, and a railway company.”
Full featured
Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server.” (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it’s possible that the “malware server” is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren’t immediately available to clarify.) To infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys the botnet uses to send commands and receive data. “This program, which we named frogger, allowed us to investigate the nature and scope of the network,” Harpaz wrote.
“Using frogger, we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic.” Before infected machines reboot, FritzFrog installs a public encryption key to the server’s “authorized_keys” file. The certificate acts as a backdoor in the event the weak password gets changed. The takeaway from Wednesday’s findings is that administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect. The report has a link to indicators of compromise and a program that can spot infected machines.
Source: New P2P botnet infects SSH servers all over the world
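An added example, not part of the Ars Technica article or of Guardicore's frogger tool: a Python audit of an authorized_keys file that fingerprints each key the way OpenSSH does (SHA256 over the decoded key blob) and reports any key absent from an administrator's allowlist, which is how an appended backdoor key like the one described above would surface. The sample file and its key blobs are constructed and cryptographically meaningless; only the file format is real.

```python
"""Audit an SSH authorized_keys file against a fingerprint allowlist.

Added example; not Guardicore's frogger tool or FritzFrog code. Key blobs are
constructed and cryptographically meaningless; only the file format is real.
"""
import base64
import hashlib
from typing import Dict, List, Set

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _constructed_blob(key_type: str, seed: int) -> str:
    """Build a well-formed (SSH wire format) but fake key blob for the sample file."""
    name = key_type.encode()
    fake_point = bytes((seed + i) % 256 for i in range(32))
    raw = (len(name).to_bytes(4, "big") + name
           + len(fake_point).to_bytes(4, "big") + fake_point)
    return base64.b64encode(raw).decode()


# Constructed file: one key the admin knows (with an options prefix) and one
# appended without a comment, the way the article says FritzFrog adds its key.
SAMPLE_AUTHORIZED_KEYS = (
    "# managed by config management\n"
    f'from="10.0.0.5" ssh-ed25519 {_constructed_blob("ssh-ed25519", 1)} admin@workstation\n'
    "\n"
    f'ssh-ed25519 {_constructed_blob("ssh-ed25519", 99)}\n'
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict[str, str]]:
    """Parse lines of the form [options] <type> <base64 blob> [comment]."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                       # no recognizable key on this line
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:                 # binascii.Error is a ValueError
            continue                       # blob is not valid base64
        entries.append({
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def unexpected_keys(text: str, allowlist: Set[str]) -> List[Dict[str, str]]:
    """Keys whose fingerprint is not on the allowlist: a likely backdoor on a managed host."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in allowlist]


if __name__ == "__main__":
    known = {fingerprint(_constructed_blob("ssh-ed25519", 1))}
    for entry in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print(f"unexpected {entry['type']} key {entry['fingerprint']} "
              f"comment={entry['comment']!r}")
```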
  21. The Qbot botnet uses a new template for the distribution of their malware that uses a fake Windows Defender Antivirus theme to trick you into enabling Excel macros. Qbot, otherwise known as QakBot or QuakBot, is Windows malware that steals bank credentials, Windows domain credentials, and provides remote access to threat actors who install ransomware. Victims usually become infected with Qbot through another malware infection or via phishing campaigns using various lures, including fake invoices, payment and banking information, scanned documents, or invoices.
Example Qbot spam email (Source: Brad Duncan)
Attached to these spam emails are malicious Excel (.xls) attachments. When opened, these attachments will prompt a user to 'Enable Content' so that malicious macros will run to install the Qbot malware on a victim's computer. To trick a user into clicking the 'Enable Content' button, and thus enabling macros, threat actors use stylized document templates that pretend to be from a trustworthy organization or from your operating system. On August 25th, the Qbot switched to a new template that pretends to be an alert from Windows Defender Antivirus, claiming that the document is encrypted. To decrypt the document, users need to click on 'Enable Editing' or 'Enable Content' to decrypt it using the 'Microsoft Office Decryption Core.'
New 'Windows Defender Antivirus' Qbot attachment
Once 'Enable Content' is clicked, malicious macros will be executed that download and install the Emotet malware on a victim's computer. To people who work in cybersecurity, are IT admins, or Windows enthusiasts, the above message appears silly and made up. To casual users, though, it is convincing enough that many would follow the instructions and become infected with Qbot.
Why it's essential to recognize Qbot attachments
Over the past couple of months, Qbot has seen increased distribution, especially after being delivered in spam spewed forth by the Emotet botnet.
When infected, Qbot performs various malicious activities that allow threat actors to gain access to your bank accounts and your network. Once they gain access to a network, they install ransomware such as ProLock throughout the system. Due to this, it is vital to recognize the malicious document templates used by Qbot so that you do not accidentally become infected. Source
  22. Tor is still DHE 1024 (NSA crackable)
After more revelations, and expert analysis, we still aren't precisely sure what crypto the NSA can break. But everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys. Assuming no "breakthroughs", the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips. The problem with Tor is that it still uses these 1024 bit keys for much of its crypto, particularly because most people are still using older versions of the software. The older 2.3 versions of Tor uses keys the NSA can crack, but few have upgraded to the newer 2.4 version with better keys. You can see this for yourself by going to a live listing of Tor servers, like http://torstatus.blutmagie.de/. Only 10% of the servers have upgraded to version 2.4. Recently, I ran a "hostile" exit node and recorded the encryption negotiated by incoming connections (the external link encryption, not the internal circuits). This tells me whether they are using the newer or older software. Only about 24% of incoming connections were using the newer software. Here's a list of the counts:
14134 -- 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
5566 -- 0xc013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
2314 -- 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
905 -- 0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1 -- 0xc012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
The older software negotiates "DHE", which are 1024 bit Diffie-Hellman keys. The newer software chooses ECDHE, which are Elliptical-Curve keys. I show the raw data because I'm confused by the last entry, I'm not sure how the software might negotiate ECDHE+3DES, it seems like a lulz-worthy combination (not that it's insecure -- just odd). Those selecting DHE+3DES are also really old I think. I don't know enough about Tor, but I suspect anything using DHE+3DES is likely more than 5 years old.
(By the way, I used my Ferret tool to generate this, typing "ferret suites -r ".) The reason software is out of date is because it takes a long time for repositories to be updated. If you type "apt-get install tor" on a Debian/Ubuntu computer, you get the 2.3 version. And this is what pops up as the suggestion of what you should do when you go to the Tor website. Sure, it warns you that the software might be out-of-date, but it doesn't do a good job pointing out that it's almost a year out of date, and the crypto the older version is using is believed to be crackable by the NSA. Of course, this is still just guessing about the NSA's capabilities. As it turns out, the newer Elliptical keys may turn out to be relatively easier to crack than people thought, meaning that the older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, that the NSA is best at cracking. Therefore, I'd suggest that the Tor community do a better job getting people to upgrade to 2.4. Old servers with crackable crypto, combined with the likelihood the NSA runs hostile Tor nodes, means that it's of much greater importance.
by Robert Graham from Errata Security
The feds pay for 60 percent of Tor’s development. Can users trust it?
This week, we learned that the NSA had managed to circumvent much of the encryption that secures online financial transactions and other activities we take for granted on the Internet. How? By inserting backdoors into the very commercial software designed to keep sensitive medical records, bank files and other information private. The NSA’s sustained attempt to get around encryption calls into question many of the technologies people have come to rely on to avoid surveillance. One indispensable tool is Tor, the anonymizing service that takes a user’s Internet traffic and spits it out from some other place on the Web so that its origin is obscured.
So far there’s no hard evidence that the government has compromised the anonymity of Tor traffic. But some on a Tor-related e-mail list recently pointed out that a substantial chunk of the Tor Project’s 2012 operating budget came from the Department of Defense, which houses the NSA. Last year, DoD funding accounted for more than 40 percent of the Tor Project’s $2 million budget. Other major donors include the U.S. State Department, which has an interest in promoting Internet freedom globally, and the National Science Foundation. Add up all those sources, and the government covers 60 percent of the costs of Tor’s development. Tor Executive Director Andrew Lewman wrote in an e-mail to users that just because the project accepts federal funding does not mean it collaborated with the NSA to unmask people’s online identities. “The parts of the U.S. and Swedish governments that fund us through contracts want to see strong privacy and anonymity exist on the Internet in the future,” Lewman wrote. “Don’t assume that ‘the government’ is one coherent entity with one mindset.” And Roger Dingledine, a founder of the Tor Project, says that the Defense Department money is much more like a research grant than a procurement contract. “They aren’t ‘buying products’ from us,” Dingledine tells me. “They’re funding general research and development on better anonymity, better performance and scalability and better blocking-resistance. Everything we do we publish in the open.” Dingledine acknowledges that “bad guys” could conceivably introduce vulnerabilities into Tor’s open-source code. But one of the major advantages of open-source software is that the product can be inspected by anyone for defects, which raises its security somewhat. There’d only be a problem if the NSA were somehow able to insert malicious code that nobody recognized. The NSA didn’t immediately respond to a request for comment Friday afternoon. 
Update: Roger Dingledine writes in to explain why the government has never asked the Tor Project to install a backdoor: I think this is mainly due to two reasons: A) We’ve had that faq entry up for a long time, including the part where we say we’ll fight it and that we have lots of lawyers who will help us fight it. So they know it won’t be easy. B) I do a lot of outreach to various law enforcement groups to try to teach them how Tor works and why they need it to be safe. See e.g. the first two paragraphs of this: I think ‘A’ used to be a sufficient reason by itself, but now we’re reading about more and more companies and services that have tried to fight such a request and given up. The architecture of the Tor network makes it more complex (there’s no easy place in the deployed network to stick a backdoor), but that doesn’t mean they won’t try. I guess we rely on ‘B’ for now, and see how things go.
Source
Large botnet cause of recent Tor network overload
Recently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailing list. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser or the Syrian civil war. At the time of writing, the amount of Tor clients actually appears to have more than quintupled already. The graph shows no signs of a decline in growth, as seen below: An alternative recurring explanation is the increased usage of botnets using Tor, based on the assertion that the increase appears to consist of mostly new users to Tor that apparently are not doing much given the limited impact on Tor exit performance. In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users.
A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.

Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently, and coinciding with the uptick in Tor users, the botnet switched to Tor as the method of communication for its command and control channel.

The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited number of networks. When these numbers are extrapolated to a per-country and global scale, they are definitely in the same ballpark as the Tor user increase. Thus one important thing to note is that this was an already existing botnet of massive scale, even prior to the conversion to using Tor and .onion as the command and control channel.

As pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is

The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD-based).

Typically, it is fairly clear what the purpose of malware is, such as banking, click fraud, ransomware or fake anti-virus malware. In this case, however, it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale.
We have, however, no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does, however, originate from a Russian-speaking region, and is likely motivated by direct or indirect financially related crime.

This specific version of the malware, which includes the Tor functionality, will install itself in:

%SYSTEM%\config\systemprofile\Local Settings\Application Data\Windows Internet Name System\wins.exe

Additionally, it will install a Tor component in:

%PROGRAMFILES%\Tor\Tor.exe

This location is regularly updated with new versions.

Related md5 hashes:

2eee286587f76a09f34f345fd4e00113 (August 2013)
c11c83a7d9e7fa0efaf90cebd49fbd0b (September 2013)

Related md5 hashes from non-Tor version:

4841b5508e43d1797f31b6cdb83956a3 (December 2012)
4773a00879134a9365e127e2989f4844 (January 2013)
9fcddc45ae35d5cdc06e8666d249d250 (February 2013)
b939f6ef3bd292996f97aa5786757870 (March 2013)
47c8b85a4c82ed71487deab68de196ba (March 2013)
3e6eb9f8d81161db44b4c4b17763c46a (April 2013)
a0343241bf53576d18e9c1329e6a5e7e (April 2013)

Source

New Tor packages

There's a new Tor release to hopefully help mitigate some of the problems with the botnet issues Tor is experiencing. All packages, including the beta Tor Browser Bundles, have been updated. Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.4.17-beta-1)
Update Tor to
Update NoScript to
Update HTTPS Everywhere to 4.0development.11

Source
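A host-side check built from the indicators in the Mevade write-up above, added here as an example and not code from Fox-IT or this forum: it hashes candidate files against the MD5 list given in the write-up and expands the two documented install paths from a caller-supplied %VAR% mapping. The mapping, and the placeholder handling for %SYSTEM% (passed through as written rather than guessed), are assumptions of this example.

```python
import hashlib
import os
import re

# MD5 hashes of the Mevade/Sefnit samples listed in the write-up above.
MEVADE_MD5 = {
    "2eee286587f76a09f34f345fd4e00113": "Tor-enabled version (August 2013)",
    "c11c83a7d9e7fa0efaf90cebd49fbd0b": "Tor-enabled version (September 2013)",
    "4841b5508e43d1797f31b6cdb83956a3": "non-Tor version (December 2012)",
    "4773a00879134a9365e127e2989f4844": "non-Tor version (January 2013)",
    "9fcddc45ae35d5cdc06e8666d249d250": "non-Tor version (February 2013)",
    "b939f6ef3bd292996f97aa5786757870": "non-Tor version (March 2013)",
    "47c8b85a4c82ed71487deab68de196ba": "non-Tor version (March 2013)",
    "3e6eb9f8d81161db44b4c4b17763c46a": "non-Tor version (April 2013)",
    "a0343241bf53576d18e9c1329e6a5e7e": "non-Tor version (April 2013)",
}

# Install locations named in the write-up, with the %VAR% placeholders as given.
SUSPECT_PATHS = [
    r"%SYSTEM%\config\systemprofile\Local Settings\Application Data"
    r"\Windows Internet Name System\wins.exe",
    r"%PROGRAMFILES%\Tor\Tor.exe",
]


def expand_placeholders(path, env):
    """Substitute %NAME% tokens from env; unknown tokens stay verbatim (assumed
    behaviour, so a missing variable never silently becomes a wrong path)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_files(paths, known_hashes=MEVADE_MD5):
    """Return {path: description} for existing files whose MD5 is a known IoC.
    Exact-hash matching only catches these builds; the path check below is the
    complementary signal that survives the frequent Tor.exe updates noted above."""
    hits = {}
    for path in paths:
        if os.path.isfile(path) and md5_of_file(path) in known_hashes:
            hits[path] = known_hashes[md5_of_file(path)]
    return hits


def suspect_paths_present(env, paths=SUSPECT_PATHS):
    """Documented install locations that exist after expanding %VAR%s from env."""
    return [p for p in (expand_placeholders(p, env) for p in paths) if os.path.exists(p)]
```

Run on a live host, pass the real environment (for example `dict(os.environ)` with a `SYSTEM` entry of your choosing) and feed `scan_files` the expanded paths plus any other executables worth checking.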