NEWS - October 26, 2010

Bredolab botnet shut down

2010 is turning out to be a good year for shutting down big botnets.

Latest case: Bredolab.

The Dutch National Crime Squad has announced a major takedown. The people behind the botnet have not been caught, but the servers (hosted in LeaseWeb IP space) have been taken over, effectively shutting down the botnet.

Bredolab is a large family of complicated, polymorphic trojans. They have been distributed via drive-by-downloads and email. Bredolab is known to be connected to email spam campaigns and rogue security products. And the size of the botnet was massive: over 30 million infected computers and close to 150 command & control servers.

Interestingly, the crime squad has announced that they will be sending a warning to infected PCs: "Users of computers with viruses from this network will receive a notice at the time of next login with information on the degree of infection."

So they will probably use the existing botnet infrastructure to send a program to all infected machines, showing them a warning.

This is rarely done because running code on somebody else's computer might be seen as "unauthorized use", possibly making it illegal - although the intentions are obviously good.

Here's a video with more information (Severe warning! It is in Dutch).

Updated to add: The Dutch police are redirecting Bredolab-infected computers to this help page.
Updated to add: A 27-year-old man has been arrested in Armenia. He is under investigation for being one of the operators behind Bredolab.

As Posted @ the F-Secure Weblog

Also: Dutch police behead Bredolab botnet

- Collapse -
Kaspersky Anti-Virus cripples Servers

Since yesterday, Kaspersky anti-virus software has apparently been causing serious problems in some corporate environments. There have been complaints in forums (German language link) from administrators of servers running Kaspersky Anti-Virus about high system load, high enough in some cases to stop the whole system. The reports concern Windows servers with Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition; whether other versions are affected is unclear.

Kaspersky has since confirmed that on Saturday evening, a faulty update for Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition was published. This led to the described load problems on Windows server systems.

As a temporary workaround, administrators of affected systems were advised to disable the signature auto-updates and to roll back to an older signature status. Today, October 25th at 12:46, Kaspersky released a further update to correct the problem.

Also: Misfiring Kaspersky update reduces servers to a crawl

- Collapse -
Apple iOS 4.1 Security Hole Revealed

Anyone can gain access to call history and other private info on iOS 4.1

Commenters on Mac Rumors forums are reporting that Apple's iOS 4.1, the current software running on the iPhone, contains a security loophole that allows anyone who knows the easy trick to bypass the passcode entry screen and gain access to the Phone app.

Here's how it works: At the passcode entry screen, select "Emergency Call." Input any number, hit "Send" and the phone's sleep button in quick, almost simultaneous, succession. You will now have full access to the Phone app, which includes Contacts, Call History, Voicemail, and the Dialer. If you hit "Share Contact" and the camera button, you will also gain access to the Photos app. Simply hitting "Share Contact" or "Email" will allow you to send an e-mail or MMS, Boy Genius adds (see video). And that's about all you can do.

According to The Unofficial Apple Weblog, the loophole doesn't exist on the beta version of iOS 4.2, so it's possible that Apple is already aware of the problem. TUAW also makes the common sense point that the best way to ensure the security of your iPhone (or any other device that may contain sensitive information) is to prevent anyone from gaining physical access.

- Collapse -
Botnet for Sale Business Going Strong, Security Researchers

The group behind an attack on Twitter last year is now in the botnet-renting business - a racket security pros say can be very profitable.

From spamming to harvesting data, botnets are a hot commodity for attackers. But as the Iranian Cyber Army's decision to sell access to its botnet shows, hawking access to compromised computers can be profitable too.

The price of a botnet depends on a number of factors. The first is size, noted Imperva Senior Security Strategist Noa Bar Yosef. Beyond that, it often depends on what type of attack is being planned, the length of the attack, the target and its geo-location.

"Although a rental is based on a multitude of factors as stated above, to give some ballpark figures," she said, "a 24-hour DDoS [distributed denial of service] attack can be anything from a mere $50 to several thousand dollars for a larger network attack. Spamming a million e-mails, given a list, ranges [from] $150 to $200. … A monthly membership for phishing sites is roughly $2,000."

Researchers at Damballa said the company has seen the 24-hour rental of 100,000-strong botnets cost $50 to $200 for a DDoS attack. Symantec, meanwhile, reported its researchers recently found an advertisement for the "Eleonor" botnet with an even lower price tag: just $40 a day, though it was not clear what the buyer would be getting for that.

- Collapse -
The "Iranian Cyber Army" Strikes Back

It all began in December 2009, when a group of hacktivists, which call themselves the "Iranian Cyber Army", defaced several popular websites around the globe, including Twitter and the Chinese search engine Baidu. The defacement pages included messages in English against the US embargo on Iran, as well as a message in Persian that stated "This is a warning".

Fast forward to September 2010. The website of TechCrunch Europe, one of Europe's most popular technology blogs, got hacked. The attackers installed a page which redirected the blog's readers to a crime server. The crime server then executed a script which exploited a vulnerability to silently install malware on the visitors' machines.

Much More than a Single Exploit

While investigating this incident, Seculert Research Lab found what seems to be a connection between the attack against TechCrunch Europe, as well as many other similar worldwide attacks, and the "Iranian Cyber Army" group. The crime server involved in these attacks didn't use a script to exploit only one vulnerability; it was actually using a collection of exploits - aka an exploit kit.

There are numerous different exploit kits being sold in underground forums among cyber criminals. Competition in this crowded and lucrative market is driving authors to create exploit kits with sleek and sexy user interfaces, so the product will be more attractive to potential customers. One such example is the administration panel of the Phoenix exploit kit, which displays a stylish animation of a flying phoenix (Figure 1). [Figure 1: Phoenix Exploit's Kit administration panel]

Also:
Iranian Cyber Army moves into botnets
Iranian Cyber Army behind TechCrunch Europe hack?

- Collapse -
Rapleaf Says It Has Fixed Privacy Issue With Facebook

A company that compiles profiles of Internet users for targeted advertising said it is no longer passing user identifiers used by Facebook and MySpace to advertising networks due to privacy concerns.

Rapleaf, a company based in San Francisco, acknowledged the issue, which was highlighted in a recent Wall Street Journal series of stories concerning data collection and online privacy.

"We realize that even with the best of intentions, we sometimes make mistakes, especially in an industry with technology advances moving so quickly," wrote Rapleaf CEO Auren Hoffman in a blog post on Sunday. "The aggregation of data has big potential upsides and downsides. The bar for data aggregation companies like Rapleaf is very high."

Facebook, MySpace and other online services employ user identifiers, which can appear as a number in the URL of a person's profile. The Wall Street Journal found that many popular Facebook applications such as Farmville were transmitting those user identifiers back to advertisers.

That happened because the applications were looking at the referrer URL, a Web standard that lets a Web site know where a person was previously browsing. Referrers are useful for a variety of reasons, including letting website owners know how people found their site.

But passing referrer URLs on to advertisers is considered risky for privacy. Rapleaf's Hoffman wrote that his company had transmitted the referrers for Facebook and MySpace "to ad networks in a small minority of cases."

"While dozens of companies made the same mistake Rapleaf did, we were the first company to fix it," Hoffman wrote.

Related news: Facebook gets poked in latest privacy gaffe

- Collapse -
Fake Defragmenter Holds PCs for Ransom

[Screenshot of the fake defragmenter, System Defragmenter]

According to CyberDefender's research team, "System Defragmenter pretends to be an optimization program that will scan the hard drive to fix any memory problems and hard disk errors the machine may have." After it runs, trying to launch any program or shortcut on the desktop will just trigger the error message "Scan Hard Drive". The hard drive scan finishes with a warning that the drive has errors that can only be fixed if the user purchases the full program. And, according to CyberDefender, the payment page isn't actually secure but includes a fake "verified" green address bar.

- Collapse -
ISC: Firefox News (0-day vulnerability)

There is a 0day vulnerability for Firefox, including the latest version. This vulnerability is already being exploited, so beware...

The good thing is that Mozilla is quite fast on those and already confirmed the issue and is working to get it fixed.

- Collapse -
Firefox zero-day under attack at Nobel Prize site

Malicious hackers are exploiting a zero-day vulnerability in Mozilla's Firefox browser to launch drive-by download attacks against visitors to the Nobel Prize website.

According to researchers at Norman ASA, Firefox users who surfed to the site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.

The exploit was successful on Firefox versions 3.5 and 3.6, according to Norman.

Once a drive-by download is successful, Norman said the malware would then attempt to connect to two Internet addresses, both of which point to a server in Taiwan.

Mozilla's security response team is investigating the issue, according to a spokesperson.

Also see: Norman Warns Concerning New Vulnerability in Firefox Browser

- Collapse -
56% of all dangerous websites end in .com

.jp is the safest country-level domain

More than half (56 percent) of all risky websites end in .com, says McAfee.

According to the security firm's fourth annual Mapping the Mal Web report, 6.2 percent of websites are dangerous, up from 5.8 percent last year.

Vietnam (.vn) was named the riskiest country-level domain, with 59 percent of all the country's websites being ranked as risky. Meanwhile, Japan (.jp) was named the safest country-level domain for the second year in a row.

"This report underscores how quickly cybercriminals change tactics to lure in victims and avoid being caught," said Paula Greve, director of web security research, McAfee Labs.

- Collapse -
Telstra gains remote access to customers' PCs

Telstra has confirmed that it has started utilizing a new service tool that would help its helpdesk consultants to remotely access customers' computers and smartphones to configure and troubleshoot problems.

Telstra consumer executive director Ms Rebekah O'Flaherty said that the new tool would help them remove the confusion often associated with talking customers through a troubleshooting session. The service would be very helpful for customers who possess limited technical knowledge.

Telstra will make use of LogMeIn Rescue that uses 256-bit SSL encryption, the same security levels trusted by major financial and banking institutions. The company has fully tested the remote access technology before offering it to its customers.

However, an information security specialist has warned that the new tool might prove to be a bad idea as the users could steal passwords to access sensitive information, and even install malware.

- Collapse -
Google illegally divulges user searches, suit claims

Attorneys on Monday accused Google of intentionally divulging millions of users' search queries to third parties in violation of federal law and its own terms of service.

The complaint, filed in federal court in San Jose, California, challenges Google's longstanding practice of including search terms in HTTP referrer headers, which are easily readable by websites that users click on. It claims Google has repeatedly experimented with systems that keep search terms private but has never rolled them out because it has a vested interest in sharing the information with third parties, including search engine optimization services.

"Over protests from privacy advocates, however, Google has consistently and intentionally designed its services to ensure that user search queries, which often contain highly-sensitive and personally-identifiable information ('PII'), are routinely transferred to marketers, data brokers, and sold and resold to countless other third parties," the complaint alleges.

The lawsuit goes on to say that Google can cross-reference search terms with data held by DoubleClick, which in 2007 the search behemoth agreed to buy for $3.1 billion in cash. Combined with a user's IP address and additional information from services including Google Analytics, third parties can connect "the dots of 'anonymous' data" to link queries to a specific individual, a phenomenon known as "reidentification," the complaint states.
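Both the Rapleaf item and the Google lawsuit item above turn on the same mechanism: the HTTP Referer header carries the full URL of the page the visitor came from, and when that URL contains a profile ID (Facebook apps) or a search query (Google results), every third party that serves a resource on the landing page can read it. The script below is an added example, not code from the CNET thread, F-Secure, Rapleaf, Google or any of the articles quoted; it shows what a receiving site can pull out of such a header and what a sanitizing proxy or logging layer should keep instead. The sample referrer URLs and the list of parameter names treated as sensitive (`id`, `uid`, `q`, `query`) are constructed for the example.

```python
"""Added example: what leaks through an HTTP Referer header of the kind
the Rapleaf/Facebook and Google-search stories describe, and how to strip
it. Not code from the thread or the quoted articles; all URLs below are
constructed samples."""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Assumption for the example: these query parameters carry identity
# (social-network profile IDs) or intent (search terms).
SENSITIVE_PARAMS = {"id", "uid", "q", "query"}

# Constructed referrers of the shape the two stories describe.
SAMPLE_REFERERS = [
    "http://apps.facebook.com/farmville/index.php?uid=123456789&ref=bookmarks",
    "http://www.facebook.com/profile.php?id=987654321",
    "http://www.google.com/search?q=hiv+test+results+clinic&ie=UTF-8",
    "http://www.example.com/articles/2010/10/26/news",  # nothing sensitive
]


def extract_sensitive(referer: str) -> dict:
    """What an ad network or other third party embedded on the landing
    page can read from the Referer header: host, path, and any
    identifying or intent-revealing query parameters."""
    parts = urlsplit(referer)
    query = parse_qs(parts.query, keep_blank_values=True)
    leaked = {k: v[0] for k, v in query.items() if k in SENSITIVE_PARAMS}
    return {"host": parts.netloc, "path": parts.path, "leaked": leaked}


def sanitize_referer(referer: str) -> str:
    """Keep what a site owner legitimately needs (which site and page sent
    the visitor) and drop the sensitive parameters before the value is
    logged or forwarded. Fragment is dropped too; browsers never send it."""
    parts = urlsplit(referer)
    query = parse_qs(parts.query, keep_blank_values=True)
    kept = {k: v for k, v in query.items() if k not in SENSITIVE_PARAMS}
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept, doseq=True), ""))


def origin_only(referer: str) -> str:
    """Strictest form: scheme and host only, which is all a referring site
    sends when it opts for an origin-only referrer policy."""
    parts = urlsplit(referer)
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


if __name__ == "__main__":
    for ref in SAMPLE_REFERERS:
        info = extract_sensitive(ref)
        print(f"{info['host']}{info['path']}")
        print(f"   leaks     : {info['leaked'] or 'nothing'}")
        print(f"   sanitized : {sanitize_referer(ref)}")
        print(f"   origin    : {origin_only(ref)}")
```

Run against the constructed samples, the first three referrers give up a Facebook application user ID, a Facebook profile ID and a complete search query respectively; after `sanitize_referer` only the site, page and harmless parameters such as `ref=bookmarks` or `ie=UTF-8` remain, and `origin_only` reduces each to the sending host. The parameter blocklist is the weak point of this approach: any site that puts identity in the path rather than the query (as profile URLs often do) needs the origin-only form.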
