Topic Summary

Posted by: cowlag
« on: 28. October 2010., 22:30:26 »

That's crazy, I would not want to be that guy. Also, security tool has spread pretty quickly; I wish there was a way to trace that one down and find out where it came from...
Posted by: Samker
« on: 28. October 2010., 16:44:19 »


Bredolab-infected PCs Downloading Fake Antivirus Software - Antivirusplus


A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.

The latest look at the botnet by FireEye's Malware Intelligence Lab shows that two domains are being used to issue instructions to infected computers. PCs that are infected with Bredolab are programmed to check in with certain domains in order to receive new commands, wrote Atif Mushtaq, of FireEye: http://blog.fireeye.com/research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html

One domain, which is on an IP (Internet protocol) address registered with a colocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus, Mushtaq said. Cybercriminals have found that fake antivirus programs can be a thriving business. If infected, users are badgered to buy the programs, which offer little or no actual protection from threats on the Internet.

The other domain is instructing computers compromised with Bredolab to send spam. That domain is hosted on an IP address assigned to a colocation facility in Russia.

The infected computers that are communicating with the domains appear to have a variant of Bredolab installed, Mushtaq wrote. Malware authors frequently have to modify the code in order to avoid detection by antivirus software.

Mushtaq submitted the Bredolab variant to VirusTotal, an online service that accepts malware samples and checks to see whether 42 different security software suites detect it. VirusTotal includes some of the most widely sold products from vendors such as Symantec, Trend Micro and McAfee.

As of Wednesday, only one product detected it, Mushtaq wrote. The results, however, are not surprising: much new malware remains undetected for a short time. When a vendor discovers it, the sample is shared throughout the security community, increasing the chances that other security software will pick it up.

The main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers on Monday and shut down their communication with infected PCs. Police uploaded their own code to those infected computers -- estimated to number as many as 29 million -- warning that the computer was infected.

Working with Dutch police, Armenian authorities arrested a 27-year-old man on Tuesday for allegedly controlling Bredolab. If he is extradited to the Netherlands, he could face between four and six years in prison.

The Bredolab variant that is still working may have come from the original Bredolab code, which may have been leaked and used by someone other than its author, Mushtaq wrote.

"This is not so unusual," Mushtaq wrote. "According to some confirmed sources, Cutwail (a famous spam botnet) code was leaked when one of the developers left the original bot herder's team and started building his own botnet."

It's also possible that a portion of the Bredolab botnet was rented to some other gang, Mushtaq wrote. Security experts have said that Bredolab was rented out to other cybercriminals, who could then upload their own specific code to infected machines or use the computers for spamming.

Authorities have shut down most of Bredolab's command-and-control servers, so Mushtaq wrote on Tuesday that "a big portion of this botnet has been dismantled and is never going to recover": http://blog.fireeye.com/research/2010/10/bredolab-severely-injured-but-not-dead.html

Still, cybercriminals who are involved with Bredolab are taking a higher risk: Dutch prosecutors said on Wednesday that they are still investigating and could make more arrests.

"No doubt some of the bot herders are still untouched and committed enough to continue their operations even under this extra scrutiny," Mushtaq wrote.

(PCW)
Posted by: dss2010
« on: 28. October 2010., 03:02:52 »

Without the help and cooperation of law enforcement around the world, how can we expect the Internet to become safer?  Security software protects us from threats after the fact, so we only have law enforcement to protect users preemptively.  It is great that this man was caught, but to imagine that he may not even be charged is totally counterintuitive.

Thanks for sharing.
Posted by: Samker
« on: 27. October 2010., 07:25:39 »


DNS – Alleged Botnet Mastermind Held in Armenia

At the request of the Dutch Public Prosecution Service, Armenian police arrested the probable mastermind behind the criminal Bredolab botnet network at the international airport in Yerevan.

The network was taken down Monday by the Dutch High Crime Tech Team.

Bredolab botnets are utilized by criminals worldwide to distribute spam and viruses.

During the takedown of the Bredolab network at a Dutch hosting provider, the suspect made several attempts to take back control of the botnet. When his efforts failed, he made a massive attack with 220,000 infected computers on the hosting provider.

This attack, called DDoS, was terminated after three computer servers in Paris used by the suspect were disconnected from the internet.

Armenian authorities will not extradite the man, an Armenian national, to the Netherlands, where he would face four to six years in prison if convicted on computer crime charges, according to Threatpost. That means Dutch authorities will have to try him in Armenia if he is charged. It’s unclear what charges - if any - will be brought against the man who was arrested, Threatpost said.

More than 100,000 computer users have been warned that their computers are part of the botnet.

The High Crime Tech Team already received 55 responses from users whose computers were compromised.

More: http://dns.tmcnet.com/topics/internet-security/articles/111701-alleged-botnet-mastermind-held-armenia.htm

Posted by: vishwanath99
« on: 27. October 2010., 06:24:26 »

It's a sophisticated and organised cyber crime.
 
Posted by: Samker
« on: 26. October 2010., 15:45:06 »
Dutch police and net security organisations have teamed up to dismantle many of the command and control servers associated with the Bredolab botnet.

The Bredolab Trojan, which has spyware components that allow criminals to capture bank login details and other sensitive information from compromised machines, has infected an estimated 30 million computers worldwide since its emergence in July 2009.

Infected machines remain pox-ridden but the command system associated with the cybercrime network has been decapitated, following an operation led by hi-tech police in The Netherlands.

The Dutch Forensic Institute NFI, net security firm Fox-IT and GOVCERT.NL (the Dutch computer emergency response team) assisted in the operation which involved the takedown of 143 servers associated with the botnet. Fox-IT used the botnet itself to alert infected victims that there was a problem with their machines, directing them to a notice here: http://teamhightechcrime.nationale-recherche.nl/nl_infected.php

The command systems were hired by unidentified cybercrooks from hosting provider LeaseWeb, which co-operated in the dismantling of the botnet.

A statement (in English) by the Dutch National Crime Squad on the takedown operation can be found here: http://www.om.nl/actueel/nieuws-_en/@154338/dutch_national_crime

(ElReg)


If you have problem with Bredolab botnet-trojan, download and run Microsoft Removal Tool:
http://scforum.info/index.php/topic,4510.0.html


