Wins and losses in the war on botnets
The Mariposa botnet may be moribund following the arrests of its operators in Spain in early 2010, but the software that spawned it seems to be having a new lease of life.

The Butterfly bot kit, also known as Palevo, Pilleuz or Rimecud, is the same code used to create the malware for Mariposa. According to botnet monitoring firm Unveillance, it has now been used to build a botnet even larger than Mariposa, perhaps twice as large, with infections seen in at least 172 countries. A handful of the Command and Control (C&C) servers running the Butterfly botnet, dubbed ‘EvilFistSquad’ by Damballa and ‘Metulji’ by Unveillance and PandaLabs, have been taken offline, but others remain highly active. The Butterfly framework incorporates a licence control mechanism that ties bot clients to specific C&C servers, so that multiple botnets can be run by different individuals or groups, each of which will have paid for a licence.

However, in June 2011 a multinational law enforcement operation, involving the FBI, Interpol, the Serbian Ministry of Internal Affairs and the Slovenian Police, arrested two individuals, Aljosa Borkovic and Darko Malinic, and confiscated equipment. In addition to using botnets to steal several hundred thousand dollars from victims’ bank accounts worldwide, the two men are alleged to be the creators of the Butterfly framework, which means that law enforcement officials may now hold information about the other botnet operators who bought licences.

Meanwhile, Kaspersky Lab reports that a botnet known as TDL-4 may control as many as four million computers. It is also quite sophisticated: it uses encryption, peer-to-peer mechanisms for distributing commands to bots, and proxy server functionality through which infected machines can be used to provide anonymous access to the Internet. Recent changes to the software are geared to avoiding detection by security researchers and by rival botnets. Kaspersky believes that TDL-4 infected 4.5 million computers in the first three months of 2011 and has distributed more than 30 malware variants. The botnet’s operators pay third parties to add infected machines to the network, and rent access to it at prices starting at around $100 a month.

On the plus side, following its takeover of the Coreflood botnet, the FBI has revealed that it remotely ‘scrubbed’ around 19,000 victim machines, belonging to 24 organisations, that were infected with the trojan. As part of Operation Adeona, the FBI obtained a court order allowing it to seize servers and other equipment and set up its own C&C server. That allowed it to issue commands to infected machines to uninstall the bot code. Permission was obtained from the victims before the commands were sent. The FBI also said it had been able to identify hundreds of other victims and notify them that their machines were compromised.
Al-Qaeda forum knocked offline
Websites and a forum used as trusted outlets for communication by al-Qaeda have been knocked offline by denial of service attacks. No one has yet claimed responsibility.

In what appear to have been carefully co-ordinated attacks, the forum al-Shamukh was taken down when its primary domain came under attack. Two other jihadist forums, including the Ansar al-Mujahideen Network, were also taken offline. The attacks were noted by Evan Kohlmann of Flashpoint Partners, who studies terrorist organisations. He said that, of the many jihadist forums and websites, al-Shamukh was the only one trusted by al-Qaeda to act as an ‘official’ communications channel. The content of the forum is mirrored, for example at aljahad.com/vb/, and al-Shamukh is likely to come back online when the attacks finish, but the incident has shown the vulnerability of these sites.
EVENTS CALENDAR

30 July – 2 August 2011
Black Hat USA 2011
Las Vegas, Nevada, US
Website: www.blackhat.com

4 – 7 August 2011
Defcon 19
Las Vegas, Nevada, US
Website: www.defcon.org

6 – 15 August 2011
SANS Boston 2011
Boston, MA, US
Website: www.sans.org/boston-2011

30 August – 2 September 2011
44Con
London, UK
Website: www.44Con.com

19 – 20 September 2011
BruCON Security Conference
Brussels, Belgium
Website: www.brucon.org

19 – 27 September 2011
SANS Network Security 2011
Las Vegas, US
Website: www.sans.org/network-security-2011/

11 – 13 October 2011
RSA Conference Europe 2011
London, UK
Website: www.rsaconference.com/events.htm

30 October – 2 November
Black Hat DC 2012
Washington DC, US
Website: www.blackhat.com

2 – 3 November 2011
RSA Conference China 2011
Beijing, China
Website: www.rsaconference.com/events.htm
Network Security, July 2011