Botnet

At Least 1.65 Million Computers Are Mining Cryptocurrency For Hackers So Far This Year (vice.com) 37

According to new statistics released on Tuesday by Kaspersky Lab, a prominent Russian information security firm, 2017 is on track to beat 2016 -- and every year since 2011 -- in terms of the sheer number of computers infected with malware that installs mining software. From a report: So far in 2017, the company says it has detected 1.65 million infected machines. The total amount of infected computers for all of the previous year was roughly 1.8 million. The infected machines are not just home computers, the firm stated in a blog post, but company servers as well. "The main effect for a home computer or organization infrastructure is reduced system performance," Anton Ivanov, a security researcher for Kaspersky, wrote me in an email. "Also some miners could download modules from a threat actor's infrastructure, and these modules could contain other malware such as Trojans [malware that disguises itself as legitimate software]." Ivanov said that the firm doesn't know how much money has been made overall with this scheme, but a digital wallet for one mining botnet that the company identified currently contains over $200,000 USD.
Android

Tech Firms Team Up To Take Down 'WireX' Android DDoS Botnet (krebsonsecurity.com) 29

An anonymous reader quotes a report from Krebs On Security: A half dozen technology and security companies -- some of them competitors -- issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle "WireX," an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more challenging to defend against and thus require broader industry cooperation to defeat. News of WireX's emergence first surfaced August 2, 2017, when a modest collection of hacked Android devices was first spotted conducting some fairly small online attacks. Less than two weeks later, however, the number of infected Android devices enslaved by WireX had ballooned to the tens of thousands. Experts tracking the attacks soon zeroed in on the malware that powers WireX: Approximately 300 different mobile apps scattered across Google's Play store that were mimicking seemingly innocuous programs, including video players, ringtones or simple tools such as file managers.

Experts involved in the takedown say it's not clear exactly how many Android devices may have been infected with WireX, in part because only a fraction of the overall infected systems were able to attack a target at any given time. Devices that were powered off would not attack, but those that were turned on with the device's screen locked could still carry on attacks in the background, they found. The identical press release that Akamai and other firms involved in the WireX takedown agreed to publish says the botnet infected a minimum of 70,000 Android systems, but Seaman says that figure is conservative.

Botnet

A Year After Mirai: DVR Torture Chamber Test Shows Two Minutes Between Exploits (sans.edu) 36

UnderAttack writes: Over two days, the Internet Storm Center connected a default configured DVR to the internet, and rebooted it every 5 minutes in order to allow as many bots as possible to infect it. They detected about one successful attack (using the correct password xc3511) every 2 minutes. Most of the attackers were well known vulnerable devices. A year later, what used to be known as the "Mirai" botnet has branched out into many different variants. But it looks like much hyped "destructive" variants like Brickerbot had little or no impact.
Privacy

Someone Published a List of Telnet Credentials For Thousands of IoT Devices (bleepingcomputer.com) 104

An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."
Social Networks

Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest Malicious Campaigns Ever Recorded on a Social Network' (gizmodo.com) 53

An anonymous reader shares a report: Last week, Twitter's security team purged nearly 90,000 fake accounts after outside researchers discovered a massive botnet peddling links to fake "dating" and "romance" services. The accounts had already generated more than 8.5 million posts aimed at driving users to a variety of subscription-based scam websites with promises of -- you guessed it -- hot internet sex. The accounts were first identified by ZeroFOX, a Baltimore-based security firm that specializes in social-media threat detection. The researchers dubbed the botnet "SIREN" after sea-nymphs described in Greek mythology as half-bird half-woman creatures whose sweet songs often lured horny, drunken sailors to their rocky deaths. ZeroFOX's research into SIREN offers a rare glimpse into how efficient scammers have become at bypassing Twitter's anti-spam techniques. Further, it demonstrates how effective these types of botnets can be: The since-deleted accounts collectively generated upwards of 30 million clicks -- easily trackable since the links all used Google's URL shortening service.
Security

Firm Responsible For Mirai-Infected Webcams Hires Software Firm To Make Its Products More Secure (securityledger.com) 18

chicksdaddy writes from a report via The Security Ledger: After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the U.S. firm Synopsys to "enhance the security of its Internet of Things (IoT) devices and solutions." Dahua, based in Hangzhou, China said it will with Mountain View based Synopsys to "enhance the security of its Internet of Things (IoT) devices and solutions." In a joint statement, the companies said Dahua will be adopting secure "software development life cycle (SDLC) and supply chain" practices using Synopsys technologies in an effort to reduce the number of "vulnerabilities that can jeopardize our products," according to a statement attributed to Fu Liquan, Dahua's Chairman, The Security Ledger reports. Dahua's cameras and digital video recorders (DVRs) figured prominently in the Mirai botnet, which launched massive denial of service attacks against websites in Europe and the U.S., including the French web hosting firm OVH, security news site Krebsonsecurity.com and the New Hampshire based managed DNS provider Dyn. Cybercriminals behind the botnet apparently exploited an overflow vulnerability in the web interface for cameras and DVRs to gain access to the underlying Linux operating system and install the Mirai software, according to research by the firm Level3. In March, Dahua was called out for another, serious vulnerability in eleven models of video recorders and IP cameras. Namely: a back door account that gave remote attackers full control of vulnerable devices without the need to authenticate to the device. The flaw was first disclosed on the Full Disclosure mailing list and described as "like a damn Hollywood hack, click on one button and you are in."
Botnet

Attackers DDoS WannaCry Kill Switch (venturebeat.com) 73

An anonymous reader quotes VentureBeat: As of late Friday, after many of the deadlines threatening data deletion had passed, few victims had paid ransoms. According to Elliptic Enterprises, only about $94,000 worth of ransoms had been paid via Bitcoin, which works out to less than one in a thousand of the 300,000 victims who were reportedly affected by WannaCry... While not as bad as feared, ransomware (not to mention cybersecurity threats in general) isn't going away. Wired reported that the domain registered by Hutchins has been under intense denial-of-service attacks delivered by an army of IoT devices marshalled, zombie-like, by Mirai.
Security

New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com) 115

An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.

EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers of its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.

Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author desires so. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.

Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."
Botnet

Groups War Over Resources For DDoS Attacks (csoonline.com) 23

An anonymous reader quotes CSO: As more groups get into the denial-of-service attack business they're starting to get in each other's way, according to a report released Thursday... There are only so many devices around that have the kind of vulnerabilities that make them potential targets for a botnet. That translates into a smaller average attack size, said Martin McKeay, senior security advocate at Cambridge, Mass.-based Akamai Technologies Inc. There are only so many devices around that have the kind of vulnerabilities that make them potential targets for a botnet. "And other people can come in and take over the device, and take those resources to feed their own botnet," he said. "I'm seeing that over and over."
The article reports a median size for DDoS attacks of 4 gigabits per second at the start of 2015 -- which droped in the first quarter of 2017 down to 500 megabits per second.
Communications

FCC Suspends Net Neutrality Comments, As Chairman Pai Mocks 'Mean Tweets' (gizmodo.com) 184

An anonymous reader writes:Thursday the FCC stopped accepting comments as part of long-standing rules "to provide FCC decision-makers with a period of repose during which they can reflect on the upcoming items" before their May 18th meeting. Techdirt wondered if this time to reflect would mean less lobbying from FCC Chairman Ajit Pai, but on Friday Pai recorded a Jimmy Kimmel-style video mocking mean tweets, with responses Gizmodo called "appalling" and implying "that anyone who opposes his cash grab for corporations is a moron."

Meanwhile, Wednesday The Consumerist reported the FCC's sole Democrat "is deploying some scorched-earth Microsoft Word table-making to use FCC Chair Ajit Pai's own words against him." (In 2014 Pai wrote "A dispute this fundamental is not for us five, unelected individuals to decide... We should also engage computer scientists, technologists, and other technical experts to tell us how they see the Internet's infrastructure and consumers' online experience evolving.") But Pai seemed to be mostly sticking to friendlier audiences, appearing with conservative podcasters from the Taxpayer Protection Alliance, the AEI think tank and The Daily Beast.

The Verge reports the flood of fake comments opposing Net Neutrality may have used names and addresses from a breach of 1.4 billion personal information records from marketing company River City Media. Reached on Facebook Messenger, one woman whose named was used "said she hadn't submitted any comments, didn't live at that address anymore and didn't even know what net neutrality is, let alone oppose it."

Techdirt adds "If you do still feel the need to comment, the EFF is doing what the FCC itself should do and has set up its own page at DearFCC.org to hold any comments."
Security

New Ransomware 'Jaff' Spotted; Malware Groups Pushing 5M Emails Per Hour To Circulate It (theregister.co.uk) 58

An anonymous reader writes: The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". Jaff spreads in a similar way to the infamous file-encrypting malware Locky and even uses the same payment site template, but is nonetheless a different monster. Attached to dangerous emails is an infectious PDF containing an embedded DOCM file with a malicious macro script. This script will then download and execute the Jaff ransomware. Locky -- like Jaff -- also used the Necurs botnet and a booby-trapped PDF, security firm Malwarebytes notes. "This is where the comparison ends, since the code base is different as well as the ransom itself," said Jerome Segura, a security researcher at Malwarebytes. "Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing." Proofpoint reckons Jaff may be the work of the same cybercriminals behind Locky, Dridex and Bart (other nasty malware) but this remains unconfirmed. And Forcepoint Security Labs reports that malicious emails carrying Jaff are being cranked out at a rate of 5 million an hour on Thursday, or 13 million in total at the time it wrote up a blog post about the new threat.
Botnet

New IoT Malware Targets 100,000 IP Cameras Via Known Flaw (csoonline.com) 60

Researcher Pierre Kim has found a new malware, called Persirai, that has been infecting over 100,000 Chinese-made, internet-connected cameras. According to Trend Micro, the malware has been active since last month and works by exploiting flaws in the cameras that Kim reported back in March. CSO Online reports: At least 1,250 camera models produced by a Chinese manufacturer possess the bugs, the researcher went on to claim. Over a month later in April, Trend Micro noticed a new malware that spreads by exploiting the same products via the recently disclosed flaws. The security firm estimates that about 120,000 cameras are vulnerable to the malware, based on Shodan, a search engine for internet-connected hardware. The Persirai malware is infecting the cameras to form a botnet, or an army of enslaved computers. These botnets can launch DDoS attacks, which can overwhelm websites with internet traffic, forcing them offline. Once Persirai infects, it'll also block anyone else from exploiting the same vulnerabilities on the device. Security firm Qihoo 360 has also noticed the malware and estimated finding 43,621 devices in China infected with it. Interestingly, Persirai borrows some computer code from a notorious malware known as Mirai, which has also been infecting IoT devices, such as DVRs, internet routers, and CCTV cameras, but by guessing the passwords protecting them.
Botnet

New Shodan Tool Tracks Down Botnet Command-And-Control Servers (thestack.com) 11

An anonymous reader quotes The Stack: Search engine Shodan has announced a tool to help businesses hunt out and block traffic from malware command-and-control servers. The new Malware Hunter service, which has been designed in a collaborative project with threat intelligence company Recorded Future, continuously scans the internet to locate control panels for different remote access Trojans, including Gh0st RAT, Dark Comet, njRAT, XtremeRAT, Net Bus and Poison Ivy. The internet crawler identifies botnet C2 servers by connecting to public IP addresses and sending traffic which mimics that of an infected device. If the receiver computer sends back a response, that server is flagged.
The article reports that Shodan's Malware Hunter tool has already traced over 5,700 RAT servers -- more than 4,000 of them based in the United States.
Security

A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices (arstechnica.com) 143

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.

Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"
Security

Hacking Group Is Charging German Companies $275 For 'DDoS Tests' (bleepingcomputer.com) 29

An anonymous reader writes: "A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to pay $275 for 'testing their DDoS protection systems,' reports Bleeping Computer. Attacks were reported against DHL, Hermes, AldiTalk, Freenet, Snipes.com, the State Bureau of Investigation Lower Saxony, and the website of the state of North Rhine-Westphalia. The attack against DHL Germany was particularly effective as it shut down the company's business customer portal and all APIs, prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL. While the group advertised on Twitter that their location was in Russia, a German reporter who spoke with the group via telephone said "the caller had a slight accent, but spoke perfect German." Following the attention they got in Germany after the attacks, the group had its website and Twitter account taken down. Many mocked the group for failing to extract any payments from their targets. DDoS extortionists have been particularly active in Germany, among any other countries. Previously, groups named Stealth Ravens and Kadyrovtsy have also extorted German companies, using the same tactics perfected by groups like DD4BC and Armada Collective.
Botnet

BrickerBot, the Permanent Denial-of-Service Botnet, Is Back With a Vengeance (arstechnica.com) 113

An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount a much quicker number of attacks -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.
Botnet

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com) 88

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.
Botnet

New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) 163

An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the amount of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."
The Internet

UW Professor: The Information War Is Real, and We're Losing It (seattletimes.com) 444

An anonymous reader writes: It started with the Boston marathon bombing, four years ago. University of Washington professor Kate Starbird was sifting through thousands of tweets sent in the aftermath and noticed something strange. Too strange for a university professor to take seriously. "There was a significant volume of social-media traffic that blamed the Navy SEALs for the bombing," Starbird told me the other day in her office. "It was real tinfoil-hat stuff. So we ignored it." Same thing after the mass shooting that killed nine at Umpqua Community College in Oregon: a burst of social-media activity calling the massacre a fake, a stage play by "crisis actors" for political purposes. "After every mass shooting, dozens of them, there would be these strange clusters of activity," Starbird says. "It was so fringe we kind of laughed at it. "That was a terrible mistake. We should have been studying it." Starbird argues in a new paper, set to be presented at a computational social-science conference in May, that these "strange clusters" of wild conspiracy talk, when mapped, point to an emerging alternative media ecosystem on the web of surprising power and reach. There are dozens of conspiracy-propagating websites such as beforeitsnews.com, nodisinfo.com and veteranstoday.com. Starbird cataloged 81 of them, linked through a huge community of interest connected by shared followers on Twitter, with many of the tweets replicated by automated bots. Starbird is in the UW's Department of Human Centered Design & Engineering -- the study of the ways people and technology interact. Her team analyzed 58 million tweets sent after mass shootings during a 10-month period. They searched for terms such as "false flag" and "crisis actor," web slang meaning a shooting is not what the government or the traditional media is reporting it to be. Then she analyzed the content of each site to try to answer the question: Just what is this alternative media ecosystem saying? Starbird is publishing her paper as a sort of warning. The information networks we've built are almost perfectly designed to exploit psychological vulnerabilities to rumor. "Your brain tells you 'Hey, I got this from three different sources,'" Starbird says. "But you don't realize it all traces back to the same place, and might have even reached you via bots posing as real people. If we think of this as a virus, I wouldn't know how to vaccinate for it." The report goes on to say that "Starbird says she's concluded, provocatively, that we may be headed toward 'the menace of unreality -- which is that nobody believes anything anymore.'"
Botnet

Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com) 85

"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com: You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said...

"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."

Slashdot Top Deals