Researchers Say Kelihos Gang Is Building New Botnet
alphadogg writes "The cyber-criminal gang that operated the recently disabled Kelihos botnet has already begun building a new botnet with the help of a Facebook worm, according to security researchers from Seculert. Security experts from Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project announced that they took control of the 110,000 PC-strong Kelihos botnet on Wednesday using a method called sinkholing. That worm has compromised over 70,000 Facebook accounts so far and is currently distributing a new version of the Kelihos Trojan."
Re: (Score:2)
Relatively low (compared to XP/Win7) and continually declining marketshare would be my guess.
Re: (Score:2)
Because Vista was so shitty that even malware crashed before being able to execute.
Two deadly vectors of infection... (Score:4, Insightful)
Another reason I'm glad I don't use Facebook or Windows.
Re:Two deadly vectors of infection... (Score:4, Insightful)
As a previous poster pointed out, trojans care not if it's Windows, Linux, Mac OSX or BSD because the user is the weak link, not the OS. All you need is 1) a trojan for that OS and 2) a user that gives the trojan permissions - most infections I've come across on Windows lately do not have administrator permissions unless the user does. Likewise, Facebook isn't so much the weak link as users are because they'll click on anything.
Re: (Score:3)
So why does this only infect Windows? Are Linux and Mac users smarter? Are all Facebook users incredibly stupid? Do only Linux and Mac users realize that it's stupid to type in your password for some random software? Are only Windows users smart enough to remember their administrator passwords? Does god hate Windows? Do the people who write trojans hold a particularly low opinion of Windows users? Are they trying to educate Windows users? Is that possible? I know a few Windows users and they don't s
Re: (Score:2)
You could try "+1 Funny".
Re: (Score:2)
You could try "+1 Funny".
I could, but I was trying for a "+1 Funny" myself.
Re: (Score:2)
So why does this only infect Windows? Are Linux and Mac users smarter?
I suspect that there are a few reasons for targeting Windows.
Re: (Score:2)
As a previous poster pointed out, trojans care not if it's Windows, Linux, Mac OSX or BSD because the user is the weak link, not the OS.
True in theory.
Real life begs to differ, though. Geeks regularly forget about real life. In your head, your password policy grants your users great passwords at a theoretical complexity of 10^18. In real life, the actual complexity is closer to 10^7 due to patterns.
Same with the trojans and other malware. Yes, theoretically some classes of malware could be just as easily targeted on OS X or Linux. In reality, though, OS X has about 15% market share and less than 1% virus share, while Linux has 5% market sh
Re: (Score:2)
This is why Windows will never truly be a Real OS.
Re: (Score:2)
You were successfully trolled.
Re: (Score:2)
BTW. Copy pasta is great! Needs a little salt
Re: (Score:2)
DEAR APK,
I've already had to scroll past this same post twice IN THIS THREAD ALONE.
You have copy/pasted the exact same set of directions to just about every security related article for the past several months.
We've all already seen it, and it's just wasting space.
If you want to inform new people, fine.
Put together your own web site, post all of these directions in a single place where you can keep them up to da
Re: (Score:2)
Fine, you're awesome, incredible, and one of the most accomplished programmers the world has ever seen.
I don't care, and it doesn't negate anything that I said.
You act like a dick with low self esteem who likes to blow his own horn on other people's web sites.
No one cares what you have done when we can look at and test the actual information you are presenting, so quit with the self promotion.
I wasn't being condescending, nor was I trying to be insulting.
Instead I was simply pointing out t
is facebook the new preferred target for attacks? (Score:1)
seems prime for that.. with the average smart user there having the i.q. of a 90s aol'er.
Anonymous (Score:3, Funny)
We all knew Anonymous would strike again. Why aren't the authorities doing something about these criminals?
Maybe what we need to do is make it so that nobody can access the internet without supplying a sample of their DNA. And then make it so that all communications from the user to the internet are logged in an extremely verbose manner, and have a system of spy networks at the ready to detect subversive behavior. The governments could intentionally put things like porn or questionable books like Fahrenheit 451, 1984, or The Diary of Anne Frank on the internet and then arrest civilians when they try to access them.
I wish I were in a position of power where I could institute a program like that in the United States of America. For too long we have strayed from the Lord's Path, and we need a true leader to bring this country back in the right direction.
Comment removed (Score:5, Insightful)
Re:How many of those were linux pc's again? None (Score:2, Insightful)
Linux isn't some magic bullet that is immune to trojans
repeat after me, Linux is the kernel, Linux is the kernel, Linux is the kernel, Linux is the kernel, Linux is the kernel, Linux is the kernel, Linux is the kernel, Linux is the kernel, Linux is the kernel
as long as whatever happens to be the payload can access user's files and see what the user does and can make network connections that's all it needs
How do you pretend to deliver that payload exactly? Heck, every Linux distribution out there is totally different from the others, they have different ABIs (elibc, glibc, uclibc), different kernel versions which are also patched differently. They run different window managers and different desktops environ
Re: (Score:3)
People running Linux are also more educated.
Isn't the front line of defense in security a vigilant and knowledgeable userbase, not the OS/kernel? Yeah, yeah, I know, it's a free-ponies-for-all pipe dream.
Re:How many of those were linux pc's again? None (Score:5, Insightful)
How do you pretend to deliver that payload exactly? Heck, every Linux distribution out there is totally different from the others, they have different ABIs (elibc, glibc, uclibc), different kernel versions which are also patched differently. They run different window managers and different desktop environments. People running Linux are also more educated.
And nearly all will run bash, python and perl scripts. A malicious payload doesn't have to be a compiled binary.
Re: (Score:2)
So yes, that would work, if the user:
1) accepts the download of the malicious trojan.
2) manually sets the executable bit of the file
3) doesn't bother to look at the contents of the -readable- script.
4) manually runs the script.
I run Linux and love it, but even though my view is biased even I have to admit that no system is immune to the dancing pigs problem [wikipedia.org].
Let's say the trojan is a new game on Freshmeat and distributed as an rpm or deb package for Linux and exe install file for Windows. User will happily dpkg the file on their system and that will be the end of that.
You would very easily have a full project on Sourceforge with the code perfectly clean, but have the pre-compiled binaries specially modified. Sure you won't get thos
Re: (Score:3)
It's a simple case of majority-ism. Most facebook users will be on Windows and probably IE, so if you're going to make a trojan, to make your job easy that's who you target.
Security isn't limited to exploits in the scope of a user's OS; it's all about privacy, and messing in their web-identified spaces also counts as a security violation.
Re: (Score:1)
People running Linux are also more educated.
My grandma is running Linux, I wouldn't call her that educated.
Re: (Score:1, Funny)
apt-get install trojan
E: Unable to locate package trojan
Nope, doesn't work.
Re: (Score:2)
Of course it isn't. However, unlike any OS that Microsoft has ever sold, security is part of the basic design, not something that's tacked on later as an afterthought. And, as others have pointed out, Linux isn't a monoculture, the way Windows is. There are only a few versions of Windows out there, all of them, almost without exception, using the same file manager and desktop environment. Most of them use the same email client and office suite, a
Re: (Score:2)
I am sick and tired of this MS FUD. ... why do I keep coming here?
Your bias is based on 10 to 15 year old facts on deprecated or nearly deprecated kernels and apis. I think it is a sign of insecurity to blindly follow something when facts are contrary.
Last week a slashdotter said with a straight face that he is waiting for the first ever unix virus as they do not exist and was gloating. I kindly reminded him where the term root*kit came from. Root sounds like a Linux account if you ask me.
I have seen fi
Re: (Score:2)
FUD? Are you denying, then, that well over 90% of all the viruses found "in the wild" target MS Windows and that the rest target the Mac OS? Are you claiming that there is, currently, malware out there designed to target Linux? If so, I'd like to know about it because I've never heard of it.
As far as root kits go, you either need to have access to a machine to install one or you need to trick somebody into giving your installer root access, just as you need to get
Re: (Score:1)
Tons of malware target Linux.
SQL injections, *root*kits, and php vulnerabilities all target Linux or the LAMP stack. Linux hosts the servers with the fast pipes and the sensitive credit card data. The Windows PCs serve as the bots to launch the attacks.
Rootkit can be installed by an exploit. The whole oh just do not be root and click on shit is 1990s security. All you need to do is exploit php or your sql database and I can get your server to run my code and then install the rootkit to hide it.
It's that out o
Re: (Score:2)
There is a big difference between a virus or trojan that takes advantage of a flaw in the operating system and one that relies on brute forcing the password to a privileged user account or tricking a user into handing over the password directly.
I support networks for a living, and we also deal with lots of small businesses and residential systems.
The single biggest infection vector on any operating system is third party browser plugins such as flas
Re: (Score:2)
What I find most interesting, however, is the cross-platform attacks. Please note, that I never said that Linux malware is completely impossible, I said that it's nowhere near as much of a danger to Linux a
Re: (Score:2)
I know it's probably a waste of time arguing with AC, but there's one thing I have to point out: I never said that Linux is invulnerable. I didn't because it's not. It is, however, much better at security than Windows and far, far faster at plugging security holes once they're found. If nothing else, not having to wait for Patch Tuesday to distribute things makes it more efficient. And, I might add, the only FUD in this discussion is the straw-men people like you keep coming
Re: (Score:2)
so it's not security through obscurity, it's security through diversity.
either variant of linux on its own is not a large enough target.
this is how wild plants survive better than crops...
Re: (Score:2)
The OS in question bears no relevance here:
Can you show us any current Linux trojans?
Re: (Score:2)
Firstly, Android, while having a Linux kernel, does not act like Linux: it does not require a password to install software like you do in Linux. This is done by the people implementing Android because they want it to be easy and in no way intimidating to the users, so they make it easy to use at the expense of security. Secondly, most of the Android malware are trojan apps that are installed by users; trojans are a user security issue, not an OS security issue. And third, Android is based on Java whichever you hear
Re: (Score:2)
Riighterr!!!! Knew so - how's Android (a Linux) doing, security-wise for years now? Torn up!
Actually, no. More of a beat up.
Despite Microsoft attempting to buy scare stories with free phones, malware on Android is rare and generally easily removed.
"Microsoft is offering five Android malware victims a free Windows Phone 7 phone. The catch? You need to share your rage against Android with the Twitterverse."
http://securitywatch.pcmag.com/none/291668-microsoft-offers-free-windows-phones-to-android-malware-victims [pcmag.com]
"Advanced users are already wary of alarmist declarations from security vendors, and though the malware threat for Android is growing, many consider it overblown, especially when compared to Windows and other desktop operating systems".
http://androidcommunity.com/symantec-backs-off-of-android-malware-claims-after-researchers-cry-foul-20120201/ [androidcommunity.com]
security firms that warn of Android malware 'charlatans and scammers'
http://www.zdnet.com/blog/hardware/are-security-firms-that-warn-of-android-malware-charlatans-and-scammers/16412 [zdnet.com]
Re: (Score:1)
How comical! How comical! APK has already been annihilated. Hillbilly Mutt 20 agrees, and he's an existentialist Armageddon.
How could you possibly delude yourself to such an extreme degree that you believe that someone like APK, who doesn't use the legendary Gamemaker to solve all of his problems, could beat a Gamemaker advocate such as I? The hilarity of such a mindset is simply astounding!
Re: (Score:1)
I know of your true power, APK. I know of it all! I've defeated you time and time again. Don't you dare make me trick into so I can your buttsnap. Don't you dare.
Now fuckin' use Gamemaker instead of your shitty hosts file.
Re: (Score:1)
How comical! How comical! They're all 100% incorrect. Gamemaker reigns supreme. If they were True Puter Experts, like me, they'd be using Gamemaker!
Turn to dust and die now!
Re: (Score:1)
I am one who cannot be defeated by someone like you. You, one who doesn't even use Gamemaker, cannot possibly hope to comprehend my true ferocity!
I'm a buttnude extremist! I have the power! I have the Gamemaker!
You agree with me 100%. That's why you're cowering in the corner and trying to save your public image by saying you're right. But you know otherwise. You know you're 100% wrong.
Re: (Score:1)
A mere clone! Get out of here! You're a mere eyesore!
Gamemaker is the greatest. "Slashdot" and your experts (you) have been utterly annihilated. Now return to Gamemakerdom.
Re: (Score:1)
"I am one who cannot be defeated by someone like you. You, one who doesn't even use Gamemaker, cannot possibly hope to comprehend my true ferocity!
I'm a buttnude extremist! I have the power! I have the Gamemaker!
You agree with me 100%. That's why you're cowering in the corner and trying to save your public image by saying you're right. But you know otherwise. You know you're 100% wrong."
Your ad hominem attacks will never defeat my arguments based in logic.