
World's Most Destructive Botnet Returns With Stolen Passwords and Email In Tow (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: If you've noticed an uptick of spam that addresses you by name or quotes real emails you've sent or received in the past, you can probably blame Emotet. It's one of the world's most costly and destructive botnets -- and it just returned from a four-month hiatus. A post published on Tuesday by researchers from Cisco's Talos security team helps explain how Emotet continues to threaten so many of its targets.

Spam sent by Emotet often appears to come from a person the target has corresponded with in the past and quotes the bodies of previous email threads the two have participated in. Emotet gets this information by raiding the contact lists and email inboxes of infected computers. The botnet then sends a follow-up email to one or more of the same participants and quotes the body of the previous email. It then adds a malicious attachment. The result: malicious messages that are hard for both humans and spam filters to detect. The use of previously sent emails isn't new, since Emotet did the same thing before it went silent in early June. But with its return this week, the botnet is relying on the trick much more. About 25% of spam messages Emotet sent this week include previously sent emails, compared with about 8% of spam messages sent in April.
"To make sending the spam easier, Emotet also steals the usernames and passwords for outgoing email servers," the report adds. "Those passwords are then turned over to infected machines that Emotet control servers have designated as spam emitters. The Talos researchers found almost 203,000 unique pairs that were collected over a 10-month period."

Malwarebytes says Emotet has brought back another tactic where it refers to targets by name in subject lines. "Once opened, the documents attached to the emails claim that, effective September 20, 2019, users can only read the contents after they have agreed to a licensing agreement for Microsoft Word," reports Ars Technica. "And to do that, according to a post from security firm Cofense, users must click on an Enable Content button that turns on macros in Word."

"After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations," Cofense researchers Alan Rainer and Max Gannon wrote. "When run, these executables launch a service that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if a (currently undetermined) criteria of geographical location and organization are met."
  • Too funny (Score:4, Funny)

    by nyet ( 19118 ) on Thursday September 19, 2019 @11:44PM (#59215060) Homepage

    LOL MSWord

    • Good to know some things never change, I guess?

    • Re: (Score:3, Informative)

      I suspect the kick-starter for that spam/malware campaign might have been that outlook.com was hacked at the beginning of this year:
      https://www.theverge.com/2019/... [theverge.com]

      Our mail servers still currently receive more spam/infected emails from apparently valid outlook.com email addresses than last year.

      We host websites for customers that prefer to use outlook.com and we waste a lot of time explaining to them that we have nothing to do with their own outlook.com email addresses being used to send spam/malware to pe

      • Agreed, I get outlook.com mail from outlook servers that is trying to extort me about once a week. I used to forward the full message with headers to abuse at outlook. Nothing, nada, form email response. I switched tactics. I now blacklist outlook.com by default with exceptions for the couple of people that I interact with on outlook.
        I am glad I use pine to read email, and don't use word. Where would I be without Linux??? Funny really, people will ask me from time to time about their computer problems on
        • Except I have never used windows and so I have no clue what they are talking about.

          Windows is exactly like Linux, except that instead of typing on a keyboard, there's a pretty picture that's placed above the keyboard. Attached from the picture-frame, to the keyboard, are a lot of very jittery mechanical gears, sprockets, knobs and metal arms with small rubber parts, all intertwined. They all serve to press the keys on the keyboard for you, in ways that you never would. But I mean, there are PICTURES!!!

  • Require strict RFC compliance
    Use SPF

    Spam problem solved.

    • Re:Easy Peasy (Score:5, Insightful)

      by deek ( 22697 ) on Friday September 20, 2019 @03:26AM (#59215294) Homepage Journal

      Create bot that extracts SMTP mail server, password, and sent email history from infected clients.
      Use details to send spam, quoting a message and subject line that was previously sent to that address.

      Spam problem continues, with the bonus that no RFC or SPF conditions will ever get in the way.

      Read the FA. This is what Emotet is doing.

      • by MrNaz ( 730548 )

        As soon as an SMTP server notices that an account has sent a spam message, expire the SMTP auth password. This ought to be a short-lived problem.

      • Read it yourself.

        The SPAM message that is supposedly sent "From" someone is not sent via the SMTP server that is authorized to be sending on behalf of that user. In other words, other than the appearance of the message, it is still run-of-the-mill fraudulent email that will be received from an unauthorized MTA.

        This is called a "Joe Job" and is very effectively countered by SPF. In fact, it is what SPF was designed for.

    • by Zocalo ( 252965 )
      In my experience SPF is mostly great at one thing; preventing addresses on a domain being used as a source for Joe-Jobs. [Every time I've deployed SPF on a domain the bounces from Joe-Jobs has fallen to near zero pretty much overnight, so I'm guessing most major spambots check SPF before spoofing an email from a given domain. This alone makes it worth deploying, IMHO]. In this case though Emotet is scraping the address book and emails of a victim's PC and sending RFC-compliant emails using already establ
      • No, it is not. The messages are being sent by "normal" spam methods and are Joe Jobs. They are NOT being sent via the authorized MTA (that is, the messages are sent by third-party spam servers, not the user's MTA).
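The disagreement in the thread above comes down to which MTA connects to the receiver: SPF is evaluated on the connecting client's IP, so a Joe Job from a third-party spam server fails, while mail relayed through the victim's own authorized server with stolen credentials passes. This is an added example, not code from the article or from any commenter; it is a simplified evaluator that handles only `ip4`, `ip6` and `all` mechanisms (mechanisms that need DNS, such as `include:`, are treated as no-match so it runs offline), and the SPF record and IPs are constructed.

```python
import ipaddress

# Constructed sample record for the victim's domain (assumption, not a real domain's record).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate client_ip against an SPF TXT record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no SPF record)
    or 'permerror' (malformed network). Only ip4/ip6/all are evaluated;
    include:, a, mx and exists need DNS and are skipped here (assumption).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208 default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # first ':' only, so ip6 args survive
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched, no 'all'


def classify_sender(record, client_ip):
    """Defender-side triage of where an SPF result leaves you."""
    result = check_spf(record, client_ip)
    if result == "pass":
        # Authorized MTA: SPF cannot help; look at credential theft / account takeover.
        return "authorized-mta: check for stolen SMTP credentials"
    if result in ("fail", "softfail"):
        return "joe-job: third-party MTA, reject or quarantine"
    return "inconclusive: SPF gives no verdict"
```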

  • Want to end spam? Put out lots of warnings on every media platform and then target the advertisers: your ad, then you will pay for that spam twice, one payment to the spammer and the next payment a fine; keep it up and that fine becomes a custodial sentence.

    • by MrNaz ( 730548 )

      In other news:

      LA Police have issued an arrest warrant for His Royal Majesty Prince Ekwa Rajakharanaba of Nigeria for repeatedly breaching email spam rules when attempting to find someone providing financial brokerage services.

    • Another way... make email an 'opt in' service, like Whatsapp, Telegram etc.

      It's time to dump SMTP for a webservices-based email protocol that requires opt-in before you can send people crap. This solves the spam issue, and means you're automatically GDPR "compliant" because people have had to opt-in, and can opt out any time they want (and when they do, you can't actually send to them any longer).

  • by phantomfive ( 622387 ) on Friday September 20, 2019 @12:51AM (#59215140) Journal
    The world's most destructive botnet....sends spam? It's not the one that actually ruins devices [zdnet.com], or the one that destroyed nuclear centrifuges, it's the one that spreads by "tricking" people to enable macros in MS Word. Most destructive.

    Oh Lord, save me from these morons, for they care not what words mean.
  • [rant]

    If you do a google search for the meaning of cbd oil you might just find that your gmail will begin being spammed. (I am not a cannabis user so I did not know WTF cbd oil was and could care fucking less either way.)

    The problem is other non-related things happen as well. For instance if you string search for "rat control methods", which I did a few months back, then all of a sudden you may get spam from garbage fishing mail pretending to be a pest control company. Terminix P is one there are others be

  • Any recommendations on videos that may be able to train my idiot relatives to check the links they're clicking after all my attempts to train them have failed?

    • In this particular case it's a reply to an ongoing conversation, so that's going to fool most people.

      In general, by far the most effective phishing training I've ever seen is to simply send them a phishing email once in a while. Send an email using / spoofing a different address or name so it doesn't look like it's coming from you. Include a link or attachment which has a message reminding them that they should not have clicked; if they are seeing the message they goofed.

      A psychologist might be intereste

  • "The result: malicious messages that are hard for both humans and spam filters to detect."

    I would say harder, but considering the number of people that will click on anything, I'm not sure it matters.

    The whole "Microsoft Licensing" thing sounds plausible, which is a sad commentary on the current state of the web. It doesn't matter that the bit about clicking to 'enable' a supposed Microsoft license wasn't true, what matters is that people will accept it as true without so much as a second thought.

    "Oh, a

    • by deek ( 22697 )

      Looks like a Microsoft Office only problem. According to some articles I've read, the macro in the attached doc file doesn't run under Libreoffice.

  • Didn't think so.
    Brain damaged lazy people running Windows and Microsoft crapware.

    • by Dadoo ( 899435 )

      Why are you surprised? I'm certainly not. It never ceases to amaze me the amount of money people are willing to spend trying to make Windows secure, when there are alternatives. The thing that kills me is that a larger company would almost certainly pay less to "fix" the things it thinks are wrong with something like Linux than it costs for all that security software.
