Posts Tagged Botnet
Antivirus Researchers Confirm: Flashback Still Infects More Than 500,000 Macs – Forbes
Posted by Michael B. Calyn in Cyber Security, Social, Society, Technology on April 20, 2012
4/20/2012
Antivirus Researchers Confirm: Flashback Still Infects More Than 500,000 Macs
Dr. Web’s count of Macs actively running Flashback over the last weeks, showing more than half a million machines still infected.
On Wednesday, I wrote that antivirus firms disagreed by enormous margins on how many Macs remain infected by the Flashback trojan, with Kaspersky reporting as few as 30,000 machines still infected and Dr. Web, the Russian security company that first spotted the botnet, counting well over half a million Macs still running the Flashback malware.
Now Symantec has revised its findings, and they don’t look good. The antivirus firm, which earlier reported that only 140,000 machines were infected, now agrees with Dr. Web that the number is probably closer to four times that many.
Dr. Web released new statistics Friday showing that the process of eliminating Flashback from Macs is proceeding much slower than expected: On Friday, the Russian firm released new data showing that 566,000 active infected machines were counted Thursday and 610,000 counted Wednesday. (See chart above.)
Apple released a tool to remove Flashback from Macs late last week, along with several updates to Java over the last month designed to block Flashback’s method of infecting users who visit rigged WordPress blogs that exploited a vulnerability in the plugin. But the slow cleanup rate that Dr. Web has reported implies that only a fraction of users have run Apple’s cleanup program. “There are millions of people who still believe Mac is safe,” Dr. Web chief executive Boris Sharov told me when I spoke with him about his firm’s numbers Wednesday. “They don’t care. Plenty of people are not updating their Java. They say ‘I’m too busy, let’s wait until I have time.’”
Antivirus firms have been tracking the volume of Flashback’s infections by creating false command and control servers–known as sinkholes–to watch how many infected machines phone home to the spoofed machines. Sharov told Wednesday that the other antivirus firms were underestimating the volume of Flashback’s remaining infections because they didn’t have as many command control domains registered as Dr. Web. But Symantec initially disagreed with Dr. Web’s assessment, arguing that all the malware currently cycles through all domains, so any sinkhole should give the count.
But on Friday Symantec updated its blog post to say that in fact, Dr. Web was right. An error in the malware was causing it to “hang” on certain domains and preventing them from registering on Symantec’s sinkhole.
“We were trying to understand the huge discrepancy between our numbers and Dr. Web’s. After reading Dr. Web’s blog, we now believe that between where we were measuring and they were measuring, a server was holding connections” preventing Symantec’s sinkhole from accurately measuring the botnet, Symantec’s Liam O Murchu says. “We’re now confident that what they’re seeing is accurate.”
So far, Flashback has been used only for click fraud, though like any Trojan it’s capable of updating itself for other nasty activities like credit card theft or denial of service attacks.
Apple’s Flashback removal tool can be found here.
Antivirus Researchers Confirm: Flashback Still Infects More Than 500,000 Macs – Forbes.
Related articles
- Flashback botnet not shrinking, huge numbers of Macs still infected (techworld.com.au)
- Flashback botnet not shrinking, huge numbers of Macs still infected (macworld.com)
- Flashback botnet not shrinking, huge numbers of Macs still infected (computerworld.co.nz)
- Infected Macs may be increasing, not declining (technolog.msnbc.msn.com)
- Whoops: Symantec was wrong, some 650K Macs still infected with Flashback (thenextweb.com)
- A Week After Apple’s Fix, Flashback Still Infects Half a Million Macs (apple.slashdot.org)
- Flashback infections not waning after all; 650,000 Macs still hijacked (arstechnica.com)
- New report says Flashback infections remain high (news.cnet.com)
- Flashback Mac botnet shrinks, says Symantec (techworld.com.au)
- Flashback waning, but still infecting about 140,000 Macs (arstechnica.com)
Kelihos gang is building a new botnet, researchers say
Posted by Michael B. Calyn in Cyber Security, Internet on April 1, 2012
Kelihos gang is building a new botnet, researchers say
The cyber criminal gang behind the sinkholed Kelihos botnet can easily regain control over a part of it
By Lucian Constantin, IDG News Service
March 30, 2012
The cyber-criminal gang that operated the recently disabled Kelihos botnet has already begun building a new botnet with the help of a Facebook worm, according to security researchers from Seculert.
Security experts from Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project, announced that they took control of the 110,000 PC-strong Kelihos botnet on Wednesday.
BACKGROUND: International security team shoots down second Hlux/Kelihos botnet
The researchers used a method called sinkholing, which involves infiltrating the botnet’s peer-to-peer (P2P) network with rogue clients and tricking the other peers to report back to command and control servers under their control.
However, one day after the successful sinkholing operation was announced, malware experts from security firm Seculert reported that the Kelihos gang had already started building a new botnet.
The Kelihos gang pays the creators of a Facebook worm to install their Trojan horse on already infected computers. That worm has compromised over 70,000 Facebook accounts so far and is currently distributing a new version of the Kelihos Trojan, Seculert security researchers said in a blog post on Thursday.
However, the Kelihos gang can also leverage the Facebook worm to regain control of the Kelihos bots sinkholed by Kaspersky and its partners, since the worm is still installed on those machines. All it needs to do in order to bypass the sinkhole is pay the worm’s operators to reinfect those computers with the new Kelihos version, said Aviv Raff, Seculert’s chief technology officer, in email.
Sinkholing alone does not result in the complete takedown of botnets, because it doesn’t impact the cyber criminals that operate them or their distribution infrastructure, said Gunter Ollmann, vice president of research at security company Damballa, in a blog post on Thursday.
“If you’re going to take down a botnet you have to take out the criminals at the top. It’s the only way,” Ollmann said. “In the case of P2P-based botnets, there’s very little infrastructure you can get your hands on — and you’ll probably end up having to issue commands to botnet victim devices — which is fraught with legal and ethical problems.”
Ollmann believes that a similar group of researchers will probably attempt to sinkhole the new Kelihos botnet in the future. Unfortunately, cyber criminals can easily escape from this virtual game of Whac-A-Mole by implementing domain generation algorithms as a backup strategy for updating their botnets, he said.
Kelihos gang is building a new botnet, researchers say.
Related articles
- Researchers Say Kelihos Gang Is Building New Botnet (it.slashdot.org)
- Kelihos zombies erupt from mass graves after botnet massacre (go.theregister.com)
- Kelihos.B is still live and social (seculert.com)
- Kelihos Is Dead: Long Live Kelihos (circleid.com)
- Kelihos Botnet Sucked into Netherlands Sinkhole (blogs.wsj.com)
- Second Kelihos botnet downed, 116,000 machines freed (theverge.com)
- Security firms disable the second Kelihos botnet (infoworld.com)
- Staggering Kelihos zombie army smacked down AGAIN (go.theregister.com)
- New Zeus P2P bots: anonymous cyber-crime ready for mass market (arstechnica.com)
- Botnet Shutdown Success Story – again: Disabling the new Hlux/Kelihos Botnet (securelist.com)
Recent Comments