Posts Tagged ‘botnet’

The Mariposa botnet made headlines when three of its alleged operators were arrested in Spain prior to its supposed shutdown. This was followed by a sudden and drastic decrease in Mariposa-related incidents, which was very understandable because the botnet was reported to have already been taken down.

Lately, however, Trend Micro has observed a strange increase in activity related to WORM_PALEVO—the Trend Micro detection name for malware related to the Mariposa botnet. The increase started late in the fourth quarter of 2010.

“It seems that despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to abuse.ch, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name—Mariposa,” explained Jessa De La Torre, Trend Micro’s Threat Response Engineer.

“We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same,” De La Torre said.

WORM_PALEVO is a modularized bot mainly used to perform distributed denial-of-service (DDoS) attacks and to download other files. As a commercial bot, its modules can be separately bought should herders want to add features such as propagation, browser monitoring and hijacking, cookie stuffing, and flooding and download routines to their creations. The bots communicate with their C&C server using UDP, which firewall devices do not typically block.

Center for Strategic and International Studies, CSIS, has found that the complete source code for the ZeuS botnet crime kit is being distributed on several underground forums as well as through other channels. CSIS has also collected several addresses from which the ZeuS source code is being distributed in a compressed zip archive. The company says it has also downloaded, unzipped and compiled the code to confirm its authenticity. Peter Kruse, Partner & Security Specialist at CSIS, says, “We can hereby confirm that the complete ZeuS/Zbot source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks.”

ZeuS/Zbot is already considered to be among the most pervasive banking Trojans in the global threat landscape. It is an advanced, highly configurable crime kit. With the release and leakage of the source code, ZeuS/Zbot could easily become even more widespread and an even bigger threat than it already is today.

The source code would greatly help security companies analyze how this advanced botnet really works, and this could mark a breakthrough for an industry that is struggling to keep pace with highly advanced malware that is increasingly difficult to detect. However, it would also give other malware writers a head start in advanced virus and botnet development.

Arbor Networks, a security and network management solutions provider, announced today the Arbor Pravail Availability Protection System (APS), a new product family focused on securing the Internet data center (IDC) edge. An important new capability introduced within the Arbor Pravail APS is Cloud Signaling, a protocol that bridges the gap between the data center edge and the provider cloud, where Arbor’s Peakflow SP platform is pervasively deployed. The addition of Cloud Signaling automates the connecting of service providers, network operators and data center customers with the mission to ensure the availability of IDC infrastructure and speed time-to-mitigation for distributed denial of service (DDoS) attacks.

Cloud Signaling enables optimal protection of the Internet data center from availability threats, identifying and mitigating application-layer attacks at the data center edge and volumetric denial of service attacks in the provider cloud. No other vendor is able to offer this comprehensive, automated protection against availability threats to IDC infrastructure.

For the second consecutive year, botnet-driven volumetric and application-layer DDoS attacks continue to be the most significant problems facing network operators, according to the Arbor Networks 2010 Worldwide Infrastructure Security Report. In 2010, for the first time, volumetric DDoS attacks topped the 100 Gbps barrier and an alarming 77 percent of respondents detected application-layer attacks. These application-layer attacks are targeting both end customers and network operators’ own critical support services, such as HTTP, Web and domain name system (DNS) services. IDC operators reported that application-layer DDoS attacks are leading to significant outages, increased operational expenditures (OPEX), customer churn and revenue loss. Moreover, enterprises point to the DDoS threat to the data center – the availability of services and data – as one of the biggest obstacles for organizations looking to move to cloud-based infrastructure today.

Cloud Signaling addresses the need for a coordinated response to both aspects of today’s increasingly complex DDoS threat – the magnitude of the largest volumetric attacks and the sophistication of the latest application-layer denial of service attacks. Working with its Internet service provider (ISP) and managed security services provider (MSSP) customers, Arbor Networks has developed a protocol to facilitate both customer on-premise mitigation of application-layer attacks and upstream mitigation of volumetric attacks in an automated, real-time manner. Arbor customers who utilize Cloud Signaling can offer their own customers comprehensive, integrated protection from the data center edge to the service provider cloud.

When a data center operator discovers that they are under a service-disrupting DDoS attack, they can choose to mitigate the attack in the cloud by triggering a signal to upstream infrastructure of their provider’s network. A volumetric DDoS attack congesting the upstream links would immediately diminish or disappear altogether from the data center’s access links and service availability would be protected. IDC customers also benefit from real-time monitoring of the attack mitigation, as well as granular post-mortem reports with details of the attack and the steps taken by the operator to mitigate the attack, keeping them in control and maintaining their expertise in command of the event. The addition of Cloud Signaling into the ISP/MSSP portfolio further strengthens the overall managed DDoS service offering by providing customers with complete DDoS protection from a single dashboard. Cloud Signaling enables the IDC operator to reduce time to mitigation and increase the effectiveness of response against DDoS threats, thus saving the company from major operational expense and preserving the company’s reputation.

Following the infection of more than 2 million computers worldwide, most of which were based in the United States, the US Department of Justice, in association with Microsoft, has moved swiftly to file civil complaints, issue a restraining order and obtain numerous criminal seizure warrants.

The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud, and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names. Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” said U.S. Attorney David B. Fein for the District of Connecticut. “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”

“The actions announced are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware,” said Assistant Attorney General Lanny A. Breuer of the Criminal Division. “Law enforcement will continue to use innovative and responsible actions in our fight against cyber criminals and at the same time, we urge consumers to ensure they are continually taking prudent measures to guard against harm, including routinely updating anti-virus security protection.”

“Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation’s information infrastructure,” said Shawn Henry, Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch. “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure.”

According to court filings, Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server. A computer infected by Coreflood and subject to remote control is referred to as a “bot,” short for “robot.” According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.

Coreflood steals usernames, passwords, and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.

In the enforcement actions announced today, five C & C servers that remotely controlled hundreds of thousands of infected computers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C & C servers. As authorized by the TRO, the government replaced the illegal C & C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.

The Coreflood malware on a victim’s computer is programmed to request directions and commands from C & C servers on a routine basis. New versions of the malware are introduced through the C & C servers on a regular basis, in an effort to stay ahead of security software and other virus updates. If the C & C servers do not respond, the existing Coreflood malware continues to run on the victim’s computer, collecting personal and financial information. The TRO authorizes the government to respond to these requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computer. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers. Limiting the defendants’ ability to control the botnet gives computer security providers time to update their virus signatures and malicious software removal tools, so that all victims have a reliable tool available to them that removes the latest version of the malware from an infected computer.
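Both the WORM_PALEVO item above (bots talking to their C&C over UDP, which perimeter firewalls often pass) and the Coreflood filing just described (bots requesting commands from their C&C servers "on a routine basis") point at the same defender-side observable: a host that checks in with one remote endpoint on a near-fixed schedule. The example below, added here and not taken from Trend Micro, the DOJ filings or any vendor, scores outbound flow records for that periodicity. The flow records, IP addresses, ports and thresholds are all constructed for the example; the detection logic is generic and not tied to either malware family.

```python
"""Beacon detection over constructed flow records (added example).

Groups outbound flows by (source, destination, protocol, port), measures the
gaps between successive flows on each channel, and flags channels whose gaps
have a small coefficient of variation (stdev / mean), i.e. a near-constant
check-in interval. All data below is constructed; nothing comes from a real
capture.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp_seconds, src_ip, dst_ip, proto, dst_port)
FLOWS = [
    # 10.0.0.20 contacts one host over UDP/5900 roughly every 60 s: beacon-like
    (0, "10.0.0.20", "198.51.100.7", "udp", 5900),
    (61, "10.0.0.20", "198.51.100.7", "udp", 5900),
    (119, "10.0.0.20", "198.51.100.7", "udp", 5900),
    (180, "10.0.0.20", "198.51.100.7", "udp", 5900),
    (241, "10.0.0.20", "198.51.100.7", "udp", 5900),
    (299, "10.0.0.20", "198.51.100.7", "udp", 5900),
    # 10.0.0.21 does ordinary DNS lookups: a recurring but allowlisted service
    (5, "10.0.0.21", "10.0.0.53", "udp", 53),
    (9, "10.0.0.21", "10.0.0.53", "udp", 53),
    (70, "10.0.0.21", "10.0.0.53", "udp", 53),
    (71, "10.0.0.21", "10.0.0.53", "udp", 53),
    (200, "10.0.0.21", "10.0.0.53", "udp", 53),
    (201, "10.0.0.21", "10.0.0.53", "udp", 53),
    # 10.0.0.22 browses a web site: enough flows, but bursty and irregular
    (3, "10.0.0.22", "203.0.113.10", "tcp", 443),
    (4, "10.0.0.22", "203.0.113.10", "tcp", 443),
    (90, "10.0.0.22", "203.0.113.10", "tcp", 443),
    (91, "10.0.0.22", "203.0.113.10", "tcp", 443),
    (300, "10.0.0.22", "203.0.113.10", "tcp", 443),
]

# UDP services that legitimately recur (DNS, NTP); tune for the environment.
ALLOWLIST_UDP_PORTS = {53, 123}


def find_beacons(flows, min_flows=5, max_cv=0.15, allowlist=ALLOWLIST_UDP_PORTS):
    """Return [(src, dst, proto, port, mean_gap, cv)] for periodic channels.

    min_flows guards against scoring channels with too few samples; max_cv is
    the jitter tolerance (0.15 means gaps vary by at most ~15% of their mean).
    """
    by_channel = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        if proto == "udp" and port in allowlist:
            continue  # known-recurring infrastructure traffic, skip it
        by_channel[(src, dst, proto, port)].append(ts)

    beacons = []
    for channel, times in by_channel.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all flows share a timestamp; not a schedule
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((*channel, avg, cv))
    return beacons


if __name__ == "__main__":
    for src, dst, proto, port, avg, cv in find_beacons(FLOWS):
        print(f"{src} -> {dst} {proto}/{port}: every {avg:.0f}s (cv={cv:.3f})")
```

Only the UDP/5900 channel is reported: the DNS host is excluded by the allowlist and the web host, although it has enough flows, fails the jitter test. In practice the same logic runs over exported NetFlow or firewall logs, with the allowlist and thresholds tuned to the network's own baseline; a hit is a lead for inspection, not proof of infection.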

DOJ and FBI are working with Internet service providers around the U.S. to identify and notify as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Identified owners of infected computers will also be told how to “opt out” from the TRO, if for some reason they want to keep Coreflood running on their computers. At no time will law enforcement authorities access any information that may be stored on an infected computer.

While this enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely. Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware. The best defense against such malware, and botnets in general, is for users to ensure their computers are protected by regularly-updated anti-virus security software.

McAfee has announced enhancements to its Network Security Platform. The latest release of McAfee Network Security Platform includes enhanced botnet control through reputation intelligence, virtual network inspection and a traffic analysis port for network monitoring, forensics and other advanced analysis engines.

In the most recent Gartner Magic Quadrant for Network IPS, Gartner states, “As vulnerability research has improved, the gap between vulnerability exploitation and IPS signatures to protect that vulnerability has closed. Future protection improvements of significance will come from bringing intelligence into the IPS from external sources instead – points the IPS does not normally have visibility within.”

Real-time, reputation-based intelligence through McAfee Global Threat Intelligence provides McAfee Network Security Platform users with additional context for enforcing network security policies, not to mention faster, more accurate threat detection.

The latest release of McAfee Network Security Platform includes:

  • Enhanced botnet control: File and network connection reputation feeds from cloud-based McAfee Global Threat Intelligence allow Network Security Platform to perform in-line botnet prevention based on over 60 million malware samples and the reputation of hundreds of millions of network connections, drawn from over two billion IP reputation queries each month. This external intelligence provides vital context for faster, more accurate detection and prevention.
  • Traffic analysis port: Traffic redirect capabilities allow arbitrary network traffic to be subjected to additional inspection by McAfee and third-party products, including data loss prevention, network forensics and advanced malware analysis tools.
  • Virtual network inspection: Enables Network Security Platform sensors to examine inter-virtual-machine traffic in virtual environments and provide attack detection for virtual data center environments. Network Security Platform can inspect traffic both within virtual environments and between virtual and physical environments, giving organizations the same level of visibility regardless of where the traffic flows.

As enterprises consolidate data centers, adopt cloud services and virtualize critical infrastructure, they need a way to unify security management across physical and virtual infrastructures. In partnership with Reflex Systems, a player in virtualization management solutions, McAfee brings its threat detection and security management to virtual environments.

“Virtualization is becoming a standard part of every enterprise data center infrastructure – be it in-house or in the cloud – and organizations are recognizing that they must extend enterprise-class security and management into the virtual environment,” said Preston Futrell, President and CEO of Reflex Systems. “We are pleased to partner with McAfee to help customers seamlessly integrate virtualization security and management into their existing security infrastructure, systems and best-practices.”

Together, McAfee and Reflex Systems will offer integrated virtual and physical security and management that enables customers to holistically monitor and understand security issues, easily apply best practices, and provide comprehensive reporting for compliance purposes across the current and next generation data center infrastructure.

“When building out Savvis’ enterprise cloud offerings, it was imperative that we base our cloud architecture on a strong security foundation with the right tools to provide customers peace of mind as they begin leveraging new cloud technologies in the data center,” said Ken Owens, Savvis technical vice president for security and virtualization technologies. “Bringing together two best-of-breed solutions like Reflex and McAfee to meet the unique, dynamic security and management challenges in both the physical and virtual infrastructure will go a long way in helping accelerate the adoption of virtualization and cloud technology.”