Botnet drama: database theft, IM attacks, financial fraud

Are you a victim? If not, the guy next door might be. According to the story from Wayne Porter and SpywareGuide, two botnets claimed over 150,000 compromised machines, some with RATs (remote administration tools) installed and one machine being used "as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords."

The RAT is used to gain complete access to the end user's PC: files can be uploaded, downloaded, or whatever else the botmaster feels like doing with the machine.

However, what the botnet master really feels like doing is downloading the payment database application to your PC, then scanning for misconfigured shopping carts, using you as the fall guy.

Let us explain further. If an end user clicks on a malicious link passed to them via instant messaging, Remote Administration Server, a commercially available application produced by Famtech, is automatically installed via a "beh.exe". The installer is designed to hide the application in the systray with no interaction from the end user. Once this application is installed, the end user's computer is compromised and can be accessed remotely, with additional malware applications installed on the desktop.

VitalSecurity has more chilling details on the inner workings of the bot masters and hax0rs.

I could point you to forums where bad-guys teach the art of card theft, or where the illusion of control is created by expert Botnet herders, who share corrupted source code with newbies who do nothing but complain that their newly compiled Bots mysteriously fail to work - meanwhile, the experts continue to pull in the dough by profiting off Mr N00b-Hax0r's Bots. Or how about the soft-target dynamic DNS providers...they shut down Botnet domains for 90 days, then relent and reactivate with minimal hassling! One guy has had his Botnet reinstated five times, for God's sake. I could even tell you how people share the latest scripts to "break" Adware vendor coding, [...]

Looking at the files in use, back when these guys first got going, they were using Active X kits via drive-bys to make their money. But like I've been saying for some time now, bad guys are looking to exploit IM more and more. Examining all the files collected here, it's almost like looking at a fossilised history of malware - humble Active X beginnings, a heady dive into IRC and (before you know it) automated spreaders, reworked SDBots and EXEs pointing to multiple DNS entries. The amazing thing here is that they aren't bothering with Adware installs much anymore...but then, considering what they're up to, they don't really need to.

FaceTime press release here.

I've started an informal survey of computer/internet users I come into contact with on a routine basis -- grocery store clerks, neighbors, coffee shop baristas, etc. -- asking a few questions: is their operating system fully updated (patched), do they run an updated antivirus, and do they use a router and/or software firewall. People who answer 'no' to those questions are most at risk of being victims of botnets and the scenarios described above. So far the results are discouraging.
