Bredolab Botnet Still Active

More Tax Payment malware news today, with a resurgence of the Bredolab botnet.

Our MessageLabs Anti-Virus Service reported a suspicious email, similar to the Tax Spam Malware Warning yesterday. The message title once again was “Your Tax Payment ID [Random Number] is failed”.

This time Symantec reported it as Trojan.Bredolab, which is a likely resurfacing of the Bredolab botnet.

The Bredolab botnet was partially dismantled in November 2010 through the seizure by Dutch law enforcement agents of 143 command and control servers, effectively removing the botnet herder’s ability to control the botnet centrally. Although the botnet’s size and capacity have been severely reduced by the law enforcement intervention, it evidently has not been eliminated.

A PC infected with Bredolab shows a number of effects, as the malware:

  • Downloads more malware on to the compromised computer
  • Lowers the security settings on the infected computer
  • May result in file deletion

If your anti-virus software or mail gateway informs you that it has detected Bredolab, follow the instructions and do not open any affected files. To make sure that your machine does not get infected, keep your anti-virus software switched on and the signatures up to date.

Further resources

Uniform Traffic Ticket Malware Spam

If you live anywhere except the City of New York you may have been surprised to receive an email recently which claims to come from the New York State Department of Motor Vehicles. Even if you aren’t based in the United States, or don’t even drive a car, you may well see the message, which poses as a “Uniform Traffic Ticket” and says that you are charged with speeding at 7:25 AM on the 5th July 2011.

People may be tempted to open the attachment out of curiosity, or even alarm if they have been driving in New York City, but do not, or you may end up with a computer infected with malware.

However, the message is certainly not from New York State Police and the attachment does not contain a speeding ticket. In fact, the attachment contains a trojan that, if opened, can install itself on the user’s computer. Typically, such trojans are able to contact a remote server and download further malware that can steal information from the infected computer and allow criminals to control it from afar.

The email sender address has been reported as automailer.nnn, no-reply.nnn and info.nnn, all purportedly at nyc.gov. It goes without saying that the New York State Police and the New York State Department of Motor Vehicles have nothing to do with this email, and it should be treated like all viruses and spyware. The New York State Police Computer Crime Unit has issued a Hoax E-mail Alert dealing with the Uniform Traffic Ticket Malware Spam.

The attached file, which is called something like Ticket-O64-211.zip, Ticket-728-2011.zip, or just Ticket.zip, is designed to download further malicious code onto your computer and compromise your security. Sophos anti-virus products detect the malware payload as Mal/ChepVil-A, while the CyberCrime & Doing Time Blog identifies that the malware connects to a Russian domain and downloads files called “/ftp/g.php” and “pusk3.exe”.

The Uniform Traffic Ticket Malware Spam email is probably the work of a botnet, which is a group of computers infected with malicious software and controlled as a group without the owners’ knowledge. The network of private computers, sometimes known as zombies or robots, runs autonomously and automatically to send out spam emails that encourage users to open virus- or Trojan-infected attachments. This means that it is pointless blocking the sender, as the sender address is forged and unrelated to the actual computer used to send the email.

We recommend that you delete the e-mail and do not forward it to anyone else. Make sure that you have active anti-virus software, and have your firewall switched on. Of course you should only open e-mails from familiar and trusted sources; if you really have been speeding in New York City, the New York State Department of Motor Vehicles will certainly find a way to let you know!
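As an added example (not code from the original posts), a mail-gateway check for the two lures described above: the “Your Tax Payment ID … is failed” subject of the Bredolab run and the Ticket-*.zip attachment purporting to come from nyc.gov. The sample messages are constructed, and the From: header is treated only as a lure indicator, never as something to trust, because the sending address is forged.

```python
import re
from email import message_from_string
from email.message import Message

# Subject line of the Bredolab lure: "Your Tax Payment ID [Random Number] is failed"
TAX_SUBJECT = re.compile(r"^Your Tax Payment ID \d+ is failed$", re.IGNORECASE)
# Attachment names of the traffic-ticket lure: Ticket.zip, Ticket-728-2011.zip, ...
TICKET_ATTACHMENT = re.compile(r"^Ticket(?:-[A-Za-z0-9]+)*\.zip$", re.IGNORECASE)
# Domain the ticket spam claims to come from; the header is forged, so it is
# only an indicator of the lure and must never be used to allow-list mail.
CLAIMED_DOMAIN = "nyc.gov"

def attachment_names(msg: Message) -> list[str]:
    """Return the filenames of all attachment parts in a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def classify(raw: str) -> list[str]:
    """Return the lure indicators matched by a raw RFC 5322 message ([] if none)."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if TAX_SUBJECT.match(subject):
        reasons.append("tax-payment-subject")
    if any(TICKET_ATTACHMENT.match(n) for n in attachment_names(msg)):
        reasons.append("ticket-zip-attachment")
    sender = (msg.get("From") or "").lower()
    if CLAIMED_DOMAIN in sender and "ticket" in subject.lower():
        reasons.append("claimed-nyc-gov-ticket")
    return reasons

# Constructed sample messages (not captured traffic); the ZIP body is a stub.
TICKET_MAIL = (
    "From: no-reply@nyc.gov\r\n"
    "Subject: Uniform Traffic Ticket\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nYou are charged with speeding.\r\n"
    "--b1\r\nContent-Type: application/zip\r\n"
    'Content-Disposition: attachment; filename="Ticket-728-2011.zip"\r\n\r\n'
    "UEsDBA==\r\n--b1--\r\n"
)
TAX_MAIL = "From: billing@example.invalid\r\nSubject: Your Tax Payment ID 48213 is failed\r\n\r\nSee attached.\r\n"
CLEAN_MAIL = "From: colleague@example.invalid\r\nSubject: Lunch?\r\n\r\nNoon?\r\n"

if __name__ == "__main__":
    for name, raw in [("ticket", TICKET_MAIL), ("tax", TAX_MAIL), ("clean", CLEAN_MAIL)]:
        print(name, classify(raw))
```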

For further information on this subject:

Microsoft Offers Reward for Information on Rustock Botnet

In a further move against international cyber criminals, Microsoft has offered a reward of $250,000.00 for information that results in the identification, arrest and criminal conviction of those responsible for controlling the notorious Rustock botnet.

Microsoft says that IP address infections of Rustock have reduced by more than 50% worldwide since the company took action in March. Microsoft took the infamous Rustock botnet down earlier this year alongside U.S. enforcement agents, and claims that it remains dead.

The Rustock botnet was the largest source of spam in the world, consisting of around 150,000 machines sending around 30 billion spam messages a day. The takedown was part of Microsoft’s fight against illegal botnets, designed to stop the spread of malware and spam mail.

Anyone with information on the Rustock botnet or its operators should contact Microsoft at avreward@microsoft.com.

To find out more about Microsoft Offering a Reward for Information on Rustock Botnet, see the post on the Official Microsoft Blog.

If you have missed previous TechCo Support posting about the fight against the menace of Botnets and the progress of the Microsoft Digital Crimes Unit please see:

Microsoft Reward Document

Microsoft Floors The Coreflood Botnet

With headlines like “More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme”, the U.S. Department of Justice (DoJ) and Federal Bureau of Investigation announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications.

The Coreflood botnet is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server.

Interestingly, the US Government also obtained a temporary restraining order (TRO), granting authorization to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers.

Essentially the DoJ was allowed to impersonate the commanding servers and send a Stop command to the botnet agents that were tethered to the 5 illegal computers, known as command and control (C&C or CnC) servers. This is believed to be a precedent, and opens the door for more active countermeasures against these criminal money-making machine networks.

Following on from the earlier successes against the Rustock botnet in March, and the Waledac botnet in February, this action takes the war against these cyber criminals a stage further.

Other links on the subject:

Microsoft Claims Rustock Botnet Takedown

Have you missed your daily dose of spam emails advertising everything from Viagra to fake pharmaceuticals and watches this week? According to a link spotted on eWeek, Microsoft is claiming responsibility for the takedown of the massive Rustock botnet, which stopped sending out spam midmorning on 16 March 2011.

This operation, known as Operation B107, is the second high-profile takedown in Microsoft’s joint effort between Microsoft Digital Crimes Unit (DCU), Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security) – to disrupt botnets and begin to undo the damage the botnets have caused.

The previous operation against the Waledac botnet (B49) followed a judgement by the US District Court of Eastern Virginia, that upheld a recommendation to grant Microsoft’s motion for the transfer of the domains behind the Waledac botnet to Microsoft.

The Rustock Botnet is estimated to have infected up to 1.7 million computers worldwide, and up to the end of 2010 may have been responsible for almost 50% of the spam sent worldwide. At times Rustock was capable of sending 30 billion spam e-mails per day.

The Rustock Botnet was identified as being more complicated than the Waledac botnet, using hard-coded IP addresses rather than domain names, and peer-to-peer command and control servers. To combat this Microsoft obtained a court order allowing them to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.

The number of computers which can be linked in a botnet is mind boggling, and because the bots are so versatile their use is limited only by the imagination of their controller, or bot-herder.

In order to combat botnets, Microsoft encourages every computer owner to make sure their machine isn’t doing a criminal’s dirty work. If you believe your computer may be infected by Rustock or another type of malware, we encourage you to visit support.microsoft.com/botnets for free information and resources to clean your computer.

Further links and resources

Finally, for everyone who likes comics, check out the Microsoft comic strip Terrifying Tales of Digital Delivery

Microsoft Takes Down The Waledac Botnet

In a post on the Official Microsoft blog, entitled Cracking Down on Botnets, Microsoft announced the takedown of the Waledac botnet, one of the 10 largest botnets in the United States and a major distributor of spam globally. Microsoft achieved this after a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals.

In a complaint filed in the Eastern District of Virginia on the 22 February against John Does 1-27 et al, Microsoft alleged that the “Doe defendants have undertaken the foregoing acts with the knowledge that such acts would cause harm through the .com domains located in Virginia and through user computers located in Virginia, thereby injuring Microsoft, its customers and others both in Virginia and elsewhere in the United States”. This argues that the Virginia Court has jurisdiction over the case regardless of where the perpetrators reside.

The takedown of the Waledac botnet, or Operation B49 as it was known internally in Microsoft, was the result of months of investigation. The Waledac botnet is believed to have had the capacity to send over 1.5 billion spam emails per day. From Microsoft’s analysis, between 3-21 December 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone.

This legal and industry operation against Waledac is the first of its kind, but hopefully it won’t be the last. Microsoft has acted with experts from the international security community to combat this menace to computer users everywhere. However, taking down the botnet is not the end of the story.

Thousands of computers are still infected with the Waledac computer worm, a self-replicating malware computer program. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware. Microsoft advises people running Windows machines to visit the Microsoft Security Web site, where they can find Microsoft’s Malicious Software Removal Tool, which removes Waledac.

Links and resources relating to Microsoft Takes Down The Waledac Botnet:

Is Conficker the start of the biggest botnet in history?

Conficker worm infected machines may comprise one of the biggest networks of robot computers (botnets) in Internet history if security experts’ fears are proved correct. From midnight on 1 April, the Conficker program will start scanning thousands of websites for a new set of instructions telling it what to do next.

Conficker – also known among security experts as “Downadup” – was first discovered in November last year, being sold as part of a kit by a Chinese hacker. Since then, two variants have been spotted in the wild as the virus has gone on to infect more than 10m PCs.

Microsoft has offered a bounty of $250,000 (£176,000) for the identity of Conficker’s creator, who currently remains unknown. Usual methods of unpacking the virus code to examine its workings have been thwarted because the authors have encrypted it, using algorithms that render it almost uncrackable.

For more aspects of this story see Conficker virus – deadly threat or April Fool’s joke