Re: [botnets] re MAC trojan

2007-11-01 Thread Steven Adair
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

Not sure this is necessarily true, but that's beside the point as I'm sure we 
could have hundreds of witty replies all day long going both ways.  The point 
is this requires user interaction to infect a machine.  I am not seeing the 
part where unpatched vulnerabilities come into play with this.  This is no 
different than if someone had a malicious package sent for download.  It 
requires the user to consent to install something bad.. this isn't a 
drive-by exploit targeting all Macs like MPack for primarily IE & Windows.. not 
yet anyway.  It's a good thing to be on the look out for though, however it's 
not the end of the internets.

Steven 

On Thu, 01 Nov 2007 16:35:11 +0200, Interspace System Department [EMAIL 
PROTECTED] wrote:
 Gadi Evron wrote:
 On Thu, 1 Nov 2007, Gary Flynn wrote:
   

 This is nothing more than simple downloadable malware exacerbated
 somewhat by permissive configuration settings. It exploits no
 security defects.

 As I understand it, the operator is given multiple opportunities
 to refuse the program:
 

 Yes, but it's who uses it and how that matters.
   
 Relax. Mac users are not as stupid as MS users...
 

   
 http://www.jmu.edu/computing/security/#macmalware

 (I'm only subscribed to the archive so I apologize if this
  has been already pointed out or already proven incorrect
  today)



___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Steven Adair



On Sat, 3 Nov 2007 13:54:44 -0400, Mr. X [EMAIL PROTECTED] wrote:
 Dude, you gotta get over yourself. The fact that the mac os x
 operating system has no viruses is not the fault of the user base.
 And the tirades of the told-you-so's are petty and so OT let's just
 get back to info on botnets. Anyone targeting the Mac or Linux base is

I agree they are OT but technically isn't this entire thread, regardless of the 
view point?  AFAIK there is not presently any botnet associated with this mac 
trojan or any variants of it at this time.  There's definitely potential but no 
connection, otherwise we could be discussing any piece of malware on this list.

 clearly doing it not to add bots (doesnt even make sense numbers wise)
 but for exactly this response, seeing their handiwork talked about ad-
 nauseum on CNN and with the shoe banging security websites and
 slashdot windows users smugly yelling I was right!
 
 Sorry, but enough is enough gang.
 
 D
 
 On Nov 3, 2007, at 10:35 AM, Dave Ellingsberg
 [EMAIL PROTECTED]
   wrote:
 
 This is not so much a SE issue as it is a pure of heart issue.  For
 way too long the Mac has been invincible, I can click on anything,
 you can not hurt me!  This adds to the newbie issue as those buying
 into the gullible mac attitude are invincible!  So it adds to the
 End-Loser problem.  Now we see a shift in targeting and lo the
 invincible are to be subjected to the Kryptonite of the Internet
 underworld.  And without the antibodies of common sense that those
 of us who have prowled the gutters of the mighty M$.

 There is no way to wake up those who have come to slurp up the
 invincible theme anymore than you can change that attitude of those
 who think M$ is better because it is a GUI interface to servers and
 therefore anyone can do it safe and secure [well I have not heard
 those last two things come up when it's time to switch!].

 Most on this list have years of experience supporting groups of the
 above, in all 4 categories.
 We are called on to clean up the messes after the clickers and
 planners.  We are all reactive in one way or another.  Keep thinking
 about it, ProActive is really not attainable, but its a good goal!

 bigfoot.





Re: [botnets] mech config captured today

2007-11-16 Thread Steven Adair

Just taking a wild stab in the dark, I'd bet on SSH brute force.  A number of 
groups on Undernet (Romanian ones especially) are known to SSH brute force 
attack boxes and then install mech and put up a bunch of clones in an IRC 
channel from the box.  Here's a nice example of the classic scenario (sometimes 
it's more automated though):

http://lists.virus.org/dshield-0407/msg00193.html

Steven

On Fri, 16 Nov 2007 12:08:49 -0500, Adriel Desautels [EMAIL PROTECTED] wrote:
 

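Steven's guess above is SSH brute force followed by a mech install. Added here as an illustration, not part of the original thread: the detection logic a practitioner would run over sshd auth.log lines to confirm it. It flags any source that racks up many failed passwords inside a short window and, more importantly, any login that then succeeds from the same source, which is the moment the box actually falls. The log lines are constructed; the hostname, addresses, year and threshold are assumptions.

```python
"""Flag SSH brute-force sources in sshd syslog output, and any login that
succeeded from a source after it had been guessing (the mech-install pattern)."""
import re
from collections import defaultdict
from datetime import datetime
from pprint import pprint

# OpenSSH "Failed/Accepted password" lines as syslog writes them to auth.log.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2007):
    """Return a dict for one password-auth line, None for anything else.
    Syslog omits the year, so the caller supplies it (assumed 2007 here)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=10, window_s=300, year=2007):
    """Group events by source IP. Report every source with at least `threshold`
    failures inside some `window_s`-second span, together with the usernames it
    tried and every successful login from it after its first failure."""
    by_ip = defaultdict(list)
    for ev in filter(None, (parse_line(l, year) for l in lines)):
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        peak, lo = 0, 0
        for hi in range(len(fails)):  # sliding window over the failures only
            while (fails[hi]["ts"] - fails[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak < threshold:
            continue
        first_fail = fails[0]["ts"]
        findings[ip] = {
            "peak_failures": peak,
            "users_tried": sorted({e["user"] for e in fails}),
            "accepted_after_failures": [
                (e["user"], e["ts"].isoformat())
                for e in evs if e["result"] == "Accepted" and e["ts"] > first_fail
            ],
        }
    return findings


# Constructed auth.log excerpt: one guessing source that finally lands root,
# plus a legitimate user mistyping once. Addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 16 03:12:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 16 03:12:03 srv1 sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Nov 16 03:12:05 srv1 sshd[2215]: Failed password for root from 203.0.113.7 port 51038 ssh2
Nov 16 03:12:07 srv1 sshd[2217]: Failed password for root from 203.0.113.7 port 51044 ssh2
Nov 16 03:12:09 srv1 sshd[2219]: Failed password for invalid user guest from 203.0.113.7 port 51052 ssh2
Nov 16 03:12:11 srv1 sshd[2221]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Nov 16 03:12:13 srv1 sshd[2223]: Failed password for root from 203.0.113.7 port 51068 ssh2
Nov 16 03:12:15 srv1 sshd[2225]: Failed password for invalid user mysql from 203.0.113.7 port 51076 ssh2
Nov 16 03:12:17 srv1 sshd[2227]: Failed password for invalid user postgres from 203.0.113.7 port 51084 ssh2
Nov 16 03:12:19 srv1 sshd[2229]: Failed password for root from 203.0.113.7 port 51092 ssh2
Nov 16 03:12:21 srv1 sshd[2231]: Failed password for invalid user web from 203.0.113.7 port 51100 ssh2
Nov 16 03:12:23 srv1 sshd[2233]: Failed password for root from 203.0.113.7 port 51108 ssh2
Nov 16 03:15:40 srv1 sshd[2290]: Accepted password for root from 203.0.113.7 port 51211 ssh2
Nov 16 09:01:12 srv1 sshd[3402]: Failed password for alice from 192.0.2.10 port 40211 ssh2
Nov 16 09:01:20 srv1 sshd[3402]: Accepted password for alice from 192.0.2.10 port 40211 ssh2
Nov 16 09:02:00 srv1 sshd[3410]: pam_unix(sshd:session): session opened for user alice by (uid=0)
""".splitlines()

if __name__ == "__main__":
    pprint(detect_bruteforce(SAMPLE_LOG))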


Re: [botnets] New Storm variant

2008-01-07 Thread Steven Adair

Adriel,

The quick goal would be to get them (nic.ru) to suspend the 15 domains that are 
currently active:

* familypostcards2008.com
* freshcards2008.com
* happy2008toyou.com
* happycards2008.com
* happysantacards.com
* hellosanta2008.com
* hohoho2008.com
* merrychristmasdude.com
* newyearcards2008.com
* newyearwithlove.com
* parentscards.com
* postcards-2008.com
* santapcards.com
* santawishes2008.com
* uhavepostcard.com 

If I missed one, please feel free to add it.  Other than that, the goal I 
suppose would be to have more open communication with them as it seems no one 
is getting a response back.  I know I haven't received one.

Steven

On 1/7/08 5:07 PM, Adriel Desautels [EMAIL PROTECTED] wrote:

 John,
 I may know some people in Russia that can help. What would you like me 
 to request?
 
 Regards,
 Adriel T. Desautels
 Chief Technology Officer
 Netragard, LLC.
 Office : 617-934-0269
 Mobile : 617-633-3821
 http://www.linkedin.com/pub/1/118/a45
 ---
 Netragard, LLC - http://www.netragard.com  -  We make IT Safe
 Penetration Testing, Vulnerability Assessments, Website Security
 
 
 John Draper wrote:
 Richard Cox wrote:
 The new instance of the Storm worm launched on Christmas Eve is already
 having a major impact (see http://www.spamhaus.org/news.lasso?article=624)
 
 Whoever planned this worm attack was clever - he ran all his malware
 domains (which the victims click on to download their greetings cards
 - aka trojans) on fast-flux (botnet) hosting, relying on the Russian
 ccTLD (nic.ru) to do the updates.  Unfortunately for all of us, nic.ru
 is closed for Christmas and New Year - not returning until January 9th.
 
 Many people have tried to contact nic.ru, both by telephone (during their
 advertised opening times) and by email but nic.ru do not reply.  Ten more
 days of infection - at the very least - will get that guy one huge botnet
 and I know I don't need to mention what that sort of power could do.
 
 If anyone DOES know of an emergency process to contact nic.ru, could
 they either use it, post it here, and/or mail me directly with it?
 
 Thanks - and seasonal greetings all round!
 
 Best regards
 
   
 Darn - my last Russian contact left the country last year...  Don't know
 anyone who lives in Moscow anymore or I would have them physically
 go to where they are and contact them...
 
 Also,  calling Russian ISP's (assuming you get around the language barrier)
 can be daunting...  VoIP and other cheap means to call Russia aside, it is
 still rather difficult.
 
 Also,  I hear a lot of Russian ISP's are on the take and cater to a lot of fraud
 and other activities...
 
 Good luck in your venture...  and find someone who speaks fluent Russian for
 starters...
 
 John


Re: [botnets] New Storm variant

2008-01-07 Thread Steven Adair

Hi Chato,

These two domains are part of the original 13 that were registered with 
ESTDOMAINS (not nic.ru) and they should currently all be in a suspended state.

Steven

On Tue, 08 Jan 2008 00:24:20 +0100, Chato H. Flores [EMAIL PROTECTED] wrote:
 
 I add two domains to the list:
 
 ptowl.com
 yxbegan.com
 
 
 Best regards,
 
 Chato Flores
 
 
 
 
 On Mon, 07 Jan 2008 23:13:57 +0100 Steven Adair
 [EMAIL PROTECTED] wrote:


Re: [botnets] (broadband routers) PC World: Flash Attack Could TakeOver Your Router

2008-01-16 Thread Steven Adair

How are you defining network operators?  Do you mean by the normal [in most 
cases home] user?  Apparently flash is able to allow UPnP access per PDP's 
posting at www.gnucitizen.org.  Apparently this is not a flaw and is a feature 
(we've heard that before) of Flash and works as advertised.  However, most of 
the broadband routers have UPnP open by default, so all a malicious SWF file 
has to do is start taking action via UPnP from your Linksys/NetGear/D-Link/etc. 
home router.  You might want to look into disabling this function as it 
apparently doesn't support any form of authentication.

Steven

On Wed, 16 Jan 2008 12:10:40 -0600 (CST), Gadi Evron [EMAIL PROTECTED] wrote:
 Props to Jeff Chan who I saw it from.
 
 Yes, I still believe these ISP distributed machines called broadband
 routers
 are a network operators issue. But not all may agree on that.
 
 --
 http://news.yahoo.com/s/pcworld/20080116/tc_pcworld/141399
 
 Flash Attack Could Take Over Your Router
 
 Robert McMillan, IDG News Service Tue Jan 15, 7:08 PM ET
 
 Security researchers have released code showing how a pair of widely used
 technologies could be misused to take control of a victim's Web browsing
 experience.
 
 The code, published over the weekend by researchers Adrian Pastor and
 Petko
 Petkov, exploits features in two technologies: The Universal Plug and Play
 (UPnP) protocol, which is used by many operating systems to make it easier
 for
 them to work with devices on a network; and Adobe Systems' Flash
 multimedia
 software.
 
 By tricking a victim into viewing a malicious Flash file, an attacker
 could use
 UPnP to change the primary DNS (Domain Name System) server used by the
 router
 to find other computers on the Internet. This would give the attacker a
 virtually undetectable way to redirect the victim to fake Web sites. For
 example, a victim with a compromised router could be taken to the
 attacker's
 Web server, even if he typed Citibank.com directly into the Web browser
 navigation bar.
 
 The most malicious of all malicious things is to change the primary DNS
 server, the researchers wrote. That will effectively turn the router and
 the
 network it controls into a zombie which the attacker can take advantage of
 whenever they feel like it.
 
 Because so many routers support UPnP, the researchers believe that ninety
 nine
 percent of home routers are vulnerable to this attack.
 
 In fact, many other types of UPnP devices, such as printers, digital
 entertainment systems and cameras are also potentially at risk, they added
 in a
 Frequently Asked Questions Web page explaining their research.
 [...]
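The exposure Steven describes is easy to verify from inside the LAN. Added example, not code from the thread or from the GNUCITIZEN write-up: it multicasts the standard SSDP M-SEARCH for an InternetGatewayDevice, parses the replies and the device description, and lists every WANIPConnection/WANPPPConnection control URL it finds. It also builds the AddPortMapping SOAP request such an endpoint accepts, so the absence of any credential field is plain to see. The sample SSDP reply and description XML are constructed in the IGD 1.0 layout with an invented address, UUID and paths; the live discover() only runs when the script is executed directly.

```python
"""List UPnP IGDs on the LAN and the WAN*Connection control URLs they expose."""
import socket
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("WANIPConnection", "WANPPPConnection")
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n' f"ST: {IGD_ST}\r\n\r\n").encode()

# Constructed SSDP reply and device description in the IGD 1.0 layout; the
# address, UUID and paths are invented for this example.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
               b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
               b"SERVER: Linux/2.4 UPnP/1.0 igd/1.0\r\n"
               b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
               b"USN: uuid:00000000-0000-1000-8000-000000000001::"
               b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
 <deviceList><device>
  <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    <controlURL>/upnp/control/WANIPConn1</controlURL>
   </service></serviceList>
  </device></deviceList>
 </device></deviceList>
</device></root>"""

def parse_ssdp_response(raw):
    """Turn one SSDP datagram into a dict of lower-cased headers plus '_status'."""
    status, _, rest = raw.decode("utf-8", "replace").partition("\r\n")
    headers = {"_status": status.strip()}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def wan_control_urls(description_xml, location):
    """Walk the (nested) device description; return (serviceType, absolute
    controlURL) for every WANIPConnection / WANPPPConnection service."""
    found = []
    for elem in ET.fromstring(description_xml).iter():
        if elem.tag.split("}")[-1] != "service":
            continue
        f = {c.tag.split("}")[-1]: (c.text or "").strip() for c in elem}
        if any(w in f.get("serviceType", "") for w in WAN_SERVICES) and f.get("controlURL"):
            found.append((f["serviceType"], urljoin(location, f["controlURL"])))
    return found

def add_port_mapping_request(ext_port, int_client, int_port, proto="TCP"):
    """SOAP body that opens an inbound hole on the gateway. There is no
    credential field anywhere in it: IGD 1.0 defines no authentication."""
    return (
        '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{int_client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>audit</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
    )

def discover(timeout=3.0):
    """Multicast one M-SEARCH and collect every IGD that answers (live LAN check)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, (addr, _) = sock.recvfrom(65507)
            found.append((addr, parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    for addr, hdrs in discover():
        if "location" not in hdrs:
            continue
        with urllib.request.urlopen(hdrs["location"], timeout=5) as resp:
            desc = resp.read().decode("utf-8", "replace")
        for stype, url in wan_control_urls(desc, hdrs["location"]):
            print(f"{addr}: {stype} controllable without auth at {url}")
```

Any control URL this prints is reachable by every host on the LAN, and therefore by anything a browser on one of those hosts can be made to send, which is the whole Flash angle. If the router offers a toggle for UPnP, turning it off makes discover() come back empty; that is the check to run before and after.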


Re: [botnets] reviving this list, allowing sharing

2008-08-27 Thread Steven Adair
I agree here.  It'd be a bit much and cause people to unsubscribe if there's
not some digest type format.  The malware would still have to be sandboxed
in some fashion to be overly relevant.  Just having information from
nepenthes will give you limited information.  Also, unless there's a way to
keep duplicate information from making its way to the list, it would be
extremely noisy with tons of reports on the same thing.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Pleger
Sent: Wednesday, August 27, 2008 9:56 PM
To: Jeremy
Cc: botnets@whitestar.linuxbox.org
Subject: Re: [botnets] reviving this list, allowing sharing

I think that is a bit too high volume for this list, maybe throwing
honeypot logs to an aggregator and then sending a daily digest would
be more appropriate.

James Pleger
e: [EMAIL PROTECTED]



On Wed, Aug 27, 2008 at 6:10 PM, Jeremy [EMAIL PROTECTED] wrote:
 I propose that each and every one of us on this list configure our
 nepenthes boxes with the email address of this distribution list, so
 we can share information about new botnet clients in real time.

 Thoughts?

 -Jeremy

 On Wed, Aug 27, 2008 at 4:41 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 Hi. When this list was started a while back a lot of sharing and discussion
 was happening.

 This made us take a step back at the time. Today, when most of this
 information can do far more good than harm, it is my strong belief open
 information sharing on botnets, malicious web sites and similar subjects will
 be useful.

 Feel free to share data, and let's see how it goes. We, on our end will work
 to mitigate the risks you send in.

 Who is first?

Gadi.




 --
 -BEGIN PGP SIGNATURE-
 Version: 1.0

 5468657365206172656E27742074686520626F747320796F75277265206C6F6F
 6B696E6720666F722E2E2E746865792063616E20676F2061626F757420746865
 697220627573696E6573732E2E2E6D6F766520616C6F6E672E2E2E00
 -END PGP SIGNATURE-


Re: [botnets] [phishing] XP update phish/malware

2008-08-28 Thread Steven Adair

It seems Imageshack with malicious or at least abusive Flash files is getting 
more popular.  We saw a similar attack, yet far less malicious, on Facebook 
last week.  Users' walls were spammed with a message about someone having a 
crush on them with a link to an Imageshack flash file.  The file then did a 
full redirect to a dating website.  The bad guys are both simply just using 
them as a jumping point and in some cases playing off of their [somewhat] 
trusted name.

Steven

On Thu, 28 Aug 2008 09:18:12 -0400, Discini, Sonny [EMAIL PROTECTED] wrote:
 Here is another XP/Vista download link:
 
 ht tp://img 182.imageshack.us/img182/7145/47024671do7 .swf
 
 --
 Steve
 
 
 
 I had a bunch of that come through in 3 separate waves yesterday.
 
 The malware download pointed to:
 Hxxp://89.187.49.18/install.exe
 
 Note that the payload is known to Sophos so I'm assuming that most of
 the other big players also pick it up. Nothing new.
 
 Sonny
 
 Sonny Discini, Senior Network Security Engineer
 Office of the CIO
 Department of Technology Services
 Montgomery County Government
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve Pirk
 Sent: Thursday, August 28, 2008 7:13 AM
 To: [EMAIL PROTECTED]
 Cc: Botnets
 Subject: Re: [phishing] XP update phish/malware
 
 
 Equal bytes for women.
 
 On Wed, 27 Aug 2008, Steve Pirk wrote:
 
 Here are some links related to a XP update phish/malware download.

 Image or payload?
 ht tp://img 504.imageshack.us/img504/6262/23031231ob0 .swf

 That was the only link in the email.
 --
 Steve
 Equal bytes for women. ___
 phishing mailing list
 [EMAIL PROTECTED]
 http://www.whitestar.linuxbox.org/mailman/listinfo/phishing

 ___
 botnets@, the public's dumping ground for maliciousness
 All list and server information are public and available to law
 enforcement upon request.
 http://www.whitestar.linuxbox.org/mailman/listinfo/botnets



Re: [botnets] URL formats

2008-08-28 Thread Steven Adair

heh I think this is a discussion that's been had many times.  A lot of people 
use and I am in favor of obfuscating http links with:

hxxp://urlformat

then for any URLs that have sensitive info that you want to still post use 
removed, example:

http://www.some.site/keylog.php?blah=1&IP=10.10.10.10

could be made into

hxxp://www.some.site/keylog.php?blah=1&IP=removed

Just a few suggestions.  Maybe an RFC is in order? :D

Steven


On Thu, 28 Aug 2008 18:32:16 +0100, Chris Burton [EMAIL PROTECTED] wrote:
 Hi,
  I was wondering if it would be more helpful if we could propose a
 standard for posting broken URLs with some form of start/end indicator to
 allow easier automated processing from the listings?
 
 ChrisB.
 
 
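Steven's hxxp convention with a "removed" placeholder, and Chris's wish for posts that tools can process, as an added example that is not from the thread: defang() rewrites the scheme and scrubs the values of an assumed set of sensitive query parameters, refang() undoes the scheme change so a fetcher or resolver can use the URL again, and extract_defanged() pulls such URLs back out of free-form post text. The sample post is constructed from hosts already in this thread; the SENSITIVE_PARAMS set is an assumption to tune per list.

```python
"""Defang/refang list-post URLs (hxxp convention), scrub sensitive query
parameters, and extract defanged URLs from post text for automated handling."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values are replaced before posting. Assumed set; adjust
# to whatever your feeds leak (victim IPs, bot IDs, account names, ...).
SENSITIVE_PARAMS = frozenset({"ip", "id", "bid", "user", "email", "pass", "key"})
PLACEHOLDER = "removed"
_DEFANG = {"http": "hxxp", "https": "hxxps"}
_REFANG = {v: k for k, v in _DEFANG.items()}
DEFANGED_URL_RE = re.compile(r"\bhxxps?://[^\s<>\"']+", re.IGNORECASE)


def defang(url, sensitive=SENSITIVE_PARAMS, placeholder=PLACEHOLDER):
    """http -> hxxp (https -> hxxps) and replace sensitive query values.
    Other schemes pass through untouched; path and fragment are preserved."""
    p = urlsplit(url)
    scheme = _DEFANG.get(p.scheme.lower(), p.scheme)
    pairs = parse_qsl(p.query, keep_blank_values=True)
    scrubbed = [(k, placeholder if k.lower() in sensitive else v) for k, v in pairs]
    query = urlencode(scrubbed, safe="/:@")
    return urlunsplit((scheme, p.netloc, p.path, query, p.fragment))


def refang(url):
    """Reverse the scheme change so tooling can fetch or resolve the real URL.
    Scrubbed values stay scrubbed; that information is gone by design."""
    p = urlsplit(url)
    scheme = _REFANG.get(p.scheme.lower(), p.scheme)
    return urlunsplit((scheme, p.netloc, p.path, p.query, p.fragment))


def extract_defanged(text):
    """Every hxxp(s):// URL in a post, with trailing sentence punctuation trimmed.
    Plain http:// links (list footers, references) are deliberately ignored."""
    return [m.group(0).rstrip(".,;:)]") for m in DEFANGED_URL_RE.finditer(text)]


# Constructed post in the proposed format; hosts and paths come from this thread.
SAMPLE_POST = """Seen in the XP-update wave:
  payload      hxxp://89.187.49.18/install.exe
  keylog drop  hxxp://www.some.site/keylog.php?blah=1&IP=removed.
Clean link, left alone: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
"""

if __name__ == "__main__":
    print(defang("http://www.some.site/keylog.php?blah=1&IP=10.10.10.10"))
    for u in extract_defanged(SAMPLE_POST):
        print(u, "->", refang(u))
```

The split between scrubbing (irreversible) and defanging (reversible) is the useful part: a reader or a script can always get the live URL back to resolve the host or pull the sample, but the victim identifier never leaves the poster's box. Parameter names are matched case-insensitively, so IP, ip and Ip are all caught.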