Storm Worm botnet cracked wide open

January 9, 2009 – 1:23 PM

A team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn’t as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.

Over the last two years, Storm Worm has demonstrated how easily organised internet criminals have been able to spread this infection. During that period, the Storm Worm botnet has accumulated more than a million infected computers, known as drones or zombies, obeying the commands of a control server and using peer-to-peer techniques to locate new servers. Even following a big clean-up with Microsoft’s Malicious Software Removal Tool, around 100,000 drones probably still remain. That means the Storm Worm botnet is responsible for a considerable share of the spam tsunami and for many distributed denial-of-service attacks. It’s astonishing that no one has succeeded in dismantling the network, but these researchers say it isn’t due to technical finesse on the part of the Storm Worm’s developers.

Existing knowledge of the techniques used by the Storm Worm has mainly been obtained by observing the behaviour of infected systems, but the researchers took a different approach to disarm it. They disassembled large parts of the machine code of the drone client program and analysed it, taking a particularly close look at the functions for communication between drones and with the server.

Source:
http://www.heise-online.co.uk/news/Storm-Worm-botnet-cracked-wide-open–/112385

USB Worms

January 7, 2009 – 6:55 PM

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay to execute themselves either when the stick is inserted or, more commonly, when the user double-clicks on the USB drive icon from My Computer. Such malicious AUTORUN.INF files are normally easy to spot, but Downadup does not create files like that. What it drops on USB drives are AUTORUN.INF files that look like this:


Downadup Autorun

The noteworthy text is found somewhere around the middle of this 90kB file, at the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

…which would execute a DLL called jwgvsq.vmx from a hidden folder on the USB drive.
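A defender-side check for the trick described above, added here as an example rather than anything from the F-Secure post: it scans an AUTORUN.INF, ignores the junk padding, pulls out the directives that actually launch something (Open=, ShellExecute=, shell\…\command=) and flags a DLL host such as RUNDLL32 being pointed at a non-library extension inside a folder like RECYCLER. The padded sample is constructed to match the post's description (one launch line in ~90kB of junk); the size threshold and extension list are assumptions.

```python
import re
from typing import Dict, List

# Directives in AUTORUN.INF that launch a command on insertion or on a
# double-click of the drive icon: Open=, ShellExecute=, shell\<verb>\command=.
EXEC_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)
DLL_HOSTS = ("rundll32", "regsvr32")        # hosts that run a library named on the command line
ODD_DIRS = ("recycler", "$recycle.bin", "system volume information")  # folders users never browse
NORMAL_MAX_SIZE = 4096  # assumption: a genuine autorun.inf is a few hundred bytes, not 90kB


def extract_exec_directives(raw: bytes) -> List[str]:
    """Return the launch directives from an autorun.inf, ignoring junk padding."""
    text = raw.decode("latin-1")
    # Drop non-printable bytes so padding lines vanish and real key=value lines survive.
    text = re.sub(r"[^\x09\x0a\x0d\x20-\x7e]", "", text)
    directives = []
    for line in text.splitlines():
        m = EXEC_KEY.match(line)
        if m:
            directives.append(f"{m.group(1).lower()}={m.group(2)}")
    return directives


def assess(directive: str) -> Dict[str, object]:
    """Flag a launch directive that hands a DLL host an odd target or odd path."""
    _, _, command = directive.partition("=")
    parts = command.lower().split()
    reasons = []
    if parts and any(h in parts[0] for h in DLL_HOSTS):
        target = parts[-1].split(",")[0] if len(parts) > 1 else ""
        if not target.endswith((".dll", ".exe", ".cpl", ".ocx")):
            reasons.append(f"{parts[0]} given a non-library extension: {target}")
    if any(d in command.lower() for d in ODD_DIRS):
        reasons.append("target lives in a folder users never browse")
    return {"directive": directive, "suspicious": bool(reasons), "reasons": reasons}


def scan_autorun(raw: bytes) -> Dict[str, object]:
    """Size check plus per-directive assessment for one AUTORUN.INF."""
    return {"size": len(raw), "oversized": len(raw) > NORMAL_MAX_SIZE,
            "directives": [assess(d) for d in extract_exec_directives(raw)]}


# Constructed sample in the shape the post describes: one launch line buried in
# roughly 90kB of junk. The RUNDLL32/RECYCLER/jwgvsq.vmx line is the one the post shows.
JUNK_LINE = bytes(range(0x80, 0x100)) * 8 + b"\r\n"
PADDED_SAMPLE = (b"[autorun]\r\n" + JUNK_LINE * 40
                 + b"Open=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
                 + JUNK_LINE * 40 + b"\x00" * 8000)
# Constructed benign autorun.inf of the kind a vendor CD or stick ships.
BENIGN_SAMPLE = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"
```

Run `scan_autorun(PADDED_SAMPLE)` and `scan_autorun(BENIGN_SAMPLE)` to compare: the padded file is oversized and its single directive is flagged on both counts, the benign one is neither.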

Source:
http://www.f-secure.com/weblog/archives/00001575.html

VirusTotal Uploader

January 7, 2009 – 5:20 PM

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.

Specs:

  • Free, independent service
  • Use of multiple antivirus engines
  • Real-time automatic updates of virus signatures
  • Detailed results from each antivirus engine
  • Real-time global statistics

Virustotal Uploader

You can also email your file as an attachment to [email protected] with the subject of “SCAN” and it will scan the file and email you back the results. Awesome.

Download:
http://www.virustotal.com/metodos.html

Weak Password Brings ‘Happiness’ to Twitter Hacker

January 6, 2009 – 7:31 PM

An 18-year-old hacker with a history of celebrity pranks has admitted to Monday’s hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter’s administrative control panel by pointing an automated password-guesser at a popular user’s account. The user turned out to be a member of Twitter’s support staff, who’d chosen the weak password “happiness.”

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

“I feel it’s another case of administrators not putting forth effort toward one of the most obvious and overused security flaws,” he wrote in an IM interview. “I’m sure they find it difficult to admit it.”

The hacker identified himself only as an 18-year-old student on the East Coast. He agreed to an interview with Threat Level on Tuesday after other hackers implicated him in the attack.

The intrusion began unfolding Sunday night, when GMZ randomly targeted the Twitter account belonging to a woman identified as “Crystal.” He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. “I thought she was just a really popular member,” he said.

Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal’s account.

That’s when he realized that Crystal was a Twitter staffer, and he now had the ability to access any other Twitter account by simply resetting an account holder’s password through the administrative panel. He also realized he hadn’t used a proxy to hide his IP address, potentially making him traceable. He didn’t think the intrusion was important enough to draw law-enforcement attention, and “didn’t think it would make headlines.”
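The failure at the heart of this story is the unlimited, rapid-fire login attempts that let an overnight word-list run reach the password “happiness”. The following is an added example (not Twitter's code and not from the Wired article) of a per-account throttle with exponential lockout, plus a replay that counts how many words a server would actually compare with and without it. The word list, the ten-attempts-per-second rate and the ten-hour window are constructed assumptions; only the password and the account's role come from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """A few free failures per account, then each further failure doubles a
    (capped) lockout window, so an unattended word list stalls instead of
    churning through thousands of guesses overnight."""

    def __init__(self, free_attempts: int = 5, base_delay: float = 1.0,
                 max_delay: float = 3600.0) -> None:
        self.free_attempts, self.base_delay, self.max_delay = free_attempts, base_delay, max_delay
        self.state: Dict[str, AccountState] = {}

    def allowed(self, user: str, now: float) -> bool:
        return now >= self.state.setdefault(user, AccountState()).locked_until

    def record_failure(self, user: str, now: float) -> None:
        st = self.state.setdefault(user, AccountState())
        st.failures += 1
        extra = st.failures - self.free_attempts
        if extra > 0:
            st.locked_until = now + min(self.max_delay, self.base_delay * 2 ** (extra - 1))

    def record_success(self, user: str) -> None:
        self.state.pop(user, None)


def guesses_checked(throttle: LoginThrottle, user: str, wordlist: List[str], password: str,
                    rate_per_sec: float, window_sec: float) -> Tuple[int, bool]:
    """Replay a rapid-fire word-list run and count the words actually compared."""
    checked = 0
    for i, word in enumerate(wordlist):
        now = i / rate_per_sec
        if now > window_sec:
            break
        if not throttle.allowed(user, now):
            continue  # rejected before any password comparison
        checked += 1
        if word == password:
            throttle.record_success(user)
            return checked, True
        throttle.record_failure(user, now)
    return checked, False


# Constructed word list with the post's password buried deep in it.
WORDLIST = [f"word{i}" for i in range(20000)]
WORDLIST[15000] = "happiness"


def compare(rate_per_sec: float = 10.0, window_sec: float = 36000.0):
    """Same overnight run without any limit (the post's scenario) and with the throttle."""
    return (guesses_checked(LoginThrottle(free_attempts=10**9), "crystal", WORDLIST, "happiness", rate_per_sec, window_sec),
            guesses_checked(LoginThrottle(), "crystal", WORDLIST, "happiness", rate_per_sec, window_sec))
```

With no limit the run compares 15,001 words and hits; with the throttle the same ten hours yield only 16 comparisons and no hit, which is the difference between an overnight compromise and a noisy, failed attempt worth alerting on.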

Source:
http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

Google Named No. 3 Spam Provider

January 6, 2009 – 6:25 PM

According to this eWeek article, Google has been named the #3 spam provider in the world in the most recent Spamhaus statistics.

The reason given is: “Spammers have had success cracking the CAPTCHA tests and creating Gmail accounts from which to spam. Because the spam comes from a domain reputation systems can’t block because it’s so popular, spam from these accounts has an advantage in getting past many anti-spam systems.”