Incident of the Week: Social Networking Sites Used as Command and Control Structure for BotNets

Are you having trouble making sense of social networking sites like Twitter? It may be because you are trying to read an encoded command to a malware-infected computer. Security consultant Jose Nazario at Arbor Networks has discovered that popular social networking sites like Twitter and Jaiku are being used to control botnets, armies of computers that have been infected with malware, enabling the individual controlling the botnet to steal user information and direct the computers to attack others. Botnet commanders often use IRC (Internet Relay Chat) messages to control the "slave" computers, but Nazario discovered encoded gibberish in a user's tweets and decoded it to find that the messages directed infected computers to download additional payloads of malware. According to Nazario's post on the Arbor Networks blog, the original botnet commands appear to have been used to steal user information.

This raises a number of concerns for any website that permits users to generate content. In addition to copyright infringement and other abuse concerns, clearly this highlights another type of content that website administrators should be policing. Also, as companies and institutions begin to view particular websites as being involved in botnet infections, even inadvertently, system administrators may begin blocking access to these sites. As a result, this is a concern both for companies that maintain social networking sites, blogs and other user-generated content, as well as employers and other companies that provide access to those sites.
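One way a site operator could screen user posts for this pattern, as an added example that is not Arbor Networks' or any social network's code: it looks for base64-like tokens that decode to a URL and runs over a constructed sample feed (the host name is a placeholder, not an indicator from the incident).

```python
import base64
import binascii
import math
import re
from typing import Dict, List, Optional

# Heuristic screen for encoded command-like tokens in user-generated posts.
# Constructed for this write-up; it is not any social network's moderation code.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_IN_TEXT = re.compile(r"https?://[^\s]+", re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    """Bits per character: natural text sits near 4, base64 blobs near 5-6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def decode_if_base64(token: str) -> Optional[str]:
    """Return decoded printable ASCII if the token is valid base64, else None."""
    if not B64_TOKEN.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def inspect_post(post: str) -> Dict[str, object]:
    """Flag a post whose encoded tokens decode to a URL (a possible fetch instruction)."""
    findings = []
    for token in post.split():
        decoded = decode_if_base64(token)
        if decoded and URL_IN_TEXT.search(decoded):
            findings.append({"token": token, "decoded": decoded,
                             "entropy": round(shannon_entropy(token), 2)})
    return {"post": post, "suspicious": bool(findings), "findings": findings}

def scan_feed(posts: List[str]) -> List[Dict[str, object]]:
    return [r for r in (inspect_post(p) for p in posts) if r["suspicious"]]

# Constructed sample feed: two ordinary posts and one carrying an encoded URL.
ENCODED_CMD = base64.b64encode(b"http://c2.example.invalid/stage2.bin").decode()
SAMPLE_POSTS = [
    "heading to the conference tomorrow, anyone else going?",
    f"upd {ENCODED_CMD}",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # valid base64 but decodes to NULs: not flagged
]

if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_POSTS):
        print(hit)
```

A flagged post is a candidate for review, not proof of abuse; short tokens and binary payloads that do not decode to a URL fall through this check by design.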

Incident of the Week: Latvian Internet Service Provider Shut Down After Being Linked to Cybercrime Ring

Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities. Among the many activities allegedly conducted through Real Host were the use of malware to steal banking credentials, spam email campaigns and the hosting of command and control servers for the Zeus botnet (i.e., millions of infected computer slaves or "bots" used by cybercriminals to steal information and attack other computers). The expert who linked Real Host to these activities, and who goes by the pseudonym "Jart Armin," told Network World in an interview that Real Host may be "one of the top European centers of crap." Armin's site, HostExploit.com, has published a report on the rogue ISP (requires registration) and even has an abstract video of the take-down occurring.

The take-down of rogue ISPs by upstream service providers has become more common in the United States with the removal of Atrivo and McColo, two service providers shut down at the end of 2008. Where service providers did not take action, the Federal Trade Commission filed suit in federal court in California in June of this year to remove the rogue ISP Pricewert/3FN. The complaint filed by the FTC (.pdf) alleged that, in becoming an active participant in a range of cybercrimes, the ISP committed unfair or deceptive acts or practices in violation of the FTC Act, 15 U.S.C. sec. 45(a). (Note also that the temporary restraining order and preliminary injunction entered in that action not only shut down the ISP, but also ordered the seizure of assets and a number of other extraordinary protections.)

Links: