Welcome to Antisource

This site brings you a consolidation of malware articles and alerts, together with the anti-malware solutions to fix and block them.

ZeroAccess Rootkit and Botnet

Wednesday, December 05, 2012
Author: Richard S. Westmoreland
Permalink: zeroaccess-rootkit-botnet
Botnets


ZeroAccess (also known as Sirefef, Vobfus and 0access) is a rather prolific piece of malware.

On Sophos' research blog, James Wyke summarizes the ongoing tracking of the ZeroAccess rootkit and its botnet:

http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/

Over 9 million computers compromised with this rootkit! I suggest reading through this and following all the links to previous ZeroAccess articles. One of the more important ones is the Sophos ZeroAccess Botnet technical paper, which you can download at http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx.

If somehow reading "9 million computers compromised" wasn't enough, Sean at F-Secure's blog posted a visual representation using Google Earth:

http://www.f-secure.com/weblog/archives/00002430.html

So what does ZeroAccess actually do? It mines bitcoins and runs click fraud. If you aren't that familiar with bitcoin currency, you may want to read up on it quick: http://en.wikipedia.org/wiki/Bitcoin#Mining_and_node_operation
  


Project Blitzkrieg: The Gozi Prinimalka trojan

Monday, October 29, 2012
Author: Richard S. Westmoreland
Permalink: gozi-prinimalka-blitzkrieg
General News


A few weeks ago, RSA wrote about a new attack against U.S. banks using a custom trojan (Gozi Prinimalka) and ~100 botmasters.

http://blogs.rsa.com/rsafarl/cyber-gang-seeks-botmasters-to-wage-massive-wave-of-trojan-attacks-against-u-s-banks/

Krebs shared his thoughts on this attack labeled "Project Blitzkrieg":

https://krebsonsecurity.com/tag/gozi-prinimalka/

For the last couple of weeks, technical details on this trojan and its botnet were scarce. Arbor Networks finally revealed what many of us were waiting for:

http://ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/

A quick summary to improve your detection capabilities:

- Dropped files follow the pattern %UserProfile%govXXXX.exe (each X is a lowercase letter)
- C&C IP addresses include 93.115.241.114 and 213.155.28.104
- C&C URI requests include /system/prinimalka.py/
- Opens a SOCKS proxy on the victim to relay traffic
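The indicators above are enough to write a first-pass detector. The script below is an added example written for this page, not code from the post or from Arbor Networks: it turns the dropped-file pattern into a regex, and runs the C&C IP and URI indicators over a few constructed Squid-style proxy log lines (epoch, client, method, URL, status). The log lines and client addresses are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post (sourced from the Arbor Networks write-up).
CNC_IPS = {"93.115.241.114", "213.155.28.104"}
CNC_URI_MARKER = "/system/prinimalka.py/"

# Dropped-file name: "gov" + four letters + ".exe", directly under %UserProfile%.
# The post says lowercase letters; Windows file names are case-insensitive,
# so matching case-insensitively costs nothing and avoids trivial evasion.
DROPPED_FILE_RE = re.compile(r"(?:^|[\\/])gov[a-z]{4}\.exe$", re.IGNORECASE)

# Constructed sample proxy log (Squid-style: epoch, client, method, URL, status).
# These lines are made up for the example and are not captured traffic.
SAMPLE_PROXY_LOG = """\
1351000001 10.0.0.5 GET http://www.example.com/index.html 200
1351000002 10.0.0.7 POST http://93.115.241.114/system/prinimalka.py/ 200
1351000003 10.0.0.9 GET http://213.155.28.104/ 404
1351000004 10.0.0.5 POST http://cdn.example.net/system/prinimalka.py/ 200
"""


def is_dropped_file_name(path):
    """True if the file name at the end of `path` matches the govXXXX.exe dropper pattern."""
    return DROPPED_FILE_RE.search(path) is not None


def classify_proxy_line(line):
    """Return the indicator names a single proxy log line matches ([] if clean)."""
    parts = line.split()
    if len(parts) < 5:
        return []
    u = urlsplit(parts[3])
    hits = []
    if u.hostname in CNC_IPS:
        hits.append("cnc-ip")
    # The URI marker is checked independently of the host, so a rebuilt
    # variant pointed at a new C&C IP still trips on the path.
    if CNC_URI_MARKER in u.path:
        hits.append("cnc-uri")
    return hits


def scan_proxy_log(text):
    """Map each client IP to the set of indicators it hit anywhere in the log."""
    findings = {}
    for line in text.splitlines():
        hits = classify_proxy_line(line)
        if hits:
            client = line.split()[1]
            findings.setdefault(client, set()).update(hits)
    return findings


if __name__ == "__main__":
    for client, hits in sorted(scan_proxy_log(SAMPLE_PROXY_LOG).items()):
        print(client, sorted(hits))
    for name in (r"C:\Users\bob\govabcd.exe", r"C:\Users\bob\governor.exe"):
        print(name, is_dropped_file_name(name))
```

The URI check is kept separate from the IP check on purpose: C&C addresses are the first thing a botmaster rotates once a configuration is burned, while the request path tends to survive longer. Treat a URI-only hit (10.0.0.5 in the sample) as worth a look rather than as noise.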

Now that this gozi variant has been reverse engineered well in advance of the attack, I suspect new variants will show up with altered configurations.
  


Flame and its C&C Domains

Tuesday, June 05, 2012
Author: Richard S. Westmoreland
Permalink: flame-malware-command-control
Virus Alerts


I'll keep this brief because there are much better sources of information about what Flame (Skywiper) is and how it works.

So to summarize -

What Flame is:

http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat

This is a trojan used in cyber espionage, originally targeting Iran. It appears to have been around since 2010 (and maybe as early as 2008) and is touted as one of the most complex trojans and C&C infrastructures created to date.

How Flame works:

http://www.crysys.hu/skywiper/skywiper.pdf
http://blog.soleranetworks.com/2012/05/30/what-we-know-so-far-about-the-flame-trojan-3/

Both are excellent analyses that reverse engineer the malware.

  

