DNSChanger is malicious software (malware) that changes a user’s Domain Name System (DNS) settings, in order to divert traffic to unsolicited and potentially illegal sites.

Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name “Rove Digital” and used the malware to manipulate users’ Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

FBI has since seized the rogue DNS servers and the botnet’s command-and-control (C&C) servers as part of “Operation Ghost Click” and the servers are now under their control. To assist victims affected by the DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order-which expired on 9 July 2012-the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

DNS Work	DNSChanger Work

With the ability to change a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address, in this case, advertisement websites.

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

A new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra” and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.

This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker’s disposal.

Similar to other crimeware kits, the functionality of Zemra is extensive:

• 256-bit DES encryption/decryption for communication between server and client
• DDoS attacks
• Device monitoring
• Download and execution of binary files
• Installation and persistence in checking to ensure infection
• Propagation through USB
• Self update
• Self uninstall
• System information collection

However, the main functionality is the ability to perform a DDoS attack on a remote target computer of the user’s choosing.

Initially, when a computer becomes infected, Backdoor.Zemra dials home through HTTP (port 80) and performs a POST request sending hardware ID, current user agent, privilege indication (administrator or not), and the version of the OS. This POST request gets parsed by gate.php, which splits out the information and stores it in an SQL database. It then keeps track of which compromised computers are online and ready to receive commands.

Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:

• HTTP flood
• SYN flood

Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.

Security researchers from GData, have spotted a DIY (do it yourself) botnet kit, available for sale at selected underground communities.

1 x Builder + stub + updates + installation assistance = €10 ***
This price even dropped down to €5, less than two weeks ago.

The main functions of “Aldi Bot” v1.0 are:
– Possibility to carry out DDoS attacks
– SOCKS; bot owner can use victim’s pc as proxy
– Firefox password stealer; stealing passwords saved in Firefox database
– Remote execution of any file

An update to v2.0 added the following functions to the ones already in use:
– Pidgin password stealer; stealing passwords from the instant messenger Pidgin
– jDownloader password stealer; stealing passwords from a downloader of one-click hoster

The author prides himself with a video, hosted on Youtube, which apparently shows an “Aldi Bot” DDoS attack against the website of the German Federal Police (www.bka.de).

IMDDOS, which is mainly based in China, has grown to become one of the largest active botnets.

The security firm Damballa is warning of a large and fast growing botnet created specifically to deliver distributed denial of service (DDoS) attacks on demand for anyone willing to pay for the service.

The IMDDOS botnet is operated out of China and has been growing at the rate of about 10,000 infected machines every day for the past several months, to become one the largest active botnets currently, Damballa says.

Gunter Ollman, vice president of research at Damballa, said that what makes IMDDOS significant is its openly commercial nature. The botnet’s operators have set up a public Web site potential attackers can use to subscribe for the DDoS service, and to launch attacks against targets.

The site offers various subscription plans and attack options, and provides tips on how the service can be used to launch effective DDoS attacks. It even provides customers with contact information for support and customer service.

Anyone with knowledge of Chinese can essentially subscribe to the service and use it to initiate DDoS attacks against targets of their choice, anywhere around the globe and with next to no effort, Ollman said.

Paid subscribers are provided with a unique alias and a secure access application which they download on to their systems. Users wishing to launch an attack use the application to log into a secure area on the Web site where they can list the hosts and servers they want to attack and submit their request.

The command and control-server behind the botent receives the target list and instructs the infected host machines, or botnet agents, to start launching DDoS attacks against the target site. “Depending on your level of subscription you will be provided a commensurate number of DDoS agents to use” in launching at attack, he said.

A vast majority of the infected machines that are part of the IMDDOS botnet are based on China, however, a significant number of infected machines in the U.S are part of it as well, Ollman said. Law enforcement authorities in the U.S. have been notified of the problem, he added.

The IMDDOS botnet provides another example of what many analysts say is the open and easy availability of sophisticated malware tools and services in China these days.

Source: ComputerWorld

Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.

Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.

The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.

A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by spanish hacker group “DDP Team”, is run by some guy named “tnls” as the botnet-control mechanism shows:

00129953 |. 81F2 736C6E74 |XOR EDX,746E6C73 ; ”tnls”

The Command & Control servers which it connects to via UDP to receive instructions are:

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage password stealing malware. I wonder who’s doing QA at Vodafone and HTC these days.

Source: Panda Research Blog