I just wrote up an article about using tarpits to fight off HTTP-based DDoS attacks.
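As an added example of the technique that article is about (this is not code from the article or from its author), here is a minimal asyncio HTTP tarpit. Everything in it is an assumption for illustration: the sliding-window rate tracker, the tuning constants WINDOW_SECONDS, THRESHOLD and DRIP_DELAY, and the listening address. Clients under the request threshold get a short normal reply; clients over it get headers promising a chunked body that is trickled one byte at a time and never terminated, so each attacking connection sits waiting on the attacker's side while costing the server almost nothing.

```python
"""HTTP tarpit sketch: divert abusive clients onto a response that never
finishes, so each flooding connection ties up the client's socket instead of a
server worker.  Added example; all tuning values below are assumptions."""
import asyncio
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # assumed: sliding window per client IP
THRESHOLD = 20          # assumed: requests allowed per window before tarpitting
DRIP_DELAY = 2.0        # assumed: seconds between trickled chunks


class RateTracker:
    """Sliding-window request counter keyed by client IP."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)

    def record(self, ip, now=None):
        """Count one request from ip.  Returns True once the client has more
        than `threshold` requests inside the window (the first `threshold`
        requests are served normally)."""
        now = time.monotonic() if now is None else now
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop timestamps outside window
            q.popleft()
        return len(q) > self.threshold


def tarpit_preamble():
    """Status line and headers announcing a chunked body.  A client honouring
    these headers waits for a terminating zero-length chunk that never comes."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"\r\n")


def drip_chunk():
    """One single-byte chunk in HTTP/1.1 chunked framing: size, CRLF, data, CRLF."""
    return b"1\r\n \r\n"


NORMAL_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Length: 2\r\n"
                   b"Connection: close\r\n"
                   b"\r\nok")


async def handle(reader, writer, tracker, drip_delay=DRIP_DELAY):
    """Serve one connection: well-behaved clients get a short reply and a
    close, clients over the rate threshold are parked on the tarpit."""
    ip = writer.get_extra_info("peername")[0]
    try:
        # Read the request head only; the body (if any) is irrelevant here.
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=10)
    except (asyncio.TimeoutError, asyncio.IncompleteReadError,
            asyncio.LimitOverrunError):
        writer.close()
        return
    try:
        if not tracker.record(ip):
            writer.write(NORMAL_RESPONSE)
            await writer.drain()
            return
        writer.write(tarpit_preamble())
        await writer.drain()
        while True:                      # trickle until the client gives up
            await asyncio.sleep(drip_delay)
            writer.write(drip_chunk())
            await writer.drain()         # raises ConnectionError when peer drops
    except ConnectionError:
        pass
    finally:
        writer.close()


async def main(host="127.0.0.1", port=8080):   # assumed bind address
    tracker = RateTracker()
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, tracker), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Run it and send more than THRESHOLD requests from one address within the window; the later connections stay open receiving a byte every DRIP_DELAY seconds. In a real deployment you would also bound how long a tarpitted connection is held and how many addresses the tracker remembers, so the defence itself cannot be turned into a memory or file-descriptor exhaustion problem.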
We’ve identified two different Better Business Bureau phishing scams circulating over the past few months. One has an attachment which downloads a bunch of other stuff, including the Bandok trojan. The other one links to a website that tries to entice you to download and run an executable – this one is a BHO which sends all of your posts to any site to the phisher’s repository. Not just bank or Paypal or ebay logins – all interactive data sent to every site you visit. Couple this with the fact that the emails are being targeted only at senior management at companies and you have a potentially very damaging scheme.
And it works – we were able to locate one cache of stolen data. In it were over 1000 individuals, almost all were senior management from companies all over, large and small, at VP level and above (yes, even a few CEOs), along with a record of every website they’ve visited, and every field from every form they’ve posted (regardless of SSL encryption).
Read the whole writeup here: http://www.secureworks.com/research/threats/bbbphish
Here’s something interesting I came across – the SpamThru trojan uses a peer-to-peer communication system to avoid the network being shut down. This was inevitable I suppose, but there was something else I didn’t expect – it downloads and installs an anti-virus engine (Kaspersky) in order to ensure other malware doesn’t steal precious resources from the spamming operation. (Of course, it skips any files that belong to itself). Although some malware has tried to remove its competitors before, I can’t recall seeing any using this technique. Of course, the malware authors know which AV has the best detection rates, which must be why they chose KAV.
My analysis can be found here:
Mocbot appears to be almost a non-event, as we predicted. I’m tracking around 25 infected systems in the /8 netblock where I run my honeypot. Still, it takes time for these things to get inside the corporate firewall sometimes, so we may yet see a couple of large organizations hit hard. In the meantime, ever wonder why someone would go through the trouble and risk of releasing malware like this? The answer is simple… money. And it all traces back to spam.
As I write this entry, 692,023 hits are showing on the BlackWorm counter. The spread seems to have tapered off slightly since yesterday, but a significant number of users are still clicking on the attachments.
You may be asking yourself, “What can I do, as a network admin, to ensure my less sophisticated users don’t fall prey to this worm and have important files overwritten on Feb 3?”