<blockquote data-quote="Brianwill" data-source="post: 595" data-attributes="member: 15"><p><h3>The most dangerous botnets</h3><p><strong>A botnet</strong> won't surprise anyone today: they occur all the time, and the underlying infection is easily cleaned out by antivirus software, thanks to the crookedness of authors who collect malware on their knees from humus and sticks. But it happens that pros take on virus writing, and then the damage becomes colossal, and the war against malware is protracted and interesting. In this article, I will analyze such stories, and some of them are not over yet.</p><p></p><p><strong>The most dangerous botnets</strong></p><p>It is impossible to cover even all the most interesting epidemics in one article, so I selected only eight of the most significant cases. And even they can't be described in full detail, so I warn you right away that some details may be omitted, intentionally or not. Keep in mind that the situation around active Trojans may well change from the moment the article is published.</p><p></p><p><strong>ZeuS</strong></p><ul> <li data-xf-list-type="ul"><strong>Brief description:</strong> banking Trojan</li> <li data-xf-list-type="ul"><strong>Years of life:</strong> 2007-present</li> <li data-xf-list-type="ul"><strong>Number of infections:</strong> more than 13 million</li> <li data-xf-list-type="ul"><strong>Distribution method:</strong> exploit pack</li> <li data-xf-list-type="ul"><strong>Distribution:</strong> 196 countries</li> <li data-xf-list-type="ul"><strong>Damage:</strong> more than $120 million</li> </ul><p>Our hit parade opens with Zeus, but not the one who sits on Olympus among the gods. This banking Trojan is so widespread that it has taken first place in the list of America's most wanted botnets. According to sofa analysts, it was used in 90% of all bank fraud cases in the world.</p><p></p><p>At first, several hundred separate botnets were created on the basis of ZeuS, which were controlled by different gangs of cybercriminals. The author or authors of the bot simply sold the builder to everyone they met, and those buyers made their own botnets out of it.</p><p></p><p>Everyone distributed the bot as best they could; for example, in 2009, one of the groups conducted a large-scale mailing of Zeus through the spam botnet Pushdo. Damballa estimates that about 3.6 million PCs were infected in the United States alone. In total, more than 13 million computers have been infected since the introduction of Zeus.</p><p></p><p>The Zeus developer was originally known under the nicknames Slavik and Monstr, and it was he who independently sold and supported the bot in 2007-2010. This continued until version 2.0, when in October 2010 Slavik transferred the raw materials of version 2.0 to the developer of the SpyEye Trojan and, according to legend, stopped development. But, according to RSA, the original author did not go anywhere, and the transfer of the code was a red herring.</p><p></p><p>In August 2010, that is, two months before the official announcement of the termination of work on Zeus, experts discovered a botnet created on Zeus version 2.1, which was not sold on any underground forum at that time. From this, we can conclude that the author simply changed the business model and decided to create his own botnet rather than sell the bot builder to everyone.</p><p></p><p>One of the main features of Zeus 2.1 was that the scheme of communication with management servers changed: now server addresses were created using DGA (Domain Generation Algorithms). To protect against interception, the signature of the file downloaded during the update was checked (an RSA-1024 signature was used).</p><p></p><p>Among the innovations of this version, some researchers also include the appearance in September of the ZeuS-in-the-Mobile (ZitMo) build for Android, Windows Mobile, BlackBerry and even Symbian. The newly-minted Trojan worked in conjunction with the "regular" desktop version of Zeus and allowed you to bypass 2 TYPES of online banking. According to Check Point Software and Versafe, by the end of 2012, the ZitMo build called Eurograber brought its owners a profit of about 36 million euros (about $47 million at that time).</p><p></p><p>Someone either got greedy or leaked the source code of Zeus 2.0.8.9 on the side, but the fact remains that the source code of the almost current version of Zeus went on sale on the darknet; it was February 2011. And then either there were no buyers, or the seller was hacked: in May, the source code got into the public. This event was, I think, the most significant for the hacker world in 2011.</p><p></p><p>We should also mention the HVNC module (H stands for Hidden). This is an implementation of a VNC server, but it interacts with a virtual desktop that the user cannot see. Later, based on the leaked sources, the HVNC module was converted into a separate project.</p><p></p><p>After the leak, "craftsmen" immediately appeared, who began riveting together their Trojans from the Zeus source code, which sometimes were clones of Zeus a little more than completely, including the admin panel. But there were also more worthwhile crafts, for example, <strong>the Citadel project</strong>. Its main feature was the creation of an online platform similar to the modern GitHub. Here, customers could request new features, report bugs, and add their own modules. In short, the development became interactive and brought a lot of money to its admins. Customers were even provided with technical support; it included, for example, the constant maintenance of Citadel in an up-to-date state to bypass the latest protection in the form of antivirus programs.</p><p></p><p>In the fall of 2011, a researcher named Roman Hussy (who was studying Zeus), while researching one of the Zeus variants, noticed strange UDP traffic. Further analysis showed that the new version of Zeus had several IP addresses in the configuration block, and computers with these IP addresses responded to the infected system. During the day, approximately 100 thousand unique IP addresses were identified which were contacted by the new modification; most of them were located in India, Italy and the United States.</p><p></p><p>It turned out that Zeus had acquired peer-to-peer functions designed for updating and based on the Kademlia protocol. Because of the use of the script named gameover.php, this version was given the name GameOver.</p><p></p><p>In early 2012, another version of Zeus GameOver was discovered: it contained a built-in nginx server to interact with other bots via the HTTP protocol. From this point on, each bot could act as a proxy for communicating with the original C&amp;C, and protection from the distribution of "updates" by specialists on the other side of the barricades was provided by the same file signature. The GameOver version turned out to be very tenacious and is still active.</p><p></p><p>More than 74,000 hacked FTP servers, spam, fraud with fake technical support, exploits, and even social engineering in social networks were used to spread the bot. In short, the whole gentleman's set.</p><p></p><p>Later, it was reported that the FBI, together with experts from about a dozen countries, revealed the group behind the creation of Zeus. All its participants were put on the wanted list, <a href="https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev" target="_blank">including</a> the alleged organizer, a certain Evgeny Bogachev. According to the FBI, Bogachev lives in Anapa and owns a yacht. For his head they offer a record amount of 3 million green American rubles! Since then, little has been heard about Zeus updates: the author, apparently, has laid low, and there is no progress in the search at all. We will wait for news.</p><p></p><p>By saying "I don't hear much about updates", I mean that the original Zeus was actually no longer supported, but in 2015 a new interesting modification of it appeared, called Sphinx. Its panel is not particularly different, but inside it is a new Trojan, well reworked by unknown authors. Now, in connection with the coronavirus, it is especially active and is spread through social engineering. A fake signature of Kaspersky Lab and a self-made certificate were used as a cover.</p><p></p><p>Treatment of Zeus is very difficult: it successfully bypasses antivirus programs using polymorphic encryption, infects many files, and is constantly updated. The best remedy is to reinstall the infected system, but if you really want to, you can try to find and cure the infected files, of course, without any guarantees of success.</p><p></p><p><strong>Storm</strong></p><ul> <li data-xf-list-type="ul"><strong>Brief description:</strong> email worm for spam and DDoS</li> <li data-xf-list-type="ul"><strong>Years of life:</strong> 2007–2008</li> <li data-xf-list-type="ul"><strong>Number of infections:</strong> about 2 million</li> <li data-xf-list-type="ul"><strong>Distribution method:</strong> spam</li> </ul></blockquote><p></p>