Reply to thread: Botnet
<blockquote data-quote="Brianwill" data-source="post: 600" data-attributes="member: 15"><p><strong>Emotet</strong></p><ul> <li data-xf-list-type="ul"><strong>Brief description:</strong> banker, loader</li> <li data-xf-list-type="ul"><strong>Years of life:</strong> 2014-present</li> <li data-xf-list-type="ul"><strong>Number of infections:</strong> unknown</li> <li data-xf-list-type="ul"><strong>Distribution methods:</strong> spam, social engineering</li> </ul><p>Emotet is another high-tech banking Trojan. The first versions stole the banking data of only a few banks, but the botnet was quickly improved and is now also among the top 3 most active and dangerous, although it first appeared relatively recently, in 2014.</p><p></p><p>Infection actively occurs through spam: emails contain a malicious attachment with a macro. The macro is not simply executed; it uses social engineering methods to get the victim to launch it, which leads to infection.</p><p></p><p>At the turn of 2016 and 2017, the creators repurposed the botnet, and now it mainly acts as a loader for other malware of all stripes. However, it is not worth deleting it from the list of bankers yet either.</p><p></p><p>The botnet is sold under the IaaS or MaaS (malware as a service) model to other cybercrime groups. In particular, Emotet often works in tandem with Ryuk.</p><p></p><p>In the second half of 2019, the number of Emotet infections increased dramatically. The loader suddenly registered a burst of activity. In September, after a short four-month pause, Emotet began to operate again with increasing strength. A total of 27,150 Emotet instances were detected in the second half of 2019 (an increase of 913% compared to the previous year). During this attack, more than 1000 unique IP addresses hosting Emotet C&C were recorded. The graph below shows the number of Emotet samples found for the second half of 2018 and 2019. There is a huge difference.</p><p></p><p>In 2020, a new feature was discovered: Emotet behaves like a worm, breaking into poorly protected Wi-Fi networks and spreading there. Another demonstration of how attackers invent new techniques in the name of more effective infection.</p><p></p><p>As for the geographical distribution, Germany, the United States, India and Russia were the most affected. The top affected countries also include China, Italy and Poland. Emotet is still active, so the infection pattern is constantly changing and may even change by the time this article is published.</p><p></p><p>To date, nothing is known about the creators of Emotet, so there will be no fascinating story of the idiocy of developers and the resourcefulness of law enforcement officers. It's a pity.</p><p></p><p><strong>3ve</strong></p><ul> <li data-xf-list-type="ul"><strong>Brief description:</strong> clickfraud botnet</li> <li data-xf-list-type="ul"><strong>Years of life:</strong> 2013–2018</li> <li data-xf-list-type="ul"><strong>Number of infections:</strong> ~1.7 million</li> <li data-xf-list-type="ul"><strong>Distribution methods:</strong> spam, social engineering</li> <li data-xf-list-type="ul"><strong>Damage:</strong> about $30 million</li> </ul><p>I think you've had enough of the banking Trojans in this collection. This bot, however, belongs to a different family: clickfraud botnets. 3ve ("Eve") does not steal banking data upon infection but clicks tons of ads on fake sites. Of course, the user does not notice anything, since everything happens secretly. The bot contained many detection bypass mechanisms in order to bring maximum profit to its creators. 3ve is considered the most advanced clickfraud botnet.</p><p></p><p>3ve was distributed through the Methbot and Kovter botnets and had several schemes of operation.</p><p></p><p>One of the schemes was identified as 3ve.1, but it was first discovered by WhiteOps specialists and named <a href="https://www.zdnet.com/article/methbot-5-million-a-day-stolen-from-us-companies/" target="_blank">MethBot</a>. This campaign was also monitored by experts from Symantec and ESET, under the names <a href="https://www.symantec.com/blogs/threat-intelligence/eversion-3ve-arrests-takedown" target="_blank">Miuref</a> and <a href="https://www.welivesecurity.com/2018/11/27/3ve-online-ad-fraud-disrupted/" target="_blank">Boaxxe</a>, respectively. Naturally, no one knew then that this operation was just a small piece of a larger advertising scam.</p><p></p><p>Another scheme used primarily servers in data centers rather than the computers of ordinary users; the bots imitated the behavior of live users of mobile and desktop devices. According to the FBI, 3ve operators used about 1,900 servers in commercial data centers and had about 5,000 advertising sites at their disposal.</p><p></p><p>3ve operators went further when they began to fake BGP and allocated blocks of IP addresses belonging to real clients to mask fraudulent activity. When ad networks started blocking addresses associated with the 3ve.1 scheme, the operators simply rented infected machines in the Kovter botnet. The new bots opened hidden browser windows and continued using the old scheme.</p><p></p><p>In the third scheme, everything remained the same, but instead of a huge number of low-powered bots, the campaign involved several powerful servers and a lot of rented proxies to hide the servers.</p><p></p><p>At its peak, the 3ve botnet generated about 3 billion fraudulent requests every day, used about 10,000 fake sites to display ads, had more than a thousand bot servers in data centers, and controlled over a million IP addresses needed to hide the bots.</p><p></p><p>The botnet was shut down by a joint effort of Google, the FBI, Adobe, Amazon, ESET, Malwarebytes and other companies. There were eight authors, and thirteen criminal cases were opened against them. Six of the authors are Russians, and two more are Kazakhs. Sometimes the legends about Russian hackers do not lie!</p><p></p><p>According to Google, after the 3ve infrastructure was blacklisted and sinkholing was used against it, there was a real lull in advertising fraud. Although the men in uniform do not give the exact income of the group, experts estimate 3ve's earnings at no less than $30 million.</p><p></p><p><strong>Mirai</strong></p><ul> <li data-xf-list-type="ul"><strong>Brief description:</strong> DDoS botnet</li> <li data-xf-list-type="ul"><strong>Years of life:</strong> 2016-present</li> <li data-xf-list-type="ul"><strong>Number of infections:</strong> more than 560 thousand</li> <li data-xf-list-type="ul"><strong>Distribution methods:</strong> brute force</li> </ul><p>It would be strange if we didn't recall such a famous bot. It is the king of botnets that attack IoT devices, and although it itself has long since died out, its numerous descendants still haunt security professionals. First discovered in 2016, it quickly and efficiently hijacked smart home devices (and sometimes not only them) with weak Telnet passwords.</p><p></p><p>This botnet was developed by students who for some reason got angry at their own university and wanted to organize DDoS attacks on it. But they missed something, and now this is the largest IoT botnet, if you take into account all its clones.</p><p></p><p>The botnet grew slowly at first, but after several attacks it was noticed and the hunt for its creators began. They didn't come up with anything smarter than simply publishing the source code. As in: we don't have to be the authors; it could have been anyone, the source code is open. This trick did not help them, and the authors were found. Unfortunately, it was already too late: other groups had received a powerful and dangerous tool for free. The number of botnets based on Mirai (and sometimes complete clones of it) has exceeded one hundred and continues to grow.</p><p></p><p>In September 2016, after Brian Krebs published an article about DDoS botnet vendors, Krebs himself became the victim of an unusually strong DDoS attack, which peaked at 665 GB/s. This attack in general became one of the most powerful among those known. The hoster would not tolerate this any longer, and the site was temporarily down until a new hoster was found.</p><p></p><p>A month later, a powerful attack was launched against DynDNS. It came in two waves of about an hour and a half each. Despite the rapid response and the measures taken to repel the attack, it still affected users. The consequences were visible until the evening of the same day. It is noteworthy that not one server was attacked, but many around the world. The engineers clearly did not expect such a load and could not react properly. As a result, at least Twitter, GitHub, SoundCloud, Spotify and Heroku were affected.</p><p></p><p>Ironically, DNS queries were used to attack the DNS provider. Traffic exceeded normal by almost two orders of magnitude, and that is not counting the fact that system administrators urgently introduced filtering. At that time, DNS amplification had already been described, but it was not taken seriously. The attack on Dyn corrected the situation, so there are not so many servers vulnerable to this technique anymore.</p><p></p><p>According to the investigation, only about 100 thousand excessively "smart" devices participated in the attack. Nevertheless, the attack was impressive in its scale.</p><p></p><p>Inside Mirai is small and clean code which, however, was not very technologically advanced. Only 31 login and password pairs were used for distribution, but even this was enough to capture more than half a million devices.</p><p></p><p><strong>Conclusion</strong></p><p>Powerful botnets come and go: as soon as cybersecurity researchers and law enforcement agencies shut down one network (and sometimes its owners), the next one appears on the horizon, often even more threatening. For ordinary mortals, the moral here is very simple: put strong passwords on all your devices and update the firmware, and then your computer, router and overly smart refrigerator will not start working for a criminal gang.</p></blockquote>
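The post's Mirai section describes the whole infection mechanism: a scanner that walks a short list of factory default Telnet credentials until one works. The flip side of that for a defender is that the same behaviour is easy to spot in Telnet honeypot or auth logs: one source cycling through many distinct username/password pairs in seconds, most of them straight from the leaked default list. The script below is an added example, not code from the original post or from Mirai; the log line format and the sample lines are constructed for the example, and the credential set is an assumed subset of the default pairs widely reported from the leaked Mirai scanner source, not the full table.

```python
"""Flag Mirai-style Telnet credential sprays in honeypot logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed subset of the factory-default pairs shipped in the leaked Mirai scanner.
# An empty password is represented as "".
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("admin", "1111"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("Administrator", "admin"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("guest", "12345"),
}

# Constructed honeypot log: one default-credential spray that ends in a successful
# login, one operator mistyping a real password, and one non-default spray.
SAMPLE_LOG = """\
2016-09-20T21:14:03 telnet login src=203.0.113.7 user=root pass=xc3511 result=fail
2016-09-20T21:14:05 telnet login src=203.0.113.7 user=root pass=vizxv result=fail
2016-09-20T21:14:07 telnet login src=203.0.113.7 user=admin pass=admin result=fail
2016-09-20T21:14:09 telnet login src=203.0.113.7 user=root pass=888888 result=fail
2016-09-20T21:14:11 telnet login src=203.0.113.7 user=root pass=xmhdipc result=fail
2016-09-20T21:14:13 telnet login src=203.0.113.7 user=root pass= result=ok
2016-09-20T21:20:00 telnet login src=198.51.100.5 user=ops pass=Tr0ub4dor&3 result=fail
2016-09-20T21:31:00 telnet login src=198.51.100.5 user=ops pass=Tr0ub4dor3 result=ok
2016-09-20T22:01:00 telnet login src=192.0.2.9 user=root pass=toor result=fail
2016-09-20T22:01:01 telnet login src=192.0.2.9 user=root pass=letmein result=fail
2016-09-20T22:01:02 telnet login src=192.0.2.9 user=pi pass=raspberry result=fail
2016-09-20T22:01:03 telnet login src=192.0.2.9 user=root pass=changeme result=fail
"""


def parse_line(line):
    """Parse one line of the assumed format
    '<ISO timestamp> telnet login src=<ip> user=<u> pass=<p> result=<ok|fail>'
    into (timestamp, src, (user, password), login_ok).
    Passwords containing spaces are not handled by this simple tokenizer."""
    ts_str, rest = line.strip().split(" ", 1)
    fields = {}
    for tok in rest.split(" "):
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    cred = (fields["user"], fields.get("pass", ""))
    return ts, fields["src"], cred, fields.get("result") == "ok"


def detect_sprays(lines, window=timedelta(seconds=60), min_pairs=4):
    """Return {src_ip: report} for every source that tried at least `min_pairs`
    distinct credential pairs inside any `window`-long interval.
    The report says how many pairs were tried, what fraction of everything that
    source tried is a known Mirai default, and whether any login succeeded
    (a spray followed by 'result=ok' means the device is most likely owned)."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, cred, ok = parse_line(line)
            by_src[src].append((ts, cred, ok))

    reports = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        best = 0
        # Sliding window anchored at each attempt: count distinct pairs that follow
        # it within `window`. Events are time-ordered, so t - t0 is never negative.
        for i, (t0, _, _) in enumerate(events):
            pairs = {cred for t, cred, _ in events[i:] if t - t0 <= window}
            best = max(best, len(pairs))
        if best < min_pairs:
            continue
        tried = {cred for _, cred, _ in events}
        succeeded = any(ok for _, _, ok in events)
        reports[src] = {
            "distinct_pairs": best,
            "known_default_ratio": round(len(tried & MIRAI_DEFAULTS) / len(tried), 2),
            "login_succeeded": succeeded,
            "severity": "high" if succeeded else "medium",
        }
    return reports


if __name__ == "__main__":
    for src, report in detect_sprays(SAMPLE_LOG.splitlines()).items():
        print(src, report)
```

The threshold of four distinct pairs in a minute is deliberately low: a human mistyping a password retries the same username with near-identical passwords minutes apart (the 198.51.100.5 source above is never reported), while a scanner walks a fixed table in seconds. The `known_default_ratio` field separates Mirai-family scanners, which score close to 1.0, from generic brute-forcers using other wordlists, and a successful login after a spray is the signal to pull the device off the network rather than just block the source.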