The most evil botnets. How the largest armies of malware appeared and died.
<blockquote data-quote="Dr. Smile" data-source="post: 395" data-attributes="member: 19">
<h4>Emotet</h4>
<ul> <li data-xf-list-type="ul">Brief description: banker, downloader</li> <li data-xf-list-type="ul">Lived: 2014 - present</li> <li data-xf-list-type="ul">Number of infections: unknown</li> <li data-xf-list-type="ul">Distribution methods: spam, social engineering</li> </ul>
<p>Emotet is another technically advanced banking Trojan. The first versions stole the banking data of just a few banks, but the botnet improved rapidly and is now in the top 3 most active and dangerous, although it first appeared relatively recently, in 2014.</p>
<p>Infection actively occurs through spam: messages contain a malicious attachment with a macro. The macro does not simply execute on its own; social engineering pushes the victim to launch it himself, which leads to infection.</p>
<p>At the turn of 2016 and 2017, the creators repurposed the botnet, and it now primarily acts as a downloader for other malware of all stripes. However, it is not worth removing it from the list of bankers just yet.</p>
<p>The botnet is marketed as IaaS or MaaS (malware as a service) to other cybercriminal groups. In particular, Emotet often works in tandem with Ryuk.</p>
<p><img src="https://st768.s3.eu-central-1.amazonaws.com/95493858c99269b01b7200ec4f81a09c/15054/emotet.jpg" alt="emotet.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>In the second half of 2019, the number of Emotet infections skyrocketed. The loader suddenly saw a burst of activity. In September, after a short four-month pause, Emotet began to act again with increasing force. In total, 27,150 Emotet samples were discovered in the second half of 2019 (an increase of 913% over the previous year). During this attack, more than 1000 unique IP addresses were recorded at which Emotet C&C servers were located. The graph below shows the number of Emotet samples found in the second half of 2018 and of 2019. A colossal difference is visible.</p>
<p><img src="https://st768.s3.eu-central-1.amazonaws.com/95493858c99269b01b7200ec4f81a09c/15055/emotetstats.jpg" alt="emotetstats.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>In 2020, a new feature was discovered: Emotet behaves like a worm, breaking into poorly secured Wi-Fi networks and spreading there. Another demonstration of how cybercriminals invent new techniques in the name of more effective infection.</p>
<p>As for the geography of distribution, Germany, the USA, India and Russia have suffered the most. The top affected countries also include China, Italy and Poland. Emotet is still active, so the infection pattern is constantly changing and may well have changed by the time this article is published.</p>
<p>To this day, nothing is known about the creators of Emotet, so there will be no fascinating story about the idiocy of the developers and the resourcefulness of law enforcement officers. A pity.</p>
<h4>3ve</h4>
<ul> <li data-xf-list-type="ul">Brief description: click fraud botnet</li> <li data-xf-list-type="ul">Lived: 2013–2018</li> <li data-xf-list-type="ul">Number of infections: ~1.7 million</li> <li data-xf-list-type="ul">Distribution methods: spam, social engineering</li> <li data-xf-list-type="ul">Damage: about $30 million</li> </ul>
<p>I think you are already tired of the banking Trojans in this collection. This bot, however, belongs to a different family: click fraud botnets. 3ve ("Eve") does not steal banking data from an infected machine, but clicks tons of ads on fake websites. Of course, the user does not notice anything, since everything happens covertly. The bot contained many mechanisms to evade detection in order to bring maximum profit to its creators. 3ve is considered the most advanced click fraud botnet.</p>
<p>3ve was distributed through the Methbot and Kovter botnets and operated several schemes.</p>
<p>One of the schemes received the identifier 3ve.1, but WhiteOps specialists discovered it first and named it MethBot. The campaign was also monitored by experts from Symantec and ESET, under the names Miuref and Boaxxe, respectively. Naturally, no one knew then that this operation was just a small piece of a larger ad fraud.</p>
<p>Another scheme mainly used servers in data centers rather than the computers of ordinary users: the bots imitated the behavior of real users of mobile and desktop devices. According to the FBI, 3ve's operators used about 1,900 servers in commercial data centers and had about 5,000 advertising sites at their disposal.</p>
<p>3ve's operators got caught after they began to forge BGP and appropriate blocks of IP addresses belonging to real customers in order to disguise the fraudulent activity. When ad networks started blocking addresses associated with the 3ve.1 scheme, the operators simply rented infected machines from the Kovter botnet. The new bots opened hidden browser windows and proceeded according to the old scheme.</p>
<p>In the third scheme, everything remained the same, but instead of a huge number of low-powered bots, several powerful servers and many rented proxies to hide those servers took part in the campaign.</p>
<p>At its peak, the 3ve botnet generated nearly 3 billion fraudulent requests every day, used 10,000 fake websites to serve ads, had over 1,000 bot servers in data centers, and controlled over a million IP addresses needed to hide the bots.</p>
<p><img src="https://st768.s3.eu-central-1.amazonaws.com/95493858c99269b01b7200ec4f81a09c/15052/3ve.jpg" alt="3ve.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>The botnet was shut down by the joint efforts of Google, the FBI, Adobe, Amazon, ESET, Malwarebytes and other companies. There were eight authors, and thirteen criminal cases were opened against them. Six of the authors are Russians, two more are Kazakhs. Sometimes the legends about Russian hackers don't lie!</p>
<p>According to Google, after the 3ve infrastructure was blacklisted and turned against it, there was a real lull in ad fraud. While the people in epaulettes have not named the group's exact earnings, experts estimate 3ve's earnings at no less than $30 million.</p>
<h4>Mirai</h4>
<ul> <li data-xf-list-type="ul">Brief description: DDoS botnet</li> <li data-xf-list-type="ul">Lived: 2016 - present</li> <li data-xf-list-type="ul">Number of infections: more than 560 thousand</li> <li data-xf-list-type="ul">Distribution methods: brute force</li> </ul>
<p>It would be strange not to remember such a famous bot. It is the king of botnets that attack IoT devices, and although it has long since faded, its many descendants still haunt security people. First discovered in 2016, it quickly and efficiently hijacked smart home devices (and sometimes not only them) with weak Telnet passwords.</p>
<p>This botnet was developed by students who for some reason got angry at their own university and wanted to organize DDoS attacks on it. But they miscalculated something, and now it is the largest IoT botnet, counting all its clones.</p>
<p>The botnet grew quietly at first, but after several attacks it was noticed and the hunt for its creators began. They came up with nothing smarter than publishing the source code. Like, we are not necessarily the authors: it could be anyone, the source is open. This trick did not help them, and the authors were found. Unfortunately, it was already too late: other groups got a powerful and dangerous tool for free. The number of botnets based on Mirai (and sometimes its outright clones) has exceeded one hundred and continues to grow.</p>
<p>In September 2016, after Brian Krebs published an article about DDoS botnet sellers, Krebs himself fell victim to an unusually strong DDoS attack, which peaked at 665 GB/s. This attack has become one of the most powerful known. The hosting provider could not tolerate it any longer, and the site was temporarily down until a new host was found.</p>
<p>A month later, a powerful attack was launched against DynDNS. It came in two waves of about an hour and a half each. Despite the prompt reaction and the measures taken to repel the attack, it still affected users. The consequences were visible until the evening of the same day. Remarkably, not one server was attacked, but many around the world. The engineers clearly did not expect such a load and could not respond properly. As a result, at least Twitter, GitHub, SoundCloud, Spotify and Heroku were affected.</p>
<p>Ironically, DNS queries were used to attack the DNS provider. The traffic exceeded normal by almost two orders of magnitude, and that is not counting the fact that the system administrators urgently introduced filtering. At that time, DNS amplification had already been described, but was not taken seriously. The attack on Dyn corrected the situation, so that there were no longer so many servers vulnerable to this technique.</p>
<p>According to the investigation, only about 100,000 overly “smart” devices were involved in the attack. Nevertheless, the attack was impressive in scale.</p>
<p>Inside Mirai is small and clean code, which, however, was not very technologically advanced. Only 31 login-password pairs were used for distribution, but even that was enough to capture more than half a million devices.</p>
<h4>Conclusion</h4>
<p>Powerful botnets come and go: as soon as information security researchers and law enforcement officers close one network (and sometimes its owners), the next one appears on the horizon, often even more threatening. For mere mortals, the moral here is very simple: put strong passwords on all your devices and update the firmware, and then your computer, router and overly smart refrigerator will not start working for a criminal gang.</p>
</blockquote>