Friday 3rd September 2010

Posts Tagged ‘botnet’

Internet Security Industry Celebrates Botnet Catch

Friday, July 30th, 2010

The internet security industry applauded the recent capture of a botnet hacker in Slovenia.

Known as Iserdo, he is believed to have written the programme on which the Mariposa virus is based. Such was the importance of his arrest that the FBI described it as a major breakthrough.

The Mariposa virus created one of the globe’s most virulent botnets, which eventually infected over 12 million computers.

Also known as Butterfly, the Mariposa virus was created as a tool to steal personal financial details from bank customers. Many of the infected computers were owned by banks, financial institutions and major companies.

The 23-year-old Iserdo was one of the internet security industry’s most wanted men, and he and the team of around three who ran the botnet had been hunted by officials from around the world. Last December the team of three were arrested in Spain, which led to the closure of the infamous botnet.

The FBI was delighted with the arrests and the botnet’s demise, with the deputy assistant director of the bureau’s cyber division telling Associated Press:
“To use an analogy here, as opposed to arresting the guy who broke into your home, we’ve arrested the guy that gave him the crowbar, the map and the best houses in the neighbourhood.”

A botnet is a network of compromised computers which are controlled by malicious programmes without the owners of the computers realising their machines are infected. The programmes are designed to sit on the compromised computer and send back key information from the hard drive, including personal information such as usernames and passwords.

Commenting on developments, Rik Ferguson, an internet security expert at Trend Micro, told the BBC:
“The guys behind it said it was more successful than they had intended to be. As is the case with most botnets, the more widespread they are the more likely they are to be discovered. They were a victim of their own success.

“The thing with the underground economy is that it’s full of niche vendors and players, it mirrors legitimate business. There’s a lot of competition – it’s not unusual to see malware designed to remove other malware, just so that it can take over.”

Guest Article by Neil Camp


Bot Herders Apply for Panda Labs Job

Tuesday, May 25th, 2010

Two bot herders who were part of the team behind the Mariposa botnet thought that their CVs would stand them in good stead when they applied for jobs at Panda Labs.

Bot herders are hackers who establish what’s known in the industry as botnets: computers that have been taken over by the hackers – without the knowledge of their owners – and networked together into a powerful tool for nefarious activities, such as spam mailing.

It’s long been a tactic of hackers, such as bot herders, to commit an attack on a company’s software or network and then use that as a kind of ‘real-life’ CV to get a job. But in an industry which is becoming far more professional every day, it’s unlikely that this type of job canvassing is going to win many friends in the future.

So when the two herders who helped run the Mariposa botnet turned up at Panda’s offices, there was some amusement and not a little incredulity.

The two bot herders in question were both Spanish and hid behind their online nicknames of ‘Ostiator’ and ‘Netkaira’ when running the Mariposa botnet. But according to Panda, the job hunt was not down to any feelings of remorse, or repentance, but to the fact that the Mariposa botnet had been closed down and the two bot herders had literally run out of money. They hoped that they could come to an ‘understanding’ with Panda, who they believed would welcome their knowledge.

According to Panda, the fact that the two bot herders had been so closely involved in Mariposa meant that they could not be employed; the company went on to say that their somewhat dubious technical skills made them unsuitable anyway.

Undeterred, the two bot herders tried again to secure jobs at Panda some months later, but were again turned down.

Panda pointed out that the openness of the two bot herders’ approach might be explained by the fact that in Spain, running a botnet is not illegal. The company went on to say that the Spanish national police force, the Guardia Civil, were looking at ways in which the two bot herders could be prosecuted for stealing identities through the Mariposa botnet.

Guest Article by Neil Camp


McAfee Says Spam, Botnets at an All Time High

Tuesday, August 18th, 2009

The second quarter threat report from McAfee has some bad news for all computer users out there. The main finding is that spam volumes have increased by 141% since March 2009, continuing the longest streak of increasing spam volumes ever. But that’s not all, as there has been a dramatic expansion of botnets and Auto-Run malware.

The report highlighted the fact that 14 million computers have been enslaved by cybercriminal botnets, a 16% increase over last quarter.

Auto-Run malware is becoming an increasing problem: over a test period of 30 days, it was discovered to have infected over 27 million files. Auto-Run malware, which exploits the Windows Auto-Run capability, does not require any user clicks to activate. It is most often spread through portable USB and storage devices. Depressingly, its rate of detection surpasses the infamous Conficker worm by 400%, making it the number one piece of malware detected around the world.
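As an added example (not from the McAfee report or this blog), the PowerShell below audits the Windows AutoRun policy that USB-borne Auto-Run malware relies on and, with `-Apply`, sets `NoDriveTypeAutoRun` to 0xFF, the value Microsoft documents (KB967715) as disabling AutoRun for every drive type. The registry paths are the standard Explorer policy keys; the script and its `-Apply` switch are this editor's own.

```powershell
# Added example: audit (and optionally harden) the AutoRun policy that
# Auto-Run malware on USB media depends on. Not code from the original page.
# Assumption: NoDriveTypeAutoRun = 0xFF under the Explorer policy key
# disables AutoRun for all drive types (Microsoft KB967715).
param([switch]$Apply)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$desired = 0xFF

function Get-AutoRunPolicy {
    # Returns the DWORD value, or $null when the policy has never been set.
    param([string]$Key)
    $prop = Get-ItemProperty -Path $Key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.NoDriveTypeAutoRun
}

foreach ($key in $keys) {
    $current = Get-AutoRunPolicy -Key $key
    if ($null -eq $current) {
        $state = 'NOT SET (Windows defaults apply)'
    } elseif (($current -band $desired) -eq $desired) {
        $state = 'hardened (AutoRun disabled on all drive types)'
    } else {
        # Some drive-type bits are still clear, so AutoRun remains enabled there.
        $state = ('weak: 0x{0:X2}' -f $current)
    }
    Write-Output ("{0}`n  NoDriveTypeAutoRun: {1}" -f $key, $state)

    $needsFix = ($null -eq $current) -or (($current -band $desired) -ne $desired)
    if ($Apply -and $needsFix) {
        # Policy keys may not exist on a fresh install; create them first.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value $desired -Type DWord
        Write-Output ("  -> set to 0x{0:X2}" -f $desired)
    }
}
```

Run it without `-Apply` first to see the current state of each key; writing to the HKLM key requires an elevated prompt.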

Mike Gallagher, Senior Vice President and Chief Technology Officer of McAfee Avert Labs, said:
“The jump in bot and spam activity we saw in the last three months is alarming, and the threat from Auto-Run malware continues to grow. The expansion of these infections is a grave reminder of the potential harm that can be caused by unprotected computers in homes and businesses.”

McAfee also provides some background showing a generally worsening computer security situation.

It is noted that fourteen million additional computers have been turned into botnets this quarter. This equates to more than 150,000 computers infected every day, or 20% of the personal computers bought daily.

It also said that South Korea accounted for the largest boost in bot activity. The country saw a 45% increase in new infected computers over the last quarter. And such botnets were used to execute the recent DDoS cyber attacks against the White House, the New York Stock Exchange and South Korean government Web sites.

But although South Korea has its problems, it accounts for less than four percent of the world’s new bots. It’s the U.S. which tops the list, with 15% of the new zombie computers.

And it’s this bot expansion that is behind the increasing volume of spam, which is now 92% of all email. Spam volumes have now exceeded the highest volume on record by 20%, increasing at a steady rate of roughly 33% each month. This equates to spam volumes growing by over 117 billion emails every day.

What’s most disturbing is that as the number of bots continues to grow, malware writers have begun to offer malicious software as a service to those who control botnets. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. And the creation and management of malware is becoming even easier, thanks to programs like Zeus, an easy-to-use Trojan creation tool.

And cyber criminals are increasingly turning their attention to the popular social networking sites, including Twitter, Facebook and MySpace.

Guest Article by Neil Camp


Virus Sinowal

Wednesday, May 27th, 2009

Security outfit Kaspersky reports that it has discovered a fresh version of the malicious virus Sinowal, which represents a very sophisticated threat, and computer users should be on their guard. It also employs a new method which is being used for the first time by cyber criminals.

Sinowal, also known as Torpig, has the ability to hide itself by contaminating the master boot record (MBR), which is part of a computer’s hard drive. The MBR is the lowest level of the operating system, and by sitting there the virus effectively bypasses the anti-virus software.

Sinowal is a botnet-forming virus which is designed to exploit weaknesses in websites. One of its most recent vectors has been the security hole in Adobe Acrobat Reader PDF software.

Sinowal is particularly sophisticated on one level, yet quite simple on another, which has made it a long-term adversary of security experts for many years.

Kaspersky admitted that for many computer users, being infiltrated by Sinowal and its variants was inevitable. Sinowal was adept at creating botnets which would later allow trojans onto the infected computers.

The security firm recommended that anti-virus software be kept stringently up to date and that, should Sinowal be discovered, special instructions be followed in order to remove it.

Guest Article by Neil Camp


McAfee Security Threat Report

Wednesday, May 13th, 2009

McAfee’s latest security threat report (covering January to March 2009) reveals that since January, over 12 million new IP addresses have been hijacked by cybercriminals, a 50% increase since 2008.

IP addresses are hijacked and the computers behind them used as zombies within worldwide botnets. A zombie will then be used to send out spam email, infecting other machines which will in turn send out even more email, and so the process goes on, creating billions of spam emails which clog up the system.

The U.S. is home to the greatest percentage of botnet infected computers, accounting for nearly 20% of all zombie machines.

Cybercriminals are rushing to create new botnets after the takedown of a major spam-hosting ISP, McColo Corp, in November 2008, which cut spam levels by some 60%.

And the cybercriminals are quickly recovering the ground that they had lost, with spam volumes now about 70% of what they were before McColo was stopped.

Jeff Green, senior vice president of McAfee Avert Labs, said: “The massive expansion of these botnets provides cybercriminals with the infrastructure they need to flood the web with malware. Essentially, this is cybercrime enablement.”

The report came up with a number of other findings, including that the Koobface virus has made a resurgence. More than 800 new variants of the virus have been discovered in March 2009 alone.

Also, malware writers are increasingly using servers which host legitimate content to launch malicious and illegal content.

URL redirects are being used more often by cybercriminals, and web 2.0 sites are being used to hide their location.

Ironically, given the recent media fuss about Conficker, the report concludes that this worm and all its variants only accounted for some 10% of detections reported during the first quarter. But whether this means it was over-hyped, or hasn’t yet had the effect feared, remains to be seen.

Guest Article by Neil Camp


Be Afraid, Be Very Afraid

Tuesday, April 28th, 2009

Conficker is coming alive.

The virus that threatened to cause chaos on April Fool’s Day and was eventually labelled by some as a prank, is having the last laugh as it becomes activated across a number of personal computers.

Conficker, also spelt Conflicker, and also known as Downadup or Kido, is a particularly insidious form of worm which sits covertly on a computer and turns it into a zombie, part of a botnet. The zombie sits and awaits instructions, mostly opening the way for a piece of malware with a specific task. This might be a virus called Waledac, which sends out millions of spam emails from the computer’s mail box.

Accompanying the spam emails are false anti-spyware programmes which eventually render the receiving computer open to attack. The receiving computer is then recruited into the botnet, in turn sending out more spam email. The receiving computer is also sitting there with its defences down, waiting for the virus to send the personal and financial details of its user back to the originator of the worm.

Computer security experts are worried because the worm appears very sophisticated and operates in a stealth mode, sitting on machines until activated. It’s feared that Conficker has infiltrated thousands of computers, awaiting instructions. Experts also fear that there is a twist that no one is aware of yet, as Conficker has yet to show its true colours.

Conficker and its botnets are thought to be controlled by cyber crime syndicates based in China, Eastern Europe, Latin America and Southeast Asia.

The worm is designed to exploit operating system weaknesses, with Windows being particularly vulnerable. It can bypass many corporate firewalls as people swap files from an infected computer to a clean one using a USB memory stick.

Computer users worldwide are being warned to be on their guard against Conficker.

Guest Article by Neil Camp


Ukrainian Cyber Thieves Grab PCs

Sunday, April 26th, 2009

Security firm Finjan has discovered a massive network of remotely controlled PCs, including computers inside the U.K. and U.S. governments.

The network, known in the industry as a botnet, is said to have spread across nearly two million individual machines and looks likely to have originated in Ukraine. Although figures were patchy, it is believed that several computers within U.K. Government departments were compromised. It is understood that the Metropolitan Police is investigating.

A botnet is a cyber criminal’s dream. The infected computers that form the net become zombies, awaiting instructions from the people who planted them. All it takes is for one machine to be infected before it in turn infects as many machines as it can, creating the botnet. The zombie computers are then open to attack from all kinds of viruses and malware, each with a different role in life.

One job might be to send out phishing emails from the computer user’s mailbox, enlarging the botnet and causing people to load bogus websites which ask for personal and financial details. Another might be to record keystrokes on a user’s computer, which allows the cyber criminals to enter a legitimate website, usually financial, and empty an account using the information they have gathered. And they might allow access to a computer’s stored information, including files and operating systems.

In effect, the zombie computer becomes a beachhead for all manner of future attacks.

The cyber criminals behind the attack are the storm troopers, and rather than use the open door themselves, they usually sell the opportunity to others. It has been reported that the hackers behind this botnet were selling access to machines within the botnet at around $100 a time.

The botnet hit worldwide, with around 5% of infected machines being situated in the U.K., including the British Government and one computer inside the BBC.

The network was spotted after routine security checks and rumours of its existence, and it marks a new stage of sophistication from the world’s cyber criminals.

Guest Article by Neil Camp


The Editor

Alan Potts: My name is Alan Potts and I'm the Editor of the Antivirus-BUYability web site and Managing Director of BUYability Limited.


© BUYability