An increase in credit and debit card theft via Point of Sale (PoS) malware campaigns over the late 2013 holiday season has resulted in significant media attention and has likely emboldened threat actors as the success of past campaigns comes to light. Media attention has decreased since news of the Target breach and associated fallout; however, threat actors targeting PoS systems are still engaged in active [...]
Although Network Time Protocol (NTP) reflection/amplification attacks have been observed in the wild for many years, they have received an uptick in popularity due to recent high-profile attacks, first in late December 2013 on gaming networks, and again this week in Europe.
Arbor is able to confirm that our ATLAS system monitored an attack on Monday, February 10 targeting a destination in France, peaking at 325 Gbps. Since then, ATLAS has observed no fewer than 4 more attacks exceeding 100 Gbps [...]
Zeus Gameover is a banking trojan that started appearing in the wild sometime in early 2012. As with Citadel, Ice IX, and KINS, it is based on the leaked Zeus trojan source code. The most significant difference between Gameover and its immediate family members is that it uses a peer-to-peer (P2P) network for its command and control (C&C). What also stands out is that there appears to be only one instance of the Gameover botnet, whereas Citadel for example [...]
Madness Pro is a relatively recent DDoS bot, first seen by ASERT in the second half of 2013 and also profiled by Kafeine in October 2013. Kafeine’s blogpost gave good insight into one method of infection and how quickly a potent DDoS botnet can be built. This post will take a deeper-dive into what Madness does upon infection of a system and what its attack capabilities are.
Madness [...]
Trojan.Ferret appeared on my radar thanks to a tweet by @malpush. The tweet revealed a URL that at the time of this writing was pointing to a command and control (C&C) panel that looked like this:
The logo alone convinced me to study this business of ferrets further. Coincidentally (for Arbor), it turns out that this malware is a DDoS bot.
The sample analyzed can [...]
The rise in Bitcoin values seems to have caused an equal increase of Bitcoin spam as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm.net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblige.
The site promises [...]
Inside Recent Point-of-Sale Malware Campaign Activities
Curt Wilson, Dave Loftus, Matt Bing
An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.
It appears that there are [...]
The Athena malware family has existed for quite some time and appears to have a love/hate relationship based on posts in various “underground” forums. The original version was IRC-based, but earlier this year an HTTP-based version was released. While not as prevalent as other malware families, Athena has had a strong presence in our malware processing system for quite some time. This blog post will discuss its origins and DDoS capabilities, go over its latest evolution, and offer some [...]
The roll out of the Healthcare.gov site in the United States has been met with a significant amount of news coverage. Reports have indicated that the site has been inaccessible to some people when they have attempted to visit it. ASERT has no direct knowledge of any significant denial of service attacks directed towards the site. However, ASERT has recently found one tool that is designed to overload the webpage.
The standalone tool is written in Delphi and performs layer seven [...]
The basics of Beta Bot were covered by Limor Kessem on the RSA blog. As a quick feature summary: