Botnet with 60GB of stolen data cracked wide open
Fast flux no more
Researchers have cracked open a botnet that amassed more than 60GB of passwords and other stolen data, even as it cloaked itself using a state-of-the-art technique known as fast flux.
When its command-and-control server was infiltrated, the Mumba botnet had snagged more than 55,000 PCs, according to the researchers from anti-virus provider AVG. The data-stealing operation is the work of the notorious Avalanche Group, a criminal operation that was responsible for two-thirds of all phishing attacks in the second half of 2009, according to a report earlier this year from the Anti-Phishing Working Group.
“These criminals are some of the most sophisticated on the internet, and have perfected a mass-production system for deploying phishing sites and 'crimeware,'” AVG wrote in a report issued Monday. “This means that mitigating the threat by going after the servers hosting the data using the 'Mumba' botnet is now much harder than before.”
Most botnet command-and-control channels run on compromised webservers or web-hosting services designed for criminals, making it possible to dismantle the network by taking down the central server. Mumba, by contrast, makes use of fast-flux technology, in which the operations are carried out on thousands of compromised PCs. That allows the IP address and host machine to change every few minutes, a measure that frequently foils takedown attempts by researchers and law enforcement.
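The fast-flux behaviour described above is visible from the defender's side in resolver logs: one hostname resolving to many unrelated addresses, each answer carrying a very short TTL. The following script is an added illustration, not code from AVG's report or from this article, that scores domains on those signals over a constructed set of resolver log lines. The log format, the thresholds and the two hostnames are assumptions chosen for the example.

```python
"""
Fast-flux DNS heuristic (added example; the log format, hostnames and
thresholds are assumptions made for illustration).

A fast-flux network fronts its command-and-control server with a pool of
compromised hosts and rotates the domain's A records every few minutes.
Seen from a resolver log that is: many distinct IPs for one name, short
TTLs, and addresses scattered across unrelated networks. No single signal
is enough (CDNs also use short TTLs), so the three are combined.
"""
from datetime import datetime
import ipaddress

# Constructed sample resolver log: "<ISO timestamp> <domain> <A record> <ttl>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2010-08-02T10:00:00 updates.example-cdn.test 203.0.113.10 3600
2010-08-02T10:05:00 updates.example-cdn.test 203.0.113.10 3600
2010-08-02T10:10:00 updates.example-cdn.test 203.0.113.11 3600
2010-08-02T10:00:00 login-check.flux.test 198.51.100.7 180
2010-08-02T10:03:00 login-check.flux.test 192.0.2.44 180
2010-08-02T10:06:00 login-check.flux.test 203.0.113.201 120
2010-08-02T10:09:00 login-check.flux.test 198.51.100.250 180
2010-08-02T10:12:00 login-check.flux.test 192.0.2.9 60
2010-08-02T10:15:00 login-check.flux.test 203.0.113.77 180
"""

# Thresholds are assumptions for the example; tune them against your own traffic.
MIN_DISTINCT_IPS = 5        # pool size seen within the window
MIN_DISTINCT_PREFIXES = 3   # /24 networks the pool spans
MAX_TTL = 300               # seconds; flux records are kept short to rotate fast


def parse_log(text):
    """Parse log lines into (timestamp, domain, ip, ttl), ordered per domain by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, ip, ttl = line.split()
        records.append((datetime.fromisoformat(ts), domain.lower(), ip, int(ttl)))
    records.sort(key=lambda r: (r[1], r[0]))
    return records


def summarize(records):
    """Aggregate the per-domain signals a fast-flux detector cares about."""
    stats = {}
    for ts, domain, ip, ttl in records:
        s = stats.setdefault(domain, {
            "ips": set(), "prefixes": set(), "max_ttl": 0,
            "changes": 0, "last_ip": None, "observations": 0,
        })
        s["ips"].add(ip)
        # Group by /24 so addresses from one hosting block count once.
        s["prefixes"].add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        s["max_ttl"] = max(s["max_ttl"], ttl)
        # Count how often consecutive answers for the same name differ.
        if s["last_ip"] is not None and s["last_ip"] != ip:
            s["changes"] += 1
        s["last_ip"] = ip
        s["observations"] += 1
    return stats


def flux_score(s):
    """Score 0..3: one point per fast-flux signal that is present."""
    score = 0
    if len(s["ips"]) >= MIN_DISTINCT_IPS:
        score += 1
    if len(s["prefixes"]) >= MIN_DISTINCT_PREFIXES:
        score += 1
    if s["max_ttl"] <= MAX_TTL:
        score += 1
    return score


def find_fast_flux(text, min_score=3):
    """Return the sorted list of domains whose score reaches min_score."""
    stats = summarize(parse_log(text))
    return sorted(d for d, s in stats.items() if flux_score(s) >= min_score)


if __name__ == "__main__":
    for domain, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: ips={len(s['ips'])} prefixes={len(s['prefixes'])} "
              f"max_ttl={s['max_ttl']} changes={s['changes']} score={flux_score(s)}")
    print("fast-flux candidates:", find_fast_flux(SAMPLE_LOG))
```

Requiring all three signals is deliberate: a content delivery network will also hand out short TTLs and rotate among a few addresses, but its pool normally sits in one or two of its own network blocks, which is why the constructed CDN-style name above scores zero while the flux-style name scores three. In practice the /24 grouping would be replaced by ASN lookup and the window extended to hours, since a real pool of thousands of infected PCs only becomes visible over many resolutions.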
The botnet appears to have been spawned with an initial malware campaign that was launched in April. Its first week saw more than 35,000 infections. Several smaller campaigns were responsible for the remainder of the botnet's 55,000 victims. The malware uses at least four variants of the latest Zeus crimeware kit, which allows well-financed criminals to deploy highly sophisticated botnets in a hurry.
AVG's discovery is only the latest time that researchers have been able to penetrate a rogue network built on the back of Zeus. Earlier this year, researchers with a separate firm got inside a network that had compromised more than 74,000 machines from at least 2,500 companies, many of which were Fortune 500 firms.
Both botnets were adept at stealing highly sensitive personal details from the PCs they compromised. The stolen data includes login credentials for online banking, retail, and email accounts, and for social-networking sites.
A PDF of AVG's report is here. ®
What exactly are you suggesting should be done
I see a lot of handwringing and "think of the children" style proclamations but absolutely nothing of substance.
This is the sort of empty "motherhood statement" that is so beloved of our politicians, full of noble intent but devoid of content.
And yes, I am currently being subjected to the lamest election campaign that I can remember between two utterly vacuous candidates with absolutely nothing important to say and nothing inspiring to offer.
Diversity is NOT security through obscurity, not even close. Diversity doesn't hide possible exploit routes and hope that nobody finds them - it limits the damage that any one exploit can do.
If an organisation runs all of its boxes on one OS (doesn't matter whether it's Win, Lin, HPUX or whatever) then one exploit can move throughout their entire network. If you have 5 OSes then one exploit will likely not be able to affect all 5 OSes. It's not necessarily impossible, but the work involved would outweigh the benefits unless you're talking about targeted industrial/state espionage.
Your argument that you can find 55k vulnerable OSes has *some* merit but not as much as you think. The fact is the bot only found 55k vulnerable Win installations. If 10k of those boxes had another OS on them the botnet size would be 45k, because regardless of the millions of other Win boxes out there they were never subject to the bot, were they?
Diversification is not a magic bullet that stops all exploits, but it helps mitigate the damage that they can cause. Arguing that because it isn't perfect means it has no value is like arguing for the cessation of immunisation because it doesn't protect against all diseases. You fix what you can...
The revolution will not be tweeted
The revolution will be no re-run brother
The revolution will be live
And after the revolution, everybody will wander about wondering what to do without telecomms, power, 24 hour tesco metro and other such things like money and law and order that keep us safe in our beds at night*.
*your safety in bed at night may vary, I'm talking on average here.