Feeds

Crooks rent out TDSS/TDL-4 botnet to the clueless

Mercenary zombies for hire to dumbed-down Baron Samedis

The Power of One eBook: Top reasons to choose HP BladeSystem

Cybercrooks have set up a web store that offers rented access to compromised machines on the TDSS/TDL-4 botnet.

The latest version of the TDSS botnet agent bundles a component that turns compromised machines into a proxy connected to awmproxy.net.

AWMproxy - which purportedly accepts payment via PayPal, MasterCard, and Visa - charges between $3 per day to $300 a week to would-be Baron Samedis who don't have the nous to acquire their own zombies. The site even offers a Firefox add-on to customers, further dumbing down the process.

Applications including surfing the net anonymously with someone else's IP address or launching cyber attacks, according to security blogger Bryan Krebs. Owners of infected systems used to send threats or view images of child abuse could find themselves in legal hot water.

TDSS/TDL-4 is one of the most sophisticated botnets to date. The malware behind the bot uses rootlet techniques to disguise its presence on infected systems.

Krebs did some digging on the public storefront behind the TDSS/TDL-4 bonnet. Google Analytics code embedded in the storefront homepage allowed Krebs to find sites with the same code. AWMProxy was established in February 2008 using the email adds addressfizot@mail.ru, the same email address used to set up other hostile sites including pornxplayer.com and fizot.com.

The now defunct fizot.com was registered by Galdziev Chingiz of St Petersburg, Russia. Krebs found the fizot@mail.ru address was linked with a LiveJournal blog that discusses such matters as life in St Petersburg, earning megabucks and owning a Porsche sports car with a license plate number that includes the Number of the Beast: "666". Fizot also maintained a YouTube channel that shows a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming around a shopping mall parking lot.

Krebs concludes that although Chingiz may only be "tangentially related" to whoever set up the TDSS storefront he's likely to know more about the main parties behind the operation. In apparent response to Krebs' digging, Fizot deleted nearly all of the posts on his LiveJournal account and the YouTube videos. The solitary entry in the LiveJournal blog claims he sold the AWMproxy service some time ago, without providing any details.

Soon after publishing the article last week Krebs' site and that of his service provider came under denial of service attack. The security blogger suspects resources on the TDSS/TDL-4 bonnet were used to launch the attack but this remains unconfirmed. Krebs' site has since been returned to normal operations. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.