Carey, Steve T GARRISON wrote:
> Overnight we have seen an increase from 16 IP addresses to around 230 IP
> addresses sending out the same pop-up message.
>
> Any chance that a spammer has a 'new' worm that propagates their pop-up, along
> with a compromise?
>
> Steve
Well, as all we see are more IP addresses, my bet would be that however
these machines were compromised, they _are_ indeed compromised. I don't
think there is another answer.
The spammer(s) got him/herself a brand new drone army! WooHoo!
These past few years we're seeing an increase in malware writing as well
as in sophistication. Organized crime and spammers both understand the
potential of drone armies and are making a move on the field. We are not
dealing with bored kids anymore.
Just a couple of weeks ago a drone army constructed of *nix boxes was
brought to my attention (this still happens at times, although not as
often as prior to 1996; it's mostly Windows boxes nowadays). The
interesting thing was that instead of mostly broadband users, most
compromised machines had "secure" in their hosts, as in domains with
names of the sort: secureserver.whatever or securedhost.whatever. Secure
hosting providers, and similar.
I moved it along to a CERT/CC contact at the time, but heck, there are
millions of drones out there at any given moment. Some armies cease to
exist due to some good work by a select few, but the point is, more
always show up.
If anything, I expect this trend to grow even further in coming years.
Gadi Evron.
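The symptom Steve reports (the same pop-up text suddenly arriving from many more source addresses) is something a defender can watch for mechanically rather than by eye. The script below is an added example and not code from either message in this thread: it groups messages by a normalised content hash, counts distinct source IPs per 24-hour window, and flags any message whose sender count jumps by a large factor. The log line format (`<ISO timestamp> <source IP> <message text>`), the thresholds and the sample traffic are all assumptions constructed for the example.

```python
"""Flag a jump in distinct source IPs emitting the same message.

Added example, not from the original posts. The log format
("<ISO timestamp> <source IP> <message text>"), the thresholds and the
sample traffic below are assumptions constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, source_ip, message), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, msg = m.groups()
    try:
        return datetime.fromisoformat(ts), ip, msg
    except ValueError:
        return None


def message_key(msg):
    """Short hash of a normalised message, so case and whitespace variations
    of the same pop-up text are grouped together."""
    norm = " ".join(msg.lower().split())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def distinct_senders(lines, window=timedelta(hours=24)):
    """Build message key -> window start -> set of distinct source IPs."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparsable input rather than crash on it
        ts, ip, msg = parsed
        # Bucket the timestamp into fixed-size windows counted from the epoch.
        bucket = EPOCH + ((ts - EPOCH) // window) * window
        table[message_key(msg)][bucket].add(ip)
    return table


def flag_spikes(table, min_senders=10, growth=5.0):
    """Return (key, prev_window, prev_count, cur_window, cur_count) for every
    message whose distinct-sender count grew by `growth`x between consecutive
    windows and reached at least `min_senders`."""
    alerts = []
    for key, windows in table.items():
        ordered = sorted(windows)
        for prev, cur in zip(ordered, ordered[1:]):
            before, after = len(windows[prev]), len(windows[cur])
            if after >= min_senders and after >= growth * max(before, 1):
                alerts.append((key, prev, before, cur, after))
    return alerts


POPUP = "Your PC is infected! Visit example.invalid to clean it"
NOISE = "Printer job completed"


def build_sample_log():
    """Constructed sample traffic: 4 hosts send the pop-up on day one and 24
    on day two (a small-scale version of the 16 -> ~230 jump in the thread),
    while a benign message comes from the same two hosts each day."""
    lines = [f"2004-08-01T21:{i:02d}:00 192.0.2.{i + 1} {POPUP}" for i in range(4)]
    lines += [f"2004-08-02T03:{i:02d}:00 198.51.100.{i + 1} {POPUP}" for i in range(24)]
    for day in ("2004-08-01", "2004-08-02"):
        lines += [f"{day}T12:00:00 203.0.113.{i} {NOISE}" for i in (1, 2)]
    lines.append("not a log line")  # exercises the parser's malformed-input path
    return lines


if __name__ == "__main__":
    for key, prev, before, cur, after in flag_spikes(distinct_senders(build_sample_log())):
        print(f"message {key}: {before} senders in window {prev:%Y-%m-%d} -> "
              f"{after} senders in window {cur:%Y-%m-%d}")
```

The growth factor matters more than the absolute count: a message that two hundred hosts have always sent is background, while one that goes from a handful of senders to dozens in one window is the drone-army pattern Gadi describes. Feeding real mail or proxy logs in only requires adapting `parse_line` to the local format.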
________________________________________________________
And by
Gadi Evron,
Senior Security Consultant
Central Bureau of Statistics, Israel:
[For the list of the most used Trojan horses in drone armies for June/July,
2004, please skip to the end of this email message.]
I figured a list of this nature once in a while (maybe quarterly or monthly
depending on the changing threats) can be useful to some administrators who
wish to actively combat drone armies and/or to inform them as to what they
can expect, capabilities-wise, when planning the defense of their networks.
The information is gathered from the relevant professionals in several
networks who actively follow and combat this threat. In no way do I take any
credit for it (beyond admitting to writing it down under my name and
vouching for the details).
Most of the Trojan horses used for infecting users and creating drone armies
the past year are sd/phat/rbot variants.
Sdbots have spawned numerous variants and were separated into new groups of
malware which in turn were further separated into new groups. Agobots,
Phatbots, etc.
Agobots are most likely to reach and move beyond the three-letter count
(Agobot.ABC).
It's (kind of) a new world, the world of open-source malware. It's been
going on for a while, but there are now over a thousand new variants a month
for different Trojan malware (mostly Trojan horses). The numbers speak for
themselves. These are not lonely cases; this is a "code a virus" opportunity
for the masses, usually with tech support.
It's always funny to me how some in the AV industry would at times hype new
worms or new barely different variations of worms, in the media, while
ignoring drone armies almost completely.
Just in recent months, in many cases due to me making weird noises, we
started hearing about drone armies.
Over time, a drone army can reach hundreds of thousands of infected drones
in size, and new armies/drones are created daily. There are a lot more than
just a few drone armies out there, and the Trojan horses used change
constantly.
The basic threat is DDoS from a few thousand Cable/DSL users (simple
DDoS, gang blackmail) and it grows all the way to big words such as
espionage and the fabled hype which may perhaps one day turn true: "the
death of the Internet". We've had a few close calls (African router, DDoS
on backbone).
Usually though, the goal of these drone armies is simple: SPAM.
Trojan horses used in drone armies and Trojan horses installed on "lonely"
infected machines far outnumber the number of infected users from _most_
worms.
The main _spread_ of any worm is usually in the first hours to days of its
creation and release to "the wild". Worms continue to spread over the
Internet for years and there are always infected users who have them. Unlike
worms, most of these Trojan horses remain _over time_ undisturbed, in huge,
exponentially increasing numbers.
The (specific) Trojan horses most used as bots in drone armies for
June/July, 2004, are:
1. Korgobots:
Use in drone armies: _everywhere_.
[For example: Korgobot is a variation of Rbot, which in turn was a
stripped-down version of Phatbot, which in turn is a variation of Agobot,
which in turn is a variation of SDbot (KWbot).]
2. dfgbots:
Use in drone armies: huge.
3. Optix Pro:
Use in drone armies: wide-spread.
[Important: Optix Pro is an mIRC (IRC client for Windows) script. People
download this thing from an official web site. A checksum for
"verification" is available. Cute ancient trick. Originally most
infections were in Australia.]
4. Memory bots:
Use in drone armies: wide-spread.
As an after-thought, I'd like to officially announce the long-awaited end of
the Girlbots plague. There are still huge Girlbots drone armies out there,
but the balance is shifting and they are seen far less often.
You can Google each of these Trojan horses for details. Feel free to contact
me for help with anything using my home email address.
Contributions? Corrections? Mistakes? Please email me.
--
Gadi Evron,
Senior Security Consultant
Central Bureau of Statistics, Israel.