<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AndrewSaysHello.com &#187; ddos</title>
	<atom:link href="http://www.andrewsayshello.com/tag/ddos/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.andrewsayshello.com</link>
	<description>Andrew&#039;s Website for Lots-o-Fun and Junk!</description>
	<lastBuildDate>Wed, 24 Aug 2011 19:20:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Malware Writers Are Now Renting Out Botnets!</title>
		<link>http://www.andrewsayshello.com/technology/malware-writers-are-now-renting-out-botnets/</link>
		<comments>http://www.andrewsayshello.com/technology/malware-writers-are-now-renting-out-botnets/#comments</comments>
		<pubDate>Tue, 01 Jun 2010 14:36:47 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[fake antivirus]]></category>
		<category><![CDATA[for sale]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[rent]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>
		<category><![CDATA[zombie]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1255</guid>
		<description><![CDATA[Have you got $67 burning a hole in your pocket? Then you can rent a botnet for 24 hours to launch distributed denial of service (DDoS) attacks, sell fake antivirus software and relay spam to unsuspecting email users via millions of compromised &#8212; aka zombie &#8212; PCs. Or if you only need an hour, that’s [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1256" class="wp-caption alignright" style="width: 310px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/06/malware.gif" rel="lightbox[1255]"><img class="size-full wp-image-1256 " title="malware" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/06/malware.gif" alt="" width="300" height="380" /></a><p class="wp-caption-text">Is your computer secure?</p></div>
<p>Have you got $67 burning a hole in your pocket? Then you can rent a botnet for 24 hours to launch distributed denial of service (DDoS) attacks, sell fake antivirus software and relay spam to unsuspecting email users via millions of compromised &#8212; aka zombie &#8212; PCs. Or if you only need an hour, that’s just $9.</p>
<p>Those findings come from iDefense VeriSign’s security intelligence service, which studied 25 black market botnet offerings. Based on the company’s research, botnets are becoming increasingly commoditized, with sellers freely hawking their wares via online forums and banner advertising.</p>
<p>“Organizations need to be wary of the fact that their critical online applications or services could be taken down in under a day by a criminal renting services from bot herders,” said Rick Howard, director of intelligence at iDefense, in a statement.</p>
<p>Unfortunately, the easy access to botnets, as well as the emergence of more automated botnet software, has lowered the botnet barrier to entry for less technologically inclined or well-connected criminals.</p>
<p>In March, for example, Spanish police arrested the three alleged masterminds behind the Mariposa botnet, which ran undetected for six months, compromising more than 12 million PCs, many at blue-chip firms and banks.</p>
<blockquote><p>“Our preliminary analysis indicates that the botmasters did not have advanced hacking skills,” Pedro Bustamante, senior research adviser with Panda Security, told the Guardian. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”</p></blockquote>
<p>Mariposa may now be defunct, but one of the most well-known botnet tools, Zeus, is still alive and well. According to a recent report from managed security services provider SecureWorks, “Zeus is sold in the criminal underground as a kit for around $3,000-4,000, and is likely the one malware most utilized by criminals specializing in financial fraud.”</p>
<p>Customize Zeus with numerous add-ons: virtual networking to take over an infected PC ($10,000), an upgrade for attacking Windows 7 or Vista ($2,000), Jabber IM broadcasting to receive stolen data in real time ($500), a Firefox form grabber ($2,000) and a back-connect module for making financial transactions from an infected PC ($1,500). Interestingly, the Zeus application also includes sophisticated anti-piracy features.</p>
<p>If the going rate for renting a botnet or buying the right software seems steep, antivirus vendor Sunbelt recently said that it’s been tracking a Twitter-controlled botnet that can be used to launch DDoS attacks. Dubbed TwitterNET Builder, the tool &#8212; available at no charge &#8212; lets an attacker simply enter a Twitter username and hit “build” to generate the required malware.</p>
<p>Thankfully, the tool’s reliance on public Twitter commands for control means that attackers get what they pay for. “We’ve notified Twitter about this bot creation system, and they’re looking into it,” said Boyd. In other words, don’t try this at home.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/malware-writers-are-now-renting-out-botnets/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Botnet Floods Major Websites With Fake SSL Connections!</title>
		<link>http://www.andrewsayshello.com/technology/botnet-floods-major-websites-with-fake-ssl-connections/</link>
		<comments>http://www.andrewsayshello.com/technology/botnet-floods-major-websites-with-fake-ssl-connections/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 20:52:48 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[chase]]></category>
		<category><![CDATA[chrome]]></category>
		<category><![CDATA[cia]]></category>
		<category><![CDATA[cutwail]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[flood]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mozilla]]></category>
		<category><![CDATA[pandex]]></category>
		<category><![CDATA[sans]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=944</guid>
		<description><![CDATA[A spamming botnet known for keeping a low profile has been hammering hundreds of Websites &#8212; including the CIA, Chase, Mozilla Labs, Twitter, SANS, Google Chrome, and the FBI &#8212; during the past week with an unusually conspicuous amount of phony traffic that has researchers rushing to analyze its next move. The Pushdo botnet, a.k.a. [...]]]></description>
			<content:encoded><![CDATA[<p>A spamming botnet known for keeping a low profile has been hammering hundreds of Websites &#8212; including the CIA, Chase, Mozilla Labs, Twitter, SANS, Google Chrome, and the FBI &#8212; during the past week with an unusually conspicuous amount of phony traffic that has researchers rushing to analyze its next move.</p>
<p>The Pushdo botnet, a.k.a. &#8220;Cutwail&#8221; and &#8220;Pandex,&#8221; has been flooding those sites with bogus SSL connections that stop short of requesting anything from the Website. The infected bots begin to initiate an SSL connection with some &#8220;junk&#8221; traffic and then disconnect, according to The Shadowserver Foundation. Shadowserver and other researchers have been monitoring the activity, which increased traffic by several million hits across several hundred thousand IP addresses, according to Shadowserver.</p>
<p>The botnet hit the ZeusTracker Website, for example, with hundreds of thousands of different IP addresses within a 24-hour period. &#8220;This is a lot of bots generating a lot of traffic,&#8221; blogged Steven Adair, a researcher with Shadowserver. Recent code changes to Pushdo resulted in its bots generating the &#8220;junk&#8221; SSL connections to the 315 Websites, he said.</p>
<p>So what is Pushdo up to? Joe Stewart, director of malware research for Secureworks, says the botnet is making fake SSL connection attempts: Malformed packets cause the server to return an SSL negotiation error. &#8220;By adding the initial header of an SSL conversation, they may be attempting to avoid closer scrutiny by less vigilant inspection devices,&#8221; Stewart says. &#8220;And by sending a flurry of these connections to a number of legit &#8216;decoy&#8217; sites, it helps the Pushdo C&amp;C [command and control] traffic blend in and remain undetected in some cases,&#8221; he says.</p>
<p>It&#8217;s unclear thus far whether this is a test-run for phony SSL connections gone amuck that ended up exposing this Pushdo traffic, or something else. Stewart says it&#8217;s possible there could be more to the latest activity, such as the botnet&#8217;s rotating its target lists. &#8220;It&#8217;s hard to say,&#8221; he says.</p>
<p>Blending in has traditionally been Pushdo&#8217;s trademark: Although it&#8217;s one of the top five spamming botnets, it&#8217;s also one of the more under-the-radar botnets around. But this latest activity has researchers wondering how this massive surge of traffic, which resembles a distributed denial-of-service (DDoS) attack, would ultimately help its traffic blend in and become less detectable.</p>
<p>Shadowserver says the traffic is technically an attack, even though it doesn&#8217;t appear to be trying to knock the sites offline like a DDoS does. &#8220;We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn&#8217;t quite look like a DDoS either,&#8221; Adair says.</p>
<p>Secureworks&#8217; Stewart says he has witnessed botnets sending traffic via SSL or port 443, but this phony SSL connection attempt is a first. &#8220;The Pushdo C&amp;C protocol now also uses similar packets to encapsulate its encrypted/compressed phone-home requests,&#8221; he says. &#8220;Port 443 is commonly being used to proxy all kinds of non-SSL traffic by legit applications and bots alike, so it stands to reason that a heuristic one might look for suspicious or firewall-policy-violating traffic connections over port 443 that aren&#8217;t using SSL.&#8221;</p>
<p>The surge in traffic from Pushdo could cause problems for Websites that have limited bandwidth and typically get only a few hundred to a few thousand hits daily, Shadowserver says.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/botnet-floods-major-websites-with-fake-ssl-connections/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Used As Botnet Command Center!</title>
		<link>http://www.andrewsayshello.com/technology/twitter-used-as-botnet-command-center/</link>
		<comments>http://www.andrewsayshello.com/technology/twitter-used-as-botnet-command-center/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 13:56:29 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[jaiku]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=741</guid>
		<description><![CDATA[Twitter has been spammed, DDoS&#8217;ed, and knocked offline, and now it has been used as the command center for a botnet. A researcher who last week was looking for clues about the massive distributed denial-of-service (DDoS) attack on Twitter found a Twitter profile that was being used to send updates and malware to bots in an [...]]]></description>
			<content:encoded><![CDATA[<p>Twitter has been spammed, DDoS&#8217;ed, and knocked offline, and now it has been used as the command center for a botnet. A researcher who last week was looking for clues about the massive distributed denial-of-service (DDoS) attack on Twitter found a Twitter profile that was being used to send updates and malware to bots in an unrelated case of abuse of the site. &#8220;This is the first time I&#8217;ve seen in the wild botnet commands being pushed on Twitter &#8212; it won&#8217;t be the last,&#8221; says Jose Nazario, manager of security research for Arbor, who first spotted the botnet&#8217;s tweets. Nazario says there are probably other bot herders doing the same on Twitter.</p>
<p>&#8220;It looks like this guy is updating existing bots. I&#8217;ve seen and blogged malicious Twitter accounts in the past that spam links, using lures like &#8216;follow this band!&#8217; that link to malcode,&#8221; he says. But this is the first time Twitter has been used to send commands to bots, he says.</p>
<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2009/08/twitter-botnet.jpg" rel="lightbox[741]"><img class="aligncenter size-medium wp-image-743" title="twitter-botnet" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2009/08/twitter-botnet-300x284.jpg" alt="twitter-botnet" width="300" height="284" /></a></p>
<p>Nazario says Twitter has since disabled the profile, but he says the same user, &#8220;upda4t3,&#8221; also has an account on Google&#8217;s Jaiku, the search engine giant&#8217;s microblogging service akin to Twitter. Joe Stewart, director of malware research for SecureWorks, in his Twitter update today said he had found &#8220;a newer version of the Twitter Bancos botnet &#8212; this one uses another microblogging service as a backup C&amp;C [command and control].&#8221;</p>
<p>Botnet operators are always looking for ways to more stealthily communicate and update their victimized machines &#8212; some use peer-to-peer communications and HTTP to cover their tracks. Twitter is an ideal venue for them because it&#8217;s flexible, noisy with all of its communiques, and doesn&#8217;t have the anti-spam controls of other sites, Nazario says. And the anonymity of the URL shorteners also helps them send malicious links under cover, he says.</p>
<p>&#8220;They continue to innovate, and Twitter is likely to be yet another new channel to get updates out,&#8221; he says.</p>
<p>So far, the botnet seems to be all about stealing online banking information from bank customers in Brazil: Nazario found a couple hundred bots based in Brazil, but he says it&#8217;s difficult to get a real count. &#8220;To get that estimate, I went by who checked the update links on bit.ly [that] the bot was pushing via the Twitter updates,&#8221; Nazario says. &#8220;The malware came from somewhere else &#8212; we don&#8217;t know yet where. The Twitter status updates contain links to new downloads, more malware, and stuff to update and evade AV detection.&#8221;</p>
<p>Symantec researchers, meanwhile, are also <a href="http://www.symantec.com/connect/blogs/twittering-botnets" target="_blank">dissecting the malware</a> associated with the Twitter botnet. The Twitter status posts on the upda4t3 account were sending out new download links to malware that Symantec calls Downloader.Sninfs. The downloader reads a specific Twitter RSS feed once, according to Symantec. &#8220;The RSS feed is simply a text file similar to other RSS feeds found on other Internet sites. The RSS text file contains information as to where Downloader.Sninfs can find additional threats to download onto the compromised system. In this way the RSS file acts like a config file for the malware,&#8221; Symantec researcher Peter Coogan blogged. The malware downloaded by the Trojan is an existing Bancos password-stealing Trojan, according to Symantec, that poses as the interface at some Brazilian banks in order to steal passwords and other data off the victim&#8217;s computer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/twitter-used-as-botnet-command-center/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BBC Buys Its Own Botnet!</title>
		<link>http://www.andrewsayshello.com/technology/bbc-buys-its-own-botnet/</link>
		<comments>http://www.andrewsayshello.com/technology/bbc-buys-its-own-botnet/#comments</comments>
		<pubDate>Tue, 12 May 2009 13:52:03 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[bbc]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=516</guid>
		<description><![CDATA[The BBC has bought a 22,000 PC botnet to expose how easy it is to buy hijacked machines online. The Corporation&#8217;s Click programme claims it purchased the botnet after &#8220;visiting chatrooms on the internet&#8221;. The botnet was used to send out spam to two test email addresses created by the BBC, and then to simulate a denial-of-service [...]]]></description>
			<content:encoded><![CDATA[<p>The BBC has bought a 22,000 PC botnet to expose how easy it is to buy hijacked machines online. The Corporation&#8217;s Click programme claims it purchased the botnet after &#8220;visiting chatrooms on the internet&#8221;. The botnet was used to send out spam to two test email addresses created by the BBC, and then to simulate a denial-of-service attack on a security company&#8217;s back-up server.</p>
<p>The BBC claims it took only 60 machines bombarding the server with requests to knock over the dummy site. Despite hijacking real PCs, the BBC claims it&#8217;s done nothing illegal, because the exercise wasn&#8217;t done with criminal intent. The BBC says it&#8217;s warned the affected users their machines were infected and advised them on how to make their computers more secure. The programme makers also insist they didn&#8217;t access any personal data on the machines, although that does raise the question of how they managed to contact the owners of the infected PCs. The BBC was unable to comment at the time of publication.</p>
<p>The BBC didn&#8217;t reveal how much it paid for the botnet, although figures from experts suggest it was in the region of £5,000-£6,000.</p>
<p>&#8220;Computers from the US and the UK go for about $350 to $400 (£254-£290) for 1,000 [machines] because they&#8217;ve got much more financial details, like online banking passwords and credit card details,&#8221; McAfee security analyst, Greg Day, told the BBC.</p>
<p>With this type of purchase open to anyone who merely knows where to look, these types of botnets are basically available to anyone who is willing to dish out the cash, and once bought, the buyer can do whatever they please with them. So keep your computer safe and up-to-date so that, hopefully, it won&#8217;t become a part of something like this!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/bbc-buys-its-own-botnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Router Based Botnet On The Loose!</title>
		<link>http://www.andrewsayshello.com/technology/new-router-based-botnet-on-the-loose/</link>
		<comments>http://www.andrewsayshello.com/technology/new-router-based-botnet-on-the-loose/#comments</comments>
		<pubDate>Wed, 25 Mar 2009 17:09:27 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[router]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=416</guid>
		<description><![CDATA[Now not only your computer can become a zombie, but your router too. Researchers have discovered a botnet that uses home DSL devices to build out its army. It seems that just having good antivirus software running may no longer be enough, as strong passwords and up-to-date router firmware are even more [...]]]></description>
			<content:encoded><![CDATA[<p>Now not only your computer can become a zombie, but your router too. Researchers have discovered a botnet that uses home DSL devices to build out its army. It seems that just having good antivirus software running may no longer be enough, as strong passwords and up-to-date router firmware are even more important than ever before!</p>
<p>The so-called <a href="http://www.dronebl.org/blog/8" target="new">&#8220;psyb0t&#8221; malware</a> may be the first such code to go after home network devices, say researchers at <a href="http://www.dronebl.org/" target="new">DroneBL</a>, an organization that monitors abuse of infected machines. So far, somewhere around 100,000 devices have been infected, are being used to wage distributed denial-of-service (DDoS) attacks, and are stealing usernames and passwords, according to DroneBL. DroneBL first discovered the botnet after it hit the site with a DDoS attack. The botnet is IRC-based and had been studied earlier this year by another researcher, Terry Baume, who wrote a <a href="http://www.adam.com.au/bogaurd/PSYB0T.pdf" target="new">white paper</a> (PDF) detailing how embedded Linux devices with vulnerabilities, such as Netcomm&#8217;s NB5 ADSL modem, were being infected and recruited into a botnet.</p>
<p>Routers traditionally have been considered relatively immune to malware and attacks, and botnets traditionally use PCs and servers. &#8220;Malware is starting to use routers &#8212; in this case, still simple Linux boxes,&#8221; says Felix &#8220;FX&#8221; Lindner, a researcher with <a href="http://www.recurity-labs.com/" target="new">Recurity Labs</a>, who recently demonstrated how Cisco-router hacking isn&#8217;t as difficult as once thought. To be at risk of psyb0t infection, DroneBL researchers say a router must be Mipsel-Linux-based; have telnet, SSH, or Web-based interfaces available to the wide-area network; and have a weak username and password, or firmware daemons that are exploitable. &#8220;As such, 90 percent of the routers and modems participating in this botnet are participating due to user error (the user themselves or otherwise),&#8221; the researchers blogged. So far, here is a quick list of some of the things the worm can do:</p>
<ul>
<li>it is the first botnet worm to target routers and DSL modems</li>
<li>contains shellcode for many mipsel devices</li>
<li>it is not targeting PCs or servers</li>
<li>uses multiple strategies for exploitation, including brute-forcing username and password combinations</li>
<li>harvests usernames and passwords through deep packet inspection</li>
<li>can scan for exploitable phpMyAdmin and MySQL servers</li>
</ul>
<p>The router-based botnet is stealthy. &#8220;Most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away,&#8221; the researchers wrote. So now more than ever it is super important that people lock down their home and business networks with strong usernames and passwords, since there is now yet another type of malware infection spreading in the wild that no one wants to be a part of!</p>
<p>If you are worried that your router might be infected, simply power-cycle your device and take appropriate action to lock it down, including installing the latest firmware updates and using a secure password.</p>
<p>Here is a link to an article that talks more about this particular botnet and also goes into some good detail about how botnets work in general! Check it out <a href="http://www.linux-magazine.com/online/news/psyb0t_attacks_linux_routers_update" target="_blank">HERE</a>!</p>
<p><strong>** UPDATE:</strong> It seems as though the person behind this particular botnet has decided to shut it down (for now anyways). After doing some poking around, I was able to get into the IRC server and channel which was being used to control the botnet. In the topic, the &#8220;BotController&#8221; posted &#8220;.silent on .killall .exit ._exit_ .Research is over: for those interested i reached 80K. That was fun :) , time to get back to the real life&#8230;&#8221; Depending on whether this is true or not, this botnet could have been put to sleep for good&#8230; but when one person does it, there will always be more that follow with similar attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/new-router-based-botnet-on-the-loose/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

