A botnet is a network of infected computers under the control of hackers.

The firm said that closing the domains would mean that up to 90,000 PCs would stop receiving orders to send out spam.

A recent analysis by the firm found that between 3-21 December “approximately 651 million spam e-mails attributable to Waledac were directed to Hotmail accounts alone”. It said it was one of the 10 largest botnets in the US.

Machines in a botnet have usually been infected by a computer virus or worm. Typically, users do not know their machine has been hijacked.

Microsoft said that although it had effectively shut down the network, thousands of computers would still be infected with malware and advised people to run anti-virus software. The court order was part of what was called “Operation b49″.

Along with intelligence organisation Shadowserver, the University of Washington and security firm Symantec, Microsoft managed to get a court in Alexandria, Virginia, to force Verisign, which manages the .com domain, to temporarily switch off the domains.

Microsoft said it was the result of months of investigation and described it as a legal first.

“This action has quickly and effectively cut off traffic to Waledac at the .com or domain registry level, severing the connection between the command and control centres of the botnet and most of its thousands of zombie computers around the world.”

Post-Patch Tuesday reports of XP SP2 and SP3 users being unable to restart their systems after applying the new MS10-015 patch led Microsoft to suspend its automatic distribution of that patch while it investigated whether the patch itself was causing the problem. The director of Microsoft’s Security Response Center, Mike Reavey, said in a blog post today that the issue occurs when a system is infected with the so-called Alureon rootkit.

“The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015,” Reavey said. “Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.”

The finding syncs with what some security researchers concluded earlier in the week, after initial concerns that the patch itself was flawed.

Meanwhile, distribution of the MS10-015 patch is still on hold for some systems via Automatic Update until Microsoft comes up with a fix for the issue, which it says only affects 32-bit machines. Automatic Updates for 64-bit systems are now again pushing the MS10-015 patch, which fixes a bug in the Windows kernel.

“A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk,” Reavey said.

Microsoft is working on a “simpler solution” to detect and eradicate the rootkit from infected systems, which it plans to release in a few weeks, according to Reavey.

Setting a machine to “standard” rather than “administrator” account mode typically prevents kernel malware from infecting systems, he said, and keeps antivirus signatures up-to-date is also helpful.

In the last three months of 2009, about 1,095,000 computers in China were hacked, and 1,057,000 in the United States – this on top of the 10 million or so machines already infected in each country. An estimated $1 trillion in intellectual property was stolen worldwide in 2008 through hacking, McAfee estimated.

In China, hacked computers often are clustered into “botnets,” a.k.a. battalions of corrupted computers commandeered to attack websites and spew spam. The growing presence of botnets is yet another sign of network insecurity – already a huge concern for both business and government. The news comes just after China closed down Black Hawk Safety Net, the country’s biggest training website for hackers. The site signed up some 12,000 paying subscribers, providing them with both primers for cyberattack and Trojan software, which hackers use to illegally control computers. The report also comes after Secretary of State Hillary Rodham Clinton’s historic Jan. 21 speech on Internet freedom, where she announced: “An attack on one nation’s networks can be an attack on all.”

China produced 12 percent of the world’s botnet “zombies,” as they’re called. The U.S. was second on the list with 9.5 percent – down from the top spot (and 13.1 percent) in the previous quarter. The rest of the top five:Brazil, Russia, and Germany.

It’s not necessarily the Chinese themselves who are causing the problems. “Just because the attacks original from China doesn’t mean the people behind the attacks are Chinese or even physically in China,” Gideon Lenkey, founder of protection company Ra Security, told Internetevolution.com. ”China’s Internet is very closed off from the rest of the Internet so it’s a great position to attack from.”

Other findings from the report:

• A drop in spam: Levels dropped from a record 175 billion a day in the third quarter of 2009 to 135 billion, a 24 percent decline. Don’t get too excited – the “overall historical trend still points upward,” said the report. “Compared with the fourth quarter of 2008, volume is up 35 percent.”  For the record, there were about 135.5 billion spam emails sent every day in 2009, compared with 122 billion a day in 2008 and 76.5 billion a day in 2007. The U.S. is the world leader in spam production, but Brazil and India are fast catching up.

• Malware threats are on the rise, nearly doubling over the year. It was a “transformative and evolutionary year for computer threats,” the report said, with portable storage devices becoming a very popular target. This is partly because the hardware is so popular, but also because so many PCs use the Windows autorun feature – meaning no user action is required to become infected.

• Last year saw an increase in bogus  antivirus software that convinces web users their PC is infected and asks them to pay for equally bogus security software. Thanks to the growing popularity of Adobe applications, there also was a rise in attempts to exploit vulnerabilities in Flash and Acrobat reader.

Last month a report from McAfee and the Ce nter for Strategic and International Studies revealed a growing threat of cyberattack, with widespread attacks on critical systems.

AV-Test.org reports that MSE found and killed all 25 rootkits tossed its way during a test it conducted on the new software, which Microsoft rolled out on Tuesday. MSE basically replaces Microsoft’s subscription-based OneCare product, but focuses solely on anti-malware — detecting and removing viruses, spyware, rootkits, and Trojans. It doesn’t come with security “suite” functions, like a firewall, computer maintenance tasks, or backup.

AV-Test.org tested the new version 1.0.1611.0 with virus and spyware definitions 1.67.178.0 on Windows XP SP3, Vista SP2, and Windows 7. Rootkits traditionally have been the nemesis of many AV products. But Andreas Marx, CEO of AV-Test.org, says MSE’s 100 percent rootkit detection rate was “very impressive.”

MSE also detected all 3,700 samples of static malware, but the software was unable to detect new, unknown malware using dynamic, behavior-based detection. “None of the samples were detected based on their suspicious behavior,” Marx says. But, he says, other AV-only packages don’t include this dynamic detection feature, either. It’s usually only available in Internet security “suite” versions of the products, he says.

On XP, MSE found 98.44 percent of current samples of viruses, worms, Trojans, and bots, and 90.95 percent of adware and spyware. AV-Test.org found that MSE was able to remove all active malware components during the repair and cleanup phase, but in some cases residual pieces from the infections remained, such as inactive executable files and a disabled Windows firewall.

“The scan speed is quite OK when compared with other AV products. The scanner is not the fastest one, but also not the slowest available,” Marx says. He notes the test was a quick summary of some of the product’s features, and that the lab plans to conduct more in-depth testing and reviews of MSE. So this is early good news for Microsoft’s brand new product that is being put to the test. Only time will tell if it is able to keep up with the new threats that will target it and try to break through its defenses.

As reported in detail by Trend Micro researcher Rik Ferguson in the Counter Measures blog, the New York Times issued warnings through both Twitter and its website’s front page about malvertisements that trigger the display of a malicious pop-up window. The said pop-up window displays the typical fake antivirus warning indicating malware infection. This forces the affected user to purchase a full version of a rogue antivirus software. Of course, the reported infections are in reality nonexistent. The alarming messages are mere distractions to convince the user into giving away important information.

Not only is good money wasted on purchasing a useless software. Important information such as credit card details are also compromised and made available to cybercriminals.

Lately I have been personally seeing a ton of computers at work with this exact infection (Personal Antivirus). The odd thing I take from it is that it doesn’t usually bring along any other malware with it when it gets onto a system. From time to time I see this program on a system that is infected with a rootkit or other more vicious piece of malware, but for the most part, it seems to work alone and does nothing but want to get your money and credit card information.

So it would seem that the creators of this certain rogue security software don’t want to harm their victim’s computers why placing harmful trojans on the system with it, but merely to create an annoying piece of software that will bug you until you pay it to stop… or remove it with a program such as Spybot – Search and Destroy. So be careful out there… cause even well trusted websites seem to be getting hit with these types of breaches that can harm your computer!

April 1 came and went, and… nothing happened. Several days later, another variant appeared, but without the Internet ending (as some of the worst reporting would have led readers believe) most people believed that DOWNAD, as a major threat, was gone.

While it may no longer be as in the news at it was at its height, DOWNAD didn’t suddenly go away. Recent estimates from the Conficker Working Group place the number of unique IP addresses affected by the top 3 DOWNAD variants at well over 5 million. Even considering the group’s disclaimer of putting the number of actually infected systems at only 25-75% of that number, a minimum of 1.25 million infected systems is nothing to laugh at.

The Trend Micro World Virus Tracking Center (WTC) numbers bear this out as well. Almost 790,000 systems were found to be infected with DOWNAD variants in the first three months of the year. In the three succeeding months, that number was almost 1.9 million. Clearly, DOWNAD did not decide to quietly go away.

In addition, out of the public eye, DOWNAD went off and did something with all those infected systems: it went off and formed its own botnet. This was documentedin mid-April by Advanced Threat Researchers Paul Ferguson and Ivan Macalintal. The short version, however, is simpler: DOWNAD was used to create a botnet. These can be used for the usual range of threats: spam, Denial of Service attacks, spreading FAKEAV malware, and so on.

Like it or not, malware threats are part of what users have to deal with day in, day out. Like anything people deal with regularly, people become used to malware threats. What was once noteworthy and unusual becomes dull and ordinary. However, this in fact doesnotmake the threat any less dangerous. If anything, it can be argued that it makes the threat more dangerous, as users are more likely to be caught unaware of a threat that may not be something they’re looking out for.

In a very real way, threats like DOWNAD become part of the background noise that is a part of life on the Internet. While it may be unrealistic to expect individual users to keep in mind all threats, but good computing practices will help immensely. The most important one may be: keep your software up to date. This is particularly true for your operating system–a properly patched system would have been proof against most DOWNAD variants. Trend Micro users would have been protected via the Smart Protection Network, of course, but closing the underlying vulnerability would still have been essential.

The price of using your computer freely in today’s Internet may well be constant and unceasing vigilance.

When users visit one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code, the researchers say. The final landing page records the visitor’s IP address. When the site is visited for the first time, the user is directed to the exploit payload site. But if the user returns from the same IP address, he is simply directed to the benign site of Ask.com, the researchers report. This one-time download strategy may make the redirects less obvious and harder to detect, they say.

According to a spokesman, the labs first detected what appeared to be benign redirects embedded in compromised Web sites that sent users to Ask.com. “At that time, it seemed likely that hackers were looking to compromise as many sites as possible, getting their foot in the door before activating the campaign with a redirect to a malicious payload site,” he says. The attackers used polymorphic code to avoid detection in these early stages. Now the researchers understand that the malicious campaign actually began simultaneously with the Ask redirect, and the malicious payload site ninetoraq has been infecting users with malware.

Once the user’s computer has been redirected from a compromised site to ninetoraq, the site attempts multiple exploits through obfuscated code targeting vulnerabilities in MDAC, AOL SuperBuddy, Acrobat Reader, and QuickTime, the spokesman says. If it finds an open hole, it drops a malicious PDF file or a Trojan that is designed to steal the user’s information.

Most antivirus applications will not detect either one of these pieces of malicious code, Websense says. One of the exploits is detected by only three of the 41 most commonly used AV programs.

“The obfuscation code injected into these legitimate Web sites is somewhat random, but the deobfuscation algorithm is consistent amongst all the infections,” the researchers say. “The algorithm uses the JavaScript method ‘String.fromCharCode’ to convert a chunk of decimal values to a string. The string obtained after deobfuscation is an iFrame that eventually leads to an exploit site.”

The Websense researchers say the new attack is distinct from Gumblar or Beladen, two other injection attacks that have been redirecting users’ search queries in the past month. It is possible that the same hackers might be developing the different attacks, they say. So be careful when you are out there on the web, cause it seems the bad guys just keep thinking up new and more dangerous stuff everyday!

The compromised websites are operated mostly by smaller businesses and government agencies, and so far security researchers have been unable to identify a common component that is being targeted. That leaves everyone guessing that the sites were penetrated by sneaking key-logging programs onto the PCs of people who maintain the sites.

“It’s all that we can assume because there is no common injection amongst all these 40,000″ sites, Chenette explained. “The only other possible explanation is the website owners have basically had their FTP credentials or account credentials compromised.”

It remains unclear how many end users are being affected, however. Mary Landesman, a researcher at ScanSafe, said less than 0.03 percent of its customer base tried to visit a site infected by Beladen in the entire month of May. That compares with more than 37 percent of its customers trying to visit sites hit by another mass infection that goes by the name Gumblar. Like Beladen, it attempts to install malware on the PCs of people visiting affected sites.

But that doesn’t mean Beladen isn’t important. Beyond it’s demonstrated ability to sneak itself onto so many webservers, it’s also notable because the attack bears the hallmarks of Russian mobsters. Before users are redirected to beladen.net, they are taken to one or more other addresses such as googleanalytlcs.net (note that “analytlcs” is spelled with an l instead of an i), which are attack sites designed to appear connected to Google Analytics.

Those same sites have been used in the past by the cybercriminals known as the RBN, or Russian Business Network. The group is known for producing highly sophisticated malware and offering a network of highly reliable webservers and other infrastructure used to deliver potent attacks. It has largely stayed out of the public eye since being outed in a series of articles by The Washington Post. Beladen may be a sign that the RBN is taking a more active role again.

Beyond that, it’s clear the attackers have taken painstaking steps to ensure the stealth of Beladen. In addition to javascript that is put through multiple layers of obfuscation, the attackers have also covered their tracks by shunting victims through a series of intermediary servers before arriving finally at beladen.net. In an attempt to thwart researchers, the servers check the previous site visited to make sure visitors have been referred by compromised server. I first read about this infection Friday where it had hit about 30,000 sites. It’s ability to grow by a third in less than 72 hours is worth taking seriously.

Sadly, Websense has had little success reaching the owners of the compromised websites.

“Half of the websites that have email addresses listed don’t respond to any security notification,” researchers from Websense said. “Many users think they can throw up a website and that’s the end of the day. They have to be more responsible in understanding that they have to protect the users of that site and the content.”

Website owners who suspect they have been hacked should inspect the source code on the site’s front page. If there’s a block of strange-looking code that mysteriously showed up recently, there’s a decent chance it’s Beladen. So keep your antivirus software up-to-date because even websites that you frequent could have been infected without anyone knowing. The only good thing with this type of infection growing, is that the security companies that produce antivirus software will respond quickly and have ways in their software to keep you safe.

Many people think that as long as they have their antivirus software updated and running while they surf is enough to keep them safe. While this was true a couple years ago, much of the malware causing problems today has found ways to trick the user into getting around their antivirus software and infecting the system. Once it gets into the system, 9 times out of 10 it is usually too late for your antivirus software to help you.

Even though the good guys are constantly changing their strategies to try and stop the malware from effecting their users, the most common case is that the bad guys are constantly changing their ways as well to get around the good guys. Internet Explorer is usually the most targeted browser of choice simply because since it comes with Windows by default, by exploiting that, you have the greatest chance to actually succeed by infected users. This has resulted in a higher demand for alternate and more safe browsers to take its place.

Today, Mozilla’s Firefox is the most popular browser that users pick to replace Internet Explorer. One of the main reasons for this is the fact that you can add “extensions” to the browser to help keep unwanted websites from messing with your computer. Below is a quick list of 10 very helpful extensions you can add on to Firefox to help making your web browsing more safe.

1. BetterPrivacy
2. BlockSite
3. Dr. Web Anti-virus
4. FormFox
5. Ghostery
6. Locationbar
7. NoScript
8. Password Hasher
9. QuickJava
10. Web of Trust

After looking over this list, I have to agree that these extensions do indeed help a great deal in keeping you better protected while browsing the internet. Even though it can’t keep you completely safe from everything, they do a fantastic job in keeping you safe from a good percent of the dangerous and just plain annoying things out on the internet. If you would like to read up more on these extensions, you can click HERE to read up on them and help you decide which ones you would like to use.

In this article I am going to shed a bit more light on a extremely fast and hard to detect piece of malware called a “Rootkit”. 

The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that surreptitiously granted root access. If an intruder could replace the standard administrative tools on a system with a rootkit, the modified tools would allow the intruder to maintain root access over the system while concealing these activities from the legitimate system administrator. 

This type of software (if you want to call it software) became more well known and understood in 2005 when Sony installed rootkits on its music CDs in order for enforce the DRM that came with the CDs. With these events making the rootkit well known to everyone, (even the hackers that write malware) this opened the doors for almost endless possiblities for more ways for these hackers to gain access to a user’s computer. 

A successfully-installed rootkit allows unauthorized users to maintain access as system administrators, and thus to take and keep full control of the “rootkitted” or “rooted” system. Most rootkits typically hide files, processes, network connections, blocks of memory, or Windows Registry entries from other programs used by system administrators to detect specially privileged accesses to computer system resources. However, a rootkit may masquerade as or be intertwined with other files, programs, or libraries with other purposes.

Lately though, it seems these rootkits are doing more than just opening doors for hackers to get into “rooted” computers. They like to help other malware in the disabling of the user’s antivirus software so it won’t try and clean up a growing infection as well to make it seem as though the antivirus program is still working how it should. Once this is complete it then will start to download tons of other malware onto the system to do anything from steal personal information or trick that user to buying a fake license for a “Rogue Security Application“. In other cases it will try and keep itself hidden and just hijack the computer to form a zombie machine to work as part of a botnet that sends out spam emails.

While these infections are harder to spot by the average user, the easiest way to notice that something is going wrong is usually just a few common symptoms. Usually the computer starts acting extremely slow as if it is doing a ton of computing, even if it isn’t doing anything you can see, or when the user tries to use the internet there are an unusual amount of popups that aren’t usually there for commonly visited sites. If you would like to scan your computer for this type of infection I suggest you download and run ComboFix.exe and let it do its thing. Even if it can not clean the infection it will let you know about them so you can take the needed actions to get it cleaned up ASAP! (note: if combofix will not load on your computer, then you are defiently infected with something dangerous as these types of malware commonly try to block it from running)

Last but not least… please always make sure your computer is up-to-date! It is pretty easy to do, so no one really has an excuse to not check it once a month or so as with an up-to-date system you are less likely to get infected! If you would like to make sure your system has all the latest patches from Mircosoft, all you need to do is click HERE (make sure you open the site in Internet Explorer) and follow the steps they give you on the website. Any questions feel free to leave a comment and I will help or answer your questions as best I can!

The belated updates were spotted by researchers for Trend Micro following the arrival of a new file in one of the directories in so-called “honeypot” machines deliberately seeded with Conficker C. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate. In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the C variant. Exact figures for the number of Conficker-infected machines are hard to determine, but the minimum is widely believed to be three million.

“The Conficker/Downad P2P communications is now running in full swing,” wrote Ivan Macalintal from Trend Research on the company’s security blog. Once it arrives on a machine, the package of data randomly checks one of five different websites – MySpace, MSN, eBay, CNN and AOL – to ensure its host still has net access and to confirm the current time and date. Following this check the data package removes all traces of its installation.

The strong encryption on the payload has, so far, prevented detailed analysis of what it actually does. However, security experts speculate that it is a “rootkit” that will bury itself deep in Windows in order to steal saleable data such as bank website login details. Security researchers are continuing to analyse the payload to get a better idea of what it is intended to do.

Symantec said it too had noticed the increased activity of Conficker and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely. The security firm noticed that the update also included an instruction to the worm to remove itself on 3 May, 2009. However, the Waledac imposed backdoor on the machine will remain open, so its creators can still control compromised PCs.