Bamital Botnet-Take Down by Microsoft and Symantec

A click-fraud malware was propagating widely and Symantec announced the takedown of the Bamital botnet in partnership with Microsoft to identify and shutdown the vital components of botnet.

Watch this to understand Bamital–The Clickjacking Trojan (Video) by Symantec

Bamital is a malware designed to hijack search engine results, redirecting clicks on these search results to an attacker controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections.

Bamital also intercepts web browser traffic and prevents access to certain security-related websites by modifying the Hosts file. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malicious software may make modifications to the Hosts file to redirect specified URLs to different IP addresses. Malware often modifies a computer's Hosts file to stop users from accessing websites associated with particular security-related applications (such as antivirus for example). Bamital variants may also modify certain legitimate Windows files in order to execute their payload. Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer (P2P) networks.

In case, if you reach to this page "https://malwarenotice.microsoft.com/" while searching for something else, you are likely infected by Bamital malware. Please read the instructions mentioned properly and act smartly to help yourself.

Many of the leading anti-malware tools available online can help clean this malware from your computer. Free malware removal tools:
Microsoft Safety Scanner - https://support.microsoft.com/botnets
Norton Power Eraser - https://www.norton.com/bamital


To read detailed analysis, please follow:
Symantec
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_bamital.pdf
http://www.symantec.com/security_response/writeup.jsp?docid=2010-070108-5941-99
http://www.symantec.com/connect/blogs/bamital-bites-dust

Microsoft
http://blogs.technet.com/b/serverandtools/archive/2013/02/07/microsoft-and-symantec-take-down-harmful-bamital-botnet.aspx
http://blogs.technet.com/b/security/archive/2013/02/06/b58-botnet-takedown-crushes-search-hijacking-and-click-fraud-scams.aspx
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBamital
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fBamital
http://blogs.technet.com/b/microsoft_blog/archive/2013/02/06/microsoft-and-symantec-take-down-bamital-botnet-that-hijacks-online-searches.aspx

Year 2038 problem

31st Dec 2036 is the last date for iPhones and Androids phone. No one will be able to see New year of 2037 on their phones. :-) Tested with my own Android device, I am not able to set dates beyond 31st December 2036. :-(
To read more, follow:
http://en.wikipedia.org/wiki/Year_2038_problem
http://www.f-secure.com/weblog/archives/00002489.html

Hackers exposed 1,000,001 Apple Devices UDIDs

Antisec shared a list of 1,000,001 Apple Devices UDIDs pulled from an FBI notebook [ hacking :) ]. System was hacked using an AtomicReferenceArray vulnerability in Java.




Original file NCFTA_iOS_devices_intel.csv contains a total data 12,367,232 iOS devices including UDIDs with user names, device name, device type, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

Antisec says "there you have. 1,000,001 Apple Devices UDIDs linking to their users and their APNS tokens.
the original file contained around 12,000,000 devices. we decided a million would be enough to release. we trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc."

Although the file is encrypted and availble over internet but decryption method is also listed on pastebin.

Lets see what is inside. :P

Read original post here:
http://pastebin.com/nfVT7b0Z

nj0y !!!  :-)

Spyware

Little info . . .

Achievement

Today I have cleared GREM, another milestone in my career after last year's GCIH.

Privileged to be one out of 573 round the globe.
http://www.giac.org/certified-professionals/directory/forensics

You can find my profile here:

GREM

http://www.giac.org/certified-professional/bhupendra-singh-awasya/127281

GCIH
http://www.giac.org/certified-professional/bhupendra-singh-awasya/123355



nj0y !!!

SpyEye V.1.3.4.X

A new crimeware toolkit emerged in underground economy in December 2009 named SpyEye. It took a chunk of Zeus crimeware toolkit space. Now after take down of Zeus and revealing of Zeus code, recently SpyEye guys introduced their new version "SpyEye V.1.3.4.X" incorporating Zeus in it.

Analysis done and published by TrendMicro lab, can be found in TrendLabs MalwareBlog.

To read more, follow:

http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/

http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/

http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

#@V3 $@F3 BR0W$!n9 !!!

nj0y !!!

Google search to find Compromised Google Images

Since few weeks, we heard about google image searches infected by Search Engine Optimization (SEO) poisoning. Many legitimate sites linked to scareware trojans and exploits via Google Image results are discovered every day. Many of these sites would otherwise be considered as safe but they've been compromised by a hack of some sort.

Do not search for inurl:wp-images unless you are using test network or use Google SSL as the poisoned SEO sites will only attack if visited from http://www.google.com.

Read more at f-secure

http://www.f-secure.com/weblog/archives/00002161.html

#@v3 $@f3 br0w$!n9 !!!

nj0y !!!