Anti-botnet operations

2010-11-01

Helen Martin

Virus Bulletin, UK
Editor: Helen Martin

Abstract

Partial success in the takedown of Bredolab; m00p gang member enters guilty plea.


Operating in collaboration with a number of online organizations, the Dutch National Crime Squad’s High Tech Crime Team seized 143 command and control servers of the Bredolab botnet last month.

Also involved in the takedown effort were a Dutch hosting provider, the Dutch Forensic Institute, security company Fox IT and GOVCERT.NL (the Dutch computer emergency response team). The investigation also led to the arrest by Armenian police of an individual suspected to have masterminded the botnet.

Despite the seizure of the command and control servers, a couple of command nodes were found to still be active a few days later, leading to suspicion that a second group of bot herders has begun to issue new instructions to the botnet. The Dutch authorities have indicated that their investigation of the botnet is ongoing.

Meanwhile, in the UK a joint operation between the Metropolitan Police and Finnish authorities culminated in a Scottish man pleading guilty last month to ‘causing unauthorized modification to the content of computers’ as part of his involvement in the m00p hacking group. The group infected tens of thousands of machines worldwide by sending malware attached to spam messages. Thirty-three-year-old Matthew Anderson’s role was in distributing millions of spam messages.

According to the Metropolitan Police, Anderson took control of the infected computers, on occasion activating their webcams to spy on their owners. During the investigation, screen grabs were found on Anderson’s computers taken from webcams as well as copies of private documents including wills, medical reports, CVs, password lists and private photographs.

Anderson was arrested in 2006 and will be sentenced later this month.

DC Bob Burls of the Police Central e-Crime Unit, who was involved in the m00p investigation, will be detailing what it is that makes botnets the Internet weapon of choice at the VB Seminar on 25 November in London. See http://www.virusbtn.com/seminar/ for details.

