Bad Week for Botnets

Two zombie networks infamous for stealing banking information and spewing spam were hit with a right-left combination last week by botnet fighters.

Using the power of the federal Racketeer Influenced and Corrupt Organizations (RICO) Act, Microsoft, along with organizations representing the financial services industry, took down two command-and-control servers running botnets based on Zeus, a malware family known for stealing the logins to banking accounts.

Meanwhile, Kaspersky Lab, Dell SecureWorks and other organizations squelched an attempt to revive the Kelihos botnet, which was one of the largest spam-spewing networks in the world before it was taken down last year.

Whac-a-Mole Game

Microsoft’s efforts are garnering praise, but the significance of the offensive is still questionable. That’s because Zeus is not a single botnet with one set of command-and-control servers that can be seized. It is a crimeware kit: anyone with the money to buy the software can stand up a botnet of their own, with its own servers and domains, so the Zeus ecosystem is made up of many independent botnets, and taking down two of them leaves the rest untouched.

“It’s like a whac-a-mole game right now, in which Microsoft can keep getting court orders and seizing servers, and taking control over domain names used for these botnets, but these guys can register new domains and buy new servers very easily,” observed Brett Stone-Gross, a senior security researcher at Dell SecureWorks.

“It’s like trying to take down an army of cockroaches,” said Avivah Litan, a security analyst with Gartner. “You can’t really get them all.”

Kelihos has no fixed command-and-control server either. Its bots find one another through peer-to-peer communication, trading lists of peer addresses, and that design is exactly what the bot battlers exploited to take over the network.

“We injected a fake peer entry list with an IP address under our control, so all bots connected to us and turned it into a centralized botnet connected to us,” Stone-Gross explained.

Once under the bot fighters’ control, the network was neutralized: every bot was reporting to a server that would never hand it a command.
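To make the peer-list poisoning described above concrete, here is an added toy simulation. It is not code from the researchers or from this article, and it makes several simplifying assumptions: each bot keeps its eight freshest peer entries (freshest first), asks its freshest peer for a list every round, and answers such requests with its own top four entries; the sinkhole answers every request with only its own address (a constructed RFC 5737 documentation address) and, having crawled the network, pushes its entry to a batch of bots each round. The point the simulation shows is why a single injected entry spreads: once a bot’s freshest peer is the sinkhole, every later exchange reinforces it, and bots that ask a captured bot for peers are captured in turn.

```python
"""Toy model of peer-list poisoning against a P2P botnet (constructed example)."""
import random

SINKHOLE = "203.0.113.10"   # assumption: sinkhole address, RFC 5737 documentation range
MAX_PEERS = 8               # assumption: each bot keeps only its 8 freshest peer entries


class Bot:
    def __init__(self, name, peers):
        self.name = name
        self.peers = list(peers)          # index 0 is the freshest entry

    def merge(self, offered):
        """Treat offered entries as freshest, keep the rest, drop the oldest."""
        merged = list(offered) + [p for p in self.peers if p not in offered]
        self.peers = merged[:MAX_PEERS]

    def answer(self):
        """Peer-list response handed to another bot: our four freshest entries."""
        return self.peers[:4]


def simulate(n_bots=200, rounds=30, injections_per_round=10, seed=7, sinkhole=SINKHOLE):
    """Run the gossip protocol with (or, if sinkhole is None, without) an attacker."""
    rng = random.Random(seed)
    names = [f"bot{i}" for i in range(n_bots)]
    # constructed starting state: every bot knows 8 random other bots
    bots = {n: Bot(n, rng.sample([m for m in names if m != n], MAX_PEERS)) for n in names}

    for _ in range(rounds):
        # gossip: every bot asks its freshest peer for a list and merges the answer
        for n in names:
            bot = bots[n]
            target = bot.peers[0]
            if target == sinkhole:
                offered = [sinkhole]          # the sinkhole only ever advertises itself
            else:
                offered = bots[target].answer()
            bot.merge(offered)
        # injection: the sinkhole operator, who has crawled the network and knows
        # the bots, pushes its own entry to a batch of them as the freshest peer
        if sinkhole is not None:
            for n in rng.sample(names, injections_per_round):
                bots[n].merge([sinkhole])
    return bots


def captured_fraction(bots, sinkhole=SINKHOLE):
    """Share of bots whose freshest peer is the sinkhole, i.e. who will talk to it next."""
    return sum(1 for b in bots.values() if b.peers[0] == sinkhole) / len(bots)


if __name__ == "__main__":
    print("captured after 30 rounds:", captured_fraction(simulate()))
    print("captured with no sinkhole:", captured_fraction(simulate(sinkhole=None), sinkhole=None))
```

Capture is an absorbing state in this model: a captured bot queries the sinkhole every round and is answered with the sinkhole again, so the captured fraction can only grow with more rounds. The real defense against this, which Kelihos lacked, is to authenticate peer-list updates so that an unsigned entry from a stranger cannot displace legitimate peers.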

Massive Card Breach

MasterCard and Visa have been alerting their members for more than a week about “a potential account data compromise event” at a U.S.-based entity.

Both companies revealed last Friday that they were investigating the breach after it was reported by security journalist Brian Krebs, who estimated that the breach could affect as many as 10 million credit card numbers.

MasterCard and Visa stated that the breach did not affect their systems.

Meanwhile, some 50,000 cardholders were at risk due to a breach affecting Global Payments, according to The Wall Street Journal.

A New York City taxi and parking garage company appears to be connected to the breach, according to Gartner Security Analyst Avivah Litan.

A Central American gang may be behind the breach, and they may have compromised an administrative account to do it, she added.

The credit card companies said they’ve turned the case over to federal law enforcement authorities for investigation.

Regulators Can Undermine Security

Government regulators are typically considered White Hats in the battle with cyber low-lifes, but a report released last week on information security threats fingered them as a source of data insecurity.

The culprit is government-ordained transparency, according to Steve Durbin, global vice president of the Information Security Forum, which produced the report, “Threat Horizon 2014: Managing Risks When Threats Collide.”

“The movement toward making organizations more transparent in disclosing security breaches, challenges and weaknesses will make organizations more vulnerable to attack because stating them makes them more obvious,” Durbin told TechNewsworld.

Privacy demands, while not weakening security directly, will force many businesses to reassess their markets rather than comply with regulatory demands, he added.

“Privacy will be distracting to other security efforts that are going on,” said Durbin. “Privacy requirements are going to be imposing a heavy compliance burden, forcing organizations to decide whether or not they’re going to invest in the necessary security to comply, or whether they’re going to exit certain markets because they’re not prepared to comply with some of these regulations.”

Breach Diary

March 25. LulzSec posted to the Internet information from 171,000 accounts of On March 29, the site claimed it found no evidence it was hacked. However, comparisons of the data posted to the Internet and information at the site show consistencies between the two.

March 25. Anonymous posted to the Internet more than 1,400 email addresses, many from Newfoundland and Labrador.

March 25. More than 2,000 names, email and postal addresses, and phone numbers of UK wholesaler Waveney Wholesale posted to the Internet by a hacker called “SONLCS.”

March 27. U.S. Federal Trade Commission announces settlement with RockYou for data breach in 2009 that exposed information on 32 million users to hackers. RockYou agreed to pay a US$250,000 civil fine as part of the terms of the settlement.

March 30. California Child Support Agency reports that backup cartridges containing records for 800,000 individuals were lost March 12 in transit from a facility in Colorado to California.

Calendar of Events

April 28-29. Drone Summit: Killing and Spying by Remote Control. Mount Vernon Place United Methodist Church, 900 Massachusetts Avenue NW, Washington, D.C. Sponsored by Reprieve and the Center for Constitutional Rights. $20-$100.

May 14-16. FS-ISAC & BITS Annual Summit. Turnberry Isle Resort and Club, 19999 West Country Club Drive, Miami. Sponsored by the Financial Services Information Sharing and Analysis Center. $1,250-$1,750. Registration deadline April 20.

John Mello is a freelance technology writer and former special correspondent for Government Security News.
