
"A new spambot hiding in its own traffic"


Westwind


Since we're seeing this problem, a bit of background for you.
 
These WordPress problems have caused my host for the Equilism forums to change our TOS several times, and they keep trying to crack down on customers that fail to keep WordPress upgraded.  The Equilism server was down for an extended time recently due to the problem.
 
Generally, visitors to these compromised WordPress sites get infected when they are using out of date software (like Windows XP) and anti-virus programs that are not updated.  Their computers are then part of the BotNet, and act according to commands they receive from a botnet server.
 
Here is a report of a new botnet from two days ago:
 
 

The smokescreen: a new spambot hiding in its own traffic

Feb 7, 2014 
 

CMS WordPress is in the spotlight again. Researchers detected another aggressive kind of malware that spreads from compromised sites running that popular CMS. At the moment, more than 200 infected sites are known.

Wigon.PH_44 is a spambot. Researchers have already found it to be a close relative (rather than a new version) of another infamous malware called Pushdo/Cutwail. A major spam botnet identified anonymously was first reported in 2007. By 2009, it had become the largest network of spammers with up to 51 million messages sent per minute, which was approximately equal to 46.5% of the total world spam traffic. In August 2010, researchers from several major universities knocked out 20 of the 30 control servers of Cutwail, but they did not manage to eliminate it completely. Therefore, it has kept on operating...

 

http://business.kaspersky.com/the-smokescreen-a-new-spambot-hiding-in-its-own-traffic/


And...there's a new Java botnet exploit as well.  Keep your Java up to date, they fixed this last June.

 

Once infected, a computer that has been compromised by the Java based malware - most likely through a malware hosting website - is pulled into a botnet and then controlled to launch distributed denial of service (DDoS) attacks against other websites to knock them offline.

Kaspersky detected this threat as HEUR:Backdoor.Java.Agent.a, while the infection vector is CVE-2013-2465, an integer overflow bug in Oracle Java SE 7 Update 21 and earlier, Java SE 6 Update 45 and earlier, Java SE 5.0 Update 45 and earlier, and OpenJDK 7.

"To make analysing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator," Kaspersky said in a blog post.

"In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class - which means that in order to decrypt all the strings in the application, you have to analyse all the classes in order to find the decryption keys."

 

 


Why do people make these?

 

There are a variety of reasons.  I also recently read an article about a botnet that will reside on your computer, and use it to "mine bitcoins".

 

Another reason is to use a large number of computers to perform a Denial of Service attack against target servers.  For example, a group like Anonymous could control a botnet and send it commands to engage in a DOS attack against...say, the United States Department of Defense.  


Java is evil...if you don't need it, uninstall it.  It's the bane of my existence at work...hard to keep up to date, and full of security holes.

 

Current Version is Java 7 Update 51, if you are behind either upgrade or uninstall it.  If you have Java 6, GET RID OF IT ASAP.


Generally speaking Java is cross platform so yes, it should be update 51 for pretty much everyone.

 

http://www.java.com/en/download/manual.jsp

 

That said, you're on Linux, so you may not be running Sun/Oracle Java RE, you might have the OpenJRE and I don't know what their current version is.  Or you might not have Java installed at all.

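The two posts above boil down to one check an admin can script: read the `java -version` banner from each machine, see whether it falls inside the CVE-2013-2465 ranges quoted earlier in the thread, and decide between "ok", "upgrade to 7u51", or "remove Java 6". This is an added example, not something from the thread or from Kaspersky; the version strings it parses are constructed samples, it only understands the 1.x banner format of that era, and the assumption that OpenJDK 7 builds follow the same update bound as Oracle's is marked in the code.

```python
import re

# Current release named in the thread: Java 7 Update 51.
CURRENT_JAVA = (7, 51)

# Affected ranges quoted for CVE-2013-2465: major -> last affected update.
# Assumption: OpenJDK 7 banners are judged by the same 7u21 bound.
CVE_2013_2465_MAX_AFFECTED = {5: 45, 6: 45, 7: 21}

# Matches banners such as: java version "1.7.0_51"  (1.x format only)
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def assess(banner):
    """Classify one machine's Java banner for the thread's two questions."""
    version = parse_java_version(banner)
    if version is None:
        return {"installed": False, "action": "none (no Java found)"}
    major, update = version
    bound = CVE_2013_2465_MAX_AFFECTED.get(major)
    findings = {
        "installed": True,
        "version": version,
        "cve_2013_2465": bound is not None and update <= bound,
    }
    if major < 7:                       # Java 6 and older: thread says remove it
        findings["action"] = "remove"
    elif version < CURRENT_JAVA:        # behind 7u51: upgrade
        findings["action"] = "upgrade"
    else:
        findings["action"] = "ok"
    return findings


# Constructed sample banners, as collected from an inventory run.
SAMPLE_BANNERS = [
    'java version "1.7.0_51"\nJava(TM) SE Runtime Environment (build 1.7.0_51-b13)',
    'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    'java version "1.7.0_21"\nOpenJDK Runtime Environment (IcedTea 2.3.9)',
    'bash: java: command not found',
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
```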

Another example

A “massive and concerted attack” has been launched by a bot system on numerous bitcoin exchanges, Andreas Antonopoulos has revealed.

 

This has led to popular exchange Bitstamp putting a temporary halt on all bitcoin withdrawals.

 

Antonopoulos, who is the chief security officer of Blockchain.info, said a DDoS attack is taking Bitcoin’s transaction malleability problem and applying it to many transactions in the network, simultaneously.

“So as transactions are being created, malformed/parallel transactions are also being created so as to create a fog of confusion over the entire network, which then affects almost every single implementation out there,” he added.

 
