This Week In Computer Security

This week saw a lot of activity on botnet control and disruption as several corporations struggled to disrupt or destroy major botnets and their command-and-control facilities. Botnets are responsible for some of the more incipient and insidious issues that the internet struggles with, including Distributed Denial of Service attacks (DDoS), email spam, and identity/banking theft which funnels millions of dollars to organized crime rings. In fact, this week a report which was released stated that 80% of digital crime may come from organized rings.

As usual, rumblings from the Anonymous underground have resulted in a few noteworthy items — most notably the remains of LulzSec breaching a US Military dating site and the upcoming “Operation Blackout”. The former is regarded with some cautious optimism in the Anonymous community while the latter is generally panned as a bad idea/impossible.

Zeus/Spyeye Botnet Taken Down, Creators Named:

Microsoft orchestrated the takedown and seizure of servers for two Zeus botnets this week, nabbing servers from datacenters in Pennsylvania and Illinois. Microsoft also file ‘John Doe’ lawsuits against the perpetrators behind the botnet, and (surprisingly) attempted to name several persons via their online pseudonyms as the creators of both Zeus and Spyeye (a zeus variant). These lawsuits were filed under the RICO and Computer Fraud and Abuse acts. As part of the operation, Microsoft took control of 800 domain names used to control computers inside of the botnets in order to ensure the infected computers will remain safely in the hands of security professionals.

Read More: http://securitywatch.pcmag.com/microsoft/295850-microsoft-s-botnet-takedowns-disrupt-zeus-operations

More Botnet Operator Woes:

CrowdStrike and Kaspersky Labs co-ordinated an attack on the Helihos-B botnet this week, attempting to disrupt the Facebook-distributed worm which was infecting over 100,000 computers. This infection level was after attempts to take it down six months ago, which seemed only to cause the owners of the botnet to work harder to increase the botnet with a new version to it’s recent levels.

Due to the peer-to-peer nature of the botnet, it is somewhat difficult to destroy or control except by infiltration of the peer-to-peer network, which is the approach that the task force took to try to sinkhole (steer to a location under task-force control) the botnet. This technique was combated by malware authors releasing a new version of their botnet to steer away the botnet back into owner hands, and is the reason why the botnet is still operating today despite the efforts of the task force.

Read more here: http://www.theregister.co.uk/2012/03/29/kelhios_bot_not_dead_yet/

Visa/Mastercard Payment Processor Breach:

Brian Krebs of Krebsonsecurity reports that last week non-public “alerts” wre sent to banks from Vias and Matercard warning about cards which may have been compromised in a credit card processor breach. 482 credit unions may have compromised members and over 56000 Visa and Mastercard accounts were compromised total. Of those, 876 accounts had fraudulent activity according to PSCU.

You may remember the Heartland Payment Processor breach a while back which involved over 130 million credit card thefts. Hopefully this breach won’t prove to be as severe but there have been no official announcements from Visa or Mastercard as of yet to confirm the breach or comment on the damage.

Read More: http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

LulzSec, Round 2:

LulzSec dumped nearly 108,000 account details from military dating site militarysingles.com on Sunday. The dump includes military email addresses and email addresses to some premiere US corporations such as microsoft. The passwords obtained from the dump could be used to infiltrate these emails which could post a secondary security risk (assuming the same passwords are used). In a funny twist, admins for the site initially denied being breached but were forced to backpedal when LulzSec members edited site pages to claim otherwise.
This is further proof that the LulzSec offshoot of Anonymous is still around and in functional operation. Expect to see more breaches in similar style (read: SQL injections/web-based attack vectors) from LulzSec and affiliated groups even with the absence of it’s upper-echelon.

Read More: http://www.informationweek.com/news/security/attacks/232700290

Original post