Puppy Linux Discussion Forum » Off-Topic Area » Security
The ‘indestructible’ botnet
aarf

Joined: 30 Aug 2007
Posts: 3620
Location: around the bend

Posted: Sun 03 Jul 2011, 18:11    Subject: The ‘indestructible’ botnet
Subtitle: TDL4_Top_Bot
 

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11125
Location: Arizona USA

Posted: Sun 03 Jul 2011, 22:58

Quote:
....The way in which the new version of TDL works hasn’t changed so much as how it is spread - via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.....

....Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

Why not Russia?
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

Posted: Mon 04 Jul 2011, 03:31

How can a curious person find out if his computer is affected?

Was it MS or some other big company, or who was it, that asked the European Union to set up some test where the ISP would only allow a computer access if the owner could show that it was run with the prescribed antivirus and router settings and so on? A kind of certification of every computer before allowing it to run at all on the internet.

Would that stop the indestructible botnet?

Telling 4 million users to look for viruses on their computers is not easy.
They will not trust the warning or advice, believing it to be a fake and that they got a spam message instead.

_________________
I use Google Search on Puppy Forum
not an ideal solution though
dru5k1


Joined: 11 Apr 2010
Posts: 72

Posted: Wed 13 Jul 2011, 06:09

nooby wrote:
How can a curious person find out if his computer is affected?


You can use f-prot or clamav (http://puppylinux.org/wikka/ClamAV); these are mainly for USB drives and suspect downloaded files (that you'll be sharing to someone's Windows computer) though, and maybe Windows HDDs.

Don't bother with rkhunter or chkrootkit on Puppy, because they don't work.
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

Posted: Wed 13 Jul 2011, 06:58

Yes, I tested one of these and they seem to give very many false positives.

I do have free antivirus on Windows but I never log in to Windows, so I guess they are a year old or something.

F-Prot, are they really known to have the latest malware detection?

I mean, more like what happened to you. AFAIK none of those warned you.

What you noticed was a slowdown and then he told you about it.
Had he not revealed that he did it, would you still be wondering what the slowdown was about?

dru5k1


Joined: 11 Apr 2010
Posts: 72

Posted: Wed 13 Jul 2011, 08:56

No - I knew 'straight away' something was happening - Puppy works FAST and almost never slows down.

OK, so clamav can have false positives; well, fprot (in the puppy-lucid repo, in the Puppy package manager) is said to have fewer, so you can try that (I'm assuming you are using 5.25; some earlier versions of Puppy I think have an fprot auto-installer, so if the Puppy community decided that fprot was to be included it just may be better, right?).

On topic: good read. Sophisticated stuff.
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

Posted: Wed 13 Jul 2011, 10:05

Thanks dru5k1, I am using Snow 5, which is based on many ideas but mainly on Lupu 513 I guess. But sure, I have 525 installed too, so I could test F-Prot on that one. Thanks for explaining how it works.