8/16/2009 6:59:00 PM

Hackers use Twitter to control botnets

by Mahran Amona

Security researcher Jose Nazario from Arbor Networks has discovered an account on Twitter that acted as a command-and-control (C&C) center for computers that are part of a botnet.

The Twitter account was used to post single lines of text which are in fact commands telling the bots to visit malicious Web sites and download or update information-stealing malware. The posted status messages look like gibberish because they are base64-encoded text strings.

The malicious bot and the downloaded malware involved in this botnet attack, however, are both detected and blocked by eSafe.
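The post describes status updates that are base64-encoded commands pointing bots at download URLs. The following added example (not code from the original post, and not Arbor's or eSafe's) shows a defender-side heuristic for such a feed: it flags only those statuses that are a whole base64 blob and that decode to printable text containing a URL, so ordinary chatter and harmless base64 strings are left alone. The sample feed is constructed here and uses `.invalid` hostnames.

```python
import base64
import re


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed sample feed (not real botnet traffic). Two entries are built by
# base64-encoding plausible command strings, mirroring the encoded status messages
# described in the post; the others must not be flagged.
SAMPLE_STATUSES = [
    _b64("update http://c2.example.invalid/pl.exe"),
    "just had coffee, great morning",
    _b64("visit http://dl.example.invalid/upd.bin http://dl2.example.invalid/upd.bin"),
    "aGVsbG8gd29ybGQ=",  # base64 of 'hello world': decodes cleanly but carries no URL
]

# A whole-status base64 blob: only the base64 alphabet plus optional '=' padding.
B64_STATUS = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_command(status: str):
    """Return (decoded_text, urls) if the status is a base64 blob that decodes to
    printable ASCII containing at least one URL, otherwise None."""
    token = status.strip()
    if not B64_STATUS.match(token) or len(token) % 4:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64, or not ASCII text once decoded
    urls = URL_RE.findall(decoded)
    if not decoded.isprintable() or not urls:
        return None
    return decoded, urls


def find_c2_statuses(statuses):
    """Return [(raw_status, decoded_text, urls)] for statuses that look like commands."""
    hits = []
    for status in statuses:
        result = decode_command(status)
        if result:
            hits.append((status, *result))
    return hits


if __name__ == "__main__":
    for raw, text, urls in find_c2_statuses(SAMPLE_STATUSES):
        print(f"suspect status {raw[:24]}... -> {text!r} urls={urls}")
```

The decoded URLs are the pivot a responder would block at the proxy or feed into retrospective log searches.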

Botnet herders are constantly searching for alternative channels that let them control their infected computers more stealthily and at lower cost than dedicated command-and-control servers. Some have used P2P, ICQ, or IRC, but this appears to be the first time Twitter has been used to direct botnet computers.

After having his account suspended on Twitter, this botnet herder tried other microblogging websites such as Jaiku and Tumblr, according to Jose Nazario.


Category: Hackers

7/14/2009 3:49:00 PM

A comprehensive look at botnet attack incident

by Rony Michaely

An official website of the Iranian government was compromised. A hidden IFrame tag was injected into the website; it retrieves an obfuscated malicious script that exploits multiple vulnerabilities. Visitors to the governmental website may end up with a Trojan downloader taking over their system.

During the last month we have been tracking a large botnet based on the El Fiesta toolkit. Computers that were forcibly joined to the botnet were exposed to information theft and were used for sending spam emails via live.com and via an internal SMTP engine installed by Trojan downloaders.


Image 1: The Iranian governmental website


Image 2: The Iranian governmental website page code compromised


Image 3: The obfuscated exploit page

Upon execution of the obfuscated code, the following vulnerabilities are exploited:

• Adobe Acrobat and Reader JBIG2 image stream buffer overflow
• Adobe Acrobat and Reader Multiple Arbitrary Code Execution
• NCTsoft NCTAudioFile2 ActiveX buffer overflow
• Microsoft 'msdds.dll' COM Object Heap Memory Vulnerability
• Microsoft Access Snapshot Viewer ActiveX
• MS Internet Explorer XML Parsing Buffer Overflow
• Microsoft Data Access Components (MDAC) remote code execution
• Microsoft Internet Explorer VML stack buffer overflow
• MS Internet Explorer WebViewFolderIcon remote code execution
• Firefox NoScript local exploit
• Firefox behavior vulnerability

Upon successful exploitation, Trojans are installed on the infected computer, making it part of the attacker's botnet, which is managed by the El Fiesta toolkit. During the past month we have observed half a million infected hosts controlled by this botnet server.


Image 4: El Fiesta toolkit exploits and overall infected hosts (part 1)


Image 5: El Fiesta toolkit exploits and overall infected hosts (part 2)


Image 6: Botnet Server statistics

Once our honeypot clients were controlled by the El Fiesta botnet, they were used for sending spam emails via live.com and via an internal SMTP engine installed by the bot Trojans. The spam email contents were supplied by another web server hosted in Ukraine.


Image 7: An infected client sending spam via a live.com mail account


Image 8: An infected client sending spam via the internal SMTP engine


Image 9: The spam web server supplies the spam email header and content to be sent by the Bot client

One of the Trojans installed by the botnet downloads a rogue anti-virus program called Guarddog 2009. The rogue website is hosted on the same server as the El Fiesta toolkit.


Image 10: The Trojan downloader code


Image 11: The rogue anti-virus program


Category: Hackers

7/10/2009 11:43:00 AM

Renewed DDoS attacks on US and South Korean websites

by Mahran Amona

North Korea is blamed for a series of massive DDoS (distributed denial-of-service) attacks on government and commercial websites in the US and South Korea.
These politically motivated attacks first began on Saturday, July 4, Independence Day in the US; following is a list of the US and South Korean websites targeted so far.

The latest cyber attacks remind us of the attacks against Georgian government websites last year during its conflict with Russia over South Ossetia (See our blog post).


Category: Hackers

2/15/2009 1:14:00 PM

Social networking threats - the "hacker" story

by Iftach Ian Amit

As the social networking threats angle is picking up a lot of traction lately <pat_on_own_back>, the folks at Netragard have posted a great write-up on using social networks as an attack tool, involving both social engineering and technical exploits. The post can be found here, and I just want to quote a couple of sections that I feel very strongly about:

“The social reconnaissance enabled us to identify 1402 employees, 906 of which used Facebook. We didn't read all 906 profiles but we did read around 200, which gave us sufficient information to create a fake employee profile” … “After the payload was created and tested we started the process of building an easy to trust Facebook profile. Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female. We found a fitting photograph by searching Google Images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee Facebook profiles.”

Needless to say, the newly created fake profile, which could just as well have been a hijacked one, went a long way toward enabling the attackers (who in this case were commissioned to perform a penetration test) to gain access to internal company resources quite easily.


Categories: Hackers | Online Fraud

2/5/2009 7:40:00 PM

The latest undetected malweb by RBN

by Rony Michaely

eSafe AID, the Attack Intelligence Datacenter, has recently discovered a new massive Web attack, operated by RBN, in which exploit code is injected into compromised legitimate websites. The injected obfuscated malicious script points to a remote obfuscated hidden IFrame that leads to yet another obfuscated exploit. The last stage of this multistage Web attack includes Adobe PDF and Windows Media Encoder exploit variants.

The attack stages:

The first obfuscated exploit code has a low detection rate among anti-virus vendors. eSafe detects the exploit as JS.Agent.au.

The obfuscated exploit code (screenshot):

VirusTotal results (screenshot):
The attack stages in brief:

1. A user visits a legitimate hacked website where an obfuscated script leads to other hacked websites.
2. The second stage hacked websites, located in Ukraine, contain obfuscated hidden IFrames that lead to the hacker’s server.
3. The obfuscated exploit code on the hacker's server contains Adobe PDF and Windows Media Encoder exploit variants.
4. Affected systems are automatically joined to a bot controller located in Luxembourg.

Tracking the footprints of these domains leads to the infamous RBN (hosting illegal sites, DDoS attacks, hacking, and pornography).
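Both this post and the El Fiesta incident above hinge on a hidden IFrame injected into a legitimate page (stages 1 and 2 of the chain). The following added example (not code from the original posts or from eSafe) is a small content-scanning check a web operator could run over their own pages: it reports IFrames that are sized 1x1 or smaller, styled invisible, or nested inside an element whose style hides it. The HTML is a constructed sample using `.invalid` hostnames, not the compromised site from the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate video embed plus two injected hidden IFrames.
SAMPLE_HTML = """<html><body>
<h1>Ministry news</h1><br>
<iframe src="http://video.example.invalid/embed" width="640" height="360"></iframe>
<iframe src="http://evil.example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://evil2.example.invalid/x.html"></iframe></div>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}  # never get an end tag


def _tiny(value) -> bool:
    """True for width/height attributes of 1px or less (a classic hidden-IFrame size)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # one bool per open ancestor: is it styled hidden?
        self.hits = []   # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny")
            if hidden:
                reasons.append("style-hidden")
            if any(self.stack):
                reasons.append("inside-hidden-element")
            if reasons:
                self.hits.append((a.get("src") or "", reasons))
        elif tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag != "iframe" and tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_iframes(html: str):
    """Return [(src, reasons)] for every IFrame that looks deliberately concealed."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits
```

Running it on a fresh copy of each published page and diffing the result against the previous run catches the injection even when the script it loads is obfuscated.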


Categories: Malweb | Hackers | eCrime