Experts from across the security industry collaborated this week to quarantine more than 110,000 Microsoft Windows PCs that were infected with the Khelios worm, a contagion that forces infected PCs to blast out junk email advertising rogue Internet pharmacies.

Most botnets are relatively fragile: If security experts or law enforcement agencies seize the Internet servers used to control the zombie network, the crime machine eventually implodes. But Khelios (a.k.a. “Kelihos”) was built to withstand such attacks, employing a peer-to-peer structure not unlike that used by popular music and file-sharing sites to avoid takedown by the entertainment industry.

Update, 11:07 a.m. ET: Multiple sources are now reporting that within hours of the Khelios.B takedown, Khelios.C was compiled and launched. It appears to be spreading via Facebook.

For the full article, see here.

The post Researchers clobber Khelios spam botnet appeared first on The Citizen Lab.

Twitter bots — zombie accounts that auto-follow and send junk tweets hawking questionable wares and services — can be an annoyance to anyone who has even a modest number of followers. But increasingly, Twitter bots are being used as a tool to suppress political dissent, as evidenced by an ongoing flood of meaningless tweets directed at hashtags popular for tracking Tibetan protesters who are taking a stand against Chinese rule.

It’s not clear how long ago the bogus tweet campaigns began, but Tibetan sympathizers say they recently noticed that several Twitter hashtags related to the conflict — including #tibet and #freetibet — are now so constantly inundated with junk tweets from apparently automated Twitter accounts that the hashtags have ceased to become a useful way to track the conflict.

For the full article, see here.

The post Twitter bots target Tibetan protests appeared first on The Citizen Lab.

Security firm Symantec has uncovered a massive botnet that may have lured millions of unwitting Android users into downloading malware infected apps from the official Google Android Market.

The Trojan, dubbed ‘Android.Counterclank‘ by Symantec, was packaged into at least 13 free games published by three different publishers on the official app download site. The following apps are known to be affected:

Published by iApps7 Inc:

Counter Elite Force
Counter Strike Ground Force
CounterStrike Hit Enemy
Heart Live Wallpaper
Hit Counter Terrorist
Stripper Touch Girl

(…)

For the full article, see here.

The post Millions caught up in Android botnet appeared first on The Citizen Lab.

In a surprise filing made late Monday, Microsoft said a former technical expert at a Russian antivirus firm was the person responsible for operating the Kelihos botnet, a global spam machine that Microsoft dismantled in a coordinated takedown last year.

In a post to the Official Microsoft Blog, the company identified 31-year-old Andrey N. Sabelnikov of St. Petersburg, Russia as responsible for the operations of the botnet. Microsoft’s amended complaint filed with the U.S. District Court for the Eastern District of Virginia states that Sabelnikov worked as a software engineer and project manager at a company that provided firewall, antivirus and security software.

Microsoft doesn’t specify where Sabelnikov worked, but according to Sabelnikov’s LinkedIn page, from 2005 to 2007 he was a senior system developer and project manager for Agnitum, a Russian antivirus firm based in St. Petersburg. One of the company’s most popular products is Outpost, a free firewall program. Sabelnikov’s profile says he most recently worked for a firm called Teknavo, which makes software for companies in the financial services sector.

For the full article, see here.

The post Worm operator worked at antivirus firm, says Microsoft appeared first on The Citizen Lab.

Microsoft this week provided an update to its ongoing investigation of the Kelihos botnet case and now alleges that a Russian citizen is responsible for the creation and operation of the botnet. The news comes on the heels of an October 2011 takedown of the botnet, which Microsoft says harmed thousands of victims worldwide.

“Microsoft alleges that Andrey N. Sabelnikov, a citizen of Russia, wrote the code for and either created or participated in creating the Kelihos malware,” a Microsoft representative told me late Monday night. “Additionally, the company alleges that he used the malware to control, operate, maintain, and grow the Kelihos botnet.”

Microsoft named this new defendant in an amendment to its civil lawsuit against those responsible for the botnet. He joins more than 20 other defendants in the case, though Mr. Sabelnikov has now been identified as the key player in the creation of the botnet. The accusation against Mr. Sabelnikov came about thanks to the cooperation of some previous defendants and new evidence, Microsoft says.

For the full article, see here.

The post Microsoft names creator of Kelihos botnet appeared first on The Citizen Lab.

It’s full disclosure time.

In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure — now offline or migrated to a different place — of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made – namely using his personal email for registering a domain parked within Koobface’s command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.

For the full article, see here.

The post Dancho Danchev exposes Koobface botnet master appeared first on The Citizen Lab.

A new Department of Homeland Security (DHS) and National Institute for Standards and Technology (NIST) effort to establish voluntary best practices for how ISPs should notify their customers whose machines are part of a botnet has met with some resistance from the service provider community.

The Messaging Anti-Abuse Working Group (MAAWG), which is made up of ISPs, email providers, and security vendors including AT&T, Cisco, McAfee, Facebook, and Verizon, sees the federal effort as unnecessary and redundant, and is balking at the idea of the government legislating how ISPs handle bot-infected customers. MAAWG issued its own set of best practices (PDF) two years ago for mitigating bots, and several ISPs today already have their own bot notification mechanisms in place, according to MAAWG.

“There is no need for mandated action in this area since the market is already moving forward. Many ISPs are already doing a great deal to combat the menace of bots and malware. All over the U.S., ISPs currently have notification systems in place to tell their users they are infected and — whether they deliver these warnings via email, phone, walled gardens, or inline warnings — the warnings are being delivered,” says Michael O’Reirdan, chairman of the MAAWG. “Other ISPs currently have pilot programs or technology development efforts in place, and there will be more deployments in the near future.”

For the full article, see here.

The post ISP backlash over bot notification initiative appeared first on The Citizen Lab.

The US government is looking at telling ISPs how to deal with compromised customers and botnets.

They’re a bit late to the party, though. Most of the major commercial ISPs have been implementing significant botnet controls for many years now. Control involves a number of different techniques, but notification has been designed into the system from day 1.

“There is no need for mandated action in this area since the market is already moving forward. Many ISPs are already doing a great deal to combat the menace of bots and malware. All over the U.S., ISPs currently have notification systems in place to tell their users they are infected and — whether they deliver these warnings via email, phone, walled gardens, or inline warnings — the warnings are being delivered,” says Michael O’Reirdan, chairman of the MAAWG. “Other ISPs currently have pilot programs or technology development efforts in place, and there will be more deployments in the near future.”

O’Reirdan says ISPs handled the spam battle on their own, and can also do so for battling bots. It has become a business issue for them, he says. “No one had to mandate anti-spam platforms: ISPs put them in place to deal with the menace of spam because, if they had not, they would have lost customers if customers’ mailboxes were overrun with spam. The same is happening with anti-bot platforms. It is becoming a ‘table stakes’ issue for ISPs, and legislating in this arena will merely lock the response of ISPs in stone to conform with the legislation rather than allow innovation and development to meet the rapidly varying nature of the bot challenge posed by the bad guys,” he says. —Kelly Jackson Higgins

The ISPs have taken a leadership position in the area of protecting consumers from botnets. This has been a major discussion point at MAAWG for years. Many ISPs have worked closely with vendors to create detection and notification systems to mitigate and clean botnet infections.

For the full article, see here.

The post U.S. government looking at telling ISPs how to deal with compromised customers and botnets appeared first on The Citizen Lab.

The event will mark the launch of the new U.S. Department of Commerce and U.S. Department of Homeland Security effort to promote the creation of a voluntary industry code of conduct to address the detection, notification, and mitigation of botnets. Over the past several years, botnets have increasingly put computer owners at risk. A botnet infection can lead to the monitoring of a consumer’s personal information and communication, and exploitation of that consumer’s computing power and Internet access. Networks of these compromised computers are often used to disseminate spam, to store and transfer illegal content, and to attack the servers of government and private entities with massive, distributed denial of service attacks. The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.

To read more about the event, see here.

The post CSIS event: ISP role in fighting malware appeared first on The Citizen Lab.

Microsoft grabbed headlines Wednesday with its report about the successful takedown of the Kelihos botnet, but while the company detailed the achievements of its Digital Crimes Unit, it failed to mention the major role security firm Kaspersky Lab played in the operation.

Microsoft’s Kelihos takedown announcement centered on the fact that its specialized team of lawyers succeeded in naming defendants in a botnet-related federal court complaint for the first time — such cases usually involve unknown parties.

The named defendants were Alexander Piatti and his Czech-based company dotFREE Group SRO, which operated an SLD (second-level domain) registration service in the .cz.cc name space. This service was abused by the botnet’s operators to set up hosts for their control infrastructure. A temporary restraining order was obtained by the Digital Crimes Unit in the U.S. District Court for the Eastern District of Virginia, forcing VeriSign to suspend the cz.cc domain.

To read the full article, click here.

The post Microsoft fails to credit Kelihos takedown partner appeared first on The Citizen Lab.