Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/28/2011
03:37 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

LulzSec Went After Qakbot, Mariposa Bots

Meanwhile, Anonymous offering bot-herding, other hacker training for its recruits via IRC, security expert says

Had the now-defunct LulzSec hacking group had its demands met earlier this month for getting botnet intelligence from startup Unveillance, it could have wrested control of a portion of the infamous Qakbot's command-and-control infrastructure that's under the purview of the security firm.

The bots Unveillance had sinkholed are Qakbot-infected machines as well as some Mariposa-infected machines, which could have been a treasure trove of botnet firepower for the hacking group, security experts say. Qakbot is a Trojan that spreads like a worm, and its goal is to steal financial accounts and ultimately help siphon money. The botnet has been spotted on the rise, most recently infecting 1,500 Massachusetts state PCs and possibly exposing personal information of some 250,000 state residents.

Karim Hijazi, CEO and president at Unveillance, which uses sinkhole servers to pose as botnet servers that capture communique from orphaned bots, says his firm controls a large portion of the Qakbot botnet's command-and-control infrastructure via its sinkhole servers. "I believe [LulzSec] wanted it for use for a variety of reasons," Hijazi says. "Fraud, information-stealing, reverse-proxy, [etc.]."

In addition, Unveillance sinkholed some Mariposa bots, which LulzSec was also interested in obtaining. Although law enforcement controls the Mariposa command-and-control servers themselves, there are still plenty of machines worldwide infected with the bot malware. "We still see over 4 million events/communications from infected machines part of Mariposa per hour and over 100,000 unique IP addresses an hour," Hijazi says.

LulzSec wanted Mariposa for DDoS purposes, says Pedro Bustamante, senior research adviser for Panda Security. "It’s important to note that even if LulzSec [was able] to completely hack Unveillance and take over their systems, this will not have an impact on LulzSec getting access to the Mariposa botnet," Bustamante says. "The reason is that the DNS records for the Mariposa command-and-control servers are under the control of law enforcement, and are only being redirected to Unveillance for sinkholing purposes ... we can change the DNS records for the main C&C domains and point them somewhere else as to minimize the impact" of any theft of those existing Mariposa bots, he says.

Clues to LulzSec's botnet intentions began to surface last month, when Unveillance discovered some unusual traffic patterns around its network. On May 25, Hijazi noticed something funny was going on with his email account as well. "An email I saw on my phone was showing as already-read on my computer," even though he had not opened the message yet, he recalls.

Minutes later, he witnessed an email in his inbox go from "unread" to "read" and then back to "unread" again. "That was a really compelling event," he says. Between that and the unusual traffic trying to get past Unveillance's firewalls, something was definitely going amiss: "It was lockdown time," he says.

In the wee hours of the morning, Hijazi received an email with his Infragard password in the subject line, and a message asking if he wanted "to talk," and signed "Love, Friends." He gathered his team at 4:30 a.m., and they began brainstorming and shoring up security.

It wasn't until later in an online chat with the hackers that Hijazi learned what the attackers really wanted: "They ... [were] saying, 'We want your botnet information' or they would 'dox' us," he says. Among their demands was Qakbot information and its sinkholes: "They wanted [me] to convey ownership of the domain for DDoS'ing. They wanted command and control of those DDoS botnets," Hijazi says.

When Hijazi refused, they demanded money, but he replied that his firm was a start-up and didn't have any money. "On Friday, they dumped my emails online, and InfraGard was taken down," he says.

While Anonymous -- from which LulzSec originally spun off -- has been best known for using "crowdsource" distributed denial-of-service (DDoS) attacks using the Low Orbit Ion Cannon (LOIC) tool, the group also has relied on established botnets to take down websites it targets.

Meanwhile, Hijazi says the AntiSec operation headed by Anonymous is hosting a new hacker training school via an IRC chat room for new recruits. "New information about their 'new' AntiSecPro hacker training school shows intent to use the ZeuS source code to train new recruits [bot-herders] how to compile and deploy a ZeuS botnet," Hijazi says.

Aside from the Zeus training and offering source code for Zeus 2.0.8.9, the "#school4lulz" training includes language injection via HTTP, IDS evasion, SQL injection techniques, botnet C&C protocol selection, takeover mitigation, social engineering skills, war-driving, and how to find an individual's personal information online, Unveillance says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7779
PUBLISHED: 2020-11-26
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, [email protected]-----------------------------------------------------------!.
CVE-2020-7778
PUBLISHED: 2020-11-26
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
CVE-2020-29128
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
CVE-2020-27251
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVE-2020-27253
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.