Well after nearly 24 hours of nervous twitching and countless hours of tweaking and adding new info, PG finally got this article prepared and done. Turns out there was so much info, it will be broken up into two separate articles, the second of which wi enjoy the read.
by Chris Boyd, Security Research Manager; Wayne Porter, Sr. Director Greynets Research
Has it been too long? Withdrawal symptoms after the last bust? I can only apologise - but when you're defending the Net from Suckers (Kung-Fu style), sometimes you really have to deep-dive before you slam the bad guys in a ditch.
Usually I like to build up to the big payoff at the end of a lengthy tease. However, this bust is different so excuse me while I drop ninety tons of planet Earth on you.
We have, by means of a hot tip from a kickass guy named Rince (and numerous chats since then...he social engineered those hax0rs good), found and analysed over 40 files, hunted down the connections between them all and uncovered a ring of Botnet herders using a custom built script that, powered by remote tools, scans vulnerable payment databases and attempts to steal customer details - names, addresses, credit card numbers - the whole nine yards. Even better, there is evidence to suggest this was being fired around...you guessed it, via Instant Messaging.
Acting on an anonymous tip, FaceTime Security Labs researchers have uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers, one of which is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.
In addition, after systematic research of the various groups involved, we have uncovered a number of websites where up to forty (40) or more files are being shared around this community, and reworked for individual Botnets to push the problem even further. Commercially available remote admin tools (similar to the ones employed here) are used to gain complete access to the end-user's PC - files can be uploaded, downloaded, or whatever the Botmaster feels like doing with the machine.
However, what the Botnet master really feels like doing is downloading the payment database application to your PC, then scanning for misconfigured shopping carts using you as the fall guy.
Let us explain further...if an end user clicks on a malicious link passed to them via Instant Messaging, Remote Administration Server, a commercially available application produced by Famtech, is automatically installed via a "beh.exe". The install is designed to hide the application in the systray with no interaction from the end user. Once this application is installed, the end user's computer is compromised and can be accessed remotely, with additional malware applications installed on the desktop.
Look for more to come from Chris and Wayne on this in the near future as they provide even more chilling details on how the bot herders carry on their business of reaping in the money and ripping off even their own so-called business associates.
Moderator edit: added quotation notation to avoid confusion. jgweed
Edited by jgweed, 15 March 2006 - 11:56 AM.