Botnet platform helps cybercriminals bid for zombie PCs

By Robert Westervelt, News Editor
18 Jun 2009 | SearchSecurity.com

Researchers at security vendor Finjan Inc. have discovered a new platform used by cybercriminals to buy and sell batches of zombie PCs and other tools used to carry out attacks.

Called the Golden Cash network, the trading platform allows botnet herders to sell portions of their botnet to the highest bidder. Batches of 1,000 malware-infected PCs can be purchased from $5 to $100, depending on location, Finjan said.

In addition to offering the latest versions of attack toolkits, the global network partners with its members to distribute the Golden Cash bot, which collects FTP credentials of legitimate websites through infected PCs. Finjan said its researchers were able to identify about 100,000 domains, including corporate domains, whose credentials were stolen, enabling access to the servers.

"Looking at the list of compromised PCs we found, it is clear that no individual, corporate or governmental PC is safe," Yuval Ben-Itzhak, chief technology officer of Finjan, said in a statement. Ben-Itzhak heads the vendor's Malicious Code Research Center (MCRC).

Cybercriminals have been buying and selling botnets, proxy servers and attack toolkits on Web forums notorious for criminal activity. When the Conficker worm reached its peak earlier this year, security researchers warned that those behind the infection could sell off portions of it on the black market. But Ben-Itzhak points out that the Golden Cash platform is the first organized network of its kind, creating partners to distribute its bot and infect more PCs.

The Golden Cash platform also includes a malware center, where buyers can search for the latest malware that fits their needs, according to Finjan's Cybercrime Intelligence Report. The center includes a listing of the latest malware and their download locations.

Once infected, PCs enter a continuous cycle: buyers use them to infect other websites and to steal passwords and other sensitive information, then put them up for resale through the Golden Cash network.

For managing and building the Golden Cash bots, cybercriminals are using the Zalupko Trojan, according to Golan Yosef, a security researcher at Finjan. In a post on Finjan's MCRC blog, Yosef outlined how the botnet worked. Its command and control server remained undetected by security vendors for a longer time because it used another website as a proxy that tunnels the bots' communication to and from the C&C server, Yosef said.

"In fact, we found Zeus Trojan logs on the C&C server from June 2008," Yosef said. "Normally, we find logs that are about 3-4 months old."

The command and control server is hosted in Texas. The registrant country is China. The proxy website, which tunnels traffic to the command and control server, is hosted in Krasnodar, Russia, Yosef said.
