Description
Reports that indicate a server (or a machine/PC connected behind it via VPN, NAT, ...) has connected to a Sinkhole server operated by a security organization but did not arrive through an HTTP referrer.
Since the Sinkhole server is only accessed through previously malicious domain names, the activity detected indicates that this server must be infected or is providing VPN services to an infected host.
More details about these reports: https://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
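The description above implies a simple triage rule: a sinkhole hit without an HTTP referrer came from resolving a formerly malicious domain, so the reported address is either infected itself or is a NAT/VPN gateway in front of an infected host. The following is an added example of that triage logic, not code from Shadowserver or from the original page. The report column names (timestamp, ip, type, http_referer), the sample rows and the NAT translation log are constructed assumptions for the example, not the real report schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the spirit of a sinkhole HTTP drone report.
# The column names are an assumption made for this example.
SAMPLE_REPORT = """timestamp,ip,type,http_referer
2014-06-01 10:00:01,192.0.2.10,zeus,
2014-06-01 10:00:05,192.0.2.11,downadup,
2014-06-01 10:01:12,192.0.2.12,sinkhole,http://research.example.net/sinkhole-test
2014-06-01 10:02:00,192.0.2.10,zeus,
2014-06-01 10:03:30,198.51.100.7,Sality,
"""

# Constructed NAT/VPN translation log for the gateway 192.0.2.10: which
# internal host was mapped to the public address at a given time.
SAMPLE_NAT_LOG = """timestamp,internal_ip,external_ip
2014-06-01 09:59:58,10.0.0.5,192.0.2.10
2014-06-01 10:00:40,10.0.0.9,192.0.2.10
2014-06-01 10:01:59,10.0.0.5,192.0.2.10
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_csv(text):
    """Parse a CSV document with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def suspect_rows(rows):
    """Keep only hits that carried no HTTP referrer.

    A hit with a referrer was reached by following a link (for example a
    researcher clicking through); a hit without one came from a host that
    resolved a previously malicious domain on its own, which is the
    infection signal the report is about.
    """
    return [r for r in rows if not r["http_referer"].strip()]


def summarize(rows):
    """Group suspect hits by public IP: hit count and the drone types seen."""
    summary = defaultdict(lambda: {"hits": 0, "types": set()})
    for r in rows:
        summary[r["ip"]]["hits"] += 1
        summary[r["ip"]]["types"].add(r["type"])
    return dict(summary)


def attribute_via_nat(suspects, nat_rows, window_seconds=60):
    """Map each suspect public IP to the internal hosts that were translated
    to it within window_seconds before the sinkhole hit.

    An empty set means the address is not a known gateway here, so the
    reported host itself is the infection candidate.
    """
    window = timedelta(seconds=window_seconds)
    translations = defaultdict(list)
    for n in nat_rows:
        ts = datetime.strptime(n["timestamp"], TS_FORMAT)
        translations[n["external_ip"]].append((ts, n["internal_ip"]))

    attribution = {}
    for hit in suspects:
        hit_ts = datetime.strptime(hit["timestamp"], TS_FORMAT)
        internal = attribution.setdefault(hit["ip"], set())
        for nat_ts, internal_ip in translations.get(hit["ip"], []):
            # Only translations that started shortly before the hit count.
            if timedelta(0) <= hit_ts - nat_ts <= window:
                internal.add(internal_ip)
    return attribution


if __name__ == "__main__":
    suspects = suspect_rows(parse_csv(SAMPLE_REPORT))
    for ip, info in summarize(suspects).items():
        print(ip, info["hits"], "hit(s)", sorted(info["types"]))
    for ip, hosts in attribute_via_nat(suspects, parse_csv(SAMPLE_NAT_LOG)).items():
        print(ip, "->", sorted(hosts) or "no NAT record; host itself suspect")
```

The NAT correlation is the part most often skipped in practice: when the reported address is a gateway, the report alone only identifies the gateway, and the translation log for the minute before the hit is what narrows it to an internal host.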
Details about reported drones
- Drone type: Sality
The virus is a polymorphic file infector which modifies executable files by appending its encrypted body to the end of the files. To reach its code, the virus replaces the code at the entry point with a polymorphic sequence holding the decryption routine.
Affected systems: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
More details:
http://www.bitdefender.com/VIRUS-1000630-en--Win32-Sality-2-OE.html
- Drone type: downadup
Worm/Downadup is malicious software that, once executed, has the capability of replicating itself and infecting other files and programs. This type of malware, called a virus, can consume hard disk space and memory and slow down or completely halt your PC.
Affected systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
More details:
- http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
- http://www.avgthreatlabs.com/virus-and-malware-information/info/worm-downadup/
- http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
- Drone type: Beebone
Win32/Beebone is a family of Visual Basic-compiled trojan downloaders that download and run other well-known malware, such as Win32/Vobfus, Win32/Fareit, Win32/Zbot, Win32/Sirefef, Trojan:Win32/Necurs.
More details:
- http://home.mcafee.com/virusinfo/virusprofile.aspx?key=3255551#none
- http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Beebone
- http://threatpost.com/vobfus-worm-beebone-trojan-create-malware-infection-loop
- http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32beebonebr
- Drone type: Glupteba
The trojan serves as a backdoor. It can be controlled remotely.
More details:
- http://www.virusradar.com/en/Win32_Glupteba.G/description
- https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=588
- https://www.sonicwall.com/us/en/esblogs.html?id=63
- Drone type: stealrat
StealRAT was a botnet that piggybacked on many breached WordPress sites back in July 2013. StealRAT is an advancement in mass-mailing or spamming: as new spam detection is released and put into place, spammers must find ways to circumvent these new technologies. TrendMicro was one of the first companies to discover this piece of malware; its methods consist of three essential things, as stated in their blog post:
- Compromised website for sending spam
- Compromised systems for harvesting and delivering the spam data
- Compromised website for delivering the payload
Source: http://zerosecurity.org/2014/06/stealrat-pops-back-2014
More details:
- http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf
- Drone type: IRCBot
The IRCBOT malware family uses Internet Relay Chat (IRC) to send and receive commands from a bot master that operates each specific variant. IRCBOT malware are known to propagate via removable drives using software vulnerabilities. IRCBOT can also use instant messaging programs like Yahoo! Messenger, MSN Messenger, and Windows Live Messenger to propagate.
More details:
- http://www.symantec.com/security_response/writeup.jsp?docid=2011-040711-0927-99
- http://about-threats.trendmicro.com/Malware.aspx?language=au&name=IRCBOT
- http://about-threats.trendmicro.com/us//archive/malware/BKDR_IRCBOT.AGF
- Drone type: pushdo
Pushdo is a botnet primarily used for spamming. Recently it has been observed launching Distributed Denial of Service (DDoS) attacks against certain SSL-enabled websites. The Pushdo malware is also known as Pandex and some components are known as Cutwail.
Pandex is Symantec's name for that Trojan. Trojan.Pandex is a Trojan horse that sends spam from a remote server and gathers email addresses from the compromised computer.
More details:
- https://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99
- http://www.iss.net/threats/pushdoSSLDDoS.html
- http://en.wikipedia.org/wiki/Cutwail_botnet
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129
- Drone type: Ransomware
Ransomware is a type of malware that stops you from using your PC. It may then tell you that you have to pay money, complete surveys, or perform other actions to unlock and use your PC.
Some types of ransomware are also called "FBI Moneypak" or the "FBI virus". They often use the FBI or local police logos and ask you to pay a fine using the legitimate money transfer service Green Dot MoneyPak.
Most ransomware shows a notification that says your local authorities have detected illegal activity on your PC. They then demand you pay a "fine" (the ransom) to avoid prosecution and to get access to your files again.
More details:
- http://en.wikipedia.org/wiki/Ransomware
- http://news.techworld.com/security/3343528/ransom-trojans-spreading-beyond-russian-heartland/
- http://www.ic3.gov/media/2012/121130.aspx
- http://www.fbi.gov/news/stories/2012/august/new-internet-scam/new-internet-scam
- http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
- http://en.wikipedia.org/wiki/CryptoLocker
- http://www.sophos.com/en-us/support/knowledgebase/119006.aspx
- Drone type: sinkhole
These IP addresses are all the devices that joined our Sinkhole server without arriving through an HTTP referrer. Since the Sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list.
More details:
- http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
- Drone type: torpig
Torpig, also known as Sinowal or Anserin (mainly spread together with Mebroot rootkit), is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows. Torpig circumvents anti-virus applications through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer and can perform man-in-the-browser attacks. (Source: http://en.wikipedia.org/wiki/Torpig)
Also known as Win32.Anserin.C [Computer Associates], Troj/Torpig-K [Sophos]
More details:
- http://en.wikipedia.org/wiki/Torpig
- http://www.spamfighter.com/News-11683-Rootkit-Torpig-Described-as-Most-Dangerous-Malware.htm
- http://www.symantec.com/security_response/writeup.jsp?docid=2005-112315-0608-99
- http://www.symantec.com/connect/blogs/flow-mbr-rootkit-trojan-resumes
- http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Torpig-A.aspx
- Drone type: Trojan.Simda
Trojan:Win32/Simda is a multi-component trojan that downloads and executes arbitrary files. These files may include additional malware.
More details:
- http://www.virusradar.com/Win32_Simda.B/description
- http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Simda
- http://www.avgthreatlabs.com/virus-and-malware-information/info/simda/
- Drone type: urlzone
Urlzone is a banking trojan that appeared in 2009; its main feature is the ability to hide the evidence of the fraud by changing, on the fly, the balance shown to the victim.
More details:
- https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Urlzone
- http://www.pcmag.com/article2/0,2817,2353610,00.asp
- http://krebsonsecurity.com/tag/url-zone-trojan/
- https://threatpost.com/inside-urlzone-trojan-network-100609/72203
- http://labs.m86security.com/2009/09/malware-analysis-trojan-banker-urlzonebebloh/
- Drone type: zeus
Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers using versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. (Source: http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29)
More details:
- http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29
- https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Zeus
- https://zeustracker.abuse.ch/statistic.php
- http://www.antisource.com/article.php/zeus-botnet-summary
- https://www.youtube.com/watch?v=CzdBCDPETxk
- http://www.b3b.ch/2010/12/12/zeus-le-dieu-des-virus-contre-les-banques/
- http://www.secureworks.com/cyber-threat-intelligence/threats/zeus/
- Drone type: zeus3np2p
New variants of the Zeusbot/SpyEye cybercrime toolkit are moving away from reliance on command-and-control (C&C) servers towards a peer-to-peer architecture.
More details:
- http://www.theregister.co.uk/2012/02/27/p2p_zeus/
- Drone type: Other
If the Drone type is not listed above, you can search for more information here:
- https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base
- http://www.bitdefender.com/site/Search/
- http://www.symantec.com/security_response/landing/threats.jsp
- http://www.avgthreatlabs.com/virus-and-malware-information/
- http://www.microsoft.com/security/portal/threat/threats.aspx
- http://windows.microsoft.com/en-us/windows/security-essentials-download
- http://about-threats.trendmicro.com/us/threatencyclopedia