Archive for botnet

Sep 18

Botnet Causes Click Fraud

The Bahama botnet, so named by Click Forensics, has found a way to mask its clicks and traffic as legitimate, and because of this click fraud will be seeing a surge.

It is really an elegant solution. First off, it's a botnet, so the clicks come from a variety of IPs, which gets past the basic click fraud filter (too many clicks from the same IP automatically get flagged as fraudulent). Second, the botnet masks the source of the clicks. So instead of the PPC network seeing the clicks come from some undisclosed location in the Bahamas, the network sees the click as coming from a university, a government office, or even a library. Third, this is not a strong-arm tactic: the intervals between fraudulent clicks are irregular, so the botnet could click an ad and then wait an hour to click it again, or it could wait six minutes or 38 minutes, whatever.

The means by which the infection spread was equally elegant. Remember not too long ago that the New York Times was tricked into putting a malicious ad on its web site? That had a hand in this. The Facebook virus scare dubbed Fan Check likewise had a hand in this. The malware used in the "virus removal kits" for the Fan Check "virus" and the malware used with the Times ad are eerily similar to the malware used with the Bahama botnet.

The problem with an attack like this is that it's very hard to determine what is fraud and what isn't. I would liken it to spam. Some spam is very easy to catch, just as some click fraud is clumsy and easily found. It's when the fraud begins to mimic normal human patterns that you have the difficulty, and if the code for the Bahama botnet becomes more refined it may be nigh impossible to separate fraud from truth.
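To make the two sides of the post concrete, here is an added example (not code from the original post or from Click Forensics) that runs two triage checks over a click log: the basic per-IP rate filter the post says the botnet evades, and a campaign-level check that looks at how many distinct IPs clicked an ad in a day compared with a historical baseline. The log format, campaign names, IP addresses, thresholds and baselines are all constructed for illustration.

```python
"""Click-log triage: the basic per-IP rate filter beside a distributed-source check.

Added example, not code from the original post. The log format, the campaign
names, the IP addresses, the thresholds and the baselines below are constructed
for illustration; real PPC logs carry far more fields.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed click log: ISO timestamp, campaign id, source IP.
# camp-A carries one clumsy clicker hammering the ad from a single IP.
# camp-B carries the botnet-style pattern the post describes: many distinct
# IPs, one click each, at irregular intervals, so no single IP trips the
# rate filter.  camp-C is ordinary traffic.
SAMPLE_LOG = """\
2009-09-18T10:00:00 camp-A 198.51.100.7
2009-09-18T10:05:00 camp-A 198.51.100.7
2009-09-18T10:11:00 camp-A 198.51.100.7
2009-09-18T10:12:00 camp-A 198.51.100.7
2009-09-18T10:20:00 camp-A 198.51.100.7
2009-09-18T10:33:00 camp-A 198.51.100.7
2009-09-18T10:41:00 camp-A 198.51.100.7
2009-09-18T10:50:00 camp-A 198.51.100.7
2009-09-18T11:00:00 camp-A 192.0.2.10
2009-09-18T08:02:00 camp-B 203.0.113.1
2009-09-18T08:40:00 camp-B 203.0.113.2
2009-09-18T09:46:00 camp-B 203.0.113.3
2009-09-18T09:52:00 camp-B 203.0.113.4
2009-09-18T11:15:00 camp-B 203.0.113.5
2009-09-18T11:21:00 camp-B 203.0.113.6
2009-09-18T12:59:00 camp-B 203.0.113.7
2009-09-18T14:03:00 camp-B 203.0.113.8
2009-09-18T14:41:00 camp-B 203.0.113.9
2009-09-18T16:10:00 camp-B 203.0.113.10
2009-09-18T17:33:00 camp-B 203.0.113.11
2009-09-18T19:08:00 camp-B 203.0.113.12
2009-09-18T09:00:00 camp-C 192.0.2.20
2009-09-18T15:30:00 camp-C 192.0.2.21
"""

# Constructed historical baseline: typical distinct clicking IPs per campaign per day.
BASELINE_DISTINCT_IPS = {"camp-A": 4, "camp-B": 3, "camp-C": 3}


def parse_log(text):
    """Parse the constructed log into (timestamp, campaign, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, campaign, ip = line.split()
        events.append((datetime.fromisoformat(ts), campaign, ip))
    return events


def per_ip_rate_filter(events, max_clicks_per_hour=5):
    """The basic filter the post describes: too many clicks from one IP in an hour."""
    buckets = Counter()
    for ts, _campaign, ip in events:
        buckets[(ip, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return sorted({ip for (ip, _hour), n in buckets.items() if n > max_clicks_per_hour})


def distinct_source_surge(events, baseline, factor=3.0):
    """Distributed check: a campaign whose count of distinct clicking IPs in a
    day far exceeds its baseline is suspicious even when every single IP stays
    under the per-IP rate limit."""
    seen = defaultdict(set)
    for ts, campaign, ip in events:
        seen[(campaign, ts.date())].add(ip)
    flagged = []
    for (campaign, day), ips in seen.items():
        expected = baseline.get(campaign, 0)
        if expected and len(ips) > factor * expected:
            flagged.append((campaign, day.isoformat(), len(ips)))
    return sorted(flagged)


def triage(text=SAMPLE_LOG, baseline=BASELINE_DISTINCT_IPS):
    """Run both checks and return what each one flags."""
    events = parse_log(text)
    return {
        "rate_limited_ips": per_ip_rate_filter(events),
        "surging_campaigns": distinct_source_surge(events, baseline),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The per-IP filter catches only the clumsy clicker in camp-A; the twelve one-click sources in camp-B sail through it, and because the post says the sources are made to look like universities and libraries, an IP-reputation list would not help either. The campaign-level baseline is what surfaces camp-B, which is the shape of check a network has to fall back on once the per-click signals look human.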

Categories: Security

The latest botnet attack, named Gumblar, has been attacking the Internet for a few weeks. ScanSafe named the attack Gumblar because it operates out of the website gumblar.cn. Researchers and security experts believe Gumblar infects a site through FTP: weak passwords, poor permissions, etc. open the doors to the Gumblar Trojan.

The first thing to do if you suspect your site has been compromised is to check it. There are numerous ways of doing this: you could use Google Chrome and go through your site, you could search your files for pieces of Gumblar code, or you could use a utility such as Malwarebytes.

Code injected into a site can be small (a few lines) or can be a veritable War and Peace. The strings to search for are "(function(" and ".replace(". The code is normally found before the <body> tag in HTML or at the end of a .js file. So far, the code only compromises HTML, JS, and PHP files.

Now that you've found it, the next step is up to you. You can opt to remove all the code first, or you can lock down your FTP first. This really depends on what your site does. If it has a lot of traffic, then I would suggest removal first, then lockdown. Getting that code off your site so it doesn't affect your audience is the top priority.

To do this you could use third-party software, or you can do it by hand. Personally, I always go by hand, since then I know I will find every iteration of the problem. Using the search method, you can comb through your files quickly, deleting all of the Gumblar code. You should also delete any folder that contains only image.php files.

Locking the site down starts with changing the FTP password. Make sure the new one is long and mixes letters, numbers, and other characters. Once that is done, look through folder and file permissions; if your site requires that some files or folders be writable, that is fine, but make sure only those have write permission.

Gumblar’s rate of infection has grown by 188% over the last week, but with a little effort, your site can keep from becoming a statistic.
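The search-and-lockdown steps above can be scripted against a local copy of the site. The following is an added example, not code from the original post or from any of the tools it mentions: it walks a directory tree and reports HTML/JS/PHP files containing both of the strings the post names, with a hint about where the hit sits (before <body>, or in the tail of a .js file), directories holding nothing but image.php files, and world-writable files and directories. The sample site built by make_sample_site() is constructed for illustration. The scanner only lists candidates and deletes nothing; both strings also occur in legitimate minified JavaScript, so each hit still needs a look by hand, as the post recommends.

```python
"""Gumblar-style site triage: candidate injected code, orphan image.php
folders and over-permissive permissions.

Added example, not code from the original post. Paths, file contents and the
sample site are constructed for illustration.
"""
import os
import stat
import tempfile

PATTERNS = ("(function(", ".replace(")          # the two strings the post names
EXTENSIONS = {".html", ".htm", ".js", ".php"}    # the file types the post says are hit


def _rel(root, path):
    """Path relative to the site root, with forward slashes for stable reporting."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def _world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def hit_location(name, text):
    """Describe where the first '(function(' sits, in the terms the post uses."""
    idx = text.find(PATTERNS[0])
    body = text.lower().find("<body")
    if body != -1 and idx < body:
        return "before <body>"
    if name.lower().endswith(".js") and idx >= len(text) // 2:
        return "tail of .js file"
    return "elsewhere (review manually)"


def scan_tree(root):
    """Walk the site and collect the three kinds of findings; nothing is modified."""
    report = {"suspicious": [], "image_php_only": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = _rel(root, dirpath)
        if rel_dir != "." and _world_writable(dirpath):
            report["world_writable"].append(rel_dir)
        # A folder whose only contents are image.php files is what the post says to delete.
        if filenames and not dirnames and all(f == "image.php" for f in filenames):
            report["image_php_only"].append(rel_dir)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = _rel(root, full)
            if _world_writable(full):
                report["world_writable"].append(rel)
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if all(p in text for p in PATTERNS):
                report["suspicious"].append((rel, hit_location(name, text)))
    for key in report:
        report[key].sort()
    return report


def make_sample_site():
    """Build a constructed site in a temp dir: two files carrying the injected
    pattern, one orphan image.php folder, one world-writable uploads folder."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    os.chmod(root, 0o755)
    files = {
        "index.html": "<html><head><script>(function(){var s='x'.replace(/x/,'y');})();"
                      "</script></head><body>Hello</body></html>\n",
        "js/app.js": "function greet(){return 'hi';}\n" * 4
                     + "(function(){var s='a'.replace(/a/,'b');})();\n",
        "js/lib.js": "function clean(){return 1;}\n",
        "contact.php": "<?php echo 'contact'; ?>\n",
        "tmp/image.php": "<?php ?>\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), 0o755)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(full, 0o644)
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)  # deliberately over-permissive, to be flagged
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for key, value in scan_tree(site).items():
        print(key, value)
```

Run it against a fresh FTP download of the site rather than the live tree, and treat the world-writable list as the starting point for the permissions pass the post describes: anything on it that the site does not need to write to should lose that bit.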

Categories: Commentary

Apr 23

Cybergangs, Botnets, and Automation


In its blog, security firm Finjan discusses how a single team of cybercriminals is able to control one of the largest botnets on the planet. The botnet comprises over 1.9 million computers and continues to grow. 1.9 million computers!

Let's set aside the fact that this is criminal activity and the operation is illegal. 1.9 million computers being controlled by a small group of people. How can this happen? How does a group of people send out and process instructions to some 1.9 million computers? Well, the answer to that is easy: automation.

The hackers built an interesting control panel that tells them how many bots they have, their IP addresses, etc., which comes in handy when they want to trade zombied computers with other criminal outfits. The hackers also have a command-line instruction set with which they can tell some or all computers in the net to download trojans and malware. These programs can be thought of as upgrades, in that they increase the number of commands a hacker can run on a computer. For instance, the blog identifies two such scripts, Seneka and Zch. These two files can read email addresses, communicate with other computers, execute processes on the computer, inject code into those processes, visit websites, register background services, etc.

Essentially, the hackers uploaded a whole new set of services and controls to the computers they compromised, and the two scripts above make it easier to add more later. Based in Ukraine, six people are able to control 1.9 million computers around the world. And they do it using automation.

If six hackers can control so many computers from a single server, what can you do for your customers with the help of automation?

Categories: Commentary
