It has been reported that a global criminal network known as "Avalanche", a collection of hardened, takedown-resistant server infrastructure used by cyber criminals to host malware distribution services, phishing campaigns and botnet command-and-control operations, has been taken down. The malware was distributed by means of specially crafted links in emails or malicious attachments. The families distributed over this covert network were mainly information stealers, banking Trojans and ransomware.
This worldwide network provided the following services:
- An extra layer of protection for botnet operators against takedown and domain blocking.
- Malware hosting and distribution services.
- Hosting for phishing campaigns.
- Launching of DoS attacks.
- Hosting for money laundering schemes.
It has also been reported that this fast-flux network was advertised on underground cybercriminal forums.
Working:
The network relies on fast-flux DNS to hide criminal services behind an ever-changing pool of compromised hosts acting as proxies. The domain names used by the malware resolve, with very short TTLs, to a set of IP addresses that is rotated constantly, so each lookup returns a different subset of the pool. The proxy machines are compromised systems that are already part of one botnet or another; they relay traffic to the attacker's back-end servers, so blocking or seizing any single proxy has little effect, and the attacker's real infrastructure is nearly impossible to identify from the victim's side.
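To make the mechanism concrete, here is an added example (not code from the original advisory or from any published Avalanche analysis) showing how a defender can spot fast-flux behaviour from passive DNS data: it scores each domain on TTL, the number of distinct addresses and networks seen over time, and how often consecutive answers share no address at all. The domain names, addresses and thresholds are constructed for illustration; the /16 prefix count is a crude stand-in for an ASN lookup.

```python
"""Fast-flux heuristic over a series of DNS resolution snapshots (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Resolution:
    """One observed DNS answer: when it was seen, the name, the TTL and the A records."""
    ts: int
    domain: str
    ttl: int
    ips: Tuple[str, ...]


def flux_metrics(observations: Iterable[Resolution], min_lookups: int = 3) -> Dict[str, dict]:
    """Compute per-domain indicators: distinct IPs, distinct /16s, mean TTL and churn.

    churn = fraction of consecutive answers that have no IP in common with the
    previous answer; a fluxing name approaches 1.0, a stable CDN name stays near 0.
    """
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)
    metrics = {}
    for domain, answers in by_domain.items():
        answers.sort(key=lambda a: a.ts)
        if len(answers) < min_lookups:
            continue  # not enough history to judge churn
        seen_ips = set()
        for a in answers:
            seen_ips.update(a.ips)
        # Crude network-diversity proxy: distinct /16 prefixes (real tooling would map to ASNs).
        prefixes = {".".join(ip.split(".")[:2]) for ip in seen_ips}
        changes = sum(1 for prev, cur in zip(answers, answers[1:])
                      if not set(prev.ips) & set(cur.ips))
        metrics[domain] = {
            "distinct_ips": len(seen_ips),
            "distinct_prefixes": len(prefixes),
            "mean_ttl": sum(a.ttl for a in answers) / len(answers),
            "churn": changes / (len(answers) - 1),
        }
    return metrics


def is_fast_flux(m: dict, max_ttl: int = 300, min_ips: int = 5,
                 min_prefixes: int = 3, min_churn: float = 0.5) -> bool:
    """All four indicators must fire; thresholds are assumptions to tune per environment."""
    return (m["mean_ttl"] <= max_ttl
            and m["distinct_ips"] >= min_ips
            and m["distinct_prefixes"] >= min_prefixes
            and m["churn"] >= min_churn)


def classify(observations: Iterable[Resolution], **thresholds) -> Dict[str, bool]:
    return {d: is_fast_flux(m, **thresholds) for d, m in flux_metrics(observations).items()}


# Constructed sample data (not real captures). Addresses are placeholders.
SAMPLE = [
    # CDN-style name: short TTL, two stable addresses from two networks, no churn.
    Resolution(0,   "cdn.example.com", 60, ("198.51.100.10", "203.0.113.20")),
    Resolution(60,  "cdn.example.com", 60, ("203.0.113.20", "198.51.100.10")),
    Resolution(120, "cdn.example.com", 60, ("198.51.100.10", "203.0.113.20")),
    Resolution(180, "cdn.example.com", 60, ("198.51.100.10", "203.0.113.20")),
    # Fluxing name: low TTL, a new set of proxy hosts on every lookup, spread across /16s.
    Resolution(0,   "update-check.example.net", 180, ("10.1.2.3", "10.44.5.6", "10.77.8.9")),
    Resolution(180, "update-check.example.net", 180, ("10.9.2.3", "10.123.5.6", "10.200.8.9")),
    Resolution(360, "update-check.example.net", 180, ("10.33.2.3", "10.150.5.6", "10.61.8.9")),
    Resolution(540, "update-check.example.net", 180, ("10.5.2.3", "10.88.5.6", "10.240.8.9")),
]

if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE).items():
        print(f"{domain}: {'FAST-FLUX' if verdict else 'ok'} {flux_metrics(SAMPLE)[domain]}")
```

The churn and network-diversity checks are what separate a fluxing domain from a CDN, which also uses short TTLs and many addresses but keeps returning the same stable pool; TTL alone would flag both.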
Impact:
Malware authors use Avalanche services to compromise machines, which are then capable of:
- Stealing user credentials and other sensitive data, such as banking and credit card information.
- Encrypting user files and demanding a ransom in exchange for the decryption key.
- Giving cyber criminals unauthorized remote access to the infected computer.
- Serving as part of the infrastructure for distributed denial-of-service (DDoS) attacks.
Associated malware:
The malware families that used this fast-flux network are listed below:
- Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
- URLzone (aka Bebloh)
- Citadel
- Gameover Zeus
- Dridex
- VM-ZeuS (aka KINS)
- Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
- newGOZ (aka GameOverZeuS)
- Tinba (aka TinyBanker)
- Nymaim/GozNym
- Vawtrak (aka Neverquest)
- Marcher
- Pandabanker
- Ranbyus
- Smart App
- TeslaCrypt
- iBanking
- Trusteer App
- Xswkit
- Corebot
- GetTiny
- Rovnix
- QakBot (aka Qbot, PinkSlip Bot)
Countermeasures:
- Users are advised to visit "Cyber Swachhta Kendra" for advice on disinfecting their systems: www.cyberswachhtakendra.gov.in
- Scan infected systems with an updated antivirus solution.
- Disable Autorun and AutoPlay policies.
- Use a limited-privilege user account for day-to-day work; grant administrative access only through separate, dedicated administrative accounts.
- Limit or eliminate the use of shared or group accounts.
- Do not visit untrusted websites.
- Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
- Enforce a strong password policy and implement regular password changes.
- Enable a personal firewall on workstations.
- Configure your email server to block or remove emails carrying file attachments of types commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Disable unnecessary services on agency workstations and servers.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Always change default login credentials before deployment in production.
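The email-server measure above is the one aimed most directly at Avalanche's delivery method (crafted links and malicious attachments). As an added example, not code from the original page or from any mail product, the following Python mail-filter logic implements that measure with the checks a gateway actually needs: it blocks the listed extensions, catches double extensions such as "invoice.pdf.exe", checks content rather than trusting the file name, and looks inside ZIP archives. The sample message, the extra extensions beyond the advisory's list, the MAX_MEMBER_SIZE limit and the decision to block encrypted archives are assumptions.

```python
"""Mail-gateway attachment policy check (added example, not from the original advisory)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Extensions named in the advisory (.vbs .bat .exe .pif .scr) plus common additions (assumption).
BLOCKED_EXT = {".vbs", ".bat", ".exe", ".pif", ".scr",
               ".cmd", ".com", ".js", ".jse", ".wsf", ".hta"}
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # refuse to expand oversized archive members (zip-bomb guard)


def blocked_reason(filename: Optional[str], data: bytes, depth: int = 0) -> Optional[str]:
    """Return why this attachment should be blocked, or None if it looks acceptable."""
    name = (filename or "unnamed").lower()
    # Check every suffix, so "invoice.pdf.exe" and "photo.jpg.scr" are both caught.
    suffixes = ["." + p for p in name.split(".")[1:]]
    hits = [s for s in suffixes if s in BLOCKED_EXT]
    if hits:
        return f"{name}: blocked extension {hits[-1]}"
    # Do not trust the name: a Windows executable starts with the "MZ" DOS header.
    if data[:2] == b"MZ":
        return f"{name}: executable content (MZ header) despite extension"
    # Look inside ZIP archives (local file header magic PK\x03\x04), one level only.
    if data[:4] == b"PK\x03\x04" and depth == 0:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_SIZE:
                        return f"{name}: archive member {info.filename} too large to inspect"
                    inner = blocked_reason(info.filename, zf.read(info), depth + 1)
                    if inner:
                        return f"{name} -> {inner}"
        except RuntimeError:
            # zipfile raises RuntimeError for encrypted members; uninspectable content is blocked.
            return f"{name}: encrypted archive cannot be inspected"
        except zipfile.BadZipFile:
            return f"{name}: corrupt archive"
    return None


def check_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and return one reason per offending attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = blocked_reason(part.get_filename(), payload)
        if reason:
            reasons.append(reason)
    return reasons


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): one clean PDF and three disguised executables."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # stand-in for a PE header, not a real binary
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")  # double extension
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="report.txt")  # harmless-looking name, executable content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan.jpg.scr", fake_pe)  # executable nested in an archive
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scans.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in check_message(build_sample_message()):
        print("BLOCK:", reason)
```

A filter that matched only the final extension would pass "report.txt" and "scans.zip" straight through; the content check and the archive inspection are what close those two gaps, and the encrypted-archive rule exists because a password-protected ZIP defeats inspection entirely.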