Webs.com Botnet Activities

Webs.com is a web hoster that lets its users create a personal, group, or small business website for free. Webs.com also provides a free subdomain for each created account (e.g. http://yourname.webs.com).

Since the start of our HoneyNet in February 2009, we have directly observed that some malware located on Webs.com was participating actively in the construction and propagation of a botnet.

The Webs.com server hosting the malware has the IP 216.52.115.50. From February 2009 to the end of August 2010, the Webs.com botnet, composed of a few different malware hosters, has generated 2 978 events, and 70 attackers have called the botnet files located on the hoster's servers.

The US, Germany and Colombia are the countries participating most in the botnet activity in terms of events. The US and China are the countries that have been hosting part of the botnet for more than 100 days.

August 2010 was the most active month in terms of events, March 2010 the month with the most distinct attackers, and February and April 2010 the months with the most detected hosters.
Since June 2010 we can see that the activity of the botnet has been increasing drastically.
An interesting point: the Webs.com, FileAve.com, Kortech.cn and Interfree.it botnets are linked together through a few shared hosters. Just check the available Afterglow visualization of the interaction between the botnets.

Some videos of DLL Hijacking exploitation with Metasploit

I didn't have time in August (holidays) to write a complete blog post on the DLL Hijacking thing, so I only made some YouTube videos, which explain the dangerousness of this flaw better. But what is interesting in this story is the "Acros" position on the coordinated disclosure process proposed by HD Moore, and the collision between security researchers working on the same vulnerability without knowing that they were working on the same thing thousands of miles away from each other.

[youtube DjewBjJR0HA]

[youtube gtLTUZvOYc0]

[youtube EeztydiJTeU]

[youtube O_bX0I9hF1s]

Increasing Web Proxy CONNECT Requests from China

Since 28 August we have detected an increasing number of Web Proxy CONNECT requests from China. All the source IPs are different, and most of them are only trying one or two connections.

Below is a live graph of the "Web Proxy CONNECT Request" events. An Afterglow visualization and all the data (timestamps, source IPs, source IP countries, source IP ASNs) are available by clicking on the following link.

1 month SIG 2001675 IDS Events

e107 RCE EDB-ID 12715 under monitoring

Previously I wrote a blog post about the ByroeNet/Casper-Like bot scanners, and noted that the most important evolution of these scanners was the integration of the e107 RCE (EDB-ID: 12715) and LFI vulnerability exploitations. I created a rule to monitor precisely the activity of these e107-dedicated exploitations.

Below you can find real-time graphs for the e107 RCE vulnerability.

Monthly event activity for rule 1010043
Monthly TOP 10 Source IPs for rule 1010043
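The graphs above (monthly events and top source IPs for rule 1010043) and the "many distinct source IPs, one or two connections each" pattern described for the CONNECT request signature 2001675 are both simple aggregations over IDS alerts. The following Python is an added example, not code from this blog or its HoneyNet: it parses a constructed, simplified alert line format (the real sensor's log format is not given on the page, and the alert lines, IPs and country codes below are made up), then computes monthly event counts, distinct attackers per month, a top-N source list, and the share of sources that fired at most twice since a given date. Only the two rule ids come from the page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts (not from the page's honeynet). Assumed format:
# "<ISO timestamp> sid=<rule id> src=<ip> cc=<country> dst=<ip>:<port>"
SAMPLE_ALERTS = """\
2010-08-27T09:12:01 sid=2001675 src=203.0.113.10 cc=CN dst=192.0.2.5:8080
2010-08-28T10:15:32 sid=2001675 src=203.0.113.11 cc=CN dst=192.0.2.5:8080
2010-08-28T10:15:40 sid=2001675 src=203.0.113.11 cc=CN dst=192.0.2.5:8080
2010-08-28T11:02:13 sid=2001675 src=203.0.113.12 cc=CN dst=192.0.2.5:3128
2010-08-29T02:44:51 sid=2001675 src=203.0.113.13 cc=CN dst=192.0.2.5:8080
2010-08-29T03:00:00 sid=2001675 src=198.51.100.7 cc=US dst=192.0.2.5:8080
2010-07-03T14:20:10 sid=1010043 src=198.51.100.20 cc=US dst=192.0.2.9:80
2010-07-03T14:20:12 sid=1010043 src=198.51.100.20 cc=US dst=192.0.2.9:80
2010-08-01T00:10:00 sid=1010043 src=198.51.100.21 cc=DE dst=192.0.2.9:80
2010-08-01T00:11:00 sid=1010043 src=198.51.100.20 cc=US dst=192.0.2.9:80
this line is deliberately malformed and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} sid=(?P<sid>\d+) "
    r"src=(?P<src>[\d.]+) cc=(?P<cc>[A-Z]{2}) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["month"] = event["day"][:7]  # YYYY-MM bucket for monthly graphs
        events.append(event)
    return events


def monthly_activity(events, sid):
    """Events per month and distinct source IPs ('attackers') per month for one rule."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        if e["sid"] == sid:
            counts[e["month"]] += 1
            sources[e["month"]].add(e["src"])
    return {m: {"events": counts[m], "attackers": len(sources[m])} for m in sorted(counts)}


def top_sources(events, sid, n=10):
    """Top-N source IPs by number of alerts for one rule."""
    return Counter(e["src"] for e in events if e["sid"] == sid).most_common(n)


def low_volume_source_share(events, sid, since, max_hits=2):
    """Distinct sources since `since` (YYYY-MM-DD) and the share of them that fired
    at most `max_hits` times. Many sources with a share near 1.0 is the
    'all IPs different, one or two tries each' pattern rather than a single scanner."""
    per_src = Counter(e["src"] for e in events if e["sid"] == sid and e["day"] >= since)
    if not per_src:
        return 0, 0.0
    low = sum(1 for c in per_src.values() if c <= max_hits)
    return len(per_src), low / len(per_src)


def country_breakdown(events, sid, since):
    """Alert count per source country for one rule since a date."""
    return Counter(e["cc"] for e in events if e["sid"] == sid and e["day"] >= since)


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_ALERTS)
    print("rule 1010043 by month:", monthly_activity(evts, "1010043"))
    print("rule 1010043 top sources:", top_sources(evts, "1010043"))
    print("sid 2001675 since 28 Aug:", low_volume_source_share(evts, "2001675", "2010-08-28"))
    print("sid 2001675 countries:", country_breakdown(evts, "2001675", "2010-08-28"))
```

Keying the monthly counters on the YYYY-MM prefix of the timestamp is what keeps the "events" and "distinct attackers" series distinct: a single persistent source inflates the former but not the latter, which is why the page's busiest month for events and its busiest month for attackers differ.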