Tuesday, February 2, 2010

Botnets

If you still think that cyber crime is just over-hyped and not as serious as "real" crime, and that "hacking" is only done by a bunch of smart kids with a disproportionate amount of free time, think again! Check out this video from Google Tech Talks: How to Steal a Botnet and What Can Happen When You Do.

Here is a text summary from another blog. The UCSB folks took control of the botnet by figuring out the domain name generation algorithm and then registering the domains before the bad guys could register them. Of course, once the bad guys figured it out, they changed the domain generation algorithm and pushed the new version down to the infected machines. The interesting part was that I watched this video around the time the Google-China standoff was going on; the video mentions that Torpig downloads a list of about 200 banks from around the world to launch its phishing attacks, and then, for some reason, they point out that not one of the banks was from China :-)

The gist is that when you visit sites you are not supposed to visit (you know the type I am talking about), this is what can happen:

  1. They entice you with an irresistible pop-up to click on, or they exploit some vulnerability in the browser to install the Mebroot rootkit on your system. This is called a drive-by download, i.e. a download you did not explicitly ask for.
  2. Mebroot is a rootkit that infects the Master Boot Record. I always thought messing with the MBR wasn't that easy, but Symantec says otherwise: "The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector0 as a standard user is a relatively easy task."
  3. Next, Mebroot opens a backdoor and downloads another Trojan horse called Torpig.
  4. And then you are pretty much screwed. Torpig injects itself into some 29 different DLLs and actively sends everything from your keystrokes (keylogger) to your HTTP form data back to its command and control servers. It also launches phishing attacks from inside your browser.
  • You can't just block the IP of its command and control server at your firewall, because it uses an elaborate algorithm to compute new command and control domain names almost every day, and the criminals register those domains to run the command and control servers.
  • Using HTTPS does not help, because Torpig has already injected itself into your browser, so it sends the form POST data before the browser can encrypt it.
  • Anti-phishing software won't help either: since Torpig is now part of your browser, you will see bankofamerica.com in the address bar and not some fake URL, but the page it shows is still fake, and it simply sends the details you enter to the command and control servers.
  • And it can use the Mebroot backdoor to update its executable code regularly, so the algorithms keep changing.
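To make the domain-generation point concrete, here is an added example (mine, not from the talk, the other blog, or the Torpig authors, and not Torpig's real algorithm) in Python. It uses a toy date-seeded generator standing in for the bot's algorithm, then shows the defender-side step the UCSB team took: enumerate the domains for a window of days so they can be registered first (sinkholed) or blocklisted, and check resolver log lines against that set instead of against IPs that change daily. The seed, TLD list, label length and the log line format are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA: NOT Torpig's real algorithm, just the same idea of
# deriving the day's rendezvous domains from the date, so that a defender who
# has recovered the algorithm can compute the same names ahead of time.
TOY_SEED = b"constructed-seed"          # assumption: a fixed per-family seed
TLDS = ("com", "net", "biz")            # assumption: TLDs rotated per candidate


def generate_domains(day, count=3):
    """Return the candidate C&C domains the toy bot would try on `day`."""
    domains = []
    for i in range(count):
        material = TOY_SEED + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        # 10 lowercase letters derived from the first digest bytes
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append("%s.%s" % (label, TLDS[i % len(TLDS)]))
    return domains


def predict_window(start, days):
    """Map every domain the bot will try over `days` days to its date.

    This is the list a defender registers first (sinkhole) or adds to a
    DNS blocklist; it is only valid while the algorithm stays unchanged,
    which is exactly why the criminals pushed a new one once they noticed.
    """
    predicted = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for dom in generate_domains(day):
            predicted[dom] = day
    return predicted


def scan_dns_log(lines, predicted):
    """Flag clients querying a predicted C&C domain.

    Assumed (constructed) resolver log format: "<timestamp> <client-ip> <qname>".
    Matching on names rather than IPs is what keeps this useful against the
    daily change of C&C addresses described above.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in predicted:
            hits.append((parts[1], qname, predicted[qname]))
    return hits


# Constructed sample resolver log: one infected host resolving the day's
# first DGA domain, plus benign noise from other hosts.
SAMPLE_DAY = date(2010, 2, 2)
SAMPLE_LOG = [
    "2010-02-02T10:00:01 10.0.0.5 www.example.com.",
    "2010-02-02T10:00:02 10.0.0.9 %s." % generate_domains(SAMPLE_DAY)[0],
    "2010-02-02T10:00:03 10.0.0.5 mail.example.org.",
]


if __name__ == "__main__":
    window = predict_window(SAMPLE_DAY - timedelta(days=1), 7)
    print("domains to sinkhole this week:", len(window))
    for client, qname, day in scan_dns_log(SAMPLE_LOG, window):
        print("%s queried DGA domain %s (scheduled for %s)" % (client, qname, day))
```

Run it as-is and it prints the one infected client from the constructed log. The design choice worth noting is that detection keys on the predicted names, not on addresses: a firewall rule on yesterday's C&C IP is stale tomorrow, whereas the predicted-domain set stays correct until the bot's algorithm itself changes.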
