Archive for the ‘vx scene’ Category

Fewer viruses

Friday, February 29th, 2008

One of the most prolific and well known groups from the vx scene has closed up shop this February:

Can’t say that we’ll miss the virus writing from 29A.

This Spanish-based group released their first “zine” back in the mid-90’s — that was ten years and eight issues ago.
Unfortunately, we’re seeing that the activities of these groups in 2008 are being replaced with the sort of scam software that we’re calling “Rogueware”, password stealing of all sorts, and ongoing botnet activity. The motivations behind malware development continue to move away from virus writing for reputation and towards malware development for financial gain.

Notes from the underground II

Wednesday, January 2nd, 2008

AV veteran Peter Ferrie of Symantec noticed that the vx scene he has been fighting for so long has been winding down. The scene’s virus writers are beginning to post their farewellz and shoutz on the 29A forums and others.

He also points out that the trojan scene has steadily been replacing the activity of vx writers:
“We are striving to put them out of business. Once they’re all gone, those Trojans will keep us in business for a long time. Not that we want them, either.”

Even those trojan groups are beginning to disappear. The ChaseNET forums, a major international source of “Remote Administration Tool” (RAT for short, otherwise known as “Trojan Horse”) activity since 2004, are closing down as well. This shutdown curiously coincides with the FBI arrest of longtime ChaseNET member “Digerati”. He faces up to five years in prison and a $250,000 fine if convicted of conspiracy to commit computer fraud, as we posted last year.
While the oldest of the groups might be drying up, unfortunately there are more growing to replace the vxers in different parts of the world. Recently released “zines” from these newer groups publish technically sophisticated source details of password stealing, advanced rootkit techniques, and more. These zines follow the trend away from virus writing for reputation to password stealer writing for profit. Plug in the slow cooker, because we’ll see more “Bot Roast” style arrests in 2008.

Unfortunately, we are also seeing more posts overseas from individuals seeking bot herding partners, looking to install more adware on victims’ systems and raise revenues for those involved. This sort of collaboration and malware should also continue throughout 2008, as we have been seeing a high level of this activity at the end of 2007.
Some of the most prevalent malware ThreatFire is currently seeing comes from the Zlob or Popuper families that are distributed in this manner. And here is one of the requests that we are seeing on an overseas forum regarding rogueware installs:
“We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots.”

Update: Bot Roast II resulted in another guilty plea. This time from Gregory King, indicted at the same time as “Digerati”. His deal includes a two year prison term.

Botnet arrests and indictments around the world from Bot Roast II

Monday, December 10th, 2007

Two teen botnet herders that went by the aliases Akill and Digerati were arrested by the FBI and New Zealand authorities.
“The FBI estimates that more than one million computers have been infected and puts the combined economic losses at more than $20 million.”
The arrests are a part of the FBI’s ongoing ‘Bot Roast II’.

The arrest and past behavior of the Penn State student Ryan Brett Goldstein, who went by the handle “Digerati”, are also being discussed on the underground forums where he shared advice and code since around 2000. Rumors surrounding his bot herding and bot update techniques, his accidental DoS attacks on university servers, and his intentional DDoS’ing of groups of other underground coders continue to circulate.
