Microsoft Settles with Defendants in Nitol Botnet Case

Last month, we reported about an operation conducted by Microsoft to disrupt the Nitol botnet. The operation, titled Operation b70 was a result of a study conducted by Microsoft which discovered pirated copies of Windows embedded with malware. As a part of the operation  Microsoft’s Digital Crimes Unit had asked to be allowed to take control of the domain which was used to host the botnet.

Assistant General Counsel for Microsoft Digital Crimes Unit,Richard Domingues Boscovich has stated in a blog post that they have reached a settlement with Peng Yong, operators of domain. He states:

Today, I am pleased to announce that Microsoft has resolved the issues in the case and has dismissed the lawsuit pursuant to the agreement. As part of the settlement, the operator of, Peng Yong, has agreed to work in cooperation with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to:

· Resume providing authoritative name services for, at a time and in a manner consistent with the terms and conditions of the settlement.

· Block all connections to any of the subdomains identified in a “block-list,” by directing them to a sinkhole computer which is designated and managed by CN-CERT.

· Add subdomains to the block-list, as new subdomains associated with malware are identified by Microsoft and CN-CERT.

· Cooperate, to the extent necessary, in all reasonable and appropriate steps to identify the owners of infected computers in China and assist those individuals in removing malware infection from their computers.

In accordance with the settlement, Peng Yong will work with Microsoft and Chinese Computer Emergency Response Team to remove all malware associated with the domain and bring to justice all those responsible for spreading the malware.

Richard also shared some statistics regarding the blocked domains.

Of note, in 16 days since we began collecting data on the 70,000 malicious subdomains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious subdomains. In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked subdomains. For example, on Sept. 25, we successfully processed 34,954,795 DNS requests for subdomains that were not on our block list.

The operation is a part of Microsoft’s larger MAPS program intended to provide protection to the users of its Windows operating system.

Via: Technet 

Flame Command & Control Server Password Cracked

Flame was arguably the next big thing in the state sponsored malware section after Stuxnet. If you are not aware, Flame is a malware that was used to infect computers in the Middle East for espionage purposes.

Flame was investigated by a joint effort of Kaspersky, Symantec, ITU-IMPACT and CERT-Bund/BSI. Symantec had earlier failed to crack the password of Flame’s Control Centre and had put out a blog post asking for help in cracking the hash, 27934e96d90d06818674b98bec7230fa. Dmitry Bestuzhev of Kaspersky cracked the hash to find the clear text password as 900gage!@#. We are not yet aware of the method he used to crack the hash.

The decoding of the hash led to the researchers being able to see the Command-and-Control servers for the Flame malware. Kaspersky has posted a detailed blog post analyzing the C&C. All of the servers were running a 64-bit version of Linux called Debian. The programming languages used where PHP, Python and bash and virtualization was run under OpenVZ.

An initial look at the C&C revealed that the attackers had used a minimal interface with no terms such as bot or botnet, possibly to avoid suspicion of hosting company. There was no way to send commands to the C&C as well.

To send a command or set of commands to a victim, the attacker uploaded a specially crafted tar.gz archive, which was processed on the server. A special server script extracted the archive contents and looked for *.news and *.ad files. These files were put into corresponding directories “news” and “ads”. The C&C allows an attacker to push an update to a specific victim, or all victims at a time. It is possible to prioritize a command which allows to organize an order of commands (i.e. collect all data and only after self-removal). The priority and target client ID was transferred in an unconventional way. They were stored in the filename that the attacker uploaded to a C&C.

The researchers also discovered three protocols – SP, SPE, FL and IP which were used to communicate with different clients of which, Flame was identified as FL. This suggests that there are three more Flame like malware in the wild which have not been discovered yet.

The analysis of the C&C shows that servers were first setup on 03 December, 2006 which suggests that Flame was operational for much longer than what we had first thought. The scripts used by the operators also contained other valuable information, the nick name of the developers. Kaspersky hasn’t published their names and has only identified them as D, H, O and R in the blog post.

You can read more about the Kaspersky’s analysis of Flame’s C&C here and a whitepaper by Symantec on Flame here [PDF].

New Android Malware Targets China Mobile Subscribers

Android-MalwareSecurity has always been a problem in Android due to its open ecosystem. Not only are apps in the Play Store not pre-screened, but users can easily download apps from third-party markets with even less stringent security. While most of us are aware of only a handful of app repositories – like the Amazon AppStore – Chinese users are accustomed to using dozens of them. Now, security firm TrustGo is reporting that several of the popular Chinese app stores have been infected with a malware called Trojan!MMarketPay.A@Android.

The MMarketPay malware is distributed through repackaged versions of popular apps like GoWeather. The Chinese app stores that have been identified to be affected are nDuoa, GFan, AppChina, LIQU, ANFONE,, TalkPhone,, and AZ4SD. The app targets subscribers of China Mobile, which is the world’s largest mobile phone operator with more than 655 million subscribers. Total number of affected users is estimated to be in excess of 100 million.

Mobile Market is an Android app store offered by China Mobile to its subscribers. Its biggest draw is its mobile payment system. Users can purchase and download any app and video they like, and the amount will simply be added to their monthly bill. The workflow is as follows:

  • Customers login at M-Market website ( Not login required, if customer is using CMWAP as Access Point.
  • M-Market will send a verification code to the customer via SMS, if he purchases paid apps or media.
  • Customers receive the verification code and input it in M-Market for verification.
  • Once the verification is completed, the market will download apps automatically. China Mobile will add this order to customers’ phone bill.

The MMarketPay malware bypasses China Mobile’s authentication system by changing the APN to CMWAP and intercepting the SMS. Once installed, it proceeds to order paid apps and purchase premium videos without letting the consumers know. Infected users are extremely likely to rake up huge bills without even being aware.

Internet Shuts Down for those Infected with DNSChanger on July 9

The final deadline for those affected by the DNSChanger to reset their DNS servers is getting nearer. But reports suggest that there are still more than 500000 computers that use the rogue servers. And, as the date reaches July 9th, all of the computers that still use the rogue settings will be cut off from the internet, as the FBI shuts down the temporary servers that were allowing them to connect to the internet until now.

For those unaware, DNSChanger malware was used to alter the DNS settings of the infected system to certain rogue servers that redirected the infected users to rogue websites.  The FBI had raided those responsible and had obtained control of their rogue servers in an operation called Operation Ghost Click that we had reported earlier.

Even though the malware has been removed, many still use the same DNS settings. Up until now, the FBI had been using temporary DNS servers to let the infected users remain connected to the internet, by replacing the rogue servers with the temporary ones. The deadline to shut down these temporary servers had been extended once, in order to give ISPs more time to help their customers to remove the rogue settings. But apparently, a large number of computers are still using the same settings as mentioned before.

There are various ways to check if your computer is infected with DNSChanger. All major anti-virus vendors will detect it and will warn you. Also, sites such as and have been setup to help anyone infected with the removal process.

Flame: World’s Most Advanced Malware Discovered

Security researchers at Kaspersky Labs have discovered a new variety of malware that was used to spy on Middle Eastern countries. The attack has been highly targeted, infecting about 5000 computers across Iran, Israel, Sudan, Saudi Arabia and other unnamed countries. The malware, called Flame, affects Windows machines, and once infected, it can record audio conversations, take screenshots, sniff network traffic, intercept keyboard, etc.

Functionally, it can be said that Flame is similar to Stuxnet or Duqu but differs from them in several aspects. It is much more complex than either Stuxnet or Duqu. For those unaware, Stuxnet was used to target Uranium enrichment plants in Iran, while Duqu was used to steal sensitive information. While both Stuxnet and Duqu were single pieces of malware, Flame is a collection of modules consisting of a Trojan, a backdoor and a worm. While the payload size of Duqu was 300KB and that of Stuxnet was 500KB, Flame is a whopping 20MB in size. “The reason why Flame is so big is because it includes many diff
erent libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine,” explained Alexander Gostev of Kaspersky Labs in a blog post.


Flame has the ability to add new modules later to improve its functionality, making it even more dangerous. Considering the sheer complexity and the limited targeting of Middle Eastern countries, one can only assume that this might be a work of a nation state. According to Hungary’s Laboratory of Cryptography and System Security,

The results of our technical analysis support the hypothesis that [the worm] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities. It is certainly the most sophisticated malware we [have] encountered. Arguably, it is the most complex malware ever found.

Flame still remains undetected by the 43 major anti-virus vendors.

Iran’s Computer Emergency Response Team is investigating the virus and has posted some features as shown below.

·         Distribution via removable medias[sic]

·         Distribution through local networks

·         Network sniffing, detecting network resources and collecting lists of vulnerable passwords

·         Scanning the disk of infected system looking for specific extensions and contents

·         Creating series of user’s screen captures when some specific processes or windows are active

·         Using the infected system’s attached microphone to record the environment sounds

·         Transferring saved data to control servers

·         Using more than 10 domains as C&C servers

·         Establishment of secure connection with C&C servers through SSH and HTTPS protocols

·         Bypassing tens of known antiviruses, anti-malware and other security software

·         Capable of infecting Windows XP, Vista and 7 operating systems

·         Infecting large scale local networks

You can read a detailed Q&A about the Flame malware, published by Kaspersky here.

G-DATA, Avira, and Kaspersky Top Performers in New Antivirus Shootout

Respected antimalware product testing lab Av-Comparatives has just published the results of their latest file detection shootout. The on-demand file detection tests used as many as 291388 malware samples on twenty different antivirus applications. The only big name missing from the tests is Symantec who didn’t want to be included in the on-demand comparatives.


The top performers in the tests were G-Data and Avira. To anyone who follows antivirus shootouts from the likes of Av-Test or Av-Comparatives, this shouldn’t come as a surprise. Both G-Data and Avira have been dominating the on-demand tests for the past several years. G-Data isn’t very popular in the US, but its dual engine antivirus product (BitDefender and Avast) has consistently been a top performer as far as detection is concerned. G-Data and Avira managed to identify 99.7% and 99.4% of the virus samples respectively.

Although G-Data and Avira have always been among the very best when it comes to detection rates, they are known to falter when it comes to removing malware. This makes them great choices for a brand new system, but not something you can rely on to heal infected systems. In such cases, you might want to look at the Kaspersky, which came in third with a 99.3% detection rate. It’s pleasing to see Kaspersky in the top 3, as the Russian firm had been slipping over the past few years.

The worst performer in the tests was Microsoft Security Essentials, which managed to detect only 93.1% of the threats. Sophos, F-Secure, Panda, BitDefender, BullGuard, McAfee, Fortinet, eScan, Webroot, and Avast managed to detect more than 98% of the threats. However, Webroot also had an astoundingly high number of false positives.
Head over to for the full report.

Total detection rates (clustered in groups):
1. G DATA 99.7%
2. AVIRA 99.4%
3. Kaspersky 99.3%
4. Sophos 98.9%
5. F-Secure, Panda, Bitdefender,
BullGuard, McAfee 98.6%
6. Fortinet, eScan 98.5%
7. Webroot 98.2%
8. Avast 98.0%
9. ESET 97.6%

10. PC Tools 97.2%
11. GFI 97.0%
12. AVG 96.4%
13. Trend Micro 95.6%

14. AhnLab 94.0%
15. Microsoft 93.1%

Court Extends the Date to Cut off Computers affected by DNSChanger from Internet

A federal Judge has extended the date to cut off computers affected with the DNSChanger malware from the internet.

DNSChanger is a malware that replaces the default DNS servers of the infected computers with rogue DNS servers which send the victim to websites that steals your information. It is believed that around four million computers were infected by this malware including half of all Fortune 500 companies and Government agencies.

As we had previously reported, the crackdown on DNSChanger malware was part of an FBI Operation called Operation Ghost Click which resulted in the arrest of six Estonian men who were thought to be behind the creation of malware.

FBI has been trying to help the affected users by replacing the rogue servers with temporary servers to keep them connected to the internet. And, so far, they have replaced around 100 Command and Control Centers in the US, since then, according to Computer World.

[…] the FBI seized more than 100 command-and-control (C&C) servers hosted at U.S. data centers. To replace those servers, a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.

Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.

Previously, the Southern District of New York Court had order the US Government to take down the temporary servers, that had replaced the rogue servers by March 8. Now, that deadline has been extended to July 9 to give the law enforcement officials some more time to the respective ISPs to help clean their customer’s PCs.

The work done by the law enforcement agencies and the ISPs have indeed reduced the number of affected users, according to a report by a security firm, IID. But still there are thousands of users who are still affected by the malware and will be cut off from the internet in four months, if proper action is not taken.

To check whether you system is infected by DNSChanger, you can use this free tool provided by Quick Heal.

Check Out My Homemade Video Facebook Scam

Another new video scam is spreading on where users are being enticed with names of celebrities and more spreading a so called "homemade video".

Homemade Video Facebook Scam

The Facebook scam is spreading with the following message and uses names of celebrities and friends as well.

OMG! CHECK OUT THIS? Check Out my homemade video, View the Suck Video of my Partner. My Sex Video for you. View My xXx Site. Watch H O T S 3 X Video happened On TV.

The site in question fools the user by spoofing the Facebook website and asking users to disable their Antivirus software. However, DO NOT DO IT because the app may install virus or malware on your computer.

If you click on the video link will download an executable which will spoof the VLC player and install viruses and Trojans on your computer. So stay away from it. There have been several other nasty video scams on Facebook lately including the Justin and Selena bedroom hidden camera scam and Whitney Houston death scam among others.

In addition to downloading virus/malware on your computer it will also post the message on your wall thus making your friends a target.

As a precautionary measure, always check which applications you use and remove unwanted or suspicious ones. If you aren’t sure how to do it, you can always check our guide on removing apps from Facebook. In addition to that, don’t forget to check out our article about Avoiding Facebook Lifejacking and Clickjacking scams.

With over 800 million users on Facebook, the social networking giant has always been the main target for spreading scams. It is quite difficult to identify scams on Facebook. Here is a post on How to Identify and Avoid Facebook Scams. Bookmark Techie Buzz Facebook Scams or Subscribe to Scam Alert Feed. We always keep you updated with the latest scams spreading on Facebook.

Got #droidrage? Tweet to Get Your Android Replaced with a Windows Phone


Stories of Android devices being infected with malware are not uncommon these days. We have seen a recent Juniper Networks report which stated that Android malware increased by 472%. Yet another report, this time by McAfee, says nearly all malware in Q3 was targeted at Android.

Given that the operating system and the marketplace are open and without any gate-keepers, it is not surprising at all. What is a benefit to developers (no obstacles to their creativity), comes with a huge price because it is also extremely open for abuse by the bad guys. Now that Android has a huge installed base, it is an easy target for malware infestation.

Today, it was reported that Google has removed 22 apps from the Android market in the past several days because they were bundled with malware. San Francisco security firm Lookout Software claimed that the malware in these apps is called RuFraud, and it essentially send dummy SMS messages to create financial benefit  for the malware makers.

Not to waste the opportunity, Microsoft’s Windows Phone evangelist Ben Rudolph immediately jumped on twitter and created an instant promotion. The tweets read as follows:



Windows Phone (especially after Windows Phone 7.5 Mango released) has been universally praised for its elegance, simplicity and beauty. The problem for Microsoft is that iOS first, and Android now, have created a certain impression of a smartphone in the minds of consumers. While Android in some ways is a clone of iOS with grids and pages of app icons, Windows Phone is very unique in its approach of Live Tiles and Hubs. It has proven difficult for Microsoft to get this message across easily, and as a result the sales have been dismal.

Promotions like this help in not only getting these devices in the hands of folks using competing platforms, but also creating a buzz around the promotion itself. Note that Ben had earlier run a similar promotion for users of Blackberry affected by a long downtime of Blackberry services. At the time, he had said he received over 1,500 responses!



This is a very good and opportunistic move by Ben. It assures him the attention of disgruntled users who will be more open to switching, and in return they get a free phone too! That makes it an absolute win-win situation!