
Contributed by: Nono
Date: July 1, 2009

Could Your PC Be A Golden Cash Botnet Zombie?

 


Just last month, researchers from the security firm Finjan unveiled an underground botnet-trading network, dubbed the Golden Cash botnet. The researchers found that the network was a trading platform, similar to eBay, where malicious individuals sell, buy and lease networks of compromised machines. These networks, also known as botnets, are used to commit illegitimate deeds such as mass spamming, DoS attacks and the theft of sensitive information.

Golden Cash was also found to provide its customers with exploit and attack toolkits packed with obfuscated code and malware. A price list was drawn up for customers, with prices determined by the supply and demand of botnets in each country, ranging from $100 for 1,000 bots in some countries to as little as $5 for 1,000 bots in others.

Golden Cash trapped its victims by getting them to open or click on legitimate websites that had been injected with malicious iframes. They were then directed to another website where further infection took place as a backdoor Trojan was dropped. One of the Trojans used by Golden Cash goes by the name of Zalupko. This Trojan comes with "built-in" FTP-grabbing capabilities. It is with the help of stolen FTP credentials that more legitimate websites were infected and used as mousetraps for potential victims. The command and control server was found to be hosted in Texas, and the registrant country is China. Not surprisingly, the proxy website that channeled the traffic to the command and control server was found to be hosted in Krasnodar, Russia.

Alias Names of Zalupko
  Trojan.Alupko.30
  Trojan-Spy.Win32.Agent.amdz!A2
  Win-Trojan/Downloader.27648.HO
  TR/Agent.AMPG
  W32/Trojan2.GNGU
  SHeur2.ABEB
  Trojan.Downloader.Zlob.ACVL
  Trojan.Agent.ATV
  Backdoor:Win32/Koceg.AB
  Win32/Zalup
  Sus/Behav-1021
  Trojan.Adelicker

Table 1. Alias names of Zalupko

An FTP (File Transfer Protocol) server is generally used as a central store for file distribution: it lets you provide a network file repository to your external users. Unfortunately, as we have seen with the Zalupko Trojan, FTP also opens a lot of doors to attackers. There are a few methods you could use to protect your FTP server. One of them is to configure it not to accept anonymous logins and to allow access to that server through the firewall only on port 21 (the FTP default port). However, others would argue that this method is not necessary, as usernames and passwords are sent to FTP servers in plain text.

Here are a few other tips to secure your FTP server: 

  • After loading the FTP service, ensure that you install the latest service packs and security fixes.
  • If using a Microsoft OS, ensure that you use NTFS as the drive file system; it is more efficient.
  • The FTP root directory, files and subdirectories should only allow read-only permission to anonymous users.
  • Get two NICs: One should be a publicly accessible IP for remote users, and the other a private IP for internal administration.
  • Place the FTP root directory on a different drive from the Web root and the OS, should your FTP server also be your web server.
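The anonymous-login, read-only and plain-text points above can be checked mechanically. The following is an added example, not from the original article: the article names no FTP server product, so vsftpd and its `vsftpd.conf` option names are assumed here, and both configurations are constructed samples.

```python
# Defaults per the vsftpd.conf manual page; unset options fall back to these.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
            "anon_other_write_enable": "NO", "ssl_enable": "NO"}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")

def parse_conf(text):
    """Parse option=value lines, skipping blanks and # comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip().upper()
    return conf

def audit_ftp_conf(text):
    """Return findings that correspond to the FTP tips in the article."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key) == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous logins accepted")
        # Anonymous write options only take effect when write_enable is on.
        writes = [k for k in ANON_WRITE if on(k)]
        if writes and on("write_enable"):
            findings.append("anonymous users can write: " + ", ".join(writes))
    if not on("ssl_enable"):
        findings.append("credentials sent in plain text (ssl_enable is off)")
    return findings

# Constructed configurations: a weak one and a corrected one.
WEAK = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
"""
HARDENED = """\
anonymous_enable=NO
write_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ftp_conf(conf) or "no findings")
```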

All in all, the creation of the Golden Cash network is a clear indication that cyber-crime is becoming more and more of a profession, and a profitable one at that! Now more than ever, I cannot stress enough the importance of having good anti-virus, anti-spyware and anti-everything software. Just as important is ensuring that your security software is always updated and that all the latest patches are installed. It's time for users to be proactive and not reactive when it comes to computer infections: practice cautious browsing or risk becoming a botnet zombie.
