http://arstechnica.com/security/2012/09/google-hackers-carry-on/
3 years later, hackers who hit Google continue string of lethal attacks
Attackers armed with a seemingly unlimited number of 0day exploits, report says.
Symantec researchers have found that same obfuscation technique deployed in trojans that malware operators installed by exploiting zero-days discovered earlier this year in Adobe's Flash Player (cataloged as CVE-2012-0779) and Internet Explorer (CVE-2012-1875).
Researchers have dubbed this approach "watering hole" attacks and say they're "similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him."
The researchers noticed that many of these watering hole attacks used more than one zero-day exploit. What's more, the timing of these changes was suspicious. As soon as one zero-day exploit was identified, it would be replaced by one that had yet to be discovered. Other similarities included the malicious executable files used and the encryption in booby-trapped documents sent to victims in e-mail.
http://www.scmagazine.com/new-pushdo-variant-infects-more-than-100k-computers/article/257666/
New Pushdo variant infects more than 100k computers
A new variant of the revived Pushdo trojan has infected more than 100,000 computers since the beginning of August, and it's using a new technique to trip up researchers trying to study the botnet.
As is the case with most botnet scenarios, computers that are infected with Pushdo attempt to communicate with their command-and-control server for instructions. The twist here is that the botmasters have customized the malware so that it simultaneously delivers HTTP requests to some 300 lesser known, but legitimate, websites, which mixes in with traffic meant for the command-and-control hub.
"The purpose of the HTTP requests to legitimate sites is to make it harder to identify C2 (command-and-control) traffic, [which] also uses HTTP."
In some cases, the sites receiving the bogus HTTP traffic are flooded to the point that they are knocked offline.
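A defensive heuristic suggested by the traffic-mixing described above, added here as an example (it is not code from the article or from the researchers quoted in it): the decoy requests give the infected host a fingerprint of its own, because one workstation suddenly contacting dozens of distinct domains that no other host on the network visits is itself unusual. The proxy log format, the thresholds, the IP addresses and the domain names are all constructed assumptions.

```python
"""Flag hosts that spray requests at many distinct, otherwise-unvisited domains.

Added example, not from the article. Input is a plain proxy log with one
request per line: "<ISO timestamp> <source IP> <requested host>" (assumed
format). A host is flagged when, inside a sliding time window, it contacts at
least `min_distinct` different domains; for flagged hosts the code also
reports what fraction of their domains nobody else in the log visits, which
is what separates decoy spraying from a busy but ordinary user.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Construct a small proxy log. All names and addresses are placeholders.

    Two ordinary workstations rotate through three shared sites; one infected
    host sends a single request to each of 40 decoy domains within a minute,
    with the real C2 beacon mixed into the middle of the burst.
    """
    base = datetime(2012, 9, 7, 10, 0, 0)
    lines = []
    normal_sites = ["intranet.corp.test", "mail.corp.test", "news.example.test"]
    for i in range(30):
        for src in ("10.0.0.5", "10.0.0.6"):
            ts = base + timedelta(seconds=i * 10)
            lines.append(f"{ts.isoformat()} {src} {normal_sites[i % 3]}")
    spray = [f"decoy{n:02d}.example.test" for n in range(40)]
    spray.insert(20, "c2.placeholder.test")  # beacon hidden among the decoys
    for i, host in enumerate(spray):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.23 {host}")
    # The infected host also visits one ordinary site, like a real user would.
    ts = base + timedelta(seconds=50)
    lines.append(f"{ts.isoformat()} 10.0.0.23 mail.corp.test")
    return sorted(lines)


def parse_line(line):
    ts, src, host = line.split()
    return datetime.fromisoformat(ts), src, host.lower()


def max_distinct_in_window(events, window):
    """events: list of (timestamp, host) sorted by timestamp.

    Two-pointer sliding window; returns the largest number of distinct hosts
    seen in any span of length `window`.
    """
    counts = Counter()
    best = left = 0
    for ts, host in events:
        counts[host] += 1
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_spray_hosts(lines, window=timedelta(minutes=5), min_distinct=25):
    """Return {source_ip: {"distinct_in_window": n, "rare_fraction": f}}."""
    per_src = defaultdict(list)
    domain_sources = defaultdict(set)
    for line in lines:
        ts, src, host = parse_line(line)
        per_src[src].append((ts, host))
        domain_sources[host].add(src)
    findings = {}
    for src, events in per_src.items():
        events.sort()
        distinct = max_distinct_in_window(events, window)
        if distinct < min_distinct:
            continue
        hosts = {h for _, h in events}
        rare = [h for h in hosts if domain_sources[h] == {src}]
        findings[src] = {
            "distinct_in_window": distinct,
            "rare_fraction": round(len(rare) / len(hosts), 2),
        }
    return findings


if __name__ == "__main__":
    for src, info in find_spray_hosts(build_sample_log()).items():
        print(src, info)
```

Because the decoy targets are legitimate sites, a reputation or allowlist check on each individual request sees nothing wrong; the signal is the burst of distinct domains per host and their rarity relative to the rest of the estate, so the window length and `min_distinct` must be tuned against a baseline of normal browsing before alerting on them.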
The botnet's purveyors also have been known to strike up deals with rogue online pharmacies, in which they are paid to drive traffic to these shady companies through links.
Once machines are infected with Pushdo, the botnet is used to deliver malicious emails with links to websites that foist banking trojans, such as Zeus, Torpig and Bugat. Sometimes, the messages are made to look like credit card statements or they contain an attachment disguised as an order confirmation.
Pushdo also installs a rootkit and is able to hide other malware, which makes it harder for anti-virus programs to detect.
Stone-Gross recommended keeping web browsers and software up to date, in particular Adobe Flash, Reader and Java. Most exploits take advantage of vulnerabilities in these commonly used products to infect computers.