The rogue reports fake infections and blocks legitimate software from running, displaying alert messages to scare users.
This means it is possible to stop Twitter from loading user-content images without doing HTTPS inspection. That is a bit of a broad brush, but given the fairly hefty amount of adult content swilling around Twitter, it is far from the worst idea!
Smoothwall users: Twitter images are categorised as "unmoderated image hosting". If you had previously made changes to unblock CSS and JS from twimg, you can probably remove those now.
Terminate bot until next reboot:
Visit URL option:
Update bot option:
List of DNS records to modify:
The botmaster was running a support site at the URL betabot.ru, which I monitored from... I don't know, almost the beginning until the end.
I collected a lot of data and was constantly flagging new C&C URLs, even before they went active.
Inquiries sent to the betabot team (before they started the support forum):
Some clients' kits:
Eventually, some people got busted thanks to this information.
If you want an example: 'Spit Fyre', ex super moderator at Trojanforge, who resides in the same country as me.
If you wondered why he disappeared, now you know.
Spit Fyre asking an admin of Hackyard to delete his account after he got the cops at his door:
Some of his domains:
• dns: 1 ›› ip: 126.96.36.199 - address: DARKNESS.SU
• dns: 1 ›› ip: 188.8.131.52 - address: WEED.SU
• dns: 1 ›› ip: 184.108.40.206 - address: MEZIAMUSSUCEMAQUEUE.SU
• dns: 1 ›› ip: 220.127.116.11 - address: UMBXD15896.SU
• dns: 1 ›› ip: 18.104.22.168 - address: STYXB1TCH35.SU
• dns: 1 ›› ip: 22.214.171.124 - address: J1NXFYR3.SU
Anyway, it's useless to talk about him and the other betabot clients who had visits; betabot is stalled now, and someone even made a builder for the 126.96.36.199 version.
Betabot was a creative malware, though plagued by bugs.
Google cracks down on Chrome extensions that inject ads and degrade users’ browsing experiences (31 March). Google also added information about unwanted software to their Safe Browsing API last month (24 March).
Three cheers for open information: Check out DreamHost’s first ever Transparency Report!
ESET analyses “Casper” malware used against Syrian targets and likely developed by the same group behind the Babar and Bunny malware (5 March).
SiteLock demonstrates what it looks like to infect a website (19 March).
Other security news
Qualys: GHOST remote code execution exploit (17 March).
Fortinet: Cross-site scripting vulnerability discovered in WordPress Photo Gallery plugin with 12 million downloads (20 March).
Today I began to notice a massive and very unusual attack that leverages vulnerabilities in older versions of the FancyBox for WordPress plugin.
A typical malicious injection looks like this:
Such attacks use the publicly documented exploit code to inject malicious code into the plugin's "padding" setting.
The exploited vulnerability was fixed on February 4th. Nonetheless, many blogs failed to update the plugin, and hackers routinely find such blogs and infect them.
Today's attack also uses this exploit and modifies the "padding" value, but the code it injects can hardly be called malicious:
When visitors load such “infected” pages, they see this warning:
WARNING: This version of the Fancybox for WordPress plugin has expired!
Please upgrade to the latest version!
And when they click the "OK" button, they are automatically redirected to the Fancybox for WordPress changelog page in the official WordPress plugin repository.
On one hand, this infection makes blogs unusable, since it redirects visitors to the WordPress plugin repository before they can read anything. On the other hand, such a warning is very hard to ignore: if site owners want people to visit their sites, they have to upgrade (or remove) the vulnerable version of the plugin ASAP.
Now is the time to check whether your blog shows such warnings. If you don't see them, that is no reason to relax and wait for such a hard push to upgrade. Make sure all your themes and plugins are up to date now.
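Waiting for a visitor to report the pop-up is a poor check, since the same "padding" setting can carry a silent payload just as easily as a noisy one. The script below is an added example, not code from this post or from the plugin: it scans a page's HTML for the FancyBox initialisation script and flags any "padding" value that is not a bare integer. The inline script layout, the changelog URL and the two sample pages are constructed assumptions made for the example; the plugin's real output may differ, so adjust the regular expressions to what your own clean page emits.

```python
import re

# Constructed sample (not taken from any real site): the inline FancyBox
# initialisation a clean install is assumed to emit. The exact layout is an
# assumption; what matters is that "padding" holds a bare integer.
CLEAN_PAGE = """<html><head>
<script type="text/javascript">
jQuery(function($){
  $("a.fancybox").fancybox({
    "padding": 10,
    "overlayOpacity": 0.3
  });
});
</script>
</head><body><p>Hello</p></body></html>"""

# Constructed sample of the "expired plugin" injection described above:
# the injected value breaks out of the options object, shows the warning,
# redirects to the plugin changelog (URL assumed) and reopens an object so
# the rest of the script still parses.
INJECTED_PAGE = """<html><head>
<script type="text/javascript">
jQuery(function($){
  $("a.fancybox").fancybox({
    "padding": 10});alert("WARNING: This version of the Fancybox for WordPress plugin has expired! Please upgrade to the latest version!");document.location="https://wordpress.org/plugins/fancybox-for-wordpress/changelog/";({
    "overlayOpacity": 0.3
  });
});
</script>
</head><body><p>Hello</p></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# Matches the "padding" option and captures everything to the end of its line.
PADDING_RE = re.compile(r"""["']?padding["']?\s*:\s*([^\n]*)""")


def find_tampered_padding(html: str) -> list[str]:
    """Return every FancyBox "padding" value that is not a plain integer.

    Only inline scripts that call .fancybox( are inspected, so CSS padding
    rules elsewhere in the page are ignored. A clean value is a bare
    (optionally negative) integer with an optional trailing comma; anything
    else means the stored setting was overwritten and now runs in browsers.
    """
    findings = []
    for script in SCRIPT_RE.finditer(html):
        body = script.group(1)
        if ".fancybox(" not in body:
            continue
        for m in PADDING_RE.finditer(body):
            value = m.group(1).strip().rstrip(",").strip()
            if not re.fullmatch(r"-?\d+", value):
                findings.append(value)
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        hits = find_tampered_padding(page)
        status = "OK" if not hits else "TAMPERED -> " + hits[0][:60]
        print(f"{name}: {status}")
```

A hit tells you the plugin's saved setting has been overwritten, not just the page: upgrading or removing the plugin stops further writes, but the injected value stays in the database until the setting is reset, so re-run the check after the clean-up as well.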