Arbor Networks: Security to the Core

A couple of things to note today, some malcode and some political hacking and attacks.

First is a new fast flux phishing malcode delivery scheme targeting CareerBuilder. Lures bring you in to a number of sites and launch malcode onto your system. Pretty classic technique these days, been used heavily for banks in the past couple of weeks. Now we’re on to CareerBuilder.

Here’s what the page looks like if you go there:

It’s a fast flux botnet, apparently doing double flux too. Here’s what the DNS graph looks like (mimicking the graphics shown on the RBN Exploit blog)

The domain names being used so far include

• bniyime.com
• btyonro.com
• chortom.com
• ggolrrle.com
• nbviox.com
• njieme.com
• vcveebnu.com
• veeimor.com
• vertumru.com
• carertre.com

Much of that list comes from Gary Warner’s always excellent blog. So, as many of you may be in the job market, keep in mind that not everything from CareerBuilder is really from them.

The second is a pair of politically motivated attacks. The Democratic Voice of Burma is once again under DDoS. This one has been seen before, and it’s unfortunate that it’s happening again. I’ve been digging for information and hope to have some to share soon. At present I don’t have anything I can share.

The second bit of political hacking are reports that defacements have shut down Iranian clerics’ Web sites. I don’t see any DDoS activity around this yet but we are seeing some defacements, some apparently on sites that run buggy OSS codebases, so it’s not surprising that they got owned.

Links to more news about this: Cyber attack launched on Shiite websites: Iran report via the AFP.

This entry was posted on Friday, September 19th, 2008 at 2:41 pm and is filed under ATLAS, Attacks, Malware, Spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.