Trojan Incidents
The Srizbi botnet is considered one of the world's largest botnets, responsible for sending out more than half of all the spam sent by the major botnets combined.[1][2][3] The botnet consists of computers infected by the Srizbi trojan, which send spam on command. Srizbi suffered a massive setback in November 2008 when the hosting provider McColo was taken down; global spam volumes dropped by up to 93% as a result.
Size
The size of the Srizbi botnet was estimated at around 450,000[4] compromised machines, with estimates differing by less than 5% across sources.[2][5] The botnet is reported to be capable of sending around 60 trillion spam messages a day, more than half of the approximately 100 trillion spam messages sent every day. By comparison, the highly publicized Storm botnet only reached around 20% of total spam volume during its peak periods.[2][6]
The Srizbi botnet showed a relative decline after aggressive growth in the number of spam messages sent in mid-2008. On 13 July 2008 the botnet was believed to be responsible for roughly 40% of all spam on the net, a sharp decline from its almost 60% share in May.[7]
Origins
The earliest reports of Srizbi trojan outbreaks date from around June 2007, with small differences in detection dates across antivirus vendors.[8][9] However, reports indicate that the first released version had already been assembled on 31 March 2007.[10] Some experts consider the Srizbi botnet the second largest botnet on the Internet, although there is controversy surrounding the size of the Kraken botnet.[11][12][13][14] As of 2008, Srizbi may in fact be the largest.
Spread and botnet composition
The Srizbi botnet consists of computers infected by the Srizbi trojan horse, which is deployed onto victim computers through the MPack malware kit.[15] Earlier editions used the 'n404 web exploit kit' to spread, but that kit has been deprecated in favor of MPack.[16]
Distribution of these malware kits is partly achieved through the botnet itself. The botnet has been known to send spam containing links to fake videos about celebrities, which in turn point to the malware kit. Similar attempts have been made with other subjects such as illegal software sales and personal messages.[17][18][19] Apart from this self-propagation, the MPack kit is also known for far more aggressive spreading tactics, most notably the compromise of about 10,000 websites in June 2007.[20] These domains, which included a surprising number of pornographic websites,[21] ended up forwarding unsuspecting visitors to websites hosting the MPack program.
Once a computer becomes infected by the trojan horse, the computer becomes known as a zombie, which will then be at the command of the controller of the botnet, commonly referred to as the botnet herder.[22] The operation of the Srizbi botnet is based upon a number of servers which control the utilization of the individual bots in the botnet. These servers are redundant copies of each other, which protects the botnet from being crippled in case a system failure or legal action takes a server down.
Reactor Mailer
The server side of the Srizbi botnet is handled by a program called 'Reactor Mailer', a Python-based web component responsible for coordinating the spam sent out by the individual bots. Reactor Mailer has existed since 2004 and is currently in its third release, which is also used to control the Srizbi botnet. The software provides authenticated login and supports multiple accounts, which strongly suggests that access to the botnet and its spam capacity is sold to external parties (software as a service). This is further reinforced by evidence that the Srizbi botnet runs multiple batches of spam at a time: different blocks of IP addresses can be observed sending different types of spam simultaneously. Once granted access, a user can compose the message they want to send, test it against its SpamAssassin score, and then send it to every address in a recipient list.
Suspicion has arisen that the writer of the Reactor Mailer program might be the same person responsible for the Srizbi trojan, as code analysis shows a code fingerprint that matches between the two programs. If this claim is indeed true, then this coder might well be responsible for the trojan behind another botnet, named Rustock. According to Symantec, the code used in the Srizbi trojan is very similar to the code found in the Rustock trojan, and could well be an improved version of the latter.[23]
Srizbi trojan
The Srizbi trojan is the client side program responsible for sending the spam from infected machines. The trojan has been credited with being extremely efficient at this task, which explains why Srizbi is capable of sending such high volumes of spam without having a huge numerical advantage in the number of infected computers.
Apart from its efficient spam engine, the trojan is also very capable at hiding itself from both the user and the system, including any products designed to remove it. The trojan runs entirely in kernel mode and has been noted to employ rootkit techniques to prevent any form of detection.[24] By patching the NTFS file system drivers, the trojan makes its files invisible to both the operating system and any human user of the system. The trojan can also hide the network traffic it generates by attaching NDIS and TCP/IP drivers directly to its own process, a feature unique to this trojan at the time. This technique has been shown to let the trojan bypass both firewall and sniffer protection running locally on the system.[23]
Once the bot is in place and operational, it contacts one of the hardcoded servers from a list it carries with it. This server then supplies the bot with a zip file containing the files it needs to start spamming. The following files have been identified as being downloaded:
- 000_data2 - mail server domains
- 001_ncommall - list of names
- 002_senderna - list of possible sender names
- 003_sendersu - list of possible sender surnames
- config - main spam configuration file
- message - HTML message to spam
- mlist - recipients' mail addresses
- mxdata - MX record data
When these files have been received, the bot first initializes a routine that allows it to remove files critical to revealing spam and rootkit applications.[23] Once this is done, the trojan starts sending out the spam message it received from the control server.
Incidents
The Srizbi botnet has been behind several incidents that received media coverage. The most notable ones are described below. This is by no means a complete list, only the major incidents.
The 'Ron Paul' incident
In October 2007, several anti-spam firms noticed an unusual political spam campaign emerging. Unlike the usual messages about counterfeit watches, stocks, or penis enlargement, the mail contained promotional information about United States presidential candidate Ron Paul. The Ron Paul camp dismissed the spam as unrelated to the official presidential campaign. A spokesman told the press: 'If it is true, it could be done by a well-intentioned yet misguided supporter or someone with bad intentions trying to embarrass the campaign. Either way, this is independent work, and we have no connection.'[25]
The spam was ultimately confirmed as having come from the Srizbi network.[26] Through the capture of one of the control servers involved,[27] investigators learned that the spam message had been sent to up to 160 million email addresses by as few as 3,000 bot computers. The spammer has only been identified by the Internet handle 'nenastnyj' (Ненастный, meaning 'rainy' or 'foul', as in 'rainy day, foul weather' in Russian); his or her real identity has not been determined.
Malicious spam tripling volumes in a week
In the week from 20 June 2008, Srizbi managed to triple the share of malicious spam from an average of 3% to 9.9%, largely through its own efforts.[28] This particular spam wave was an aggressive attempt to increase the size of the Srizbi botnet by sending emails warning recipients that they had been videotaped naked.[29] The message, a kind of spam referred to as 'Stupid Theme', was intended to get people to click the malicious link in the mail before realizing that the message was most likely spam. While old, this social engineering technique remains a proven method of infection for spammers.
The size of this operation shows that the power and monetary income from a botnet is closely based upon its spam capacity: more infected computers translate directly into greater revenue for the botnet controller. It also shows the power botnets have to increase their own size, mainly by using a part of their own strength in numbers.[30]
Server relocation
After the removal of the control servers hosted by McColo in late November 2008, control of the botnet was transferred to servers hosted in Estonia. This was accomplished through a mechanism in the trojan horse that queried an algorithmically generated set of domain names, one of which was registered by the individuals controlling the botnet. The United States computer security firm FireEye, Inc. kept the system out of the controllers' hands for two weeks by preemptively registering the generated domain names, but was not in a position to sustain this effort. However, spamming activity was greatly reduced after this control server transfer.[31]
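The domain-generation mechanism described above also leaves a defender-side trace: an infected host that walks through candidate domains produces a burst of failed lookups for names that do not look like dictionary words, followed by one that resolves. The following is an added illustration, not code from the article or from FireEye, that scores hosts in a constructed DNS resolver log by NXDOMAIN count and label entropy; the log lines, the log format and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not from the article): timestamp, client IP, query name, response code.
# Host 10.0.0.5 walks a list of generated-looking names until one resolves; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
2008-11-25T10:00:01 10.0.0.5 qdx7tkrp.com NXDOMAIN
2008-11-25T10:00:02 10.0.0.5 mzt9wfa3.net NXDOMAIN
2008-11-25T10:00:03 10.0.0.5 rq4kp2vz.com NXDOMAIN
2008-11-25T10:00:04 10.0.0.5 hz8vxw3k.org NXDOMAIN
2008-11-25T10:00:05 10.0.0.5 y7ptk4qm.com NXDOMAIN
2008-11-25T10:00:06 10.0.0.5 wn2xq9rz.com NOERROR
2008-11-25T10:00:07 10.0.0.9 www.example.com NOERROR
2008-11-25T10:00:08 10.0.0.9 mail.example.org NOERROR
2008-11-25T10:00:09 10.0.0.9 typo-site.example NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NXDOMAIN|NOERROR)$")


def shannon_entropy(text):
    """Bits per character; dictionary-like labels score lower than random strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def second_level_label(qname):
    """'www.example.com' -> 'example'; the label a domain generator typically randomises."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Return (timestamp, client, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groups())
    return records


def score_hosts(records, min_nxdomain=4, min_entropy=2.8):
    """Flag clients with a burst of failed lookups for high-entropy labels.

    The NXDOMAIN count is the main signal; the entropy threshold (assumed value)
    only filters out ordinary typos. Successful lookups of equally random names
    are reported as candidate rendezvous domains worth a closer look.
    """
    per_host = defaultdict(lambda: {"nx": 0, "entropies": [], "candidates": []})
    for _ts, client, qname, rcode in records:
        entropy = shannon_entropy(second_level_label(qname))
        host = per_host[client]
        if rcode == "NXDOMAIN":
            host["nx"] += 1
            host["entropies"].append(entropy)
        elif entropy >= min_entropy:
            host["candidates"].append(qname)

    flagged = {}
    for client, host in per_host.items():
        if host["nx"] < min_nxdomain:
            continue
        avg_entropy = sum(host["entropies"]) / len(host["entropies"])
        if avg_entropy >= min_entropy:
            flagged[client] = {
                "nxdomain": host["nx"],
                "avg_entropy": round(avg_entropy, 2),
                "candidate_c2": host["candidates"],
            }
    return flagged
```

On real resolver logs the entropy cut-off needs tuning per environment, since short legitimate labels can score close to random ones; the NXDOMAIN burst is the robust part of the signal.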
References
1. Jackson Higgins, Kelly (May 8, 2008). 'Srizbi Botnet Sending Over 60 Billion Spams a Day'. Dark Reading. Retrieved 2008-07-20. [dead link]
2. Pauli, Darren (May 8, 2008). 'Srizbi Botnet Sets New Records for Spam'. PC World. Retrieved 2008-07-20.
3. Kovacs, Eduard (August 28, 2014). 'Cybercriminals Attempt to Revive Srizbi Spam Botnet'. SecurityWeek. Retrieved 2016-01-05.
4. 'Spam on rise after brief reprieve'. BBC News. 2008-11-26. Retrieved 2010-05-23.
5. Popa, Bogdan (April 10, 2008). 'Meet Srizbi, the Largest Botnet Ever'. Softpedia. Retrieved 2008-07-20.
6. Dunn, John E. (May 13, 2008). 'Srizbi Grows Into World's Largest Botnet'. CSO Online. Retrieved 2008-07-20.
7. 'Spam statistics from TRACE'. Marshal. July 13, 2008. Retrieved 2008-07-20.
8. 'Trojan.Srizbi'. Symantec. July 23, 2007. Retrieved 2008-07-20.
9. 'Troj/RKAgen-A Trojan (Rootkit.Win32.Agent.ea, Trojan.Srizbi) - Sophos security analysis'. Sophos. August 2007. Retrieved 2008-07-20.
10. Stewart, Joe. 'Inside the 'Ron Paul' Spam Botnet'. SecureWorks (secureworks.com). Retrieved 9 March 2016.
11. Higgins, Kelly Jackson (2008-04-07). 'New Massive Botnet Twice the Size of Storm'. Dark Reading (darkreading.com). London, UK: UBM plc. Retrieved 2014-01-09.
12. Higgins, Kelly Jackson (2008-05-08). 'Srizbi Botnet Sending Over 60 Billion Spams a Day'. Dark Reading (darkreading.com). London, UK: UBM plc. Retrieved 2014-01-09.
13. 'Internet reputation system'. TrustedSource. 2013-09-17. Retrieved 2014-01-09.
14. 'Kraken, Not New But Still Newsworthy?'. F-Secure Weblog: News from the Lab (f-secure.com). 2008-04-09. Retrieved 2014-01-09.
15. Keizer, Gregg (July 5, 2007). 'Mpack installs ultra-invisible Trojan'. ComputerWorld. Archived from the original on May 22, 2008. Retrieved July 20, 2008.
16. Stewart, Joe. 'Inside the 'Ron Paul' Spam Botnet'. SecureWorks (secureworks.com). Retrieved 9 March 2016.
17. TRACE Blog (March 7, 2008). 'Srizbi uses multi-pronged attack to spread malware'. Marshal Limited. Retrieved 2008-07-20.
18. McKenzie, Grey (June 25, 2008). 'Srizbi Botnet Is Largely Responsible for Recent Sharp Increase In Spam'. National Cyber Security. Archived from the original on August 28, 2008. Retrieved 2008-07-20.
19. 'Srizbi spam uses celebrities as lures'. TRACE Blog. February 20, 2008. Retrieved 2008-07-20.
20. Keizer, Gregg (June 10, 2007). 'Hackers compromise 10k sites, launch 'phenomenal' attack'. ComputerWorld. Archived from the original on May 16, 2008. Retrieved July 20, 2008.
21. Keizer, Gregg (June 22, 2007). 'Porn sites serve up Mpack attacks'. ComputerWorld. Archived from the original on May 16, 2008. Retrieved July 20, 2008.
22. 'Spying on bot nets becoming harder'. SecurityFocus. October 12, 2006. Retrieved 2008-07-20.
23. Hayashi, Kaoru (June 29, 2007). 'Spam from the Kernel: Full-Kernel Malware Installed by MPack'. Symantec. Retrieved 2008-07-20. [permanent dead link]
24. Goodin, Dan (2009-02-11). 'Microsoft takes scissors to Srizbi'. The Register, San Francisco. Retrieved 2009-02-10.
25. Cheng, Jacqui (October 31, 2007). 'Researchers: Ron Paul campaign e-mails originating from spambots'. Ars Technica. Retrieved 2008-07-20.
26. Paul, Ryan (December 6, 2007). 'Researchers track Ron Paul spam back to Reactor botnet'. Ars Technica. Retrieved 2008-07-20.
27. Stewart, Joe. 'Inside the 'Ron Paul' Spam Botnet'. SecureWorks (secureworks.com). Retrieved 9 March 2016.
28. Salek, Negar (June 25, 2008). 'One of the biggest threats to Internet users today: Srizbi'. SC Magazine. Archived from the original on June 29, 2008. Retrieved July 20, 2008.
29. 'The Naked Truth About the Srizbi Botnet'. Protect Web Form Blog. May 19, 2008. Archived from the original on October 24, 2010. Retrieved July 20, 2008.
30. Walsh, Sue (June 27, 2008). 'Spam Volume Triples In A Week'. All Spammed Up. Retrieved 2008-07-20.
31. Keizer, Gregg (November 26, 2008). 'Massive botnet returns from the dead, starts spamming'. Computerworld. Archived from the original on 2009-03-26. Retrieved 2009-01-24.
Alexander Sinton Secondary School | |
---|---|
Coordinates | 33°58′33″S 18°30′45″E (33.9759°S 18.5125°E) |
Motto | Vel Primus Vel Cum Primis ('If not the best, amongst the best') |
Established | 1951 |
Founder | Alexander Sinton |
Status | Open |
Principal | Michael Peterson |
Number of students | 1,100 |
Website | sinton.co.za |
Alexander Sinton Secondary School, also known as Alexander Sinton High School, is an English-medium school in Athlone, a suburb of Cape Town, South Africa. The school is located in the Cape Flats, an area designated as non-white under the Group Areas Act during apartheid. The school was involved in the anti-apartheid student uprisings of the 1970s and 1980s. Staff and students at the school made headlines when they barricaded the police into their school in September 1985.[1] The following month, three youths were killed near the school by police officers who opened fire on protesters in the Trojan Horse Incident.[2] It was the first school to be visited by Nelson Mandela after his release from prison.[3] As of 2014, the school has 1,100 pupils, half boys and half girls. The school employs 40 teachers and six non-teaching staff.[4]

Founder
The school was named for its benefactor Alexander Sinton, who bequeathed money to found the school in 1951.[4]
1976 uprising
During the youth uprising of 1976 protesting the imposition of the Afrikaans language as a mandatory medium of instruction in schools, the students at the school and Belgravia High School nearby in Athlone boycotted classes on 16 August during a period that saw marches, random acts of arson and battles between students and the police.[5] In 1976 Nabil ('Basil') Swart, a teacher at the school, was arrested after helping a student who had been shot during the protests. Swart was released on bail after being detained for a weekend.[6]
1985 protests
Internal resistance to apartheid intensified, and a state of emergency was declared in parts of the country in 1985. The Committee of 81, a student organisation representing coloured schools in the Western Cape which organised student boycotts and protests, held some meetings at the school in 1985.[6] The school effectively stopped teaching from February and was officially closed on 6 September when the government ordered more than 400 schools to close as a result of civil unrest.[1][6] Some teachers resigned their positions and others were confused as to their role. The Teachers' League of South Africa, a professional association for coloured teachers,[7] encouraged its members not to resign for the sake of the children. Teachers decided to teach, but not to co-operate with the authorities.[6]
The school defiantly re-opened on 17 September 1985 when the principal, Khalied Desai,[8] led teachers, uniformed students and parents who sang protest songs.[1] The police were aware of the students' plans,[6] and arrived quickly. The students threw stones and built barricades, and the police replied with armoured vehicles, tear gas, rubber bullets and the arrest of nearly 200 people.[1][9] Teachers and parents supported the students and their protests against injustice.[6] After the arrests were made, the police were surprised to find that they themselves were effectively prisoners, as the exits from the school were blocked by vehicles brought there by protesters outside the school.[1] The police had difficulty taking away the people they had arrested.[1] The New York Times noted that the action taken by coloured teachers and students at the school was remarkably different from the boycotts taking place at black schools.[1] Swart was again jailed for two weeks in 1985 for helping to re-open the school.[6]
The state of emergency was extended to include Cape Town on 25 October 1985, giving the police and army greater powers to deal with instability in the area.[10] Swart was again jailed for eighteen months in 1986 for his involvement in the school unrest.[6]
Trojan Horse Incident
On 15 October 1985 three male youths, aged 11, 15 and 21,[8] were killed by the police nearby in Belgravia Road in Athlone in what was called the Trojan Horse Incident.[2][11][12] Students and activists had gathered where they regularly had battles with the police and were stoning vehicles.[2][11][12] Most of the people in the crowd were from the school.[13] Police officers who had been hidden in crates on board the back of a truck opened fire on stone-throwing protesters.[2][11][12] The police had deliberately provoked the protesters to allow them to shoot – the truck was driven down the same road twice as the police did not get the anticipated reaction the first time, i.e. stones being thrown at them.[11][12][14] A CBS television crew witnessed and filmed the incident and images thereof were broadcast to the world.[2][11]
An inquest found that the police had behaved 'unreasonably', but despite a private prosecution no sentences were imposed on the people involved.[15] A Truth and Reconciliation Commission hearing was held into the incident in 1997, after the end of the apartheid era.[8] A memorial marks the spot where the incident took place. It shows a silhouette of the Trojan Horse vehicle and the people who shot the three young people. The memorial also officially includes graffiti sprayed on the fence that includes the message 'Stop State Violence'.[16]
Other controversies
In 2012, the then principal Fazil Parker was involved in a dispute with the Department of Basic Education after he was given late notice that his teachers needed to mark national exams. The teachers considered the request unreasonable and did not comply with it, resulting in Parker being summoned to a disciplinary hearing.[17]
Notable alumni
- Ronald Harrison, artist and activist who created the Black Christ painting banned in South Africa.[18]
References
1. 'Attempt to Reopen a School is Barred'. The New York Times. 18 September 1985. Retrieved 18 August 2014.
2. Cape Town Uncovered: A People's City. Juta and Company Ltd. 2005. p. 118. ISBN 978-1-919930-75-6.
3. 'Alexander Sinton High School'. Archived from the original on 3 October 2014. Retrieved 20 August 2014.
4. 'Our School'. Sinton.co.za. Archived 23 June 2014 at the Wayback Machine. Retrieved 17 August 2014.
5. 'Western Cape Student Uprising'. SA History Online. Retrieved 19 August 2014.
6. 'Truth and Reconciliation Commission Human Rights Violations Submissions – Questions and Answers, Date: 02-06-1997, Name: Basil Swart, Case: Athlone'. Department of Justice. Retrieved 22 August 2014.
7. Adhikari, Mohamed (1994). 'Coloured Identity and the Politics of Coloured Education: The Origin of the Teachers' League of South Africa'. The International Journal of African Historical Studies. 27 (1): 101–126. JSTOR 220972.
8. ''Trojan Horse' killers still a mystery'. Mail & Guardian. 27 March 1997. Retrieved 21 August 2014.
9. Wieder, Alan. Teacher and Comrade: Richard Dudley and the Fight for Democracy in South Africa. SUNY Press. p. 133. ISBN 978-0-7914-7845-5.
10. Rule, Sheila (26 October 1985). 'Pretoria Expands Emergency Order'. The New York Times. Retrieved 22 August 2014.
11. Williamson, Sue (1 September 2010). Resistance Art in South Africa. Juta and Company Ltd. p. 100. ISBN 978-1-919930-69-5.
12. Hamilton, Carolyn (31 December 2002). Refiguring the Archive. Springer Science & Business Media. p. 173. ISBN 978-1-4020-0743-9.
13. Olshan, Judd D. 'The Trojan Horse Incident' (PDF). State University of New York College at Cortland. Retrieved 21 August 2014.
14. Brogden, Mike; Shearing, Clifford D. (2005). Policing for a New South Africa. Routledge. p. 11. ISBN 9781134889464. Retrieved 21 August 2014.
15. 'Trojan Horse Incident'. SA History Online. Retrieved 17 August 2014.
16. 'Memorial to the Trojan Horse Incident in Cape Town'. Ruin79, Flickr. Retrieved 21 August 2014.
17. Fredericks, Ilse (November 2012). 'Teachers can't cope with 'extra workload''. IOL. Retrieved 17 August 2014.
18. Harrison, Ronald (2006). The Black Christ: A Journey to Freedom. Claremont: Philip. p. 9. ISBN 0864866879. Retrieved 17 August 2014.

External links
- Video – The Trojan Horse Massacre, Cape Town South Africa, October 1985, Chris Emerson, CBS, 15 October 1985
- The people armed, 1984–1990, South African History Online