According to Internet Security Vendor NetWitness computer network security firm. A botnet has been terrorizing corporate computers around the World over last 18 months.

The malicious program, or botnet, can commandeer the operating systems of both residential and corporate computing systems via the Internet. Such botnets are used by computer criminals for a range of illicit activities, including sending e-mail spam and stealing digital documents and passwords from infected computers. In many cases they install so-called keystroke loggers to capture personal information.

“Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information, but that viewpoint is naïve,” said Alex Cox, the NetWitness analyst that discovered Kneber when installing his company’s software at a company. The new botnet he said, has been used to harvest a wide variety of data from corporations.

According to a white paper published by NetWitness Thursday — which includes some interesting analysis among the product pitches – the company’s researchers found 75 GB of stolen data, which contained more than 68,000 stolen credentials obtained over a four-week period. More than 3,500 of those were Facebook credentials, another 2,500-plus were Yahoo usernames and passwords.

 If you want to know more about botnet check this article from Symantec.

The top five sources of infected computers are Egypt, Mexico, Saudi Arabia, Turkey and the U.S.

The two main Bredolab variants detected this month were W32/Bredo.G and W32/Bredolab.X, most notably included in fake DHL invoice spam campaigns.

Derek Manky, project manager, cyber security and threat research, Fortinet commented: “We’re seeing record levels of scareware building off volume from September, and the danger in these threats is only becoming more serious as the methods for delivery evolve and the blending of attacks bring more complexity.
“As we’ve seen in the consistency of repeated threats, the old schemes are still proving to be good methods. Enterprises and consumers must take equal responsibility in understanding the disguises of these threats and implementing a multi-pronged security solution that addresses the different and changing characteristics of tried and true tactics,” he added

During the month of October 2009 Scareware tactics have reached all time high, with worst ever attacks reported. Seven of the top ten malware variants detected linked back to scareware, with scareware tactics diverging to include botnets, corrupted advertisements and SEO attacks.

The most notable development in October 2009 was the preponderance of AntiVirus Pro 2010 rogue security software, which when installed will contact a remote server in order to obtain malicious payload and receive updated copies; a trojan downloader named Bredolab which is now downloading AntiVirus Pro 2010 installers and the ZBot keylogger; and the ongoing development of affiliate programs that tempt participants with a handsome pay-out on each software download purchased. Tools and kits are readily available to participating affiliates, accelerating the distribution of scareware and other malicious components.

Read the full October Threatscape report, which includes the top threat rankings in each category.

MBGF-DAC-6500-BB01#sho log

Nov  9 07:54:21: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc

Nov  9 07:54:52: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc

Nov  9 07:55:22: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc

Nov  9 07:55:52: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc

Nov  9 07:56:11: %SEC-6-IPACCESSLOGS: list 12 permitted 10.0.0.1 256 packets

Nov  9 07:56:22: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc

Nov  9 07:56:52: %IP-4-DUPADDR: Duplicate address 10.12.0.1 on Vlan106, sourced by 000f.fe0a.1fbc

Nov  9 07:57:11: %SEC-6-IPACCESSLOGS: list 12 permitted 10.0.0.2 263 packets

Nov  9 07:57:11: %SEC-6-IPACCESSLOGS: list 12 permitted 10.0.0.7 200 packets

Nov  9 07:57:22: %IP-4-DUPADDR: Duplicate address 10.12.0.1 on Vlan106, sourced by 000f.fe0a.1fbc

Nov  9 07:57:52: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc

MBGF-DAC-6500-BB01#

Last week at 3 A.M I received a call from our Help Desk, stating our applications are not running in one our departments. I logged remotely to our Network and try figured out what is problem. Upon carefully looking at the logs in our Cisco 6513 core Switches I figured out a duplicate IP address is created which happens to be the Standby IP address for the Core Switch for HSRP.

I figured out the PC by looking the at mac address generated in the log and closed the network connection for that particular PC and the problem was solved.

If you face similar problems its better to change the HSRP Standby IP address in Core Switches and then try figure out the infected PC. Once the PC is figured out close the network connection and make sure the Trojans are removed. Upon cleaning the infected PC you can reconfigure the HSRP Standby IP address to the previous one.

Once I get the complete solution to fix this problem I will post it.