{"id":17231,"date":"2019-12-18T07:20:53","date_gmt":"2019-12-18T15:20:53","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/18\/news-10967\/"},"modified":"2019-12-18T07:20:53","modified_gmt":"2019-12-18T15:20:53","slug":"news-10967","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/12\/18\/news-10967\/","title":{"rendered":"MyKings botnet spreads headaches, cryptominers, and Forshare malware"},"content":{"rendered":"

Credit to Author: Gabor Szappanos| Date: Wed, 18 Dec 2019 14:16:38 +0000<\/strong><\/p>\n

\n

There’s a pretty good chance everyone who reads this story will have had some degree of interaction with a botnet we call MyKings (and others call DarkCloud or Smominru), whether you know it or not. For the past couple of years, this botnet has been a persistent source of nuisance-grade opportunistic attacks against the underpatched, low-hanging fruit of the internet. It’s probably knocking at your firewall<\/a> right now. They certainly wouldn’t<\/a> be the first<\/a>.<\/p>\n

This botnet is a relentlessly redundant attacker, targeting primarily Windows-based servers hosting any of a variety of services: MySQL, MS-SQL, Telnet, ssh, IPC, WMI, Remote Desktop (RDP), and even the servers that run CCTV camera storage.<\/p>\n

While much has been said about individual components of the botnet, in a report on MyKings SophosLabs is releasing today<\/a>, principal malware researcher Gabor Szappanos writes that his goal is “to provide a full picture of the operation of the botnet” looking at all its tools and behaviors, globally.<\/p>\n

<\/span><\/p>\n

Attacks by the MyKings botnet operators follow a predictable pattern: The botnet attempts a stable of different attacks against a server. Unpatched, or underpatched, Windows servers may be vulnerable to a wide range of attacks, the goal of which is to deliver a malware executable, more often than not, a Trojan named Forshare.<\/p>\n

The infected endpoints we observed totaled about 43900 unique IP addresses. This number includes only those endpoints that have a public IP address; internal addresses were not counted (we found 10973 more using internal NAT ranges) but then we would have less confidence that we were counting unique computers.<\/p>\n

\"\"<\/a>The countries with the highest population of infected hosts include:<\/p>\n