theKestrel wrote: Do not go around and change people's passwords. That does jack in solving this problem and makes a legit response difficult. It's already being handled. When this thing hit in July, there were 60k bots. In just 4 weeks, we got it under 25. So whatever you are doing to "clean this up"; stop. It's not helping. My team has been tackling this the right way from day one.
Nope, we don't change any passwords; we haven't taken any action yet. But we observed that the crooks were following the successfully infected devices and went into the routers via the backdoor after they got infected; they did it. So most of the "owned" routers are not on default passwords anymore. Please note this fact; this is what has happened now.
They then implemented the malicious DNAT routing as a 2-tier proxy for another Windows-based payload malware for the stealer campaign via spam. We have at least 500 nodes recorded as infected, with 100+ currently online (was 65), serving as malware download proxies infecting worldwide.
If you want to handle this internally, you'd better move soon. It's not only a US problem, since the malware proxied by those routers is hitting worldwide here. And most of the proxy routers used are US ones. The Windows malware served by those proxy routers is Upatre/Dyre.
theKestrel wrote: Hey bud, shoot me a PM. We need to talk about this. It's a bit more complicated than you think. And actually I've been notifying orgs one by one and helping them learn about the infection. I've been notifying folks for two months now. So the question is: will you help me do this RIGHT?
PM is fine. Feel free to PM me at will.