Planet Antispam

Box Of Meat: VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?

2010-03-15T18:17:52+00:00

VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?:

‘The co-opting of APT [Advanced Persistent Threat] by the marketing folks have led to the point that people are classifying any malware, rootkit or bot as “APT”. Zeus is not APT, Aurora is not APT. APT is a level of threat, a description of the sophistication, patience and talent behind an attack. The attacks are targeted, typically involving both an exploit and social engineering. Emails containing PDF exploits don’t get spammed to everyone in the organization, they are sent to key individuals with convincing messages. Bots aren’t your commercial, off-the-shelf variety. They are custom built, hard to detect and typically have multiple instances and functions so an initial remediation sweep will appear successful but miss the deeper, quieter processes.

The attackers monitor the state and success of their attacks and channels. As one channel goes down, they activate another. If a node containing valuable data is cleaned, they’ll reinfect it from another computer. They know what they are doing.’

Spamresource.com: Now Hiring: Email Service Providers

2010-03-15T11:53:27+00:00

Here's one more post with a few job offerings listed. If email deliverability, best practices, and industry interaction are your areas of email expertise, maybe one of these positions might be for you. I'm receiving no compensation for posting these; I'm doing this only as a favor to people out there who might be looking for work.

Waltham, MA-based email service provider Constant Contact is looking to hire for the position of Director, Industry Relations & Standards. "This person will actively participate in the email and related industry bodies and will be responsible for developing and communicating Constant Contact's strategy and direction with respect to email authentication, reputation systems ensuring the overall health of the email ecosystem. 30% travel required, will provide relocation assistance." Click here for more information.

Seattle-based email service provider WhatCounts is looking to hire an Email Delivery Manager. From a paid job posting on Deliverability.com: "The Email Delivery Manager is responsible for helping our customers achieve and maintain high email deliverability rates to the inbox, detect and analyze delivery issues, as well as educate our customers on email best practices. This position will also manage the customer experience for those enrolled in the SmartStart Plus and Delivery Plus programs."

And finally, Indianapolis-based email service provider ExactTarget is looking to hire a Deliverability Consultant in London. From the posting: "The ExactTarget Deliverability Consultant is responsible for monitoring and maintaining high email deliverability rates, detecting and analyzing problems, and maintaining industry relationships, as well as educating clients and enforcing email privacy and permission email standards." Note that this is a London-based position; telecommuting is not offered. For more information, visit ExactTarget's Career page and click on the Deliverability Consultant position. (In the interest of full disclosure, please note that I am employed by ExactTarget.)

Spamresource.com: Now Hiring: Microsoft

2010-03-15T11:51:38+00:00

Someone dropped me a line to let me know that Microsoft is looking for a spam fighter. Since I know a lot of smart people looking for work thanks to the economic downturn, I figured it would be good to pass this along.

"'Do you have anything which doesn’t have quite so much SPAM in it?' We do, thanks to a global team of knowledge engineers who work to apply regular expression based rules to the inbound email of our Forefront Online Protection for Exchange customers. Anti-spam response is a team within the Microsoft Malware Protection Center whose expertise not only benefits the productivity of our corporate customers but also provides insights in to emerging malware, phishing and other threats which are distributed by email."

Think you've got the right stuff? Click here for more information or to apply.

Spamresource.com: Now Hiring: Sears

2010-03-15T11:51:18+00:00

(Hey, I know the job market is tough right now, and a lot of good email-savvy technology specialists, deliverability experts, and marketing managers are looking for work. To that end, I'm going to continue to share job postings periodically. Hope this helps folks with their job hunt. --Al )

Sears Holdings Corporation in Downtown Chicago is looking to hire a Production Director - Email.

The Production Director -- Email will be responsible for establishing and maintaining production processes and timelines for the addressable marketing channels. The incumbent is responsible for the development of long term relationship with multiple business units to maintain a high level of customer satisfaction in the production of e-mail advertising. Serves as the leadership interface in the production of e-mail advertising. Develops enhancements to production process and outcome as the primary resolution provider between IMC, planning teams, business teams and associated work teams.

RESPONSIBILITIES:

Manages the teams responsible for successful and timely handoff from planning to understand strategic messaging intent for assigned e-mail campaigns.
Directs all aspects of the email production process and systems that support email planning to ensure accuracy of data input.
Monitors production system (IMPACT) capabilities and actively initiates dynamic enhancements that support realization of operational opportunities.
Monitors advancements in email technology and makes recommendations regarding internal enhancements as appropriate.
Develops production flow enhancements that can be institutionalized across the function.
Review and monitor email production to ensure quality and standards are maintained across the process.

To apply for this position, please contact John Bertucci, Executive Recruiter for Sears Holdings, at jbertu0 AT searshc.com, or feel free to contact me if you need help getting in touch.

Spamresource.com: Now Hiring: Cloudmark

2010-03-15T11:50:42+00:00

It's a good week to be looking for a job if you're a spam fighter or email expert. I've got yet another job posting to share! Jamie Tomasello kindly wrote in to let me know that Cloudmark is looking to hire an Abuse Operations Analyst.
From the posting: "Cloudmark's Security Operations Center provides customers with the peace of mind that a team of highly skilled engineers and analysts are monitoring their systems for new threats and reacting quickly when such threats occur. As a member of this team you will be working with some of the largest Service Providers and Mobile Operators to ensure the highest level of threat detection, analysis and response.

"[As an Abuse Operations Analyst,] you will participate in 24/7 monitoring customer systems for new threats and use best practices to ensure these threats are stopped quickly, provide customers with weekly and monthly reports detailing new threats and attacks, how those attacks were stopped and what impact they had on the customer system, and work closely with our Tactical Accuracy and Professional Services teams to provide customers with a multi-pronged approach to accuracy."

Click here for more information about this position or to apply.

Spamresource.com: On Defending Jigsaw & Similar...

2010-03-15T11:50:00+00:00

This morning, an anonymous commenter attempted to drop a truth bomb on my post about how Jigsaw was blacklisted by Spamhaus. (They still are, by the way.)

In his comment, he points out that postal junk mail sucks (which I agree with), but he doesn't make it clear why it was important to share that tidbit with us. That spam is a suitable substitute for junk mail? I'm not buying it.

Also, he points out that "e-mail is new, and shiny." Actually, no, email has been around since the 1960s, and Internet (then ARPANET) email in a form similar today, using @ signs in addresses, since 1971.

He then goes on to point out that business contact databases charge too much money for spammers to be able to utilize them. Your bargain basement with a "$99 millions list" bought on Ebay? Maybe. Somebody selling big ticket items, who can still make money even with a higher customer acquisition cost? Hardly. I have actually seen companies buy lists from entities like Zoominfo, Jigsaw, and Netprospex, mail to them, and get busted for spamming. Most recently, I saw a domain registrar threaten to take away a domain after it was used in spam email sent by somebody who bought and mailed to one of these lists.

But hey, I could be completely wrong. In a different comment on my post, somebody called KADIGIGURU wrote, "The DMA publishes a B2B Guide to Ethical Marketing Best Practices. I am a Jigsaw customer, and they've walked me through how to use their (and other sources) data while following both Can Spam AND the DMA Guide to the letter!"

I replied that I'd be happy to discuss in further detail, or even offer up the opportunity for a rebuttal post. He never responded.

Where is that rebuttal? What are those ethical guidelines to follow when marketing to a purchased list of email addresses? Does that even exist? Even if somebody tells you "don't spam this list," while selling it to you, is it said with a wink and a nod? Anybody care to tackle this? (I'm not looking to provide an opportunity for a company representative to shill, so that offer is not open to Zoominfo, Jigsaw, and Netprospex.)

Spamresource.com: Classmates.com Settles Lawsuit over Deceptive Emails

2010-03-15T11:49:38+00:00

TechFlash reports: "Seattle-based Classmates.com has agreed to pay up to $9.5 million to its users to settle a lawsuit that accused the social network of sending emails that made people believe their old friends from high school were reaching out to connect -- only to discover, after paying for a membership, that their long-lost buddies were nowhere to be found."
Did you know that Classmates.com is owned by United Online, the same company that owns internet service providers Juno and Netzero?

(H/T: Slashdot)

CAUCE North America: Canada's Electronic Commerce Protection Act: It's ON!

2010-03-13T23:16:20+00:00

From: <Minister.Industry@ic.gc.ca>
Date: March 10, 2010 4:46:47 PM EST
To: neil@cauce.org
Subject: The Electronic Commerce Protection Act

Thank you for your e-mail in which you express concerns regarding the Electronic Commerce Protection Act (ECPA).

The Government of Canada understand the detrimental impact that text message spam, email spam and related online threats pose to both business and consumers. As a result, during the last election campaign, the Prime Minister promised to introduce anti-spam legislation.

Further to the Prime Minister’s commitment, the proposed ECPA was tabled during the last session of Parliament in the House of Commons on April 24, 2009. It prohibits the sending of unsolicited commercial electronic messages. The proposed legislation will deter the most harmful forms of spam and related misleading online activity—such as identity theft, phishing and spyware—from occurring in Canada or being sent from Canada.

As well, with the international cooperation provisions built into the legislation, Canada will be able to work with their counterparts to combat spam.

The federal government is committed to the passage of the ECPA and will act to reintroduce the bill as quickly as possible.

I hope this information will prove useful to you and would like to thank you for taking the time to express your views on this issue. I look forward to seeing this important piece of legislation passed by Parliament.

Yours sincerely,

Tony Clement

Terry Zink: Microsoft sues spammer for spimming

2010-03-13T19:24:00+00:00

Instant messaging spam, or spim (Spam over IM), is not something I have a lot of experience with. However, yesterday (Thursday, March 11), Microsoft announced that it reached a settlement with Funmobile, a company it sued last July, accusing it of using its service to spam users. From ZDnet:

Microsoft said on Thursday it has reached a settlement with Funmobile, the Hong Kong-based company it sued last July over accusations that Funmobile was using instant messaging spam to trick users into giving up their account information.

The software maker said it has obtained an injunction against Funmobile requiring it to refrain from 'spimming' — sending IM-based spam — to customers or contacts of Windows Live Messenger, and to make a cash payment to Microsoft.

"The successful resolution of this case sends a clear signal that Microsoft does not tolerate abuse of its networks, and we will continue to take action to protect our customers," said Microsoft associate general counsel Tim Cranton in a statement.

Microsoft had accused Funmobile of targeting users on its Live Messenger network to gain their personal information. Live Messenger has more than 320 million users, according to the company.

In the suit, Microsoft cited a number of attacks, including IMs that appear to be coming from users the victims know [TZ – emphasis mine]. It also described phishing attacks that mimic the look and feel of an outside service or an official Microsoft support page.

The company said the successful use of these tactics allowed third parties to obtain these users' personal account information, then exploit it by sending mass spam and phishing messages to the contacts of those users.

"Such attacks on instant messaging services are more than just a nuisance; they are a threat to user privacy," said Cranton.

Technically speaking this is not phishing since phishing, by definition, is the attempt to trick somebody into providing financial information. The tactic is here is known as spoofing and belongs to the broader area of attack known as social engineering. It plays on the psychology of brand recognition. Companies like Coca-Cola rely on their brand to sell their product around the world. People feel good when they are in a foreign place but see the familiar logo of Coke; they are in a restaurant, and so they order one (note: I do this regularly when I travel outside of the US and Canada). Images of familiarity when we are in unfamiliar territory causes our brains to release chemicals – endorphins – that make us feel good. That comfort level breaks down some of our barriers.

If we were to see a message coming from someone we don’t recognize, instantly our guard is up and we are less likely to be complicit in a spammer’s (spimmer’s?) request. However, by impersonating somebody we know, if we don’t realize right away that this is a spoof, our brains release endorphins and we enter a more suggestible state. This is because we recognize the brand of our own personal social network. We like to talk to people we know; we are comfortable with them and therefore our guards are down. The chances of us being more complicit in the release of private information is higher when we are more suggestible.

This isn’t Cranton’s or Microsoft’s stance, however. It’s more of an incidental. The greater point is that Microsoft has Terms of Service and abusive users of its service are subject to being shut down. This also plays into Gary Warner’s blog post where he advocates that “bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door.” While Microsoft’s actions in this case is not about using law enforcement to shut down a botnet, they aren’t far away from it by using the legal arena to force an abusive service to stop doing it. Hopefully, this will cause Funmobile to think twice before they start “phishing” other users. Hopefully even more, it will cause other services like Funmobile to do the same.

Sophos Blog (Spam Category): A Change From Dirty Laundry…

2010-03-13T16:50:49+00:00

Yesterday evening my student daughter arrived home for the weekend bringing a bag full of laundry, one full of books and, for a change, the laptop belonging to one of her housemates.

It seems that towards the end of last year the impoverished student could not afford to renew his AV subscription and has been, in effect, unwittingly running a malware honeypot on his laptop since it lapsed.

Fortunately for him he managed to acquire a particularly vicious FakeAV last week. The spoofed alerts and flashing warnings alarmed him but since he could not afford to pay the ransom to the bad guys he ignored them. That he couldn’t visit several legitimate websites irritated him but it was not until the FakeAV prevented him from accessing iTunes that he began to complain loudly to the whole household, at which point my daughter called me for advice.

“Bring the laptop home and I’ll see what can be done” was my suggestion.

So while a colleague and I have been working on this sunny Saturday, the dirty laptop has been receiving some rather special attention here at SophosLabs. I’m pleased to report that the months of accumulated malware was all detected by Sophos and that the laptop is now clean. What’s more it should remain clean since it is now running an up to date anti-virus package.

It was fortunate for my daughter’s housemate that he acquired such a visible piece of malware, one that loudly announced its presence to the whole household a few days before she had planned to come home for this Mother’s Day weekend.

So all’s well that ends well.

But I can’t help wondering how many other youngsters are running the risk of surfing the internet without the safeguard of a good anti-virus tool and just how much malware they may unwittingly be spreading. Perhaps we parents should take responsibility for teaching our offspring the Facts Of Online Life and first and foremost should be the golden rule, do not surf without protection.

Spamnation: Hotmail Hijack #5

2010-03-13T12:55:16+00:00

MXLogic has posted a short article under the title Web Security Breaches Rock Hotmail, which hints at the existence of a previously undisclosed security issue with the popular webmail service. The article is short on useful details, but the ultimate source seems to be a Windows Live help document about account compromises.

MillerSmiles Phishing News: Weekly analysis - 6th March 2010 to 13th March 2010

2010-03-13T12:00:00+00:00

MillerSmiles provides its weekly phishing analysis for the week of 6th March 2010 to 13th March 2010

Terry Zink: Another one (partially) bites the dust

2010-03-12T18:11:42+00:00

Following in the footsteps of Lethic, Waledac and Mariposa, yet another botnet has been taken offline. Not completely, though, it was only a partial disconnect. The Zeus botnet, also known as Zbot, is a trojan password stealer that captures passwords and sends them to the attacker. From ITWorld:

March 10, 2010, 04:10 PM — IDG News Service —

Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines.

Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.

The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. "There's lots of Zeus and Fragus exploit kit [sites]," he said. Whoever was behind the takedown "just decided to knock out a large area of cybercrime, and this was probably one of the easiest ways to do it."

Troyak is based in Kostanay, Kazakhstan, according to whois records. The company could not be reached immediately for comment.

The Zeus Tracker administrator, who asked not to be named, said that at first he thought that there had been some type of technical error in the Zeus code. On further investigation, he discovered that Troyak had been taken offline, which in turn knocked the networks hosting the botnet servers off the Internet.

Unlike the Waledac “takedown”, which was removed with a court order, and Mariposa takedown which was done by police authorities, or even the Lethic takedown done by Neustar which operates the .us ccTLD, this time around it was done by eastern European network providers. Thus, this takedown more closely resembles the 2008 McColo takedown which resulted in spam levels plummeting by 40% (our figures) to 70% (others’ figures). According to The Register, the network providers Ukraine-based Ihome and Russia-based Oversun Mercury severed their ties to the ISPs in question (Troyak and Group 3). Unfortunately, it also meant that the legitimate customers on those ISPs also had their ties to the Internet disconnected. I bet their customer support desks had their phones ringing off the hooks. I can just imagine the conversation.

Customer: Why can’t I connect to the Internet? I’m paying for your service!
Response: Well, sir, no one can. We’ve been disconnected.
Customer: What? Why?
Response: For engaging in cybercrime.
Customer: Oh. Well, that explains it.

Cisco issued a statement that this takedown “depeered” the botnet. What this means is that the drones that perform the actual password stealing, fast-fluxing, etc, can no longer (temporarily) make contact with command center. The drones are aimless, kind of wandering around with no direction, no purpose and no motivation (a lot like the entire population of Canada would have been had we lost the gold medal game in hockey two weeks ago at the Olympics). It’s kind of like if a military unit were out in the jungle taking orders from central command, and central command is knocked out, the unit will stand around forever doing nothing. The unit is still there, but they are not going to do anything until they get their orders. Since their orders will never come, they will never do anything. It’s classic bureaucracy in action.

It’s important to note three points:

The entire C&C center wasn’t taken down, only about a third of it
It will be rebuilt eventually. The orphaned drones no doubt had some of their instruction locations hard coded, or maybe specified in a config. The botnet operators will send out new malware with new instruction set locations, and users will install the software. These systems will become re-infected and point to other locations upon which to download updates and the whole cycle will start all over again. It will take time, true, but Zeus will be back.
Those who took down this botnet wish to remain anonymous. Whatever their reason is, they aren’t claiming responsibility.

I’ll have a bit more about Zeus/Zbot in my next post.

All Spammed Up: King of Informercial Scams Avoids Jail for Spamming Judge

2010-03-12T13:28:34+00:00

Sleazy informercial king Kevin Trudeau’s 30-day jail sentence has been stayed by the courts. He was slammed with it for orchestrating a spam email campaign designed to influence the judge in his case. He’s currently on trial in Civil Court fighting a complaint by the FTC that the advertising for his “natural cures” book is misleading. He was first sued by them in 1998 and banned from making false claims in the future, ordered to pay $500,000 in consumer redress and pay another $500,000 for a performance bond to ensure compliance. In 2004 he was sued again for ignoring the order and making false claims about a product called Coral Calicum. He was ordered to pay $2 million in fines and damages and banned from doing informercials except for informational publications like books, provided he make no misrepresentations. He again ignored the order which is why he is in court again. Trudeau has long been hawking his natural cures as the answer to everything from obesity to drug addiction.

In an effort to avoid further prosecution Trudeau urged his supporters to email the judge to tell him what his cures did for them and to urge him to find in his favor. The judge said his inbox was overwhelmed with spam and demands that the complaint against Trudeau be dropped and found him in contempt of court. Trudeau was scheduled to report to jail today. The court gave no reason for the change of heart but said the stay was contingent on no more spam campaigns being aimed at the judge or the court.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

King of Informercial Scams Avoids Jail for Spamming Judge

Sophos Blog (Spam Category): Phishing craigslist - but is it malware?

2010-03-12T05:02:52+00:00

Malware has traditionally been easy to spot and classify, mainly because it was created to serve a specific nefarious purpose and nothing else. In the ongoing arms race between malware authors and the security industry, stealth and other ‘in plain sight‘ technologies are emerging as clear favorites.

Case in point is a recent Craigslist phish, disguised as a phone update - nothing new about malware pretending to be something it isn’t, but that’s not where the story ends. Examining the executable shows that it is nothing more than a RAR self-extracting (SFX) archive - and thus not inherently malicious.

Contained within the archive are two seemingly innocent files; a HOSTS file and an internet shortcut (.url file). The internet shortcut points to craigslist and draws little or no suspicion when the object is scanned in isolation. The HOSTS file likewise contains mappings for various craigslist sub-domains, but without prior knowledge of the state of the HOSTS file, or dynamic resolution of the domains it is difficult to determine whether the mappings are legitimate (especially so when considered in isolation.)

When deployed as a complete package however, the HOSTS file remaps craigslist to some other IP so that when the internet shortcut is launched it goes to somewhere other than stated destination…in this case, a craigslist phish requesting login information.

So is it malware? Are any of the components malware? Clearly when these benign components are found acting in unison, malicious behavior is observed [1], but what about detection?

Traditional signature-based malware detection is obviously incapable of dealing with such multi-component threats, requiring instead a wider context-based observe-correlate-classify approach which draws from a variety of information sources such as reputation, nearest neighbour and behavior.

Because matches dont start fires, people do!

Spam Wars Dispatches: Another Money Mule Recruitment Letter

2010-03-11T21:25:17+00:00

Jobs, jobs, jobs! If you want to earn some fast cash by ripping off small businesses so that:

a) your criminal bosses in Eastern Europe collect big time; and
b) you may get caught owing a bank many thousands of dollars (somewhere just under $10,000) you already wired to Eastern Europe

then reply to the following spam message:

Subject: Job position REF47732
From: Shelly Dubois

Compliments

I am a manager of the HR department of a large multinational company. Our company is met in many departments, such as:
- real estate
- companies setting-up and winding-up
- bank accounts opening and maintenance
- logistics
- private undertaking services
- etc.

We need employees in USA:
- salary 2.500 dollars + bonus
- 1 - 2 working hours per day
- free timetable

If you are interested in this job, please, send us your contact information: Shelly@[removed]-target.net
Full name:
Country:
E-mail:
Mobile phone-number:

Note! We are searching Americans only! >

Please mention your name and write the phone number. Our manager will contact you to fix an interview.

And here's a variation that just came in:

Subject: Finance Manager vacansy for USA
From: Jim Woods

Compliments

I am the personnel department manager and I am appealing to you in the name of the large-scale and first-rate partnership. Our company takes an active part in the life of its subsidiaries, for example:
-property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We have vacancies to be filled by American residents only:
- salary 2.500 dollars + bonus
- underemployment
- flexible working schedule

If you would like to work with us, please provide us the following information: Jim@[removed]-target.net
First name:
Surname
Country of residence
Place of residence
E-mail box
Contact phone number

Attention! We need American residents only.>

Please provide us with your Personal data (Phone number and First and Last name) and our manager will contact to you to make a brief interview.

The email address domain was registered a couple of days ago. No web site exists at that domain (at least at the default location), but the Apache server is alive (somewhere in Russia).

Unfortunately, a lot of Americans are under financial stress these days. Offers like these, despite sounding too good to be true, will yield plenty of applicants — lambs to slaughter.

Michael Boyd Clark: FanBox.com Spam

2010-03-11T20:53:46+00:00

I just got a message from someone I don’t know, with a return address of fbNOREPLY@myfanbox.com. The message was: 7b1d91231a87fb75e0054e886a0dea57

-fake name- says you should see this video clip.

-fake name- thinks you will really like this YouTube Video. Check it out!

This email was sent by -fake name- using the Application: Youtube Video Seach. You can stop receiving emails here.
- , ,

I’ve now blocked all of these domains: myfanbox.com fanbox.com fanboxapps.com sms.ac fanboxnotes.com

216.180.243.10 13/Mar/2010:10:13:32

Copyright © 2010 PlanetMike's Technology Journal. This Feed is for personal non-commercial use only. If you are not reading this material at http://www.planetmike.com or in your news aggregator, the site you are looking at is guilty of copyright infringement. Please contact copyright@planetmike.com so we can take legal action immediately.

FanBox.com Spam

Box Of Meat: CyberCrime & Doing Time: PKK Hackers Arrested in Turkey

2010-03-11T18:07:52+00:00

CyberCrime & Doing Time: PKK Hackers Arrested in Turkey:

‘…the hackers are associated with the Kurdistan Workers’ Party, or PKK, and were taken to Diyarbakır for further questioning. This article calls the hacker team the “Cold Attack Team”, and says that it took orders from leaders in Kandil in Iraq and in Europe regarding what websites to hack and what messages to place there. It also mentions that the hackers distributed a PowerPoint attachment via email which would trojan the readers computer.’

Terry Zink: What do my stats say on Waledac’s takedown?

2010-03-11T17:24:00+00:00

In my previous post, I wrote that other security researchers didn’t find much impact after Microsoft obtained a court order to take down 270+ domains associated with the waledac botnet. What do my own statistics say?

Waledac is one of the smaller botnets that send us spam traffic; but since we are enterprise mail while Hotmail is consumer, the attack vectors may be quite different. Anyhow, here’s how many distinct IPs we were seeing in the month of February before and afterwards:

Going by this, we didn’t really see much difference either. Waledac kind of bounced around before and afterwards with no real drop off in uniqueness. I then decided to compare the rest of the botnets I track and none of the other ones showed any distinguishing feature either.

Except for one.

While this may be an anomaly or a reporting error in my script, the rustock botnet was affected for a short period of time following waledac’s disruption. A day after the takedown, the amount of mail it sends us went to almost zero:

You can see that it kind of oscillates around but it never gets lower than a thousand. Yet on Feb 23 (don’t let the date on the chart fool you, Excel is being weird for some reason), the amount of post-RBL spam that we get from rustock nearly disappeared. That has never happened before, rustock may fluctuate within a range but it never disappears. Admittedly, this could simply be a reporting error in my script. We have had other problems that seem to have arisen around Feb 22 for some strange reason. The problem is that none of the other botnets that I track show this odd behavior of nearly vanishing after waledac was taken offline. So, there are some possibilities here:

My data is valid. If so, then that means that there is a link between rustock and waledac. Perhaps rustock uses the waledac domains to spam, not waledac itself. Rustock also recovered quickly so perhaps waledac also recovered quickly, or else rustock has a robust infrastructure and is self-healing.
My data is invalid. I have a reporting error in my script, or some of our logs didn’t rotate, or perhaps the list of IPs didn’t download properly. I grant this as a possibility but then it means that the rustock reporting is an anomaly, or I need to revisit my other data.

Indeed, if it is point 1 then we have established a relationship between the two botnets.

Update: Upon further investigation, I discovered that my script had a reporting problem on Feb 23. It turns out that another set of numbers that I track demonstrate that every other botnet had similar disruptions in their total patterns, not just rustock. As it turns out, it was too good to be true.

That means that my data is invalid, and all I have been able to confirm is that the waledac botnet take down a couple of weeks ago doesn't appear to have made much of an impact.

Box Of Meat: Globe and Mail: Ontario adds Internet safety to elementary curriculum

2010-03-11T17:06:51+00:00

Globe and Mail: Ontario adds Internet safety to elementary curriculum:

‘Next fall, there will be specific sections in the curriculum for grades 4 and 7 about Internet safety and the potential risks of online activities. …there will also be “age appropriate” discussions about online dangers in Grades 1 through 8.’

John Graham-Cumming: My bio

2010-03-11T15:58:43+00:00

Occasionally I get asked for some sort of official bio. Here's one people can use:John Graham-Cumming is computer programmer and author. He studied mathematics and computation at Oxford and stayed for a doctorate in computer security. As a programmer he has worked in Silicon Valley and New York, and the UK and France. His open source POPFile program won a Jolt Productivity Award in 2004.He is

All Spammed Up: New “Chuck Norris” Botnet On The Loose

2010-03-11T13:41:00+00:00

Look out Waledec, Zeus and Conficker! Chuck Norris is in town. A new botnet named after the iconic action star is targeting and infecting routers, or as one writer joked “The Chuck Norris botnet doesn’t infect routers, it stares them down until they infect themselves.” The botnet, first discovered by Czech researchers, looks for badly configured routers and infects them by guessing the default password. It uses the remote access feature to take control.

It takes over MIPS-based devices running Linux by launching a password guessing dictionary and changes the DNS settings of the router, and then redirects the user to a poisoned webpage that downloads even more malware. It also scans the network for other devices to infect. Experts say the botnet has infected machines from South America to Asia. There’s no information on exactly how many machines have been compromised, who is behind it, but like other botnets, its goal is to steal personal information like passwords and bank account numbers. Some researchers say it may also conduct DDoS attacks.

For a botnet named after Chuck Norris (it got the name from a line in its code: “in nome di Chuck Norris” which means “In the name of Chuck Norris”) the malware it delivers has a surprising weakness. Since it is installed in the router’s RAM, a simple restart will remove it. To protect against it, make sure all routers and modems on your network are not using the default password and that each device has a unique and hard to guess one.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New “Chuck Norris” Botnet On The Loose

Amir Lev: Ask Amir #4: What's a Web reputation service?

2010-03-11T11:39:21+00:00

This week in Security Levity, I want to talk about 'web reputation' and how it's used to protect users from malicious Web sites, or sites with malicious content for some other reason.

Enemieslist: Links Roundup

2010-03-10T22:08:55+00:00

Terry Zink: No love for Microsoft’s Waledac takedown

2010-03-10T18:58:33+00:00

A couple of weeks ago, I wrote on the story that Microsoft had obtained a court order to take down numerous domains associated with the Waledac botnet. It’s now been a period of time since then, did the takedown actually affect spam levels out of waledac?

According to Spamhaus in a statement granted to ZDNet, it had little effect, if any:

The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.

"The amount of spam coming from Waledac [before the takedown] was less than one percent [of all spam], and that hasn't changed much," said Spamhaus chief information officer Richard Cox. "There's been a slight change, nothing major, and we would expect it to be a lot different."

According to Cox, and Sophos Labs, Microsoft’s targeting of Waledac is odd because it is such a small botnet and accounts for so little traffic:

"I've been chatting to colleagues, and we don't understand why Microsoft took these measures [against Waledac]," said Cox. "There are other botnets, for example Zeus, that do immense harm fraud-wise."

Computer security company Sophos agreed that it had seen no appreciable difference in the amount of spam coming from Waledac after Microsoft's action.

"We can't see a direct correlation between [Microsoft's] takedown efforts and a reduction in spam from Waledac," said Fraser Howard, a principal researcher at Sophos Labs.

In addition, there has been no noticeable reduction in spam volumes overall, according to Howard.

"If the botnet contributed significantly to spam, we would have expected to see a sharp step down in spam volumes," said Howard. "There is no distinct difference between before and after the takedown."

Not everyone agrees that the Waledac takedown was fruitless, though.

Security company F-Secure said on Wednesday [March 3] it had seen a drop in spam coming from Waledac zombies, and a decrease in the number of binary samples from Waledac-related messages.

"Microsoft might have decapitated [Waledac], it should be interesting to watch," said F-Secure researcher Sean Sullivan.

Sullivan said the ability of the botnet to spread malware may have been severely inhibited by Microsoft's action. From 8 February to 21 February, F-Secure detected 58,913 instances of Waledac malware attempting to circumvent F-Secure security software. After the takedown, from the 22 February until 3 March, F-Secure detected 1,113 instances.

Despite this respite in Waledac attacks, Sullivan said F-Secure would not be surprised to see the botnet come back.

So, according to this article, and some other sources I have talked to, here is the reaction to Microsoft’s take down:

Waledac was a small player to begin with
The takedown didn’t do much at all
Although in some places, it did have a noticeable effect
Waledac will be back eventually

The reason for Waledac’s resiliency is that while several domains were taken offline, Waledac also relies on peer-to-peer traffic. In that regards, it doesn’t matter if a domain is taken down because the nodes are not communicating with it anyway. Thus, if that is the case, then it suggests that Waledac doesn’t rely on domains for spam distribution and instead uses it for something else, such as pointing to payload in spam.

Ed Falk: And another botnet goes down

2010-03-10T18:20:35+00:00

Via Slashdot: IT World reports that the Zeus botnet was partially knocked offline when its supporting ISPs, Troyak and Group 3, were disconnected by their upstream servers. IT World is reporting that the Zeus botnet lost a third of its command-and-control servers overnight.

According to IT World, the Zeus botnet was responsible for a wave of financial fraud that caused hundreds of millions in losses over the past year.

The first and most effective such takedown ocurred just over a year ago when McColo was taken down by its upstream providers. The Rustock and other botnets were knocked offline, resulting in a 60-70% drop in spam overnight.

Box Of Meat: Wired: 10 Years After: A Look Back at the Dotcom Boom and Bust

2010-03-10T15:58:19+00:00

Wired: 10 Years After: A Look Back at the Dotcom Boom and Bust:

a bit off-topic for Box of Meat…or is it?

All Spammed Up: Could Better URI Filtering Cure Email Spam?

2010-03-10T15:30:28+00:00

A highly desirable goal of businesses and web users is the complete eradication of spam from the internet. That is perhaps a bit too much to hope for, but certainly the goal of reducing spam is something we can all keep working towards.

One of the more effective methods of reducing spam in recent years is through IP filtering. This technique involves checking the IP address of the computer or server that is trying to send you email against a list of known or highly suspect spam sources. The lists are provided by various third party organizations such as Spamhaus and are typically integrated into the products sold by security vendors.

The best part of this technique is that the check occurs at the earliest stage of the initial communication between the two servers. If the IP address is considered to be a spam source then the connection is terminated before time and server resources are wasted by accepting any further part of the email content.

This meant greater efficiency in spam protection systems compared to earlier techniques that involved checking the entire message content for certain keywords or strings that matched a database of known spam. This technique is still used today, but it is only performed on email that first passes the IP filtering checks.

Some estimates put the amount of spam that is typically stopped by IP filtering at around 80-90%. That is up to 90% of spam (not of total email traffic) that can be prevented by IP filtering, usually with very few false positives.

The remaining 10-20% poses a bigger challenge. These emails need to be checked more thoroughly for other characteristics such as:

Sender address/domain
Email body content such as text or URI (Uniform Resource Identifier, often called a URL by web users)
Images and file attachments

This is because spam emails can come from trustworthy sources such as webmail providers and ISPs in which specific accounts have been compromised by a phishing attach. As a result they cannot be blocked reliably on the basis of sender address/domain.These checks are also computationally more expensive and more prone to false negatives when new spam techniques emerge. One of these new techniques is the use of URL shortening services to cloak malicious website addresses.

URL shortening sites typically do not police the links that people create using their services, which elevates the risk of them being used for malicious purposes. However, the services do often provide an API that can be accessed by other applications, which has led to the emergence of sites and web browser add-ons that can be used to manually check a shortened URL before it is clicked on.

This process is manual and tedious though, and relies on the weakest point in spam prevention – the end user. Only the most security conscious end user will do this check even some of the time.

But the combination of URI filtering and URL shortening APIs offers the chance for the problem to be attacked from two angles. Email security products could possibly detect shortened URLs and perform a check against the provider’s API to determine the actual destination address. That destination address can then be checked against URI filtering lists for known malicious sites.

Though this check may be effective it is not particularly efficient. Email servers will need to send API requests and wait for responses before determining if an email is malicious or not. And it does not solve the issue of these services being used by spammers in the first place.

As an alternative, the URL shortening services could make use of URI filtering lists when providing shortened URLs to their anonymous users, and deny the creation of short URLs that lead to malicious sites. This might eliminate the problem at the source.

As a positive flow on effect of this type of change the use of shortened URLs by spammers on social networks and other non-email communications would also be reduced, reducing the risk of several different threats at once.

These checks are obviously not being performed by shortening services yet. I tested several spam URLs from a URI filtering list on a few of the popular services and none of them prevented me from creating a shortened URL. I wonder if soon we will see them forced into action as spammers exploit their systems to the point where they are completely untrusted and actively blocked by security systems.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Could Better URI Filtering Cure Email Spam?

Sophos Blog (Spam Category): Internet Explorer 0-day targeted in spam runs

2010-03-10T15:27:27+00:00

Hot on the heels of the Patch Tuesday announcements yesterday (see blog or links to vulnerability assessment pages), came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806).

Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link.

the tried and tested “delivery failed, please confirm address details” messages
request for details confirmation for insurance quote

Example messages are shown below.

In either case, clicking on the link takes the victim to a web page which kickstarts the infection process.

Generic detection for the exploit scripts seen thus far has been added as Troj/ExpJS-R. A script used to query the browser/OS version before loading the exploit script (or redirecting to a games site) has been added as Troj/JSRedir-AW.

The malicious payloads installed in such attacks are liable to change of course, but the ones seen thus far have been either proactively detected as Mal/Dropper-Y, or added as Troj/Dloadr-CYS.

SophosLabs will continue monitoring for new attacks looking to exploit this vulnerability. In the interim, aside from keeping your protection up to date, take note of the following from the Microsoft announcement:

Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected.

If you are an IE user and have not yet upgraded to version 8, take a hint! It is strongly recommended that you do so. Aside from not being affected from this particular issues, there are a whole bundle of other security related features you are missing out on otherwise.

The SophosLabs vulnerability assessment page for the IE 0-day vulnerability will be updated accordingly.

John Graham-Cumming: An Olympic honour for Alan Turing

2010-03-10T12:40:56+00:00

Over at The Guardian I write:Last year I led a campaign to obtain an apology for the mistreatment of the British mathematician Alan Turing. Turing's prosecution for homosexuality led to the death of a true genius at the age of only 41 in 1954. On 10 September last year, Gordon Brown issued an apology that recognised Turing's stature as one of the greatest Britons. But Britain has a final

Terry Zink: What’s the break down of spam?

2010-03-10T00:20:00+00:00

I see on Symantec’s Twitter feed that roughly 82% of all spam is pharmaceutical spam.

Pharmaceutical spam now accounts for 81.9% of all spam. Europe is more likely to receive it than other regions, and Asian ones least of all.

My own statistics do not confirm this, but they do confirm that pharmaceutical spam is the largest source of spam that we receive network wide. That it accounts for 82% is a realistic number.

I decided to take a random look at my junk mail quarantine for one of my email accounts. Below is a snapshot:

[Click for larger image]

This is from my latest spam quarantine snapshot, there are 19 messages (I removed one false positive because I am on a discussion list that is prone to FPs due to its content). Of the 19 messages, 15 are pharmaspam, or 79%. That’s pretty close to Symantec’s numbers, in fact, I’d say it confirms their numbers. This is, of course, non-scientific and not statistically valid, but it’s nice to know that if I want cheap pharmaceuticals, I can always check my spam folder.

Incidentally, from the Microsoft Security and Intelligence Report, version 7, here’s the breakdown of spam that we saw in the first half of 2009:

If you add the Pharmacy categories together it is around half. Non-pharmacy product ads includes Rolex watches which is what the other messages are in my spam folder. So, my stats agree with Symantec’s even if the numbers are not quite the same. Of course, these numbers are a little old right now so new ones could obviously re-orient things and tip the balance into pharmaspam’s “favor” even more.

Sophos Blog (Spam Category): Patch Tuesday Continues.. Now With IE Vulnerability!

2010-03-10T00:13:28+00:00

This patch Tuesday had been quiet, perhaps too quiet.

It turns out there is also a new advisory for Internet Explorer.

For a more complete list, please see the SophosLabs Vulnerability Analysis page.

Silent Noise: Do you have gas?

2010-03-09T21:35:37+00:00

Then Aker Kvaerner may have some kind of work for you.
I may judge it wrong.
Not sure if only having gas qualifies, but you never now.
You could be the right person for the job.

It's of course a scam.
It seems to origin from 41.206.15.2, in Africa. Maybe a hacked UebiMiau installation.
Went via 200.152.205.3, in Brazil before ending up in one of "my" email boxes.

I would not contact the email address info.akrecruitment01@yahoo.co.uk.
But I fart in the scammers general direction.

The spam:

--
Aker kvaerner oil and Gas Company 
Human Resource Department

Sophos Blog (Spam Category): March Patch Tuesday …. pay attention Mac users

2010-03-09T18:35:44+00:00

This patch Tuesday has been relatively quiet with Microsoft only issuing two patches, of which, both bulletins they rate as only important.

Privately disclosed vulnerabilities in Movie Maker, Movie Producer and Excel could lead to remote code being executed with the same privileges as the current user.

Apple users take note: Microsoft Office 2004 and Office 2008 for the Mac’s are currently affected by the MS10-017. As such, Mac Microsoft Office users will need to download and install an update to protect themselves.

Unfortunately, today’s patches do not address the VBScript RCE IE vulnerability mentioned in Microsoft’s advisory from the first of this month ( Advisory 981169 ).

For more information about these threats, please see the SophosLabs Vulnerability Analysis page.

Spamresource.com: Twitter Has Spammers, Too

2010-03-09T16:29:07+00:00

I'm a pretty heavy user of Twitter. I've got a few followers, I pay attention to what a lot of people say, and I know a number of people that follow what I say. I enjoy this new method of interacting with people-- it's been a lot of fun. But, like every other way of electronic communication, spammers were bound to discover it and attempt to exploit it eventually. In the Twitter-sphere, the way spam works might be a bit different than in email, but I'll be darned if it doesn't just jump right out at me, with my background in spam fighting and email best practices.

Here's a few of the different kinds of spam I've seen on Twitter.

Generic spambots. They follow everybody in the world until they get shut down. Since my Twitter handle starts with an "A", I'm guessing I show up somewhere relatively near the top of some huge list of Twitter usernames. Their tweets all seem to be things like, "Hello, I am from Russia and I am lonely, will you click on my profile?"
Targeted spambots. They watch for certain keywords that people tweet, then immediately follow those people. I learned this the hard way when I started talking about "payday loans" (as I'm tracking a number of co-reg email senders), and suddenly I've got a bunch of new followers who all want to help match me with the right instant loan.
Brainless content republishers. I watch a few different Twitter queries over time, to look for articles to link to, and to help find Twitter users that I might be interested in following. Here is an example of one of those. What they've done here is mis-used a neat tool called TwitterFeed. They're watching a whole bunch of RSS feeds for blogs other than their own and posting the first sentence or two of each blog post and linking to it. Why do this? It looks to me as though the intent is to make them look like an active Twitter user with knowledge to share. Except, they've got nothing; they're just blindly linking to other peoples' posts, via a robot, every time a new post is written. That's far different than manually choosing to re-tweet a link to a blog post you personally find interesting. (In case you're wondering about this person or company's respect for social customs, check out their fabulous Free Blast Offer: Send to 10,000 email messages to any list, even if it's not opt-in. Looks like an email spammer who found a new way to spam.)
Useless marketers who have no concept of personal space and try to inject themselves into conversations even when they've got nothing to add. Laura Atkins and I have noticed this a few times lately, and I ran into it again tonight. I asked on Twitter if anybody had any recommendations for a good thriller to read on my Kindle. From reading his stream, this guy clearly is watching for terms like "Amazon" and "Kindle" and then replying, with a link to Amazon with his affiliate link embedded. What is this guy actually adding to the conversation? Nothing, that's what.

What do you think - are there other kinds of Twitter spammers that I'm forgetting to include here?

Spamresource.com: Spamhaus: Waledac Botnet Culling Had Little Effect

2010-03-09T16:27:57+00:00

Tom Espiner of ZDNet UK Reports. "The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.

"'The amount of spam coming from Waledac [before the takedown] was less than one percent [of all spam], and that hasn't changed much,' said Spamhaus chief information officer Richard Cox. 'There's been a slight change, nothing major, and we would expect it to be a lot different.'"

John Graham-Cumming: Did Monbiot try to understand climate science?

2010-03-09T14:35:25+00:00

In The Guardian's Comment is Free section there's an article by George Monbiot called The trouble with trusting complex science which argues that:The detail of modern science is incomprehensible to almost everyone, which means that we have to take what scientists say on trust.He does this in the context of climate change science. I wonder if he actually tried to read the key paper that describes

All Spammed Up: Microsoft Slays Waledec

2010-03-09T14:15:11+00:00

Microsoft notched an important legal victory this past week. A court awarded them a restraining order that has effectively cut Waledec off at the knees. The decision was the result of a lawsuit filed on February 22^nd and will result in traffic being cut off to 277 domains that hold the command and control servers that run the botnet. All of the domains are located in China and will be blacklisted by VeriSign. Without its command and control servers Waldec is essentially dead because its millions of zombies can’t contact home for instructions.

According to Microsoft, Waledec is one of the 10 largest botnets in the world and responsible for most of the spam hawking fake and shady internet pharmacies, male enhancement products and designer knock offs. They had this to say about Waledec on their blog:

Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

While Microsoft claims victory, it’s more than likely short lived. As we’ve seen in the past with shutdowns like McColo, it doesn’t take long for the cybercriminals behind botnets to regroup and start anew, and they are getting better and better at it everyday.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Slays Waledec

Terry Zink: Malware in a nutshell

2010-03-08T23:17:02+00:00

I was browsing YouTube today and I found an online video starring David Perry of Trend Micro. Perry explains the nature of various web-based threats using building blocks. It’s actually a pretty good introduction for those who don’t understand the threat landscape very well.

See the video below.

\/param>\/embed>\/object>\/div>";" alt="" />

Spam Wars Dispatches: 419er Disease of Choice

2010-03-08T23:14:23+00:00

A common ploy among advance-fee scammers is the attempt to rend the recipient's heart because the rich sender now has a terminal illness and wants to make sure his or her booty winds up in good hands — rather than in the hands of his or her greedy and untrustworthy family members. This is a triple scam because the dying person wants the recipient to use the funds to distribute among charities — really assuming that the recipient is supremely greedy, and plans to take the money and run once the sender kicks the bucket. In other words, the scammer is assuming his victims will try to scam the dead scammer. In the process, however, it is the email recipient who will be the only one scammed out of fake processing, storage, transfer, and other fees that ultimately never yield a penny.

The medical trend I've noticed in such 419 scam messages arriving here recently has been an enormous outbreak of esophageal cancer (often with the correct spelling of the fake diagnosis). That's a safe choice, unlike one Nigerian woman who claimed some years ago to be riddled with prostate cancer.

The Internet Patrol: Fake Amazon Cancellation Email Hides Canadian Pharmacy Spam Links

2010-03-08T21:42:34+00:00

Not content with sending fake Amazon confirmation emails, the outfit sending out the Canadian pharmacy spam is now sending out fake Amazon.com order cancellation emails, too, claiming that your Amazon order has been cancelled. "Amazon.com - Your Cancellation (0046-68878-96071)" says the email's subject (although the "order number" may ...

All Spammed Up: Bank/Customer Lawsuits Over Phishing Scams Rising

2010-03-08T13:30:35+00:00

Over the past week there have been two instances of banks and customers suing over phishing attacks. In the first, Texas-based Hillary Machinery Inc, fell victim to a phishing attack and had over $800,000 stolen from their account. Their bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested the bank refund the remaining $200,000, PlainsCapital slapped them with a lawsuit. The suit asks that the court certify their security procedures to be reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.

In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click on a link to download an update to the bank’s security software. This is a well worn trick used by phishers and the company says by doing so it made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.

In response the bank said that it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company’s banking credentials. Furthermore they said, the phishing site would have been obviously fake “”to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.” Ouch. Basically they are insisting it’s not their fault that the employee was stupid enough to fall for the phishing email, but does Comerica hold some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has switched to a different system. The employee apparently trusted that the phishing email was real because of the previous one) What do you think? When a phishing attack happens who should be held responsible, the victim or the bank?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bank/Customer Lawsuits Over Phishing Scams Rising

Silent Noise: Referrer spam ends up in malware - stars-vs-stars. com

2010-03-07T11:02:33+00:00

Beware of referrer spam in your weblogs.

At the moment stars-vs-stars. com (hosted on ecatel btw) redirects to http:||olympionik.limewebs. com/xplaymovie.html,
which again redirects to various malware/domains at 69.10.38.27 (trouble-free.net - Michael Lavrik), an infamous IP for hosting malware.
During the last two days, the following domain names have been used:
greatmultimediaservices. com, multimediautilites. com, digitalbluemultimedia. com.
digitalbluemultimedia.com is the active one as I write this.

Poor detection at virustotal.com, 4-8 vendors recognize the malware.

Terry Zink: How much do botnets re-use their IPs?

2010-03-06T20:11:00+00:00

One of the assumptions that I have long held about botnets is that they grab a compromised computer, spam it like crazy and then abandon it once it lands on an RBL. Eventually, this RBL delists it due to dormant activity, and later on the botnet reawakens and reacquires that IP and spams with it again. In other words, the botnet recycles (or re-uses) its IPs to spam but with sufficient time within spamming cycles that RBLs thinks that they are relatively safe to delist. After all, who wants an RBL that grows without bound?

I don’t have a good way to test this over a longer historical time frame, but I do have a shorter way to test this. Each day, I collect stats on botnets and dump all of the IPs for each botnet into a file in its own subdirectory. I planned to have the script delete the file, but I have discovered that that these files of historical spamming IPs are handy to have around. Incredibly handy, actually.

All I have is a month’s worth of data, but I figured this would be an interesting check. To test this, I went through the 14 botnets that I keep track of and counted all of the total IPs that it is sending spam from. I then did the Linux cat | sort | uniq | wc –l that prints all of the IPs, sorts them, gets the unique entries and counts them up. This gives me a Total Count, a Unique Count, and a % unique. If a botnet has 100 IPs and 98 of them are unique, then it means that the % Uniqueness is 98%. It implies that the spammer uses new originating sources of spam each day, which means that we cannot use the previous day’s spamming IPs to predict where today’s spam will come from. The results are below, the IPs are all normalized against the smallest botnet (waledac) to display the relative size of each botnet sending us spam (note that this is all post-RBL data):

You can see from this above that each botnet almost never re-uses its IPs. Only darkmailer and waledac do it with any consistency, and surprisingly enough, so does rustock. But even then, 5 out of every 6 IPs are IPs that it has not used before (in the previous one month, ie, Feb 5 – March 5).

I then decided to see whether or not there is any overlap between the botnets. Perhaps they are unique amongst themselves, but what about amongst each other? It turns out that there is 86.7% uniqueness amongst them. I would say that the number is this low only because rustock pulls down the average and accounts for so many of the IPs.

Based upon this snapshot of data, I conclude the following:

Spammers do not recycle their IPs amongst the same botnets at regular intervals, at least if the interval is less than one month. They get new ones each day.
Spammers do not share IPs amongst each other, at least if the interval is less than one month.
It is depressing how many new sources of IPs they are able to get, per day.
However, I can not make any definitive conclusions because once an IP gets blocked at our network edge (ie, is on an RBL), I don’t have visibility. So, my above conclusions are based upon post-RBL mail which may not be reflective of all spam.

Sophos Blog (Spam Category): SEO blogger victim of malicious SEO attack

2010-03-06T14:11:30+00:00

On Friday evening I was talking to a North American customer who had been fighting with infections caused by SEO poisoning. They mentioned a particular search term that could generate new samples of FakeAVs. The funny thing was that the website hacked by the SEO poisoner was a blog of someone trying to promote legitimate business use of SEO technologies..

If you click on any of the links returned by the search you would be redirected to an Indian site containing this image:

After allowing scripts on an unprotected/filtered machine I quickly saw the pop up:

Eventually, you will be prompted to download an executable

Quick Scanning

>>> Virus ‘Troj/FakeAV-AYU’ found in file packupdate_build9_195.exe

The Indian websites are actually detected as malware:

Quick Scanning

>>> Virus ‘Mal/FakeAvJs-A’ found in file Security Threat Analysis.html

So customers searching behind a Sophos web security appliance, or browsing with the BHO enabled would be blocked from accessing the Indian website.

For those customer who don’t have a Sophos web security appliance or don’t use IE there is hope. Sophos will soon be opening a beta for Endpoint Security and Control 9.5 which includes “Live Web protection for fixed and mobile endpoints, blocking access to malicious URLs”. To register for this Beta or find out more about the Beta Program follow this link.

Ed Falk: More problems for Cryptome

2010-03-06T12:36:16+00:00

Last week, I wrote about the whistle-blowing website Cryptome, which was shut down by Network Solutions after a DMCA complaint from Microsoft. Microsoft relented under the bad publicity and withdrew their complaint and Cryptome is now back on the air.

Today, it seems that Cryptome's problems are not over yet. As reported by SlashDot, Paypal has taken it upon themselves to freeze Cryptome's accounts in preparation for dropping them completely.

I guess the moral of the story is: if your site is at all controversial, don't depend on Paypal.

MillerSmiles Phishing News: Weekly analysis - 27th February 2010 to 6th March 2010

2010-03-06T12:00:00+00:00

MillerSmiles provides its weekly phishing analysis for the week of 27th February 2010 to 6th March 2010

John R. Levine: Are portable e-mail addresses possible?

2010-03-06T06:11:08+00:00

News reports say that the Israeli government is close to passing a law that requires portable e-mail addresses, similar to portable phone numbers. Number portability has been a success, making it much easier to switch from one provider to another, and address portability might ease switching among ISPs. But e-mail is not phone calls. Is it even possible?

The bill's sponsors apparently assume that e-mail messages work enough like phone calls that whatever they do to make phone numbers portable can work the same way for mail. Unfortunately, they're wrong.

Every time you make a phone call, software in the phone system checks to see if the number you're calling has been ported. Since phone numbers are geographically assigned, there is a shared porting database for each calling area in which the calling switch looks up the dialed number (DN) to get the routing number (RN). If the number hasn't been ported the DN is the same as the RN, but if it has, RN is a number assigned to the switch to which the number has been ported. Then the call is routed based on the RN, but it also sends along the DN so the target switch knows who the call is for. The shared databases are run by a neutral party (Neustar in the US) and every telco pays to support it. The system was designed this way so that numbers that have been ported away don't put an extra load on the "donor" system from which it was ported.

Email doesn't work like that. There is a DNS lookup for the domain name, the part of the address after the @ sign. but all mail within the same domain is routed to the same place. For the small minority of Internet users who have their own domains, they can change the domain's DNS records to change where the mail goes, but for users who get their addresses from their ISP or their employer, it's tied to the ISP or the employer. You can imagine a system in which every mail delivery did a DNS lookup of the e-mail address first, but that's not how the mail system works.

But since this is a government mandate, is there any way to make this sort of work?

There were two other approaches for phone number portability proposed and discarded, call release and call forwarding. In call release, the call first goes to the original switch, which sends back a status message saying the number has been ported to another switch, and the calling switch then reconnects to the other switch. Call forwarding should be familiar to everyone--the called switch places a call to the real destination switch and connects the incoming call to it.

E-mail has analogs to both of these. For something like call release, the SMTP standard has always had a status code that a recipient system can send back to a sending system to say that the recipient has moved, and giving a new address. As far as anyone can tell, nobody has ever used that code, but it's there if anyone wants to give it a try. Mail forwarding, on the other hand, is very common.

The least awful way I can think of to make something like this work for email is that the user's new provider can contact the old provider on the user's behalf, and request the address be forwarded. So long as it's forwarded, the new provider pays the old one a modest monthly fee, mostly to give the providers an incentive to cancel the forward when the user leaves. The fees would probably net out in most cases so the costs would be mostly administrative.

Mechanically, that kind of setup would not be very hard. Administratively, it would be a nightmare. If the forwarded mail starts to bounce are they allowed to turn it off? Does the old provider do its usual spam filtering? (What if the user left because the filtering was lousy and lost a lot of real mail?)

Another possibility would be for the old provider to keep mail accounts active even though the account is otherwise turned off, and let people pick up mail from its mail server. This is surprisingly common now, often by accident. For example, I cancelled my BT broadband account in July when I left England, but the associated mail account still works, seven months later. Mechanically this still isn't hard, but if it's a required service, now each ISP now has a permanent obligation to provide mail service to people from whom they no longer get any income, and with whom they have no other relationship. How do they know when to turn off the mail? If the user doesn't pick up the mail for a month? Six months? A year?

So my main advice is to forget it, since there's little evidence that this is a service so important it needs to be mandated. On the other hand, ISPs might find a small new income stream by selling forwarding service, like many post offices do. If the user is willing to pay $20/yr, that'd probably cover the cost of keeping a mailbox open, and would solve the problem without having to invent new rules and mechanisms.

Box Of Meat: SophosLabs: All browsers are (not) created equal

2010-03-05T21:51:58+00:00

SophosLabs: All browsers are (not) created equal:

“It is going to be very interesting to follow the browser race now that Microsoft had to offer an alternative web browser with Windows Update and new Windows installations. So, are we going to see other browser equally used and equally targeted by malware writers? Could we expect a flood of newly discovered vulnerabilities when vulnerability researchers change their focus?”

Box Of Meat: Word to the Wise: Improving the email interface

2010-03-05T20:50:52+00:00

Word to the Wise: Improving the email interface:

“The way to get the functionality inserted as a standard part of the software/web interface, is to get users to ask for it. In order to get users to ask for it, the best way to start is to create a plug-in that they like and use. If they like it in their Outlook interface at work, then they’ll ask for it in their webmail interface at home.”

Spam Wars Dispatches: Phony YouTube Malware Lure

2010-03-05T20:44:23+00:00

Look out folks, especially Windows users. A message claiming to originate from YouTube has an unwanted surprise.

The message Subject: line is:

Subject: YouTube Open the WORLD for you.

The body of the message consists of one publicly hosted image snapshot of a YouTube home page:

If you click anywhere on the image, you may download a malware file (.scr extension) from a hijacked web site.

Danger, Will Robinson!!

Spam Wars Dispatches: Warez Seller Omits a Step

2010-03-05T20:30:29+00:00

I suppose there are plenty of takers for so-called downloadable or OEM software pitched by countless spam messages over the years. In the "old" days, it was just pirated software the buyer would get (if he or she got anything in return for $59). In more recent years, however, these warez sellers profit still further by embedding malware into the packages.

Thus, I got a laugh out of a spam message today that listed three easy steps to getting cheap software:

Subject: Windows7 much more stable
Hello, Dannyg
What does the "Downloadable Software" mean?

Step 1 - Download soft archive and save it on your computer.
Step 2 - Extract archive.
Step 3 - Install it and use!

Visit our Windows and MAC store

Dannyg, D33W-3459 your personal code to get 30% discount on all products.

You see, the seller left out one more item:

Step 4 - Hand over your computer and passwords to us without knowing it!

Box Of Meat: PCWorld: FBI Embeds Cyber-investigators in Ukraine, Estonia

2010-03-05T19:50:50+00:00

PCWorld: FBI Embeds Cyber-investigators in Ukraine, Estonia:

‘Troy wouldn’t comment on what cases the agents were working, but he said, “those countries were selected for a reason.”’

Terry Zink: Not a great week for outbound spam

2010-03-05T19:06:27+00:00

It hasn’t been a great week this week (March 1-5) for some of our customers who use us for outbound mail relay. I’m not going to name names because there have been a wide variety of users, but every single day this week we have had one or two organizations that have been sending abusive content to the rest of the Internet. A normal week is one or two violations. We’ve had 8 or 9 so far and we haven’t even hit Saturday yet.

Now, I will admit that the script I use to track the egregious violators was written by me, and this script had an error that I only managed to fix on Feb 25. So, it’s possible that we had a lot more violators each week, I just didn’t know about it. What’s weird is that my script worked sometimes but not always, I had to do some debugging and I found that another script that it points to got moved and so for some reason it was working part of the time but not all of the time. Why it worked some of the time makes no sense to me since it was pointing to a non-existent piece of code…

Anyhow, the point is this week we have seen piles and piles of outbound spam emitting from our network. It’s been so bad that I have been prompted to accelerate my plans to mitigate it by coming up with some band-aid solutions. I am experimenting with auto-additions of known bad users from organizations with checkered reputations. In other words, if you were bad before, then we will auto-add users to a banned_sender list until they clean up their act and there will be no notification that we are going to do this.

Automation of actions like this are risky. But we can’t keep going like this because these spam campaigns are happening in the middle of the night. Three hours later they are done. Our reaction time needs to be quicker and human response just isn’t fast enough.

Sophos Blog (Spam Category): All browsers are (not) created equal

2010-03-05T17:17:25+00:00

My friends often ask me about steps they can take to keep their systems at work and home free from malware. Apart from the usual recommendation to use alternative, less targeted and therefore slightly more secure operating system like Linux or OSX (OpenBSD would also be an interesting alternative) I used to mention that a change of the web browser would also be very helpful.

Internet Explorer is still the most commonly used browser with a little above 60% market share, but its market share is steadily in decline in the last couple of years. I am fairly sure that one of the main reasons people move to Firefox or Chrome is perceived lack of security. Internet Explorer is the most common target for malware and various exploit packs although the latest versions have proved to be much more resilient to various attacks. With most of the users finally making the switch away from IE6 we hope that the exploits will be even less successful in the future. This of course means that attackers are changing their focus to other products like Adobe Reader of Flash, the most commonly used internet applications after browsers. Exploiting Flash or Adobe Reader allows the attacker to abstract the browser version and often the browser itself. Adobe’s attitude to security also does not help.

It is going to be very interesting to follow the browser race now that Microsoft had to offer an alternative web browser with Windows Update and new Windows installations. So, are we going to see other browser equally used and equally targeted by malware writers? Could we expect a flood of newly discovered vulnerabilities when vulnerability researchers change their focus?

One of the browsers that could benefit from the new browser equality is Opera whose download numbers allegedly tripled since the beginning of the new regime. It is well known that attacks come with the platform popularity and perhaps this is why a new Opera vulnerability with the accompanying proof of concept code was disclosed the day before yesterday.

The vulnerability is a classic integer overflow in opera.dll which can be triggered if the attacker changes the value of the Content Length header of the HTTP response. The integer overflow eventually causes an access protection exception due to an attempted write to a non-allocated memory page. I had a quick look at the proof of concept exploit, which only causes browser to crash to find if the bug is easily exploitable. Since I could not find anything obvious with my 101 level exploit development skills I decided to leave it to exploit development experts and go back to analysing malware and protecting Sophos users.

Sophos Blog (Spam Category): Who’s watching you really?

2010-03-05T15:31:24+00:00

This morning while I was enjoying my coffee I received an event notification for my personal Facebook account. It was for a group called “See Who’s Spying On Your Profile - GET NOTIFIED -”. and “See Everyone Who Views Your Profile”. Immediately, my security hat went on and I started to investigate.

At first glance, they are both pyramid schemes. In both, you become a fan, then you have to suggest the page to 50 of your friends to move onto the next stage. From there the tactics diverge slightly. In the first one, you need to take a marketing quiz that asks for all sorts of personal info, and you need to put in your Facebook username and password, so they can “monitor” your profile. AND you have to provide them with your mobile number. Now wait a minute… why would they need my mobile number?

Hang on. That seems a bit “phishy” to me. Let’s check what they have to say on their wall.

Sure enough, based on the comments left on the page, this “notify” feature doesn’t work. This group had over 58,000 fans.

In the second one, it was not so much a phish as a way to get you to download a toolbar. In the invite is a shortened URL that leads to a download site. It’s a “social network” toolbar that has various “widgets” for social sites such as Facebook, Twitter, Flickr, etc. This group had over 300,000 members.

So wait a minute, more than 358,000 people have willingly given their login details with little thought. They were so concerned with who was “spying” on their profile (there’s been a lot of media about insurance companies accessing social media sites as a way to deny claims), that they fell for the bait - hook, line and sinker. If you are concerned about who is viewing your Facebook profile, please check out these links to lock down your privacy settings.

http://www.sophos.com/security/topic/facebook.html
http://www.sophos.com/security/best-practice/facebook/

All Spammed Up: 3000 Credit Cards Compromised in Data Breach

2010-03-05T13:43:55+00:00

3000 credit card numbers belonging to customers of electronics retailer Small Dog Electronics have been compromised in a data breach. The breach left the sensitive data exposed for almost a month between late December and late January. The company claims it is PCI compliant and that it was subjected to a penetration test. They are now pursing the issue with that tester. The CEO, Don Mayer said the security flaw has been fixed but had no other details, admitting he did not even know what language their ecommerce system was written in.

“I’m very proud of our staff in terms of their reaction. We have dealt with this very responsibly, and notified customers immediately of the breach,” Mayer added. “We are doing everything in our power to reclaim our customers’ trust and provide the credit monitoring services that are necessary.”

Small Dog’s customers appear to be less satisfied with the company’s response, claiming the letters sent explaining the incident offer no compensation or credit protection and that although the company will provide the service if asked, many don’t realize they can ask.

Should a company offer credit protection in the event of a data theft? I believe so. It’s an important step in keeping your existing customers’ trust and gaining that of potential new customers. Data breaches are a growing threat. Last year the average total cost of a data breach was $6.75 million for an average of $204 per compromised record. Security experts say there are three main causes of data breaches, System glitches, which account for 36%, malicious attacks, which account for 24%, and the most common cause, negligence or simple human error, which accounts for a whopping 40% of all data breaches.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

3000 Credit Cards Compromised in Data Breach

Sophos Blog (Spam Category): Adservers compromised in latest Zbot push

2010-03-05T11:56:24+00:00

As we have commented before [1,2] when content served up from adservers is compromised, the effects can be far reaching, potentially exposing huge numbers of victims to the malicious code as they innocently browse legitimate sites. The problem is further complicated by the fact that legitimate ad content is often heavily obfuscated, in order to evade ad-blocking technology [3].

During the latter half of this week we have seen a whole batch of compromised adservers injected with malicious JavaScript to silently load malicious content from a remote site. A significant number of popular sites that load ads content from these servers have therefore been affected by this attack.

The injected malicious JavaScript can be seen at the top of the ads content:

Adstreams compromised in this way are being blocked by Sophos products as Mal/Iframe-F.

Readers may recognise the target domain, masquerading as a legitimate Google Analytics site. It was mentioned in the ISC handlers diary yesterday [4].

So what happens when the compromised ads are loaded by the browser?

301 redirect from google-analitics dot net to a salefale dot com subdomain.
malicious script (detected as Mal/ObfJS-BP) which attempts to load further malicious Flash (Troj/SWFExp-N), Java (Troj/Clsldr-U) and PDF (Troj/PDFJs-B) content in order to deliver the payload.
payloads seen thus far have been Zbot (detected as Troj/Zbot-MU) and Bredo (detected as Mal/Bredo-E).

It would appear that salefale dot com is now inactive, though we can expect the attack to simply move to new sites.

Terry Zink: Authorities take down the Mariposa botnet

2010-03-05T00:33:05+00:00

There are a number of sources talking about the takedown of the Mariposa botnet, here are a few of the good ones:

The Associated Press details the story and talks about the technical aspects of the takedown.
Boing Boing only has an excerpt. Nothing too detailed.
Panda Labs, who assisted in the disruption, has their own blog about their participation and the actions that they took.
Symantec adds something to the discussion with their analysis on the chief piece of malware in the botnets (W32.Pilleuz, aka Win32/Rimecud.R)
Gary Warner, over at the University of Alabama, has a great discussion on botnets. He urges the anti-botnet community to move from a model of taking botnets with technology to taking down spammers within the legal framework.

In case you haven’t been reading through the security space lately and mine is the only blog you read, here’s the 411 rundown: Spanish authorities, working with researchers from Panda Labs, Defence Intelligence and a couple of other educational institutions, took down the Mariposa botnet (Mariposa is the Spanish word for “butterfly”). The Mariposa botnet is an absolutely enormous with around 12 million (!) nodes doing its bidding. It was involved in things like credit card phishing and identity fraud.

Yet the thing about the Mariposa botnet was not its sophistication, but rather its lack of sophistication of the people running it. It wasn’t a bunch of cybercrooks in Eastern Europe running it, but everyday ham-and-eggers like you and me. To be sure, the infrastructure of Mariposa was sophisticated with VPN traffic and hiding behind other drones, but what ultimately led to its downfall was one of its operators making a mistake. In December, the botnet was knocked offline and the people running it weren’t making money. Driven by hubris, one operator attempted to regain control of it – by connecting to it via his home computer. That was his critical mistake; he sent a flood of DOS traffic to Defence Intelligence, the Canada-based organization responsible for assisting in taking it offline. However, it was this direct connection that left a trail to him and allowed authorities in Spain the chance to move in and make the arrest.

The people behind it were not tech-heavy hackers, but instead were cyber criminals who outsourced most of the work in an attempt to move to crime online.

Is such a takedown effective? Here’s Gary Warner’s take:

Those of you have heard me speak in person know that I believe the answer to these botnets and their continued survival must be the Criminal Justice process. When McColo was shut down (see Analyzing the Aftermath of the McColo Shutdown or Brian Krebs' Major Source of Online Scams and Spams Knocked Offline) spam had a significant world-wide drop in volume, but it rebounded. Why? Because no bad guys went to jail.

Our friends at FireEye are doing amazing botnet work (see their blog @ FireEye Malware Intelligence Lab, but without convictions, even the successful botnet takedowns, like their work on Smashing the Mega-D/Ozdok Botnet eventually rebound.

Cautions are already being expressed as a result of the Waledac take-down, that by using TECHNOLOGY to do the takedowns instead of CRIMINAL JUSTICE APPROACHES that we are just helping to rapidly evolve the capabilities of the various cyber criminals who make their living through spam.

We have to move from DISABLING the C&C networks, to MONITORING the C&C networks. Bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door.

My own approach is that the fight against spammers is a multi-pronged approach. No one company really has a handle on it and instead a combination of techniques is required. In no particular order:

Vendors must build software that is secure.
Users must make sure that their software is up to date with latest patches.
Users must use security software.
Anti-abuse technology (spam filters, corporate firewalls) must be effective to disrupt the spammers’ cost models.
Law enforcement must move to take down cyber criminals.
Governments must pass laws clearly defining and/or updating laws surrounding electronic abuse.
Spammer infrastructure must be disrupted.
Organizations need to monitor and mitigate abuse, reactively and proactively.

So, realistically, advocating one solution over another has its merits but we are still a long ways away from stamping out abuse. If spammers can hit users with different types of threats (Black SEO, rogue A/V, spam, DOS attacks, etc), then anti-abuse proponents must similarly have a large arrow full of quivers with which they can use to strike back.

Box Of Meat: CSO: Security B-Sides: Perfect Authentication Remains Elusive

2010-03-04T21:21:57+00:00

CSO: Security B-Sides: Perfect Authentication Remains Elusive:

“Everyone realizes passwords have their shortcomings. But alternatives like two-factor authentication are not as powerful as one would expect. The problem? As always — human behavior.”