<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>Anti spam and general email security in a business environment</title>
	<atom:link href="http://www.allspammedup.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<pubDate>Fri, 03 Jul 2009 08:10:54 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>China Remains a Spam Haven Thanks To Indifferent ISPs</title>
		<link>http://www.allspammedup.com/2009/07/china-remains-a-spam-haven-thanks-to-indifferent-isps/</link>
		<comments>http://www.allspammedup.com/2009/07/china-remains-a-spam-haven-thanks-to-indifferent-isps/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 08:10:54 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[ISPs]]></category>

		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1183</guid>
		<description><![CDATA[Researchers at the University of Alabama say almost all of the websites advertised through spam are hosted in China on servers protected by bulletproof hosting. That means that the ISPs who provide hosting to spammers and malicious domains simply don’t care and ignore abuse complaints and take down orders.
The researchers reviewed millions of spam messages [...]]]></description>
			<content:encoded><![CDATA[<p>Researchers at the University of Alabama say almost all of the websites advertised<img class="alignright size-full wp-image-1184" title="China's ISPs continue to harvest spam" src="http://www.allspammedup.com/wp-content/uploads/2009/06/6a00d83451b09469e200e5527943058833-800wi1.png" alt="6a00d83451b09469e200e5527943058833-800wi1" width="99" height="99" /> through spam are hosted in China on servers protected by bulletproof hosting. That means that the ISPs who provide hosting to spammers and malicious domains simply don’t care and ignore abuse complaints and take down orders.</p>
<p>The researchers reviewed millions of spam messages and found that over 69,000 unique domains hosted the websites found in the spams and of those, 70% were located in China, making it a definite spam haven.</p>
<p>&#8220;It is very normal that more than one-third of the domain names we see each day in spam messages come from China,&#8221; wrote Gary Warner, director of research in computer forensics at the university. &#8220;When one also considers the many &#8216;.com&#8217; and &#8216;.ru&#8217; domain names which are also hosted in China, the problem is much worse.&#8221;</p>
<p><span id="more-1183"></span>The so-called bulletproof providers actively recruit spammers and cybercriminals, going as far as to post ads on the underground websites where they are known to socialize. These hosts ignore take down requests and abuse reports and even make IP addresses hard to trace. A Chinese domain name can be had for a mere 15 cents, which only adds to the problem.</p>
<p>The researchers aren’t sure all the providers hosting the spam domains are bulletproof, however. They speculate that a few may simply not have the resources or understanding to deal with the problem. Curiously enough, while the Chinese government has made headlines and waves with its increasing attempts to censor the Internet in the name of fighting porn, it has had nothing to say about the spam problem. It’s not known if they are even aware that there is one!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/07/china-remains-a-spam-haven-thanks-to-indifferent-isps/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Zbot Trojan is Harvesting FTP Credentials From Major Websites</title>
		<link>http://www.allspammedup.com/2009/07/zbot-trojan-is-harvesting-ftp-credentials-from-major-websites/</link>
		<comments>http://www.allspammedup.com/2009/07/zbot-trojan-is-harvesting-ftp-credentials-from-major-websites/#comments</comments>
		<pubDate>Thu, 02 Jul 2009 12:23:50 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[hackers]]></category>

		<category><![CDATA[spam]]></category>

		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1179</guid>
		<description><![CDATA[A British security vendor has discovered that the ZBot Trojan has harvested the FTP credentials of over 68,000 websites including Bank of America, the BBC, Amazon, Cisco, Monster.com and most of the major anti-spam software makers. The credentials could allow hackers to compromise legitimate sites with malicious code and drive by downloads.
To make matters worse [...]]]></description>
			<content:encoded><![CDATA[<p>A British security vendor has discovered that the ZBot Trojan <img class="alignright size-full wp-image-1180" title="Major sites were hacked by the Zbot Trojan" src="http://www.allspammedup.com/wp-content/uploads/2009/06/msf3-hashdump_small.jpg" alt="msf3-hashdump_small" width="161" height="147" />has harvested the FTP credentials of over 68,000 websites including Bank of America, the BBC, Amazon, Cisco, Monster.com and most of the major anti-spam software makers. The credentials could allow hackers to compromise legitimate sites with malicious code and drive-by downloads.</p>
<p>To make matters worse the list of FTP credentials is stored on a server in China in plain text, making it available to anyone who stops by. Experts say they were all stolen within the past 2 weeks and most are still valid.</p>
<p>The ZBot Trojan has also been spotted in several email attacks masquerading as everything from a ticket confirmation from Delta Airlines to a critical update for Microsoft Outlook. If downloaded it steals personal information using a keylogger.</p>
<p>It’s crucial to make sure any unused FTP credentials on your website are disabled and that active ones have their passwords changed regularly. As we saw recently when hundreds of government sites in the UK were compromised and redirected visitors to internet pharmacies selling Viagra or porn sites, hackers are eager to infect legit sites. If they hit yours it could be a real nightmare for you and your customers, so stay alert and keep an eye on your servers and FTP logins!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/07/zbot-trojan-is-harvesting-ftp-credentials-from-major-websites/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Protecting Exchange Server 2007 Distribution Groups from Spam</title>
		<link>http://www.allspammedup.com/2009/07/protecting-exchange-server-2007-distribution-groups-from-spam/</link>
		<comments>http://www.allspammedup.com/2009/07/protecting-exchange-server-2007-distribution-groups-from-spam/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 12:41:08 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
		
		<category><![CDATA[Exchange Server]]></category>

		<category><![CDATA[anti spam]]></category>

		<category><![CDATA[anti-spam software]]></category>

		<category><![CDATA[Distribution Lists]]></category>

		<category><![CDATA[Exchange 2007]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1187</guid>
		<description><![CDATA[I was discussing a spam problem with a customer recently and they mentioned to me that one of their biggest problems is spam sent to their email distribution lists.  The problem had come about due to two things - firstly the email addresses for some of their distribution lists are very easy to guess (eg, [...]]]></description>
			<content:encoded><![CDATA[<p>I was discussing a spam problem with a customer recently and they mentioned to me that one of their biggest problems is spam sent to their email distribution lists.  The problem had come about due to two things - firstly the email addresses for some of their distribution lists are very easy to guess (e.g., the &#8220;All Staff&#8221; email group has an email address of allstaff[at]company.com), and secondly there had been occasions in the past where staff exposed the email addresses by CC&#8217;ing them on emails sent outside the company.</p>
<p>Over time the problem has grown to the point where it is now very frustrating for their staff.  They&#8217;ve asked me for some suggestions on how to fix this problem, so I presented them with these options.</p>
<h2>Requiring Authentication for Exchange Server 2007 Distribution Groups</h2>
<p>The default behavior for newly created distribution groups in Exchange Server 2007 is to require that all senders be authenticated, or the message is simply rejected.  This is useful; however, for the vast majority of Exchange Server 2007 organisations the distribution groups existed prior to the upgrade to Exchange Server 2007.  In these cases the authentication requirement is not enabled.</p>
<p><span id="more-1187"></span>To require authentication for a distribution group simply open the group properties, navigate to the Mail Flow Settings tab, open the Message Delivery Restrictions and then tick the box marked &#8220;Require that all senders are authenticated&#8221;.</p>
<p><img class="alignnone size-medium wp-image-1188" src="http://www.allspammedup.com/wp-content/uploads/2009/07/distlists01-400x306.png" alt="distlists01" width="400" height="306" /></p>
<p>While this solution has the desired effect of preventing spam from reaching the distribution group, it also prevents other legitimate outside email from reaching the list.</p>
<h2>Filtering Distribution Groups by Sender</h2>
<p>The authentication requirement will prevent legitimate outside email from reaching important distribution groups.  To resolve this, you can instead use the same Message Delivery Restrictions to control which senders are permitted to send to the distribution group.</p>
<p><img class="alignnone size-medium wp-image-1189" src="http://www.allspammedup.com/wp-content/uploads/2009/07/distlists02-400x208.png" alt="distlists02" width="400" height="208" /></p>
<p>This method causes some extra administrative burden for the email server admins because each permitted sender must first be added as an Exchange Contact.  Furthermore if you want the distribution group to receive emails from internal staff you need to ensure they are also added to the list, either directly or via a group.</p>
<h2>Obscuring Distribution Group Email Addresses</h2>
<p>One method that most email admins will try at least once in their career is to obscure the email address of distribution groups to make it harder to guess, or to make it impossible to send to from outside the organization.  In Exchange Server 2007 this is achieved by using Email Address Policies that apply only to distribution group objects.</p>
<p>For example, the policy may apply a string of characters to the email address to make it harder to guess, such as allstaff_ksf2ui2[at]company.com.  While this does have the effect of making it nearly impossible to guess it does nothing to prevent exposure of the email address if it were included in an email sent outside the organization.</p>
<p>A second technique is to use an SMTP domain that is invalid outside of the organization.  For example allstaff[at]groups.company.com or allstaff[at]company.local.  This has the effect of nullifying any exposure of the email address outside the organization but similar to the earlier filtering techniques it prevents legitimate outside email from reaching the group.</p>
<h2>Implementing an Anti-Spam Solution</h2>
<p>Although the customer was seeking a free solution once I explained each of the options above it became clear to them that these techniques would either be ineffective, require too much effort to maintain, or would prevent legitimate business use of their distribution groups.</p>
<p>Instead they agreed to <a href="http://www.allspammedup.com/2009/05/how-to-evaluate-anti-spam-products-for-your-business/" >trial an anti-spam solution</a>, which satisfied them by preventing spam and other unwanted emails in an effective and easy to manage way. They ultimately purchased it and are now happily getting on with their business without the constant hassle of spam.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/07/protecting-exchange-server-2007-distribution-groups-from-spam/feed/</wfw:commentRss>
		</item>
		<item>
		<title>New Malware Attack Pretends to Be a Microsoft Update</title>
		<link>http://www.allspammedup.com/2009/07/new-malware-attack-pretends-to-be-a-microsoft-update/</link>
		<comments>http://www.allspammedup.com/2009/07/new-malware-attack-pretends-to-be-a-microsoft-update/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 12:11:26 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[hacking]]></category>

		<category><![CDATA[malware]]></category>

		<category><![CDATA[Microsoft]]></category>

		<category><![CDATA[policies]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1175</guid>
		<description><![CDATA[A new malware attack is lurking behind emails made to look like Outlook updates sent by Microsoft. The messages look authentic and include a link that looks like it points to update.microsoft.com but actually points to a malicious domain. If clicked the link activates a download which contains the Zbot Trojan. Zbot steals usernames, passwords [...]]]></description>
			<content:encoded><![CDATA[<p>A new malware attack is lurking behind emails made to look like <a target="_blank" href="http://www.gfi.com/blog/fake-update-microsoft-outlook-outlook-express-kb910721/" onclick="javascript:pageTracker._trackPageview('/outbound//http://www.gfi.com/blog/fake-update-microsoft-outlook-outlook-express-kb910721/');">Outlook updates</a> sent by Microsoft. The messages <img class="alignright size-full wp-image-1176" title="Microsoft Outlook update emails are malware" src="http://www.allspammedup.com/wp-content/uploads/2009/06/word-sell-spammer.jpg" alt="word-sell-spammer" width="196" height="156" />look authentic and include a link that looks like it points to update.microsoft.com but actually points to a malicious domain. If clicked the link activates a download which contains the Zbot Trojan. Zbot steals usernames, passwords and banking information and installs a rootkit that could allow a hacker access to any network the infected computer is attached to.</p>
<p>Zbot even contains a list of specific sites to monitor including Facebook, MySpace, Bank of America, Amazon, HSBC, Paypal, Blogger, and just about every bank you can think of. This Trojan means business. Once a user on an infected machine accesses one of the sites on the list, a built in keylogger is activated and records their information. The stolen information is then uploaded to a remote server.</p>
<p><span id="more-1175"></span>Zbot has been spotted in several previous attacks. One pretended to be a notice from UPS, another a ticket confirmation from Delta Airlines and a third a notice from Western Union. The gang behind the attacks is said to be hiding out in Russia.</p>
<p>To protect yourself and your users, remember that common sense is a hacker’s worst enemy. They are hoping people will trust that it is a real update from Microsoft even though it’s well known that Microsoft pushes their patches through on the second Tuesday of each month only and never ever sends them via email. If you get an update from anywhere other than the Microsoft Update console, chances are it&#8217;s fake. Make sure you have a policy in place regarding software installation. It’s probably best to restrict everyone but the IT department from doing any at all.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/07/new-malware-attack-pretends-to-be-a-microsoft-update/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Phishing Down Under</title>
		<link>http://www.allspammedup.com/2009/06/phishing-down-under/</link>
		<comments>http://www.allspammedup.com/2009/06/phishing-down-under/#comments</comments>
		<pubDate>Tue, 30 Jun 2009 13:36:11 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
		
		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[email spam]]></category>

		<category><![CDATA[scam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1171</guid>
		<description><![CDATA[The Sydney Morning Herald reported yesterday that a new scam is making the rounds in the land down under. A perpetrator of a phishing scam has created an email scam, claiming to be the Australian Tax Office (ATO). The email promises Aussie taxpayers a $250 bonus with their tax return, and sends them to an [...]]]></description>
			<content:encoded><![CDATA[<p>The Sydney Morning Herald reported yesterday that a new scam is making the rounds in the land down under. A perpetrator of a phishing scam has created an email scam, claiming to be the Australian Tax Office (ATO). The email promises Aussie taxpayers a $250 bonus with their tax return, and sends them to an online form that asks for their tax information, along with their bank account data.</p>
<p>The web site containing the form then asks the victim to mail a printed copy of the form to an address. The print-and-send is just a ruse, though; the data is actually captured through a hack when the victim presses the &#8220;print&#8221; button. The email, like many such scams, attempts to create a false sense of security by claiming the print-and-send routine is being done for the victim&#8217;s safety.</p>
<p>Officials still have not been able to trace the source of the fraudulent email sender, who is using a bot network to send the emails. The ATO recommends that people delete emails like this immediately, and advises that they do not ask people to provide personal information by email. The same holds true for most, if not all, tax collecting agencies in other countries.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/phishing-down-under/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Spammers Already Exploiting Michael Jackson&#8217;s Tragic Death</title>
		<link>http://www.allspammedup.com/2009/06/spammers-already-exploiting-michael-jacksons-tragic-death/</link>
		<comments>http://www.allspammedup.com/2009/06/spammers-already-exploiting-michael-jacksons-tragic-death/#comments</comments>
		<pubDate>Fri, 26 Jun 2009 13:02:24 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[spam emails]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1165</guid>
		<description><![CDATA[Just hours after Michael Jackson died yesterday, spam with subject lines claiming to have “exclusive information” on his death began flooding the net. The emails don’t contain any malicious links or attachments but seem to be an attempt to collect emails for a future attack. Researchers say anyone that replies to the spam will likely [...]]]></description>
			<content:encoded><![CDATA[<p>Just hours after Michael Jackson died yesterday, spam with subject lines claiming to have “exclusive information” on<img class="alignright size-full wp-image-1166" title="michael-jackson" src="http://www.allspammedup.com/wp-content/uploads/2009/06/michael-jackson.jpg" alt="michael-jackson" width="124" height="127" /> his death began flooding the net. The emails don’t contain any malicious links or attachments but seem to be an attempt to collect emails for a future attack. Researchers say anyone that replies to the spam will likely have their address harvested and that it wouldn’t be surprising to see future spams containing links to malicious payloads masquerading as exclusive video of Jackson’s last moments or autopsy photos.</p>
<p>News of the pop icon’s tragic death from what appears to be a sudden cardiac arrest caused an overwhelming spike in traffic that crashed Google, Wikipedia, AIM and Twitter for short periods and caused Facebook to slow to a crawl. Spammers and scammers are jumping at the chance to take advantage of all that traffic. Exploiting headlines and holidays is one of their favorite tricks. The last big headline they used was the Swine Flu outbreak, and before that President Obama’s inauguration.</p>
<p>Security experts are advising people to get their news only from reputable sources, and it goes without saying that you should never ever reply to a spam message. At best it will just bounce back due to a faked header, at worst it’ll just get you put on a list of people that respond to spam, meaning you’ll become a prime target for spammers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/spammers-already-exploiting-michael-jacksons-tragic-death/feed/</wfw:commentRss>
		</item>
		<item>
		<title>UK Furniture Company Apologizes For Exploiting Iran Conflict in Twitter Spam</title>
		<link>http://www.allspammedup.com/2009/06/uk-furniture-company-apologizes-for-exploiting-iran-conflict-in-twitter-spam/</link>
		<comments>http://www.allspammedup.com/2009/06/uk-furniture-company-apologizes-for-exploiting-iran-conflict-in-twitter-spam/#comments</comments>
		<pubDate>Thu, 25 Jun 2009 12:25:52 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[spam]]></category>

		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1158</guid>
		<description><![CDATA[British furniture retailer Habitat has apologized for exploiting the Iran conflict in an attempt to promote its Twitter feed. The company came under fire after it began using keywords related to the current conflict in its tweets, which otherwise had nothing to do with the subject. This is referred to as hashtag spam and is [...]]]></description>
			<content:encoded><![CDATA[<p>British furniture retailer Habitat has apologized for exploiting <img class="alignright size-full wp-image-1159" title="UK Furniture Company Apologizes For Exploiting Iran Conflict in Twitter Spam" src="http://www.allspammedup.com/wp-content/uploads/2009/06/spammer3ir.png" alt="spammer3ir" width="185" height="124" />the Iran conflict in an attempt to promote its Twitter feed. The company came under fire after it began using keywords related to the current conflict in its tweets, which otherwise had nothing to do with the subject. This is referred to as hashtag spam and is widely frowned upon by Twitter users. The company also used other high trending keywords such as #Apple and #iPhone.</p>
<blockquote><p>          Sky News Online has reported a Habitat spokesman as saying: &#8220;This was a mistake and it is important to us that we always listen, take on board observations and welcome constructive criticism. We will do our utmost to ensure any mistakes are never repeated.&#8221;</p></blockquote>
<p>The company has not issued an apology on Twitter but did quietly delete all the spam tweets it posted. It’s not clear why they felt hashtag spamming was okay to do, although they told a blog that it was done without their knowledge. That sounds a little hard to believe but it wouldn’t be the first time a rogue employee was blamed for a blunder that became a PR nightmare.</p>
<p>The moral of the story? Twitter can be a valuable tool to help you reach out to customers and potential customers, but tread carefully and follow the rules. Spam is no more acceptable there than it is anywhere else.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/uk-furniture-company-apologizes-for-exploiting-iran-conflict-in-twitter-spam/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Using Email Marketing the Right Way</title>
		<link>http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/</link>
		<comments>http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/#comments</comments>
		<pubDate>Wed, 24 Jun 2009 13:01:12 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[anti spam]]></category>

		<category><![CDATA[Email Marketing]]></category>

		<category><![CDATA[spam]]></category>

		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1144</guid>
		<description><![CDATA[There is no question that spam is a problem for businesses who must deal with thousands or even millions of unsolicited advertising, phishing, and hoax emails every year.  But the problem of spam becomes more than just how to deal with the incoming junk.  Spam also hinders the ability of businesses to engage in effective [...]]]></description>
			<content:encoded><![CDATA[<p>There is no question that spam is a problem for businesses who must deal with thousands or even millions of unsolicited advertising, phishing, and hoax emails every year.  But the problem of spam becomes more than just how to deal with the incoming junk.  Spam also hinders the ability of businesses to engage in effective email marketing.</p>
<h2>What is Email Marketing?</h2>
<p>Email marketing is quite simply the legitimate use of email for communicating with customers.  The problem today is that many people cannot tell the difference between email marketing and email spam.  In fact some spammers can&#8217;t even tell the difference, branding themselves as &#8220;internet marketers&#8221; and operating with no regard for the problems that they cause.</p>
<p><span id="more-1144"></span>Kevin Garber from <a target="_blank" href="http://www.melon.com.au/" onclick="javascript:pageTracker._trackPageview('/outbound//http://www.melon.com.au/');">Melon Media</a> in Sydney, Australia says, &#8220;<em>Increasingly the determining factor of what is or isn&#8217;t &#8217;spam&#8217; is in the eye of the recipient, so often legitimate email marketing and spam can be lumped in the same bucket</em>.&#8221;</p>
<p>With such a grey line between the two, where can email users begin when trying to make the distinction?  &#8220;<em>Genuine spam however is often designed to confuse and trick recipients.  It is also usually very difficult to tell who the sender of genuine spam is</em>,&#8221; Garber says.  &#8220;<em>Legitimate email marketing at least attempts to do everything by the book - including full disclosure of who the email is from and clarity of all commercial offers</em>.&#8221;</p>
<p>Adding to the confusion is the problem of email marketing being confused for spam when the end user simply forgets that they signed up to receive it.  As <a target="_blank" href="http://blogs.msdn.com/tzink/archive/2009/05/28/options-for-dealing-with-unwanted-mail.aspx" onclick="javascript:pageTracker._trackPageview('/outbound//http://blogs.msdn.com/tzink/archive/2009/05/28/options-for-dealing-with-unwanted-mail.aspx');">Microsoft&#8217;s Terry Zink</a> points out from experience, &#8220;<em>It&#8217;s not at all uncommon for users to regularly submit non-spam messages as spam.  The most common of these are opt-in newsletters.  Mail the user opted into at one point but no longer wants to receive.</em>&#8221;</p>
<h2>The Challenge of Email Marketing</h2>
<p>Spam presents two significant challenges to legitimate email marketing.  Firstly it hinders the ability of businesses to have their email communications reach interested customers.  Belinda Jackson of <a target="_blank" href="http://www.webchameleon.com.au/" onclick="javascript:pageTracker._trackPageview('/outbound//http://www.webchameleon.com.au/');">Web Chameleon</a> says, &#8220;<em>Getting legitimate email marketing delivered has become more of a challenge with more and more spam hitting people&#8217;s inboxes.  Tighter spam control at different levels of the delivery process means that some email does not get delivered.  This of course, is a challenge for those of us who wish to only send valued Email Marketing to their clients and opt-in subscribers.</em>&#8221;</p>
<p>Sometimes these problems can be technical in nature, caused by an overly aggressive content filter or keyword blacklist configured by the email administrator.  Other times the problem can arise when servers used by email marketers end up on RBLs such as SpamHaus.  This is particularly an issue when the email administrator has an objection to any emails that do not directly relate to their company&#8217;s business activities.</p>
<p>&#8220;<em>Both corporate mail administrators and independent blacklists have at various stages blacklisted us</em>,&#8221; says Garber.  &#8220;<em>All were resolved but clients suffered periods of inconvenience</em>.&#8221;</p>
<h2>Engaging in Email Marketing</h2>
<p>For businesses that wish to use email marketing they need to plan their strategy correctly to avoid being viewed as a spammer.  Both Jackson and Garber agree on some important steps to take.</p>
<ul class="unIndentedList">
<li>Only send marketing emails to opt-in recipients</li>
<li>Always include a clear reminder in the email so the recipient knows how you acquired their email address</li>
<li>Never buy lists of email addresses for marketing purposes</li>
<li>Have a visible and simple way for the recipient to unsubscribe, and make sure it works</li>
<li>Use a reputable email marketing service that treats deliverability as a high priority</li>
<li>Be aware of the anti-spam laws of your jurisdiction and operate within those boundaries</li>
</ul>
<h2>Solving the Problem for Businesses</h2>
<p>Because email spam is an international problem the real solution must be a global one.  Garber proposes that global legislation combined with a &#8220;<em>global law enforcement team with the mandate to track down all genuine spam campaigns and press charges</em>&#8221; could go a long way to resolving the issue.  In the meantime, &#8220;<em>Users have generally adapted to the problem, but the industry should continue to be vigilant in seeking a mix of technical and legal based solution to this problem.&#8221;</em></p>
<p>Despite what some email administrators might think, doing away with email marketing entirely is not the solution.  As Jackson puts it, &#8220;<em>The reality is that a lot of people actually enjoy getting marketing letters and brochures in their letterboxes much like many people enjoy receiving commercial emails and newsletters that provide value and that they have subscribed to.&#8221;</em></p>
<p>With this in mind it is important to understand that poorly implemented anti-spam systems can ultimately hurt legitimate business activities.  A balance must be struck between preventing spam and allowing businesses to engage in effective email marketing campaigns with their customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Spammer Faces Up to Three Years in Prison</title>
		<link>http://www.allspammedup.com/2009/06/spammer-faces-up-to-three-years-in-prison/</link>
		<comments>http://www.allspammedup.com/2009/06/spammer-faces-up-to-three-years-in-prison/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 12:42:50 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[CAN-SPAM Act]]></category>

		<category><![CDATA[spam legislation]]></category>

		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1150</guid>
		<description><![CDATA[A Michigan man faces up to 3.5 years in prison for his part in a penny stock spam scheme that involved the sending of millions of emails.  63-year-old Alan Ralsky and his son-in-law Scott Bradley faced a 41-count indictment under the CAN-SPAM Act. Ralsky also pleaded guilty to stock fraud and money laundering.
          “Alan [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1151" title="spam" src="http://www.allspammedup.com/wp-content/uploads/2009/06/spam.bmp" alt="spam" width="153" height="110" />A Michigan man faces up to 3.5 years in prison for his part in a penny stock spam scheme that involved the sending of millions of emails. 63-year-old Alan Ralsky and his son-in-law Scott Bradley faced a 41-count indictment under the CAN-SPAM Act. Ralsky also pleaded guilty to stock fraud and money laundering.</p>
<blockquote><p>          “Alan Ralsky was at one time the world’s most notorious illegal spammer,” U.S. Attorney Terrence Berg said after the plea. “Today Ralsky, his son-in-law Scott Bradley, and three of their co-conspirators stand convicted for their roles in running an international spamming operation that sent billions of illegal e-mail advertisements to pump up Chinese ‘penny’ stocks and then reap profits by causing trades in these same stocks while others bought at the inflated prices.”</p></blockquote>
<p>The pair and nine others operated a penny stock pump and dump scheme. They sent out unsolicited emails to millions hyping a worthless Chinese penny stock. When unsuspecting victims fell for the come-ons and bought shares, it artificially inflated the stock’s worth. Ralsky and the others then sold their shares for huge profits and left their victims hanging.</p>
<p>They used forged headers, proxy computers and domains registered under fake names to send their spam without being detected. Prosecutors plan to recommend 35 to 43 months in prison, a term Ralsky agreed to as part of his plea deal. The deal also includes a fine of up to $1 million and an agreement on Ralsky’s part to assist the government in future investigations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/spammer-faces-up-to-three-years-in-prison/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Can you recognize a phish when you see it?</title>
		<link>http://www.allspammedup.com/2009/06/can-you-recognize-a-phish-when-you-see-it/</link>
		<comments>http://www.allspammedup.com/2009/06/can-you-recognize-a-phish-when-you-see-it/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 14:31:28 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
		
		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1135</guid>
		<description><![CDATA[A phish is a phish. We think we know one when we see one, and we wonder how people get away with such obvious attempts. I mean, come on! Sending me an email designed to look like it&#8217;s from Paypal, asking me to log into my account&#8211;but the URL you&#8217;re sending me to is from [...]]]></description>
			<content:encoded><![CDATA[<p>A phish is a phish. We think we know one when we see one, and we wonder how people get away with such obvious attempts. I mean, come on! Sending me an email designed to look like it&#8217;s from Paypal, asking me to log into my account&#8211;but the URL you&#8217;re sending me to is from Russia. Not today, pal. Better luck next time.</p>
<p>But they do get away with it, and they do fool people. Apparently, a fairly high percentage. A recent survey showed that a shocking number of Web users can&#8217;t identify different types of phishing. The survey asked over 1,000 respondents to identify fraudulent phishing sites by showing two Web sites side by side. One of the sites had obvious give-aways, and the other was legitimate&#8211;but a shocking number of people couldn&#8217;t tell the difference. Eighty-eight percent were fooled by a Web site with obvious spelling errors. Sixty-eight percent were fooled by a bogus Web site that didn&#8217;t have the characteristic padlock symbol common to sites using the https protocol, 42 percent were fooled by sites that had strange numerical domain names, and 33 percent were fooled by sites that asked for account information that should not be necessary.</p>
<p>Another surprising statistic, and one that is somewhat embarrassing for us Yanks, is that out of the seven countries included (US, Germany, Sweden, Australia, India, Denmark, and UK), the US respondents were least likely to identify the give-away signs that should tell you you&#8217;re at a phishing site.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/can-you-recognize-a-phish-when-you-see-it/feed/</wfw:commentRss>
		</item>
		<item>
		<title>New Spam Attack Features Blank Messages</title>
		<link>http://www.allspammedup.com/2009/06/new-spam-attack-features-blank-messages/</link>
		<comments>http://www.allspammedup.com/2009/06/new-spam-attack-features-blank-messages/#comments</comments>
		<pubDate>Fri, 19 Jun 2009 13:35:18 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[anti spam]]></category>

		<category><![CDATA[anti-virus]]></category>

		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1137</guid>
		<description><![CDATA[Ads for shady Internet pharmacies are partly responsible for a new spike in spam levels. The spam messages deliver the ads buried in image attachments and most of them hawk Viagra and other similar medications. The subject lines are random and not related to the contents of the messages but they all attempt to direct [...]]]></description>
			<content:encoded><![CDATA[<p>Ads for shady Internet pharmacies are partly responsible for a new spike in spam levels. The spam messages deliver <img class="alignright size-full wp-image-1138" title="New Spam Attack Features Blank Messages" src="http://www.allspammedup.com/wp-content/uploads/2009/06/6a00d83451b09469e200e5527943058833-800wi.png" alt="6a00d83451b09469e200e5527943058833-800wi" width="117" height="98" />the ads buried in image attachments and most of them hawk Viagra and other similar medications. The subject lines are random and not related to the contents of the messages, but they all attempt to direct recipients into clicking on links that lead to various pharmacy websites, some of which could be fake ones. Such malicious sites look legit, offer a shopping cart and accept credit cards, but unlike legit sites, the orders are never sent.</p>
<p>The other type of spam uses a new technique: blank messages. Spammers are sending messages with no subject line or body with the sole purpose of finding out what addresses are valid, usually within specific domains and presumably to harvest those addresses for future spam and/or phishing attacks.</p>
<p>Additionally, malicious spam masquerading as delivery failure notices from Western Union continues to flood the net. This type of spam informs the recipient that a Western Union money transfer could not be completed and directs them to open the included attachment, print out the receipt and bring it to their local Western Union office to get the money back. The scammers are hoping to find a few greedy souls who think they’ve gotten a chance to receive some free money. The attachment actually contains a nasty Trojan.</p>
<p>It’s important to keep all anti-virus products up to date and make sure you have an effective spam filter installed on your network, and as always make sure your employees know to never click on links or open attachments in emails from people they don’t know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/new-spam-attack-features-blank-messages/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Antispam Frameworks Explained</title>
		<link>http://www.allspammedup.com/2009/06/antispam-frameworks-explained/</link>
		<comments>http://www.allspammedup.com/2009/06/antispam-frameworks-explained/#comments</comments>
		<pubDate>Wed, 17 Jun 2009 13:01:07 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[anti spam]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[DKIM]]></category>

		<category><![CDATA[Frameworks]]></category>

		<category><![CDATA[Microsoft]]></category>

		<category><![CDATA[SPF]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1128</guid>
		<description><![CDATA[There are a vast number of different email hygiene solutions on the market today offering protection from viruses, malware, phishing, and spam for customers of all sizes.  Typically these products are built on a combination of several prevention techniques such as content filtering, RBLs, reputation filtering, and safe lists.
Some products also support one or more [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1130" src="http://www.allspammedup.com/wp-content/uploads/2009/06/barrier.jpg" alt="barrier" width="250" height="186" />There are a vast number of different email hygiene solutions on the market today offering protection from viruses, malware, phishing, and spam for customers of all sizes.  Typically these products are built on a combination of several prevention techniques such as content filtering, RBLs, reputation filtering, and safe lists.</p>
<p>Some products also support one or more of a relatively new type of prevention - email authentication.</p>
<h2>What is Email Authentication?</h2>
<p>When the SMTP protocol was first created all users were trustworthy and hence there was no need to include any significant level of security within the protocol.  This has led to many of today&#8217;s problems such as address spoofing.  Several email authentication schemes have appeared on the scene to try to authenticate email using different methods, each with positive and negative aspects.</p>
<h2>Sender Policy Framework</h2>
<p>Sender Policy Framework (SPF) allows domain owners to use DNS TXT records to specify which email servers are allowed to send email for that domain.  This technique works on the assumption that the DNS records for a domain name are correct and trustworthy.  However there are a few weaknesses with this approach.</p>
<p>Firstly there has not been widespread adoption of this method by domain owners.  As such it is not practical for email administrators to block emails that fail an SPF test.  For example, if the owners of the domain example.com have no SPF record in their DNS zone then spammers are free to continue forging example.com email addresses.</p>
<p><span id="more-1128"></span>The method also does not prevent spam being sent through authorized servers.  Senders can still forge the email address of other users of that domain, which makes it ineffective for blocking spam sent from popular web-based email systems that have millions of users.  Furthermore, the SPF test assumes that the authorized server is not an open relay or otherwise compromised.</p>
<p>SPF also breaks completely when email forwarding occurs, which is very common.</p>
<p>Finally, SPF is impractical in any scenario where emails are being sent via an unexpected server, such as home users sending via their ISP.  The domain owner would need to add SPF records for all possible servers that their end users might need to use, which is a significant administrative burden.</p>
<h2>DomainKeys Identified Mail</h2>
<p>DomainKeys Identified Mail (DKIM) is a technique whereby an email sender adds a cryptographic signature to the email header that can be used by the recipient to verify both the source and the integrity of the message content itself.  A receiving server can check the signature using a public key published in the sending domain&#8217;s DNS zone to prove that it was sent by an authorized server.  Although this may be more effective than SPF it also carries some weaknesses.</p>
<p>The signature-based authentication can be broken by any modification of the email in transit, such as a message footer inserted by anti-virus software.  Other common factors such as mailing list servers also cause message contents to be modified when forwarded on to their destination.</p>
<p>As with SPF, DKIM is also ineffective at preventing spam sent by people abusing authorized servers.  Again, this is a serious problem with popular web-based email systems.</p>
<p>DKIM also imposes significant processing overhead on the receiving server, which may cause load and scalability issues for businesses wishing to adopt this technique to prevent spam.</p>
<p>However one of the advantages of DKIM is that it can be used to better identify non-spam emails when used in combination with other techniques.  For example, an email that passes an open relay test for the sending server (either at the time of receipt or by membership on a list of known safe mail servers) that also passes a DKIM test is likely to not be spam and can bypass any further processor intensive scanning such as content filtering.</p>
<h2>Penny Black</h2>
<p>Penny Black is the codename for a Microsoft project taking a unique look at preventing spam using a &#8220;sender pays&#8221; system.  Under such a system the cost of sending unsolicited email is increased to make it impractical for spammers to send millions of spam emails.  The cost is not monetary; rather, it is applied as computational effort.  Where currently an email message takes fractions of a second to send, Microsoft proposes increasing this to a much larger amount such as 10 seconds.</p>
<p>For normal email users this would cause few problems because they send a low volume of email.  Spammers would be forced to invest in more computing resources to continue sending out millions of spam emails; however, this would not be an issue for them as long as they can still leverage large botnets of compromised PCs across the internet.</p>
<p>The proposal only impacts unsolicited email.  Large corporate networks that engage in high volumes of email can whitelist the domains of trusted partners so as not to impose the additional costs on them.  This may become easier as enterprise email systems such as Exchange 2010 introduce new features like Federation that allow secure authentication and sharing between organisations.</p>
<h2>Summary</h2>
<p>Development of anti-spam frameworks continues and there are positive outcomes within reach.  At this stage though it is unclear which of the frameworks will become widely adopted and become part of the standard for email communication.  A likely outcome will be that more than one framework is adopted and each is treated as a separate calculation of the &#8220;likelihood&#8221; of an email being spam as opposed to a definitive pass/fail result.  For businesses choosing an anti-spam solution today the best approach is to implement one that already contains support for one or more of these developing frameworks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/antispam-frameworks-explained/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Hundreds of UK Government Sites Hacked</title>
		<link>http://www.allspammedup.com/2009/06/hundreds-of-uk-government-sites-hacked/</link>
		<comments>http://www.allspammedup.com/2009/06/hundreds-of-uk-government-sites-hacked/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 12:52:16 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[anti-virus]]></category>

		<category><![CDATA[hacking]]></category>

		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1123</guid>
		<description><![CDATA[A large scale attack on UK government websites has been discovered. Hundreds of sites for schools, government offices, universities and more have been compromised to include links and other references to porn sites or shady pharmacies. The hacks were likely carried out via SQL injection attacks or cross site scripting and the sites were obviously [...]]]></description>
			<content:encoded><![CDATA[<p>A large scale attack on UK government websites has been discovered. Hundreds of sites for schools, government <img class="alignright size-full wp-image-1124" title="Hundreds of U.K. Government Sites Hacked" src="http://www.allspammedup.com/wp-content/uploads/2009/06/internet_no_celular1.jpg" alt="internet_no_celular1" width="150" height="136" />offices, universities and more have been compromised to include links and other references to porn sites or shady pharmacies. The hacks were likely carried out via SQL injection attacks or cross site scripting and the sites were obviously chosen because users would not think twice about trusting them. Visitors who click through are either redirected to sites selling drugs such as Viagra or sites displaying hardcore porn. Some of the compromised sites attempt to download malware.</p>
<p>The most disturbing part of the attacks is that many of the sites belong to elementary schools and are visited by students. The hackers behind the attack apparently have no problem directing children to porn sites. Even the search results for these sites have been changed to refer to porn and shady pharmacies.</p>
<p>It’s not known who’s behind the attack and the UK government has not yet had any comment. One thing is sure however, and that’s that they need to take a serious look at the security and software on their sites. It’s poorly designed software and careless security (such as not disabling unused FTP logins) that lead to these types of attacks. Experts warn that it’s possible that people who are infected by compromised sites may begin to file lawsuits against them for negligence.</p>
<p>However, I’m not sure that’s the way to go; after all, it is up to each of us to properly secure our computers and use up to date anti-virus software!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/hundreds-of-uk-government-sites-hacked/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Air France Crash Sparks Malware and Spam Outbreak</title>
		<link>http://www.allspammedup.com/2009/06/air-france-crash-sparks-malware-and-spam-outbreak/</link>
		<comments>http://www.allspammedup.com/2009/06/air-france-crash-sparks-malware-and-spam-outbreak/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 11:59:41 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[spam]]></category>

		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1117</guid>
		<description><![CDATA[The recent Air France tragedy has fueled new outbreaks of spam and malware. Researchers are reporting that spam promising exclusive news on the crash is hitting the net. The new attack featured subjects such as “A-330 blackbox record” and “Last seconds of tragic plane”, but those that opened them were treated to ads for shady [...]]]></description>
			<content:encoded><![CDATA[<p>The recent Air France tragedy has fueled new outbreaks of spam and malware. Researchers are reporting<img class="alignright size-medium wp-image-1118" title="Air France Crash Sparks Malware and Spam Outbreak" src="http://www.allspammedup.com/wp-content/uploads/2009/06/logo20air20france-400x121.jpg" alt="logo20air20france" width="224" height="85" /> that spam promising exclusive news on the crash is hitting the net. The new attack featured subjects such as “A-330 blackbox record” and “Last seconds of tragic plane”, but those that opened them were treated to ads for shady Canadian pharmacies pushing discounted drugs like Tamiflu and Viagra.</p>
<p>Another attack, said to originate from Portugal, is much more dangerous. The messages contain a link claiming to lead to exclusive video of the crash site, but instead lead to a malicious site that downloads a Trojan on to the visitor’s computer. The Trojan is designed to scan the system and steal passwords and usernames.</p>
<p><span id="more-1117"></span>A third attack uses blackhat SEO techniques to poison search results related to the crash with malicious links that lead to sites that push downloads of rogue anti-virus programs, a type of scareware.</p>
<p>Experts recommend getting your news reports from well known and trusted sites only and keeping all anti-spam and anti-virus programs up to date at all times.</p>
<p>Exploiting headlines and hot topics is a common tactic for spammers and malware distributors, who tailor their attacks to popular holidays, news stories, and popular celebrities and scandals. When they exploit a tragedy, however, it becomes particularly distasteful.</p>
<p>Air France Flight 446 crashed in the middle of the Atlantic on May 31, killing all 228 people aboard. It is now the worst air disaster since 2001.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/air-france-crash-sparks-malware-and-spam-outbreak/feed/</wfw:commentRss>
		</item>
		<item>
		<title>China&#8217;s Green Dam mandate could cause trouble</title>
		<link>http://www.allspammedup.com/2009/06/chinas-green-dam-mandate-could-cause-trouble/</link>
		<comments>http://www.allspammedup.com/2009/06/chinas-green-dam-mandate-could-cause-trouble/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 07:16:12 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[filtering software]]></category>

		<category><![CDATA[Green Dam]]></category>

		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1113</guid>
		<description><![CDATA[A University of Michigan report issued this week takes a look at the Green Dam web filtering software that has been mandated by the government of China. Besides its stated purpose of filtering porn, it&#8217;s likely that it&#8217;s also used to filter political messages; but there&#8217;s something beyond that&#8211;it could also open the door to [...]]]></description>
			<content:encoded><![CDATA[<p>A University of Michigan report issued this week takes a look at the Green Dam web filtering software that has been mandated by the government of China. Besides its stated purpose of filtering porn, it&#8217;s likely that it&#8217;s also used to filter political messages; but there&#8217;s something beyond that&#8211;it could also open the door to creation of more huge botnets.</p>
<p>According to the University report, there are numerous programming errors and flaws in the software, and once it has been installed, it is possible for a botnet operator to create a rogue web site to take advantage of the flaws, and take control of user computers.</p>
<p>There are two major vulnerabilities; the first is in how the software processes the web sites being monitored, and the second is in how it installs its updates. Both flaws allow remote sites to execute arbitrary code. The researchers made it as clear as possible in the report, saying, &#8220;Any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet.&#8221; And what&#8217;s worse, the flawed software can be used to install malicious software on a computer along with the filter update.</p>
<p>Good work on the part of the University of Michigan researchers, but they missed the mark on one front. Their recommendation that &#8220;users protect themselves by uninstalling Green Dam immediately&#8221; would be good advice, were it not for the Chinese government&#8217;s mandate&#8211;users in China have no choice but to run the software. The researchers also conclude that if Green Dam is deployed in its current form, it will &#8220;significantly weaken China&#8217;s computer security,&#8221; and that&#8217;s the real heart of the matter here&#8211;the deployment is a done deal. And because only one particular filtering product is mandated, there is little incentive to refine the product, and great incentive for abuse.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/chinas-green-dam-mandate-could-cause-trouble/feed/</wfw:commentRss>
		</item>
		<item>
		<title>T-Mobile Denies Alleged Data Breach</title>
		<link>http://www.allspammedup.com/2009/06/t-mobile-denies-alleged-data-breach/</link>
		<comments>http://www.allspammedup.com/2009/06/t-mobile-denies-alleged-data-breach/#comments</comments>
		<pubDate>Thu, 11 Jun 2009 14:50:10 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[hackers]]></category>

		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1106</guid>
		<description><![CDATA[A message posted on a security forum raised concerns of a possible data breach at T-Mobile, but the company says it never happened. A group claiming to have hacked the cellular service provider claimed to have a massive amount of stolen information and was offering it for sale.
&#8220;We have everything &#8212; their databases, confidential documents, [...]]]></description>
			<content:encoded><![CDATA[<p>A message posted on a security forum raised concerns of a possible data breach at T-Mobile, but the company says it <img class="alignright size-medium wp-image-1107" title="T-Mobile Denies Alleged Data Breach" src="http://www.allspammedup.com/wp-content/uploads/2009/06/t-mobile-400x133.jpg" alt="t-mobile" width="221" height="74" />never happened. A group claiming to have hacked the cellular service provider claimed to have a massive amount of stolen information and was offering it for sale.</p>
<p>&#8220;We have everything &#8212; their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009,&#8221; read the message on the Full Disclosure message board. &#8220;We are offering them for the highest bidder.&#8221;</p>
<p>To prove their claim they showed information related to the company’s operating systems, IP addresses, and software vendors. It’s not yet certain if the message is telling the truth. Full Disclosure claims that the majority of the posts made on its site are hot air,  and T-Mobile seems to concur:</p>
<blockquote><p>          &#8220;Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected. T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers&#8217; information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible&#8221;, said a company spokesperson.</p></blockquote>
<p>Interestingly, no one seems to be able to contact the hackers who are offering the stolen data for sale. Emails sent to them by reporters received no response.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/t-mobile-denies-alleged-data-breach/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Fundamental Spam Tricks Stay the Same</title>
		<link>http://www.allspammedup.com/2009/06/fundamental-spam-tricks-stay-the-same/</link>
		<comments>http://www.allspammedup.com/2009/06/fundamental-spam-tricks-stay-the-same/#comments</comments>
		<pubDate>Wed, 10 Jun 2009 13:40:54 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
		
		<category><![CDATA[Fighting spam]]></category>

		<category><![CDATA[anti spam]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[Internet Banking]]></category>

		<category><![CDATA[Paypal]]></category>

		<category><![CDATA[Spoofing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1096</guid>
		<description><![CDATA[About once per day I will glance in the spam folder of my email just to see if any important business items have been incorrectly marked as spam.  Sometimes I will go a step further and open one or two spam messages just to see what spammers are up to these days.  The spam that [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1102" title="Fundamental Spam Tricks Stay the Same" src="http://www.allspammedup.com/wp-content/uploads/2009/06/cards.jpg" alt="cards" width="250" height="187" />About once per day I will glance in the spam folder of my email just to see if any important business items have been incorrectly marked as spam.  Sometimes I will go a step further and open one or two spam messages just to see what spammers are up to these days.  The spam that I looked at today was interesting in that it contained no tricks or techniques that haven&#8217;t already been used for many years.</p>
<h2>Spoofed Sender Addresses</h2>
<p>An inherent weakness of the SMTP (email) protocol is that the email address of the sender is not verified or authenticated.  During an SMTP session the &#8220;RCPT from:&#8221; command specifies the &#8220;From&#8221; address for the email, and the sender is free to specify anything they like here.</p>
<p>This has resulted in the problem of emails claiming to be from such addresses as <a target="_blank" href="mailto:support@paypal.com">support@paypal.com</a> to trick the recipient into trusting the message contents.  This has also led to other problems such as <a target="_blank" href="../../../../../2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/">backscatter</a>, in which the genuine owner of a spoofed email address receives all of the NDRs and &#8220;bounce backs&#8221; that spammers cause.</p>
<p><span id="more-1096"></span>Spotting a spoofed sender address requires looking at the message headers.  This is something that most email users would not consider doing, nor would they even know how to do it.  Furthermore, some web based email services make it impossible to inspect full message headers using their web interface.</p>
<p>Because spoofed sender addresses will fool all but the most savvy email users they are best defended against with a good quality anti-spam system.</p>
<h2>Fear, Urgency, and Call to Action</h2>
<p>Spammers are similar to legitimate marketers in that they are trying to get a person to take a desired action.  Of course the key difference is that spammers are malicious criminals, and genuine marketers are not.  However because their goal is essentially the same many of their tactics are also the same.</p>
<p>Most phishing scams will use fear to spur the target of their scam into action.  In a recent spam email I received this came in the form of a bank account warning.</p>
<p><em>&#8220;We recently have determined that different computers have logged into your Internet Banking account and multiple password failures were present before the logons.&#8221;</em></p>
<p>If the spammer is successful in causing fear, the next step is to communicate urgency.  Much like the department store sale that is &#8220;one week only!&#8221; the spammer uses a deadline to try and cause an urgent response before any thought can be given to the validity of the message.  In the case of my bank phishing scam the same date as the email was sent was specified as the deadline.</p>
<p><em>&#8220;If this is not completed by June 9, 2009, we will be forced to suspend your account indefinitely as it may have been used for fraudulent purposes.&#8221;</em></p>
<p>The fear is reinforced by the stated consequences of inaction.  Account suspension sounds plausible because mainstream media regularly reports on internet banking fraud and identity theft.  Now that the victim is sufficiently scared and willing to take immediate action the spammer presents the last piece of the phishing scam, a clear and simple call to action.</p>
<p><em>&#8220;To confirm your banking account records click on the link below.&#8221;</em></p>
<p>The link will typically take the victim to a web form that uses logos and visual styling for the bank in question where they willingly submit their banking username and password.</p>
<p>Because these classic marketing techniques are still effective against many people the best defense is a <a target="_blank" href="../../../../../2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">spam content filter</a> that will detect and block these types of phishing attempts.</p>
<h2>Phishing Wrapped in Authenticity</h2>
<p>Although there is still a long way to go when it comes to end user education about spam, the overall awareness is slowly improving.  Because of this spammers take a little more care when attempting phishing scams so as to avoid alerting a victim that they have just been scammed.</p>
<p>For example, in the bank phishing scam I mentioned earlier the email uses logos and other branding to make it appear authentic.  Also, the link to the website to collect usernames and passwords looks like an HTTPS URL, but actually goes to a different HTTP address.  Many people would think to check that the link starts with https://, but not verify that it actually took them to that web address once they clicked on it.</p>
<p>In one recent PayPal phishing email almost the entire contents of the email were genuine.  The sender address was not spoofed; rather, it was simply sent from a domain name that included the word &#8220;paypal&#8221; in it.  All of the images used in the email came from PayPal and eBay servers, and the included warning not to provide your password even linked to the real PayPal&#8217;s FAQ page.  The only obvious red flag was the form embedded in the message from a remote server in Switzerland, which could only be determined by inspecting the HTML source of the email message, something most email users would not think to do (and again, is made more difficult by the interface on popular web based email services).</p>
<p>When 95% of an email is authentic looking, and the other 5% is only going to be spotted by a savvy user, the best defense is an anti-spam system that will detect and block the message before it is received by the spammer&#8217;s target.</p>
<h2>Humans Are Still Easily Tricked</h2>
<p>The common element of the spam techniques mentioned above is that they are still very effective against regular people despite being used for many years.  I do not foresee a time in the future when the majority of email users are savvy enough to spot every spam or phishing message that arrives in their inbox.  Now and for a long time ahead of us there will remain a strong need for effective anti-spam systems to protect email users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/fundamental-spam-tricks-stay-the-same/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Phishing Scam Hits BoA Customers</title>
		<link>http://www.allspammedup.com/2009/06/phishing-scam-hits-boa-customers/</link>
		<comments>http://www.allspammedup.com/2009/06/phishing-scam-hits-boa-customers/#comments</comments>
		<pubDate>Tue, 09 Jun 2009 13:02:58 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[scams]]></category>

		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1089</guid>
		<description><![CDATA[A new phishing scam is targeting Bank of America customers who use the bank’s “Bank of America Direct Digital Certificate program”. The program offers full service internet based banking to businesses. To access it customers need to install a BOA issued digital certificate into their web browser. The attack focuses on the site that allows [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1091" title="Phishing Scam Hits BoA Customers" src="http://www.allspammedup.com/wp-content/uploads/2009/06/boa.jpg" alt="boa" width="186" height="148" />A new phishing scam is targeting Bank of America customers who use the bank’s “Bank of America Direct Digital Certificate program”. The program offers full service internet based banking to businesses. To access it customers need to install a BOA issued digital certificate into their web browser. The attack focuses on the site that allows them to use their company ID, username and password to re-download their certificate if needed.</p>
<p>The emails being sent tell customers that their certificates have expired and must be re-downloaded, or that an updated version is available. A masked URL directs them to a fake version of the certificate pick up site. If the customer fills out the form they not only have their login info stolen, but they are then asked to download the “certificate” which is really the Waledac Trojan. The malware scans their systems for personal and financial information. Waledac also adds the infected computer to its botnet and uses it to send out even more malicious spam.</p>
<p>Bank of America is aware of the scam and recommends that customers call them to verify any emails they receive, and to remember they will never be asked for their user name and password via email.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/phishing-scam-hits-boa-customers/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Outlook users targeted in phish attack</title>
		<link>http://www.allspammedup.com/2009/06/outlook-users-targeted-in-phish-attack/</link>
		<comments>http://www.allspammedup.com/2009/06/outlook-users-targeted-in-phish-attack/#comments</comments>
		<pubDate>Mon, 08 Jun 2009 12:51:52 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
		
		<category><![CDATA[phishing]]></category>

		<category><![CDATA[scam email]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1084</guid>
		<description><![CDATA[Microsoft Outlook users are vulnerable to a new phishing attack that sends out spoofed messages that look like they are from Microsoft. In the attack, users are told that they have a new message, but they need to reconfigure Outlook before it can be accessed. The victim is given a link that asks users to [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft Outlook users are vulnerable to a new phishing attack that sends out spoofed messages that look like they are from Microsoft. In the attack, users are told that they have a new message, but they need to reconfigure Outlook before it can be accessed. The victim is given a link that asks users to enter user names, passwords, and information on the mail server. The attacker would then be able to read the victim&#8217;s email, and potentially gain sensitive financial information. In addition, the phisher gains full access to and control over the email account, and can use it to send out spam messages.</p>
<p>If you&#8217;re not paying attention, it looks like it could be from an email administrator, and the disguised link that is included in the email appears to be a link to a Microsoft web site. Of course, it is not, and most users would know better&#8211;but it&#8217;s casting a very wide net and is likely to catch more than a few victims by the time it&#8217;s done.</p>
<p>The phishing attack is quite ingenious. It&#8217;s easy enough to bluff somebody out of their user name and password, or even to steal it. But full control of the account can be had if the attacker also gets the mail server information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/outlook-users-targeted-in-phish-attack/feed/</wfw:commentRss>
		</item>
		<item>
		<title>40,000 Websites Hit By Malware Attack</title>
		<link>http://www.allspammedup.com/2009/06/40000-websites-hit-by-malware-attack/</link>
		<comments>http://www.allspammedup.com/2009/06/40000-websites-hit-by-malware-attack/#comments</comments>
		<pubDate>Thu, 04 Jun 2009 12:34:10 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Spam news]]></category>

		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1072</guid>
		<description><![CDATA[Security experts say over 40,000 websites have been hacked to redirect unsuspecting users to a malicious site that tries to infect their PCs. The compromised sites were hit with an SQL injection attack which left malicious JavaScript code behind. Users who visit the site are sent to a fake Google Analytics site which sends them [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1073" title="40,000 Websites Hit By Malware Attack" src="http://www.allspammedup.com/wp-content/uploads/2009/06/internet_no_celular.jpg" alt="internet_no_celular" width="150" height="136" />Security experts say over 40,000 websites have been hacked to redirect unsuspecting users to a malicious site that tries to infect their PCs. The compromised sites were hit with an SQL injection attack which left malicious JavaScript code behind. Users who visit the site are sent to a fake Google Analytics site which sends them to yet another site that scans the PC looking for software vulnerabilities. If it finds them, a host of malware is downloaded and installed on the PC. If it doesn’t, a pop up appears warning the visitor that their system is infected with malware and urges them to download a fake security program that is actually a Trojan. Firefox users beware - the attack targets that browser too.</p>
<p>It’s not clear what is being done with the infected systems but the experts say that they are most likely being added to a botnet for spamming purposes and/or having personal info stolen from them via keyloggers and other malware.</p>
<p>The domain hosting the malware is in the Ukraine where the notorious Russian Business Network is located. The RBN is a known haven for spammers, phishers, hackers and other cyber criminals. It’s not known if they are directly linked to the attack however.</p>
<p>Site owners are advised to disable FTP access or change the log in credentials used for it. They should also scan their site for any suspicious looking code or improperly configured apps.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/40000-websites-hit-by-malware-attack/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>

