Microsoft Slays Waledec

Written by Sue Walsh on March 9, 2010

Microsoft notched an important legal victory this past week. A court awarded them a restraining order that has effectively cut Waledec off at the knees. The decision was the result of a lawsuit filed on February 22nd and will result in traffic being cut off to 277 domains that hold the command and control servers that run the botnet. All of the domains are located in China and will be blacklisted by VeriSign. Without its command and control servers, Waledec is essentially dead, because its millions of zombies can’t phone home for instructions.

According to Microsoft, Waledec is one of the 10 largest botnets in the world and is responsible for most of the spam hawking fake and shady internet pharmacies, male enhancement products and designer knock-offs. They had this to say about Waledec on their blog:

Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

While Microsoft claims victory, it’s more than likely short-lived. As we’ve seen in the past with shutdowns like McColo, it doesn’t take long for the cybercriminals behind botnets to regroup and start anew, and they are getting better and better at it every day.

New Botnet Targets Zeus

Written by Sue Walsh on February 19, 2010

Compromised computers spew spam.

A new botnet called Spy Eye has an interesting twist. Once installed, it searches for traces of the Zeus Trojan and, if it finds any, deletes it. Called “Kill Zeus”, the feature is meant to give Spy Eye exclusive control over the infected computer. It also steals data as it is transferred to Zeus’s command and control servers, drops a keylogger onto the system, steals and deletes cookies in IE and Firefox, and can update itself via email. Spy Eye works much like Zeus, targeting financial information and bank accounts. The FBI says Zeus is responsible for over $100 million in losses and damages.

Like Zeus, Spy Eye comes as a toolkit that allows anyone with $500 to set up their very own botnet. It may be the new kid on the block, but it’s far from alone. Three other botnets, Filon, Clod, and Bugat, have also been discovered recently.

Researchers Analyze Bots to Beat Spam, But Will it Work?

Written by Paul Cunningham on January 29, 2010

A research team from two Californian universities has developed what it believes will be a game-changing approach to defeating spam.

The researchers used a captured spam bot to analyze a sample of the spam emails that it produced, and then used this information to reverse engineer the template that the spam emails were based upon. Once this template was known, 100% of further spam emails from that bot were successfully blocked, while avoiding any false positives on one million genuine email messages in the test.

Leading anti-spam products in the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives. However, a large part of the fight against spam remains reactive.


Botnet judo fights spam with a flip

Written by John P Mello Jr on January 29, 2010

Compromised computers spew spam.

In judo, an attacker’s assets are turned into liabilities by a defender. The attacker’s attributes, like weight and size, are leveraged against the aggressor and used to neutralize him or her with a flip. A similar tactic to fight spam propagated by botnets has been developed by an octet of researchers.

The team from the International Computer Science Institute in Berkeley, Calif., and the University of California, San Diego (Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver, and Stefan Savage) have developed a way to flip the software running a botnet so it assists spam fighters in blocking the cyber junk spewed by the malware.
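The core idea in both of the spam-template posts above is that a captured bot’s output reveals the template it renders from, and a filter can then match anything else rendered from that template. The block below is an added, deliberately simplified illustration of that idea in Python; it is not the researchers’ Judo system, and the three sample messages are constructed for the demo. It aligns the samples token-for-token, keeps invariant tokens as literals, and turns varying tokens into constrained wildcards (character class plus observed length range) to build a regular expression that accepts new messages from the same template.

```python
import re

# Constructed spam samples, as if collected from one captured bot instance.
# Each is rendered from the same hidden template with per-message substitutions.
SAMPLES = [
    "Hello Alice, get CheapPills 75% off at http://shop.example/a1b2c3 ref 48211",
    "Hello Bob, get QuickMeds 75% off at http://shop.example/z9y8x7 ref 10394",
    "Hello Carol, get BestDeal 75% off at http://shop.example/q4w5e6 ref 77120",
]


def _char_class(values):
    """Pick the narrowest simple class that covers every character seen in a slot."""
    chars = set("".join(values))
    if chars <= set("0123456789"):
        return "[0-9]"
    if all(c.isalpha() for c in chars):
        return "[A-Za-z]"
    return r"\S"


def infer_template(samples):
    """Align samples token-for-token and emit a regex: a literal wherever every
    sample agrees, a constrained wildcard wherever they differ."""
    rows = [s.split() for s in samples]
    width = len(rows[0])
    if any(len(r) != width for r in rows):
        # Simplifying assumption for this demo: every slot expands to exactly one token.
        raise ValueError("samples must have the same token count")
    parts = []
    for i in range(width):
        column = [r[i] for r in rows]
        if len(set(column)) == 1:
            parts.append(re.escape(column[0]))          # invariant template text
        else:
            lengths = [len(v) for v in column]          # slot: class + length bounds
            parts.append(f"{_char_class(column)}{{{min(lengths)},{max(lengths)}}}")
    return re.compile(r"^" + r"\s+".join(parts) + r"$")


def matches_template(pattern, message):
    """True if the message could have been rendered from the inferred template."""
    return pattern.match(message.strip()) is not None


if __name__ == "__main__":
    template = infer_template(SAMPLES)
    print("inferred:", template.pattern)
    # A fourth message from the same template (constructed) and an unrelated one.
    new_spam = "Hello Dave, get FastCure 75% off at http://shop.example/m3n4b5 ref 55512"
    ham = "Hello Alice, get well soon and see you at the office on Monday"
    print("new spam matched:", matches_template(template, new_spam))
    print("ham matched:     ", matches_template(template, ham))
```

Because every slot is constrained by what the captured bot actually emitted, a message from a different template (or a legitimate message that happens to share a few words) fails on the first column that disagrees, which is why the approach can block further output from the bot without flagging genuine mail. The simplification here is that slots are single tokens and length bounds are exactly the observed range; the real system has to cope with multi-word slots and dictionaries of substitution values.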


Bredolab Pushing New Spam Engine

Written by Sue Walsh on January 26, 2010

Experts say the Bredolab botnet is now linked to a spam engine called Webwail that has led to a huge spike in its activity. The spam it’s pumping out is nothing new: fake notifications from UPS claiming a package could not be delivered and directing the recipient to open the attached file to print out an invoice needed to pick it up. The attachment contains a hidden .exe file that downloads the Cutwail Trojan and Webwail.

Webwail is a sophisticated engine that has library updates, a scripting engine and the ability to crack CAPTCHAs in 30 seconds or less. The engine also reports errors back to its command server so changes can be made quickly. Currently it’s being directed to create Hotmail accounts.

CAPTCHA cracking is a hot business thanks to engines like Webwail. Botnet herders and spammers advertise for people willing to crack them for 0.60 to 0.80 per 1,000 CAPTCHAs solved. Spammers want the free webmail accounts they can get by solving them, so they can spam from an address not likely to be blocked by a spam filter.

Bredolab spent the holidays delivering the Zbot banking Trojan. Considered simplistic in the botnet world, Bredolab is little more than a “loader” that connects to a remote server, collects files, and executes them. Some experts think such loaders could be our next big threat.

MP3 Spam Returns

Written by Sue Walsh on December 21, 2009

Surprised researchers have discovered that MP3 spam has returned. It was last seen in 2007 and, like PDF spam, was thought to have been discarded by spammers in favor of simple link spam. However, late last week security researchers discovered a brand new spam campaign using MP3 attachments. The MP3 was of a computerized voice hawking the website of a fake Canadian pharmacy that offers shady male enhancement pills and Viagra, with the audio from Meg Ryan’s famous scene in “When Harry Met Sally” playing in the background. The lyrics tag contained random characters, an attempt to evade spam detectors that fingerprint attachments by their MD5 file hash.
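The lyrics-tag trick works because a filter that hashes the whole attachment sees a different MD5 for every copy, even though the audio is identical. The block below is an added Python illustration of that weakness and of the corresponding fix; it is not code from the post or from any product it mentions, and the “audio” bytes and ID3 tags are constructed stand-ins. It wraps the same audio in ID3v2.3 tags with differing USLT (lyrics) frames, shows that the whole-file hash changes while a hash over only the audio stream does not, and uses the tag-agnostic hash as the blocklist key.

```python
import hashlib
import random
import struct

# Constructed stand-in for MPEG audio data: a plausible frame-sync header
# followed by deterministic filler bytes. Not real audio; built for the demo.
SAMPLE_AUDIO = b"\xff\xfb\x90\x00" + bytes(range(256)) * 4


def _synchsafe(n):
    """Encode a size as the 28-bit 'synchsafe' integer used in ID3v2 headers."""
    return bytes(((n >> shift) & 0x7F) for shift in (21, 14, 7, 0))


def _unsynchsafe(b):
    """Decode a 4-byte synchsafe integer."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def random_lyrics(seed, length=24):
    """Junk text for the USLT (lyrics) frame, seeded so the demo is reproducible."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(rng.choice(alphabet) for _ in range(length)).encode("latin-1")


def build_mp3_with_lyrics(audio, lyrics):
    """Wrap audio bytes in a minimal ID3v2.3 tag carrying one USLT frame."""
    # USLT payload: text encoding (0 = ISO-8859-1), 3-byte language,
    # null-terminated content descriptor, then the lyrics text.
    payload = b"\x00" + b"eng" + b"\x00" + lyrics
    frame = b"USLT" + struct.pack(">I", len(payload)) + b"\x00\x00" + payload
    header = b"ID3" + b"\x03\x00" + b"\x00" + _synchsafe(len(frame))
    return header + frame + audio


def strip_id3(data):
    """Return only the audio stream: drop a leading ID3v2 tag and a trailing ID3v1 tag."""
    if data[:3] == b"ID3" and len(data) >= 10:
        tag_size = _unsynchsafe(data[6:10])
        footer = 10 if data[5] & 0x10 else 0   # ID3v2.4 footer flag, if present
        data = data[10 + tag_size + footer:]
    if len(data) >= 128 and data[-128:-125] == b"TAG":
        data = data[:-128]                     # 128-byte ID3v1 trailer
    return data


def file_hash(data):
    """Naive fingerprint: MD5 of the whole attachment, tags included."""
    return hashlib.md5(data).hexdigest()


def audio_hash(data):
    """Tag-agnostic fingerprint: MD5 of the audio stream only."""
    return hashlib.md5(strip_id3(data)).hexdigest()


def is_known_spam(data, blocklist):
    """Match an attachment against a set of previously seen audio fingerprints."""
    return audio_hash(data) in blocklist


if __name__ == "__main__":
    first = build_mp3_with_lyrics(SAMPLE_AUDIO, random_lyrics(1))
    second = build_mp3_with_lyrics(SAMPLE_AUDIO, random_lyrics(2))
    print("whole-file MD5 differs:", file_hash(first) != file_hash(second))
    print("audio-only MD5 same:   ", audio_hash(first) == audio_hash(second))
    blocklist = {audio_hash(first)}
    print("second copy blocked:   ", is_known_spam(second, blocklist))
```

Hashing only the audio stream neutralizes tag mutation, but it is still an exact-match fingerprint: re-encoding the audio, or padding the stream, would change it again, so in practice this sits alongside other signals rather than replacing them.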

The campaign lasted just 24 hours but sent out over 500 million messages, accounting for 1.2% of the global spam volume for that time period. It’s believed that the Cimbot botnet is responsible for the spam. It boasts a network of between 10,000 and 20,000 zombies, most of which are located in Europe. Cimbot had previously launched an image spam campaign hawking the same products and leading to the same Canadian pharmacy website.

Botnet Herders Teaming Up To Distribute Trojan

Written by Sue Walsh on December 15, 2009

Researchers say the groups behind two botnets have teamed up to distribute malware. The bot herders running the Avalanche and ZBot botnets are now working together to promote the notorious Zeus banking Trojan.

The Zbot botnet is known for its massive spam campaigns that link to Zeus and Avalanche is known as a hot spot for phishing scams. Presumably the two groups decided that by working together they could increase their profits. The criminal groups behind the scheme are anonymous and little is known about them. They are using each other’s infrastructure, an arrangement not uncommon in the cybercrime world, where botnet operators often rent out the services of their botnets.

Vincent Hanna, an investigator for anti-spam organisation the Spamhaus Project, told ZDNet UK on Friday that the two groups are using each other’s infrastructure on a commercial basis. “There are people who supply botnets, and there are people who ‘rent’ capacity on these botnets,” Hanna said in an email interview. “We see that the same viruses are emitting mails that benefit [the] different groups, either through spammed URLs or attached malware.”

Zeus was recently discovered making itself cozy on a site hosted by Amazon’s EC2 service. It was using the cloud-based service as a command and control (C&C) center and sending out fake Christmas card spam that contained links to the malware.

Amazon promptly disabled the infected site when it was notified and it is no longer serving files to the botnet.

New Spam Campaign Targets Social Security Numbers

Written by Sue Walsh on November 30, 2009

The University of Alabama’s Spam Data Mine has discovered a new malicious spam campaign that steals Social Security numbers as well as delivering malware. The messages are made to look like an alert from the Social Security Administration, have subject lines such as “Review your annual Social Security statement” and “Watch for errors on your Social Security Statement”, and direct the recipient to click the included link to visit the SSA’s website. The link redirects to a legit-looking but malicious fake of the actual government website. The page asks visitors to input their Social Security number before proceeding. Next, it presents them with a page asking them to download their Social Security statement and review it for errors, promising tax breaks and refund payments if any errors are found.

The UAB Spam Data Mine says that when the link is clicked, the Zbot Trojan is downloaded. This is a widespread and nasty banking Trojan that steals logins, banking info and other personal information. It installs a keylogger that records everything typed into websites on the infected computer, and also adds the machine to the Zeus botnet.

Zeus has been around for a while now and shows no signs of slowing down. It is also pummeling Facebook with phishing emails and sending out fake FDIC and IRS alerts in separate spam campaigns. Another variant of the Zbot Trojan is being spread via messages claiming someone has posted compromising photos of the recipient on the web. The messages direct them to the site where the alleged photos are on display, but the downloadable “photo archive” is actually Zbot.

Since this latest campaign is so new, it is still undetectable by many major anti-virus programs but that will likely change very soon.

New Spam Promises Macbook, Delivers Malware

Written by Sue Walsh on November 27, 2009

A new wave of malicious spam makes promises of a free MacBook Air but delivers malware instead. The spam messages were only recently detected and arrived with the subject line “Congratulations!” The body of the message reads “Congratulations! You have won todays Macbook Air. Please open attached file and see details.”

The file is an .exe that installs malware onto the system. The malware has been identified as TROJ_AGENT.AWYQ. Once installed, it drops TROJ_CUTWAIL.GO, which adds the infected computer to the Cutwail/Pushdo botnet. A spam module is downloaded along with one or more “campaign modules”, which contain third-party malware from a number of different sources. It’s also programmed to connect to web-based email providers that it detects the infected computer has logged into, such as Hotmail, Yahoo! and Gmail, and send out copies of itself.

Cutwail/Pushdo is one of the largest botnets in the world, sending out millions of spam messages a day.

Zbot Trojan Ring Busted

Written by Sue Walsh on November 20, 2009

Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police’s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.

Detective Inspector Colin Wetherill of the PCeU said: “The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”

Zeus records banking account numbers, logins and other personal info and adds the infected computer to the ZBot botnet, which then uses the computer to pump out malicious spam designed to spread the infection.

Authorities would not identify the two suspects, saying only that they are a man and a woman in their 20s. They are being charged under the 1990 Computer Misuse Act and the 2006 Fraud Act.

Security experts say Zeus is spreading so fast because there is a toolkit available that allows anyone to customize the malware, create their own versions, and use it to commit bank fraud.