Written by Sue Walsh
closeAuthor: Sue Walsh
Name: Sue Walsh
Email: siwriter@si.rr.com
Site:
About: See Authors Posts (323) on September 2, 2010
Here’s a look at the Zeus botnet’s top spam campaigns: 
- “An unauthorized transaction billed to your bank account”: Most people should know that if their bank spots a fraudulent transaction it will call you or send you a letter, not an email, but this subject line is alarming enough to get some people to open it and wind up phished or infected with malware.
- “DHL Tracking number #######”: This is one of the oldest campaigns. A variation uses UPS instead of DHL, but in both cases the included attachment has a hidden executable that contains malware.
- “FDIC has officially named your bank failed bank”: An obvious attempt to exploit the economic crisis. Too bad the horrible grammar gives it away.
- “Hello”: This is why it’s often advised not to send emails this way. Many spam filters flag messages with “Hello” or “Hi” as the subject because of campaigns like this.
- “Notice of Underreported Incomeir”: The glaring misspelling gives this away as spam right away.
- “Review your annual Social Security statement”: This has been around for a while as well. The scammers are hoping there are still folks out there who don’t know that the SSA sends out your statement via postal mail about 6 months before your birthday each year.
- “Welcome to Friendster”: An obvious attempt to exploit a brand. Unfortunately for them, Friendster isn’t quite as popular as it used to be.
- “You have received a file from (email) via YouSendIt”: This campaign is banking on people’s natural curiosity being piqued enough to open it.
- “Your Flight Ticket #####”: Delta was one of the more recent airlines to be exploited by this campaign. The scammers are hoping that when someone gets the fake ticket and cheery note informing them that their credit card has been charged over $800, they’ll be upset enough not to think first and open the attached paperwork, which delivers a Trojan.
- “Your Order with Amazon.com”: This is a blatant phishing campaign. Every link in the fake notification leads to a fake Amazon login page. It’s pretty easy to spot, though, because the total amount due, which is listed twice, is always two different amounts, and there is plenty of broken English as well.
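As an added illustration (not code from the original post), here is a small Python triage routine that encodes the tells listed above: the known subject lines, an executable hidden inside a zipped attachment, and an order notice whose stated totals disagree. The executable extensions, attachment names and dollar amounts are assumptions constructed for the demo, not values taken from the campaigns.

```python
import io
import re
import zipfile

# Subject lines from the campaign list above; the '#' placeholders become digit runs.
CAMPAIGN_SUBJECTS = [
    r"^an unauthorized transaction billed to your bank account$",
    r"^(dhl|ups) tracking number #?\d+$",
    r"^fdic has officially named your bank failed bank$",
    r"^(hello|hi)$",
    r"^notice of underreported income",
    r"^review your annual social security statement$",
    r"^welcome to friendster$",
    r"^you have received a file from .+ via yousendit\.?$",
    r"^your flight ticket #?\d+$",
    r"^your order with amazon\.com$",
]
SUBJECT_RES = [re.compile(p, re.I) for p in CAMPAIGN_SUBJECTS]
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")  # assumed set of Windows executable extensions
TOTAL_RE = re.compile(r"total[^$\n]{0,40}\$\s?([\d,]+\.\d{2})", re.I)


def subject_matches_campaign(subject):
    """True if the subject line matches one of the listed campaign subjects."""
    return any(r.search(subject.strip()) for r in SUBJECT_RES)


def executables_in_archive(data):
    """Names of executables inside a zip attachment (empty list if not a zip or none found)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []


def inconsistent_totals(body):
    """True if the body states a total more than once with differing amounts (the Amazon tell)."""
    amounts = {a.replace(",", "") for a in TOTAL_RE.findall(body)}
    return len(amounts) > 1


def triage(subject, body, attachments):
    """Return the indicators that fired for one message; attachments is a list of (name, bytes)."""
    hits = []
    if subject_matches_campaign(subject):
        hits.append("subject:known-campaign")
    if inconsistent_totals(body):
        hits.append("body:mismatched-totals")
    for name, data in attachments:
        hits += [f"attachment:archived-executable:{n}" for n in executables_in_archive(data)]
    return hits


def build_zip(inner_name, payload=b"not a real program"):
    """Constructed sample attachment: a zip holding one inert file, used only for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()
```

A call such as `triage("DHL Tracking number 1234567", "see attached", [("tracking.zip", build_zip("DHL_Label.pdf.exe"))])` reports both the known subject and the executable hidden in the archive.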
Written by Sue Walsh on August 30, 2010
The folks over at InformationWeek are reporting that the Pushdo botnet has been crippled. Thanks to a combined effort on the part of several security researchers, Pushdo, also known as Cutwail, has had the majority of its command and control servers shut down. Pushdo pumps out enormous amounts of spam, much of it malicious, and is responsible for a massive DDoS against hundreds of commercial and government websites earlier this year.

Compromised computers spew spam.
“We identified a total of 30 servers used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world,” said Thorsten Holz at cybercrime intelligence service LastLine. “We contacted all hosting providers and worked with them on taking down the machines, which led to the take-down of almost 20 servers. Unfortunately, not all providers were responsive and thus several command & control servers are still online at this point.”
The shutdowns resulted in Pushdo’s huge flood of spam sharply plummeting.
Is this a good thing? Of course. Will it last? Not likely.
Botnet herders have learned from the McColo shutdown. Their command and control systems have become more complex and widespread, so that when something like this happens they are usually back in business within days rather than weeks or months. Many botnets are now programmed with long lists of domains, so if they try to connect to one and get no response they can move on to the next one, and so on, until they are able to connect.
It will be interesting to see how long it takes Pushdo to bounce back!
Written by Sue Walsh on August 25, 2010
Security researchers say the massive Rustock botnet is currently responsible for 40% of the world’s spam volume. This is particularly impressive considering the number of infected computers under its control has dropped from 2.5 million to 1.3 million, probably as a result of increased detection by anti-virus software. Even with the reduction in size, it is still pumping out nearly 50 billion spam messages a day.

Compromised computers spew spam.
Most of that spam is pharmaceutical, hawking counterfeit prescription drugs offered by the infamous group of Canadian Pharmacy websites. The drugs, which are freely distributed without a prescription, are made in India and China and are not regulated or inspected in any way. The group behind the Canadian Pharmacy scams is said to be connected to the Russian Mafia.
Rustock was thought to be using Transport Layer Security to encrypt its spam in an effort to make detection difficult, but it appears to have abandoned the practice, probably due to the effect it had on bandwidth and processing speed.
The botnet has been thriving since its recovery from the McColo shutdown back in November 2008. When the cybercriminal-friendly ISP had its service terminated by its upstream providers, Rustock went dark, but the herders behind it acted quickly to switch its command and control servers to another host and began developing ways to keep it from depending on a single host, which has protected it from further shutdowns. Botnets are now programmed with a list of different domains and IPs to contact for instructions, so if one goes down, a new one can easily and quickly be found.
Written by Sue Walsh on August 17, 2010
A new spam campaign has begun spreading across the net. Disguised to look like a ticket purchase email from Midwest Airlines, it is an attempt to spread the Zbot Trojan. The email thanks the recipient for using the company’s new “Buy Airline Ticket Online” feature and provides the login details of an account that was created in their name along with the receipt for a purchase of over $800 that was charged to their credit card. It goes on to tell them the ticket is in the email’s attachment.
Of course the feature, receipt, ticket, and charge are all fake and if the user opens it the Zbot Trojan is downloaded and installed.
Zbot is distributed by the Zeus botnet and is a virulent banking Trojan that has stolen millions from bank accounts around the world. Last month alone it was responsible for stealing over $1 million from customers of a bank in the United Kingdom. Once installed it monitors the system and strikes when the user visits a site on its list. These include e-commerce sites and most major banks, credit card companies, and other financial institutions. Once such a site is visited, a keylogger is dropped, records the login info, and sends it back to the command and control server. After the stolen information is used to transfer funds from the account to the criminals, a fake statement is created to hide the crime.
Investigators and researchers aren’t sure who is behind Zbot, but given that the C&C servers are located in Eastern Europe, some suspect the stolen funds are being siphoned to the Russian mafia.
Written by Sue Walsh on August 6, 2010
The folks over at Softpedia have an interesting article about a new spam campaign being run by the Cutwail botnet. It’s pumping out hundreds of millions of messages claiming to be Social Security statements:
“Due to possible calculation errors, your annual Social Security statement may contain errors. Open attached file to review your annual Social Security statement,” the rogue messages read. The attachment is an archive file called statement.zip.
They come with a zipped attachment that the message claims is the actual statement, but it really contains a variant of the Zbot Trojan. It downloads keyloggers and other malware designed to steal banking logins and other personal information, as well as a rootkit that allows a hacker to control the system remotely. Zbot is programmed with a list of popular e-commerce and banking sites such as eBay, PayPal, Bank of America and Amazon, and when one of them is visited the keylogger activates, records the login info and sends it back to its command and control server.
Zbot has been around for three years and in the last 6 months infections have skyrocketed. The U.S. has been most affected, claiming 75% of all Zbot infections globally. The UK is second.
For the record, the Social Security Administration only sends out statements via postal mail. They usually go out once a year, about 6 months before your birthday. It’s not surprising that the scammers are trying to use the SSA in their campaign, as previous campaigns have exploited the IRS and other agencies.
Written by Sue Walsh on July 26, 2010
Security experts are warning about a new phone scam exploiting Microsoft. The scammers are making phone calls claiming to be from the company’s tech support department. The fake Microsoft representatives call and explain that critical errors have been detected in the recipient’s operating system and they want to help correct them. To do so they walk them through several “diagnostic” steps, one of which is to download a program from a website the scammer sends them to. If the recipient goes along, they will have given the scammers remote access to their computer. They then turn their system into a zombie, add it to a botnet and start pumping out spam. Some variations of the scam use the remote access to launch a phishing attack, scanning the system for any personal information. A few bold scammers have even demanded payment for their “help”! So far the scam calls have been reported in Australia, the UK, and the United States. It’s not yet known exactly what botnet is behind the attacks.
If you or any of your employees get such a call, hang up immediately. Should someone in your company fall for the scam, take the infected computer off your network and off the internet completely until it can be cleaned out. An even better idea would be to keep computers containing sensitive data such as financials and employee info isolated from the network and internet in the first place. If it’s not connected it can’t be infected very easily.
Microsoft says they are aware of the calls and are investigating.
Written by Sue Walsh on July 2, 2010
A new spam campaign is using fake Amazon emails to distribute malware. At first glance the spam messages look exactly like the confirmation emails the e-commerce site sends after a purchase has been made and show that an expensive item has been bought. This is obviously meant to cause alarm and entice the recipient to click on the order number link to check out what they think is a fraudulent transaction. Upon closer look however it’s obvious the emails are fake. The clues that reveal this include the absence of the customer’s name, two different order totals listed, and the presence of a “Click Here to See Items” link instead of the actual product.
The links lead to a Korean website called booksalon that attempts to download a Trojan onto the visitor’s computer. The Trojan adds the infected computer to a botnet and uses it to pump out even more spam. The people behind this wave of malicious spam appear to be amateurs because their attempt is both sloppy and impatient. The emails list several different order totals and use formatting that makes it pretty clear they aren’t the least bit familiar with the English alphabet, and once the malicious link is clicked the attack commences with brute force.
So far no one has been able to pinpoint exactly who is behind this latest spam campaign or what botnet is being used. It’s possible this is an entirely new one. Amazon has not yet had any comment about the issue.
Written by John P Mello Jr (jpmello@cox.net, http://twitter.com/jpmello) on July 1, 2010
About: John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.
The malware that created the largest zombie network of its time two years ago has been spotted in the wild again by security researchers. The bad app called Kraken–after a sea beast first mentioned in the Odyssey by Homer–is estimated to have infected some 320,000 machines since April, or about half the size it was at its height in 2008.
Kraken is designed to turn its infected machines into spam puking monsters. A typical Kraken computer churns out 600,000 electronic junk mail messages an hour.
The original version of Kraken gushed spam about designer watches, like Rolexes. The current version focuses on old standbys like products for male organ enhancement and ameliorating erectile dysfunction.
What makes Kraken particularly pernicious is its resistance to detection. According to Virustotal, a service that analyzes suspicious files, the top three virus detection programs have been unable to detect samples of the latest iteration of the malware.
What’s more, Kraken exploits domain names offered by dynamic DNS services to exert its command and control of its zombie machine empire. Since the addresses are extensions of legitimate domain names, the system hinders counter measures by domain registrars. In some ways the technique is more resistant to White Hat interdiction than registering second level domains for nefarious activity with louche registrars.
This latest incarnation of the malware is a bit puzzling to White Hats because it’s being spread by a separate botnet. The degree of collusion between the Black Hats spreading Kraken and those controlling it is still a mystery to malware fighters.
The botnet currently sowing Kraken is using something called the Butterfly framework as the foundation for its misdeeds. The framework is a for-hire kit used to design bad apps for infecting computers running Microsoft’s Windows operating system.
Written by Sue Walsh on June 3, 2010
A Russian ISP known to be friendly to cybercriminals has been knocked offline. PROXIEZ-NET was known to be hosting over a dozen command and control servers for the massive Zeus botnet. Zeus is an information thief that targets banking info and logon credentials for popular e-commerce sites like Amazon.com and eBay. The bot’s C&C servers also allowed the attackers to have complete control over the computers it infected. They were able to do everything from shutting the computers down to wiping their hard drives completely. Those servers are now cut off from the net because PROXIEZ-NET’s upstream provider DIGERNET has refused to provide further service to them.
In a BBC News interview, ZDNet UK editor Rupert Goodwins said this takedown is yet “another skirmish in the fight to decapitate the malware networks, in this case by disconnecting the control networks used to co-ordinate trojans and rootkits”.
Any legitimate services that may have been using PROXIEZ-NET should probably be thankful for the action as it’s likely that they were or would eventually have been blacklisted. Should PROXIEZ-NET be able to find a new provider, they will almost certainly be ostracized by the online community due to their reputation.
The shutdown brings to mind the 2008 shutdown of notorious ISP McColo, which hosted numerous spammers and several of the top botnets at the time, including Rustock. Those botnets were crippled by the shutdown and global spam levels plummeted by 75%. Sadly, that didn’t last for long as several months later new hosts had been found and the botnets returned with a vengeance.
Written by Sue Walsh on May 28, 2010
The second man involved in a series of computer attacks on local ISPs back in 2006 is set to plead guilty. Thomas James Frederick Smith will plead guilty in a Dallas courtroom next month. He and partner David Edwards are looking at 5 years in prison after admitting they created a botnet and used ISPs T35 and The Planet to test it on. The pair used the botnet, which boasted 22,000 zombies, to launch a DDoS attack on The Planet and to hack into T35, steal its user database and deface its website. Smith then posted a message to a forum for webmasters where he tried to play innocent:
“I found out today at around 11:40 PM that the t35 Website was Completly [sic] defaced,” he wrote in the post. “I posted it to a few news sites and noticed after posting them that the Mysql dumps were actually up for grabs… How are all the users going to be compensated? Im [sic] sure EVERYONES [sic] password was in that file…”
The pair was trying to rent out their botnet to other cybercriminals. The going rate was 15 cents per zombie. Botnet rental has become increasingly popular among cybercriminals and has become yet another way to cash in. In a similar vein, do-it-yourself botnet kits have also become very popular, so much so that the criminals that sell them have begun operating like legitimate software companies, offering warranties, upgrades, and even tech support.
Smith and Edwards are due to be sentenced later this summer.