Written by Sue Walsh (siwriter@si.rr.com) on July 31, 2010
A security firm has put together a top 10 most wanted list of botnets. These botnets are responsible for pumping out the majority of the global spam volume, which now stands at a whopping 230 billion messages a day. Most of them originated in Eastern Europe, which makes the criminals behind them very hard to track down. Let's take a look at the list:
- Rustock: Responsible for 43% of global spam volume, this is the biggest active botnet on the web. It pumps out millions of pharmaceutical spam messages for the infamous Canadian Pharmacy and others.
- Mega-D: Coming in second with 10.2% of total spam volume, this is one of the longest-running botnets around. It too sends mainly pharmaceutical spam, and gets its name from one of the fake drugs it hawks.
- Festi: This newcomer is responsible for 8% of total world spam volume and seems to work in tandem with the Pushdo botnet.
- Pushdo: A very complex botnet that runs multiple campaigns and distributes malware as well as spam. Currently responsible for 6.3% of total spam volume.
- Grum: Another pharmaceutical-spam-spewing botnet, currently responsible for 6.3% of total spam volume.
- Lethic: Responsible for 4.5% of total spam volume; it also acts as a spam proxy.
- Bobax: Responsible for 4.3% of total spam volume. Pumps out pharmaceutical spam.
- Bagle: Acting primarily as a proxy, Bagle is responsible for 3.5% of total spam volume.
- Maazben: With 2% of total spam volume, Maazben sends only casino-related spam.
- Donbot: Another pharmaceutical spam botnet, responsible for 1.3% of total spam volume.
Written by Sue Walsh on June 2, 2010

Compromised computers spew spam.
John Leyden over at The Register posted an interesting article recently. It seems that botnet herders have learned how to avoid honeypots. Honeypots are traps set by security firms: groups of deliberately exposed computers designed to lure botnets so that researchers can study their command structure and malware deliveries. This helps them come up with ways to detect and fight back against the botnets. Now that the herders know how to spot and avoid them, researchers may lose this valuable tool. While many firms say they are aware of this and are working on the problem, some are skeptical and say the seriousness of the issue is being exaggerated.
I personally disagree. I mean seriously, does this surprise anyone? Botnet herders and other cybercriminals are getting better and better at avoiding detection and protecting themselves. When McColo was abruptly shut down in 2008, it knocked several botnets offline for MONTHS. Thanks to improved technology, recent similar shutdowns have resulted in botnet downtime shrinking to just hours or days. No matter how good we think we are at detecting malware, blocking spam and fighting botnets, the cybercriminals will always be a step ahead. They are constantly changing and evolving. These folks will never wind up on an episode of America’s Dumbest Criminals. These people are smart, creative, and determined, and because of that we need to take every warning seriously. We are woefully unprepared for a major cyberattack or act of cyberwarfare, and until that changes we’ve got to stay on the ball.
Written by Sue Walsh on May 17, 2010
Security experts have discovered that the infamous Storm botnet is making a comeback. The original Storm roared to life two years ago, pumping out a whopping 20% of the world’s spam at its peak. To spread itself it sent fake greeting cards and exploited news headlines and popular events. This new variant reuses the old code and sends fake anti-virus software and spam hawking celebrity videos, internet pharmacies, and dating sites.
“This is an example of the reuse of code that worked very effectively in the past,” Don DeBolt, director of threat research at CA, told SCMagazineUS.com. “It’s a good lesson to understand about malware and the internet that when one method works in the past, it’s often reused again in the future. We have to constantly keep our guard up and look at the reissuance and redistribution of legacy malware.”
Storm was one of the largest and most powerful botnets ever until its ISP, Intercage, was shut down. Intercage hosted the botnet’s command and control servers, and the shutdown abruptly severed those connections. In addition, researchers discovered a way to infiltrate the bot, adding to its woes. It died a quiet death and was replaced by Waledac, which was itself recently incapacitated by a court order that slammed the door shut on almost 300 of its domains. The shuttered domains were being used to host the botnet’s command and control servers. Without them it quickly succumbed, but don’t count it out just yet. If Storm is any indication, cats aren’t the only ones with nine lives.
Written by Sue Walsh on May 10, 2010
Here’s a look at the top 5 botnets and what they’re up to:

Compromised computers spew spam.
5. Bagle: This botnet has been around since 2004 and has undergone many transformations. It now acts as a proxy for spammers. Its 500,000 or so zombies push out over 14 billion pieces of spam a day.
4. Rustock: This botnet was knocked offline by the McColo shutdown but roared back to life. It’s not known exactly how many zombies are under its control, but it pumps out about 17 billion pieces of spam a day, most of it pharmaceutical and image-based. It’s known for forging legitimate business newsletters to do its dirty work, and it also infests Twitter. Impressive, considering the bot is only active for 4 hours a day!
3. Pushdo/Cutwail: This bot was born at the same time as Storm but has outlived it. Pushdo installs itself on the zombie computer and downloads Cutwail, which turns it into a spamming machine. Its 1.5 million zombies pump out 19 billion pieces of spam a day, most of it hawking fake pharmaceuticals, online casinos, malicious links and phishing schemes.
2. Bobax: Despite its small size (only 100,000 zombies), this botnet manages to pump out over 27 billion pieces of spam a day. Its handlers are constantly adjusting it to make it harder and harder to trace, and they appear to be renting the botnet out to spammers rather than doing the dirty work themselves.
1. Grum: This botnet is super-sophisticated, acting as both a bot and a rootkit. It infects the registry entries Windows uses to run programs at startup (autorun), and despite having only 600,000 zombies it pumps out a whopping 40 billion spam messages a day, all of it hawking various pharmaceuticals, which lately is by far the most popular kind of spam flooding the net.
Written by Sue Walsh on April 28, 2010
A new survey has revealed that the net is being subjected to a high-tech crime wave. Over 100 attacks per second hit the world’s computers, and one every 4.5 seconds succeeds in causing an infection. Malware has soared to a record high, up 71% in 2009 compared with 2008’s figures. The enormous surge is credited to the equally growing popularity of do-it-yourself toolkits that allow anyone from novice to ubergeek to run their own criminal operation. Some of the kits are free, while others, like the one that lets users run their own version of Zeus, go for about $700. The sale of these malicious tools has become a booming part of the underground economy in its own right. Some distributors run their operations like legitimate software enterprises, right down to offering technical support to users.
The criminals themselves are becoming more sophisticated as well. Intelligence has become an important part of the game as scammers analyze social networking pages and other online information in order to gather information that will help them personalize their phishing attacks and malicious spam. Spam is getting more and more polished and targeted as scammers rush to stay ahead of increasingly educated users.
The survey also found two new emerging cybercrime hotspots. Brazil and India are making waves because, although their infrastructure has improved and brought high-speed internet to much of both countries, education on security issues has lagged far behind. This gives cybergangs a definite advantage.
Written by John P Mello Jr (jpmello@cox.net) on April 13, 2010
Site: http://twitter.com/jpmello
About: John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

86% of more than 3700 respondents were aware of the concept behind a bot.
More than 80 percent of the keyboard jockeys on two continents know what bot networks do. They just don’t know what they’re called.
In its 2010 annual report on email security and awareness, the Messaging Anti-Abuse Working Group (MAAWG) found that 84 percent of computer users in six countries (United States, United Kingdom, Canada, France, Germany and Spain) were familiar with the “concept” of a bot: the idea that malware exists that can control a computer without its owner’s knowledge and use the machine to spread spam and steal personal information.
However, 53 percent of the same sample of some 3700 respondents confessed that they’d never heard of the term “bot” or “botnet.” Another 25 percent had heard of the terms but didn’t know what they meant.
Users least likely to have heard of bots were women (38 percent), people 55 or older (36 percent) and users inexperienced with Internet security (22 percent).
The greatest awareness of the bot concept was found in Germany (91 percent). In the United States, 82 percent of the respondents had knowledge of bots. That’s five percentage points higher than in last year’s survey.
Continue reading: Bot awareness is high; however, so is user naiveté
Written by Paul Cunningham (paul@exchangeserverpro.com) on March 3, 2010
Site: http://www.exchangeserverpro.com
About: Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
Virtualization has been a growing trend in business computing over the last few years. Companies are able to use virtualization to reduce costs and improve efficiency. What started at the server level is also infiltrating desktop computing, with virtualized desktops now showing up in a lot of environments.
Another recent trend has been the appearance of botnets that have the ability to detect when they are being studied by security researchers. Often this study takes place using honeypots, fake systems set up by researchers to be deliberately infected with malware so that its behaviour can be observed.
This has led some security experts to predict that it will soon be common for botnets to actively look for the signs of a honeypot and either deactivate themselves on those systems, or perhaps even launch DDoS attacks against the researchers.
The CTO of database security firm Imperva, Amichai Shulman, suggests that “Most honeypot machines are based on a virtualization platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there.”
The intersection of these two trends could have a positive outcome for businesses concerned about botnets infecting their corporate systems. If botnets actually did begin shutting down when virtualization platforms were detected, then the use of virtual desktops could in itself prevent a botnet from becoming active.
Continue reading: Will Virtualization Protect Businesses from Botnet Infection?
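As an added illustration (not part of the original post, and not Imperva's or any botnet's code), the check below shows the kind of virtualization fingerprinting Shulman is describing, applied to constructed host snapshots rather than to the live machine. The snapshot fields (CPUID flags, DMI vendor and product strings, MAC addresses) and the sample values are assumptions for the example; the vendor strings and MAC OUI prefixes are the publicly documented ones for VMware, VirtualBox, QEMU/KVM and Hyper-V. The third snapshot shows the flip side of the post's argument: a honeypot operator, or a business hoping to pose as one, can scrub these indicators, and malware can just as easily ignore them.

```python
# Added example: fingerprinting a host for signs of a virtualization platform.
# Operates on constructed snapshots so it runs offline; a real check would
# read /proc/cpuinfo, /sys/class/dmi/id/* and the NIC list (assumption: Linux).
from dataclasses import dataclass, field
from typing import List

# Substrings seen in DMI vendor/product strings of common hypervisor guests.
HYPERVISOR_DMI = ("vmware", "virtualbox", "qemu", "kvm", "xen", "bochs", "virtual machine")

# Publicly registered MAC OUI prefixes hypervisors assign to guest NICs.
HYPERVISOR_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:15:5d": "Hyper-V",
}


@dataclass
class HostSnapshot:
    cpuinfo_flags: str                 # the "flags" line from /proc/cpuinfo
    dmi_vendor: str                    # /sys/class/dmi/id/sys_vendor
    dmi_product: str                   # /sys/class/dmi/id/product_name
    mac_addresses: List[str] = field(default_factory=list)


def vm_indicators(host: HostSnapshot) -> List[str]:
    """Return a human-readable reason for each virtualization indicator found."""
    hits = []
    # CPUID leaf 1, ECX bit 31 is exposed by Linux as the "hypervisor" flag.
    if "hypervisor" in host.cpuinfo_flags.split():
        hits.append("cpuid: hypervisor flag set")
    for label, value in (("sys_vendor", host.dmi_vendor), ("product_name", host.dmi_product)):
        low = value.lower()
        for needle in HYPERVISOR_DMI:
            if needle in low:
                hits.append(f"dmi {label}: '{value}' matches '{needle}'")
                break
    for mac in host.mac_addresses:
        oui = mac.lower()[:8]
        if oui in HYPERVISOR_OUIS:
            hits.append(f"mac {mac}: OUI belongs to {HYPERVISOR_OUIS[oui]}")
    return hits


def looks_virtualized(host: HostSnapshot) -> bool:
    return bool(vm_indicators(host))


# Constructed snapshots (not captured from real systems).
BARE_METAL = HostSnapshot(
    cpuinfo_flags="fpu vme de pse tsc msr pae mce cx8 sse sse2 ht nx",
    dmi_vendor="Dell Inc.", dmi_product="OptiPlex 780",
    mac_addresses=["d4:be:d9:12:34:56"],
)
VMWARE_GUEST = HostSnapshot(
    cpuinfo_flags="fpu vme de pse tsc msr pae mce cx8 sse sse2 ht nx hypervisor",
    dmi_vendor="VMware, Inc.", dmi_product="VMware Virtual Platform",
    mac_addresses=["00:0C:29:4A:1B:2C"],
)
# A VM whose operator has scrubbed the obvious artifacts: the check passes it
# as bare metal, which is why neither side can rely on this fingerprint.
HIDDEN_GUEST = HostSnapshot(
    cpuinfo_flags="fpu vme de pse tsc msr pae mce cx8 sse sse2 ht nx",
    dmi_vendor="Dell Inc.", dmi_product="OptiPlex 780",
    mac_addresses=["d4:be:d9:65:43:21"],
)

if __name__ == "__main__":
    for name, snap in (("bare metal", BARE_METAL), ("vmware guest", VMWARE_GUEST),
                       ("hidden guest", HIDDEN_GUEST)):
        print(f"{name}: virtualized={looks_virtualized(snap)} {vm_indicators(snap)}")
```

Each indicator on its own is weak (a physical Surface device also reports a Microsoft DMI vendor, and OUIs can be rewritten), which is why the function returns the list of reasons rather than a single boolean, and why a business cannot bank on malware honouring the check.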
Written by Paul Cunningham on January 29, 2010
A research team from two Californian universities has developed what it believes will be a game changing approach to defeating spam.
The researchers used a captured spam bot to analyze a sample of the spam emails it produced, then used this information to reverse engineer the template the spam emails were based upon. Once this template was known, 100% of further spam emails from that bot were blocked, with no false positives on the one million genuine email messages in the test.
Leading anti-spam products in the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives. However, a large part of the fight against spam remains reactive.
Continue reading: Researchers Analyze Bots to Beat Spam, But Will it Work?
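As an added example, not the researchers' code and not a reconstruction of their system, the script below shows the template idea on a toy scale: take messages emitted by one captured bot, find the tokens every sample agrees on, type the slots that vary (here: price, URL, capitalised name) and compile the result into a matcher. The bot output, the later spam and the legitimate mail are all constructed for the example, and the assumption that every message from the bot has the same number of whitespace-separated tokens is a simplification the real system does not make. The last constructed message, where the bot's operator has changed the greeting, shows the reactive gap the preceding paragraph points to: a new template means a new round of analysis.

```python
# Added example: inferring a spam template from one bot's output and using
# it as a filter. Toy version of the template idea; not the researchers' code.
import re
from typing import List, Optional, Tuple

# Constructed output of a hypothetical spam bot: fixed wording around slots
# the template fills with rotating names, drug names, prices and domains.
BOT_SAMPLES = [
    "Dear John, order Viagra for only $1.99 at http://cheap-meds-1.example",
    "Dear Mary, order Cialis for only $2.49 at http://cheap-meds-7.example",
    "Dear Alex, order Viagra for only $0.99 at http://best-pills-3.example",
    "Dear Sue, order Levitra for only $3.19 at http://cheap-meds-2.example",
]

# Constructed messages the same bot sent after the template was learned.
NEW_SPAM = [
    "Dear Pat, order Viagra for only $4.50 at http://cheap-meds-9.example",
    "Dear Kim, order Cialis for only $1.29 at http://best-pills-8.example",
]

# Constructed legitimate mail, including one message with the same token
# count and several shared words, to check that typed slots do their job.
HAM = [
    "Dear Bob, order lunch for everyone at noon today",
    "Dear all, order forms for only staff at reception",
    "Hi John, your order for only $1.99 shipped",
]

# Constructed message after the operator edited the template: the learned
# matcher misses it until the bot is re-analysed.
RETEMPLATED = ["Hi Pat, order Viagra for only $4.50 at http://cheap-meds-9.example"]

# Candidate slot types, tried in order; a slot gets the first type that
# every observed value fits, otherwise a generic run of non-space characters.
SLOT_TYPES = [
    r"\$\d+\.\d{2}",   # price
    r"https?://\S+",   # URL
    r"[A-Z][a-z]+,",   # capitalised name followed by a comma
    r"[A-Z][a-z]+",    # capitalised word (here: drug name)
]


def slot_pattern(values: List[str]) -> str:
    for cand in SLOT_TYPES:
        if all(re.fullmatch(cand, v) for v in values):
            return cand
    return r"\S+"


def infer_template(samples: List[str]) -> Optional[re.Pattern]:
    """Literal text where all samples agree on a token, a typed slot where
    they differ. Returns None if the samples do not share a token count."""
    tokenized = [s.split() for s in samples]
    width = len(tokenized[0])
    if any(len(t) != width for t in tokenized):
        return None
    parts = []
    for i in range(width):
        column = sorted({t[i] for t in tokenized})
        parts.append(re.escape(column[0]) if len(column) == 1 else slot_pattern(column))
    return re.compile(r"^" + r"\s+".join(parts) + r"$")


def template_pattern(samples: List[str]) -> Optional[str]:
    tmpl = infer_template(samples)
    return tmpl.pattern if tmpl else None


def count_matches(messages: List[str], template: re.Pattern) -> int:
    return sum(1 for m in messages if template.match(m))


def evaluate(samples: List[str], spam: List[str], ham: List[str]) -> Tuple[int, int]:
    """(spam messages caught, legitimate messages wrongly flagged)."""
    tmpl = infer_template(samples)
    if tmpl is None:
        return (0, 0)
    return (count_matches(spam, tmpl), count_matches(ham, tmpl))


if __name__ == "__main__":
    print("template:", template_pattern(BOT_SAMPLES))
    print("caught / false positives:", evaluate(BOT_SAMPLES, NEW_SPAM, HAM))
    print("after template change:", evaluate(BOT_SAMPLES, RETEMPLATED, []))
```

The typed slots are what keep the false-positive count at zero here: with plain `\S+` wildcards the second legitimate message, which has the same shape and shares "Dear", "order", "for only" and "at", would be flagged. That is the part of the approach that has to scale to a million real messages for the researchers' claim to hold.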
Written by Paul Cunningham on December 31, 2009
It has been a big year for the internet with social networks continuing to grow at an amazing pace, search engines scrambling to keep pace with user demand for fresh news, and as always spam and malware causing havoc around the world.
A look at the year’s major spam events shows some consistent trends.
- Seasonal spam, such as Valentine’s Day and Christmas campaigns, remains predictable
- Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
- Spam networks are becoming more distributed and resistant to shutdown attempts
- Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
- Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering
Here is a look at some of these major events throughout the year.
January
Scams promising free money from US government grants attempt to exploit the news of corporate bailouts and the increase in unemployment.
Fake CNN news alerts take advantage of a clash between Israel and Hamas.
Global spam volume begins returning to normal levels after the McColo shutdown of November 2008.
The inauguration of US President Barack Obama leads to a wave of spam spreading rumours that his inauguration is invalid or that he resigned, and attempts to trick users into downloading malware.
Spammers also get a head start on Valentine’s Day with malware-carrying love letters.
February
Human error at Google marked the entire internet unsafe (is it really that far from the truth?).
The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.
Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.
March
Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.
Continue reading: 2009, The Year in Spam
Written by John P Mello Jr on December 29, 2009

Billionth spam received by Project Honey Pot.
Project Honey Pot announced a dubious achievement earlier this month: it had attracted its one billionth spam message. The ejunk purported to be from the U.S. Internal Revenue Service and informed its recipient:
“After the last annual calculation of your fiscal activity we have determined that you are eligible to receive 760,635 tax refund under section 501(c)(26) of the Internal Revenue Code. Please submit the Tax Refund Request form and allow us 3-9 days to process it.
“Yours faithfully,
“Sarah Hall Ingram, Commissioner”
Although the spammers forgot to put a dollar sign in front of the refund amount, they were accurate in some other details in the message. There is a section 501(c)(26) of the Internal Revenue Code. It lists non-profit organizations exempt from some federal income taxes, and subsection (26) includes in that category “State-Sponsored Organization Providing Health Coverage for High-Risk Individuals.”
Sarah Hall Ingram is an IRS commissioner, but not the IRS commissioner, as the letter would lead one to believe. However, she is the commissioner of the agency’s Tax Exempt/Government Entities Division, which would be a believable source for the message.
Project Honey Pot is a community of tens of thousands of web and email administrators from more than 170 countries around the world who are working together to track online fraud and abuse.
According to the Project, the IRS spam was sent from bot malware running on a compromised machine in India. It noted that the email address used by the bot was originally harvested on Nov. 4, 2007 by a grim reaper that has sent more than 53 million messages to the address since that time.
Continue reading: Project Honey Pot: One billion spams and counting