Will Virtualization Protect Businesses from Botnet Infection?

Written by Paul Cunningham on March 3, 2010

Virtualization has been a growing trend in business computing over the last few years. Companies are able to use virtualization to reduce costs and improve efficiency. What started at the server level is also infiltrating desktop computing, with virtualized desktops now showing up in a lot of environments.

Another recent trend has been the appearance of botnets that have the ability to detect when they are being studied by security researchers. Often this study takes place using honey pots, which are fake systems set up by researchers to be deliberately infected with malware so that its behaviour can be studied.

This has led some security experts to predict that it will soon be common for botnets to actively look for the signs of a honey pot and either deactivate on those systems, or perhaps even generate DDoS attacks against the researchers.

The CTO of database security firm Imperva, Amichai Shulman, suggests that “Most honeypot machines are based on a virtualization platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there.”

The intersection of these two trends could have a positive outcome for businesses concerned about botnets infecting their corporate systems. If botnets actually did begin shutting down when virtualization platforms were detected, then the use of virtual desktops could in itself prevent a botnet from becoming active.

Researchers Analyze Bots to Beat Spam, But Will it Work?

Written by Paul Cunningham on January 29, 2010

A research team from two Californian universities has developed what it believes will be a game-changing approach to defeating spam.

The researchers used a captured spam bot to analyze a sample of the spam emails that it produced and then used this information to reverse engineer the template that the spam emails were based upon. Once this template was known, 100% of further spam emails from that bot were successfully blocked while avoiding any false positives on one million genuine email messages in the test.

Leading anti-spam products in the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives. However, a large part of the fight against spam remains reactive.

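The template-matching idea described above, as an added illustration (not the researchers' own method or code): a handful of constructed messages produced by one hypothetical spam bot are aligned to recover the fixed text they share, and that skeleton is compiled into a matcher that accepts further output of the same template while rejecting ordinary mail. The sample messages and the difflib-based alignment are my assumptions, not details from the original post.

```python
import re
from difflib import SequenceMatcher

SLOT = "\x00"  # internal marker for a region the bot fills in per message

# Constructed output of a hypothetical spam bot (not real captured spam).
SAMPLES = [
    "Dear Alice,\nYour 70% discount coupon code X7Q2P is waiting at "
    "http://pills-deal.example/aa12 and expires in 48 hours.\nRegards, Online Pharmacy",
    "Dear Bob,\nYour 70% discount coupon code M9ZZ1 is waiting at "
    "http://meds-cheap.example/b77 and expires in 48 hours.\nRegards, Online Pharmacy",
    "Dear Carol,\nYour 70% discount coupon code K3LP8 is waiting at "
    "http://rx-fast.example/c0 and expires in 48 hours.\nRegards, Online Pharmacy",
]

def refine(template, sample, min_fixed=4):
    """Keep text that template and sample share in order; every region where
    they differ becomes a SLOT. Shared runs shorter than min_fixed characters
    are treated as coincidental and folded into the surrounding slot."""
    sm = SequenceMatcher(None, template, sample, autojunk=False)
    parts, ti, si = [], 0, 0
    for i, j, n in sm.get_matching_blocks():
        if n < min_fixed:
            continue
        if i > ti or j > si:            # unmatched text on either side
            parts.append(SLOT)
        parts.append(template[i:i + n])
        ti, si = i + n, j + n
    if ti < len(template) or si < len(sample):
        parts.append(SLOT)
    return re.sub(SLOT + "+", SLOT, "".join(parts))

def infer_template(samples, min_fixed=4):
    """Fold refine() over all captured samples to get the fixed skeleton."""
    template = samples[0]
    for sample in samples[1:]:
        template = refine(template, sample, min_fixed)
    return template

def template_regex(template):
    """Fixed text is matched literally; each SLOT becomes a lazy wildcard."""
    pattern = ".*?".join(re.escape(p) for p in template.split(SLOT))
    return re.compile(pattern, re.DOTALL)

def is_from_template(regex, message):
    """True when the whole message fits the inferred template."""
    return regex.fullmatch(message) is not None

if __name__ == "__main__":
    print(repr(infer_template(SAMPLES).replace(SLOT, "<slot>")))
```

Because only text common to every captured sample becomes fixed, a fourth message from the same bot matches even though its name, code and host differ, while a message with different surrounding wording does not.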

2009, The Year in Spam

Written by Paul Cunningham on December 31, 2009

It has been a big year for the internet, with social networks continuing to grow at an amazing pace, search engines scrambling to keep pace with user demand for fresh news, and, as always, spam and malware causing havoc around the world.

A look at the year's major spam events shows some consistent trends.

  • Seasonal spam such as Valentine's Day and Christmas remains predictable
  • Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
  • Spam networks are becoming more distributed and resistant to shutdown attempts
  • Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
  • Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering

Here is a look at some of these major events throughout the year.

January

Scams promising free money from US government grants attempt to exploit the news of corporate bailouts and the increase in unemployment.

Fake CNN news alerts take advantage of a clash between Israel and Hamas.

Global spam volume begins returning to normal levels after the McColo shutdown of November 2008.

The inauguration of US President Barack Obama leads to a wave of spam spreading rumours that his inauguration is invalid or that he resigned, and attempts to trick users into downloading malware.

Spammers also get a head start on Valentine’s Day with malware-carrying love letters.

February

Human error at Google marked the entire internet unsafe (is it really that far from the truth?).

The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.

Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.

March

Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.

Project Honey Pot: One billion spams and counting

Written by John P Mello Jr on December 29, 2009

Billionth spam received by Project Honey Pot.

Project Honey Pot announced earlier this month a dubious achievement: it had attracted its one billionth spam message. The e-junk purported to be from the U.S. Internal Revenue Service and informed its recipient:

“After the last annual calculation of your fiscal activity we have determined that you are eligible to receive 760,635 tax refund under section 501(c)(26) of the Internal Revenue Code. Please submit the Tax Refund Request form and allow us 3-9 days to process it.

“Yours faithfully,
“Sarah Hall Ingram, Commissioner”

Although the spammers forgot to put a dollar sign in front of the refund amount, they were accurate in some other details in the message. There is a section 501(c)(26) of the Internal Revenue Code. It lists non-profit organizations exempt from some federal income taxes, and subsection (26) includes in that category “State-Sponsored Organization Providing Health Coverage for High-Risk Individuals.”

Sarah Hall Ingram is an IRS commissioner, but not the IRS commissioner, as the letter would lead one to believe. However, she is the commissioner of the agency’s Tax Exempt/Government Entities Division, which would be a believable source for the message.

Project Honey Pot is a community of tens of thousands of web and email administrators from more than 170 countries around the world who are working together to track online fraud and abuse.

According to the Project, the IRS spam was sent from bot malware running on a compromised machine in India. It noted that the email address used by the bot was originally harvested on Nov. 4, 2007 by a grim reaper that has sent more than 53 million messages to the address since that time.


Spain Leads World in Botnet Infections

Written by Sue Walsh on November 9, 2009

A new report by security researchers has revealed that Spain is currently the country with the most infected computers. A whopping 44.5% of all computers in that country are infected with malware and part of a botnet. The United States is a distant second with 14.4%. The countries with the fewest infections are Peru, Sweden, and The Netherlands, all of which have an infection rate of less than 1%.

The report also found that malware and botnets have increased by 30%. While social networks like Facebook and Twitter have been especially hard hit, email is still popular with spammers and scammers. Over 94% of all emails sent are spam. Pharmaceutical spam is the most prevalent, followed by porn, male enhancement and fake designer goods. Brand abuse is also rising, with everything from the AARP to the Hollywood Reporter finding themselves exploited by spammers. One such brand, UPS, is being used in spam messages spreading the Bredolab Trojan, and the sending of those messages has been rising sharply.

Bredolab has been very active in helping to grow the Cutwail botnet, which was briefly derailed when Pricewert, the rogue ISP hosting it, was shut down. As expected, it quickly found a new home and bounced back to life. Security experts expect spam and malware levels to continue to increase throughout the holiday season.

NASA Reprimanded Over Lax Security Practices

Written by Sue Walsh on October 23, 2009


In a new report by the Government Accountability Office, NASA was reprimanded over its lax security practices and told to shape up. NASA has reported nearly 1300 security incidents in the last 2 years, and although it has taken some steps to improve its IT issues, the GAO says it still has far to go.

“NASA remains vulnerable to similar incidents going forward,” the report finds. “Control vulnerabilities and program shortfalls make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts.”

The security breaches reported at NASA include malware infections, data theft, the theft of several laptops containing data on a prototype hypersonic jet, a space telescope and a lunar orbiter, 82 computers being made part of a botnet thanks to the installation of rootkits, the infection of 86 other computers with the Zoneback Trojan, and others infected with the Coreflood Trojan.

The GAO made 200 recommendations addressing 129 weaknesses. NASA says it is continuing to improve its IT management and better train its employees on proper security practices. Kind of scary that a high tech agency like NASA could be so careless when it comes to security!

New Botnets Emerging

Written by Sue Walsh on October 20, 2009


Despite the shutdowns of several spam-friendly ISPs, the number of botnets sending out spam has increased. The newest kid on the block is the Maazben botnet, which was first discovered in May. It joins veteran botnet Rustock in spewing out millions of online casino spams each day. Rustock is responsible for 10% of all spam sent, while Maazben is responsible for 1.4%. That doesn't seem like much, but that volume has doubled since August.

While the monster botnet Cutwail, responsible for nearly 46% of all spam sent at its peak, was severely crippled by an ISP shutdown, the botnets Grum and Bobax have quickly jumped in to make up for it, and together are responsible for 39% of all spam sent.

Botnets are also beginning to be used for more than just spewing spam and stealing passwords. The Gumblar botnet infects websites and uses them to distribute malware, and the Bahama botnet uses the computers it infects to commit click fraud. What's more, the sheer number of botnets around now has made DDoS attacks easier and cheaper than ever. While such attacks don't result in profits, they are still used to muzzle critics, knock online competitors out, and otherwise send an unpleasant message to an individual or group.

Botnets are here to stay. They are growing more sophisticated and powerful every day, and it is going to be more and more difficult to stay ahead of them.

Open Source Ethos Infects Malware Community

Written by Paul Cunningham on October 8, 2009

In February of this year the BBC World News took an inside look at the Russian malware scene and discovered a thriving market for paid malware development and support services. For a very low cost, spammers are able to purchase the tools they need to command thousands of computers for their own botnet. The enterprising malware authors will even sell them an ongoing support plan to help them adapt their tools to get around the latest anti-malware detection software.

Now SC Magazine reports that as much as 10% of the malware available to spammers is open source. Open source refers to code that is freely available for users to download, modify, and re-use for their own purposes. It is widely regarded as an effective way to gain popularity for a piece of software, and also to improve the quality of the code itself as it is inspected by savvy users.

Though this is not the first time open source malware has appeared, the sudden increase highlights the seriousness of the spam and malware problem on the internet. Years ago these same coders were content to cause havoc with malicious email viruses and denial of service attacks. Now they turn their attention to making a profit, and are engaging in practices like giving away open source code to promote their skills.

With this trend towards open source malware, the adaptability of malicious code will only increase, both through paid services by the malware authors as they customize their code for their customers, and through independent modification by those who download the free tools and change them to suit their own purposes.

ISP Shutdown Does Little Damage to the Cutwail Botnet

Written by Sue Walsh on August 27, 2009

When Latvian ISP Real Host was shut down earlier this month, many believed it would have a similar effect to the shutdown of McColo last November. That shutdown cut worldwide spam levels by 90% when several botnets hosted by the ISP were knocked offline. Unfortunately, spam levels have since bounced back ferociously.

When Real Host was shut down, experts believed the Cutwail botnet it hosted would go down with it, at least for a while. Instead it was back to business as usual in less than 48 hours. Cutwail is responsible for roughly 20% of all spam sent. It is also responsible for numerous phishing attacks, malicious websites, and rogue anti-virus software. Cutwail is responsible, along with Mega-D and Donbot, for sending 21 billion spam messages a day.

Security experts say cybercriminals have learned from the McColo shutdown and have adjusted their botnets so they are no longer dependent on a single host for their command and control servers, and have backups in place. They have even begun using other ways to control their botnets: just a few weeks ago a massive botnet was discovered to be using Twitter to communicate with its command servers. It appears that simply shutting down a scammer-friendly ISP is no longer going to be effective.

Botnets Now On Twitter

Written by Paul Cunningham on August 19, 2009

The Sydney Morning Herald reports that security researchers investigating the recent Twitter spam and denial of service attacks found at least one account that was using Twitter to control a botnet.

          “Jose Nazario with Arbor Networks said he found a Twitter account that was used to send out what looked like garbled messages. But they were actually commands for computers in a botnet to visit malicious websites, where they download programs that steal banking passwords.”

Social networking services such as Twitter have recently become associated with spam and phishing attacks due to the lack of inbuilt protection from malicious users. This new development of using Twitter messages to control botnets takes the issue another step forward.