A security firm has put together a top 10 most wanted list of botnets. These botnets are responsible for pumping out the majority of the global spam volume which is now at a whopping 230 billon messages a day. Most of them have originated in Eastern Europe which makes the criminals behind them very hard to track down. Lets take a look at the list:

1. Rustock- Responsible for 43% of the global spam volume this is the biggest active botnet on the web. It pumps out millions of pharmaceutical spam messages for the infamous Canadian Pharmacy and others.
2. Mega-D- Coming in second with 10.2% of total spam volume, this is one of the longest running botnets around. It too sends out mainly pharmaceutical spam and gets its name from one of the fake drugs it hawks.
3. Festi- This newcomer is responsible for 8% of the total world spam volume and seems to work in tandem with the Pushdo bot net.
4. Pushdo- This is  a very complex botnet that carries out multiple campaigns and distributes malware as well as spam. Currently responsible for 6.3% of the total spam volume.
5. Grum- This is another pharmaceutical spam spewing botnet, currently responsible for 6.3% of total spam volume.
6. Lethic-Responsible for 4.5% of total spam volume and also acts as a spam proxy.
7. Bobax- Responsible for 4.3% of total spam volume. Pumps out pharmaceutical spam.
8. Bagle- Primarily acting as a proxy, Bagle is responsible for 3.5% of the total spam volume.
9. Maazben- With 2% of the total spam volume, Maazben sends only casino related spam.
10. Donbot-Another pharmaceutical spam spewing botnet responsible for 1.3% of total spam volume.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 10 Most Wanted Spam Producing Botnets

Compromised computers spew spam.

John Leydon over at The Register posted an interesting article recently. It seems that botnet herders have learned how to avoid honeypots. Honeypots are the name given to traps set by security firms-groups of unprotected computers designed to lure botnets so that they can study their command structure and malware deliveries. This helps them come up with ways to detect and fight back against them. Now that the herders know how to spot and avoid them, they may lose this valuable tool.  While many firms say they are aware of this and working on the problem, some are skeptical and say the seriousness of the issue is being exaggerated.

I personally disagree. I mean seriously, does this surprise anyone? Botnet herders and other cybercriminals are getting better and better at avoiding detection and protecting themselves. When McColo was abruptly shut down in 2008 it knocked several botnets offline for MONTHS. Thanks to improved technology, recent similar shutdowns have resulted in botnet downtime shrinking to just hours or days. No matter how good we think we are at detecting malware, blocking spam and fighting botnets, the cybercriminals will always be a step ahead. They are constantly changing and evolving. These folks will never wind up on an episode of America’s Dumbest Criminals. These people are smart, creative, and determined and because of that we need to take every warning seriously. We are woefully unprepared for a major cyberattack or act of cyberwarfare, and until that changes we’ve got to stay on the ball.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Importance of Taking Warnings Seriously

Security experts have discovered that the infamous Storm botnet is making a comeback. The original Storm roared to life two years ago, pumping out a whopping 20% of the world’s spam at its peak.  To spread itself it sent fake greeting cards and exploited news headlines and popular events.  This new variant uses the old code and sends fake anti-virus software and spam hawking celeb videos, internet pharmacies, and dating sites.

“This is an example of the reuse of code that worked very effectively in the past,” Don DeBolt, director of threat research at CA, told SCMagazineUS.com. “It’s a good lesson to understand about malware and the internet that when one method works in the past, it’s often reused again in the future. We have to constantly keep our guard up and look at the reissuance and redistribution of legacy malware.”

Storm was one of the largest and most powerful botnets ever until its ISP, Intercage, was shut down. Intercage hosted the botnet’s command and control servers and the shut down abruptly severed those connections. In addition researchers discovered a way to infiltrate the bot, adding to its woes. It died a quiet death and was replaced by Waledec, which itself was recently incapacitated by a court order that slammed the door shut on almost 300 of its domains.  The shuttered domains were being used to host the botnet’s command and control servers. Without them it quickly succumbed but don’t rule it put for the count just yet. If Storm is any indication, cats aren’t the only ones with nine lives.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Storm Botnet Coming Back to Life

Here’s a look at the top 5 botnets and what they’re up to:

Compromised computers spew spam.

5. Bagle- This botnet has been around since 2004 and undergone many transformations. It now acts as a proxy for spammers. Its 500,000 or so zombies push out over 14 billion pieces of spam a day.

4. Rustock- This botnet was knocked offline by the McColo shutdown but roared back to life. It’s not known exactly how many zombies are under its control but it pumps out about 17 billion pieces of spam a day, most of it pharmaceutical and imaged based. It’s known for forging legit business newsletters to do its dirty work and also infests Twitter. Impressive considering the bot is only active for 4 hours a day!

3. Pushdo/Cutwail- This bot was born the same time as Storm, but has outlived it. Pushdo installs itself on the zombie computer and downloads Cutwail, which turns it into a spamming machine. Its 1.5 million zombies pump out 19 billion pieces of spam a day, most of it hawking fake pharmaceuticals, online casinos, malicious links and phishing schemes.

2. Bobax- Despite its small size (only 100,000 zombies) this botnet manages to pump out over 27 million pieces of spam a day. Its handlers are constantly adjusting it to make it harder and harder to trace and they appear to be renting the botnet out to spammers rather than doing the dirty work themselves.

1. Grum-  This botnet is super-sophisticated, acting as  both a botnet and a rootkit. It targets files used by  autorun registries and despite only having 600,000 zombies pumps out a whopping 40 billion spam messages a day, all of it hawking  various pharmaceuticals, which lately is by far the most popular kind of spam flooding the net.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 5 Botnets

A new survey has revealed the net is being subjected to a high tech crime wave. Over 100 attacks per second hit the world’s computers, and 1 every 4.5 seconds succeeds in an infection. Malware has soared to a record high, increasing by 71% in 2009 compared to 2008’s figures. The enormous surge is credited to the equally increasing popularity of do it yourself toolkits that allow anyone from novice to ubergeek to run their own criminal operation. Some of the kits are free, while others, like the one that allows users to run their own version of Zeus, go for about $700. The sale of these malicious tools has become a booming part of the underground economy itself. Some distributors run their operations like legitimate software enterprises right down to offering technical support to users.

The criminals themselves are becoming more sophisticated as well. Intelligence has become an important part of the game as scammers analyze social networking pages and other online information in order to gather information that will help them personalize their phishing attacks and malicious spam. Spam is getting more and more polished and targeted as scammers rush to stay ahead of increasingly educated users.

The survey also found two new emerging cybercrime hotspots. Brazil and India are making waves due to the fact that although their infrastructure has improved and brought high speed internet to much of the country, their education on security issues has lagged far behind. This gives cybergangs a definite advantage.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Widespread Cyber Attack Hitting Web

86% of more than 3700 respondents were aware of the concept behind a bot.

More than 80 percent of the keyboard jockeys on two continents know what bot networks do. They just don’t know what they’re called.

In its 2010 annual report on email security and awareness, the Messaging Anti-Abuse Working Group (MAAWG) discovered that 84 percent of computer users is six countries–United States, United Kingdom, Canada, France, Germany and Spain–were familiar with the “concept” of a bot. That is, the idea that malware existed that could control a computer without its owner’s knowledge and use the machine to proliferate spam and steal personal information.

However, 53 percent of the same sample of some 3700 respondents confessed that they’d never heard of the term “bot” or “botnet.” Another 25 percent had heard of the terms but didn’t know what they meant.

Users least likely to have heard of bots were women (38 percent), people 55 or older (36 percent) and users inexperienced with Internet security (22 percent).

The greatest awareness of the bot concept was found in Germany (91 percent). In the United States, 82 percent of the respondents had knowledge of bots. That’s five percent higher than it was in last year’s survey.

When it comes to viruses that cause bot infections, users appear to be in a state of denial, according to the data gathered by the surveyors. For instance, even among users who had previous encounters with malicious software, 43 percent of them revealed that they didn’t expect to be infected by a bot. German computerists were the most confident that they were immune from bots (62 percent). British (26 percent) and Spanish (23 percent) respondents were the least confident nationalities about bot infections.

Past dealings with spam appear to have no influence on a user’s attitude toward bot infections. Almost half of those who opened spam messages in the past believed they weren’t susceptible to bot infections in the future. A similar number, 46 percent, of respondents who avoid opening junk mail felt immune from bot infections.

Should a bot infect their computer how will an email user know it? Some 66 percent of them told the surveyors that they expect their anti-virus software to alert them to it. Computerists 55 and older, who, according to the report, are more likely to keep their anti-virus software up to date, were more likely to depend on anti-virus alerts (70 percent) than those under 35 (63 percent).

Other tip offs cited by users were abnormal or sluggish computer performance (52 percent) and identification of a program they didn’t install (52 percent).

For fighting bots, email users tend to look to their service providers for protection (65 percent) or the anti-virus software companies (54 percent). More users aged 55 and older (77 percent) were inclined to hold service providers accountable for stopping the spread of viruses, fraudulent email, spyware and spam than 18-34 year olds (57 percent) and the 35-54 age group (67 percent). The same was true for holding the feet of AV companies to the fire on the issue–55-plus, 62 percent; 18-34, 52 percent; 35-54, 54 percent.

Only 48 percent of the respondents felt they were accountable for fighting viruses and spam. That was slightly higher for 55-plus respondents (51 percent) and lower for 18-24 year olds (45 percent). Although they didn’t embrace a primary role in battling malware, a majority of the respondents (56 percent) rated themselves as being very or fairly good at stopping virus and spam.

They also let other stakeholders in the email ecosystem off the hook for combating malware. Only 37 percent held software companies accountable; 35 percent, government and consumer protection agencies; 22 percent, social networking sites; 20 percent, computer manufacturers; 19 percent, computer and software retailers; 15 percent, consumer advocacy groups; and 12 percent, professional associations.

Once infected, users are most likely to try and address the problem themselves. Following the do-it-yourself approach (36 percent) was have a friend or family member help with the repair (32 percent) and take it to a repair shop (31 percent). It’s interesting how those numbers vary by region. For example, respondents in Canada (43 percent) and Spain (42 percent) preferred taking their computer to a repair center above other choices. In the United States, survey members were closely divided between a repair center (35 percent) and self-repair (34 percent). Germany (44 percent) and U.K. (36 percent) respondents strongly endorsed self-repair; France (42 percent), friends and family.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bot awareness is high; however, so is user naiveté

Virtualization has been a growing trend in business computing over the last few years.  Companies are able to use virtualization to reduce costs and improve efficiency.  What started at the server level is also infiltrating desktop computing, with virtualized desktops now showing up in a lot of environments.

Another recent trend has been the appearance of botnets that have the ability to detect when they are being studied by security researchers.  Often this study is taking place using honey pots, which are fake systems set up by researchers to be deliberately infected with malware so that they can study its behaviour.

This has lead some security experts to predict that soon it will be common for botnets to actively look for the signs of a honey pot and either deactivate those systems, or perhaps even generate DDOS attacks against the researchers.

The CTO of database security firm Imperva, Amichai Shulman, suggests that “Most honeypot machines are based on a virtualization platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there.”

The intersection of these two trends could have a positive outcome for businesses concerned about botnets infecting their corporate systems.  If botnets actually did begin shutting down when virtualization platforms were detected, then the use of virtual desktops could in itself prevent a botnet from becoming active.

As it stands now virtualizing desktops does offer some benefits for malware prevention.  Virtualized desktops will usually operate in a more locked down state than hardware-based desktop fleets.  This is not always because of poor administration of the hardware fleet, often it is more due to the administrative effort required to secure a hardware fleet making it more prone to exception or error than a centralized virtual desktop environment.

The rapid deployment capabilities of virtualized desktops also mean that any malware infections that do occur can be quickly dealt with by destroying that particular instance and provisioning a new one.

It will be interesting to see if botnets do continue along this trend of attempting to detect honey pot systems, and whether that does deliver an unintended benefit to businesses that are embracing desktop virtualization.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Will Virtualization Protect Businesses from Botnet Infection?

A research team from two Californian universities has developed what it believes will be a game changing approach to defeating spam.

The researchers used a captured spam bot to analyze a sample of the spam emails that it produced and then used this information to reverse engineer the template that the spam emails were based upon.  Once this template was known 100% of further spam emails from that bot were successfully blocked while avoiding any false positives on one million genuine email messages in the test.

Leading anti-spam products in the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives.  However a large part of the fight against spam remains reactive.

Adding this new technique into the protection mix may tilt the playing field in the good guys’ favour for a little while but the constantly evolving threat landscape online will find a way to get around it soon enough.  Fighting spam comes down to a numbers game – if there are more people who want to send spam than there are researchers and professionals fighting it then the war will go on for a very long time.

The spam and malware industry has already become well known as a sort of underground marketplace where anyone can buy the software and email lists they need to begin a spam campaign.  The business model behind these ventures has become so well established that ongoing maintenance plans are even available for the spam tools and malware available.  For a fee a malicious coder will develop a new variant of a tool for you that circumvent any detection that has been implemented by security vendors.

It is easy to expect this same type of service offered to botnet operators who will need a constant supply of new email templates to avoid detection by any vendor who uses this new spam analysis technique.  In fact it is also easy to expect that bot software will no longer contain all of the template information in its code and will instead regularly download new variations from other sources to hamper attempts reverse engineer it.  Most bots are already self-updating and constantly evolving into new variants anyway.

The full details of this new research will be unveiled in March and it will be very interested to see just how practical it will be to integrate this new technique into current anti-spam products.  The turnaround time required to discover and capture a new bot, analyse it, create detection signatures, and then deploy those to a global customer base may be more than enough for spammers to successfully send out their campaigns.   By the time protection is achieved the next bot variant already exists.

As far as the overall impact on spam this technique may have little to no impact at all.  Although it may prevent some spam that is sent directly from the computers compromised by bots it will not have any effect on bots that serve other purposes such as taking over webmail or social networking accounts for use by spammers.

As an anti-spam development this research is interesting but I have some doubts about its practicality and effectiveness.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Researchers Analyze Bots to Beat Spam, But Will it Work?

It has been a big year for the internet with social networks continuing to grow at an amazing pace, search engines scrambling to keep pace with user demand for fresh news, and as always spam and malware causing havoc around the world.

A look at the year’s major spam event shows some consistent trends.

• Season spam such as Valentine’s Day and Christmas remains predictable
• Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
• Spam networks are becoming more distributed and resistant to shutdown attempts
• Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
• Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering

Here is a look at some of these major events throughout the year.

January

Scams promising free money from US government grants attempts to exploit the news of corporate bailouts and the increase in unemployment.

Fake CCN news alerts take advantage of a clash between Israel and Hamas.

Global spam volume begin returning to normal levels after the McColo shutdown of November 2008.

The inauguration of US President Barack Obama leads to a wave of spam spreading rumours that his inauguration is invalid or that he resigned and attempts to trick users in downloading malware.

Spammers also get a head start on Valentine’s Day with malware-carrying love letters.

February

Human error at Google marked the entire internet unsafe (is it really that far from the truth?).

The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.

Microsoft offeres a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.

March

Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.

The BBC gets itself into hot water when it buys a botnet to research a story and then uses it to send messages to potential victims.

April

Security vendor PGP exposes hundreds of customer email addresses by not using the BCC field for a broadcast email.

Global spam volume makes a complete return to the level it was at prior to the McColo shutdown.

Researchers discover the first ever SMS virus in the wild, capable of spreading between mobile phones via text messages.

Twitter suffers its first major malware outbreak due to a cross-site scripting attack by a bored teenager.

May

The Swine Flu outbreak gives spammers a new hot topic to exploit in their latest scams, with fake drugs and “survival guides” offers flooding mailboxes.

The Cutwail botnet, previously seen during the Valentine’s Day spam season, makes a fresh start pushing fake weight loss products, and Acai Berry scams appear all over the internet.

June

Air France flight 446 crashed in the Atlantic ocean, giving spammer a new tragedy to exploit.

A UK furniture company makes a major PR blunder by using Twitter hashtags for the Iranian conflict to promote their products.

Michael Jackson dies, nearly causing an internet meltdown as search engines, social networks and news websites struggled to copy with the unprecedented burst in traffic.  Spammers quickly jumped on the public thirst for details about Jackson’s death with new spam messages.

July

The ZBot Trojan appears in a new attack that uses a fake Microsoft update notice to trick users.

A botnet launches a major DDoS attack against US government websites to coincide with the July 4^th holiday.

Spammers begin using free URL shortening services to bypass spam filters.

August

Another Twitter phishing/spam combo attack appears causing disruption for users.

Twitter, Facebook and other sites were all knocked offline for several hours due to a targeted DDoS attack against a pro-Georgian blogger.  The event was so prominent in the news that spammers began exploiting it with email and search engine keyword spam to cause further denial of service and compromise more computers.

Another spammer ISP is shutdown but this time the effect is nowhere near as successful as when McColo was taken offline, suggesting spammers are building more resilience into their networks.

September

A South Australian woman shares her experience of being the victim of identity theft when her Facebook account is hacked and used to scam money from her friends.

Popular blogging software WordPress becomes the target of a new worm that attempts to insert spam links in thousands of blogs.

A new Koobface worm variant appears targeting Facebook users.

October

A court order leads to an innocent Gmail user losing their email account when Google is forced to close it down.  The court order was granted after a bank employee accidentally emails customer information to the Gmail account.

A list of over 50,000 email addresses and passwords for major online web and email services appears on the internet.

A thriving marketplace of open source malware is uncovered by security researchers.

Geocities shuts down, taking with it thousands of spammer’s websites.

Facebook wins a massive $711 million judgement again one of the world’s biggest spammers.

November

The first Christmas season spam starts to appear to exploit the rising trend in online shopping.

Researchers successfully kill the Mega-D botnet.

Twitter job spam starts appearing promoting “get rich quick” schemes to exploit high unemployment rates.

An Australian amateur programmer writes an iPhone virus that causes relatively harmless infection on jailbroken iPhones.  His code is quickly repurposed by people with more malicious intent, and a security vendor is criticized by the wider community for rewarding him by offering him a job.

December

A New Zealand man is fined $15 million by the US FTC for operating a worldwide spam gang.  The same man faces charges in Australia soon after.

The Koobface worm adds a Christmas theme to its Facebook phishing attempts.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

2009, The Year in Spam

Billionth spam received by Project Honey Pot.

Project Honey Pot announced earlier this month a dubious achievement. It had attracted its one billionth spam message. The ejunk purported to be from the U.S. Internal Revenue Service and informed its recipient:

“After the last annual calculation of your fiscal activity we have determined that you are eligible to receive 760,635 tax refund under section 501(c)(26) of the Internal Revenue Code. Please submit the Tax Refund Request form and allow us 3-9 days to process it.

“Yours faithfully,
“Sarah Hall Ingram, Commissioner”

Although the spammers forgot to put a dollar sign in front of the refund amount, they were accurate in some other details in the message. There is a section 501(c)(26) of the Internal Revenue Code. It lists non-profit organizations exempt from some federal income taxes, and subsection (26) includes in that category “State-Sponsored Organization Providing Health Coverage for High-Risk Individuals.”

Sarah Hall Ingram is an IRS commissioner, but not the IRS commissioner, as the letter would lead one to believe. However, she is the commissioner of the agency’s Tax Exempt/Government Entities Division, which would be a believable source for the message.

Project Honey Pot is a community of tens of thousands of web and email administrators from more than 170 countries around the world who are working together to track online fraud and abuse.

According to the Project, the IRS spam was sent from bot malware running on a compromised machine in India. It noted that the email address used by the bot was originally harvested on Nov. 4, 2007 by a grim reaper that has sent more than 53 million messages to the address since that time.

“Every time Project Honey Pot receives a message we estimate that another 125,000 are sent to real victims,” the group revealed in a Web posting. “Our billionth message represents approximately 125 trillion spam messages that have been sent since Project Honey Pot started in 2004.”

In that posting, the group disclosed an interesting ranking of states based the number of compromised machines operating within a nation’s borders divided by the number of security professionals operating in it. Based on that methodology, the country with the best IT security was Finland, followed by Canada, Belgium, Australia, the Netherlands, United States, Norway, New Zealand, Sweden and Estonia. The state with the worst IT security was, not surprisingly, China, followed by Azerbaijan, South Korea, Columbia, Macedonia, Turkey, Vietnam, Kazakstan, Macau and Brazil.

Botnets remain the number one delivery choice of spammers, the Project noted, and the number of active bots has increased at a staggering rate since mid decade.

“Since 2004, active bots have grown at a compound annual growth rate of more than 378 percent,” it reported. “In other words, the number of bots has nearly quadrupled every year. In 2009, you could find nearly 400,000 active bots engaged in malicious activity on any given day with several million active over the course of any month.”

In addition to ranking countries by their IT security, the Project ranked nations by their populations of harvesters. The group explained that identifying where spammers are located is difficult.

“Rather than sending spam directly, spammers primarily use ‘bot’ machines in order to effectively launder their identities,” the group explained. “These bots are PCs that have been compromised by a virus and whose owner usually does not know they are being used to send spam.”

“The process is not unlike the stereotypical scene in a movie where the villain keeps his phone call from being traced by relaying it through a number of connections,” it explained. “Similarly, spammers’ use of bots can make their messages look like they are coming from somewhere completely different than their actual location. As a result, lists of spam origin countries tell you very little about where the spammers are actually located.”

There’s one activity, however, that spammers can’t launder: harvesting email addresses. Unlike distributing spam, which can be done from many machines at once, harvesting requires crawling from site to site, in serial, snatching email addresses. Since machines used for harvesting tend to be more permanent and stable, their location reveal where spammers are likely to be hiding out, the Project reasoned.

Where are the harvesters located? Their number one fav place is the United States, followed by Spain, the Netherlands, United Arab Emirates, Hong Kong, Romania, Great Britain, China, South Africa and Germany.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Project Honey Pot: One billion spams and counting

A new report by security researchers has revealed that Spain is currently the country with the most infected computers. A whopping 44.5% of all computers in that country are infected with malware and part of a botnet.  The United States is a distant second with 14.4%.  The countries with the least infections are Peru, Sweden, and The Netherlands, all who have an infection rate of less than 1%.

The report also found that malware and botnets have increased by 30%. While social  networks like Facebook and Twitter have been especially hard hit, email is still popular with spammers and scammers. Over 94% of all emails sent are spam. Pharmaceutical spam is the most prevalent, followed by porn, male enhancement and fake designer goods. Brand abuse is also rising, with everything from the AARP to the Hollywood Reporter finding themselves exploited by spammers. One such brand, UPS, is being used  in spam messages spreading the Bredolab Trojan and the sending of those messages has been rising sharply.

Bredolab has been very active in helping to increase the Cutwail botnet, which was briefly derailed when Pricewert, the rogue ISP hosting it, was shut down. As expected it quickly found a new home and bounced back to life. Security experts expect spam and malware levels to continue to increase throughout the holiday season.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spain Leads World in Botnet Infections

In a new report by the Government Accountability Office, NASA was reprimanded over its lax security practices and told to shape up.  NASA has reported nearly 1300 security incidents in the last 2 years, and although it has taken some steps to improve its IT issues, the GOA says it still has far to go.

“NASA remains vulnerable to similar incidents going forward,” the report finds. “Control vulnerabilities and program shortfalls make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts.”

The security breaches reported at NASA include malware infections, data theft, the theft of several laptops containing data on a prototype hypersonic jet, a space telescope and a lunar orbiter, 82 computers being made part of a botnet thanks to the installation of rootkits, and the infection of 86 other computers with the Zoneback Trojan, and others infected with the Coreflood Trojan.

The GAO made 200 recommendations addressing 129 weaknesses. NASA says it is continuing to improve its IT management and better train its employees on proper security practices. Kind of scary that a high tech agency like NASA could be so careless when it comes to security!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

NASA Reprimanded Over Lax Security Practices

Despite the shutdowns of several spam friendly ISPs, the number of botnets sending out spam has increased. The newest kid on the block is the Maazben botnet, which was first discovered in May.  It joins veteran botnet Rustock in spewing out millions of online casino spams each day. Rustock is responsible for 10% of all spam sent, while Maazben is responsible for 1.4%. That doesn’t seem like much but that volume has doubled since August.

While the monster botnet Cutwai, responsible for nearly 46% of all spam sent at its peak, was severely crippled by an ISP shut down, botnets Grum and Bobax have quickly jumped in to make up for it, and together are responsible for 39% of all spam sent.

Botnets are also beginning to be used for more than just spewing spam and stealing passwords.  The Gumblar botnet infects websites and uses them to distribute malware, and the Bahama botnet uses the computers it infects to commit click fraud. What’s more, the sheer number of botnets around now has made DDoS attacks easier and cheaper than ever. While such attacks don’t result in profits, they are still used to muzzle critics, knock online competitors out, and otherwise send an unpleasant message to an individual or group.

Botnets are here to stay. They are growing more sophisticated and powerful everyday and it is going to be more and more difficult to stay ahead of them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Botnets Emerging

In February of this year the BBC World News took an inside look at the Russian malware scene and discovered a thriving market for paid malware development and support services.   For a very low cost spammers are able to purchase the tools they need to command thousands of computers for their own botnet.  The enterprising malware authors will even sell them an ongoing support plan to help them adapt their tools to get around the latest anti-malware detection software.

Now SC Magazine reports that as much as 10% of the malware available to spammers is open source.  Open source refers to code that is freely available for users to download, modify, and re-use for their own purposes.  It is widely regarded as an effective way to gain popularity for a piece of software, and also to improve the quality of the code itself as it’s inspected by savvy users.

Though this is not the first time open source malware has appeared, the sudden increase highlights the seriousness of the spam and malware problem on the internet.  Years ago these same coders were content to cause havoc with malicious email viruses and denial of service attacks.  Now they turn their attention to making a profit, and are engaging in practices like giving away open source code to promote their skills.

With this trend towards open source malware the adaptability of malicious code will only increase, both through paid services by the malware authors as they customize their code for their customers, and through independent modification by those who download the free tools and change them to suit their own purposes.One of the most immediate impacts of this increased adaptability will be the elevated risk of infection for computers that lack effective antivirus and antispam protection measures.  Security products that are slow to update their detection signatures may fail to detect new variants of the open source code in time to stop them from taking over computers.

Similarly businesses that do not take an effective multi-layered approach to their security are also likely to face more risks.  Consider that malware infects computers through multiple attack vectors such as email, poorly configured firewalls, social networking, pirated software, and unsecured wireless networks.  Each of these must be addressed with a robust solution that can deal with the increased risk.

On the upside, the open source malware does enable security vendors to gain access to the malicious code as well for analysis and inclusion in their detection engines.  For those that take advantage of this opportunity their customers will benefit from speedy definition updates and better protection than those who rely on vendors who do not.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Open Source Ethos Infects Malware Community

When Latvian ISP Real Host was shut down earlier this month, many believed it would have a similar effect as the shut down of McColo last November. That shutdown cut worldwide spam levels by 90% when several botnets hosted by the ISP were knocked offline. Unfortunately spam levels have since bounced back ferociously.

When Real Host was shut down, experts believed the Cutwail botnet it hosted would go down with it, at least for awhile. Instead it was back to business as usual in less than 48 hours later. Cutwail is responsible for roughly 20% of of all spam sent. It’s also responsible for numerous phishing attacks, malicious websites, and rogue anti-virus software. Cutwail is responsible, along with Mega-D and Donbot, for sending 21 billion spam messages a day.

Security experts say cybercriminals have learned from the McColo shutdown and have adjusted their botnets so they are no longer dependent on a single host for their control and command servers and have backups in place. They have even begun using other ways to control their botnets-just a few weeks ago a massive botnet was discovered to be using Twitter to communicate with its command servers. It appears simply shutting down a scammer-friendly ISP is no longer going to be effective.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ISP Shutdown Does Little Damage to the Cutwail Botnet

The Sydney Morning Herald reports that security researchers investigating the recent Twitter spam and denial of service attacks found at least one account that was using Twitter to control a botnet.

          “Jose Nazario with Arbor Networks said he found a Twitter account that was used to send out what looked like garbled messages. But they were actually commands for computers in a botnet to visit malicious websites, where they download programs that steal banking passwords.”

Social networking services such as Twitter have recently become associated with spam and phishing attacks due to the lack of inbuilt protection from malicious users.  This new development of using Twitter messages to control botnets takes the issue another step forward.Typically a botnet is made up of computers connected to broadband connections that have been compromised in some way, usually by either tricking the owner into installing malicious software (a browser toolbar, fake antivirus software, or a porn dialer) or by exploiting a vulnerability in the operating system or web browser that they are using.  A lot of these attacks occurred over email, which lead to the need for the email anti-spam protection software most of us are using today (either on our own computers or on the email servers of our businesses and ISPs).

Botnets were often controlled using IRC channels, which were quick and easy for spammers to set up anywhere in the world and control remotely.  Over time IRC traffic became almost synonymous with botnets, and despite its legitimate intended uses it is really only used by tech enthusiasts so most businesses simply block IRC traffic at their firewall.  Many consumer broadband modems and routers also block IRC traffic by default.

Twitter on the other hand simply works over the HTTP protocol, which is almost always open on business and consumer firewalls.  Most Twitter clients will even work seamlessly through web proxies.  This makes the use of Twitter for controlling botnets a very serious problem.

There is no doubt that social networking such as Twitter can be a valuable tool for businesses to use to communicate with their customers.  However the lack of content filtering exposes the end user to attacks such as messages with URLs that lead to web pages designed to trick the user or exploit a software vulnerability.  The URLs are often masked with URL shortening services making malicious URLs more difficult to detect at a glance.  Even a message from a known, trusted friend may be an attack because of the tendency for people to willingly give away their Twitter password to third party services.

The security challenge here is complex.  Businesses would like to trust their users to engage in social networking for work and for pleasure, but even the best online security training for staff will still leave gaps as people’s awareness and attentiveness wanes over time.  Blocking the services entirely is undesirable, which just leaves blocking of URL shortening services in email and at the web proxy as a counter-measure.  This of course cripples one of Twitter’s more useful benefits, the ability to quickly share interesting and useful links.

Ultimately the best on-premises solution a business can implement will still be vulnerable without better inbuilt security measures for social networks.  But as long as these networks remain free and open for anyone to use they will often lack the resources to invest in security even as they continue to attract malicious users.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Botnets Now On Twitter

My last post on international spam fighting attracted a comment from reader Andreas Kroll.  Andreas asks “Why is it really so hard to tackle spam?”

That is a good question, and one we don’t often stop and think about.  The war against spam carries on with each side adjusting to the other’s new techniques with new ways of defeating them.  This constant shifting of the landscape makes anti-spam a very fluid, dynamic industry with rapid technology changes.  Of course to the regular person using their computer for email and internet access they are probably wondering what all of the clever people at anti-spam company are really doing about it.

Let’s take Andreas’ comment for example.

“Spam in itself is the repeated sending of (nearly) identical messages to a lot of people.”

This would be true if all spam messages were created equally.  I’m sure we’re all familiar with viagra spam, or Nigerian 419 spam, or lottery spam, but if you sat and looked at 10 viagra spam emails in your Junk email folder you won’t find two the same.  Spammers will simply use an email template with a series of variable portions, and run scripts to insert a variety of values into those fields.  A short spam email with just 10 fields, each with 10 possible values, means 10,000,000,000 unique spam emails can be produced.

“It cannot be so hard to distinguish a mail that reaches several thousand people from a mail intended for a small group or a single person.  (With the exception of newsletter postings, which you have (hopefully) opted in)”

Legitimate commercial email and newsletters contain many similar characteristics to a typical spam email such as commercial terminology, urgent tone, and a call to action (eg “click here”).

This is one of the major challenges faced by both anti-spam companies and by email marketers.  The anti-spam company doesn’t want to inconvenience businesses and email recipients by blocking legitimate marketing, and the email marketer wants to avoid being labeled a spammer and losing all of their customers because they can’t guarantee a high delivery rate.

“So if you can identify the mails and you can identify the routes these mail take, why can’t you go backwards in the routing step by step, identify the responsible server, identify the responsible admin and give him/her the choice to cooperate in the fight against spam or be excluded from mail traffic by a BAN list.”

There are two answers for this.  Firstly, not all spam originates from email servers.  A lot of spam will come from armies of compromised home and business computers called botnets.  Some of it will come from compromised or misconfigured servers such as open relays, or email servers not correctly set up to avoid backscatter.  Many of these botnets and open relays do end up on blocklists such as Spamhaus that can be used by email administrators to perform connection filtering.

“ISPs not willing to shut of spam senders will have to be shut off from the network completely. I cannot understand why a provider allowing to distribute that crap through his network is still on the internet.”

Back in November 2008 a victory against spam was won when an ISP responsible for as much as 75% of the internet’s spam was shutdown.  As effective as this was in the fight against spam unfortunately it only further highlighted the challenges of international spam fighting as the operators were able to simply set up shop elsewhere in another country and continue spamming the internet.

But for most legitimate ISPs outbound spam filtering is not something they can be very aggressive with, nor is it always going to be effective.  Firstly, an ISP does not want to disrupt their customers’ email by causing any false positives (legitimate email marked as spam).  False positives may damage their customers’ businesses and cause financial losses, which could lead to law suits against the ISP.

Secondly, most ISPs permit customers to send directly out to the internet over SMTP without having to relay through any ISP mail servers.  This is actually the preferred method for most email administrators because it makes troubleshooting email delivery much easier.

“Local law should make the ceo personally responsible for the damages.”

This is the main issue in the war on spam.  Anti-spam legislation (where it exists at all) is local, but the problem is global.  According to some reports Australia is one of the most spammed countries in the world, despite having strict anti-spam laws.  These laws are only effective at stopping Australian businesses from sending spam.  If a spammer in Russia or Korea sends me some spam then Australian authorities have no power to punish or stop them.

My answers to Andreas’ comment may make it seem like the fight against spam is hopeless, and that spammers are winning.  The reality is that while spam continues to be a problem causing nuisance and financial loss for businesses and individuals everywhere, any place that has an effective anti-spam solution in place that is from a quality vendor, is well configured, and is well maintained will be blocking most spam already.  Fighting spam is difficult and costs both time and time, but it can be done.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why is it Really So Hard to Tackle Spam?

Spam levels have risen by an astounding 141% since March, according to a new report just released. Botnets are largely responsible for the rise and the number of computers added to botnets has risen to 14 million, a 16% increase. Roughly 150,000 computers a day are infected by malware and added to botnets.

Not surprisingly, South Korea was hardest hit, reporting a 45% increase in botnet activity over last quarter. Most of that comes from the massive DDoS attack that hit the country earlier this month. The same attack also affected most government websites here in the U.S. as well as the New York Stock Exchange and many major business sites.

The report also found that spam volumes grow by over 117 billion e-mails a day, and that malware isn’t far behind. Malware writers are now offering their products to botnet operators as a way to increase their reach.
Malware that takes advantage of Windows’ Auto-Run feature is also on the rise. The malware lets hackers take over the feature even if the victim hasn’t clicked on anything. Such attacks have far outpaced more well known malware such as the Conficker virus.

Spam and attacks on social networks also rose. Facebook, Twitter, and MySpace are all heavily exploited by cybercriminals to spread spam, malware and conduct phishing attacks. In May alone, spam on social networks led to nearly 4500 files containing the Koobface virus.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Volumes Shoot Up 141%

Not surprisingly, spammers have begun a new attack exploiting the upcoming Valentine’s Day holiday.  New spam messages with subject lines such as “Falling in love with you”, “I belong to you”, and “I love being in love with you” have begun hitting inboxes. Security experts say the attack started on January 22nd. The body of the messages contain romantic sounding one liners like “Me and You”, “In Your Arms”, and “With all my love”, and a link. The link directs the recipent to a web page displaying 12 heart images and inviting them to click on one. Doing so downloads a malicious program called “love.exe” or “you.exe” which turns the infected computer into a zombie and adds it to the Waledec botnet, which is believed to be run by the same folks responsible for the Storm botnet. So far the botnet is sending an average of 11,000 messages per hour.

This is the same group responsible for the Obama spam sent earlier this month. That spam attempted to lure people to a fake Obama/Biden site with a link to a fake news story claiming Obama had abruptly declined to accept the presidency of the United States. This new botnet is growing so quickly it’s being called the new Storm botnet. It appears that the group behind it isn’t in a hurry to learn any new tricks because the old ones are still working just fine.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Valentine’s Day Spam Attack Underway

Security experts have issued warnings about a new type of spam hitting inboxes across the globe. Called “piggyback spam”, it looks like the typical spam message hawking things like shady pharmacies, fake watches, loans, etc, but rather than links to websites where the products can be ordered, these spams are full of links to malicious files having nothing to do with what the message is about. If a recipient clicks on any of them, a file download dialog box opens. If the recipient foolishly continues with their download, a variety of malware including a keylogger and a Trojan that takes over the machine and adds it to a botnet, is installed on their PC.

Experts believe this new type of spam is being used by cybercriminals as a way to increase their botnets.

Botnets are getting more and more sophisticated. In addition to sending out huge amounts of spam and hitting websites with DDoS attacks, botnets can tell if the machines they take over are already part of a rival botnet and take them out of it, and can even find and disable anti-virus software. New ones are popping up regularly, and even the shut down of botnet haven McColo has done nothing to slow them down. It did knock out 3 of the largest, Mega-D. Srizbi, and Rustock, but it only took a couple of weeks for them to reappear from their new base somewhere in Estonia.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New “Piggyback” Spam Circulating Worldwide