<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; trojan</title>
	<atom:link href="http://www.allspammedup.com/tag/trojan/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>‘Operation Ghost Click’ Biggest Cyber-Bust Ever?</title>
		<link>http://www.allspammedup.com/2011/11/%e2%80%98operation-ghost-click%e2%80%99-biggest-cyber-bust-ever/</link>
		<comments>http://www.allspammedup.com/2011/11/%e2%80%98operation-ghost-click%e2%80%99-biggest-cyber-bust-ever/#comments</comments>
		<pubDate>Thu, 17 Nov 2011 17:00:01 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6254</guid>
		<description><![CDATA[With Christmas just around the corner, the FBI can’t be accused of waiting until the last minute to get their Christmas shopping done. This week, the U.S. law enforcement agency – in partnership with several U.S.-based and international agencies – &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2011/11/%e2%80%98operation-ghost-click%e2%80%99-biggest-cyber-bust-ever/">‘Operation Ghost Click’ Biggest Cyber-Bust Ever?</a></p>
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/11/6a00d83451b71f69e2014e8c071d50970d-800wi.jpg"><img class="alignright size-full wp-image-6259" style="padding-left: 5px; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/11/6a00d83451b71f69e2014e8c071d50970d-800wi.jpg" alt="" width="327" height="303" /></a>With Christmas just around the corner, the FBI can’t be accused of waiting until the last minute to get their Christmas shopping done. This week, the U.S. law enforcement agency – in partnership with several U.S.-based and international agencies – gave users around the world an early present when it announced the culmination of a two-year operation dubbed ‘Operation Ghost Click’, which netted the Feds six Estonian nationals and saw the Christmas tree lights yanked on the infamous DNSChanger malware scam.<span id="more-6254"></span></strong></p>
<p>It’s been a busy year for the law enforcement community and its ongoing war against Internet crime, which has experienced some success with the takedown of two major botnets in <a href="http://www.allspammedup.com/2011/03/microsoft-brings-rustock-down/">Rustock</a> and <a href="http://www.allspammedup.com/2011/04/u-s-authorities-pull-the-plug-on-major-botnet-2-million-zombie-pcs-rejoice-sort-of/">Coreflood</a>. But global law enforcement agencies have frantically been creating a shopping list of new targets for investigation, which undoubtedly include a carousel of security breaches, both in major corporations and government departments, the wafting scent of state-sponsored and industrial hacking, the persistent and growing threat of hacktivism, and a raft of other exotic security threats. All of the above are wreaking havoc on the connected world, so when law enforcement wins one for the little guys, we damn well want to give credit where credit is due. We even have to send out kudos for coming up with a sexy name for a two-year long operation that saw six dirtbags paraded away in handcuffs. ‘Operation Ghost Click.’ How cool is that?</p>
<p>Anyone familiar with malware should be all-too-familiar with the DNSChanger scam, a Trojan horse distributed through multiple means, particularly spam e-mails. When activated, DNSChanger modifies DNS settings so that legitimate URLs are redirected to malicious sites bent on stealing information and earning ad revenues for the scam artists. Since 2007, DNSChanger has infected over four million unsuspecting computers, both Mac- and Windows-based. A half million of those are estimated to have been infected in the U.S., and the total haul for DNSChanger is estimated at $14 million over the past four years – reason enough for the joint collaboration of the FBI, NASA, the Estonian Police and Border Patrol, and the National High Tech Crime Unit of the Dutch National Police Agency, to name a few of the involved partners.  The full list of parties responsible for the takedown can be found on the FBI’s official news release <a target="_blank" href="http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911">here</a>.</p>
<p>DNSChanger and its Mac OSX variants – known as OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C – prompted antivirus and antimalware developers to create tools to detect and remove its malevolent ass, but the malware continued to propagate, which is where Operation Ghost Click comes in. On November 8, two data centers – in New York and Chicago – were raided and more than a hundred command and control servers were taken offline. “To reduce the disruption to infected machines,” The Register <a target="_blank" href="http://www.theregister.co.uk/2011/11/09/dns_malware_scam/">reports</a>, “the rogue DNS servers have been replaced with modified machines that are being operated for the next four months by the not-for-profit Internet Systems Consortium.”</p>
<p>Infected users should now be experiencing healthy DNS activity, even if the IP addresses of their systems have been compromised by DNSChanger. Users who wish to check if their systems have been compromised can use the <a target="_blank" href="https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS">FBI’s rogue DNS checker site</a>. CNET also has some <a target="_blank" href="http://reviews.cnet.com/8301-13727_7-57322316-263/fbi-tackles-dnschanger-malware-scam/">helpful information for Mac users</a> who wish to manually check for DNSChanger infection.</p>
<p>Now for the fun part: simultaneous with the server shutdown, Estonian police took six individuals into custody.  According to The Register,</p>
<blockquote><p>“Federal prosecutors in Manhattan said the scam was controlled by an Estonian company known as Rove Digital. Six Estonian nationals have been arrested by local authorities, and the federal prosecutors plan to seek the defendants&#8217; extradition to the US. The defendants include Vladimir Tsastsin, 31; Timur Gerassimenko, 31; Dmitri Jegorov, 33; Valeri Aleksejev, 31; Konstantin Poltev, 28; and Anton Ivanov, 26. A seventh defendant, 31-year-old Russian national Andrey Taame, remains at large.”</p></blockquote>
<p>Each defendant is charged with five counts of wire fraud and computer intrusion crimes, and Tsastsin faces an additional twenty-two counts of money laundering. If convicted, six of these geniuses are looking at 85 years. Tsastsin is looking at an additional ten years for each of the money laundering charges, which, if convicted on all counts, would make him 336 years old by the time he gets out &#8211; and they say that bad things don’t happen to bad people!</p>
<p>Some are calling it the <a target="_blank" href="http://www.onenewspage.com/n/Science/74mx9v8ga/Operation-Ghost-Click-the-Biggest-Cyber-Bust-Ever.htm">biggest cyber-bust ever</a>. Whether or not that&#8217;s true, it was still a pretty good day for the law enforcement and Internet security communities. Keep up the good work, and thanks for the early Christmas present!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/11/%e2%80%98operation-ghost-click%e2%80%99-biggest-cyber-bust-ever/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Bigger is Better: Why Your Pocket is Filled with Spammy Goodness</title>
		<link>http://www.allspammedup.com/2011/08/bigger-is-better-why-your-pocket-is-filled-with-spammy-goodness/</link>
		<comments>http://www.allspammedup.com/2011/08/bigger-is-better-why-your-pocket-is-filled-with-spammy-goodness/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:00:54 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spam emails]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5160</guid>
		<description><![CDATA[In the good ol’ days, our most worrisome concerns when it came to technology were Operating Systems that didn’t do much: fiddling with Winsock while trying to make it work with insipid browsers, popups, Trojans, and yes, even praying that &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/08/mobile_spam.jpg"><img class="alignright size-medium wp-image-5163" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/08/mobile_spam-400x300.jpg" alt="" width="400" height="300" /></a>In the good ol’ days, our most worrisome concerns when it came to technology were Operating Systems that didn’t do much: fiddling with Winsock while trying to make it work with insipid browsers, popups, Trojans, and yes, even praying that the call waiting didn’t kick in while we downloaded the latest DOOM 2 map. Making a sandwich while we waited for 5 Megabytes to download over a wired phone line now seems like nostalgia in its fondest form, and some computer purists would argue that we had it good back then.<span id="more-5160"></span></p>
<p>The purists may suggest that we should never have made things smaller. They might even postulate that the age of innocence is over, and they would probably be right; but a new age is just beginning, and the dinosaur-sized PC that sits on your desk is now just that: a dinosaur. The ‘Big Ol’ Beast,’ as I like to call mine, sits there and stares at me sometimes, seemingly pleading with me: “pay attention to me!” “Use me!” it begs. “Bigger <em>is</em> better!” it pouts.</p>
<p>I just chuckle and <em>Swype</em> my finger across a shimmering sheet of Gorilla Glass, giggling like a school girl when a word is transposed into the message I’m composing, without my finger ever leaving the virtual keyboard.  Holding a fully functional computer in the palm of my hand is surreal and downright unbelievable, especially when I think about my first computer, an Atari 400 with a flat membrane keyboard, 4 Kilobytes of RAM, and the ability to display a whopping 256 different colors onscreen simultaneously. The wonderment I felt while pounding out (literally – you had to press hard on those keys) games in Atari BASIC seems like only yesterday, but the tech world is a time machine and I’ve been transported into the 21st century – where smaller is better, and just when you thought it was safe to download that new Sudoku game for your shiny new mobile device, you should think again. For as our tech gets smaller, so too does the world we live in.</p>
<p><strong>“Mr. Data – Engage”</strong></p>
<p>Allow me to dispense with a formality: it is Android of which I speak. I’m not going to get into a lengthy debate here, but I’m dismissing the iPhone and iOS from this discussion. While there are many millions who would vehemently disagree with me, I believe the Android OS, and the phones that support it, to be vastly superior to Apple’s offerings &#8211; and it appears there are <a target="_blank" href="http://www.infoworld.com/d/mobilize/android-becomes-best-selling-smartphone-os-917">many millions</a> who would agree with me. As a developer who strongly believes in sharing over hoarding, I’m an open-source guy and always have been.</p>
<p>The problem with open-source is that while it promotes the highly admirable philosophies of collaboration, sharing, and (often) freeness, it also sends a message to the lowlifes and scum of the earth. You know the types: those who will scam little old grandmothers out of their life savings. The despicable cross-section of society that often makes me ashamed to admit I’m part of that society. The scammers and spammers – the pond-scum phishermen, as I like to call them.</p>
<p><strong>Security Breach</strong></p>
<p>Herein lies part of the problem: society just can’t turn down something that’s free. If the Android OS has one significant problem, it’s that its open-source nature allows anybody to put free or advertising-supported content on the Android Market. It’s no secret that Google has had their share of <a target="_blank" href="http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/">problems</a> with previously valid applications being reupped to the Market, replete with all sorts of security exploits. And while it seemed strange to me to install a firewall and antivirus software on my phone, in my mind it was a pure necessity and the first thing I did when I set up my phone. (<strong>Note:</strong> this is where I tip my hat to Apple’s closed, often oppressive, approach to its marketplace. Oppressive or not, I never sensed a security threat to my iPhone).</p>
<p><strong>Spam Magnet</strong></p>
<p>That device in your pocket is infinitely more dangerous than anything you ever plugged a keyboard and mouse into. The open-source feeling and the sense that you’re holding a teeny-tiny little PC in the palm of your hand provides a false sense of security, one that turns your phone into a spam magnet. It’s easy to forget, especially if you’re not an IT professional, that not all spam filters are created equal. Indeed, the very nature of mobile devices means we use them on the go, making that device in your pocket a spam attack waiting to happen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/08/bigger-is-better-why-your-pocket-is-filled-with-spammy-goodness/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Common Spam Myths</title>
		<link>http://www.allspammedup.com/2011/07/common-spam-myths/</link>
		<comments>http://www.allspammedup.com/2011/07/common-spam-myths/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 16:00:32 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[CAN-SPAM Act]]></category>
		<category><![CDATA[E-mail]]></category>
		<category><![CDATA[E-mail filtering]]></category>
		<category><![CDATA[Gmail]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5062</guid>
		<description><![CDATA[We tend to look at mythology in terms of fascinating stories from ancient times that told stories of heroes, deities and maidens. While we pass classical mythology off as literature, we often forget that long ago, these stories were believed &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/odysseus-trojanhorse.jpg"><img class="alignright size-medium wp-image-5092" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/odysseus-trojanhorse-400x266.jpg" alt="Spam has its own myths" width="280" height="186" /></a>We tend to think of mythology as fascinating stories from ancient times about heroes, deities and maidens. While we pass classical mythology off as literature, we often forget that long ago, these stories were believed to be true. They answered many questions for people, explaining things that they did not quite understand, and to insinuate that these stories were false could easily get a person labeled as a blasphemer.</p>
<p>Myths pervade every society and ours is no different. There are things that we hear, or read on the Internet, that we take as gospel truth because we fail to understand the truth behind the statements.</p>
<p>When it comes to spam, there are many different myths that surround it. None are as epic as people flying too close to the sun or men fighting the Cyclops on their way home from a faraway land; however, they are stories that shouldn’t be trusted nonetheless.<span id="more-5062"></span></p>
<p><strong>Myth 1 – If I include an unsubscribe link, I am not a spammer.</strong></p>
<p>If you send unsolicited marketing messages indiscriminately, you will be considered a spammer. Including an unsubscribe link is only one of the requirements that marketers must meet to comply with the CAN-SPAM Act. Simply placing a link, and even honoring unsubscribe requests, will not help you shed the label of spammer.</p>
<p>To legitimately send bulk marketing messages, your recipients need to opt-in to receive messages from you. A double opt-in process is actually considered a best practice here so that people can confirm that they want to hear from you.</p>
<p><strong>Myth 2 – Anti-spam software or appliance will stop phishing attacks.</strong></p>
<p>While phishers use methods similar to those of spammers, the differences between the two are complex enough that traditional spam filters have a hard time catching phishers who know what they are doing. Because phishing attacks are more sophisticated, and targeted rather than random, anti-spam filters struggle to detect them.</p>
<p>Most quality anti-spam filters, both software and hardware based, include some type of anti-phishing engine that protects users against these attacks. Installing, and properly managing, anti-phishing technology can help prevent users from falling victim to these scams.</p>
<p><strong>Myth 3 – If I click on unsubscribe, I won’t get any more spam.</strong></p>
<p>When a legitimate marketer sends you a message and you unsubscribe, odds are they will remove you from their list. But remember, spammers aren’t legitimate marketers. And if they cared about CAN-SPAM they wouldn’t be sending you junk messages in the first place. What happens when you click unsubscribe is that the spammer realizes that they have an active email address. Knowing this, they will send you more spam. Worse than this, these links sometimes take you to a malicious website where malware will infect your computer so now you have something worse to deal with.</p>
<p>Only click on unsubscribe links from mailers that you know you subscribed to. Everything else you should add to your spam box and simply delete it.</p>
<p><strong>Myth 4 – Spam is an email problem.</strong></p>
<p>When we think of spam we tend to think of email messages offering pharmaceuticals, European lottery winnings or promises of instant riches from a Nigerian prince. But spam keeps up with technology and as we use more and more tools to communicate, spammers have more tools at their disposal to get their messages out. Text messaging, search engines, social networks and blog comments are just some of the newer targets for spammers.</p>
<p>Using appropriate spam fighting techniques for the various ways spam is sent can be a big factor in reducing the amount of junk messages you are sent.</p>
<p><strong>Myth 5 – Educating users is the best way to fight spam.</strong></p>
<p>Even the most technology-wise user will still be sent spam. Once a spammer has a way to contact them, efforts will be made to send them spam. While educated users are less likely to fall for the scams and lofty promises of spam, they are still the recipients of these messages. All it takes is one slip up and they could easily find themselves infected with malware or falling victim to illicit claims.</p>
<p>Education is a key component of any spam fighting strategy but it needs to be complemented with trustworthy anti-spam, anti-phishing and anti-malware technologies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/common-spam-myths/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Rustock Clean-Up Efforts Are Proving Effective</title>
		<link>http://www.allspammedup.com/2011/07/rustock-clean-up-efforts-are-proving-effective/</link>
		<comments>http://www.allspammedup.com/2011/07/rustock-clean-up-efforts-are-proving-effective/#comments</comments>
		<pubDate>Thu, 14 Jul 2011 14:30:17 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4846</guid>
		<description><![CDATA[Three months after it teamed up with the FBI to take down the infamous Rustock botnet, Microsoft announced it has succeeded in getting rid of over half its zombies. In March, the botnet’s command and control servers were wiped &#8230;
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4904" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/3883750.jpg" alt="" width="280" height="187" /></p>
<p>Three months after it teamed up with the FBI to take down the infamous Rustock botnet, Microsoft announced it has succeeded in getting rid of over half its zombies. In March, the botnet’s command and control servers were wiped out, but that left over 1.6 million PCs infected with its malware. Although the infection was more or less dormant since the computers were no longer receiving any instructions or updates, the possibility remained that new C&amp;C servers could be found, thereby reviving the operation.</p>
<p>To seal Rustock’s fate, Microsoft added a disinfection agent to its monthly Malicious Software Removal Tool release. As of the end of June, the zombie count had dropped to 703,000. The company promises to continue its clean-up while hunting down the two Russian men, Vladimir Alexandrovich Shergin and Dmitri A Sergeev, who are believed to be the masterminds behind the entire Rustock operation.</p>
<p>Rustock was first detected in 2006 and at one time pumped out over 13 billion spam messages a day, most advertising shady internet pharmacies. It met its match in Microsoft, who won a court order to seize its servers. The FBI raided hosting providers across the country and the company went back to court and won the right to examine the hard drives it had taken. This resulted in Rustock ceasing operation almost immediately.</p>
<p>We shouldn’t rest too easy though. The people behind Rustock are no doubt hiding somewhere, licking their wounds and planning a new and improved Rustock, and should they get caught, there’s always another group in the wings more than willing to take their place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/rustock-clean-up-efforts-are-proving-effective/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>U.S. Official Admits Imported Computer Tech is Known to be Infected</title>
		<link>http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/</link>
		<comments>http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/#comments</comments>
		<pubDate>Wed, 13 Jul 2011 14:30:42 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4857</guid>
		<description><![CDATA[Spam-ready tablets off the shelves? Zombie PCs out of the box? Testifying before U.S. Congress this week, a top official for the Department of Homeland Security said that technology being imported into the country is sometimes known to contain preloaded &#8230;
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/523093-borg_large.jpg"><img class="alignright size-medium wp-image-4873" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/523093-borg_large-287x400.jpg" alt="" width="287" height="400" /></a>Spam-ready tablets off the shelves? Zombie PCs out of the box? Testifying before U.S. Congress this week, a top official for the Department of Homeland Security said that technology being imported into the country is sometimes known to contain preloaded security threats. The disturbing news leaves us wondering what’s next – perhaps our credit card numbers automatically being published to Twitter and Facebook when we sign up for an account?</strong></p>
<p>As if the raging war on spam isn’t bad enough, an ominous moment in U.S. Congress this week should leave an unsettling feeling in anyone who has purchased a PC, tablet, or any other connected device; anyone who worries about the safety of their information, for that matter – in other words, pretty much everyone.<span id="more-4857"></span></p>
<p>Testifying before Congress at the House Oversight and Government Reform Committee this week, Greg Schaffer – the Department of Homeland Security (DHS) Assistant Secretary for Cybersecurity and Communications – admitted that Homeland Security and the White House are aware that electronics and software imported into and sold in the United States are sometimes pre-installed with malware, spyware, keyloggers, and even the components of botnets. Not only are they aware of these threat-laden devices, various media outlets report, but in fact they have been aware for quite some time.</p>
<p>Fast Company first <a target="_blank" href="http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-tech-with-attack-tools">reported</a> the story on Friday. Schaffer was testifying in a tense exchange between himself and Representative Jason Chaffetz. “When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that ‘I am aware of instances where that has happened,’” but not before a long pause where Schaffer seemingly considered the implications of his answer.</p>
<p>According to <a target="_blank" href="http://www.pcworld.com/article/235355/malware_comes_with_many_gadgets_homeland_security_admits.html">PC World</a>, Schaffer didn’t go as far as singling out PCs, tablets, or even DVDs and smart phones.</p>
<blockquote><p>“Schaffer admitted he is aware of instances when foreign-made technology was built with embedded security risks but did not elaborate on what kind of equipment DHS has encountered. <strong>He also pointed out that overseas components are found in many domestically manufactured electronics.</strong>” [Emphasis added]</p></blockquote>
<p>It’s not news that some consumer devices and products have entered the retail world with viruses or other malware. Several years ago, digital picture frames with USB ports were found to be infected, and every so often a piece of software is inadvertently set into the wild with some sort of Trojan or some such malware. What makes this story chilling, however, is Schaffer’s implication that the problem could be far larger than just the odd digital photo frame or errant code in a piece of software. If the malware is actually hard-coded onto a chip – as opposed to pre-installed on a hard disk drive – then these chips could be finding their way into everything that has a wired or wireless connection with the Internet. The problem? Hard drives can be wiped. Onboard chips are like taxes – they’re there for life.</p>
<p>Neal Ungerleider of Fast Company suggests that something sinister may be at work here, drawing from the <a target="_blank" href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf">White House&#8217;s Cyberspace Policy Review</a>:</p>
<blockquote><p>“[In the review] is a small acknowledgment that the Executive Branch knows something weird is happening in imported tech:</p>
<p>&#8216;The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. <strong>Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions&#8230;</strong><strong>The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover.</strong> Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.&#8217;&#8221; [Emphasis added]</p></blockquote>
<p><strong>Don’t Panic!</strong></p>
<p>As disturbingly eerie as this information certainly is, it poses the question: what can we do about it? The answer is readily available. Nothing &#8211; at least not as single consumers or even as IT/IS Managers. Some might decide to throw out all their devices and in a <em>Walden </em>moment, return to nature, resorting to carrier pigeons and smoke signals to communicate with the outside world; but most of us recognize that technology owns us now, and for good or for bad, better or worse, we like it. Heck, we love it! We refuse to reject technology because, well, how could we? It makes our lives easier. It makes our lives better, at least if you believe the mantras of GE (We Bring Good Things to Life) and LG (Life’s Good).</p>
<p><strong>Conspiracy Theory</strong></p>
<p>Assume for a moment that the White House and other governments know far more than they’re saying (not a leap at all). Then assume that detecting and removing these hard-coded security risks not only represents a huge difficulty, but rather a virtual impossibility (not a stretch). Now imagine that the threats represented by this built-in malware could be a mixture of state-sponsored and/or private interests – some in it for innocuous concepts like ‘national security’ and some in it for more tangible returns like money. Finally, imagine if the whole truth got out – how it would create such a panic that Greece’s finances would seem rock-solid next to what was left of the global economy. No wonder Schaffer took so long to answer.</p>
<p>As much as it sounds like the stuff that Hollywood is made of, the truth is in there somewhere. If so, then (for all you Star Trek fans) like the Borg, this new threat is lurking and waiting, ready to pounce and assimilate your information, and there’s not a darned thing you – or anyone else – can do about it. Come to think of it, spam <em>is</em> the equivalent of the Borg – maybe even a progenitor of the 24th Century race.</p>
<p>I think I’m going to avoid the rush and post all my personal information on Twitter. I hate waiting.</p>
<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/">U.S. Official Admits Imported Computer Tech is Known to be Infected</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Zeus Launches Massive New Spam Campaign</title>
		<link>http://www.allspammedup.com/2011/06/zeus-launches-massive-new-spam-campaign/</link>
		<comments>http://www.allspammedup.com/2011/06/zeus-launches-massive-new-spam-campaign/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 14:00:08 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4695</guid>
		<description><![CDATA[Security experts are warning of a brand new spam campaign with malicious payload. Hundreds of thousands of spam messages a day, using a banner hosted by the Federal Reserve and designed to look like notifications of a failed bank transfer, &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2009/11/trojan.jpg"><img class="alignright size-full wp-image-1833" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2009/11/trojan.jpg" alt="" width="364" height="261" /></a>Security experts are warning of a brand new spam campaign with malicious payload. Hundreds of thousands of spam messages a day, using a banner hosted by the Federal Reserve and designed to look like notifications of a failed bank transfer, have been detected. The spam messages carry an attachment that appears to be a PDF file but is actually a hidden executable that installs the Zeus Trojan once downloaded. Zeus is a banking Trojan whose main purpose is to steal people’s online banking login details.</p>
<p>The attack appears to focus on users of online banking services, especially small businesses and corporations. The messages are not well done. They are badly written and don’t really attempt to hide the fact that the attached file has the double extension .pdf.exe rather than the more legitimate .pdf. A similar campaign hit the net last week, pretending to be an invitation to sign up for a payment processing service. Those messages were very sophisticated and realistic looking, but like the rather sloppy Fed Reserve spam, they carried the Zeus Trojan as their payload. This time the delivery method was a fake Word document with a malicious Adobe Flash control embedded in it. All the recipient had to do to get infected was to open the document.</p>
<p>It’s likely these new spam campaigns are designed to either repopulate an existing botnet or get a new one up and running fast, as well as to make the scammers behind it a tidy profit, either by using the information they steal to clean out bank accounts or by selling that data to other cybercrooks. The drop in volume from Rustock’s takedown is fading fast as new botnets step up to take its place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/06/zeus-launches-massive-new-spam-campaign/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>U.S. Authorities Pull the Plug on Major Botnet, 2 Million Zombie PCs Rejoice (Sort Of)</title>
		<link>http://www.allspammedup.com/2011/04/u-s-authorities-pull-the-plug-on-major-botnet-2-million-zombie-pcs-rejoice-sort-of/</link>
		<comments>http://www.allspammedup.com/2011/04/u-s-authorities-pull-the-plug-on-major-botnet-2-million-zombie-pcs-rejoice-sort-of/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 12:10:47 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Rustock]]></category>
		<category><![CDATA[spam lawsuit]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4089</guid>
		<description><![CDATA[On April 13th, the US Department of Justice and Federal Bureau of Investigation announced that they have disabled an international botnet infecting more than 2 million computers and responsible for the theft of corporate data, user account details and financial information.
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/04/zombiepc.gif"><img class="size-medium wp-image-4092   alignright" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/04/zombiepc-400x278.gif" alt="" width="320" height="222" /></a>If the US government’s recent actions are any indication, things are fiercely heating up in the ongoing war against spam. Mere weeks ago, Microsoft, with the aid of the US Marshals Service and a Federal warrant, <a href="http://www.allspammedup.com/2011/03/microsoft-brings-rustock-down/">took down the Rustock botnet</a>, and in the past few weeks we’ve seen a decline in the number of spam emails by a third (supposedly – read to the end to get my take on things). Less than a month after Rustock went dark, US Federal prosecutors and the US Department of Justice have struck another blow for (what else?) justice.</p>
<p>On April 13th, the US Department of Justice and Federal Bureau of Investigation announced that they have disabled an international botnet infecting more than 2 million computers and responsible for the theft of corporate data, user account details and financial information. The DoJ issued a press release detailing their takedown of Coreflood, malicious code that exploits a security vulnerability in Windows operating systems. From the <a target="_blank" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/nh041311.htm">FBI website</a>: “Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.&#8221;</p>
<p><span id="more-4089"></span>Coreflood, according to court filings, is a nasty piece of malicious code that records keystrokes and monitors private communications. Once a computer has been infected, it becomes part of the botnet, which is remotely controlled by Coreflood’s C &amp; C servers. The Coreflood botnet is believed to have been operating for nearly a decade, infecting more than two million computers around the world. The malware then steals user names, passwords and other private information, “allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts,” the DoJ <a target="_blank" href="http://www.justice.gov/opa/pr/2011/April/11-crm-466.html">press release</a> reports. Court filings released by the DoJ describe one example where Coreflood was able to take over an online banking session and fraudulently transfer funds into a foreign account by monitoring Internet communications between a user and the user’s bank.</p>
<p>In order to effect the takedown, the US Attorney’s office for the District of Connecticut filed a civil complaint against 13 ‘John Doe’ (i.e., unnamed) defendants and executed criminal seizure warrants along with a temporary restraining order, all of which comprise, “part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet,” according to the government’s website. The complaint filed by the DoJ alleged that the defendants engaged in wire fraud, bank fraud and the illegal interception of electronic communications.</p>
<p>In addition to the civil complaint filed with the U.S. District Court for the District of Connecticut, the FBI seized five command and control servers scattered across the country and 29 domain names used by Coreflood. According to the DoJ, the TRO authorized the government, “to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.” The FBI also established 5 sinkhole servers to control the flow previously handled by Coreflood. All this action hasn’t removed the malicious code from the zombie computers, a daunting task that the FBI admits will take time and cooperation from those infected. Along with participating Internet Service Providers, the DoJ and FBI will be notifying infected users in order to help clean the infection.</p>
<p>Oddly enough, the government press release also states that, “identified owners of infected computers will also be told how to &#8220;opt out&#8221; from the TRO, if for some strange reason infected owners want to keep Coreflood running on their computers.” For the paranoid who don’t particularly relish the idea of having the federal government poking around inside their computers, the DoJ provided an assurance that, “at no time will law enforcement authorities access any information that may be stored on an infected computer.”</p>
<p>The bad news is that, as of the writing of this article, the FBI’s offer to help infected users only applies to PCs in the US, so international users are out of luck. The DoJ press release does point to a <a target="_blank" href="http://us-cert.gov/nav/nt01/">US Computer Emergency Response Team (US-CERT)</a> information site which provides detail on Coreflood and the Microsoft updates required to immunize against the malware.</p>
<blockquote><p>“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” stated US Attorney David B. Fein of the District of Connecticut, where the complaint was filed.  “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”</p></blockquote>
<p>So, chalk up another victory for the good guys, right? Maybe, but even with the recent takedown of Rustock and now the malicious botnet known as Coreflood, it seems like there is much more work to be done. I don’t know if it’s coincidence or not, but since my <a href="http://www.allspammedup.com/2011/04/spam-reduced-by-more-than-a-third-since-rustock-takedown-bagle-and-others-step-in-to-fill-the-void/">recent article</a> on how spam has been reported to be significantly reduced since Microsoft took out Rustock, the spam arriving in my inbox seems to have <em>increased</em>. Significantly. I’d certainly be interested in hearing anyone else’s recent experience. Are these good news stories and affirmative action reason to be optimistic, or are law enforcement agencies only sticking their fingers in one hole in the dike, only to see two more holes spring up elsewhere?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/04/u-s-authorities-pull-the-plug-on-major-botnet-2-million-zombie-pcs-rejoice-sort-of/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>10 Common Spam Terms for New Admins</title>
		<link>http://www.allspammedup.com/2011/02/10-common-spam-terms-for-new-admins/</link>
		<comments>http://www.allspammedup.com/2011/02/10-common-spam-terms-for-new-admins/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 13:28:57 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[backscatter spam]]></category>
		<category><![CDATA[Bayesian Filtering]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[DNSBL]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[tarpitting]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3696</guid>
		<description><![CDATA[Are you an administrator new to the world of spam filtering?  Can&#8217;t tell Bayesian spam filtering apart from blacklisting, or phishing from vishing?  To help you get started, I&#8217;ve assembled a list of the most common spam-related terms, and provided &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/02/SpamTerms.jpg"><img class="alignright size-full wp-image-3697" src="http://www.allspammedup.com/wp-content/uploads/2011/02/SpamTerms.jpg" alt="" width="250" height="250" /></a>Are you an administrator new to the world of spam filtering?  Can&#8217;t tell Bayesian spam filtering apart from blacklisting, or phishing from vishing?  To help you get started, I&#8217;ve assembled a list of the most common spam-related terms, and provided a concise but detailed summary of what they mean.  Hope it proves useful to you!</p>
<p><strong>1. Bayesian spam filtering</strong></p>
<p>This is one of the most popular email filtering techniques used today and involves the use of a statistical technique to judge the &#8220;spaminess&#8221; of an email to identify unsolicited junk.  Many popular server-side spam filters make use of Bayesian spam filtering.</p>
<p><strong>2. Phishing</strong></p>
<p>In a nutshell, phishing is the attempt to illicitly acquire passwords, credit card details or other personal information using some form of trickery or subterfuge.  This term probably arose as a variant of the word &#8220;fishing,&#8221; when criminals successfully acquire or &#8220;catch&#8221; data that they can exploit for financial gain.  In the context of spam, it usually entails the use of an email message disguised as originating from a trusted person or institution so as to gain privileged information from their victims.</p>
<p><span id="more-3696"></span><strong>3. Vishing</strong></p>
<p>Like phishing, vishing involves trickery to gain access to personal data, but incorporates the use of an actual voice conversation to make the con more realistic.  This is due to the inherently higher level of trust given over the phone, which criminals exploit by using hard-to-trace VoIP services or hacked PBX accounts.  In the context of spam, this might entail the proffering of a contact number by which the victim can ostensibly validate the authenticity of the sender; not realizing the ease by which complex interactive voice response (IVR) systems can be configured.</p>
<p><strong>4. Spam Blog</strong></p>
<p>A spam blog, as its name implies, is simply a home to spam content.  The common frustration with them, though, is that they are not easily identifiable due to the inclusion of legitimate content copied from other sites, also known as content scraping.  While not directly related to email, spam blogs are a nuisance because the perpetrators usually try to gain higher search engine rankings by relying on backlinks propagated using spam comments on legitimate sites.</p>
<p><strong>5. Backscatter</strong></p>
<p>Backscatter refers to the automated email messages that you receive, such as those from autoresponder software, &#8220;Out of Office&#8221; notifications, or even virus notifications from some security appliances.  Where spam is concerned, this pertains mainly to bounce messages: spammers send email to invalid addresses with your address forged as the sender, and the receiving servers, configured to &#8220;bounce&#8221; undeliverable mail, return it to the fake (your) email address.  While annoying, there is unfortunately no easy solution to this problem.</p>
<p><strong>6. Tarpitting</strong></p>
<p>This is a strategy that attempts to slow the propagation of spam by deliberately inserting a pause after the successful receipt of an email.  This feature is enabled by default in Exchange 2010 when an email is sent to an email address that does not exist on the target system; a &#8220;User unknown&#8221; message is sent after a timeout of five seconds.   Tarpitting is also a viable defense against directory harvest scripts, though caution should be exercised against setting the timeout value too high.</p>
<p><strong>7. DNSBL </strong></p>
<p>DNSBL or DNS Blacklist is a mechanism by which spam is filtered out by identifying and blocking a list of originating IP addresses implicated in unsolicited email activities.  Usually maintained by volunteers, a DNSBL is a fairly low-cost and simple way to isolate the worst spammers, and complements alternative spam filtering technologies well.  A key consideration would be the accuracy of the maintained data, and whether maintainers are responsive to correcting erroneous entries.</p>
<p><strong>8. Trojan and Botnets</strong></p>
<p>As the number of ISPs that tolerate spam activities shrinks, spammers are increasingly making use of computers which have been compromised and remotely commandeered.  Gaining access might entail the use of Trojan software that masquerades as legitimate applications, while botnets are large numbers of such computers under the control of a single person or criminal group.</p>
<p><strong>9. Open mail relay</strong></p>
<p>An open mail relay will allow anyone to send an email through it, and was unfortunately a common configuration in the past.  Thanks to spam activities, however, most email servers are now configured with email relaying disabled, and open mail relays are generally blacklisted (see DNSBL above) very quickly.</p>
<p><strong>10. Hashbusting</strong></p>
<p>Hashbusting is a technique where spammers attempt to game spam filters by stuffing in either random text, or content scraped from various sites and amalgamated programmatically into a spam mail.  The result is an email that doesn&#8217;t make sense to humans, but could conceivably bypass a Bayesian filter.  In recent times, the inclusion of URL links to malware-laden sites has also proven to be popular.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/02/10-common-spam-terms-for-new-admins/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Waledac Botnet Comes Back to Life</title>
		<link>http://www.allspammedup.com/2011/01/waledac-botnet-comes-back-to-life/</link>
		<comments>http://www.allspammedup.com/2011/01/waledac-botnet-comes-back-to-life/#comments</comments>
		<pubDate>Thu, 27 Jan 2011 14:57:43 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[Waledac]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3629</guid>
		<description><![CDATA[A massive resurgence of the Waledac botnet has been detected in the past week. Waledac, also known as Storm, had gone dormant at the beginning of the month for reasons still unknown. It’s speculated that the cause may have been &#8230;
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2097" class="wp-caption alignright" style="width: 284px"><a href="http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG"><img class="size-full wp-image-2097" src="http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG" alt="" width="274" height="200" /></a><p class="wp-caption-text">Compromised computers spew spam.</p></div>
<p>A massive resurgence of the Waledac botnet has been detected in the past week. Waledac, also known as Storm, had gone dormant at the beginning of the month for reasons still unknown. It’s speculated that the cause may have been a bug in the botnet’s code. However, security researchers say the botnet has received a new variant and resumed pumping out millions of spam messages. It appears to have placed its zombies in a peer-to-peer network to make it more resistant to shutdowns.</p>
<p>Waledac’s last appearance was at the end of 2010 when it launched a campaign of fake Happy New Year greeting cards. The cards directed the recipients to a malicious site that prompted them to download a fake Adobe Flash update. The update contained a Trojan that added the infected computer to the botnet.</p>
<p>It’s estimated that upwards of 80,000 fake e-cards a day were pumped out by the botnet, which then went dark on January 4<sup>th</sup> and came back to life on the 12<sup>th</sup>. Now it appears to be involved in a new campaign sending out pharmaceutical spam that hawks Viagra and other male aids and enhancement products.</p>
<p>While the new campaign’s spam mails include a link that uses compromised legit sites to redirect to their spam domains, so far the redirects point to harmless spam and not malware. It’s possible this could change in future campaigns as the botnet continues to grow and evolve. It’s not known whether the timing of Waledac/Storm botnet’s return, which coincided with Rustock’s return, is just a simple coincidence or a sign of cooperation between criminal gangs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/01/waledac-botnet-comes-back-to-life/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WikiLeaks Spam Has Malicious Payload</title>
		<link>http://www.allspammedup.com/2010/12/wikileaks-spam-has-malicious-payload/</link>
		<comments>http://www.allspammedup.com/2010/12/wikileaks-spam-has-malicious-payload/#comments</comments>
		<pubDate>Fri, 24 Dec 2010 14:47:08 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3468</guid>
		<description><![CDATA[Spammers have wasted no time in exploiting the recent drama surrounding WikiLeaks. The site, whose owner has been arrested on sex crime charges, has been dropped by Amazon, which was hosting its servers, and by Mastercard, Visa, &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/12/wikileaks-31.jpg"><img class="alignright size-medium wp-image-3469" src="http://www.allspammedup.com/wp-content/uploads/2010/12/wikileaks-31-400x240.jpg" alt="" width="272" height="163" /></a>Spammers have wasted no time in exploiting the recent drama surrounding WikiLeaks. The site, whose owner has been arrested on sex crime charges, has been dropped by Amazon, which was hosting its servers, and by Mastercard, Visa, and Paypal, who were processing its donations. All this came about after the site began publishing hundreds of highly confidential diplomatic cables, which has turned the diplomatic world upside down.</p>
<p>Starting Wednesday, spam exploiting the site began flooding the net. The messages, with subject lines like “IRAN NUCLEAR BOMB!”, forged headers that make them look like they were sent by WikiLeaks, and text claiming President Obama is an imposter, urge the recipient to click on the included link. Doing so sends the recipient to a website that attempts to download a file called wikileaks.jar. If successful, it installs a backdoor Trojan and rootkit onto the infected system which would allow a hacker to have complete control of the system.</p>
<p>While a hacker group calling itself Anonymous has been distributing malware and conducting cyberattacks against Amazon, Paypal, Visa, Mastercard, and other sites it feels have wronged WikiLeaks, it’s not known if this spam campaign is related or if the malware is designed to help the hackers with their attacks.</p>
<p>Businesses concerned about the WikiLeaks attacks should look for information on known and trusted sites and avoid clicking on links in emails claiming to have info. Be careful when searching for info on Google as well; it’s only a matter of time before spammers and hackers start poisoning search engine results on WikiLeaks-related searches with malicious links.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/12/wikileaks-spam-has-malicious-payload/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hallmark Being Exploited Via Holiday Spam</title>
		<link>http://www.allspammedup.com/2010/12/hallmark-being-exploited-via-holiday-spam/</link>
		<comments>http://www.allspammedup.com/2010/12/hallmark-being-exploited-via-holiday-spam/#comments</comments>
		<pubDate>Wed, 22 Dec 2010 21:02:05 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3541</guid>
		<description><![CDATA[Tis the season for holiday greetings &#8211; and scams. A new wave of Christmas-themed spam is hitting the net. The messages, made to look like they are electronic greeting cards from Hallmark, inform the recipient that they’ve been chosen to &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2008/12/christmas.jpg"><img class="alignright size-medium wp-image-223" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/christmas-400x298.jpg" alt="" width="278" height="207" /></a>Tis the season for holiday greetings &#8211; and scams. A new wave of Christmas-themed spam is hitting the net. The messages, made to look like they are electronic greeting cards from Hallmark, inform the recipient that they’ve been chosen to receive special luck from the “Snow Fairy” but that to do so they must forward the card on to others in their address book. This is the first time a malicious spam campaign has used chain mail techniques as a means of distribution. It’s similar to how spam campaigns on sites like Facebook use social engineering techniques to spread, but this one actually asks recipients to manually pass it on to others.</p>
<p>The messages contain an attachment called snowfairy.zip, which contains a hidden executable. If opened, it installs a backdoor Trojan which begins infesting the system with rogue anti-virus software. It’s not surprising to see a fake greeting card campaign, as they are one of the most well-known ways of spreading malware, and the holiday shopping season is a busy season for scammers.</p>
<p>So far on one of my email accounts I’ve personally been inundated with spam messages hawking fake Rolexes and male enhancement products. Interestingly enough, there also seems to be a major campaign peddling fake college degrees and diploma mills as well.</p>
<p>It’s pretty likely you may receive e-greetings from customers, vendors, friends and family this holiday season and it’s important to think before you click. Legit card notifications will address you by name, tell you who sent the greeting, and never ask you to open an attachment to view your card.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/12/hallmark-being-exploited-via-holiday-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Scottish Spammer Pleads Guilty</title>
		<link>http://www.allspammedup.com/2010/10/scottish-spammer-pleads-guilty/</link>
		<comments>http://www.allspammedup.com/2010/10/scottish-spammer-pleads-guilty/#comments</comments>
		<pubDate>Sun, 31 Oct 2010 08:15:41 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[spammer]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3240</guid>
		<description><![CDATA[A Scottish man has pleaded guilty to his role in a cybercrime ring. Authorities say Matthew Anderson used spam to distribute malware designed to steal financial information. His scheme, which began in 2005, targeted UK businesses. “This organised online &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2008/05/spams1.jpg"><img class="alignright size-full wp-image-17" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2008/05/spams1.jpg" alt="" width="197" height="244" /></a>A Scottish man has pleaded guilty to his role in a cybercrime ring. Authorities say Matthew Anderson used spam to distribute malware designed to steal financial information. His scheme, which began in 2005, targeted UK businesses.</p>
<blockquote><p>“This organised online criminal network infected huge numbers of computers around the world, especially targeting UK businesses and individuals. Matthew Anderson methodically exploited computer users not only for his own financial gain but also violating their privacy. They used sophisticated computer code to commit their crimes,” said DC Bob Burls of the Metropolitan Police.</p></blockquote>
<p>Authorities say Anderson, who was arrested back in 2006, sent out spam containing the &#8216;Ryknos&#8217; Trojan (aka Breplibot/Stinkx) that allowed the gang to set up botnets and back doors that let them steal personal data. The spam messages exploited current headlines and made up fake news stories, such as then British Prime Minister Tony Blair and President George Bush conspiring to raise oil prices. Other pieces of malware distributed by the gang’s spam include the W32/Dogbot spyware worm, Troj/Hackarmy-C, Troj/Santabot-A, Troj/Shuckbot-A, W32/Rbot-BF, and W32/Tibick-A.</p>
<p>In addition to financial data, he’s believed to have stolen logins, personal documents, and photos, and may even have spied on users who owned the infected systems via their webcams. Metropolitan Police also arrested two men they say were his accomplices. One had no charges filed against him and was released, and the other was let off with just 18 days of community service.</p>
<p>Anderson will be sentenced on November 22<sup>nd</sup> and it’s doubtful he will get off as easily.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/10/scottish-spammer-pleads-guilty/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cutwail Botnet Unleashing New Malicious Spam Campaign</title>
		<link>http://www.allspammedup.com/2010/08/cutwail-botnet-unleashing-new-malcious-spam-campaign/</link>
		<comments>http://www.allspammedup.com/2010/08/cutwail-botnet-unleashing-new-malcious-spam-campaign/#comments</comments>
		<pubDate>Fri, 06 Aug 2010 14:04:01 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cutwail]]></category>
		<category><![CDATA[malicious spam]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2864</guid>
		<description><![CDATA[The folks over at Softpedia have an interesting article about a new spam campaign being run by the Cutwail botnet. It’s pumping out hundreds of millions of messages claiming to be Social Security statements: “Due to possible calculation errors, your &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2009/09/spam.jpg"><img class="alignright size-full wp-image-1528" src="http://www.allspammedup.com/wp-content/uploads/2009/09/spam.jpg" alt="" width="208" height="157" /></a>The folks over at <a href="http://news.softpedia.com/news/Social-Security-Statement-Spam-Campaign-Spreads-Malware-149926.shtml">Softpedia</a> have an interesting article about a new spam campaign being run by the Cutwail botnet. It’s pumping out hundreds of millions of messages claiming to be Social Security statements:</p>
<blockquote><p>“Due to possible calculation errors, your annual Social Security statement may contain errors. Open attached file to review your annual Social Security statement,” the rogue messages read. The attachment is an archive file called statement.zip</p></blockquote>
<p>They come with a zipped attachment that the message claims is the actual statement, but it really contains a variant of the Zbot Trojan. It downloads keyloggers and other malware designed to steal banking logins and other personal information, as well as a rootkit that allows a hacker to control the system remotely. Zbot is programmed with a list of popular e-commerce and banking sites such as eBay, Paypal, Bank of America and Amazon, and when one of them is visited, the keylogger activates, records the login info and sends it back to its command and control server.</p>
<p>Zbot has been around for three years and in the last 6 months infections have skyrocketed. The U.S. has been most affected, claiming 75% of all Zbot infections globally. The UK is second.</p>
<p>For the record, the Social Security Administration only sends out statements via postal mail. They usually go out once a year about 6 months before your birthday. It’s not surprising that the spammers are trying to use the SSA in their campaign, as previous campaigns have exploited the IRS and other agencies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/08/cutwail-botnet-unleashing-new-malcious-spam-campaign/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zeus Takes Aim at Firefox Users</title>
		<link>http://www.allspammedup.com/2010/05/zeus-takes-aim-at-firefox-users/</link>
		<comments>http://www.allspammedup.com/2010/05/zeus-takes-aim-at-firefox-users/#comments</comments>
		<pubDate>Thu, 20 May 2010 15:26:57 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[Zeus]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2496</guid>
		<description><![CDATA[The Zeus Trojan is now exploiting Firefox. Despite its reputation for being more secure than Internet Explorer, Firefox has found itself under fire from the infamous Zeus Trojan. A new version of the malware is able to exploit Firefox and &#8230;
]]></description>
			<content:encoded><![CDATA[<div class="mceTemp">
<dl id="attachment_1684" class="wp-caption alignright" style="width: 193px;">
<dt class="wp-caption-dt"><a href="http://www.allspammedup.com/wp-content/uploads/2009/10/GFI015-zeus-Custom.jpg"><img class="size-full wp-image-1684 " style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/GFI015-zeus-Custom.jpg" alt="" width="183" height="187" /></a></dt>
<dd class="wp-caption-dd">The Zeus Trojan is now exploiting Firefox.</dd>
</dl>
<p>Despite its reputation for being more secure than Internet Explorer, Firefox has found itself under fire from the infamous Zeus Trojan. A new version of the malware is able to exploit Firefox and use it to commit bank fraud. It uses HTML injection to bypass authentication. Previous versions weren’t capable of compromising a bank’s webpage or a user’s transaction, so its damage was limited to IE users. Not so anymore.</p>
</div>
<blockquote><p>&#8220;We expect this new version of Zeus to significantly increase fraud losses, since nearly 30 percent of internet users bank online with Firefox and the infection rate for this piece of malware is growing faster than we have ever seen before,&#8221; Amit Klein, CTO of Trusteer and head of the company&#8217;s research organization, said in a statement.</p></blockquote>
<p>Zeus has been around since 2006 and is responsible for millions of dollars worth of bank fraud. It distributes itself via its massive botnet, which uses over 3 million zombies to pump out billions of malicious spam messages. Once it infects a system, it drops a keylogger which activates when any site on the Trojan’s programmed list is visited. Sites on the list include most major banking and credit card sites, eBay, Amazon, Paypal, Facebook, and MySpace. Login credentials and other personal info are recorded and sent back to the bot’s command servers. Zeus uses the stolen credentials from social networking sites to pump out its spam there as well.</p>
<p>Mozilla denies there are any security issues with their browser, claiming that Zeus affects all programs on the systems it infects.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/05/zeus-takes-aim-at-firefox-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Malware Has a Damaging Twist</title>
		<link>http://www.allspammedup.com/2010/03/new-malware-has-a-damaging-twist/</link>
		<comments>http://www.allspammedup.com/2010/03/new-malware-has-a-damaging-twist/#comments</comments>
		<pubDate>Wed, 31 Mar 2010 18:17:57 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2367</guid>
		<description><![CDATA[A new type of malware distributes itself by silently overwriting the update function for popular applications like Flash and Adobe Acrobat. While malware masquerading as software updates is very common, this is the first time it’s been seen overwriting the &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-864" style="margin: 10px; border: 0pt none;" src="http://www.allspammedup.com/wp-content/uploads/2009/04/virus-worm1-400x315.jpg" alt="virus-worm1" width="201" height="158" />A new type of malware distributes itself by silently overwriting the update function for popular applications like Flash and Adobe Acrobat. While malware masquerading as software updates is very common, this is the first time it’s been seen overwriting the auto update functions of legitimate software. Written in Visual Basic and called W32.Fakeupver.trojan, it looks exactly like a legit updater right down to the version number and updater; in fact, it’s so convincing that even anti-virus software is fooled.</p>
<p>Once installed, it opens DHCP and DNS clients along with a network share and port in order to communicate with its command server, and presumably adds the system to a botnet.</p>
<p>What makes the malware particularly dangerous is that once it is detected and removed, the legitimate app it infected is left without its auto update feature, and that could leave the app vulnerable to future attacks if it’s unable to download critical updates. The user would have to completely re-download and reinstall the affected software, and likely wouldn’t know they had to.</p>
<p>Since many software apps like Adobe, Java, Flash, and Windows itself receive near constant updates and patches, having the update function removed could be disastrous. Scammers have exploited Flash and Java many times, and malicious PDFs are a popular distribution method. 56% of all malware currently comes from malicious PDFs. Experts recommend disabling JavaScript when visiting unfamiliar websites to help protect yourself, but an even better idea is to avoid visiting unfamiliar websites altogether. It’s also a good idea to manually check your apps on a regular basis to make sure they’re properly updated.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/new-malware-has-a-damaging-twist/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers Find Flaws in Google&#8217;s reCAPTCHA</title>
		<link>http://www.allspammedup.com/2009/12/researchers-find-flaws-in-googles-recaptcha/</link>
		<comments>http://www.allspammedup.com/2009/12/researchers-find-flaws-in-googles-recaptcha/#comments</comments>
		<pubDate>Fri, 18 Dec 2009 14:10:45 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Koobface]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1949</guid>
		<description><![CDATA[A new report by security researchers claims that Google’s reCAPTCHA system is flawed &#8211; so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour resulting in over 850,000 fake accounts being &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1954" src="http://www.allspammedup.com/wp-content/uploads/2009/12/1_google_logo.jpg" alt="1_google_logo" width="172" height="121" />A new report by security researchers claims that Google’s reCAPTCHA system is flawed &#8211; so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour resulting in over 850,000 fake accounts being registered each day. The researchers say the flaw is the same one that has plagued all CAPTCHA services &#8211; the human factor &#8211; but with a twist.</p>
<p>The Koobface botnet is distributing a new variant of its Trojan that forces the user of the computer it infects to solve a CAPTCHA. The user is presented with a Windows pop-up directing them to solve the CAPTCHA provided or their system will be shut down. The solved CAPTCHA is then sent to the botnet’s C&amp;C channel and used to create a fake Blogspot blog which is populated with content from Google News. Koobface uses SEO techniques to ensure these blogs are packed with hot topics and sure to appear at the top of search engines. The links in these fake blogs redirect to a fake Facebook page where the user is directed to download a “flash player update” which is really the Koobface Trojan. The same technique is used to create fake Gmail and Facebook accounts which are also used to distribute the malware. Once Koobface infects a system, it steals credit card numbers and other personal information.</p>
<p>The underground economy of human-driven CAPTCHA solving is booming as well, further weakening the effectiveness of CAPTCHA systems. Services offering bulk orders of solved CAPTCHAs for Web 2.0 and social media services are exploding and prices are lower than ever. One service offers 1 million solved CAPTCHAs for $800. However, with Koobface taking CAPTCHA solving into its own hands, other malware distributors may follow suit, leading to the CAPTCHA solving industry’s demise.</p>
<p>Google denies that their reCAPTCHA is flawed, claiming the data used in the report is outdated.</p>
<blockquote><p>&#8220;Therefore, this study does not reflect the effectiveness of reCAPTCHA&#8217;s current technology against machine solvers,&#8221; said a Google spokesman. &#8220;We&#8217;ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we&#8217;ve received very positive feedback from customers.&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/12/researchers-find-flaws-in-googles-recaptcha/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zeus Botnet Using Amazon Service as C&amp;C Server</title>
		<link>http://www.allspammedup.com/2009/12/zeus-botnet-using-amazon-service-as-cc-server/</link>
		<comments>http://www.allspammedup.com/2009/12/zeus-botnet-using-amazon-service-as-cc-server/#comments</comments>
		<pubDate>Mon, 14 Dec 2009 14:00:43 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[cloud-based spam]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1919</guid>
		<description><![CDATA[Amazon’s EC2 service is the latest cloud-based service being exploited by the Zeus Trojan. Security researchers have discovered the Trojan is using EC2 as one of its command and control centers. PCs that have been infected with the malware and &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-1924" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/12/hacking-312x400.jpg" alt="hacking" width="138" height="125" /></p>
<p>Amazon’s EC2 service is the latest cloud-based service being exploited by the Zeus Trojan. Security researchers have discovered the Trojan is using EC2 as one of its command and control centers. PCs that have been infected with the malware and turned into zombies report to the service for updates, instructions and possibly even more malware.</p>
<blockquote><p>&#8220;We believe this was a legitimate service that was purchased and compromised via a vulnerability&#8221; such as a weak password, Don DeBolt, CA&#8217;s director of threat research, told <em>The Reg</em>. &#8220;It could have been any vulnerable system on the internet.&#8221;</p></blockquote>
<p>Other services that Zeus has been using as C&amp;C centers include Twitter, Facebook, and Google Apps. Such sites are attractive to botnet herders because they are cheap and easily available, and connections to them simply don’t set off any alarms or notifications when the zombies check in. Another thing that makes them attractive is that, unlike obscure Chinese or Russian domains, such popular services simply aren’t likely to ever be blacklisted. In effect, they are using these services as camouflage.</p>
<p>Amazon shut down the infected EC2 channel after being notified, but it likely won’t keep Zeus down for long. Cybercriminals have invaded the Cloud and are here to stay.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/12/zeus-botnet-using-amazon-service-as-cc-server/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Spam Promises Macbook, Delivers Malware</title>
		<link>http://www.allspammedup.com/2009/11/new-spam-promises-macbook-delivers-malware/</link>
		<comments>http://www.allspammedup.com/2009/11/new-spam-promises-macbook-delivers-malware/#comments</comments>
		<pubDate>Fri, 27 Nov 2009 11:51:57 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1863</guid>
		<description><![CDATA[A new wave of malicious spam makes promises of a free MacBook Air but delivers malware instead. The spam messages were only recently detected and arrived with the subject line “Congratulations!” The body of the message reads “Congratulations! You have won &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-1864" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/11/overview_hero4_20090828-400x226.png" alt="overview_hero4_20090828" width="204" height="115" /></p>
<p>A new wave of malicious spam makes promises of a free MacBook Air but delivers malware instead. The spam messages were only recently detected and arrived with the subject line “Congratulations!” The body of the message reads “Congratulations! You have won todays Macbook Air. Please open attached file and see details.&#8221;</p>
<p>The file is an .exe file that installs malware onto the system. The malware has been identified as TROJ_AGENT.AWYQ. Once installed, it drops TROJ_CUTWAIL.GO, which adds the infected computer to the Cutwail/Pushdo botnet. A spam module is downloaded along with one or more “Campaign modules” which contain third party malware from a number of different sources. It’s also programmed to connect to web-based email providers that it detects the infected computer has logged into, like Hotmail, Yahoo! and Gmail, and send out copies of itself.</p>
<p>Cutwail/Pushdo is one of the largest botnets in the world, sending out millions of spam messages a day.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/11/new-spam-promises-macbook-delivers-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zbot Trojan Ring Busted</title>
		<link>http://www.allspammedup.com/2009/11/zbot-trojan-ring-busted/</link>
		<comments>http://www.allspammedup.com/2009/11/zbot-trojan-ring-busted/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 15:36:24 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1832</guid>
		<description><![CDATA[Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police&#8217;s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-1833" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/11/trojan-400x287.jpg" alt="trojan" width="211" height="152" /></p>
<p>Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police&#8217;s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.</p>
<blockquote><p>Detective Inspector Colin Wetherill of the PCeU said: &#8220;The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.&#8221;</p></blockquote>
<p>Zeus records banking account numbers, logins and other personal info and adds the infected computer to the ZBot botnet, which then uses the computer to pump out malicious spam designed to spread the infection.</p>
<p>Authorities would not identify the two suspects, saying only that they are a man and woman in their 20s. They are being charged under the 1990 Computer Misuse Act and the 2006 Fraud Act.</p>
<p>Security experts say Zeus is spreading so fast because there is a toolkit available that allows anyone to customize the malware, create their own versions, and use it to commit bank fraud.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/11/zbot-trojan-ring-busted/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gumblar has new face on ugly head</title>
		<link>http://www.allspammedup.com/2009/11/gumblar-has-new-face-on-ugly-head/</link>
		<comments>http://www.allspammedup.com/2009/11/gumblar-has-new-face-on-ugly-head/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 15:02:33 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[click fraud]]></category>
		<category><![CDATA[Gumblar]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1743</guid>
		<description><![CDATA[Malware watchers are reporting that the Gumblar botnet is working its mischief once again, this time on a larger scale than ever. The malicious software first attracted the notice of White Hats this spring when it used SQL injection attacks to &#8230;
]]></description>
			<content:encoded><![CDATA[<div id="attachment_1747" class="wp-caption alignright" style="width: 310px"><img class="size-full wp-image-1747" src="http://www.allspammedup.com/wp-content/uploads/2009/11/sql.jpg" alt="Gumblar uses SQL injection to infect Web servers." width="300" height="225" /><p class="wp-caption-text">Gumblar uses SQL injection to infect Web servers.</p></div>
<p>Malware watchers are reporting that the Gumblar botnet is working its mischief once again, this time on a larger scale than ever. The malicious software first attracted the notice of White Hats this spring when it used SQL injection attacks to infect legitimate websites&#8211;sites such as Tennis.com, Variety, and Coldwellbanker.com&#8211;and spread itself to the personal computers of visitors to those netposts. SQL injection attacks are performed on the database layer of an application. They take advantage of vulnerabilities in the layer that can be exploited by input that produces unintended consequences, such as forgetting to authenticate a user&#8217;s identity.</p>
<p>After Gumblar made its initial splash, its activity abated, only to experience a revival at <a href="http://www.allspammedup.com/2009/08/gumblar-botnet-reawakens-and-starts-pumping-out-spam/" target="_blank">the end of the summer</a>. Now it&#8217;s running wild again, according to security researchers, infecting hundreds of trusted sites and through them, thousands of PCs.</p>
<p>In its birth form, the badapp poisoned a site&#8217;s back end server or used an iFrame or other ploy to redirect a visitor to a black server for a proper fleecing and contamination. The use of iFrames has become a popular ruse of cyberbandits. Once injected into a trusted site, it redirects a browser to another iFrame that executes clandestine JavaScript code on an unsuspecting keyboard jock&#8217;s computer. The code then connects to Net places where more code is secretly executed to exploit vulnerabilities in a target system. Crackers leverage those vulnerabilities to gain control of a user&#8217;s computer and filch usernames, passwords and other information from the system. It also looks for FTP credentials so it can infect more servers.</p>
<p><span id="more-1743"></span></p>
<p>Although browsers like Firefox will alert users when they are being redirected from a website, the practice is so common that most users sanction it without a second thought, much as they would when they receive a notice to upgrade a browser extension or plug-in.</p>
<p>The original Gumblar redirected its victims to a couple of nefarious sites, but now, White Hats say, the scamgram is pointing gulls to thousands of servers in more than 200 countries. In the United States alone it&#8217;s estimated that more than 7200 servers are spreading Gumblar. Favorite targets of Gumbsters are servers with the domain extension .edu or .gov.</p>
<p>The latest version of Gumblar appears to be departing from its iFrame roots, according to security experts. Rather than redirecting muggins to a rogue site, like Gumblar.cn, it&#8217;s planting its sickening scripts and felonious payloads directly on a compromised host. That makes fighting the malware that much harder. Instead of focusing on an attack vector consisting of one or two servers, defenders now have to cope with one made up of thousands of infected servers. Moreover, the scripts are camouflaged so they match the existing file structure at a website and heavy obfuscation is used to foil existing security measures.</p>
<p>According to one malware watcher, Gumblar&#8217;s script modifies this key in the Windows Registry:</p>
<p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32</p>
<p>The alteration ensures that the malware will load any time a browser is launched.</p>
<p>The malicious program also alters sqlsodbc.chm, a default file found in the Windows\System32 directory on Windows XP.</p>
<p>Security experts report that the latest strain of Gumblar is fond of infecting Adobe Reader and Flash Player files. They add that infections are so widespread that some PC vendors are finding their support lines inundated with calls about erratic computer behavior that is symptomatic of the cybercancer. That behavior includes spontaneous reboots and failure to reboot completely. In the case of an incomplete startup, the computer&#8217;s screen will remain black with only a mouse pointer displayed.</p>
<p>Gumblar&#8217;s behavior is leading some security researchers to believe that it is a &#8220;botnet for hire&#8221; designed to achieve a variety of ends for a variety of Web rats. In some cases, the badapp is merely redirecting traffic to a rogue site to collect page views and collect advertising revenue through click fraud. In other cases, it&#8217;s diverting Websters to sites which will infect a target&#8217;s system with malware.</p>
<p>Making sure an operating system&#8217;s security patches are up to date and an organization&#8217;s intrusion prevention signatures are current can provide some measure of protection from Gumblar, but vigilance when those redirect messages pop up in a browser window will go a long way in thwarting the malware&#8217;s malevolent aspirations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/11/gumblar-has-new-face-on-ugly-head/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

