Terry Zink's Anti-malware Blog

Is Australia a hot-bed of zombie activity

tzink — Tue, 09 Feb 2010 18:10:44 GMT

A couple of weeks ago, I posted that Australia was getting ISPs to boot infected computers off of their network. I commented on whether or not this was a good policy. However, there was one thing in that article that I wanted to comment on but didn’t, it was this excerpt:

A global report by security technology giant McAfee reveals that Australia now ranks behind only the US and China for the number of "zombie" computers that fell under the control of spammers in 2009. "The `Land Down Under' is proving to be fertile ground for zombie recruiting," the report says.

It estimates Australia accounts for 6.3 per cent of the world's "new zombies", compared with 18 per cent from the US and 13.3 per cent from China. Just two years ago, Australia was not even in the top 10 countries listed in McAfee's Global Threats report.

Australia is now number 3? Behind only the US and China? That sounds a little hard to believe. I say this because it completely contradicts any of the data I have.

Now, I will admit that I only have data on how much spam we receive from each country, and from how many distinct IPs. If I go by the second half of 2009, Australia ranks 24th for distinct number of IPs that sent us spam and 26th for total amount of spam sent. It lags far behind other countries like South Korea, Brazil, India, Poland, Spain, Romania, Ukraine, and so forth.

Now it’s possible that McAfee’s report measure total zombie activity. Zombies do more than send spam – they host spammy web pages, do fast flux, perform black search engine optimization, conduct DOS attacks, and so forth. And obviously, I have gaps in my own data because I don’t measure that. Yet if I go by data in Microsoft’s latest Security and Intelligence Report (covers first half of 2009), Australia ranks far down the list of countries in terms of number of infected computers with malware, drive-by downloads, and so forth. It confirms my data that Australia is not one of the biggest players when it comes to spam.

This leads me to a couple of possibilities:

McAfee has other metrics that we are not collecting that indicates that Australia has lots of zombies and bumps it up the list.
One of us is wrong.

No offense to McAfee, but I’m guessing (emphasis on the word guessing) that it’s (2), and it’s not us that is wrong. It stretches the credibility to assert that Australia is a smaller player in spam and malware infections but is really abusive in everything else. More often than not, if a country is abusive in one category, they are usually abusive in other categories. While it is true they may not be stack-ranked the same in every category of abuse, they usually are pretty close.

Which botnet sends the most spam, part 3

tzink — Fri, 05 Feb 2010 17:50:31 GMT

In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level. In part 2, I looked at which one sends the most spam by total amount of bytes that they emit. Now, I’d like to put it all together; if we normalize the values, which botnet is responsible for sending out the most spam on a daily basis? Depending on how we measure it, there are a couple of answers.

To check this, first I took a look at the average number of message envelopes each botnet sends per day. I then normalized the value and used the lowest sending botnet as a base, assigning it a value of 1. I have removed lethic from this count because it seems to have fallen off the radar (is something wrong with my script?). The table is below:

Looking at this table here, sorting by the average amount of total envelopes each botnet sends per day, it isn’t even close (for the month of January). Rustock, by far, sends more individual spam messages than any other botnet by a factor of 10. Its net is so wide and the other botnets aren’t even in the running. Mega-d is next followed by cutwail2.

But if we measure the amount of bandwidth the individual receiving mail servers have to process, the numbers change. If we take the average number of messages/envelope, multiple by the average message size (kb) and multiple by the average number of message envelopes per day, then we get the total amount of traffic, in bytes, that each botnet sends. Doing this, the numbers change (remember that these are normalized values, not absolute values):

Looking at it this way, the worst botnet is cutwail followed by cutwail2. Rustock drops down to 3rd in the list, a distant 3rd but not far behind cutwail1. The other botnets bring up the rear, only looking out into the distance and wishing they were as cool as the others.

So there you have it, my study on which botnet sends out the most spam. I’ve shown my work and therefore these results should be reproducible in the future. I’m not totally convinced that my scripts are completely accurate and capturing all of the required information, however, as time passes I should be able to refine them and provide an even more accurate analysis on which botnet is the worst.

Which botnet sends the most spam, part 2

tzink — Thu, 04 Feb 2010 22:59:00 GMT

Following up from my previous post, there are a couple of ways to measure which botnet sends the most spam. On the one hand, botnets can send 1 spam message but address it to a lot of different recipients, thus putting the cost of delivery heavily onto the recipient. This means that the spammer can have a small amount of nodes and the recipient has to assume the overhead of splitting the message up and delivery to multiple recipients. On the other hand, a botnet can be very wide and send a lot of messages to a lot of different people, but only address each message to one recipient. In this case, the overhead of delivery is shifted onto the sender since the spammer/botnet has to support and maintain a lot of different nodes.

But the total number of messages is only one way of looking at it. What about the total size of the message? If one botnet sends a 10 messages at 30 kb each, and other sends 100 messages at 3 kb each, the way we measure who sends the most spam varies. They are each sending the same amount of data. Regarding the 10 botnets I have been tracking this month, below is the botnet and the average size per message in kb that they send:

From here, we can see that cutwail1/2 send very large messages, and combining that with my previous post, we can see that they send a lot of messages per email envelope and the messages tend to be quite large. Cutwail imposes a very large strain onto the overall Internet infrastructure. Rustock, conversely, remains very hard to detect in terms of its footprint. It sends on average 1 message per email envelope, and these messages are quite small.

Lethic sends lots of messages per email, but the messages are small. Gheg doesn’t send very email emails per envelope either, but its messages tend to be larger.

So, what can we conclude from these figures? Rustock is a very efficient spammer, and cutwail is very inefficient (where efficiency is defined as how easy they hide themselves and the costs they impose on the recipient). Lethic is a new kid on the block but doesn’t impose large bandwidth costs, while the others are a mixture between the rustock/cutwail contrast.

Of course, can I definitively state which botnet sends the most spam? The answer is that it depends. While the Holy Grail of many businesses is that the more data you have, the better, I have found that this is not the case. Often times, more data only serves to make you more confused and unable to give a straight up answer.

Which botnet sends the most spam?

tzink — Thu, 04 Feb 2010 00:41:33 GMT

Around the Internet, and even on this blog, various analyses have been done on botnets and which one is responsible for sending the most spam. Whether it’s Rustock, Cutwail, or one of the new kids on the block (grum, gheg, or donbot), I don’t really see any consensus on which one is the spammiest.

There are a couple of ways to measure which botnet sends the most spam. You could do it by which one is sending spam from the most distinct IPs. You could also do it by which one sends the most amount of messages. But the most amount of messages has a couple of different ways of measuring it – by total number of envelopes, total number of messages, and total number of bytes.

The envelope level is different from the message level. For you see, a message envelope can have multiple messages. A message might be addressed to multiple recipients, in other words:

From: Guy Incognito
To: Frank Grimes, Lenny Leonard, Carl Carlson

This particular email would be one envelope and three messages, because the message has to get delivered to 3 people. So, at the message level, it is more costly to process a message with multiple recipients. You could scan the message before branching it out, but afterwards when it comes time to deliver the message, you would have to fork it out into each individual messages, and each of these messages costs bandwidth and storage.

At the message level, here are 10 botnets that I have been tracking for around a month along with the average number of recipients per message:

From this perspective, cutwail and lethic are the spammiest botnets. They send spam messages to lots of different recipients which results in higher infrastructure costs for the recipient (not to mention the filterer of the spam). Lethic is a fairly new botnet, I don’t have a lot of stats for it before November 2009. I wonder whether or not it is related to cutwail1/2 at all, seeing as how the behavior is so similar. I’d have to dig into our logs and see what the messages look like in order to see if there are enough similarities.

Rustock is way down the list. Rustock is a very clever botnet, contrasting it from cutwail1/2 and lethic. Rustock’s strategy is to have a botnet base a mile wide and an inch deep. In other words, the number of distinct IPs is far higher in Rustock than any other botnet (it isn’t even close). But the number of messages it sends per envelope is small, approaching 1.0. This allows it to have a wider footprint that is harder to detect. A bursty emission of spam from a small number of IPs is easier to detect than a scattered distribution of it coming from many, many more IPs. On the other hand, while the latter is harder to detect, the former does more damage to a network because of the additional load put onto a network during the peak traffic times.

What about the types of messages it is sending? How big are they and how much bandwidth do they consume? That’s the subject for a future post.

New Facebook worm

tzink — Fri, 29 Jan 2010 18:03:28 GMT

This morning, I was once again browsing through my Facebook lists (man, Facebook really is a gold mine of material for the cybersecurity world, isn’t it?). I came across something a friend of mine posted, it is entitled “My ex-girlfriend of 2 years cheated on me… here is my revenge!” There is a picture of a scantily clad woman with a link off-site. This friend is a different friend than the one I took to Peru and tossed his iPod into the lake.

My brain started making all sorts of not-so-random associations. Recall that a couple of days ago, I posted that I received a Friend invite from a spammer. And in that invite, there was a picture of a woman in a seductive pose. Having an idea that there might be some relation here, I decided to click on the link being pretty certain that I knew what was going to occur. I clicked on the link and Facebook prevented me from going to it – I was told “Sorry, the link you are trying to visit has been reported as abusive by Facebook users.”

Now my curiosity started to kick in. Was it abusive because the material was offensive? Or was it abusive because the content was malware? I decided to go to the link myself and find out for certain. I went to the page and it had another image (non-offensive… actually, neither image was offensive) but it said to click on a link to download the full image set. Right away, I pretty much knew what it was – a social engineering trick that uses seductive images of women to get people (mostly men) to download the images but in reality installs a worm. The invitation to treat is in the original image, and the payload is not what people bargained for. I checked out the WHOIS info and it was inconclusive.

But the story gets more interesting than this.

I just uploaded a post on CircleID this morning. As I normally do from time to time, after creating my post, I decided to read the posts of other authors. I am currently tied for the 19th most prolific author on there, and I like to read the posts of the most prolific writers. One of them is Gadi Evron, a security consultant who used to work for the Israeli government in their cybersecurity space. I have read a bunch of his posts on CircleID and some of the other posts on his web site.

Now here is where the story gets interesting. For some reason, I decided to do a Bing search for his name. I don’t know why I did this, I think I just wanted to check out his web page again. I found his home page and gave it a quick glance and read his Career Highlights. I then read through his most recent tweets. Here is the most recent one (as of 9:55 am PST, Jan 29, 2009):

yet another facebook worm with a sexy lure ("I cheated on my girlfriend, here's my revense" [sic]-- don't click on it!)

Right then, I knew that my initial (subconscious) guess was correct. This new post that my friend had put up was actually a redirection to a malware page. My friend had fallen prey to it and Facebook was right to block it because it links to malicious content. Good for Facebook, they’re on the ball. However, I thought it was pretty neat/strange/coincidental that a bunch of seemingly random events could all be tied together.

So, unlike the last Facebook incident I encountered where I did nothing, this time I around I did something. I went to my friend’s profile and posted that this was a Facebook worm, not a “legitimate” joke. Hopefully he didn’t click on the link or download/install anything.

Australia booting infected computers off their networks

tzink — Fri, 29 Jan 2010 07:46:00 GMT

The Australian has a good article describing the efforts some of their ISPs are making in an attempt to clean up their act: the government is encouraging ISPs to detect computers on their network that are infected and part of botnets, and to communicate to the customer that their system is compromised. Here’s an excerpt:

COMPUTERS infected with viruses could be "expelled" from the internet under a new industry code to control Australia's plague of contaminated PCs.

The federal government has given the internet industry an operate-or-legislate ultimatum to identify "zombie" computers involved in cyber-crime.

The Internet Industry Association - whose members include major internet service providers Optus, Telstra, Vodafone, AAPT, Virgin and Hutchison 3G, as well as industry giants Facebook, Google and Microsoft - is preparing a voluntary industry code to come into force this year.

The move follows industry intelligence that Australia now hosts the world's third-highest number of "zombie" computers infected with malicious software that can attack other PCs, send spam, store child pornography or steal the user's identity.

A draft copy of the voluntary code says the ISPs should identify affected computers and try to contact the users, by phone or email.

It proposes ISPs apply an "abuse" plan to slow down the speed of the customer's infected computer, or to change the customer's password so they are forced to call the ISP help desk.

"(Another action could be to) provide the customer with a timeframe in which to take remedial access and, if this is not adhered to, terminate service."

The code states ISPs should cut off internet access only in the "most extreme of cases", when a customer had refused to install anti-virus software, or where the amount of spam being sent from the customer's account was clogging up the network.

I like the part above that I bolded. It basically says that ISPs take action to coerce the end user into fixing their system. Unless the customer feels a little bit of pain they will not change their ways. Having your password reset or slowing down a computer’s speed (I assume it is the speed of their Internet connection, this is known as “throttling”) will certainly get a customer’s attention.

This line of thinking has been part of my own line of thinking recently as I have attempted to revamp our own outbound spam process. As I have been collecting requirements, one of my selling points has been that unless a customer feels some pain, they won’t address the root cause of their spam problem. We fork our spam out a different pool of IPs, and I find that there is an internal perception that this solves the problem of outbound spam for us. It doesn’t; I want to go beyond the spam problem on our network and try to address the root cause – that the customer is part of an infected botnet, is running malware, and needs to clean it up. Unless they have an incentive to clean it up (such as us shutting off their outbound mail relay privileges) there is insufficient motivation to actually do it. Antispam zealots like me care about stuff like that, but average Joes aren’t into it so much.

Thus, the Australian code of conduct resonates with me. Home users are probably going to be annoyed at being cut off, and many likely won’t know what to do in order to clean up their systems. Still, it’s a good start and may cause some degradation of the user experience in particular, it should raise the user experience (of the rest of the world) in general.

More on Google and the cyberattacks

tzink — Wed, 27 Jan 2010 16:33:34 GMT

The Financial Times has an update on the cyberattacks that targeted Google last week and caused Google to threaten to pull out of China.

Hackers target friends of Google workers
By Joseph Menn in San Francisco

Published: January 25 2010 23:47 | Last updated: January 25 2010 23:47

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks, raising privacy concerns and pointing to a highly sophisticated operation, security experts said.

Cybersecurity experts analysing the attacks said the hackers spied on individuals and used other sophisticated techniques, making them extremely difficult to stop. The disclosures come amid renewed alarm over cybersecurity after Google said it had been the target of a series of cyberattacks from China.

The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

“We’re seeing a lot more up-front reconnaissance, understanding who the players are at the company and how to reach them,” said George Kurtz, chief technology officer at security firm McAfee.

“Someone went to the trouble to backtrack: ‘Let me look at their friends, who I can target as a secondary person’.”

McAfee discovered that a previously unknown flaw in Microsoft’s Internet Explorer had been used in the attacks. Mr Kurtz said the attackers also used one of the most popular instant messaging programmes to induce victims to click on a link that installed spy software.

Another element of the attack code used a formula only published on Chinese language websites, said Joe Stewart, a researcher for security firm SecureWorks. Mr Stewart also found that some of the code had been assembled in 2006, suggesting that the campaign had been not only well organised but enduring.

The evidence pointed to a government-sponsored effort that only large spy agencies or perhaps some of the most advanced big companies could have withstood, experts said. China on Monday described accusations it was behind cyberattacks as “groundless”.

Sam Curry, vice-president of security firm RSA, said: “This is a loud message for the commercial world, which is: wake up, this isn’t all happiness and goodness and new business.

“Doing business on the internet is as risky as sending ships through the Panama Canal.”

Okay, now I am confused. Is this a cyberattack on Google, or what? The way I read the article, the attackers figured out who the higher-ups were in the company (which means I am safe) and then figured out who their friends and social networks are. How they obtained this, I don’t know. But get this – the hackers then compromised these social network accounts, hoping that they would click the links. Does this mean that the hackers went to all of this trouble to create a targeted spam campaign? That doesn’t read like a cyberattack at all in which information is stolen or services are DOS’ed, it sounds like a spam run. But why would a spammer target a few employees at Google? Spam depends on sending out its garbage to tens, or even hundreds, of thousands of users. At the most, these hackers would get perhaps a few thousand people from a few higher-up Google employees.

That the source code only existed on Chinese sites is certainly suggestive of a Chinese cyberattack but not conclusive of state involvement. Of course, the accusations are hardly groundless.

More Facebook spam

tzink — Wed, 27 Jan 2010 00:48:50 GMT

This morning, I logged into my Facebook account to see what all of my various friends were up to. Is anyone having a birthday? I shall write on their wall some warm wishes. Is anyone doing anything interesting? Perhaps I could like their status. Does anyone have a clever wall post? Perhaps I can post a witty reply.

I logged in and looked at the notifications. One new friend request. “Hello, what’s this?” I asked. “A new friend? Who could it be?” The one thing about Facebook is that whenever you get a friend request, there’s always this momentary twinge of curiosity that is incredibly difficult to resist. I clicked on the Friends link to see who it was.

I saw who it was and experienced several emotions simultaneously – confusion, disappointment, and intrigue. It was from some random woman that I had never met before who was standing in a seductive pose. The name was not a normal name, it looked eastern European. It took me about two seconds to figure out that this was probably a social engineering mechanism; an avenue for abuse. The first thing that entered my mind, after the fog cleared, was that this was going to be the basis of a blog post. I clicked Accept.

I then proceeded to check out her profile. She had about 40 friends and there were a bunch of postings on her wall. Her age was about the same as mine, born in the same year but a few months earlier. In her status, there was a message about checking out her website so I decided to follow the link. I had an inkling of where it would take me… but decided to wait the 60 seconds while the page took an eternity to load (yep, in the world of the Internet, I consider 60 seconds an eternity).

Well, the page loaded and much to my non-surprise, I was taken to a porn page. Not Japanese porn, just typical run-of-the-mill spammer porn, the type you would normally see in a spam message. I sighed, rolled my eyes, shook my head and closed the tab. I then went back and defriended the account. I thought to myself “It figures, Facebook is being attacked this way with spammers signing up for profiles, creating them and randomly searching for people through the Friend Finder.” Well, at least it’s nice to know that I was targeted in this way, I hope it’s because I’m so well known in antispam… but the reality is likely that it was merely a chance occurrence.

I should have reported the abusive account to Facebook. Oh, well, better luck/memory next time.

Spam is solved, we can all go home now

tzink — Tue, 26 Jan 2010 01:08:12 GMT

The NewScientist has an article on an interesting new antispam technique. Here’s an excerpt:

SPAMMERS' own trickery has been used to develop an "effectively perfect" method for blocking the most common kind of spam, a team of computer scientists claims.

Most of the billions of spam messages sent each day originate in networks of compromised computers, called botnets. Unbeknown to their owners, the machines quietly run malicious software in the background that pumps out spam.

Researchers have now come up with a system that deciphers the templates a botnet is using to create spam. These templates are then used to teach spam filters what to look for.

The system, developed by a team at the International Computer Science Institute in Berkeley, California, and the University of California, San Diego, works by exploiting a trick that spammers use to defeat email filters. As spam is churned out, subtle changes are typically incorporated into the messages to confound spam filters. Each message is generated from a template that specifies the message content and how it should be varied. The team reasoned that analysing such messages could reveal the template that created them. And since the spam template describes the entire range of the emails a bot will send, possessing it might provide a watertight method of blocking spam from that bot.

To test their idea, the team installed a previously captured software bot onto a machine. After analysing 1000 emails generated by this compromised machine - less than 10 minutes' work for most bots - the researchers were able to reverse-engineer the template. Knowledge of that template then enabled filters to block further spam from that bot with 100 per cent accuracy.

Knowledge of the spam template enabled filters to block further spam with 100 per cent accuracy.

High accuracy can be achieved by existing spam filters, but sometimes at the cost of blocking legitimate mail. The new system did not produce a single false positive when tested against more than a million genuine messages, says Andreas Pitsillidis, one of the team: "The biggest advantage is this false positive rate."

So, to summarize, a team of researchers downloaded and installed some software that flips a computer into a botnet. This bot then started spewing out spam and the team was able to capture the spam, analyze, and then write spam rules in order to 100% target the spam run.

All you have to do is download the malware, capture the spam traffic, and then use the traffic to build an antispam corpus of rules. In other words, it’s the next step in doing what antispam vendors have been doing since 2002.

In case you can’t tell, I’m not really all that impressed with this spam solution. Yes, it does have a 100% accuracy rate with no false positives. But how practical is it in real life?

You have to capture malware from every botnet – There are lots of different botnets out there, not just one. In order for this solution to be effective at stopping all spam, you would need to capture each type of malware and analyze the spam traffic from all of the botnets, not just a single one. Different botnets have different spam signatures.
You have to capture multiple versions – Malware from botnets, the more intelligent ones, are auto-updating. They periodically phone home and upgrade themselves. And they may not send out traffic in the same ways. You would have to ensure that the software that you have intercepted is capable of analyzing traffic from versions of botnets that send out spam differently.
Botnets do not just send out spam by themselves – Not all botnets spam. Some of them break CAPTCHA’s set up by Windows Live (Hotmail), Yahoo and Gmail. And then, they send out instructions using those compromised accounts to spam from them. Thus, even if these botnets were intercepted in terms of traffic, they wouldn’t solve the spam problem since botnets have multiple uses.
Botnet software is competitive – Some pieces of malware will erase other pieces of malware in an attempt to monopolize the botnet space. So, if you have installed one piece of malware, another piece can come and erase it. You’ll be attempting to capture traffic that doesn’t exist.

Still, this technique is a viable antispam measure if you can capture malware and install it; however, one would need to understand that it is but one tool in the antispam arsenal. It would have to be supplemented with other techniques like IP reputation and sender reputation. As to how practical it is, well, I can’t comment on that because I don’t understand botnet malware very well. But the idea is interesting.

My new Best Buy $1000 Gift Card

tzink — Fri, 22 Jan 2010 17:55:52 GMT

Yesterday, I was browsing through Facebook. I never really look at the ads on the right hand side of the page. Or rather, I should say that I never click on them. However, yesterday, my curiosity was piqued. There was an ad that I had already qualified for a free (free!) $1000 gift card from Best Buy because I was a male of a certain age. I was intrigued. Being in the antimalware space and as someone who has fought spam for years, trying to combat these annoying gift cards that plague user inboxes, I decided to click on the link. Maybe these types of ads were a way to circumvent spam filters. Perhaps social networking is the next big thing for spammers targeting users. Well, perhaps not the next big thing since they are already doing it.

I clicked on the link, and here’s where I was taken to:

“Yep,” I said, “that explains it. All I have to do is enter in my email address, be bombarded by tons of offers every day for the next 50 years, have my address sold to plenty of other folks and there we go – a free $1000 gift card!” As Milton Friedman said, there’s no such thing as a free lunch. Still, I decided to read the official gift offer rules. How much was this free gift card going to cost me?

Here are the terms and conditions:

I have to fill out a form complete with true and accurate information about myself. Fair enough.
I don’t have to complete any Special Offer Surveys, but I do have to complete the Sponsor Offer Surveys. I have to complete 13 Sponsor Offer Surveys in order to get the gift card. And these Sponsor offers are presented to me after the Special Offer surveys. This is a little deceptive, I bet that most people will go to the first couple of surveys, get mentally fatigued and give up. “It’s not worth the effort,” they say. Of course, at this point, they have already handed over all of their details to the spammer, er, I mean marketer.
As I said, you have to complete 13 Sponsor Offers. Oh, and get this – sponsor offers may require you to sample and/or purchase products of interest. Examples are obtaining a loan or extending your credit (including credit cards), transferring a balance or something similar. This $1000 offer is starting to get more expensive than just the cost of time and being spammed for the rest of your life.
Once you have completed a transaction with a sponsor, you are subject to that sponsor’s rules of termination and terms and conditions.
The sponsor has to provide proof that you have completed that Sponsor’s offer. Man, if it gets lost in paperwork (who knows how that could happen) you could be haggling for a while.

After reading through all of this, I can see that it’s not going to be worth my time and effort to go through all of these steps. I mean really, 13 sponsor offers? And I have to buy stuff? I’ll bet it will end up costing me a lot more than $1000 to extend my credit.

How low can you get?

tzink — Sun, 17 Jan 2010 23:56:13 GMT

A colleague forwarded me the following scam today, spammers taking advantage of the recent earthquake in Haiti. It sure didn’t take them long to prey on people’s emotions. Here’s an excerpt:

Human Relief Foundation
755 Romford Road
Manor Park
London
E12 5AW
UK

By now I'm sure you have seen pictures of the absolute devastation in Haiti. As many as 100,000 people could be dead. Survivors are sleeping in the streets among the dead, too afraid to go back into buildings. The people of Haiti need us now to survive, and they will need our help for a long time to rebuild

Human Relief Foundation (HRF) has launched an emergency appeal seeking a total of #120,000,000.00 to deliver assistance to families affected by the devastating earthquake that struck Haiti. Thousands are feared dead, with more than two million people affected and, widespread damage. Critical services such as electricity, water and telephones have been affected.

HRF appeals to the local, national and international community to come forward and donate generously whatever they can to the Haiti earthquake appeal - just as they did with the Tsunami disaster of 2004 and the Kashmir earthquake of 2005. Donations can be accepted in various ways to make a donation contact Email: relief-care@…<redacted.something.cc>

Thank you for everything you are doing to help the people of Haiti

Rebecca Young,

Care2 and ThePetitionSite Team

There's something particularly unethical about preying on the misery of the less fortunate and taking advantage of those who are genuinely concerned for the well-being of others. The Human Relief Fund is an actual organization (or it appears to be, after 5 seconds of research) but the drop box points to a spam site. This particular example of social engineering really is par for the course for spammers.

Google and the cyberattacks

tzink — Sat, 16 Jan 2010 16:50:00 GMT

Well, we’re barely two weeks into 2010 and already we have some interesting geopolitical stories about cyber security. In a one-two punch combination, Google this past week threatened to pull out of China, ostensibly over the issue of censorship. At the same time, they claim that they were the victim of a cyberattack in which the Chinese government attempted to hack into email accounts of anti-government groups. Stratfor (subscription required) has some analysis:

Removed.

This attack illustrates once again the difficulty of tracing Internet attacks. You don’t necessarily need government sponsorship in order to steal information as last year’s attacks on Twitter have proven. Without having more details about the cyberattack, it’s difficult to say what exactly happened. But, I can speculate on some possible scenarios:

The Chinese government is looking to crack down on the human rights activists who use Gmail as their email software. Under orders from certain elements within the government, Chinese hackers used compromised servers in Taiwan to intercept packets from these accounts and relayed offsite where the email messages could be decrypted and broken.

It is difficult to say whether or not Taiwan was acting in cahoots with China. These two countries do not get along. Either the Taiwan servers were compromised due to poor security, or there are Chinese moles in Taiwan. Each are equally likely.
Baidu has links to people in government in China. Attempting to get a leg up on their competition, Baidu requests the government to get them some information (ie, source code) about how Google’s algorithms work. Chinese hackers leap into action, steal data, and turn it over to Baidu. The Chinese government is only too eager to assist their native countrymen in getting a leg up on the competition, whose share of the market has grown from 18% to 31% since 2007.
Or maybe there is no connection. Perhaps some hackers decided to hack into Google and steal the information, and then later sell it to the highest bidder. Given the amount of tools available for free online, this would be a sophisticated attack but might be possible to pull off without state support.

It’s difficult to say what Google’s next move will be. Obviously, they would want to stay in China because that’s where profits are and this might be a cost of doing business. Google is threatening to withdraw from China but it seems very unlikely that they would be willing to cede the country to Baidu (a stock I used to own… and it has popped up 80 points in the past three days and I wish I still owned it). In any case, cyber security is poised to affect the geopolitical scene once again in 2010.

An adventure in Peru, part 7 – Finale

tzink — Fri, 15 Jan 2010 22:47:00 GMT

This story is (mostly) fiction. But it’s quite entertaining if you use your imagination. And who knows? It could have been true.

If you’ve been following my story for the past few posts, you’ll know that I was in dire straits. Somehow, a spammer who I tangled with a year ago had managed to track me down and fight me again, and had learned a few new moves in the meantime. He obviously had learned from before and was making his personal infrastructure more resilient. It was a lot like the McColo takedown in 2008 – spammers were shut down for a few months but eventually responded by making their own infrastructure more resistant to takedown and much more greatly diversified. This spammer was following the same pattern.

This guy had learned moves from the characters in Street Fighter II, something I had shown him a year earlier and now he had stolen my moves. He was imitating me, a lot like a phisher imitating an actual financial institution. The parallels between video games, spam and real life were uncanny. And now he was giving me a spinning pile driver, about to slam me noggin right through the concrete (?) of Machu Picchu.

I knew that I had only a split second to break out of the hold otherwise I would most likely be done for. I was starting to get a bit dizzy from all of the spinning, similar to what happens when I go ballroom dancing and do moves that involve a heck of a lot of rotation. As the ground rushed up, I made my move. I pulled back my right leg a bit and then thrust my knee forward as hard as I could. I connected by hitting the spammer right in the nose. He grunted a bit but retained his grip. Unfortunately (for him), that grip loosened a bit, giving me just enough slack. I grabbed onto his waist with my hands and shoved myself up a bit so that my head would no longer be the point of impact on the ground. A split second later, I braced hard with my arms. He landed on the ground, coming down extremely hard on his posterior. Because of the now-existing gap, my head did not impact with the full force of his body weight. The impact was very hard and body slammed down because of gravity; I felt the strain on my arms and tried to avoid hitting my head but couldn’t. I didn’t have quite enough strength in my arms to keep myself up in the air. I slipped a bit and banged my head slightly, giving myself a concussion as I would later find out.

The spammer, however, was hurt. Landing on himself sent a shockwave of strain through his lower back and legs. “Aagh!” he shouted. He kind of rolled to the side while I blinked a few times and rubbed my head. The world was woozy but at least I was still alive. I staggered to my feet, still holding my head. It was warm and gooey; I looked at it and I saw a red liquid. At the time it didn’t quite register to me what it was but obviously it was blood. I straightened up and looked at the spammer. He was getting to his feet and looked even angrier than before. I then saw him pull out a knife. “Enough of this,” he sputtered. “Come here!” The knife looked like it was an imitation knife, like something he picked up out of his spam folder.

It was at this point that I decided that I couldn’t rely on any of my Street Fighter II moves. This spammer had studied me and knew the counterattacks. It was even likely that he had practiced on a few other anti-spammers over the past year in order to hone his skills (like the bad guy Syndrome in the movie The Incredibles). I was going to have to descend into my role as a former secret agent who was trained in secretive fighting arts. The spammer closed in on me and swung his knife at me. The first time he swung at me, he cut me on my arm but I did not react. He then struck out at me a second time, but as he did I moved into him and enclosed his personal space. That caught him off-guard. I then went into a mental zone and kind of spaced out a bit as my body went into an automatic reaction.

I extended my arms and closed them as quick as I could, smashing my hands over top of his ears and popping his eardrums. His eyes went wide, stunned by this sudden burst of output. I raised up my palm under the bridge of his nose and thrust upwards, pushing his schnoz into the top part of his forehead. I gave him a headbutt in his right eye, right where the iPod-shaped mark was, and then hit him four times in a row on his throat. He staggered backwards but I closed in and refused to let him get away. I kicked him in the knee and as he bent forward I grabbed him by the back of the neck and shoved his head down. At the same time, I brought my knee up, smashing his head into it. It did hurt my knee a bit but I didn’t care. As his head came up I jabbed out my fist into the side of his jaw, grabbed him so he couldn’t fall backwards and pulled him back, and then did the same thing. I then did it again. Blood was exiting his mouth.

I let him go and he collapsed to the ground. He turned back to me. “You can’t win, you know,” he sneered. “If you get rid of me, more will take my place. There are hundreds of us. And we can hide where you can’t touch us! You cannot win!”

I paused. He was right. There were hundreds of spammers around the world, and they could hide. They were in cahoots with other malware writers and figures in the criminal underworld. And even if I took out one, others would take his place. There was nothing I could do to fix this situation.

At that instant, the spammer turned and he threw his knife at me from point blank range, 5 feet away. It flew towards me at a rapid pace headed right towards my face. But at the last instant, I extended my right arm caught it out of mid-air, only 1 inch from my eye. I looked at the knife, tossed it aside and then looked back at the spammer. His eyes were wide with fright. He knew that he had just used his last piece of leverage he had on me, hoping to distract me. I glared at him.

“Get off my mountain,” I growled.

The spammer obeyed. He got to his feet, ran over to the side of the mountain and looked back at me. I started to run after him, but before I could catch him he jumped over the side of the mountain. I peered over the side and saw him tumbling down, down, down the side of it. His body bounced and jolted around in an unnatural manner, and eventually disappeared from sight. We were a mile and a half high, after all.

I reached into my pocket and removed a Kleenex. I wiped my forehead, now realizing that the ooze on it was blood. I shook my head. “That’s going to leave a mark,” I said. I sighed and looked for my baseball cap which had flown off in the melee. I saw it about 20 feet away. I walked over to it, picked it up and put it back on. It stung my head a little, but I didn’t want to be walking around with a big cut and bruise on my forehead.

I climbed back down from the high point, glancing at my watch. We only had about 20 minutes of free time left. I walked around for a while and found my friend who I had been traveling with. I was no longer sorry for losing his iPod (I still haven’t replaced it to this day). “What happened to you?” he asked, kind of motioning with his chin.

I looked myself over. I was covered in dust and dirt and I had a couple of bruises on various parts of my body. I spit up a bit more blood and wiped my mouth. I then looked back at my friend. “Let’s head back to the entrance,” I said. “I want a refund.”

Me and this spammer would meet again one day. And next time we met, I would finish it once and for all.

Google’s rocky relationship with China

tzink — Fri, 15 Jan 2010 18:37:00 GMT

The following article is a reprint from Stratfor (subscription required). I am re-posting it here because it illustrates the difficulties that foreign companies have when attempting to make a profit in China. In case you are unaware, on Tuesday, Jan 12, Google threatened to pull out of China if they didn’t start cracking down on a cyberattacks against them that compromised user’s accounts. I will get into that in a future post.

Removed.

Source.

Another botnet taken down

tzink — Fri, 15 Jan 2010 00:04:58 GMT

A few weeks ago in the beginning of November, I posted a blog post about the highest number of spamming botnets that we see on our network. In roughly the following order, the worst botnets were the following:

Rustock
Bagle-cb
Cutwail
Darkmailer
Grum
Donbot
Bobax
Mega-d
Xarvester

I don’t track these botnets every day, though I do collect the statistics. Every once in a while I take a look to see who’s the worst, and it’s usually Rustock. But lately, another botnet has exploded and often penetrates the top 3 – the lethic botnet.

While I don’t currently have the stats handy (I’m off work recovering from arthroscopic hip surgery due to that stupid spammer who attacked me in Peru), I do know that lethic has managed to penetrate the number one spot for botnets on some occasions. It’s not consistent but it does do it.

Over the weekend, on Jan 10, 2010, the lethic botnet was penetrated by the folks over at Neustar. Following that, spam from lethic plummeted. Even on our own networks, we saw a massive drop in mail from week-over-week on a Sunday, even though Sunday, July 3 was still in the holiday time. Indeed, we are still way below our general network averages for the months of December and early January prior to Jan 10.

Similar to what happened to Mega-D last year when FireEye penetrated it, the botnet’s command-and-control structure was infiltrated in order to take it offline. Disrupting these types of brain mechanisms prevents the botnet from sending out instructions to the worker nodes and sending out spam. Cutting off the head of the dragon pretty much kills it for a short time. Unfortunately, like Medusa’s heads, these things keep growing back.

So, should there be more proactive action on the part of the antispam community to take out botnets? Should there be research into it? Funding? Should ISPs take the initiative to take their customers offline if they detect they are C&C centers?

It’s difficult to say but there is certainly no denying that going after the C&Cs work better than almost any other technique. After McColo, botnets evolved to make their infrastructure more resilient. It’s nice to see that the anti-abuse community is also evolving.