spam

9 reasons the Storm botnet is different

From Bruce Schneier’s “Gathering ‘Storm’ Superworm Poses Grave Threat to PC Nets” (Wired: 4 October 2007):

Storm represents the future of malware. Let’s look at its behavior:

1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.

2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. …

3. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. …

4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. …

This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect. …

5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called “fast flux.” …

6. Storm’s payload — the code it uses to spread — morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.

7. Storm’s delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites — anything to entice users to click on a phony link. …

8. The Storm e-mail also changes all the time, leveraging social engineering techniques. …

9. Last month, Storm began attacking anti-spam sites focused on identifying it — spamhaus.org, 419eater and so on — and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy’s reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.

9 reasons the Storm botnet is different Read More »

An analysis of splogs: spam blogs

From Charles C. Mann’s “Spam + Blogs = Trouble” (Wired: September 2006):

Some 56 percent of active English-language blogs are spam, according to a study released in May by Tim Finin, a researcher at the University of Maryland, Baltimore County, and two of his students. “The blogosphere is growing fast,” Finin says. “But the splogosphere is now growing faster.”

A recent survey by Mitesh Vasa, a Virginia-based software engineer and splog researcher, found that in December 2005, Blogger was hosting more than 100,000 sploggers. (Many of these are likely pseudonyms for the same people.)

Some Title, the splog that commandeered my name, was created by Dan Goggins, the proud possessor of a 2005 master’s degree in computer science from Brigham Young University. Working out of his home in a leafy subdivision in Springville, Utah, Goggins, his BYU friend and partner, John Jonas, and their handful of employees operate “a few thousand” splogs. “It’s not that many,” Goggins says modestly. “Some people have a lot of sites.” Trolling the Net, I came across a PowerPoint presentation for a kind of spammers’ conference that details some of the earnings of the Goggins-Jonas partnership. Between August and October of 2005, they made at least $71,136.89.

In addition to creating massive numbers of phony blogs, sploggers sometimes take over abandoned real blogs. More than 10 million of the 12.9 million profiles on Blogger surveyed by splog researcher Vasa in June were inactive, either because the bloggers had stopped blogging or because they never got started.

Not only do sploggers create fake blogs or take over abandoned ones, they use robo-software to flood real blogs with bogus comments that link back to the splog. (“Great post! For more on this subject, click here!”) Statistics compiled by Akismet, a system put together by WordPress developer Mullenweg that tries to filter out blog spam, suggest that more than nine out of 10 comments in the blogosphere are spam.

Maryland researcher Finin and his students found that splogs produce about three-quarters of the pings from English-language blogs. Another way of saying this is that the legitimate blogosphere generates about 300,000 posts a day, but the splogosphere emits 900,000, inundating the ping servers.

Another giveaway: Both Some Title and the grave-robbing page it links to had Web addresses in the .info domain. Spammers flock to .info, which was created as an alternative to the crowded .com, because its domain names are cheaper – registrars often let people use them gratis for the first year – which is helpful for those, like sploggers, who buy Internet addresses in bulk. Splogs so commonly have .info addresses that many experts simply assume all blogs from that domain are fake.

An analysis of splogs: spam blogs Read More »

Details on the Storm & Nugache botnets

From Dennis Fisher’s “Storm, Nugache lead dangerous new botnet barrage” (SearchSecurity.com: 19 December 2007):

[Dave Dittrich, a senior security engineer and researcher at the University of Washington in Seattle], one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

The way that Storm, Nugache and other similar programs make money for their creators is typically twofold. First and foremost, Storm’s creator controls a massive botnet that he can use to send out spam runs, either for himself or for third parties who pay for the service. Storm-infected PCs have been sending out various spam messages, including pump-and-dump stock scams, pitches for fake medications and highly targeted phishing messages, throughout 2007, and by some estimates were responsible for more than 75% of the spam on the Internet at certain points this year.

Secondly, experts say that Storm’s author has taken to sectioning off his botnet into smaller pieces and then renting those subnets out to other attackers. Estimates of the size of the Storm network have ranged as high as 50 million PCs, but Brandon Enright, a network security analyst at the University of California at San Diego, who wrote a tool called Stormdrain to locate and count infect machines, put the number at closer to 20,000. Dittrich estimates that the size of the Nugache network was roughly equivalent to Enright’s estimates for Storm.

“The Storm network has a team of very smart people behind it. They change it constantly. When the attacks against searching started to be successful, they completely changed how commands are distributed in the network,” said Enright. “If AV adapts, they re-adapt. If attacks by researchers adapt, they re-adapt. If someone tries to DoS their distribution system, they DoS back.”

The other worrisome detail in all of this is that there’s significant evidence that the authors of these various pieces of malware are sharing information and techniques, if not collaborating outright.

“I’m pretty sure that there are tactics being shared between the Nugache and Storm authors,” Dittrich said. “There’s a direct lineage from Sdbot to Rbot to Mytob to Bancos. These guys can just sell the Web front-end to these things and the customers can pick their options and then just hit go.”

Once just a hobby for devious hackers, writing malware is now a profession and its products have helped create a global shadow economy. That infrastructure stretches from the mob-controlled streets of Moscow to the back alleys of Malaysia to the office parks of Silicon Valley. In that regard, Storm, Nugache and the rest are really just the first products off the assembly line, the Model Ts of P2P malware.

Details on the Storm & Nugache botnets Read More »

Russian bot herders behind massive increase in spam

From Ryan Naraine’s “‘Pump-and-Dump’ Spam Surge Linked to Russian Bot Herders” (eWeek: 16 November 2006):

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. …

For starters, the Trojan comes with its own anti-virus scanner – a pirated copy of Kaspersky’s security software – that removes competing malware files from the hijacked machine. Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the variant of the Trojan installed, and further segmented into peer groups of no more than 512 bots. This allows the hackers to keep the overhead involved in exchanging information about other peers to a minimum, Stewart explained.

… the attackers are meticulous about keeping statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of origin of all bots in the botnet. In all, computers in 166 countries are part of the botnet, with the United States accounting for more than half of the infections.

The botnet stats tracker even logs the version of Windows the infected client is running, down to the service pack level. One chart commandeered by Stewart showed that Windows XP SP2 … machines dominate the makeup of the botnet, a clear sign that the latest version of Microsoft’s operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a database hacking component that signaled the ability of the spammers to target its pump-and-dump scams to victims most likely to be associated with stock trading.

Stewart said about 20 small investment and financial news sites have been breached for the express purpose of downloading user databases with e-mail addresses matched to names and other site registration data. On the bot herder’s control server, Stewart found a MySQL database dump of e-mail addresses associated with an online shop. …

The SpamThru spammer also controls lists of millions of e-mail addresses harvested from the hard drives of computers already in the botnet. …

“It’s a very enterprising operation and it’s interesting that they’re only doing pump-and-dump and penis enlargement spam. That’s probably because those are the most lucrative,” he added.

Even the spam messages come with a unique component. The messages are both text- and image-based and a lot of effort has been put into evading spam filters. For example, each SpamThru client works as its own spam engine, downloading a template containing the spam and random phrases to use as hash-busters, random “from” names, and a list of several hundred e-mail addresses to send to.

Stewart discovered that the image files in the templates are modified with every e-mail message sent, allowing the spammer to change the width and height. The image-based spam also includes random pixels at the bottom, specifically to defeat anti-spam technologies that reject mail based on a static image.

All SpamThru bots – the botnet controls about 73,000 infected clients – are also capable of using a list of proxy servers maintained by the controller to evade blacklisting of the bot IP addresses by anti-spam services. Stewart said this allows the Trojan to act as a “massive distributed engine for sending spam,” without the cost of maintaining static servers.

With a botnet of this size, the group is theoretically capable of sending a billion spam e-mails in a single day.

Russian bot herders behind massive increase in spam Read More »

My reply to those “You sent a virus to me!” emails

On Saturday 17 April 2004, I received the following email from someone I didn’t know:

> Hello,
>
> I am not sure who you are but our security detected a Netsky virus in an
> email that you sent. Whether a personal message or a spam, please make
> attention to the fact that you are spreading viruses and have your systems
> checked. Also, when a virus is detected the message does not get through so
> we have no idea who you are or the nature of your message.

My reply

I really wouldn’t bother sending these messages out, or you will find yourself with a full-time job.

Virtually every modern virus spoofs the sender of the email address of the sender. In other words, the virus scans the infected computer for email addresses, and then picks one for the TO field and one for the FROM field. Someone that has both of our email addresses on their computer is infected, and the virus chose your email address for TO and my email address for FROM. That is the extent of it. Unfortunately, we have no way to knowing who really is infected, so emailing the person who appears to have sent the email is a complete waste of your time.

Finally, I could not be infected, as I do not use Windows. I use Linux, which is impervious to the glut of viruses and worms that infect Microsoft’s poorly-coded operating system.

My reply to those “You sent a virus to me!” emails Read More »

What kinds of spam are effective?

From Alex Mindlin’s “Seems Somebody Is Clicking on That Spam” (The New York Times: 3 July 2006):

Spam messages promoting pornography are 280 times as effective in getting recipients to click on them as messages advertising pharmacy drugs, which are the next most effective type of spam.

The third most successful variety is spam advertising Rolex watches, 0.0075 percent of which get clicked on, according to an analysis by CipherTrust, a large manufacturer of devices that protect networks from spam and viruses.

What kinds of spam are effective? Read More »

Spammers causing problems to DNS

From Dennis Fisher’s Spammers’ New Tactic Upends DNS (eWeek: 10 January 2005):

One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

“Anti-spam systems have become heavily dependent on DNS for looking at all kinds of blacklists, looking at headers, all of that,” said Paul Judge, a well-known anti-spam expert and chief technology officer at CipherTrust Inc., a mail security vendor based in Atlanta. “I’ve seen systems that have to do as many as 30 DNS calls on each message. Even in large enterprises, it’s becoming very common to see a large spam load cripple the DNS infrastructure.”

Spammers causing problems to DNS Read More »

Most PCs are rife with malware, & owners don’t know it

From Robert Lemos’s Plague carriers: Most users unaware of PC infections (CNET News.com: 25 October 2004):

A study of home PCs released Monday found that about 80 percent had been infected with spyware almost entirely unbeknownst to their users.

The study, funded by America Online and the National Cyber Security Alliance, found home users mostly unprotected from online threats and largely ignorant of the dangers. AOL and the NCSA sent technicians to 329 homes to inspect computers. …

Nearly three in five users do not know the difference between a firewall and antivirus software. Desktop firewall software regulates which applications on a PC can communicate across the network, while antivirus software detects malicious code that attempts to run on a computer, typically by pattern matching. Two-thirds of users don’t have a firewall installed on their computer, and while 85 percent of PC owners had installed antivirus software, two-thirds of them had not updated the software in the last week. The study found one in five users had an active virus on their machines.

Most PCs are rife with malware, & owners don’t know it Read More »

Prices for zombies in the Underground

From Byron Acohido and Jon Swartz’s “Going price for network of zombie PCs: $2,000-$3,000” (USA TODAY: 8 September 2004):

In the calculus of Internet crime, two of the most sought-after commodities are zombie PCs and valid e-mail addresses.

One indication of the going rate for zombie PCs comes from a June 11 posting on SpecialHam.com, an electronic forum for spammers. The asking price for use of a network of 20,000 zombie PCs: $2,000 to $3,000. …

To put a zombie network to work, an attacker needs a list of targets in the form of e-mail addresses. Lists can be purchased from specialists who “harvest” anything that looks like an e-mail address from Web sites, news groups, chat rooms and subscriber lists. Compiled on CDs, such lists cost as little as $5 per million e-mail addresses. But you get what you pay for: Many CD entries tend to be either obsolete or “spam traps” — addresses seeded across the Internet by spam-filtering companies to identify, and block, spammers.

Valid e-mail addresses command a steep price. In June, authorities arrested a 24-year-old America Online engineer, Jason Smathers, and charged him with stealing 92 million AOL customer screen names and selling them to a spammer for $100,000.

Prices for zombies in the Underground Read More »

Killer search terms

From The Inquirer‘s “Killer phrase will fill your PC with spam”:

THERE IS ONE phrase which, if you type into any search engine will expose your PC to shed-loads of spam, according to a new report.

Researchers Ben Edelman and Hannah Rosenbaum reckon that typing the phrase “Free Screensavers” into any search engine is the equivalent of lighting a blue touch paper and standing well back. …

More than 64 per cent of sites that are linked to this phrase will cause you some trouble, either with spyware or adware. The report found 1,394 popular keywords searches found via Google, Yahoo, MSN, AOL and Ask that were linked to spyware or adware and the list is quite amusing. Do not type in the following words into any search engine:

Bearshare
Screensavers
Winmx
Limewire
Download Yahoo messenger
Lime wire
Free ringtones

Killer search terms Read More »

Even worse spam is coming

From Spam Daily News’s “Spam zombies from outer space“:

Spammers could soon use zombie computers in a totally new way. Infected computers could run programs that spy into a person’s email, mine it for information, and generate realistic-looking replies.

John Aycock, an assistant professor of computer science at the University of Calgary, and his student Nathan Friess conducted new research that shows it is possible to create a new type of spam that would likely bypass even the best spam filters and trick experienced computer users who would normally delete suspicious email messages.

There are two key reasons why spam is suspicious to anti-spam filters and human targets alike. First, it often comes from an unrecognized source. Second, it doesn’t look right.

The evolution of spam zombies will change this. These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.

The next generation of spam could be sent from your friends’ and colleagues’ email addresses – and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalization, and personal signatures) – making you more likely to click on a Web link or open an attachment.

What features can be easily extracted from an email corpus? There are four categories:

1. Email addresses. The victim’s email address and any other email aliases they have can be extracted, as can the email addresses of people with whom the victim corresponds.

2. Information related to the victim’s email program and its configuration. For example, the User-Agent, the message encoding as text and/or HTML, automatically-appended signature file, the quoting style used for replies and forwarded messages, etc.

3. Vocabulary. The normal vocabulary used by the victim and the people with whom they correspond.

4. Email style.

  • Line length, as some people never break lines;
  • Capitalization, or lack thereof;
  • Manually-added signatures, often the victim’s name;
  • Abbreviations, e.g., “u” for “you”;
  • Misspellings and typos;
  • Inappropriate synonyms, e.g., “there” instead of “their”;
  • Replying above or below quoted text in replies.

Even worse spam is coming Read More »

Bring down the cell network with SMS spam

From John Schwartz’s “Text Hackers Could Jam Cellphones, a Paper Says“:

Malicious hackers could take down cellular networks in large cities by inundating their popular text-messaging services with the equivalent of spam, said computer security researchers, who will announce the findings of their research today.

Such an attack is possible, the researchers say, because cellphone companies provide the text-messaging service to their networks in a way that could allow an attacker who jams the message system to disable the voice network as well.

And because the message services are accessible through the Internet, cellular networks are open to the denial-of-service attacks that occur regularly online, in which computers send so many messages or commands to a target that the rogue data blocks other machines from connecting.

By pushing 165 messages a second into the network, said Patrick D. McDaniel, a professor of computer science and engineering at Pennsylvania State University and the lead researcher on the paper, “you can congest all of Manhattan.”

Also see http://www.smsanalysis.org/.

Bring down the cell network with SMS spam Read More »

Free markets need visibility to work

From Slashdot’s “Pay-per-email and the ‘Market Myth’“:

But I think there’s a bigger problem underlying all of this. It’s not about specific problems with GoodMail’s or AOL’s or Hotmail’s system. The problem is that many advocates of these systems say that any flaws will get sorted out automatically by “the market” — and in this case I think that is simply wrong. And in fact the people on Thursday’s panel can’t really believe it either, because one thing we all agreed on was that Bonded Sender sucks. But has the marketplace punished Hotmail for using it? Have people left in droves because non-Bonded-Sender e-mail gets blocked? No, because if they never see it getting blocked they don’t know what happens. Free markets only solve problems that are actually visible to the user.

Free markets need visibility to work Read More »

Zombies from China attack Internet

From Computerworld‘s “Army of zombies invades China“:

China’s rapid Internet growth has brought with it a somewhat disturbing side effect: multiplying zombies up to no good.

Zombies, or Internet-connected computers infected by worms or viruses and under the control of a hacker, are used to launch denial-of-service (DoS) attacks, or send spam or phishing e-mails. An average of 157,000 new zombies are identified each day, and 20% of these are in China, security company CipherTrust Inc. reported this week.

… “Criminals look for a weaker link, so places like China, or anywhere behind the U.S. in terms of computer literacy, are a good target,” Stanley said.

China’s fast-growing Internet population is also an attraction, he said. As of January, there were 94 million Internet users in the China, up 18% from the year before, according to the China Internet Network Information Center (CNNIC).

Zombies from China attack Internet Read More »

Social engineering via celebrities

From PC World’s “Britney Spears Ranked Top Virus Celebrity“:

Researchers combed through the seven years of virus-laden messages stored in Panda’s malware database to determine which celebrities most often had their names involuntarily used in association with malicious spam. …

The top ten list of celebrity virus rankings (in descending order) is: Britney Spears, Bill Gates, Jennifer Lopez, Shakira, Osama Bin Laden, Michael Jackson, Bill Clinton, Anna Kournikova, Paris Hilton, and Pamela Anderson.

Social engineering via celebrities Read More »