At the Federal Trade Commission

US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Maintaining up-to-date anti-virus is vital. Some appliances, like the Barracuda Spam & Virus Firewalls that are used by CudaMail.com to filter mail are updated on a constant basis.

US-CERT will provide additional details as they become available.

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

The first report is from Message Labs and it reports that with spam volume up another 5% so far in January 2009 the top 10 Botnets, while consisting of between 10 thousand to 1 Million bots (estimated), were capable of sending out between 131 Million to almost 40 BILLION Spam messages PER DAY per Botnet. Total Volume from just the top 10 Botnets totalled almost 65 Billion messages per day! Are you getting your fair share?

It is interesting to see that the largest Botnet Cutwail/Pandex placed second behind Mega-D/Ozdok in spam volume per day category (7 Billion to 38 Billion) even though it had more compromised PC

We aren’t the only ones thinking of others at this time of year and by that I mean the malware writers. Every year at the holidays we see an upsurge of ‘postcard ware’ based malware. They look like a e-card from a loved one so you are enticed to open them up and while some do display a pretty picture or a play a nice tune in the background they are infecting your pc.

Some recent sample are posted on the Microsoft Malware blog so you can see the pictures without having to get infected.

http://blogs.technet.com/mmpc/archive/2008/12/02/merry-malware.aspx

http://blogs.technet.com/mmpc/archive/2008/12/04/o-come-all-ye-malware.aspx

While many of the e-cards sent at this time of the year are legitimate and sent with the best of intentions it is up to you to double check with the supposed sender if they really did send you one and if you don’t recognize the from e-mail address then don’t open it no matter how tempting it looks.

- Shaun

http://www.itbusiness.ca/it/client/en/home/News.asp?id=50885

It is interesting to note that there are so many compromised bank accounts that they sell at a discount ($1,000 for an account with $40K in it. $10 for an account with $2500 in it) This tells us that the tricks the Cyber Criminals are using (phishing, vishing, spim) are working so you have to be careful out there or it will be your bank account that they are selling online.

Thankfully at IT Business they have provided the following list to remind us of what to and not do online.

Tips to protect yourself

• Use an e-mail filter to block fraudulent messages that are often used in phishing attacks . Use many layers of security such as anti-virus software, firewalls, and anti-phishing toolbars for your browser . Limit the amount of sensitive personal information on your computer.
• Use strong passwords and change them on a regular basis.
• Do not store online account passwords with your Web browser’s automatic feature.

Shaun

- Spam King Shane Atkinson

As reported by the The Register and IT Brief, a two month investigation involving international cooperation has resulted in the laying of charges against [tag]Shane Atkinson[/tag], his brother [tag]Lance Atkinson[/tag] and Roland Smits alleging that they were responsible for the spam messages marketing ‘Herbal King’, ‘Elite Herbal’ and ‘Express Herbal’ along with ‘genuine replica watches’ and ‘adult toy’s’. This has resulted in a noticeable drop in spam volume as this ‘team’ was responsible for up to 1/3 of the spam.

http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/

http://www.itbrief.co.nz/index.php?option=com_content&task=view&id=2995&Itemid=799

These same people appear to have been involved in spamming for a while according to a Wikipedia article with reports going back as far as 2003 with a previous monetary judgment against Lance.

Why did the last judgment not stop then and this time it did?

The authorities froze their bank accounts.

I applaud the authorities taking this step but only time will tell if this is going to force them out of the spam game for good.

I believe that this is a temporary slowdown in the volume of spam. They were able to get away with it for a long time and made lots and lots of money.

Where there is lots of easy money it attracts those drawn to easy money so I would expect the vacuum to be filled shortly or for the same team to be back at it shortly.

Sorry but this does not mean that you don’t need an anti-spam solution

- The Spam Cryer

Here are some more articles on the subject for you:

www.theregister.co.uk/2008/07/30/websense_high_profile_website_malware_survey/

Beloved websites riddled with crimeware

Web 2.0 malware mash-up madness

Many of these sites include search engine and social networking sites that are becoming a popular target for attackers thanks to their huge user bases allied to inadequate security controls. Open redirects that allow hackers to bounce surfers off well-known sites onto dodgy domains are a big part of this problem, according to Carl Leonard, security research manager EMEA at Websense. SQL injection attacks are also a major cause of grief, he added.

Overall 29 percent of malicious Web attacks included data-stealing code, demonstrating that information pilfering rather than simple mischief is becoming a more and more significant driver of malware creation.

Brazilian and Chinese hackers get all the blame but the majority of spyware sends its information back to systems based in the US.

Around half (46 per cent) of the malware attacks monitored by Websense in the first half of 2008 send data back over the web with connections made to systems in the US in 57.3 per cent of these cases. By comparison, just 6 per cent of spyware phones home to China, only 4.3 per cent pings Russia and a similar 4 per cent hooks up with cybercrooks in Brazil.

Websense’s Leonard cautioned that its findings don’t necessarily mean malware-spreading cybercrooks are mostly based in the US. “It could be the attacker is located in a different country. cybercrime is international,” he said.

In other findings, Websense recorded a marked drop in malicious code created using exploitation kits over recent months. It reckons VXers are using customized attacks more often in an attempt to bypass signature detection tools that are likely to block the product of rudimentary malware creation toolkits.

A summary of Websense’s latest research can be found here.

The popular technique for writing botnets over the last while is called ‘[tag]Fast Flux[/tag]‘ where an group of infected PC’s act as a proxy layer between the web server hosting the malware and the PC’s that are going to be infected.

This proxy layer is called the ‘[tag]Fluxnodes[/tag]‘.

You will have seen this in the recent ‘Storm Worm’ spam runs where the e-mail to you consists of a brief subject line and a link to an IP address. When you click on the link in the e-mail your computer connects to the proxy software running on an already infected PC and it then goes out and get’s the content, including the malware that will end up infecting your PC, from the real source.

This makes it harder to track down the real source of the infection as you now have to try and contact the IT people of the computer in the middle (the proxy) and get them to check their log files to find out where the malware content is really coming from.

They may be too busy to respond or they may not even have the logs required to track the source down and meanwhile the ‘Storm Worm’ or some variation continues to send out millions of e-mail messages getting more PC’s infected and adding more pawns to that proxy layer insulating the “bot herder” (gotta love the names we give certain people) from the security professionals that are trying to stop the infection.

As hard as it is to coordinate with the IT departments of the infected proxy layer it does happen often enough that the real source of the malware files is found and is shut down. This does not make the “bot herders” happy as now they have to start building up their bot nets all over again or redirect their proxy pawns to a second source of infected files. This takes time and while this transition is going on the bot network is down and not doing the bidding of the herder thus the evolution of ‘Fast Flux’ to ‘Hydra Flux’.

[tag]Hydra Flux[/tag] is the same basic idea as Fast Flux but with the addition of many heads – like the Lernaean Hydra or many headed serpent in Greek mythology – and just like the ancient snake with many heads you can cut off one of the heads of the modern ‘Hydra Flux’ without killing the beast. The Proxy layer talks to many sources of infection, the mother ships of the Internet Storm Article, so that if one gets found out and stopped the proxy layer has a backup. This is a very resilient hosting structure and could be called a great example of ‘[tag]cloud computing[/tag]‘.

So what can we do to stop the infections?

1. Ensure that we don’t settle for setting up our corporate firewall’s to the point that they work for both us and the malware writers. Too many firewall’s are setup to stop the traffic coming from the Internet to the LAN but allow anything and everything from the LAN to flow to the Internet.
2. If you have a corporate mail server then the mail server should be the only system that has SMTP access to the Internet and you can block all other connections from the LAN to any Internet host on port 25.
3. If the firewall has [tag]Universal Plug and Play[/tag] (UPnP) disable it if at all possible because of the security holes it introduces into your network. Enable the Intrusion Detection (IDS) of your firewall if it has that capability and use it on the inside of your network.
4. If you don’t have a firewall that can do IDS get one that can or add a transparent gateway device like the [tag]Barracuda Web Filter[/tag] that looks for infected traffic originating on the inside of your network and can both block it and report to you that you have an infection problem so you can take care of it. The Barracuda Web Filter also has the log files that would allow you to track down the real source of the malware helping cut off one of the many heads of the Hydra Flux botnet.

Interested in learning more?

Here are some links for you:

Hydra Flux

• http://isc.sans.org/diary.html?storyid=4753

Fast Flux

• http://en.wikipedia.org/wiki/Fast_flux

UPnP

• http://en.wikipedia.org/wiki/Universal_Plug_and_Play

Fast-Flux Data

• Back in February, we published a paper on fast-flux service networks at NDSS’08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. …

Botnet Videos:

Botnets PART 1 :Building A Botnet (1/2)

See actual malicious code and understand how it works. Corey Nachreiner explains botnet architecture for beginners, then builds a bot client.

http://www.secumania.org

http://forums.secumania.org

Botnets PART 1 : Building A Botnet (2/2)

See actual malicious code and understand how it works. Corey Nachreiner explains botnet architecture for beginners, then builds a bot client.

Botnets PART 2 : Botnet Attacks (1/2)

Learn how a bot herder uses his bot army for attacks such as Distributed Denial of Service, getting command line control of victims, installing spyware, and more. Hosted by Corey Nachreiner, CISSP.

Botnets PART 2 : Botnet Attacks (2/2)

Learn how a bot herder uses his bot army for attacks such as Distributed Denial of Service, getting command line control of victims, installing spyware, and more. Hosted by Corey Nachreiner, CISSP.

Some Other Interesting Articles on Botnets:

Interesting Pattern in Storm Worm Traffic – Bj

Do you want to have a very easy way to submit SPAM and false positive reports?

Do you want an easy way to keep your white list up to date?

If you answered YES to any of the above questions then you may want to try the Outlook Plug-in.

Getting to Know The Outlook Plug-In:

This very simple toolbar can be installed in the Outlook 2000 to 2007 e-mail client (not Outlook Express or the new MS Mail) to give you some additional options and two new buttons. These Green and Red buttons with an envelope and either a Check Mark (good) or Red X (bad) make the process of sending a report back to the system that you consider a message SPAM or Wanted as easy as clicking on the corresponding button. It can’t get any simpler than that!

To download the toolbar simply go to the CudaMail Web Portal and click on the ‘Get Mail Client Plugins Here‘ link at the bottom of the page. (this download link is only for current CudaMail customers – if you have a Barracuda Spam Firewall and want the plug-in go talk to your network administrator)

Per-user Web portal is at https://web.CudaMail.com

Once you download the Outlook Plug-in you have to run it to install it so you need to do this with an account that has administrative access to your PC. After it is installed you should be able to get to the ‘Spam Firewall‘ tab under the ‘Tools’ – ‘Options‘ menu item and it should look something like this:

What Does This All Mean?

Automatically Update White list: When this option is checked off every time you add someone as a new personal contact or e-mail someone then they will be added to your personal white list. While this sounds like a great idea you need to login to your personal options area on the CudaMail system on a semi-regular basis to clear out old or stale white list entries and specifically to make sure your own e-mail address is not on the white list.

A typical spammer trick is to send you spam pretending to be you so you do not want to white list your own e-mail address or you will get more spam.

This can happen by accident if you ‘reply all‘ to an e-mail and don’t take your e-mail address off or if you are in the habit of always cc’ing yourself.

Additional Button Actions:

Spam: Permanently Delete Message or Move to Deleted Items folder.

While I like to completely get rid of any spam messages by leaving it on the ‘Permanently Delete Items‘ option you have no way of easily getting back any message you accidently marked as Spam. By setting this option to “Move to – Deleted Items Folder‘ you can always rescue it from there if you have an accident.

Not Spam: Add E-Mail addresses to Whitelist. When a message come through with the subject tagged as spam ‘[CudaMailTagged] -original subject’ and you click on the Green button to submit a ‘falsely marked as spam‘ report this option will also update your personal whitelist so that this senders e-mail will not be tagged in the future.

There is a second benefit to the plug-in as it is building your own personal database of ‘Good‘ and ‘Bad‘ messages that are unique to you. Once you have marked at least 200 messages of each type then the statistical analysis or ‘Barracuda Bayesian Learning‘ will kick in and provide additional protection against Spam. You will only be able to mark messages that have been processed by the CudaMail system so don’t just select everything in your inbox and try to mark them all as ‘good‘. What you should do is look at the message and ask yourself ‘Did this e-mail come from outside our organization and is it a representative sample of e-mail that I want to get in the future?’

This plug-in is also the answer to questions like the following:

1. How do I automatically whitelist all of my contacts?
2. I get so few messages in the per-user quarantine how am I ever going to get 200 ‘good’ messages?
3. How do I send you samples of spam that I don’t want?

Does the Outlook plug-in work with Microsoft Vista?

Yes the Outlook Plug-in versions 2.1.0.5 and above work with Microsoft Vista and Outlook 2007. The plug-in version can be found on the licensing screen when installing the plug-in, or in Microsoft Outlook by viewing the Spam Firewall tab in the Options window. The version number will be located in the bottom-right corner of the window.

If you can give the Outlook Plug-in a try. I have been using it myself for the last 2 years and I get a sense of joy every time I can click on the ‘Spam’ button because I know that this is making the Spammer’s job that much harder next time.

- Shaun