At the Federal Trade Commission’s request, a district court judge has permanently shut down a rogue Internet Service Provider that recruited, hosted, and actively participated in the distribution of spam, spyware, child pornography, and other malicious and illegal content. The ISP’s computer servers and other assets have been seized and will be sold by a court-appointed receiver, and the operation has been ordered to turn over $1.08 million in ill-gotten gains to the FTC.

In June 2009, the FTC charged that 3FN, which does business under a variety of names, actively recruited and colluded with criminals to distribute harmful electronic content including spyware, viruses, trojan horses, phishing schemes, botnet command-and-control servers, and pornography featuring children, violence, bestiality, and incest. The FTC alleged that the defendant advertised its services in the darkest corners of the Internet, including a chat room for spammers.

The FTC complaint alleged that 3FN actively shielded its criminal clientele by either ignoring take-down requests issued by the online security community, or shifting its criminal elements to other Internet protocol addresses it controlled to evade detection.

The FTC also alleged that 3FN deployed and operated botnets – large networks of computers that have been compromised and enslaved by the originator of the botnet, known as a “bot herder.” Botnets can be used for a variety of illicit purposes, including sending spam and launching denial-of- service attacks. According to the FTC, the defendant recruited bot herders and hosted the command-and-control servers – the computers that relay commands from the bot herders to the compromised computers known as “zombie drones.”

—

An excerpt from an interesting announcement by the Federal Trade Commission – taking action against a notorioius Internet Service Provider. (* from the FTC Website – original post here).

US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Maintaining up-to-date anti-virus is vital. Some appliances, like the Barracuda Spam & Virus Firewalls that are used by CudaMail.com to filter mail are updated on a constant basis.

US-CERT will provide additional details as they become available.

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

The first report is from Message Labs and it reports that with spam volume up another 5% so far in January 2009 the top 10 Botnets, while consisting of between 10 thousand to 1 Million bots (estimated), were capable of sending out between 131 Million to almost 40 BILLION Spam messages PER DAY per Botnet. Total Volume from just the top 10 Botnets totalled almost 65 Billion messages per day! Are you getting your fair share?

It is interesting to see that the largest Botnet Cutwail/Pandex placed second behind Mega-D/Ozdok in spam volume per day category (7 Billion to 38 Billion) even though it had more compromised PC’s (1 Million bots to 660,000). This is double interesting as the latest estimates for the recent Conflicker/Downadup botnet size is at 10 million PC’s and they are not sending any spam yet.  With 10 million bots and assuming an aggressive and efficient spam engine Conflicker/Downadup could be capable of sending over half a Trillion (575 Million) messages per day by itself. Are you ready to see your spam volume jump to 10 times its current volume or even higher?

According to Barracuda Central Pharmacy spam still leads with almost 50% of the total volume while Gambling, Illegal Advertizing, ‘Amazing Deals on Software’ and ‘Genuine Replica’s’ round out the top 5 spots and over 90% of the total volume of spam.

If you don’t know how effective your anti-spam measures are or how close they are to running at capacity (out of sight = out of mind) then now is the time to take a serious look at these solutions in your organization and how they are going to handle the new surge of spam that is waiting on the horizon.

It might just be time to invest in a new firewall solution and anti-spam solution.

Don’t say we didn’t warn you!

Other Graphs and reports.

MessageLabs Intelligence: January 2009
http://www.messagelabs.com/mlireport/MLIReport_2009.01_Jan_Final.pdf

Conficker botnet at 10m infections
http://www.theregister.co.uk/2009/01/26/conficker_botnet/

DCC e-mail and spam volume graph last 12 months.
http://www.dcc-servers.net/dcc/graphs/

SpamCop – last 12 months spam volume.
http://www.spamcop.net/spamgraph.shtml?spamyear

Barracuda Central – Spam data last 24 hours
http://www.barracudacentral.org/data/spam

Shaun Sturby

We aren’t the only ones thinking of others at this time of year and by that I mean the malware writers. Every year at the holidays we see an upsurge of ‘postcard ware’ based malware. They look like a e-card from a loved one so you are enticed to open them up and while some do display a pretty picture or a play a nice tune in the background they are infecting your pc.

Some recent sample are posted on the Microsoft Malware blog so you can see the pictures without having to get infected.

http://blogs.technet.com/mmpc/archive/2008/12/02/merry-malware.aspx

http://blogs.technet.com/mmpc/archive/2008/12/04/o-come-all-ye-malware.aspx

While many of the e-cards sent at this time of the year are legitimate and sent with the best of intentions it is up to you to double check with the supposed sender if they really did send you one and if you don’t recognize the from e-mail address then don’t open it no matter how tempting it looks.

- Shaun

http://www.itbusiness.ca/it/client/en/home/News.asp?id=50885

It is interesting to note that there are so many compromised bank accounts that they sell at a discount ($1,000 for an account with $40K in it. $10 for an account with $2500 in it) This tells us that the tricks the Cyber Criminals are using (phishing, vishing, spim) are working so you have to be careful out there or it will be your bank account that they are selling online.

Thankfully at IT Business they have provided the following list to remind us of what to and not do online.

Tips to protect yourself

• Use an e-mail filter to block fraudulent messages that are often used in phishing attacks . Use many layers of security such as anti-virus software, firewalls, and anti-phishing toolbars for your browser . Limit the amount of sensitive personal information on your computer.
• Use strong passwords and change them on a regular basis.
• Do not store online account passwords with your Web browser’s automatic feature.

Shaun

- Spam King Shane Atkinson

As reported by the The Register and IT Brief, a two month investigation involving international cooperation has resulted in the laying of charges against [tag]Shane Atkinson[/tag], his brother [tag]Lance Atkinson[/tag] and Roland Smits alleging that they were responsible for the spam messages marketing ‘Herbal King’, ‘Elite Herbal’ and ‘Express Herbal’ along with ‘genuine replica watches’ and ‘adult toy’s’. This has resulted in a noticeable drop in spam volume as this ‘team’ was responsible for up to 1/3 of the spam.

http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/

http://www.itbrief.co.nz/index.php?option=com_content&task=view&id=2995&Itemid=799

These same people appear to have been involved in spamming for a while according to a Wikipedia article with reports going back as far as 2003 with a previous monetary judgment against Lance.

Why did the last judgment not stop then and this time it did?

The authorities froze their bank accounts.

I applaud the authorities taking this step but only time will tell if this is going to force them out of the spam game for good.

I believe that this is a temporary slowdown in the volume of spam. They were able to get away with it for a long time and made lots and lots of money.

Where there is lots of easy money it attracts those drawn to easy money so I would expect the vacuum to be filled shortly or for the same team to be back at it shortly.

Sorry but this does not mean that you don’t need an anti-spam solution

- The Spam Cryer

Here are some more articles on the subject for you:

www.theregister.co.uk/2008/07/30/websense_high_profile_website_malware_survey/

Beloved websites riddled with crimeware

Web 2.0 malware mash-up madness

Many of these sites include search engine and social networking sites that are becoming a popular target for attackers thanks to their huge user bases allied to inadequate security controls. Open redirects that allow hackers to bounce surfers off well-known sites onto dodgy domains are a big part of this problem, according to Carl Leonard, security research manager EMEA at Websense. SQL injection attacks are also a major cause of grief, he added.

Overall 29 percent of malicious Web attacks included data-stealing code, demonstrating that information pilfering rather than simple mischief is becoming a more and more significant driver of malware creation.

Brazilian and Chinese hackers get all the blame but the majority of spyware sends its information back to systems based in the US.

Around half (46 per cent) of the malware attacks monitored by Websense in the first half of 2008 send data back over the web with connections made to systems in the US in 57.3 per cent of these cases. By comparison, just 6 per cent of spyware phones home to China, only 4.3 per cent pings Russia and a similar 4 per cent hooks up with cybercrooks in Brazil.

Websense’s Leonard cautioned that its findings don’t necessarily mean malware-spreading cybercrooks are mostly based in the US. “It could be the attacker is located in a different country. cybercrime is international,” he said.

In other findings, Websense recorded a marked drop in malicious code created using exploitation kits over recent months. It reckons VXers are using customized attacks more often in an attempt to bypass signature detection tools that are likely to block the product of rudimentary malware creation toolkits.

A summary of Websense’s latest research can be found here. ®

The popular technique for writing botnets over the last while is called ‘[tag]Fast Flux[/tag]‘ where an group of infected PC’s act as a proxy layer between the web server hosting the malware and the PC’s that are going to be infected.

This proxy layer is called the ‘[tag]Fluxnodes[/tag]‘.

You will have seen this in the recent ‘Storm Worm’ spam runs where the e-mail to you consists of a brief subject line and a link to an IP address. When you click on the link in the e-mail your computer connects to the proxy software running on an already infected PC and it then goes out and get’s the content, including the malware that will end up infecting your PC, from the real source.

This makes it harder to track down the real source of the infection as you now have to try and contact the IT people of the computer in the middle (the proxy) and get them to check their log files to find out where the malware content is really coming from.

They may be too busy to respond or they may not even have the logs required to track the source down and meanwhile the ‘Storm Worm’ or some variation continues to send out millions of e-mail messages getting more PC’s infected and adding more pawns to that proxy layer insulating the “bot herder” (gotta love the names we give certain people) from the security professionals that are trying to stop the infection.

As hard as it is to coordinate with the IT departments of the infected proxy layer it does happen often enough that the real source of the malware files is found and is shut down. This does not make the “bot herders” happy as now they have to start building up their bot nets all over again or redirect their proxy pawns to a second source of infected files. This takes time and while this transition is going on the bot network is down and not doing the bidding of the herder thus the evolution of ‘Fast Flux’ to ‘Hydra Flux’.

[tag]Hydra Flux[/tag] is the same basic idea as Fast Flux but with the addition of many heads – like the Lernaean Hydra or many headed serpent in Greek mythology – and just like the ancient snake with many heads you can cut off one of the heads of the modern ‘Hydra Flux’ without killing the beast. The Proxy layer talks to many sources of infection, the mother ships of the Internet Storm Article, so that if one gets found out and stopped the proxy layer has a backup. This is a very resilient hosting structure and could be called a great example of ‘[tag]cloud computing[/tag]‘.

So what can we do to stop the infections?

1. Ensure that we don’t settle for setting up our corporate firewall’s to the point that they work for both us and the malware writers. Too many firewall’s are setup to stop the traffic coming from the Internet to the LAN but allow anything and everything from the LAN to flow to the Internet.
2. If you have a corporate mail server then the mail server should be the only system that has SMTP access to the Internet and you can block all other connections from the LAN to any Internet host on port 25.
3. If the firewall has [tag]Universal Plug and Play[/tag] (UPnP) disable it if at all possible because of the security holes it introduces into your network. Enable the Intrusion Detection (IDS) of your firewall if it has that capability and use it on the inside of your network.
4. If you don’t have a firewall that can do IDS get one that can or add a transparent gateway device like the [tag]Barracuda Web Filter[/tag] that looks for infected traffic originating on the inside of your network and can both block it and report to you that you have an infection problem so you can take care of it. The Barracuda Web Filter also has the log files that would allow you to track down the real source of the malware helping cut off one of the many heads of the Hydra Flux botnet.

Interested in learning more?

Here are some links for you:

Hydra Flux

• http://isc.sans.org/diary.html?storyid=4753

Fast Flux

• http://en.wikipedia.org/wiki/Fast_flux

UPnP

• http://en.wikipedia.org/wiki/Universal_Plug_and_Play

Fast-Flux Data

• Back in February, we published a paper on fast-flux service networks at NDSS’08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. …

Botnet Videos:

Botnets PART 1 :Building A Botnet (1/2)

See actual malicious code and understand how it works. Corey Nachreiner explains botnet architecture for beginners, then builds a bot client.

http://www.secumania.org

http://forums.secumania.org

Botnets PART 1 : Building A Botnet (2/2)

See actual malicious code and understand how it works. Corey Nachreiner explains botnet architecture for beginners, then builds a bot client.

Botnets PART 2 : Botnet Attacks (1/2)

Learn how a bot herder uses his bot army for attacks such as Distributed Denial of Service, getting command line control of victims, installing spyware, and more. Hosted by Corey Nachreiner, CISSP.

Botnets PART 2 : Botnet Attacks (2/2)

Learn how a bot herder uses his bot army for attacks such as Distributed Denial of Service, getting command line control of victims, installing spyware, and more. Hosted by Corey Nachreiner, CISSP.

Some Other Interesting Articles on Botnets:

Interesting Pattern in Storm Worm Traffic – Björn Weiland recently sent me a few graphs with interesting observations he made when tracking the Storm Worm botnet as part of his thesis on detection of advanced botnets. The first graph visualizes the network communication of a …

Botnets and Spreading Computer Viruses – How He Did It – Los Angeles, CA – We discovered a 2 year old press release about a “Botherder” who was dealt a record prison sentence, nearly five years, for selling and spreading malicious computer code. Even though the information is 24 months old it …

Distributed SSH Brute Forcing w/ Botnets – It’s not clear who’s behind the assault, which appears to originate from a botnet network of compromised Linux boxes. Aziz explained that the assault is different from other brute force hacking attacks he’s seen before. …

First Prosecution Of Its Kind Involving “Botnets” – … consultant plead guilty to Federal wiretapping and identity theft. In the first prosecution of its kind in the United States, a man who is well known by members of the “botnet underground” pleaded guilty to federal charges [...]

Botnets winning pam wars, says report – The world’s anti-spam systems are fighting a furious but hopeless battle against botnet spam, a new threat analysis from Commtouch has claimed.

The July Security Rountable is available: Battling Botnets with … – Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/. The discussion ran a bit longer than we alloted, yet even on our review listen proved worth …

Botnets as a Business – The Storm worm is being used to sell pharmaceuticals such as Viagra.

Do you want to have a very easy way to submit SPAM and false positive reports?

Do you want an easy way to keep your white list up to date?

If you answered YES to any of the above questions then you may want to try the Outlook Plug-in.

Getting to Know The Outlook Plug-In:

This very simple toolbar can be installed in the Outlook 2000 to 2007 e-mail client (not Outlook Express or the new MS Mail) to give you some additional options and two new buttons. These Green and Red buttons with an envelope and either a Check Mark (good) or Red X (bad) make the process of sending a report back to the system that you consider a message SPAM or Wanted as easy as clicking on the corresponding button. It can’t get any simpler than that!

To download the toolbar simply go to the CudaMail Web Portal and click on the ‘Get Mail Client Plugins Here‘ link at the bottom of the page. (this download link is only for current CudaMail customers – if you have a Barracuda Spam Firewall and want the plug-in go talk to your network administrator)

Per-user Web portal is at https://web.CudaMail.com

Once you download the Outlook Plug-in you have to run it to install it so you need to do this with an account that has administrative access to your PC. After it is installed you should be able to get to the ‘Spam Firewall‘ tab under the ‘Tools’ – ‘Options‘ menu item and it should look something like this:

What Does This All Mean?

Automatically Update White list: When this option is checked off every time you add someone as a new personal contact or e-mail someone then they will be added to your personal white list. While this sounds like a great idea you need to login to your personal options area on the CudaMail system on a semi-regular basis to clear out old or stale white list entries and specifically to make sure your own e-mail address is not on the white list.

A typical spammer trick is to send you spam pretending to be you so you do not want to white list your own e-mail address or you will get more spam.

This can happen by accident if you ‘reply all‘ to an e-mail and don’t take your e-mail address off or if you are in the habit of always cc’ing yourself.

Additional Button Actions:

Spam: Permanently Delete Message or Move to Deleted Items folder.

While I like to completely get rid of any spam messages by leaving it on the ‘Permanently Delete Items‘ option you have no way of easily getting back any message you accidently marked as Spam. By setting this option to “Move to – Deleted Items Folder‘ you can always rescue it from there if you have an accident.

Not Spam: Add E-Mail addresses to Whitelist. When a message come through with the subject tagged as spam ‘[CudaMailTagged] -original subject’ and you click on the Green button to submit a ‘falsely marked as spam‘ report this option will also update your personal whitelist so that this senders e-mail will not be tagged in the future.

There is a second benefit to the plug-in as it is building your own personal database of ‘Good‘ and ‘Bad‘ messages that are unique to you. Once you have marked at least 200 messages of each type then the statistical analysis or ‘Barracuda Bayesian Learning‘ will kick in and provide additional protection against Spam. You will only be able to mark messages that have been processed by the CudaMail system so don’t just select everything in your inbox and try to mark them all as ‘good‘. What you should do is look at the message and ask yourself ‘Did this e-mail come from outside our organization and is it a representative sample of e-mail that I want to get in the future?’

This plug-in is also the answer to questions like the following:

1. How do I automatically whitelist all of my contacts?
2. I get so few messages in the per-user quarantine how am I ever going to get 200 ‘good’ messages?
3. How do I send you samples of spam that I don’t want?

Does the Outlook plug-in work with Microsoft Vista?

Yes the Outlook Plug-in versions 2.1.0.5 and above work with Microsoft Vista and Outlook 2007. The plug-in version can be found on the licensing screen when installing the plug-in, or in Microsoft Outlook by viewing the Spam Firewall tab in the Options window. The version number will be located in the bottom-right corner of the window.

If you can give the Outlook Plug-in a try. I have been using it myself for the last 2 years and I get a sense of joy every time I can click on the ‘Spam’ button because I know that this is making the Spammer’s job that much harder next time.

- Shaun