McColo Hands Off Botnets to the Russians
November 19th, 2008
Brief respite from spam could be over as McColo hands off Command and Control of Botnets to a Russian network.
November 14th, 2008
The recent big news is about the Washington Post being involved in the shutting down of a co-location hosting provider (McColo Corp., AS26780) whose customers include some of the biggest spammers on the Internet; by some reports, as much as 2/3rds or even 75% of all spam worldwide was associated with them.
November 6th, 2008
Spammers continue to take advantage of anything ‘newsworthy’ or ‘sensational’, like the recent US Presidential election.
October 16th, 2008
Well that didn’t take long … Less than a day after the announcement that there was a downward trend in spam because of the arrest and freezing of the accounts of Shane Atkinson, his brother Lance Atkinson and Roland Smits, we get word that a botnet that was dormant for 9 months is now waking up.
August 13th, 2008
Dutch police have notified people whose computers were infected with malware that made them part of a botnet comprising more than 100,000 PCs. People were redirected to a web page containing directions on disabling the malware and a link to an online virus scanner.
August 6th, 2008
- Shaun
Original article: http://blogs.techrepublic.com.com/networking/?p=620&tag=nl.e102
In the world of botnets, Storm isn’t king anymore, but Storm’s botnet owners aren’t giving up. This article is a reminder by Michael Kassner of the need to remain vigilant and not fall prey to the Storm worm or its relatives.
——————————————————————————————————————-
It appears that the Storm worm is making a comeback. I first made mention of this botnet maker in the article “Kraken: The biggest, baddest botnet yet”, where I explained how Storm was losing its grip as being the largest botnet in history to Kraken and Srizbi as the second largest. Well, Storm developers have added a few new twists to their arsenal and are seeing a resurgence in the size of their botnets. Therefore it’s very important to not become complacent about this type of malware as it relies on social engineering to propagate. I’d like to take a few moments to go over the process so we’re all clear on how the infestation occurs.
How my computer became a zombie
Let’s follow the process of becoming infected with Storm and the after-effects:
That’s one scenario and as botnet malware matures other more sophisticated attack venues are introduced. For instance, the delivery mechanism used by the Storm worm changes regularly. It starts out as PDF spam progressing to links for e-cards or invites to Web sites. The worm developers will try any method possible to entice users to click on a phony link or attachment. The initial e-mail used by Storm also morphs. There are new subject lines and body text that refer to relevant news or issues — any way to subjugate human nature.
The willingness to prey on human nature is why Storm is back in the news. It’s propagating successfully using an e-mail with a subject line of “FBI may strike Facebook” or “The FBI has a new way of tracking Facebook.” It appears that once again the developers have touched on a chord of human nature and are getting a decent infection rate.
Final thoughts
I could spend all sorts of time on the intricacies of how each of the top three botnets work or how successful they are at evading detection, but that wouldn’t help. This article is my regular attempt at making sure all of us are cognizant of the need to be web-savvy, always questioning whether that link or an attachment makes sense. Doing so will go a long way to reducing the amount of spam we receive. This certainly includes me, as I’ve been very close to becoming an unwilling botnet member myself.
——————————————————————————————————————-
Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.
Here are more Blog articles on the Storm Worm:
- In the last few weeks I have received several requests for information regarding the Storm Worm. So today I thought I would perform an analysis in my lab on the last Storm Binary (postcard.exe) I retrieved using my Storm Binary Tracking …
- The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: “230 dead as storm batters Europe.” Those who opened the attachment became infected, their computers joining an ever-growing …
- E-mail pretending to contain information on a fictitious FBI vs. Facebook case contains malicious code for the Storm worm botnet.
- The FBI and its partner, the Internet Crime Complaint Center (IC3), have received reports of recent spam e-mails spreading the Storm Worm malicious software, known as malware. These e-mails direct recipients to click on a link to view …
- I can barely see anything around me due to all the smoke coming from the smoking guns of who’s what, what’s when, and who’s done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first …
- The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we’re used to seeing. These days they’re not piggybacking on real news items, …
- In addition, an IP address related to the University of California in San Diego (UCSD) sticks out, presumably related to their Storm Worm research. I’m not yet sure what all the other IP addresses mean, but presumably all of them are …
- The FBI is warning email users of spam email which mentions a link to an FBI vs Facebook news article. Once the user clicks on the link, the Storm Worm malware is downloaded to the Internet-connected device…
- A rash of complaints prompted the FBI to issue a warning of a new round of spam e-mails bombarding the Internet to spread the malicious Storm Worm.
August 4th, 2008
A warning that we are seeing the beginning of a new spam campaign with a possible exploit vector. The e-mails claim to be from CNN based on the subject line, but the From e-mail addresses are not at CNN. They also have links to videos and will probably either silently install malware or prompt you to install the ‘Codec’ required to view the video file. This will not be a real codec but malware designed to take over your PC.
Do not open any e-mail that looks like it came from CNN.com until this attack is over.
- Shaun
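The mismatch described in this warning (a subject that claims CNN, a From address that is not at CNN, and a link offering a "codec") can be checked mechanically at the mail gateway. The following is an added example, not code from the original post; the domain list, the file extensions, the rule names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "cnn"                         # brand named in the lure
BRAND_DOMAINS = ("cnn.com",)          # assumption: domains the real sender uses
RISKY_EXT = (".exe", ".scr", ".msi")  # assumption: what a fake "codec" ships as
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

def in_brand(host):
    """True when host is a brand domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def check_message(raw):
    """Return sorted (rule, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rpartition("@")[2].lower()
    # The message "claims" the brand if the subject or display name mentions it.
    claims = BRAND in (msg.get("Subject", "") + " " + display).lower()
    findings = set()
    if claims and not in_brand(from_host):
        findings.add(("from-mismatch", from_host or "<none>"))
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        # Images pulled from the real site do not clear a message: every link counts.
        if claims and not in_brand(parts.hostname):
            findings.add(("off-brand-link", parts.hostname or "<none>"))
        if parts.path.lower().endswith(RISKY_EXT):
            findings.add(("executable-link", url))
    return sorted(findings)

# Constructed samples; hosts and addresses are placeholders, not observed indicators.
SPAM = """\
From: "CNN Alerts" <news@mailer.example.net>
Subject: CNN.com Daily Top 10
Content-Type: text/html

<img src="http://www.cnn.com/logo.gif">
<a href="http://video.example.org/watch.html">Watch video</a>
<a href="http://video.example.org/codec_setup.exe">Install codec</a>
"""
LEGIT = ("From: CNN <alerts@mail.cnn.com>\nSubject: CNN.com Daily Top 10\n\n"
         "http://www.cnn.com/2008/top10.html\n")

if __name__ == "__main__":
    print(check_message(SPAM), check_message(LEGIT))
```

The From header is trivially forged, so a clean result here means only that this particular mismatch is absent, not that the message is genuine.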
Here are some more Blog articles on CNN Spam:
- In general, my anti-spam filters and tools are pretty effective. So when I start to see something like this…. ….it’s obvious that a huge spam wave is underway. These are, of course, related to the fake CNN Spam from a few days ago. …
- The first clue that something might have been amiss is the strangeness of some of the titles (“Michael Jackson sued by his own dog” isn’t something I’d expect to see on CNN, at least not yet). Of course, the giveaway is that regardless …
- Heads up on a new, very high volume Fake CNN News Update spam run that is making the rounds. The subject of the email is “CNN.com Daily Top 10.” Our Threat Operations Center has seen over 5 million of these just in the last hour alone …
- The spam messages contain graphics which are actually being loaded from the real CNN website. We’ll load them here from the same site so you can see them. These are the graphics present in each of the spam emails, fetched directly from …
- Over on the so-called “CNN Blog” we find this entry: August 8, 2008 Fraudulent spam about CNN.com Posted: 07:45 PM…
- Following the links in the CNN.com Daily Top 10 email could lead you to sites that hosts malware. MX Lab detected and intercepted the first messages at around 7:48 PM local Belgian time and is monitoring an outbreak of this type. …
- This time, however it appears that the people responsible for the CNN Spam outbreak last week (original post here and update here) are now responsible for a new outbreak today alleging to be MSNBC news updates. …
- If you get an email from CNN Alerts with a subject line like: “CNN Alerts: My Custom Alert email spam” be careful. This is being sent out to people who never signed up for CNN alerts as well as those who have. …
- The spam outbreak “from” CNN that occurred this past week has morphed into a new breed:. image. It appears that the spammers have learned from previous mistakes because this one is a little slicker. In the body contents, just like the …
- The malicious CNN campaign by Rustock has morphed to ‘MSN Breaking News’.
July 21st, 2008
I’m not sure if you’ve been reading the news over at the Internet Storm Center recently but … they have an interesting write-up on what William Salusky dubs the “Hydraflux” that is worth reading.