Here’s a “blast from the past”.  It’s like it’s 2001 all over again!  There’s an email worm ( and not kidding here ) circulating that uses the good old infection method of sending emails with malicious executables to all the people in your address book!

It arrives in emails with a subject like “Here You Have”, or something similar to it.

In the email, there’s a link to a malicious download – with text that’s made to look like it’s a link to a pdf, or a video.  If a user clicks on it, the malware winds up in the Windows folder.  The file name winds up CSRSS.EXE and that’s a file name for a legitimate file in Windows.

Body Examples

Hello:

This is The Document I told you about,you can find it Here.
hxxp://www.SomeFakeWebsite/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

hxxp://www.AnotherFakeWebsite/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,

At that point it tries sending itself to everyone in your Outlook address book.

Who says that the good old “tried and true” methods of spreading malware don’t work any more?  I suppose if fashion from the 70′s can come back, it’s not too big a leap to have old spammers tactics rear their ugly heads from time to time.

When the first few came through the CudaMail system, they were quickly analyzed and are now being caught and blocked, but for non-CudaMail customers, make sure you keep an eye on your inbox, and stick with “safe emailing” practices with regard to clicking on anything!

— Original Article —

More than 40 percent of the world’s spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec’s Message Labs division.

The Rustock botnet has shrunk since April, when about 2.5 million computers were infected with its malicious software that sent about 43 billion spam e-mails per day. Much of it is pharmaceutical spam.

Now, about 1.3 million computers are infected with Rustock, and the botnet is making up for its decreased size with increased volume, said Paul Wood, a MessageLabs intelligence analyst with Symantec. Those infected computers — most of which are in North America and Western Europe — are collectively sending around 46 billion spam e-mails per day.

The reason for the drop in infected computers could be due to a number of factors, Wood said. Those computers’ antivirus programs may have detected the infections or the people controlling Rustock could have lost the connection to those computers for various reasons.

The computers infected with Rustock have also stopped using TLS (Transport Layer Security), an encryption protocol used to securely send e-mail. Spammers were believed to encrypt their spam using TLS because it was harder for other network equipment to inspect the traffic and figure out if it was spam, Wood said.

But sending e-mail using TLS required more resources and was slower. “It would seem that the botnet controllers, especially those behind Rustock, have perhaps realized that the use of TLS gave them little or no discernible benefits and instead impeded their sending capacity owing to the additional bandwidth and processing overhead needed for TLS,” the report said.

Rustock has proved to be a robust botnet. It was nearly killed off when McColo, an ISP in San Jose, California, was cut off from the Internet in November 2008 by its upstream providers. McColo had hosted the command-and-control servers for several botnets, including Rustock.

But Rustock’s operators were able to switch the command-and-control servers when McColo briefly regained connectivity again before finally being shut off, which has allowed it to run for nearly four years now.

View the original story here.

—–

On Wednesday, December 9, 2009 at 06:20 (GMT), Project Honey Pot achieved a milestone:

It received its 1 billionth spam message. That message was a phishing scam regarding the United States Internal Revenue Service.

It was sent to an email address that had been harvested more than two years ago. More than just a single spam email, the billionth message represents the collective work of you and tens of thousands of other web and email administrators.

To celebrate that milestone, they have gone through 5 years of data to learn more about spammers and what they do. Below are some of their more interesting findings. You can also see the Full Report here.

Some Preliminary Statistics

• Monday is the busiest day of the week for email spam, Saturday is the quietest
• 12:00 (GMT) is the busiest hour of the day for spam, 23:00 (GMT) is the quietest
• Malicious bots have increased at a compound annual growth rate (CAGR) of 378% since Project Honey Pot started
• Over the last five years, you’d have been 9 times more likely to get a phishing message for Chase Bank than Bank of America, however Facebook is rapidly becoming the most phished organization online
• Finland has some of the best computer security in the world, China some of the worst
• It takes the average spammer 2 and a half weeks from when they first harvest your email address to when they send you your first spam message, but that’s twice as fast as they were five years ago
• Every time your email address is harvested from a website, you can expect to receive more than 850 spam messages
• Spammers take holidays too: spam volumes drop nearly 21% on Christmas Day and 32% on New Year’s Day

US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.”

Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video.

If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to
date.
* Do not follow unsolicited links and do not open unsolicited email
messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Obtain software applications and updates directly from the
vendor’s website.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.

Relevant Url(s):

====
This entry is available at
http://www.us-cert.gov/current/index.html#waledac_trojan_horse_spam_campaign

What does this have to do with spam? Spam is one way that they try to infect your PC so be on the lookout for simple, hard to block e-mail’s with a catchy subject line and a simple link to a website.

The CudaMail System has been seeing and blocking a rise in emails with simple links to malware sites, and even the occasional iframe. They’re definitely trying various ways to sneak malicious links into your inbox.

It bears repeating that if you don’t know where the e-mail came from or if you weren’t expecting it and can’t confirm that the supposed sender really sent it to you be very careful opening the website or better yet don’t open it at all.

MS09-002 exploit in the wild (via Sans)
http://isc.sans.org/diary.html?storyid=5884

- Shaun

The first report is from Message Labs and it reports that with spam volume up another 5% so far in January 2009 the top 10 Botnets, while consisting of between 10 thousand to 1 Million bots (estimated), were capable of sending out between 131 Million to almost 40 BILLION Spam messages PER DAY per Botnet. Total Volume from just the top 10 Botnets totalled almost 65 Billion messages per day! Are you getting your fair share?

It is interesting to see that the largest Botnet Cutwail/Pandex placed second behind Mega-D/Ozdok in spam volume per day category (7 Billion to 38 Billion) even though it had more compromised PC’s (1 Million bots to 660,000). This is double interesting as the latest estimates for the recent Conflicker/Downadup botnet size is at 10 million PC’s and they are not sending any spam yet.  With 10 million bots and assuming an aggressive and efficient spam engine Conflicker/Downadup could be capable of sending over half a Trillion (575 Million) messages per day by itself. Are you ready to see your spam volume jump to 10 times its current volume or even higher?

According to Barracuda Central Pharmacy spam still leads with almost 50% of the total volume while Gambling, Illegal Advertizing, ‘Amazing Deals on Software’ and ‘Genuine Replica’s’ round out the top 5 spots and over 90% of the total volume of spam.

If you don’t know how effective your anti-spam measures are or how close they are to running at capacity (out of sight = out of mind) then now is the time to take a serious look at these solutions in your organization and how they are going to handle the new surge of spam that is waiting on the horizon.

It might just be time to invest in a new firewall solution and anti-spam solution.

Don’t say we didn’t warn you!

Other Graphs and reports.

MessageLabs Intelligence: January 2009
http://www.messagelabs.com/mlireport/MLIReport_2009.01_Jan_Final.pdf

Conficker botnet at 10m infections
http://www.theregister.co.uk/2009/01/26/conficker_botnet/

DCC e-mail and spam volume graph last 12 months.
http://www.dcc-servers.net/dcc/graphs/

SpamCop – last 12 months spam volume.
http://www.spamcop.net/spamgraph.shtml?spamyear

Barracuda Central – Spam data last 24 hours
http://www.barracudacentral.org/data/spam

Shaun Sturby

That sad truth has bled Shane Symington out of almost $200,000 USD (£130,000) – all of his life savings – in a Nigerian 419 scam where they came after him not once but twice – the second time posing as a victim of the original scam to get him to shell out money to hire ‘ex-FBI agents’ in an attempt to ‘recover’ some of the original £100,000 taken by ‘Angela Gates’.

I guess you can be a dog and impersonate an FBI agent on the Internet.

More information on the Daily Mail website along with pictures of ‘Angela Gates’
http://www.dailymail.co.uk/news/article-1116067/Postman-loses-130-000-savings-Nigerian-internet-scam-duped-friend-met-MySpace.html

The warning to take from this is that no matter where you meet someone – in person or online – any deal that sounds too good to be true probably is.

- Shaun

This is in contrast to the 2.2 Million dollar USD fine assessed against Atkinson by the FTC in 2005.

The Spamhaus article points out that Australia has very strict anti-spam laws
(http://scaleplus.law.gov.au/html/ems/0/2003/0/2003092501.htm) and the maximum fines for a ‘body corporate with a prior record’ could be as high as 1.1 million (AUS) or $220,000 (AUS) for ‘a individual with prior record’, just for sending the spam messages.

If you add in the maximum fines for not including accurate sender information ($550,000 corporate / $110,000 personal) for not having a functional unsubscribe facility ($550,000 corporate / $110,000 personal) and supplying, acquiring and using address-harvesting software or harvested-address lists ($550,000 corporate / $110,000 personal) these fines could have been much higher for Lance.

Sydney Morning Herald.
http://www.smh.com.au/news/technology/security/kiwis-nail-big-time-spammer/2008/12/22/1229794316883.html

Herbal King
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7802

While this is great that Lance has been fined if we take a step back and look at the bigger picture we have to ask. If fines worked why didn’t Lance and the whole Herbal King group stop spamming in 2005?

While the laws applied in this particular case are very strict they have not stopped the flow of spam. It looks like one solution may be to add confinement in addition to the monetary fines for repeat spammers with additional time for repeat offences similar to how other criminals are treated.

While the botnets are very automated and will continue for a while after the masters are incarcerated eventually with no new commands the botnets will go dark.

But what do I know? Your thoughts on this issue?

- Shaun

Cisco recently released their ‘Annual Security Report for 2008’ and in it they show in a graph on page 4 that the volume of SPAM has climbed from approximately 60 Billion spam messages per day in May of 2007 to over 190 Billion SPAM Messages per day in October of 2008 or a 300% increase in SPAM in less than 18 months. Hardly seems like the CAN-SPAM act has been able to slow the flood. What was the daily spam volume prior to the 2003 debate and enacting of the act? I don’t have the numbers but I can assure you that a lot less than 60 Billion messages per day.

While there have been some spammers charged under it and some large judgments you would think with SPAM still being such a big problem that more would be done.

http://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003#Enforcement

Why has more not been done? Because the level of pain caused by spam that most people feel is still low enough that they don’t care to do more about it. Solutions like CudaMail have insulated the general public from the pain of SPAM. Yes they get a few messages once in a while that are spam but for each spam message they see Tens of thousands have been blocked. Imagine a day where all anti-spam measures failed and your mailbox went from a few hundred messages to 20,000 messages.

What could you do? Even taking 1 second to look at each message and delete the spam would result in you taking over 5 and a half hours of your day to just delete the spam. Do you have the time to do that?  Nobody does but that is effectively what the CudaMail system is doing for you each and every day – giving you back that 5 and a half hours each day that you don’t have to spend pounding on the delete key.

Aren’t you glad you have CudaMail?

The reason given is that Spammers have moved on from using Open Relay’s and the software developers now configure the mail server software to not relay by default resulting in fewer open relay mail server.

More information on the DSBL page.

http://dsbl.org/

If you have been using DSBL you should remove it from your mail server / Antispam Appliance configuration. The CudaMail system does not use the DSBL.

Shaun