Here’s a “blast from the past”.  It’s like it’s 2001 all over again!  There’s an email worm ( and not kidding here ) circulating that uses the good old infection method of sending emails with malicious executables to all the people in your address book!

It arrives in emails with a subject like “Here You Have”, or something similar to it.

In the email, there’s a link to a malicious download – with text that’s made to look like it’s a link to a pdf, or a video.  If a user clicks on it, the malware winds up in the Windows folder.  The file name winds up CSRSS.EXE and that’s a file name for a legitimate file in Windows.

Body Examples

Hello:

This is The Document I told you about,you can find it Here.
hxxp://www.SomeFakeWebsite/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

hxxp://www.AnotherFakeWebsite/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,

At that point it tries sending itself to everyone in your Outlook address book.

Who says that the good old “tried and true” methods of spreading malware don’t work any more?  I suppose if fashion from the 70′s can come back, it’s not too big a leap to have old spammers tactics rear their ugly heads from time to time.

When the first few came through the CudaMail system, they were quickly analyzed and are now being caught and blocked, but for non-CudaMail customers, make sure you keep an eye on your inbox, and stick with “safe emailing” practices with regard to clicking on anything!

— Original Article —

More than 40 percent of the world’s spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec’s Message Labs division.

The Rustock botnet has shrunk since April, when about 2.5 million computers were infected with its malicious software that sent about 43 billion spam e-mails per day. Much of it is pharmaceutical spam.

Now, about 1.3 million computers are infected with Rustock, and the botnet is making up for its decreased size with increased volume, said Paul Wood, a MessageLabs intelligence analyst with Symantec. Those infected computers — most of which are in North America and Western Europe — are collectively sending around 46 billion spam e-mails per day.

The reason for the drop in infected computers could be due to a number of factors, Wood said. Those computers’ antivirus programs may have detected the infections or the people controlling Rustock could have lost the connection to those computers for various reasons.

The computers infected with Rustock have also stopped using TLS (Transport Layer Security), an encryption protocol used to securely send e-mail. Spammers were believed to encrypt their spam using TLS because it was harder for other network equipment to inspect the traffic and figure out if it was spam, Wood said.

But sending e-mail using TLS required more resources and was slower. “It would seem that the botnet controllers, especially those behind Rustock, have perhaps realized that the use of TLS gave them little or no discernible benefits and instead impeded their sending capacity owing to the additional bandwidth and processing overhead needed for TLS,” the report said.

Rustock has proved to be a robust botnet. It was nearly killed off when McColo, an ISP in San Jose, California, was cut off from the Internet in November 2008 by its upstream providers. McColo had hosted the command-and-control servers for several botnets, including Rustock.

But Rustock’s operators were able to switch the command-and-control servers when McColo briefly regained connectivity again before finally being shut off, which has allowed it to run for nearly four years now.

View the original story here.

—–

Spammers know that if they include a direct link to their site that their spam messages will not go through so they use URL shortening services to redirect you to their site if you click on the link in the spam message.

Multi-level Intent Analysis checks if the URL in the e-mail message redirects to a spammer website so the URL shortened version of the spam is blocked as efficiently as if the spam link was directly in the message.

- Shaun

Some Information from Barracuda Networks

Hiding Behind the “Good Guy”

By registering new domains or by redirecting to spam Web domains through reputable blogs, free Web site providers, or URL redirection services, spammers have also learned to hide their identity from traditional reputation checks that profile spam Web domains.

Illustrations D and E below show two separate spamming campaigns that were recently detected by Barracuda Central in which the spammers attempt to hide their identity by using URLs referencing reputable Web domains, Geocities and Blogspot. Often these URLs contain either redirections or simple Web links to known spammer Web sites.

Illustration D: Geocities redirect to sexdatesearch.com – known spammer

Illustration E: Blogspot redirect to known spammer IP (211.93.46.38)

Despite these attempts to hide behind a “good” identity, the Barracuda Spam & Virus Firewall profiled this campaign behavior of placing redirections or Web links to known spam
sites behind popular Web providers. The Barracuda Spam & Virus Firewall was able to block these messages through Multi-level Intent Analysis by following the embedded URLs as a Web browser would and inspecting the resulting contents.

Sample Behaviors and Countermeasures

When spammers obfuscate their identities, the Barracuda Spam & Virus Firewall can use Predictive Sender Profiling to identify behaviors of all senders and apply the applicable Barracuda Spam & Virus Firewall defense tactic.

At the Federal Trade Commission’s request, a district court judge has permanently shut down a rogue Internet Service Provider that recruited, hosted, and actively participated in the distribution of spam, spyware, child pornography, and other malicious and illegal content. The ISP’s computer servers and other assets have been seized and will be sold by a court-appointed receiver, and the operation has been ordered to turn over $1.08 million in ill-gotten gains to the FTC.

In June 2009, the FTC charged that 3FN, which does business under a variety of names, actively recruited and colluded with criminals to distribute harmful electronic content including spyware, viruses, trojan horses, phishing schemes, botnet command-and-control servers, and pornography featuring children, violence, bestiality, and incest. The FTC alleged that the defendant advertised its services in the darkest corners of the Internet, including a chat room for spammers.

The FTC complaint alleged that 3FN actively shielded its criminal clientele by either ignoring take-down requests issued by the online security community, or shifting its criminal elements to other Internet protocol addresses it controlled to evade detection.

The FTC also alleged that 3FN deployed and operated botnets – large networks of computers that have been compromised and enslaved by the originator of the botnet, known as a “bot herder.” Botnets can be used for a variety of illicit purposes, including sending spam and launching denial-of- service attacks. According to the FTC, the defendant recruited bot herders and hosted the command-and-control servers – the computers that relay commands from the bot herders to the compromised computers known as “zombie drones.”

—

An excerpt from an interesting announcement by the Federal Trade Commission – taking action against a notorioius Internet Service Provider. (* from the FTC Website – original post here).

The Article:

Consumers Don’t Relate Bot Infections to Risky Behavior As Millions Continue to Click on Spam

San Francisco, March 24, 2010 –A significant percentage of consumers continue to interact with spam despite their awareness of how bots and viruses spread through risky email behavior, according to the Messaging Anti-Abuse Working Group (MAAWG) based on a new survey it released today covering North America and Western Europe. Even though over eighty percent of email users are aware of the existence of bots, tens of millions respond to spam in ways that could leave them vulnerable to a malware infection, according to the 2010 MAAWG Email Security Awareness and Usage Survey.

In the new survey, half of users said they had opened spam, clicked on a link in spam, opened a spam attachment, replied or forwarded it – activities that leave consumers susceptible to fraud, phishing, identity theft and infection. While most consumers said they were aware of the existence of bots, only one-third believed they were vulnerable to an infection. “Consumers need to understand they are not powerless bystanders.

They can play a key role in standing up to spammers by not engaging and just marking their emails as junk,” said Michael O’Reirdan, MAAWG chairman. “When consumers respond to spam or click on links in junk mail, they often set themselves up for fraud or to have their computers compromised by criminals who use them to deliver more spam, spread viruses and launch cyber attacks,” O’Reirdan said. The research findings on awareness of bots, email security practices, and attitudes toward controlling spam were generally consistent with the first MAAWG consumer survey in 2009 covering North America.

The new 2010 survey was expanded to cover Western Europe and looks at consumers’ attitudes in Canada, France, Germany, Spain, the United Kingdom and the United States. It Won’t Happen to Me Syndrome Less than half of the consumers surveyed saw themselves as the entity who should be most responsible for stopping the spread of viruses. Yet, only 36% of consumers believe they might get a virus and 46% of those who opened spam did so intentionally. This is a problem because spam is one of the most common vehicles for spreading bots and viruses. The malware is often unknowingly installed on users’ computers when they open an attachment in a junk email or click on a link that takes them to a poisoned Web site, according to O’Reirdan. Younger consumers tend to consider themselves more security savvy, possibly from having grown up with the Internet, yet they also take more risks. Among the survey’s key findings:

• Almost half of those who opened spam did so intentionally. Many wanted to unsubscribe or complain to the sender (25%), to see what would happen (18%) or were interested in the product (15%).
• Overall, 11% of consumers have clicked on a link in spam, 8% have opened attachments, 4% have forwarded it and 4% have replied to spam.
• On average, 44% of users consider themselves “somewhat experienced” with email security. In Germany, 33% of users see themselves as “expert” or “very experienced,” followed by around 20% in Spain, the U.K. and the U.S.A., 16% in Canada and just 8% in France.
• Men and email users under 35 years, the same demographic groups who tend to consider themselves more experienced with email security, are more likely to open or click on links or forward spam. Among email users under 35 years, 50% report having opened spam compared to 38% of those over 35. Younger users also were more likely to have clicked on a link in spam (13%) compared to less than 10% of older consumers.
• Consumers are most likely to hold their Internet or email service provider most responsible for stopping viruses and malware. Only 48% see themselves as most responsible, though in France this falls to 30% and 37% in Spain.
• Yet in terms of anti-virus effectiveness, consumers ranked themselves ahead of all others, except for anti-virus vendors: 56% of consumers rated their own ability to stop malware and 67% rated that of anti-virus vendors’ as very or fairly good. Government agencies, consumer advocacy agencies and social networking sites were among those rated most poorly.

It Won’t Happen to Me Syndrome

Less than half of the consumers surveyed saw themselves as the entity who should be most responsible for stopping the spread of viruses. Yet, only 36% of consumers believe they might get a virus and 46% of those who opened spam did so intentionally.

This is a problem because spam is one of the most common vehicles for spreading bots and viruses. The malware is often unknowingly installed on users’ computers when they open an attachment in a junk email or click on a link that takes them to a poisoned Web site, according to O’Reirdan.

Younger consumers tend to consider themselves more security savvy, possibly from having grown up with the Internet, yet they also take more risks. Among the survey’s key findings:

The survey was conducted online between January 8 and 21, 2010 among over a thousand email users in the United States and over 500 email users in each of the other five countries. Participants were general consumers responsible for managing the security for their personal email address.

Both the survey’s key findings and the full report are available at the MAAWG Web site, www.MAAWG.org. The 2010 research was conducted by Ipsos Public Affairs, and the full report includes country comparisons for many of the questions along with detailed charts.

About the Messaging Anti-Abuse Working Group (MAAWG)
The Messaging Anti-Abuse Working Group (MAAWG) is where the messaging industry comes together to work against spam, viruses, denial-of-service attacks and other online exploitation. MAAWG (www.MAAWG.org) represents almost one billion mailboxes from some of the largest network operators worldwide. It is the only organization addressing messaging abuse holistically by systematically engaging all aspects of the problem, including technology, industry collaboration and public policy. MAAWG leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services. Headquartered in San Francisco, Calif., MAAWG is an open forum driven by market needs and supported by major network operators and messaging providers.

You can also read the original post at MAAWG (Messaging Anti-Abuse Working Group)

original post:

In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level. In part 2, I looked at which one sends the most spam by total amount of bytes that they emit. Now, I’d like to put it all together; if we normalize the values, which botnet is responsible for sending out the most spam on a daily basis? Depending on how we measure it, there are a couple of answers.

To check this, first I took a look at the average number of message envelopes each botnet sends per day. I then normalized the value and used the lowest sending botnet as a base, assigning it a value of 1. I have removed lethic from this count because it seems to have fallen off the radar (is something wrong with my script?). The table is below:

Looking at this table here, sorting by the average amount of total envelopes each botnet sends per day, it isn’t even close (for the month of January). Rustock, by far, sends more individual spam messages than any other botnet by a factor of 10. Its net is so wide and the other botnets aren’t even in the running. Mega-d is next followed by cutwail2.

But if we measure the amount of bandwidth the individual receiving mail servers have to process, the numbers change. If we take the average number of messages/envelope, multiple by the average message size (kb) and multiple by the average number of message envelopes per day, then we get the total amount of traffic, in bytes, that each botnet sends. Doing this, the numbers change (remember that these are normalized values, not absolute values):

Looking at it this way, the worst botnet is cutwail followed by cutwail2. Rustock drops down to 3rd in the list, a distant 3rd but not far behind cutwail1. The other botnets bring up the rear, only looking out into the distance and wishing they were as cool as the others.

So there you have it, my study on which botnet sends out the most spam. I’ve shown my work and therefore these results should be reproducible in the future. I’m not totally convinced that my scripts are completely accurate and capturing all of the required information, however, as time passes I should be able to refine them and provide an even more accurate analysis on which botnet is the worst.

You can view the original post here.

Here’s a story from the Register about how modern spam filtering has forced a long-time Canadian publication to have to change it’s name.  It’s a good thing that Barracuda Spam & Virus Firewalls are easy to tweak and adjust!

Spam filters stuff Canadian Beaver

Venerable magazine to adopt less suggestive title

By Lester Haines

Posted on theRegister.co.uk 13th January 2010 14:41 GMT

Publisher Deborah Morrison explained to AFP: “The Beaver was an impediment online. Several readers asked us to change the title because their spam filters at home or at work were blocking it. I’ve even had emails bounce back because I had inadvertently typed the term in the heading."

She added: “Nearly a century ago, it probably seemed the perfect name for a magazine about the fur trade and Canada’s northwest frontier. There was only one interpretation for the word then. But you’re likely to find a lot of [porn] sites now if you search for the title of our history magazine online.”

The 90-year-old title will, after the Feb/March issue, be known as Canada’s History.

Other Beavers of note which can be found online are the newspaper of the London School of Economics Students’ Union, a Toronto restaurant offering a range of tongue-tingling delights and a film starring Mel Gibson and Jodie Foster. ®

The original story from TheRegister.

On Wednesday, December 9, 2009 at 06:20 (GMT), Project Honey Pot achieved a milestone:

It received its 1 billionth spam message. That message was a phishing scam regarding the United States Internal Revenue Service.

It was sent to an email address that had been harvested more than two years ago. More than just a single spam email, the billionth message represents the collective work of you and tens of thousands of other web and email administrators.

To celebrate that milestone, they have gone through 5 years of data to learn more about spammers and what they do. Below are some of their more interesting findings. You can also see the Full Report here.

Some Preliminary Statistics

• Monday is the busiest day of the week for email spam, Saturday is the quietest
• 12:00 (GMT) is the busiest hour of the day for spam, 23:00 (GMT) is the quietest
• Malicious bots have increased at a compound annual growth rate (CAGR) of 378% since Project Honey Pot started
• Over the last five years, you’d have been 9 times more likely to get a phishing message for Chase Bank than Bank of America, however Facebook is rapidly becoming the most phished organization online
• Finland has some of the best computer security in the world, China some of the worst
• It takes the average spammer 2 and a half weeks from when they first harvest your email address to when they send you your first spam message, but that’s twice as fast as they were five years ago
• Every time your email address is harvested from a website, you can expect to receive more than 850 spam messages
• Spammers take holidays too: spam volumes drop nearly 21% on Christmas Day and 32% on New Year’s Day

Users of email security and archiving service Postini were frustrated last week when the service began experiencing significant delivery problems.

Users were particularly angered by Postini’s lack of communication about the problem. Postini was acquired by Google in 2007. Similar to our CudaMail Anti-Spam Service, the service scans emails for malware. The problem seems to have been caused by a combination of a bad email filter update and “a power-related hardware failure.”

• http://www.informationweek.com/news/showArticle.jhtml?articleID=220600859
• http://news.cnet.com/8301-30684_3-10374344-265.html
• http://www.theregister.co.uk/2009/10/15/google_postini_snafu/
• http://www.computerworld.com/s/article/9139316/Postini_trouble_stymies_U.S._e_mail_users?taxonomyId=1

[Editor's Note (Pescatore): We used to call the telecommunications infrastructure "the cloud," and we had very high expectations of reliability. We even had required service levels for things like dial tone. Internet-based web services are today's cloud - boy, are they far from achieving dial-tone like reliability.]

- Shaun

US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.”

Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video.

If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to
date.
* Do not follow unsolicited links and do not open unsolicited email
messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Obtain software applications and updates directly from the
vendor’s website.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.

Relevant Url(s):

====
This entry is available at
http://www.us-cert.gov/current/index.html#waledac_trojan_horse_spam_campaign