US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Maintaining up-to-date anti-virus is vital. Some appliances, like the Barracuda Spam & Virus Firewalls that are used by CudaMail.com to filter mail are updated on a constant basis.

US-CERT will provide additional details as they become available.

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.”

Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video.

If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to
date.
* Do not follow unsolicited links and do not open unsolicited email
messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Obtain software applications and updates directly from the
vendor’s website.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.

Relevant Url(s):

====
This entry is available at
http://www.us-cert.gov/current/index.html#waledac_trojan_horse_spam_campaign

‘Follow the money’ With the recent stock market volatility creating interest and opportunity for a savvy investor the lure of all that money is attracting the attention of malware writers.

Michael Kassner the Manager of IT for Getinge LaCalhene and a well certified IT Professional recently ran into a piece of malware with a twist. Called Tigger/Syzor it appeared on the PC of a friend of Michael’s who is a day trader and deals with companies like E-Trade, ING Direct, Vanguard, Options Xpress, TD Ameritrade and Scottrade.

Guess what? Tigger/Syzor likes the same friends as it is a safe mode rootkit password stealing Trojan that targets day traders. Michael was able to use tools like Malware Bytes Anti-Malware (MBAM) to find and remove some files that were identified as malware but ultimately he went with a full clean re-install of the operating system and all applications just to be sure.

The day trader does keep his computer up to date with patches and program updates so what else could he have done? How about running in a virtual environment? With tools like VMWare Server being offered for free and giving you the ability to run an isolated second complete copy of the operating system and programs he could have run the tools that are critical to his job in one and done his research (web browsing) in a second. This isolates the whole system so that if one aspect of his system get’s infested he can just roll back to a previous version or snapshot without the infection and continue running with only a few minutes downtime and not a whole panic filled weekend.

He would even be able to turn off the day trading virtual system after the markets close and let his kids (I don’t know if he has any – just speculating) use a separate dedicated kids only virtual machine that was locked down and set to clear all changes when it was rebooted. This may require that a few additional licenses of Windows be purchased and a little discipline to not get lazy and browse from his critical virtual machine but as they say an ounce of prevention is worth a pound of cure. The day trading tools that he uses also have to be able to run in a virtualized environment and be supported by the vendor when running in such a way.

A second thing this day trader should do is run his home network like a corporate network with similar hardware (http://www.firewallshop.com) and protective measures in place. I’d hazard a guess that he is running a consumer level firewall (with unprotected wireless on too I’d bet) that acts as a one way valve using Network Address Translation (NAT) and very little else.

He makes his living by day trading so treat this network like the office it is and install a corporate level firewall like a FortiGate that does layer 7 anti-virus scanning at the edge. With the recent introduction of the FortiGate 30B Bundle the price of a very capable corporate level firewall has dropped to the $500.00 range with one year of updates and basic support. When your living depends on your trading thousands of dollars daily doesn’t it make sense to protect your investment and passwords with an enterprise level firewall?

Tigger.A: Sophisticated trojan that likes stockbrokers
http://blogs.techrepublic.com.com/security/wp-trackback.php?p=960

Michael Kassner
http://techrepublic.com.com/5213-6257-0.html?id=4730583

FortiGate 30B
http://www.firewallshop.com/detail.aspx?ID=257

Here are some quick tips to look for when reviewing these ‘too-good-to-be-true’ offers.

http://consumerist.com/5102797/8-signs-that-job-you-found-online-is-a-scam

Shaun

While it is nice that spam volume has declined some since McColo has been shut down there is still a lot of messages out there that are spam and a vacuum right now waiting to be filled by other spammers.

While there is a temporary lull in spam volume the underlying problem still remains. The SMTP protocol that we all rely on and both love and hate was originally designed when the Internet was a small well-run network and everyone knew everyone else or knew someone who knew them and could vouch for each new connection or request to relay mail for someone. Open Relay mail servers were the norm and not the exception. Today you can’t setup an open mail server and have it live on the internet for more than a few hours, some would say minutes, before a spammer has discovered it and is hammering away at it.

While there are some good techniques to supply message repudiation (SPF and Domain Keys) the use and deployment of them are not universal and they will not become universal until all e-mail administrator know and understand what you can and can’t do with these techniques and all mail servers use these tools out of the box or make it easy to understand and configure.

In my opinion all mail servers should be able to check Real Time Black lists, SPF records and verify Domain Key signatures – even the ‘basic’ and for free versions of products. Lets get the tools needed to combat spam into everyone’s hands and educate each other in the proper setup and use of these tools.

- The Spam Cryer

Here’s what the study shows:

A tiny response means spammers still cash in (PA)

By hijacking a working spam network, US researchers have uncovered some of the economics of being a junk mailer.

The analysis suggests that such a tiny response rate means a big spam operation can turn over millions of pounds in profit every year.

It also suggests that spammers may be susceptible to attacks that make it more costly to send junk mail.

Slim pickings

The spam study was carried out in early 2008 by computer scientists from University of California, Berkeley and UC, San Diego (UCSD).

For their month-long study the seven-strong team of computer scientists infiltrated the Storm network that uses hijacked home computers as relays for junk mail.

At its height Storm was believed to have more than one million machines under its control.

The team, led by Assistant Professor Stefan Savage from UCSD, took over a chunk of the Storm network to make it easier to run their study.

“The best way to measure spam is to be a spammer,” wrote the researchers in a paper describing their work.

They created several so-called “proxy bots” that acted as conduits of information between the command and control system for Storm and the hijacked home PCs that actually send out junk mail.

The team used these machines to control a total of 75,869 hijacked machines and routed their own fake spam campaigns through them.

The research team created a legitimate looking pharmacy site.

Two types of fake spam campaign were run through these machines. One mimicked the way Storm spreads using viruses and the other tried to tempt people to visit a fake pharmacy site and buy a herbal remedy to boost their libido.

The fake pharmacy site was made to resemble those run by Storm’s real owners but always returned an error message when potential buyers clicked a button to submit their credit card details.

While running their spam campaigns the researchers sent about 469 million junk e-mail messages. The vast majority of these were for the fake pharmacy campaign.

“After 26 days, and almost 350 million e-mail messages, only 28 sales resulted,” wrote the researchers.

The response rate for this campaign was less than 0.00001%. This is far below the average of 2.15% reported by legitimate direct mail organisations.

“Taken together, these conversions would have resulted in revenues of $2,731.88—a bit over $100 a day for the measurement period,” said the researchers.

Scaling this up to the full Storm network the researchers estimate that the controllers of the vast system are netting about $7,000 (£4,430) a day or more than $2m (£1.28m) per year.

While this was a good return, said the researchers, it did suggest that spammers were not making the vast sums of money that some people have predicted in the past.

They suggest that the tight costs might also open up new avenues of attack on spammers.

The researchers concluded: “The profit margin for spam may be meagre enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defences.”

+-+-+

The original article can be found at: http://news.bbc.co.uk/2/hi/technology/7719281.stm

So why would a bricks and mortar company like McColo be involved with something as nasty and toxic as hosting spammers and malware / scareware companies?

In a word ‘MONEY’ – yes cold hard cash and lots of it. According to the dedicated hosting package page on McColo’s site they charge up to $2000 per month for a single server. This is chump change though compared to the graft and ‘other charges’ that could be possible to someone who was willing to host for a purveyor of malware.

One of the malware / Scare ware hosted on servers at McColo is the ‘Spyware XP 2008/2009’ – a nasty piece of work that claims your computer is infected with 1000’s of ‘bad things’ and that you really Really REALLY need to purchase SpyWare 200x RIGHT NOW to clean up your computer. The scan this software performs is bogus and when you purchase the software online your actually sending your money to the people that infected your computer in the first place.

As demonstrated by Joe Stewart this scam installed 154,825 versions of the software in just 10 days, and then 2,772 copies of the program were later purchased from those infected users. Based on that conversion rate,  it  is estimated  that an affiliate could expect to earn over $5 million annually by maintaining a botnet large enough to force between 10,000 and 20,000 installations on a daily basis.

Another report shows that spam is profitable at a 1 click per 12,000,000 spam’s sent.  With these statistics the Storm-generated pharmaceutical spam would produce roughly $3.5 million dollars of revenue a year,” the team concluded.

Like I said – MONEY and lots of it. If you were the owner of McColo and someone came to you with the above ‘business plan’ what would you say? Sadly there are those who would take the money first and ask questions later.

Take away points from this recent anti-spam ‘win’?

If there is collaboration between the ‘good guy’s’ we can make things harder for the ‘bad guy’s’. Will this result in a permanent decline in spam? Probably not – with that much money possible do you think the scammers / spammers are going to lie down and play dead? Not likely. Expect business as usual in the next few weeks as we enter the profitable and spam lucrative ‘holiday season’

To learn more:

• http://voices.washingtonpost.com/securityfix/2008/11/study_spam_still_profitable_at.html
• http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html
• http://news.cnet.com/8301-10789_3-10086352-57.html

- Spam Cryer

These raids were against the owners and operators of online drug peddling operations that may or may not be filling the ‘online prescriptions’ with legitimate product. This is interesting to the Spam Cryer because about 50% of the spam today is pushing these online pharmacies. Hopefully this will reduce your spam load in the short term.

Another victory in the war on spam!

let’s hope that these raids and shutdown efforts become the norm and not just a once off effort by these organizations.

For more information on the raids:

• http://www.mhra.gov.uk/NewsCentre/Pressreleases/CON030988

- The Spam Cryer

Spammers continue to take advantage of anything ‘newsworthy’ or ‘sensational’ like the recent US Presidential election

A recent surge of spam messages appear to be coming from a seemingly legitimate source and contain a message indicating that additional video news coverage of the election is available by following a link. This website will instruct the user to update to a new version of Adobe Flash Player in order to view the video ‘news’.

This update is not a legitimate Adobe Flash Player update; it is malicious code. If the user downloads this executable file, malicious code will be installed on your system and your banking information or worse is in the hands of the hackers.

Just another of the same but this time playing on the interest everyone worldwide has in this event.

Protect yourself!

1. Keep your protection - anti-virus and anti-malware both – up to date.
2. Patch your PC (windows update) and applications (secunia.org) on a regular basis.
3. Don’t click on a link in an e-mail unless you know it is safe.
4. Don’t update software from a third party site – go to the source (i.e. adobe.com for flash) – if the vendor says you have the latest version and another site says you need an update who are you going to trust?

- The Spam Cryer

- Spam King Shane Atkinson

As reported by the The Register and IT Brief, a two month investigation involving international cooperation has resulted in the laying of charges against [tag]Shane Atkinson[/tag], his brother [tag]Lance Atkinson[/tag] and Roland Smits alleging that they were responsible for the spam messages marketing ‘Herbal King’, ‘Elite Herbal’ and ‘Express Herbal’ along with ‘genuine replica watches’ and ‘adult toy’s’. This has resulted in a noticeable drop in spam volume as this ‘team’ was responsible for up to 1/3 of the spam.

http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/

http://www.itbrief.co.nz/index.php?option=com_content&task=view&id=2995&Itemid=799

These same people appear to have been involved in spamming for a while according to a Wikipedia article with reports going back as far as 2003 with a previous monetary judgment against Lance.

Why did the last judgment not stop then and this time it did?

The authorities froze their bank accounts.

I applaud the authorities taking this step but only time will tell if this is going to force them out of the spam game for good.

I believe that this is a temporary slowdown in the volume of spam. They were able to get away with it for a long time and made lots and lots of money.

Where there is lots of easy money it attracts those drawn to easy money so I would expect the vacuum to be filled shortly or for the same team to be back at it shortly.

Sorry but this does not mean that you don’t need an anti-spam solution

- The Spam Cryer

Here are some more articles on the subject for you: