<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>FTC kills porn spam ISP</title><description>2010-05-21 22:41:19 - Terry Zink's Anti malware Blog : Via Mashable. Today (ie, Thursday, May 20), the Federal Trade Commission permanently shut down 3FN, a Belize-based Internet service provider (ISP) notorious for hosting botnets, child pornography, phishing attacks and various other scams and malware. The ISP has been ordered to pay back 108 million which it earned by cooperating and conspiring with criminals. It took almost a full year in court for the FTC to win this battle against 3FN. When this ISP was put under a preliminary injunction last year, spam volume dropped by 15%. 3FN had been actively recruiting spammers and others, and its senior staff had coached clients on building botnets. The latter was proven with instant message logs between criminals and 3FN employees. The FTC estimated that 4,500 malicious software programs were hosted by the ISP, attacking unknown numbers of computers with keystroke loggers, password stealing software, data theft, backdoor access and spam distribution. In addition to aiding and abetting those who would infest our computers with viruses, spyware and other malware, the ISP also knowingly hosted illegal and disturbing types of pornography. The ISP ignored takedown requests and evaded prosecution by shifting certain elements or content to other IP addresses in its control. 3FN also did business as Pricewert LLC, Triple Fiber Network, APS Telecom, APX Telecom and APS Communication. It remains to be seen whether or not this will have any effect on the amount of spam we are seeing. The current trend in spam botnets is to see a temporary decline in total abuse followed by a recovery. The recovery periods have been getting shorter and shorter as spammers and malware authors have started building more resiliency into their infrastructure. I'll keep an eye on it and report if I see anything unusual.</description><link>http://www.secuobs.com/revue/news/224556.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224556.shtml</guid></item>
<item><title>Hotmail to add more security features</title><description>Secuobs.com : 2010-05-21 06:51:27 - Terry Zink's Anti malware Blog - Hotmail has recently announced that it is going to be releasing more security features to its web interface over the next few weeks. "Microsoft is adding what Harp dubbed 'proofs' to Hotmail to secure accounts against hijacking, or let users more easily recover control if their account has been snatched by criminals. Among those proofs will be one that links a specific computer to a user's account. 'You'll be able to set your computer as a proof,' said Harp, referring to the link between a PC and an account. Google tracks log-ins and warns Gmail users of suspicious patterns, such as an attempt to log-in from a foreign country, or multiple failed log-in attempts. 'We think we've done it a little better than Gmail,' argued Walter Harp, Hotmail's director of product management. 'My mom's not going to get it if Gmail told her she had tried to log in from a different IP address.'" I concur with what Harp is saying. For most users, if you are told that you have logged in from a different IP address you might as well be speaking a foreign language. This may be difficult to believe, but most people are not fluent in geek-speak. The ordinary user cannot make the mental connection between an IP address and the physical location where you are. It's like when I go to Wikipedia and it tells you how to pronounce a word but uses crazy syntax and characters that I cannot read, and thus the pronunciation guide is of no help to me whatsoever. Of course, one of the advantages of web mail is that you can login from anywhere. When I'm traveling, I find it useful to login and check my mail whether I'm hunting down spammers, or being hunted down by spammers, in China or Peru. Of course, I would expect that there are certain flags in place that allow the user to say "Yes, it's okay, I'm traveling so don't worry about this one." In any case, the theory behind this is to be able to allow the user to detect deviations from normal patterns of behavior. If you normally login from Las Vegas and some phisher steals your credentials and logs in from, oh, let's say Latvia, that is clearly an anomaly. You will probably want to be notified and immediately reset your credentials. Sometimes, security is all about detecting divergences from established baseline behavioral patterns. The article continues: "'Your mobile phone will be an additional proof,' said Harp, explaining that if a user loses control of his or her account -- and thus has no way to reset the password to regain access -- Hotmail will notify the user by phone, then send a new password to that phone. 'We'll do that if either a human or malware gets into your account,' Harp said. Phones play another role in Hotmail's enhanced security: Users can request that Microsoft send a one-time password to their phones via SMS. Harp envisioned this being used by people logging in at public places, such as Internet cafes, libraries or unprotected Wi-Fi hotspots. The feature came out of conversations with focus groups in less-developed countries, where more people connect to the Internet at cafes. 'The general idea is that you'd use this to be particularly cautious at a public computer, which for all you know may be infected with keylogging malware,' said Harp." I particularly like the idea of using SMS phone verification. The idea behind this is that while a user might be able to have several different email accounts that are easily stolen, most people only have one mobile phone at a time that they are actively using. While some people do have more, a person will guard their phone because it is expensive to get it replaced. In addition, people bond themselves fairly tightly to their phone numbers because it is a pain to get everyone to update their contact information for you. So, if you get locked out of your account, you can still get your password reset by following a process and have your password resent to your actual identity: your phone, which you physically carry on you or you know its physical location. Unless the intruder has stolen your phone as well, you can quickly regain access to your account and kick the intruder out. Using mobile phones to authenticate is also an interesting idea. I can see how useful this would be in that sitting down at an untrusted location (such as an Internet cafe in the developing world) might fill you with some trepidation because a keystroke logger could steal your information. Instead, you use your own trusted device to login to your account. Realistically, I wonder as to the efficacy of this feature. If you're going to login with your phone when you're traveling, especially abroad, you need a phone that connects to the local cell phone network. Given the diversity of cell phone carriers worldwide (GPRS, GSM, CDMA2000, DoCoMo, UMTS, etc) and given how quasi-interoperable they are (read: not particularly), will the average web mail user really care to use their cell phone to login? Or will they not be thinking security and just log in anyhow? I like the idea, not sure about the rate of uptake. Finally: "Hotmail will also include a new feature tagged 'Trusted Sender,' which visually identifies legitimate mail from about 100 senders, mostly financial institutions like banks, that are commonly spoofed by identity thieves." This is another idea that I like. It's an idea that I think has been long outstanding. Domains that are commonly spoofed (like Paypal, eBay, Facebook, Citibank, HSBC, Chase, etc) should have some sort of trusted validation flagged in email so the user knows who they are communicating with. This is one of the most useful features of sender authentication. The drawback is that there are a lot of institutions out there, particularly banks in Europe (you know who you are... actually, you probably don't) that don't have identity records set up (ie, SPF, SenderID or DKIM). This trusted sender feature won't have any effect on them and so they will still probably have some problems with phishing attempts. Still, this is a good step in the right direction. The downside is that it remains to be seen whether or not users will actually learn to recognize their Trusted Senders and notice that when a communication comes from such an institution and is Untrusted, their suspicions arise (ie, shorthand for determining the message is a spoof). My prediction is that initially people won't notice at all but over time, things will change and uptake will start to pick up.</description><link>http://www.secuobs.com/revue/news/224296.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224296.shtml</guid></item>
<item><title>A little bit of humor</title><description>Secuobs.com : 2010-05-21 06:51:27 - Terry Zink's Anti malware Blog - I came across this recently on xkcd. I couldn't resist posting it here.</description><link>http://www.secuobs.com/revue/news/224295.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224295.shtml</guid></item>
<item><title>Conficker - The Enemy Within</title><description>Secuobs.com : 2010-05-20 05:03:23 - Terry Zink's Anti malware Blog - NetAtlantic has a fantastic article written by Mark Bowden regarding the history of the Conficker worm. It really is a fascinating article and if you never read any of my offsite links and you haven't yet read it elsewhere, you definitely want to take the time to read this one. It illustrates the complexity of the Conficker worm, efforts to stop it and why it is so difficult to defeat. I just can't resist posting a few excerpts. "Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it works. Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship's otherwise vigilant defenses (like, say, a flaw in Microsoft's operating platform). So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship's defenses. Ensconced securely inside, he silently sets himself up as the ship's alternate commander. The [Conficker] worm itself was exquisite. It consisted of only a few hundred lines of code, no more than 35 kilobytes, slightly smaller than a 2,000-word document. In comparison, the average home computer today has anywhere from 40 to 200 gigabytes of storage. Unless you were looking for it, unless you knew how to look for it, you would never see it. Conficker drifts in like a mote." Here's where things get interesting: "Analysts with Conficker B isolated in their sandboxes could watch it regularly call home and receive a return message. The exchange was encrypted. Rivest's proposal for the new encryption standard, MD-6 (Message Digest 6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review: the very small community of high-level cryptographers worldwide began testing it for flaws. Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, 'Unless you're a subject-matter expert actively involved in crypto-algorithms, you didn't even know that MD-6 existed. It wasn't like it was put in The New York Times.' So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest's proposal for SHA-3, the cabal's collective mind was blown. The plot thickened: it turned out that Rivest's proposal, MD-6, had a flaw. Cryptologists in the competition had duly gone to work trying to crack the code, and one had succeeded. In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted it. This gave the cabal an opening. If the original Rivest proposal was flawed, then so was the encryption method for Conficker B. If they were able to eavesdrop on communications between Conficker and its mysterious controller, they might be able to figure out who he was, or who they were. How likely was it that the creator of Conficker would know about the flaw discovered in MD-6? Once again, the good guys had the bad guys in check. About six weeks later, another new version of the worm appeared. It employed Rivest's revised MD-6 proposal." The entire article is a great read, and I learned a few things about Conficker. I hadn't realized just how sophisticated it was. I came away with a couple of points. Whoever is behind Conficker is a professional or group of professionals. You can't write code that is this sophisticated on your own. Like the article says, you and a bunch of buddies playing Xbox cannot get together over the weekend and crank out a worm that is this silent without having some major initiative behind it. It requires co-ordination and you need to have some serious programming skillz to know the ins and outs of major operating systems and how computer protocols work. Whoever is behind Conficker is watching to see what anti-malware efforts are being done. It is no co-incidence that when Microsoft published a previously undisclosed security update to close a security vulnerability, Conficker started to abuse it only a month later. And when a new version of the worm came out, it used the most recent submission of a new encryption standard. And then it used the revised standard just a short time later. Like I said, it is not a weekend coding project to do this. You would have to actively keep up on the security space in order to implement this, and have the expertise to do it in such a short period of time. This leads me to believe that the developers have had several years' background in the security space and know about anti-malware efforts, and also keep close tabs on the public sites and forums that are dedicated to combating it. This suggests to me that there is a team of people behind it. The job of monitoring is a lot of work (I can barely handle it), and there would similarly need to be people in sales and marketing to handle the distribution of payload. Yet the team could not be that large. Microsoft has a bounty of $250,000 for anyone who comes forward with information leading to the arrest of people responsible for creating the worm. The larger the team behind it, the greater the odds of discovery. To me, this suggests that either a criminal organization is behind it or perhaps it is state sponsored and they are actively protected. Whatever the case, security by obscurity is one of the key layers of defense. My guess is that the Ukraine has something to do with it. If you get through the article, about 1/3 of the way through they mention that earlier versions of the worm did not infect computers with IP addresses located in the Ukraine. Why is this? Why is the Ukraine so special? I have a couple of theories. The first is that this is a professional courtesy. The original developers of it were located in the Ukraine and did not want their home country to be prone to it. It's kind of like rooting for the home team: infect everyone else's but yours. Another theory is a spin-off of the first. Perhaps it was also driven more by pragmatism than nationalism. If the originators of the worm were located in the Ukraine, then it might make sense to have everyone else's computer systems infected but not yours. That way, if you ever lose control of the botnet, your home country is clean but everyone else is still infected. In other words, your own country's computers would be immune to the botnet. This is quite handy and is a redundant backup in case you ever have to hand over the reins of the botnet to someone else. This makes it interesting to me. We know historically that the Russian Business Network is centered in St. Petersburg, Russia. But we also know that there were some really bad spammers located in the Ukraine who were involved with CarderPlanet and Shadowcrew. Some of the people involved in that are now involved in Ukrainian politics. Is there a connection? Possibly. Perhaps the Ukrainian government (or more likely, people in the Ukrainian government acting on their own behalf) commissioned the creation of the botnet using contacts they had in the cyber criminal underworld. This is just guess-work and I have no evidence to support it. All I have is knowledge that Ukraine was excluded, but I don't know why. This is, of course, speculation. And it illustrates just how sophisticated the problem of Conficker really is.</description><link>http://www.secuobs.com/revue/news/223817.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/223817.shtml</guid></item>
<item><title>China to stop spying on its people (humor, kind of)</title><description>Secuobs.com : 2010-05-19 00:40:18 - Terry Zink's Anti malware Blog - The Borowitz Report has a funny post up today (hat tip Box of Meat) about Facebook and China: "China to Stop Spying on its People, Will Use Facebook Instead. Social Network to Replace Listening Devices, Spy Satellites. BEIJING - The Chinese government announced today that it would disband its extensive domestic spying program that gathers personal information on its citizens and would instead use Facebook. According to the head of the domestic spying operation, China decided to scrap its elaborate array of spy satellites, eavesdropping devices and closed-circuit surveillance cameras after recognizing that Facebook put them all to shame. 'At the end of the day, we were not getting as much intimate personal data as Facebook does,' he said. 'So as of today, every man, woman and child in China is officially our friend.' The Chinese version of Facebook, launched next week, will feature addictive online games reminiscent of the American version, such as Collective Farmville." The Borowitz Report is a tongue-in-cheek social commentary blog but this one does have an element of truth to it. It contrasts the styles of government collection of private information vs voluntary disclosure of private information. For a country such as China that is determined to maintain internal stability, they have a desire to crack down on dissent. Because the population is so large and because there are such strong tensions between the rural/urban split (2/3 vs 1/3 of the population), imbalances can turn that instability into a weakened government. When China is fractured and divided it is easier to conquer. So, in order to prevent this, China engages in a series of human rights crackdowns in order to collect information and monitor people and movements that they perceive as internal threats to the regime. They can do this using spy satellites and listening devices, as well as banning access to certain sites on the Internet and not letting certain data go outside its borders (referred to as the Great Firewall of China; this is a reverse pun on the Great Wall of China except that wall was designed to keep people out, not in). This, of course, requires a lot of technological resources and the government has to maintain a vast technological infrastructure in order to collect information on people who are either unwilling to reveal it or actively trying to hide it. By contrast, Facebook is a huge social networking site where people voluntarily share information with each other. They put their interests, likes, dislikes, books they read, friends they associate with, email address, pictures, videos, and so forth, all online for others to see. Using this information, private marketing companies can build a dossier of a user and target advertisements (whenever I log in to Facebook, I always see ads for dating sites on the right hand side of my page because my relationship status says that I am single). However, while marketers can gain access to this information in order to make money, governments could find it useful to keep track of people who oppose their regime. By monitoring people's political interests, and their friends, for a much lower cost of maintenance it is far quicker to build up profiles on your citizen base. Of course, it isn't quite that simple. For the majority of the population, this type of information just isn't that interesting. While having access to lots of information is a plus, sorting through that information and finding something useful isn't as easy as it sounds. And it also assumes that the people who you monitor are actually using Facebook (not necessarily true in the developing world, such as China) and are careless about the information that they reveal (likely in the case of an inexperienced political dissenter, much less likely in the case of an experienced one). So, while the government adding everyone as a friend would likely yield some interesting trends, and while it would likely yield some actionable information, it wouldn't necessarily be able to yield exhaustive information. It takes time to search through billions of records, and it takes time to sort all of those results, and it takes time to follow up on the leads. But if those leads don't go anywhere, then it doesn't necessarily lead to an efficient use of resources.</description><link>http://www.secuobs.com/revue/news/223336.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/223336.shtml</guid></item>
<item><title>What if Sideshow Bob were a spammer?</title><description>Secuobs.com : 2010-05-18 01:22:37 - Terry Zink's Anti malware Blog - I was watching The Simpsons last night. It's a show I used to really enjoy when I was younger but as time passed and we exited the 1990's, the show got a lot more boring. It's just not as funny as it used to be. I'm sure all of my readers would agree that it now has funny moments but not funny episodes. So, it was a surprise to me last night when I actually laughed out loud a few times catching the show. It was titled "The Bob Next Door." Sideshow Bob is in prison and by an odd coincidence, his cell mate, who has a similar build to him, is due for early parole. Sideshow Bob then drugs him with anesthetic, removes both of their faces (in a parody of the movie Face/Off), and impersonates his cell mate and gets released. He then buys the home next to the Simpsons, kidnaps Bart and plans to kill him. His plot is to take him to the part of the United States where five states meet at one location: the Five Corners. At Five Corners, Bob explains to Bart that he will fire the gun in one state, have the bullet travel through two others, hit Bart in a fourth state, and let Bart fall and die in the fifth state. The killing would take place in five separate states and would not be prosecutable. Bart ends up stalling for time until police from each state arrive and capture Bob. As I was watching the show, I couldn't help but think about how this relates to spamming. If Bob were a spammer, he would register a bunch of phony domains in Russia, package cheap pharmaceuticals in China, use compromised bots in Spain, Australia, the UK and Brazil to send spam, send relay instructions out of Latvia, flood customers' inboxes in the United States and collect pay checks via Western Union in the Ukraine. Doing all of this would evade prosecution because none of these activities is illegal in and of themselves. Except that it's not true. I'm pretty sure that every single one of these is illegal in all of these countries. What is lacking is not jurisdiction but the ability of law enforcement to execute. It's difficult to track down spammers when they are using such a wide net to push their products. Law enforcement in one country has to contact law enforcement in another. For example, if an FBI agent wanted to catch a spammer in Russia, they'd have to get their police department to send a letter to the Attorney General of the United States to send a letter of request for assistance to the Minister of Justice (or equivalent) in Russia, who would then approve the request and then pass it down to law enforcement in that country. It's a long, arduous process and it takes a long time. It assumes that the spammer will not change jurisdictions and it assumes that law enforcement in that country will actually cooperate. In the former eastern bloc, this is far from guaranteed. Depending on the political climate, and depending on how useful it is to the government to have a spammer around (just in case they need them), they may not decide to acquiesce to the FBI's requests at all. Thus, the problem of spam prosecution is not just a technological one, but also a human and cultural one.</description><link>http://www.secuobs.com/revue/news/222972.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222972.shtml</guid></item>
<item><title>No cyberattack on Wall Street</title><description>Secuobs.com : 2010-05-13 15:05:07 - Terry Zink's Anti malware Blog - In case you missed it, last Thursday, May 6, we saw a remarkable day on the stock markets. The day started off with some selling which went down neat and orderly. Suddenly, around 2:40 pm eastern time, the market started selling off rapidly, taking huge hits in the span of 30 minutes. It was an incredible ride and at one point, the Dow Jones average was off 1000 points for the day, the largest drop in history (though not the largest percentage drop). It was kind of like October of 1987. A number of stocks plummeted to less than a dollar per share. Yet within a few minutes, the market recovered and what was a 7-8% decline was a mere 3% decline. Not bad if you're a day trader. Of course, the question now is how did this happen? Why did this happen? Nobody really knows for sure. Some speculate that it was a typo and that some trader wanted to sell a million shares but accidentally entered in a sell order for a billion. Some speculate that the orderly decline hit a level and then a bunch of computerized trading algorithms all executed at the same time hitting a bunch of sell orders, and then at such low prices a bunch of buy orders kicked in (maybe a bug and everyone uses the same algorithms). Some speculate that maybe it was a message from Wall Street to Congress that Wall Street still has some cards in their hand that they can play and to not get too ambitious with financial regulation. Or maybe it was a cyber attack from an outside source that kicked it all off? The Associated Press ran an article last Sunday with homeland security and a counter terrorism advisor saying that there was no evidence of a cyber attack behind the huge drop: "WASHINGTON (AP) -- The White House's homeland security and counterterrorism adviser says there is no evidence that a cyber attack was behind the chaos that shook Wall Street last Thursday. John Brennan told 'Fox News Sunday' that officials have uncovered no links suggesting that cyber attacks caused turbulence that sent the Dow Jones industrials plunging almost 1,000 points before staging a partial recovery at the end of the day. The market already was weak because of the spreading European debt crisis. Some have speculated that a typographical error might have triggered the massive computerized sell-off. Regulators and market officials are scouring millions of trades to understand what caused the volatility. The Securities and Exchange Commission and the Commodity Futures Trading Commission are relying on self-regulatory offices at the New York Stock Exchange and elsewhere to help them identify questionable trades. In a joint statement Friday, the SEC and CFTC identified one possible cause for Thursday's plunge: conflicting trading rules for different markets. Markets generally write and enforce their own varying rules, under the oversight of the SEC and CFTC." If this was a cyber attack, it would be quite a serious cyber attack. A hostile intruder would need to break in and either do one or a combination of the following: 1. Flood the market with massive amounts of sell orders and drive stocks down. 2. Short sell the stocks in order to drive them down, but this depends on the intruder being able to borrow stock in order to short it. Naked shorting is a possibility but I don't know if you could get away with that and not leave a big paper trail. 3. Exploit a bug in the exchange's (Nasdaq or NYSE) trading software that made it look like there was huge trading going on but in reality it wasn't. The goal in this case isn't necessarily to cause a loss in shareholder wealth but to create mass panic and confusion. If this was the case, then creating such mass panic and confusion could be a diversion for a physical attack elsewhere. The last one is probably the more fanciful because it would require a major bit of co-ordination amongst multiple groups and would require a lot of pre-operational planning. But one would think that someone doing this type of reconnaissance work would have a large financial backing. That financier, presumably, would have a lot of their own wealth tied up in the US stock markets (and global markets, too). So, launching a cyber attack to take down Wall Street and affect the American markets would have the unpleasant side effect of knocking down your own wealth, too. You'd be cutting your nose to spite your face. But like I say, the more likely explanation, in my opinion, is that a bunch of large blocks of traders had algorithms that all executed sell orders simultaneously based off an already skittish market (Greek debt). If there were bugs in that software that an intruder exploited, that would cause a lot of firms to re-examine their security policies, or perhaps perform an audit.</description><link>http://www.secuobs.com/revue/news/221812.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221812.shtml</guid></item>
<item><title>Cracks in armor is how phishers win</title><description>Secuobs.com : 2010-05-07 22:36:19 - Terry Zink's Anti malware Blog - Cory Doctorow over at Locus Online tells the story of how he got phished the other day. Doctorow is no computer neophyte; he knows what he is doing when it comes to security. Here's his background plus the key part of the story: "I'm media-literate: I have a good nose for scams and linkbait, I know that no one's planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces. I know that phishing (using clever fakes to trick the unsuspecting into revealing their passwords) is a real problem, with real victims. But I just assumed that phishing was someone else's problem. Here's how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information. The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers, I stood in the line. Bored, I opened up my phone, fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read 'Is this you?' and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this: http://owl.ly/iuefuew. I opened the link with my phone and found that I'd been redirected to the Twitter login page, which was prompting me for my password. Seeing the page's URL (truncated in the little phone-browser's location bar as 'http://twitter...') and having grown accustomed to re-entering all my passwords since I'd reinstalled my phone's OS the day before, I carefully tapped in my password, clicked the login button, and then felt my stomach do a slow flip-flop as I saw the URL that my browser was contacting with the login info: http://twitter.scamsite.com (it wasn't really scamsite, it was some other domain that had been hijacked by the phishers). And that's when I realized that I'd been phished. And it was bad. Phishing isn't 'just' about finding a person who is technically naive. It's about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall. But all the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher." While Doctorow does have a point that phishing does rely on finding short-lived cracks in the wall (in this case, the crack was that it was sent by an abusive user to his account before Twitter could shut down that user), it is more complex than that. All spam is about finding cracks in walls of armor. Most of us already know that deals in spam are too good to be true, that our banks don't need us to login and update our information. At least, we think we know. The article that I am writing for Virus Bulletin for the conference in October has to do with how the brain processes information and specifically around cognitive processes. What is it about scams that makes us fall for these things? Are there some types of scams that work better than others? I would argue that social networking scams have a higher hit rate than banking scams, at least in terms of how many people fall for them in sheer numbers. The reason is that in the financial world, there is lots of competition: Citibank, Wells Fargo, JP Morgan, Chase, Washington Mutual (ha), and the list goes on and on. In order for a phishing scam to work, it has to get past a spam filter and hit a customer of that particular bank. Because there are so many different banks, the odds of the spammer hitting someone are not stacked in his favor. Social networking is different because there are far fewer popular sites: Facebook, Twitter, and... uh... what else is there? (just kidding). The point is that these sites have a much larger user base attached to them and therefore the odds of getting past a spam filter and hitting a user of that particular service are higher. What about brain processes? This is a sneak preview into what I am writing about, but in psycho analytics, the term "affect" is the level of "goodness" or "badness" that we feel in certain situations. If our team in hockey is winning (perhaps winning the gold medal in hockey at the 2010 Olympics), we feel positive affect. If our team is losing (or, perhaps, the opposing team ties it up with less than 30 seconds to go in the game), we feel negative affect. Studies have been done to examine the effect of affect on our decision making process. It used to be that researchers determined that positive affect makes us less risk-averse. In other words, because we feel that the environment is benign, our guards are not up and therefore the decisions we make do not take into account risk factors. We are less likely to perceive a threat when we feel good about something because in the past, when we revert back to past experiences and biases, those outcomes were positive. Therefore, our brains utilize heuristics to skip around any threats because there was no threat in the past. In this instance, Doctorow saw that he was hearing from an old friend through his social networking site. This made him feel good and therefore his guard was lowered. On the other hand, recent studies suggest the opposite. Introducing positive affect actually helps us to make
better decisions People who have had positive affect induced in them are able to reason more accurately and come to better decisions than those in neutral or negative moods People with positive affect or in good moods tend to be more risk averse This suggests that Doctorow should have been more on guard when getting a Twitter message The conclusion is that positive affect can do both, one or the other It can either utilize heuristics to maintain the level of goodness or be more risk averse and make better decisions In this case, it appears to have been the former This particular area of antispam effectiveness research is, I believe, an underexplored topic It s something I plan to evaluate this October in Vancouver at Virus Bulletin I actually do have more of an explanation for this  based on the research I have done into cognitive processes  but I m going to keep it to myself for the time being  IMAGE  </description><link>http://www.secuobs.com/revue/news/220068.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220068.shtml</guid></item>
<item><title>Why are there so few spam lawsuits?</title><description>Secuobs.com : 2010-05-07 05:04:06 - Terry Zink's Anti malware Blog - Following up from my previous post on the requirements of the CAN SPAM Act, John Levine has written an article about why there are so few spam lawsuits when the law has been in effect for almost seven years. Levine's point (in this article) essentially is that antispam lawsuits are difficult to win. Here's an excerpt: ----------------------------------------------------------------- There are a couple of reasons, but by far the largest one is that, unless the recipient is unusually lucky, anti-spam lawsuits are difficult to prosecute and win. The evidence in such suits is very technical: mail headers, WHOIS data, traceroutes, ASN numbers, affiliate codes and HTTP redirections that tie a sender to a particular message, or more likely, a thousand messages. Judges tend to be reasonably smart, but few of them have a technical background. That means that before a judge can rule sensibly on a spam case, he or she needs to learn about the statutes and case law that apply, and also enough about e-mail technology to understand the evidence and evaluate the credibility of the lawyers' arguments on each side. Ideally (at least from the point of view of someone filing a suit), the judge would take a continuing legal education (CLE) course that covered the topic, and be well-informed and ready to go when the case starts. What this means is that the only cases that are likely to be filed are very easy ones, where the spammer didn't hide his identity or use affiliates, so the connection from the spam to the spammer is easy to show, or ones where the plaintiff has the legal skills to do a lot of the case work himself to keep the costs affordable. ----------------------------------------------------------------- I'm not sure whether or not I agree with Levine since I don't have much background in legal cases. To be sure, unless a judge is familiar with technology, they might not be aware of what technology can and cannot do, what works and what doesn't. But I think I would add another reason to the mixture, and that is that it can be difficult to actually arrest and charge spammers, let alone prosecute them. I will speak of the case of Dmitry Golubov, now the leader of the Internet Party of Ukraine, a political party based in Ukraine. Golubov is the alleged kingpin (or at the very least, a very high ranking officer) of the illegal group known as CarderPlanet. CarderPlanet was a phishing and hacking operation that dealt in the stolen financial information of westerners (among others, but mostly westerners). Participants of Carder could buy and sell financial credentials with which to commit online fraud. It was just like out of those bad movies where online criminals can do what they want. Western authorities, including the FBI, had been chasing Golubov for years but couldn't get officials in the country to take action. Finally, late 2004 and early 2005 saw regime change in the country, and a pro-western government came to power. For months, no action was taken, but finally Golubov was arrested and spent a few months in jail. However, he was sprung out by two Ukrainian politicians and decided to form his own political party. If elected, he is not liable for past crimes (that is, he doesn't have to serve a prison sentence). Pretty good deal if you're a spammer. Some of the worst criminals in the spamming underworld are located in eastern Europe and Russia. Many of them are known to the authorities, but they are not pursued by legal authorities. The thinking is that they have a degree of protection: yes, defrauding westerners is a bad thing, but these characters are handy to have around in case they need to launch a cyber-attack upon a rogue state like Estonia or Georgia. Whether or not they are actively protected by governments, they are at least passively protected in that they are not being pursued. The problem, then, is complex, and again it is cultural. Legal authorities in Russia can have, how do we say it, problems with corruption. Some parts of Russia can be an expensive place to live, and law enforcement doesn't have the highest salary. Their services are available to the highest bidders as well. And when the government decides that spammers might be useful for a geopolitical purpose, there is a low chance indeed that western officials will ever get their day in court.</description><link>http://www.secuobs.com/revue/news/219759.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/219759.shtml</guid></item>
<item><title>Email rules to live by, for marketers</title><description>Secuobs.com : 2010-05-07 01:51:42 - Terry Zink's Anti malware Blog - One of my personal friends works in the non-profit space. He has put up a blog post about the rules that are required in order to comply with the CAN SPAM Act. In doing some research, he found that people would say "Oh, yes, we know the rules about emailing and marketing" but when pressed, not so much. In other words, people may know that spamming is illegal but they don't really know the requirements of the law. I'm reposting his article here: --------------------------------------------------------------------- Many fundraisers are fuzzy on the rules of email solicitations. Nonprofits seem to receive a little grace with people regarding how we use and reuse our email lists. But that doesn't mean we shouldn't know the rules. By following the rules, you can make sure that your email blasts do not start to become SPAM and that you can build trust and accountability with your donors. The law governing mass emailing is often referred to as the CAN-SPAM Act of 2003. This act regulates legal use of unsolicited email. Although this law was written for businesses, it does apply to nonprofit organizations. The Federal Trade Commission does not have jurisdiction over individual nonprofits, but the state attorney general and individual Internet Service Providers (ISPs) can enforce the law. Fines can be levied that are as high as $16,000 per individual illegal email sent. Local ISPs have a vested interest in enforcing this law as they can be liable if their clients break it. Here are a few key points: The spirit of the law intends for all email to be clear about what its purpose is and from whom it is coming. Email should come from a legitimate and active email address; each recipient should be able to reply to a clearly identified sender or organization email that is visible and identifiable in the "From" section of the email. The body of the unsolicited message should have a physical mailing address for your organization. The subject line of the email should be clear about the content of the body of the email; there is a lot of wiggle room, however, if your email is an advertisement, it must be identified as such. There must be a method for an individual to opt out of future emails; their request must be granted within 10 days and they must remain off your mailing list for a minimum of 30 days (I would recommend you take them off your list permanently unless they otherwise designate). This law applies to more than just bulk email: "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." If you hire another company to handle your mass emails, you are still liable. For more information on the law, check out these articles: "What's in an Opt In?", "Staying on the Email Up and Up (CAN SPAM)", and "The CAN-SPAM Act". ---------------------------------------------------------------------</description><link>http://www.secuobs.com/revue/news/219661.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/219661.shtml</guid></item>
<item><title>Comparison: Top malware threats</title><description>Secuobs.com : 2010-05-05 09:47:36 - Terry Zink's Anti malware Blog - All Spammed Up published a post this week highlighting the top seven malware threats for that week (May 3). Here they are: 1. MyWebSearch (delivers rogue pop-ups, tracks surfing); 2. Vundo (rogue A/V, information stealer); 3. Dr Guard (rogue A/V); 4. OnLineGames (password stealer for MMORPGs); 5. TDSServ (rootkit to conceal identity); 6. DoubleD (rogue pop-ups, browser redirection); 7. Koobface (rogue pop-ups, delivers other malware). The Microsoft SIRv8 lists the following top 7 threats in the corporate environment: 1. Conficker (worm); 2. Taterf (password stealer for MMORPGs); 3. RealVNC (miscellaneous potentially unwanted software); 4. Autorun (worm); 5. Renos (trojan); 6. Hamweq (worm); 7. Agent (trojan). For the home environment, below are the top 7 threats for the second half of 2009: 1. Taterf (password stealer); 2. Renos (trojan); 3. FakeXPA (rogue A/V); 4. Alureon (trojan); 5. Frethog (password stealer); 6. BaiduSobar (miscellaneous potentially unwanted software); 7. GameVance (adware). Of these, the only ones common to both lists are Taterf and Renos. Domain-joined computers were much more likely to encounter worms than non-domain computers, due in large part to the way worms propagate. Worms typically spread most effectively via file shares and removable storage volumes, both of which are often plentiful in enterprise environments and less common in homes. In contrast, the Adware and Miscellaneous Trojans categories are much more common on non-domain computers. The threat landscape, for malware, differs for home users compared to enterprise users. I've never seen any study that compares the spam spewing out of home users vs. enterprise users, but it'd be an interesting one (to me, anyway).</description><link>http://www.secuobs.com/revue/news/218964.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218964.shtml</guid></item>
<item><title>Australia has a serious problem</title><description>Secuobs.com : 2010-05-04 01:27:40 - Terry Zink's Anti malware Blog - Last week, Graham Cluley of SophosLabs posted an article indicating that China had slid off the list of the top 10 spam relaying countries in the world. Here is the list, according to Sophos: The top twelve spam relaying countries for January to March 2010: 1. USA - 13.1%; 2. India - 7.3%; 3. Brazil - 6.8%; 4. South Korea - 4.8%; 5. Vietnam - 3.4%; 6. Germany - 3.2%; 9. United Kingdom - 3.1%; 9. Russia - 3.1%; 9. Italy - 3.1%; 10. France - 3.0%; 11. Romania - 2.5%; 12. Poland - 2.4%. I decided to do my own quick investigation. Mine isn't quite as historically oriented as Cluley's, but I decided to check to see how much spam we have been receiving since Feb 2010 from a particular set of botnets that I track (15 in total), counting only IPs that make it past our RBL checks. By combining this with botnet statistics, I built a different set of results. A couple of months ago, I wrote that certain botnets send the most spam, but it depends on how you count it. You can either count it by total envelopes, or total messages. An envelope can contain multiple messages, since a botnet can put more than one To: address in the RCPT TO of an email connection. I decided to check to see which country sends the most messages according to specific botnets (but not all spam; this means that a lot of the spam that I track was left unattributed, since I cannot attribute every single IP to a botnet). To do this, for the Feb-April time frame, I determined the average number of spam messages per botnet. I then calculated the total number of envelopes each IP sent (that is attributed to a botnet) and multiplied by the average. Then, I took each IP and divided it up into each country. The result is the total amount of spam each country sends, accounting for botnet characteristics. Below are the results: 1. USA - 14.3%; 2. South Korea - 14.2%; 3. Australia - 13.9%; 4. Canada - 6.2%; 5. China - 6.1%; 6. Brazil - 5.3%; 7. India - 4.1%; 8. Great Britain - 3.7%; 9. Russia - 3.0%; 10. Japan - 2.6%. A few points to discuss here: The United States is number one, and that agrees with Sophos's overall results. Rustock is the largest botnet and it is overwhelmingly sending spam based out of IPs in the US. Without Rustock, the US would drop down to third place. South Korea is number two, and that doesn't agree with Sophos, at least for this time frame. In our stats, it ranks number 1 or number 2 in 12 separate botnets (the US ranks first or second in only six botnets). For us, South Korea is one of the worst offenders when it comes to spam. I wouldn't be surprised if it eventually overtook the US. Australia has a serious problem. The reason it has such a serious problem is that, according to our statistics, it is the number one source of IPs for the Lethic botnet. Lethic is not a botnet that we have a problem stopping, but it sends the most messages per email envelope. In terms of spam messages per IP, it averages 8 times as many as its nearest competitor (bagle-cb). Thus, if you have a problem with Lethic, you are going to have a serious problem with spam, because it pumps out so many messages per connection. It is attempting to push out as much as it can with limited resources. This contrasts it with Rustock, which has a considerably wider footprint of spamming IPs but sends out fewer messages per IP. Canada and the US both have problems with Lethic as well. This explains why Canada accounts for slightly more spam than China. China's infection problems are Cutwail and Cutwail2. Cutwail2 is the third "heaviest" botnet but still far trails Lethic. To be fair to Sophos, they have tracked a different time frame than I did, and they haven't restricted their numbers the way I have with botnets. Still, the two big divergences between the two of us are that South Korea hits us much harder, and so does Australia.</description><link>http://www.secuobs.com/revue/news/218397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218397.shtml</guid></item>
<item><title>My secrets for making presentations</title><description>Secuobs.com : 2010-05-02 01:06:08 - Terry Zink's Anti malware Blog - Some of you may not know this, but I really enjoy making presentations for audiences. When I got a chance to present at a conference earlier this past year, I was really excited about it. Some people fear public speaking, but I love it. One of my theories/secrets to making a good presentation is to inject a very healthy dose of my own personality into it. The idea is that while somebody might be able to redo the content, they will not be able to reproduce the quality of the presentation and achieve the same psychological impact. In my case, having been an amateur magician for over 15 years, I toss in a blended mixture of statistics, research, psychology, editorial, and entertainment. I make sure that my facts are correct, make sure my slides contain lots of pictures, tell a few good jokes, include a magic trick or two, and am confident on stage. I am performing/presenting at Virus Bulletin later this year and I am doing some original work that will reflect some personal interests. One of the ideas I was playing around with was how to detect deception. I came up with the trick that appears at the bottom of this post. That won't work because it is too long (the trick is 13 minutes and I only have half an hour to speak), so I need to do something else. The one I am planning also packs a psychological punch. But anyhow, the point is, I liked this trick so much that I thought I would repost it here.</description><link>http://www.secuobs.com/revue/news/218006.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218006.shtml</guid></item>
<item><title>Should we trust the libertarians?</title><description>Secuobs.com : 2010-04-29 08:01:28 - Terry Zink's Anti malware Blog - One of the RSS feeds that I read is Reason magazine, which is a web site for libertarians. In general, libertarians want less government intervention both in our personal lives and in the economy. The idea behind libertarians is that today's Republicans want less government intervention in our economy but are perfectly fine to have it dictate some aspects of morality. Similarly, today's Democrats want less government intervention in our personal lives but are perfectly fine with creating government bureaucracy to deliver social services. That's an oversimplified summary, but it is more or less correct. About two months ago I got an article in my RSS feed where Reason was commenting on the government's response to the cyber war threats. The summary of the article is that the government is using the threat of cyber attacks to increase its power to control, regulate and/or spy on the Internet (and the threat is overblown). I'm going to reproduce the article here and add some comments. --------------------------------------------------------------------- Sensible "Cyber War" Preparation, Or Just More Government Snooping? Ryan Singel at Wired has a great, detailed article warning us of the growing dangers of the military-security complex and its hyping of "cyber war" to give government more control over monitoring the Internet, and private companies more money helping sell the government the means to do it. Read the whole thing, and here are some choice excerpts: The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it's Michael McConnell, the former director of national intelligence. McConnell's not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He's the nice-seeming guy who's willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know. And now McConnell is back in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton. He's out in front of Congress and the media, peddling the same Cybaremaggedon gloom. And now he says we need to re-engineer the internet: We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options, and we must be able to do this in milliseconds. More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment (who did it, from where, why and what was the result) more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same. Re-read that sentence. He's talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Agency can pinpoint users and their computers for retaliation if the US government doesn't like what's written in an e-mail, what search terms were used, what movies were downloaded. The NSA dreams of "living in the network," and that's what McConnell is calling for in his editorial advertisement for his company. The NSA lost any credibility it had when it secretly violated American law and its most central tenet: "We don't spy on Americans." Unfortunately, the private sector is ignoring that tenet and is helping the NSA and contractors like Booz Allen Hamilton worm their way into the innards of the net. Security companies make no fuss, since a scared populace and fear-induced federal spending means big bucks in bloated contracts. --------------------------------------------------------------------- So do the libertarians have a point? Is the government proposing this in order to expand its influence and shut down dissenters? Or is Singel unaware of the nature of the threat? The problem that we have today in cyber security is exactly what McConnell is talking about. Attackers can hide behind anonymity in order to launch DOS attacks, host phishing, send spam, create malware, and so forth. This is inherent in the design of the Internet. For example, SMTP is the protocol we use to send email. In its basic form, SMTP does not require authentication and anybody can send as anybody else. For sure, we have built identity technologies like SPF, DKIM and SenderID. However, email receivers still have to support unauthenticated email. And because the cost of email is borne by the receiver and not the sender, there is plenty of incentive for spammers to spam. They can hide behind that anonymity, or fake identity. We can attempt to back trace some spammers but it doesn't always work. Tracking down a spammer is a non-trivial task, and it's made harder because there is no inherent identity or authenticity. If we were to start all over again, the designers of the Internet would not design it so that anyone could do anything. The reason that the Internet is open and anonymous (to some degree) is that when it was created, it was only intended to be used by a very small user base. It wasn't anticipated that it would be launched for widespread use, and it wasn't foreseen that the types of abuses that we see today would occur. Geeks all trust each other and they don't always understand that if you give something away for free, spammers will abuse it. If the geeks who built the original Internet had taken into account all of the ways that the Internet could be abused, they wouldn't have been so loosey-goosey with it. Unfortunately, we are now stuck with all of this existing infrastructure. Microsoft has revamped its image since launching its Trustworthy Computing Initiative in 2002. Going forward, newer versions of Microsoft software are more secure than the older ones. Unfortunately, there is still plenty of old software out there with security vulnerabilities that Microsoft has to support. This software accounts for the majority of exploits. Over time, it's being replaced with more secure versions, but it takes time. And so it is for the Internet, but worse. When it went public (or privatized, depending upon how you look at it) in 1995, people built applications. And applications upon those applications. Protocols were developed. And online communication was established. And they built dependencies upon these open protocols that were so easy to exploit. And so, we now have a big problem: reinventing the Internet means having to redo a lot of work that's already been built. Who wants to redo everything when the current version is already working? That the Internet is anonymous is not by intentional design, but a byproduct of something that wasn't originally designed to become as widely used as it is today. There was no Secure Development Lifecycle back then. The Internet then became popular and its "anonymity" became trumpeted as one of its strengths, as if this was the intention all along. It's doubtful that this is true, but culturally, because freedom of speech is a Western value, that anonymity translated into a core requirement for the 'net. It would be kind of like if I had a home and one side of it was sinking into the ground, so I put a few cinder blocks under the corner to prop it up. It's there for a utility, to serve its purpose, and nobody other than me cares about it. But one day, my neighbor decides to build a duplex and uses those same cinder blocks as part of the foundation. This isn't the optimal purpose, but hey, it works. And besides which, we can fix it later. But then a developer builds another duplex, and then an apartment complex. Pretty soon, it becomes very difficult to replace those cinder blocks. My house has a dependency on those cinder blocks, and so does everyone else. But by no means is my short term fix intended to be the optimal way of holding up a house. Cheapskate me should have replaced the foundation when I had the chance. Cinder blocks are not a good way to hold up a house. It's not a perfect analogy, but the way I see it, the Internet's inherent insecurity is not the optimal way to go about designing a network. More in another post.</description><link>http://www.secuobs.com/revue/news/217218.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/217218.shtml</guid></item>
<item><title>How Microsoft tracks down pirates</title><description>Secuobs.com : 2010-04-27 23:49:56 - Terry Zink's Anti malware Blog - I read a pretty good article on PC World today on how Microsoft tracks down pirates, that is, people who make illegal copies of their software (not the ones that roam the Caribbean). Piracy costs the industry billions each year, and the most recent study that I read last year estimates that the worldwide piracy rate is around 40%. This is actually down, because in 2004 it was around 45%. So, there's some good news. You'll certainly want to read the entire article, but here is an interesting excerpt: One of the means of tracking physical discs is to actually examine the minute defects a CD-ROM stamper creates as it presses the discs. These pits, grooves, or other defects can be scanned and placed into a database, to help track the spread of physical discs across the globe. Each unique disc stamp is called a "strain"; Microsoft has tracked over 580,000 throughout the world. When a disc's "fingerprints" are matched to a database that Microsoft maintains, the disc's origin can be linked to a particular facility, which could be tied to a piracy operation. Tracking the discs allows Microsoft and investigators to build "intelligent maps" of a piracy operation and its distribution methods. This is similar (or rather, it sounds similar) to what you see in the movies when there is a crime involving a gun and the police investigator looks at the shell, traces it back to its manufacturer and then figures out who bought it. I think that happened in either Casino Royale or Quantum of Solace. Microsoft also embeds security features into its discs and packaging to foil pirates, who can spend a great deal of time trying to foil them. Microsoft's chief weapon is embedding hard-to-copy security features directly into the disc itself, such as an embedded hologram of the Windows logo. Pirates, however, typically affix a hologram sticker to the front of the disc, and replicate the design of the Windows or Office disc with a sophisticated (but removable) peel-off label. Microsoft also designs the holograms so that they shift and move when the disc is rotated. A second security feature is the use of an actual embedded thread, which is added to the "genuine" paper Microsoft uses to print its COAs (certificates of authority) at the point of manufacturing. The thread is used to distinguish the real article. Pirates typically simulate the thread, printing it instead of embedding it. In some cases, however, pirates have been willing to go almost as far as Microsoft has to establish authenticity. In 2007, a major syndicate headquartered in southern China was accused of distributing $2 billion of Microsoft software, including fake versions of thirteen Microsoft products, including Windows Vista, Microsoft Office, and Windows XP, in at least eight languages. Software worth $500 million was actually recovered. The six-year investigation, including evidence gathered from 1,000 customers and partners, culminated in the 11 ringleaders receiving prison sentences. The pirates printed five separate layers of labels onto the discs themselves, trying to duplicate the shifting holograms that Microsoft had added. Actual thread was woven into the COAs, in an attempt to duplicate the real article. Using the CD stamper tool Microsoft developed, Chinese authorities tracked down the manufacturing operation. When they did so, Microsoft discovered a shocking fact: the counterfeiters had a larger manufacturing operation than Microsoft's own in the Europe, Middle East, and Asia (EMEA) region. "We found enough thread on site to make over a million COAs," Krumm said. The reseller purchased counterfeit COAs from China, then obtained the keys via fraud, and added them to his own counterfeits. The technique was so successful that investigators were fooled until the fraudulent keys were tied to the fake COAs. This illustrates the problem that software developers have when it comes to creating their product. Once you become so popular that you make lots of money, people will want to copy you and leech off of your product. In this case, a cybercrime syndicate went to a lot of work to make the fake pieces of hardware look as genuine as possible. It's difficult to say to what extent Chinese authorities are clamping down on stuff like this. On the one hand, they were involved in breaking up a counterfeit operation. On the other hand, they seem to be involved in cybertheft and digital intrusions upon foreign governments and foreign corporations (like Google). While we can't say for certain, given how closely the Chinese government monitors its digital traffic outside of the country, it's a bit of a stretch to believe that they aren't aware of it, can't monitor it or aren't tracking it in some manner. It's tough to tell whose side of the fence they are on. Anyhow, the point is that counterfeit software costs businesses annually. As business keeps making its security better to fight forgeries, the criminals evolve and catch up. It's not as easy as it used to be, however: "At the highest level, counterfeiters keep raising the bar because they have to," MacNaughton said. "In 2001, it honestly wasn't that difficult to counterfeit a decent passoff of our products. As time has passed, however, it has narrowed the number of people and the organizations' ability to counterfeit these products." Indeed.</description><link>http://www.secuobs.com/revue/news/216629.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/216629.shtml</guid></item>
<item><title>Microsoft releases its Security Intelligence Report, version 8</title><description>Secuobs.com : 2010-04-26 21:51:48 - Terry Zink's Anti malware Blog - Today, Microsoft released its Security Intelligence Report, version 8. The SIR is a twice-a-year (semi-annual, or biannual) document issued by Microsoft that reports on threats across the Internet industry, including email threats, malware threats, loss-of-data threats, web threats, and so forth. Some key findings from this report: (1) The number of malware infections cleaned by Microsoft is up in the 2nd half of 2009 (2H09) compared to the first half of 2009 (1H09). (2) Taterf and Frethog, two password stealers that were very prevalent in 1H09, were less so in 2H09. However, Taterf, Renos and FakeXPA were the top 3 pieces of malware detected in 2H09, respectively. (3) The later your version of Windows (XP, Vista, 7), the less likely your computer was to suffer a malware infection. (4) Spam is well over 90% of all email (not including intranet email, which doesn't flow through spam filters). (5) Financial scams like phishing and advance fee fraud scams are well up in 2H09. (6) Vulnerability disclosures are slowly decreasing over time. Either companies are disclosing less, their software is getting better, or malware authors haven't taken the time to discover the exploits. I wrote a big chunk of the email threats section. You can check out the SIR here.</description><link>http://www.secuobs.com/revue/news/216137.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/216137.shtml</guid></item>
<item><title>Newest round of Twitter spam</title><description>Secuobs.com : 2010-04-24 01:06:52 - Terry Zink's Anti malware Blog - This one fooled me for a half second. I got an email to my work account indicating that I had 3 delayed messages in my Twitter account. The social engineering technique is designed to get me to click on the link and redirect me to a spam site, and quite possibly infect my system with malware as part of either a drive-by download or a "click here to install such-and-such" (I didn't click on the link). Because the message looks like something Twitter might send (it looks a lot like Twitter), users could easily be tricked into going there. Because it came into my email account that I don't have associated with Twitter, I was immediately on guard. But I felt that emotional taking-down-of-my-guard when I saw that it was "from" Twitter. The sending IP is coming out of Russia, but the site is hosted on a domain that ends in .com.ar. The A-record for this site is hosted on an IP address that belongs to a hosting company out of Florida. Be aware: it's a social engineering spoof, not a legitimate Twitter message.</description><link>http://www.secuobs.com/revue/news/215592.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/215592.shtml</guid></item>
<item><title>Russian Cyberthief Case Illustrates Security Risks For US Corporations</title><description>Secuobs.com : 2010-04-23 12:00:28 - Terry Zink's Anti malware Blog - National Defense Magazine has an article up in their May edition about the case of a Russian cyberthief. It illustrates the mindset of a hacker and the challenges faced by US corporations. Here is an excerpt: "'Vladimir' came from a good family in Moscow. His parents both had advanced degrees and he was an academic star in high school. He studied finance at his university and was equally well versed in computer science and physics. Smart, well spoken and personable, he could have been anything he wanted to be. But he chose to become a cyberthief. He first gravitated to the hacking underground at age 16. 'There he found a world of colleagues, teachers, conspirators and entrepreneurs,' Danner said. Rising through the ranks and gaining prestige among peers requires neophytes to display the skills required to break into secure networks that contain valuable data. The collaboration and synergies in hacker circles are as robust as any found in the best special operations and law enforcement teams. 'The difference is they collaborate amongst themselves anonymously,' he added. Hackers have different specialties and work in teams, he said. They learn and share knowledge and tools among each other. 'They are, in fact, a community of practice,' he said. 'They conduct their reconnaissance and research in a strategic manner in a project management approach.' The vast majority of their time is spent on operational planning, research and reconnaissance before they carry out an attack. Vladimir, for example, would never launch an operation that didn't get laundered through at least 10 servers. Vladimir specialized in bilking wealthy Americans. He read Forbes Magazine to glean names, broke into databases to grab former addresses, mother's maiden names, social security numbers and other useful information. He had American co-conspirators, who specialized in making fake IDs and credit cards. They would apply for home equity loans and then abscond with the money. Vladimir boasted that it was easy to build a profile on US residents. 'I was really impressed with his data harvesting skills. He was really on par with the best investigators and intelligence professionals,' said a police investigator, who interviewed Vladimir in a US prison. He sometimes hired US-based private investigators who unwittingly gathered information for him. Vladimir also had a well-placed connection in Russian law enforcement who protected him." This particular example of a hacker demonstrates how far some hackers will go in order to steal our data. The good ones do their research ahead of time and cover their tracks afterwards. It also shows the relationship between hacking and government, at least in some of the eastern bloc countries. The Iron Curtain may have fallen in the 1990s, but it's now been replaced by the chain link fence. You can still see through it; it's not as thick nor as hard as the Iron Curtain, but it is still a barrier that isn't easily penetrated. It's difficult to say how much of a relationship exists between government and hackers in Russia. It seems to me that there are hackers out there, and law enforcement is corrupt and their services are available to the highest bidder, simply because the cost of living in some cities is so high. Hackers are useful to have around, just in case, and keeping them away from the prying eyes of the west is also useful. If the state isn't actively using people like the Russian Business Network, they are at least looking the other way. Certainly there are some elements that are involved, though maybe not directly. China seems to be a different case. There, the government seems to have no qualms about protecting hackers and using them for cyber intrusions. They deny everything directly instead of looking the other way. The point is that while some hackers, phishers and spammers are throwing everything out there by casting a wide net and seeing what sticks, others are carefully sewing their nets together, using fish finders and casting their nets in those places. Targets (that's ham-and-eggers like you and me), beware.</description><link>http://www.secuobs.com/revue/news/215355.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/215355.shtml</guid></item>
<item><title>CallService.biz shut down by the FBI</title><description>Secuobs.com : 2010-04-22 13:17:58 - Terry Zink's Anti malware Blog - Gary Warner over at Cyber Crime and Doing Time has a good post up this week about the CallService.biz website being shut down. I'm not going to comment on it; rather, I will post a few good excerpts: "On April 19th a friend sent me a Facebook link announcing that CallService.biz had been closed. The news was officially announced by the New York FBI on Monday, although the arrests happened on April 15th. The Indictment says that Dmitry M. Naskovets (Дмитрий Насковец) resided in the Czech Republic and the Republic of Belarus and that he operated the online business CallService.biz with his co-conspirator, Sergey A. Semashko (Сергей Семашко), and that such business was 'an online enterprise designed to help identity thieves profit from stolen financial data.' The indictment quotes from an advertisement that Semashko placed on another website to advertise their service. That website, CardingWorld.cc, was owned and operated by Semashko. The advertisement claimed that CallService.biz had 'over 2090 people working with it' and had done 'over 5400 confirmation calls' to banks, meaning calls to confirm or conduct fraudulent transactions, as described above. Title 18 Section 1343, accusing them of 'unlawfully, willfully, and knowingly, having devised and intending to devise a scheme and artifice to defraud, and for obtaining money and property by means of false and fraudulent pretenses, representations, and promises,' that 'would and did transmit and cause to be transmitted by means of wire, radio, and television communication in interstate and foreign commerce, writings, signs, signals, pictures, and sounds for the purpose of executing such scheme and artifice.'" Warner's take on the world of spam, malware, hacking and phishing is that unless people actually go to jail because they are spamming, the problem of spamming will never get better. That's because when the security industry fixes the latest hole or comes up with a new technology to stop the newest threat, spammers simply move onto another. While the security industry is rushing to catch up to compete with this latest round of threats (spam, rogue A/V, Black SEO, and so on), these spammers are busily engaging in all sorts of nefarious purposes. They simply up and relocate when their tactics no longer work. It's not a technology problem, it's a social problem. By contrast, arresting people and sending them to prison stops them from spamming because they don't have access to the Internet from which to push out all of their fraud. Stop the spammers themselves and you don't have to come up with new technology; the people behind them are no longer doing it. I actually agree with Warner in that people have to go to jail to stop the problem of cyber-abuse. My own take is that the actions are multifaceted: law enforcement must pursue abusive players; technology companies must have good software in order to make abuse unprofitable (too difficult to make money); and users must stop taking action on abusive invitations-to-treat, because the handing over of their money is what drives the abusers' motives. Each of these is complex in and of itself, but it is what realistically needs to happen.</description><link>http://www.secuobs.com/revue/news/214869.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214869.shtml</guid></item>
<item><title>More details on the Google cyberattack</title><description>Secuobs.com : 2010-04-21 07:42:30 - Terry Zink's Anti malware Blog - The New York Times has some more details on the Chinese cyberattack that hit Google back in January, prompting Google to threaten to withdraw from China and eventually redirect all traffic to google.cn to google.com.hk. Below are some excerpts: "Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications. The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services. The theft began with an instant message sent to a Google employee in China who was using Microsoft's Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified. By clicking on a link and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team. In Google's case, the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first tried to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored. They then transferred the stolen software to computers owned by Rackspace, a Texas company that offers Web-hosting services, which had no knowledge of the transaction. It is not known where the software was sent from there. The intruders had access to an internal Google corporate directory known as Moma, which holds information about the work activities of each Google employee, and they may have used it to find specific employees." It's still not quite clear what exactly happened, but more details are now coming to the surface. I don't know exactly what role Gaia plays, but from what I can tell, here is what happened: (1) A Chinese Google employee was using Live Messenger and a hacker sent him a message with a link to a web page with a drive-by download. A drive-by download is a web page that hosts malicious content and automatically takes advantage of vulnerabilities in a browser. (2) This employee clicked the link in the Messenger program, launching his web browser. It went to the link and the malicious web page started to execute. (3) The malicious web page took advantage of the security flaw and exploited another vulnerability in Gaia, Google's Single Sign-On solution (I would assume that Gaia helps manage access to Gmail, YouTube, Blogspot, and other Google apps). (4) The intruders then gained access to some of Gaia's (Google's) internal workings and, indeed, once they got this access they were able to impersonate the real Google employee and use his credentials to poke around. They obtained access to Google's internal employee database of activities and were able to figure out what they wanted. (5) Poking around, the intruders gained access to some source code and copied it to servers at Rackspace, in Texas. Why they would do this is unclear, but one answer is that they wanted to go with a hosting provider and "hide" within another cloud service. In other words, they didn't go with their own servers right away, to prevent being back-traced. They then would have pulled the software off of these servers and passed it along to their intended destination (or perhaps another intermediate hop). To me, this is indicative of a targeted attack. It is not something that would have occurred off-the-cuff, but resembles a more sophisticated operation. It would have required pre-operational work, including surveillance of the targeted employees. They also would have had to figure out a security hole in the Gaia software, as well as the web browser. This implies that they were working on it well ahead of time and didn't reveal it beforehand, such that the maintainers of the web browser could have issued a security patch. Once inside, they moved around really quickly and seem to have had some familiarity with the internal workings of Google, which suggests that they may have had some prior exposure and retained the information. Finally, they covered their tracks by pushing the software to Rackspace so as not to directly leave a trail back to themselves. If my analysis is correct, this is not the work of an amateur but instead of a professional hacking operation. Whether or not there was state sponsorship behind it is up for debate.</description><link>http://www.secuobs.com/revue/news/214426.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214426.shtml</guid></item>
<item><title>Sarah Palin to take the stand in "hacking" trial</title><description>Secuobs.com : 2010-04-21 02:45:29 - Terry Zink's Anti malware Blog - From the Associated Press: "KNOXVILLE, Tenn. - A former college student charged with hacking Sarah Palin's e-mail account fears some jurors in heavily Republican East Tennessee could be dazzled when the conservative star testifies. A jury of 12 and two alternates was seated Tuesday to hear the case against 22-year-old David Kernell. Prosecutors have not said when Palin will take the stand. Kernell was a University of Tennessee student majoring in economics when prosecutors say he hacked into the Yahoo account Palin sometimes used for state business. At the time she was Alaska's governor and the GOP candidate for vice president. Convictions on all four felony charges (identity theft, wire fraud, intentionally accessing Palin's e-mail account without authorization and obstructing an FBI investigation) could send Kernell to prison for up to 50 years. He is accused of accessing Palin's Yahoo e-mail account by answering a series of personal security questions, resetting the password to 'popcorn,' making screen shots and posting the contents online using the nickname 'rubico.'" This is an interesting case of hacking because it is an example of low-tech hacking. All that Kernell did was guess what Sarah Palin's Yahoo id was after reading that she used it instead of government email addresses to discuss some of her personal (and public) affairs. He then went to Yahoo's page and reset the password. Like any good web password reset field, Yahoo has some security questions set up. Unfortunately, because Palin is a public figure, the questions were not actually a secret, because someone, given a little bit of time, could do a web search and figure it out. Something like "Name your best friend from elementary school" is probably a good question; something else like "What is your mother's maiden name?" is not. That's what Kernell did. Unfortunately, he fell into the trap that a lot of amateur hackers fall into: he let his ego get the better of him. By changing the password and then posting pictures of it using a nickname, he pretty much led investigators on a trail right to him. This is similar to the owners of the Mariposa botnet earlier this year getting frustrated and logging on to control their botnet directly from their own computer. Once that happens, investigators can trace the connection back to the owner of the computer. Of course, in all cases it isn't quite that easy, because some people can be behind a shared IP, and so while we may be able to narrow it down to a range, we can't necessarily narrow it down to a particular person. In addition, because IP addresses are often randomly assigned and refreshed, using IP addresses as a unique identifier works only part of the time and in particular cases. The professional hackers know better. They keep their egos in check and hide behind proxies; that is, they take control of another machine and use that to control their botnets. This proxy machine then relays the information back to the hacker. Authorities can still trace the hacker, but they have to log onto the machine that is acting as the proxy and view the logs on that one to see where it was transmitting data to. Smarter hackers still might hide behind multiple proxies and even erase their log history afterwards, or worse yet, plant fake ones. This is all traceable, but it takes a lot of time and resources to do it. Sometimes it is a matter of time before the attacker slips up and makes a mistake. That's what the amateurs do. The professionals don't; they are careful to hide their identity and they are also cautious not to draw attention to themselves. In cybercrime, anonymity is what pays, or at least keeps the police off your trail. And that, of course, is the real challenge of cybercrime. This anonymity makes it very difficult to trace offenders back to their source, and investigations can end up on rabbit trails. It's great for protecting privacy, but not so good at protecting people from others with nefarious intentions.</description><link>http://www.secuobs.com/revue/news/214348.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214348.shtml</guid></item>
<item><title>Why bother changing your password?</title><description>Secuobs.com : 2010-04-20 11:25:21 - Terry Zink's Anti malware Blog - Last month, DarkReading had an article about how end users tend not to choose strong passwords, and indeed have poor password habits, due to their inability to draw a line of correlation between strong passwords and personal security: "End users routinely reject security advice and recommendations for strong passwords and for heeding dangerous Website warnings -- and that behavior makes perfect sense from an economic and psychological perspective, security experts say. Cormac Herley, a researcher in the Microsoft Research organization, says end users are understandably noncompliant because there just isn't explicit proof that creating a strong password, for example, makes them less likely to have their accounts hacked. 'Security people are trained to look for the worst-case analysis, but users don't think that way,' says Herley, who emphasizes his opinions are his own and not that of Microsoft. 'For example, users are told not to reuse passwords across accounts because if an attacker gets one, [he] might be able to get into their other accounts. But we don't know how often that does happen.' Most security training and advice aren't compelling enough for users to accept them, he says. The approach is telling them to reduce the risk, but 'it's an unknown risk,' Herley says. 'That doesn't seem to be compelling to people.'" In another article that I read this past weekend but can now no longer find, some use the argument that the e-security industry lacks the consistent or simple message of the health industry, or the automobile industry. If you smoke, you will get cancer. If you don't use your seat belt, you are more likely to die in a car accident. In security, the message is convoluted: if you don't have a secure password, then in the not-all-that-likely event that you have your account attacked, it will take an attacker longer to break into your account. But oh yes, there are lots of other things that you have to do as well. In other words, end users don't see a direct benefit of implementing all of the security recommendations that experts urge them to do. People also hear a lot about threats, and it seems like no matter what they do, there is still a good chance that they will get hacked or have their accounts stolen anyhow. Given that they lack proof that strong passwords work, it's no wonder that people ignore our security advice. So what can we do about it? Make things simpler? Sacrifice truth for clarity? It's difficult to say, because the attack vectors are wide. "If end users are then provided hard numbers on the harmful effects of not recognizing phishing URL cues or using and reusing weak passwords, Herley wants to determine whether this would change their behavior. 'Does it change things if we give them better reasons [to follow security guidelines]?' he asks. That would mean giving them information on how a strong password reduces their risk by this specific amount, for example, he says. Schneier says it all depends on incentive. 'If there's no specific consequence to a user for breaking a security policy, then he isn't likely to change his ways. Their bonus is not based on security, but whether they get their job done. You get the behaviors you reward,' he says." Indeed. That last line is something I have been preaching internally for a while when it comes to outbound spam. A few months ago I shifted my perspective on how we deal with it. We filter all of our outbound mail and take action on spam. We then open a support ticket to disable the user's account. If the spam is currently not being marked as spam by our filters, then we mark it as a higher priority ticket than if it is being marked as spam. The idea is that we have to react quickly to spam that we know we are not automatically catching. The difference is in support response time, because nobody can be on call to react to this stuff at all times, at least until we have auto-disablement built in. I shifted my stance some time ago. Now, I am of the opinion that no matter what our filters say, if someone has mail marked as spam, it should be a high priority action to disable the user's account. Unless that specific end user encounters a consequence for breaking our security policy, there is no motivation to change their behavior. Changing that behavior is key to stopping outbound spam, whether it is by running up-to-date A/V software, ensuring that software patches are up-to-date, or not leaking one's username and password to phishers.</description><link>http://www.secuobs.com/revue/news/214012.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214012.shtml</guid></item>
<item><title>Twitter's efforts paying off</title><description>Secuobs.com : 2010-04-15 22:22:37 - Terry Zink's Anti malware Blog - I'm proud of Twitter. Last year they started taking action to reduce the amount of spammers on their network. As a free service, they are the target of abuse attacks. Yet in the beginning, it's not something that most services need to worry about. It's only when you start to become popular that you start to attract the ilk of the spammer. If you'll check out that blog post, then by their own internal metrics Twitter has reduced the volume of spammy posts (tweets) from 10% in August 2009 to close to 1% today. That's incredible! Reducing abuse on a free service like this is notoriously tricky, but it looks like Twitter has managed to implement a number of security measures designed to cut down on malicious sign ups and malicious posts, and has demonstrated notable progress.</description><link>http://www.secuobs.com/revue/news/212637.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212637.shtml</guid></item>
<item><title>Military asserts right to return cyber attacks</title><description>Secuobs.com : 2010-04-15 00:25:24 - Terry Zink's Anti malware Blog - The Washington Post has a good article up today capturing comments issued by the United States military that it has the right to return fire when it comes to cyber attacks: "WASHINGTON -- The US should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker's identity is unknown, the director of the National Security Agency told Congress. Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the US should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks. 'Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario,' Alexander said in a Senate document obtained by The Associated Press. The three-star Army general laid out his views on Cyber Command and the military's role in protecting computer networks in a 32-page Senate questionnaire. He answered the questions in preparation for a Senate Armed Services Committee hearing Thursday on his nomination to head Cyber Command. Alexander offered a limited but rare description of offensive US cyber activities, saying the US has 'responded to threats, intrusions and even attacks against us in cyberspace,' and has conducted exercises and war games. It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations. In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known. But commanders have clear rights to self-defense, he said. He added that while 'this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles, would be lawful.' Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the US may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack." This is an interesting point of view, and it extends from the United States's policy that if it is attacked using conventional weapons, it reserves the right to respond in kind. This has been a long accepted precept governing US foreign military policy for generations. Yet cyber attacks are different for a couple of reasons: (1) In cyber attacks, it is not physical infrastructure that is being attacked, and civilians' lives are not directly threatened. It's a cat-and-mouse game, and a cyber attack is hard to respond to in like kind. In other words, how do you know how much damage you want to do? (2) The bolded part above (the second point, about police officers) is convoluted. It is true that a police officer doesn't have to know the identity of a shooter in order to shoot back. However, a police officer certainly knows who is shooting at him (or her), because they can see the direction from which the bullets are coming towards them. In other words, there is a line of sight. They don't know the name of the shooter, but they can definitely see them shooting. In cyberspace, you may not even know who is attacking you. You might see the attacker, but it doesn't mean that the one doing the attacking is the one behind the attack. For example, in a DoS attack, networks of compromised computers would be attacking your infrastructure, but the one behind the attack is not directly connecting to your network. Who do you counter attack? Do you do it in real time? There's no point attacking the zombie computers, because they don't even know that they're doing it. The analogy to law enforcement is a thriller horror movie: some bad guy is able to take control of unsuspecting citizens and get them to commit crimes. The police would know the shooter, but they'd be returning fire at the "wrong" person. Continuing onwards in the article: "Alexander echoed other experts who warn that the US is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a 'strategic vulnerability.' Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions." This is a more realistic view, in my opinion. Probably the best step is knowing where your vulnerabilities are and trying to defend them. As some famous coach said, "Offense brings fans, but defense wins championships." In other words, you can go on the offensive, but weakness in your own systems can severely degrade and impair your ability to launch an attack. If your internal systems are going haywire, you can be totally disarmed and unable to launch a counterstrike. Of course, once you do have your defensive ability up to snuff, or good enough, you will need a good offensive counterpunch. In boxing, if all you are doing is defending, eventually your attacker will wear you out as you absorb blow after blow (the exception being Homer Simpson, where his opponents would hit him and tire themselves out and all he would have to do is push them over without throwing a single punch; the exception to that being Drederick Tatum). The rules of engagement for offensive counter strikes are more tricky. Does the US, after identifying a non-state actor attacking it, go after the actor themselves? Or do they pressure the government where the non-state actor is located to handle them? Or do they launch an attack on the government if they consider their enforcement lackadaisical? Or perhaps even intentionally sheltering cyber attackers? I suppose that for this, the standard military rules of engagement apply.</description><link>http://www.secuobs.com/revue/news/212267.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212267.shtml</guid></item>
<item><title>US Air Force adds training in cyberwar</title><description>Secuobs.com : 2010-04-14 12:39:10 - Terry Zink's Anti malware Blog - I read an interesting article today that the US Air Force is adding the basics of cyberwarfare for new recruits to its training. The US Air Force will train all new recruits in the basics of cyberwarfare and add more advanced schooling for others to help combat the growing threat of attacks on US computer networks. Four-star General Robert Kehler said details are still being worked out on a cyberwarfare component for basic training, but it would be brief, perhaps an hour or two total, and would cover only the fundamentals. A more advanced, undergraduate-level training program will begin in June to train officers and enlisted personnel for a new US Air Force career field in cyber operations, Kehler said. He likened it to existing undergraduate training for pilots, navigators, missile operators and space operators. Kehler, who heads the Air Force Space Command at Peterson Air Force Base in Colorado Springs, spoke to the annual National Space Symposium and in a separate interview. The Space Command oversees the Air Force's cyberwarfare operations. Kehler said the basic training component would cover such basic precautions as using firewalls and passwords. "We teach them at basic training fundamentals of an M-16 (rifle), for example, and an M-9 (pistol), and so we want them to know the fundamentals of the computer network that they're going to be operating in," he said. The more advanced training will last six months and include skills currently taught to communications operators plus additional skills in computer networks and vulnerabilities. That will be followed by more specific training. The first class will include about 16 officers. Kehler said several sessions are planned each year because the Air Force will need to produce about 400 officers annually with skills in cyberwarfare. They will be assigned jobs across the Air Force, including the 24th Air Force, based at Lackland Air Force Base, Texas, a component of the Space Command responsible for cyberwarfare and Air Force computer networks. It's interesting that the military is now adding these basics. But basic training that covers only firewalls and passwords, and only lasting an hour or two, is hardly anything. One would think that most new recruits would already know the basics of passwords and firewalls, but I suppose if enforcing strong passwords is something they teach, then it would be a bonus. It will be interesting to see what types of advanced operations are taught in the advanced course. I would think it would include stuff like hacking, botnets, buffer overflows, stack dumps and traces, malware, and other sundry subterfuge. But even then, I doubt six months would be enough. It's one thing to teach these things in a course and it's quite another to experience them in real life. It takes people in the industry years to gain enough knowledge that it comes to them second-nature. There's simply so much out there that I would think real-life training would be better acquired by having them run the servers at the Pentagon, or the Department of Defense, or Homeland Security, or something. It is there, in real life, that you really cut your teeth by having to deal with this stuff every day. I wonder how the Air Force teaches that sort of thing. In warfare training, they can have drills and drills and simulate combat scenarios. This is in order to teach recruits not to freeze when it comes to real-life battle. If you can simulate it enough in a "safe" environment, it starts to become ingrained in you so that when it is no longer safe, your training kicks in. What sort of training can prepare a recruit for cyber attacks? Are they simulated? Does the military put someone into a server room and then start launching "fake" DoS attacks, and then see how the people fend them off? Cyber security for most people is an iterative approach. You do a bunch of trial and error, and over time you start to learn to recognize patterns that attackers use. Furthermore, it is based on this past experience that you can reach back into your memory banks and react more quickly when new threats appear. In other words, training is useful, but experience counts for so much. Mind you, doing cyber security in the Air Force is probably a pretty good deal. One wonders if it is as lucrative as working at the NSA. One wonders what the Air Force will do with such graduates. I arrogantly expect that if I were to take the course I would easily breeze through it. If they need someone to teach stuff about spam, I'm available (on weekends).</description><link>http://www.secuobs.com/revue/news/211995.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/211995.shtml</guid></item>
<item><title>Out of office spam</title><description>Secuobs.com : 2010-04-12 12:08:52 - Terry Zink's Anti malware Blog - This past week we started seeing some examples of out-of-office or vacation reply spams being reported as false positives (i.e., our filters caught them and users reported them as Not False; this type of thing happens all of the time). What is happening is that a spammer is creating accounts in Hotmail or Gmail and then setting up a vacation reply. When someone emails it, Hotmail or Gmail mails the user back saying that they are not there. But the body of the message contains a bunch of spammy text in it. [image] The spammer then sends a bunch of mail to his vacation account using spoofed addresses, and the bounce goes back to the user at the spoofed address. It's a form of malicious backscatter where the spammer is abusing Hotmail to send his spam indirectly. I call it malicious because in traditional backscatter, the receiving MTA is the one that is unknowingly bouncing spam back to end users. In this case, the spammer is knowingly bouncing spam to end users, taking advantage of one of the flaws in email.</description><link>http://www.secuobs.com/revue/news/211040.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/211040.shtml</guid></item>
<item><title>How traffic shaping works, part 1</title><description>Secuobs.com : 2010-04-10 06:04:23 - Terry Zink's Anti malware Blog - With all of the brouhaha of the past couple of years surrounding Net Neutrality, and especially with a federal court ruling that the FCC had no grounds to enforce it, I thought that I would get into a bit about how traffic shaping works, which is at the heart of Net Neutrality. Imagine that you have an email to send. The email is a chunk of text, and let's say that we picture it like the following diagram. [diagram] When anything goes out over the Internet these days, it does so using a technique called packet switching. Packet switching is the process of sending a message over a connection whose endpoints are not physically connected to each other (which contrasts it with circuit switching). The message is transmitted over any number of hops, and these hops are connected to each other, but not necessarily physically connected. Thus, to get from Point A to Point B, if you send the same message multiple times, it could take different paths to get there. [diagram] The above diagram is my fictional diagram indicating a possible packet switching implementation where each circle is a node, or hop, along the way. While it is certainly possible that Point A to Point B can follow the same path (indeed, there are protocols that do this), a regular packet switching implementation doesn't require or guarantee this. Furthermore, the entire message is divided up into little sub-messages called packets. These packets are each sent from Point A, travel across the Internet and are reassembled at Point B. The packets all have information for Point B on how to reassemble the message. A sample packet might look like the following. [diagram] Each node along the path inspects the header, sees the sender IP address and the receiver IP address, and pushes it along to the next node. Point B knows how to reassemble the entire message because of the packet number. If an error occurs along the way, it can issue a message back to the sender at Point A to resend either the entire message or single packets. The trailer is a sort of data integrity part of the packet, and one of the more popular ones is the Cyclic Redundancy Check (CRC). It detects errors by using mathematics to add up the various ones and zeroes, does some other math operations and compares to see whether the data inside the rest of the packet adds up to the checksum. This is important because missing bits of data can change the interpretation of the message. Suppose the above message was divided up into the following three packets. [diagram] However, due to noise on the line (it was routed through Manitoba during the summer and the routing lines have 38 million mosquitoes on them; people have swatted them away and, in a weird coincidence for this particular message, it interfered with the transmission), certain parts of the message get changed. [diagram] For those of us who are more accustomed to hearing that first message, the second one gives us a false sense of hope. A CRC check can prevent this because the digits would not add up to the proper checksum and the sender would be asked to send the packet again. Anyhow, the point of all of this is that packets contain information that the transmission services look at in order to make routing decisions. A packet contains some data, and then the end trailer contains pieces of information to ensure that the message accuracy is retained at the other end.</description><link>http://www.secuobs.com/revue/news/210729.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210729.shtml</guid></item>
<item><title>How traffic shaping works, part 2</title><description>Secuobs.com : 2010-04-10 06:04:23 - Terry Zink's Anti malware Blog - Continuing on from my previous post, we can see that in a packet switching network, data goes from Point A to Point B with no regard to the type of data being carried. Various algorithms compute the best path with no regard for the type of traffic being transmitted. Whether a protocol is SMTP, HTTP, FTP, or something else doesn't matter to the next node. The transmission algorithm computes the fastest way in order to ensure that the data gets there and its integrity is retained. Net Neutrality requires that the transmission entity (companies like Verizon, AT&amp;T or Comcast who own the cable lines) route traffic like this and don't change anything. In other words, they continue to look at the sender, receiver, protocol and packet number and send traffic the best way possible, regardless of what that protocol is and regardless of what the payload is. Where traffic shaping comes into play is the cable provider doing more packet inspection. Not only do they need to know the routing information (like for all traffic), they also inspect the content of the traffic to make decisions. Suppose that a user is sending an email to a friend, and that the friend is also downloading bit torrents. A cable provider might deduce that sending email is a fairly lightweight operation because we can only write so many emails and most messages are small. By contrast, bit torrents are much bigger. Someone might be trying to download a pirated version of Avatar. Movies are very, very large and they consume a lot of bandwidth. Most emails are less than 100 KB. Most movies are 3-4 gigabytes. This sucks up a lot of the provider's bandwidth. Suddenly, the cost to the provider increases, and what was formerly a feasible service (providing Internet service to end users) has become infeasible. [diagram] A provider has to lay down more and more infrastructure to accommodate the bit torrent downloader in order to ensure that the quality of service to its other users is not degraded. Yet it charges the user the same amount of money (or only marginally more). This increased set of costs on the cable provider starts to become infeasible when more and more users start using substantially large amounts of bandwidth, yet the cable provider sees no derived benefit from it. In order to remain competitive (and stay in existence), they need to keep their costs down. In order to get around this increased demand from users for bandwidth, cable providers do something called deep packet inspection. Instead of only looking at the routing information, they also look at the payload. If the payload happens to be something that they deem to be bandwidth heavy, such as bit torrenting, then they might decide to do one of the following. (1) Throttle the connection, wherein the bandwidth provider slows down the traffic speed from Point A to Point B. Rather than pushing it all through at once, the bandwidth provider limits the rate at which it transmits data between the two end points. (2) Alternate routing, wherein the bandwidth provider looks at the type of data being transmitted and routes it to an alternate path that is lower quality. The net effect is the same as throttling: the speed and reliability at which the two end points can exchange data is degraded. Depending on who you ask, this is either reasonable behavior (the cable companies and hardware infrastructure companies) or completely unreasonable (users and software companies). Where the Net Neutrality debate starts to get heated is when the headers of packets are inspected and routing decisions are made based upon the source of the content, rather than the type of the content. If you watched the videos in my other post, the concern is that if a user subscribes to Comcast and they want to watch a TV show that airs on NBC, that's no problem today. But suppose Comcast and ABC have cut a deal. Rather than transmitting data between NBC and the end user at the optimal speed, Comcast deliberately throttles the connection so that the user experience is degraded (choppy video, pauses, etc). In response, a user says "Enough is enough" and heads on over to ABC. "Hey, this video quality is sweet! I'll just stick to shows on ABC." Comcast wins because the deal they cut with ABC is paying off. ABC wins because they get more viewers. NBC loses because ABC and Comcast have cut them out of the loop. So you see, the source/destination of the traffic and its possible throttling is what has many Net Neutralists up in arms. They fear that large corporations can get together and collude to influence user behavior. This is one example, but there are others. Governments can pressure ISPs to throttle connections to opposition groups. ISPs can cut deals with each other to knock other ISPs out of the market. Google can team up with Road Runner and provide high speed voice services (not that Google would, since they are a Net Neutrality advocate). And so forth. If the net is neutral, that means that all cable providers can do is inspect the routing information and pass it along to the next best hop without prejudice. Without it, they can inspect the type of payload, or the end-points of that payload, and make routing decisions that would degrade the user experience. It would essentially mean that free information is now subject to the whims of (presumably evil) corporations who are malevolently looking to make more money off of end users, and this is against the entire spirit of the Internet, which is freedom of access to information. Bandwidth providers reply that if they are going to lay down expensive infrastructure and people want to pay more for better access, then they should be allowed to do that. If they can't charge more, then why should they invest? Free market advocates claim that enforcing Net Neutrality is a way of regulating the Internet, which the Net Neutrality advocates should be against. They also claim that even if a few bandwidth providers do this, others will not. End users will stop using ISPs that use traffic shaping and will flock to those that do not, and therefore the attempts by bandwidth providers to shape traffic will fail once they see that their businesses are losing money because of those policies. It's a complicated debate, but I think I'll reiterate my previous position: it's about the money.</description><link>http://www.secuobs.com/revue/news/210728.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210728.shtml</guid></item>
<item><title>Apparently my reputation precedes me</title><description>Secuobs.com : 2010-04-09 07:07:54 - Terry Zink's Anti malware Blog - I recently made a slight shift in the team I report to at work. I'm still in anti-spam, but the organization under which I report has moved a bit. Anyhow, we were in a team meeting when my new boss asked people to go around and make introductions. When it came to me, someone said, "We heard you hate spam more than anyone else in the world." I smiled at that. There's an element of truth to it.</description><link>http://www.secuobs.com/revue/news/210440.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210440.shtml</guid></item>
<item><title>An ominous warning</title><description>Secuobs.com : 2010-04-08 04:37:21 - Terry Zink's Anti malware Blog - Those of you who have been following my blog for a few months know that this past November, while I was in Peru, a spammer tried to kill me. This was the same guy who tried to take me out when I went to China a year earlier. In this latest encounter, I managed to toss him off a cliff and I thought I had finished him off. Yet today, I received the following message in my email inbox: "Nice pictures of Peru. But you failed to finish the job. Until next time, spam fighter. I'm watching you." I guess I wasn't able to tie up all the loose ends after all. The saga continues.</description><link>http://www.secuobs.com/revue/news/210002.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210002.shtml</guid></item>
<item><title>Federal Appeals Court rejects FCC's bid to enforce Net Neutrality</title><description>Secuobs.com : 2010-04-08 04:37:21 - Terry Zink's Anti malware Blog - Yesterday, a federal appeals court ruled that Internet traffic regulators like the FCC had limited power over web traffic under current law. The court decision was a setback to efforts by the Federal Communications Commission to require companies to give Web users equal access to all content, even if some of that content is clogging the network. The court ruling, which came after Comcast asserted that it had the right to slow its cable customers' access to a file-sharing service called BitTorrent, could prompt efforts in Congress to change the law in order to give the FCC explicit authority to regulate Internet service. Confused about Net Neutrality? Here's a video taking the "for" side on Net Neutrality: what it is and why it is important. Sounds reasonable. Reason has its own video up taking the position against Net Neutrality; you can watch it below. To summarize the arguments: (1) Today, everyone has equal access to everything on the Internet; this freedom of information needs to be preserved and protected by government if necessary. (2) Internet broadband providers like Verizon and AT&amp;T will slow down connections to rival websites and make users pay them more money if they want better access. If you want to visit their preferred sites (let's say Verizon and Google strike a deal), you can visit Google's sites a lot faster if Verizon is your broadband provider. This means that various vendors can get together and monopolize the Internet and strongly influence users toward their own sites. This lies at the very heart of freedom of information: it's not free if someone can influence it. (3) However, there isn't any evidence of this actually occurring in real life. Broadband providers like Comcast and AT&amp;T say that this doesn't occur in real life and they need the ability to shape traffic in order to maximize the user experience. They aren't interested in shaping traffic to cut deals with large corporations; they are interested in maximizing their investment. For example, if they take on the risk of building fatter pipes, then if someone wants to pay more to access those fat pipes they should be allowed to do so. In addition, traffic like bit torrents clogs the pipes and Comcast needs to be able to throttle those connections, because if they don't, everyone suffers. (4) In my opinion, companies that have something to gain by Net Neutrality tend to come out for Net Neutrality. For example, Google's services all run on the Internet. So do Skype's. So does eBay. If all traffic is treated equally, then a software company only needs to build the application. They take on none of the risk of building the infrastructure and secure all of the benefits. They can piggy-back on someone else's work: simply wait for the Internet to get faster and, without having to do anything, their services run better. Companies that bear the brunt of Net Neutrality, such as an ISP, will be against it because they assume the cost of building out more infrastructure but cannot charge any more for it. It's kind of like building a higher-model luxury vehicle but having to charge the same amount for it. That's my summary in a nutshell. From an end-user perspective, it's all about freedom. From a corporation's perspective, it's all about the money.</description><link>http://www.secuobs.com/revue/news/210001.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210001.shtml</guid></item>
<item><title>Vietnam rejects Google hacking accusation</title><description>Secuobs.com : 2010-04-06 02:47:34 - Terry Zink's Anti malware Blog - I found this on Yahoo News today (via the AFP). HANOI (AFP): Vietnam has rejected accusations by Internet giant Google that Vietnamese computer users have been spied on and political blogs hacked into. The US-based firm last week said infected machines had been used both to spy on their owners as well as to attack blogs containing messages of political dissent. "These are groundless opinions," Nguyen Phuong Nga, spokeswoman for the Ministry of Foreign Affairs, told AFP. Vietnam has "specific regulations against computer viruses, harmful software and for ensuring information security and secrecy," she said in comments received over the weekend. Google said the malicious software infected computers of users who downloaded Vietnamese language software, and possibly other legitimate software, that was altered to infect the machines. Leading Internet security firm McAfee said perpetrators of the Vietnamese attacks "may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam." Google announced last month it was redirecting mainland Chinese users to an uncensored site in Hong Kong, making good on an earlier pledge not to go along with the Communist Party government's censorship rules. Its decision to defy Beijing was based on what it called concerns over censorship and cyberattacks it said originated from China. Analysts, rights groups and diplomats say the human rights situation in Vietnam has been worsening. The country's restrictions on news media and Internet sites such as Facebook threatened Vietnam's rapid economic progress, Western donors said in December. That Vietnam is now being accused of spying on political dissidents comes as a bit of a surprise to me. Vietnam has been known historically for communism and socialism, as well as clamping down on human rights, but in the past two decades has greatly liberalized its economy and trade practices. It boasts a very high rate of GDP growth (over 5% for 2009) and the United States has formally re-established relations with the country. I guess that shows what I know, however. According to the CIA World Factbook, Vietnam is still officially a communist state and the country's official name is the Socialist Republic of Vietnam. The ruling party is the Communist Party of Vietnam, while opposition groups are the Democratic Party of Vietnam, People's Democratic Party Vietnam, and the Alliance for Democracy. These groups advocate democracy but are not recognized by the government. I don't have any other information to go on, but from the looks of it, Google is complaining that some of their software was modified such that when installed, it allowed the modifier to monitor the traffic of the person using the browser. My guess is that there is a localized version of some Google software, possibly Google Chrome, that was pirated, reverse engineered and modified. Either that, or malicious software in the form of localized Vietnamese versions of antivirus flipped the computers into a botnet. In any case, either the browsing history of the person using the software was redirected or sniffed, or possibly the bots launched a denial-of-service attack on Vietnamese versions of some of Google's social networking sites, BlogSpot and YouTube being the most obvious targets. In this sense, it bears a strong resemblance to the denial-of-service attacks on the various social network sites last year launched against the blogger Cyxymu. As in that case, state sponsorship is not always required in order to do something like this, but it helps. I only have a theory, but my guess is that websites or social networking pages from those services, run by one of the opposition parties mentioned above, suffered some DoS attacks that either brought them down or attempted to bring them down. Whether or not they succeeded is unclear from the article, but this does fit a pattern we see recurring again and again.</description><link>http://www.secuobs.com/revue/news/209125.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/209125.shtml</guid></item>
<item><title>Assessing the botnet threat</title><description>Secuobs.com : 2010-04-02 23:54:09 - Terry Zink's Anti malware Blog - I came across this video today. Botnet researcher Joe Stewart discusses the current threat levels presented by botnets, recent attacks from Operation Aurora and the Black Energy botnet, and how to protect your enterprise from DDoS and other botnet attacks. Joe Stewart is Director of Malware Research at SecureWorks Inc. (video)</description><link>http://www.secuobs.com/revue/news/208546.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/208546.shtml</guid></item>
<item><title>Perhaps Australia has something to worry about after all</title><description>Secuobs.com : 2010-04-02 23:54:09 - Terry Zink's Anti malware Blog - A couple of months ago, I posted an article saying that my own internal statistics did not suggest that Australia was a hotbed of zombie activity. This was a follow-up response to a previous post where I highlighted that Australia was kicking infected zombie PCs off their networks (or at least quarantining them). At the time, I said that Australia does have some spam and zombie activity associated with it, but it appears to be a small player compared to others like the US, South Korea, China, Brazil, and so forth. I have an update. Over the past month, I decided to check to see which countries had IPs associated with particular botnets. I found some interesting trends. Of the 14 botnets that I track: South Korea is the worst country for IPs that are spamming, placing number 1 or 2 for the bagle-cb, cutwail1/2, donbot, grum, mega-d and rustock botnets that send us mail that I am able to track. This is half of all the botnets that I keep statistics on. The United States is the worst country for IPs in the following, placing number 1 or 2 for bagle-cb, darkmailer, festi, gheg, grum2 (but not 1), rustock (by a long shot) and waledac. This is half of the botnets I have statistics on. Note that there is some overlap. Australia just doesn't seem to be a major player, except in one botnet: Lethic. This is very interesting to me; the global list of IP addresses does not list Australia as the most prolific country for Lethic. However, for IPs that send us spam, Australia is number one in Lethic by quite some way. Below is the distribution chart. [chart] My intelligence on Lethic suggests that as a botnet it is not the biggest in terms of number of IPs, but the number of messages it sends per email envelope is the most out of all of the ones I track. Thus, it does account for a very large percentage of spam simply due to how much it attempts to stuff into each message. Why we see this anomaly is puzzling to me, but note the trend: predominantly English-speaking countries make up the top 10 (Australia, the United States, Canada, New Zealand and Great Britain). Even the Netherlands and Norway have populations that speak English very well. That is seven of the top ten countries that send us spam (over the past month) that have strong English-speaking populations and are infected with Lethic. Why is this the case? I don't know. Perhaps the bots that infect these countries have malware attack vectors that are primarily in English. If I look at Microsoft's SIR v7, the top threats are: Australia: (1) Renos, (2) ZangoSearchAssistant, (3) Alureon. USA: (1) FakeXPA, (2) Renos, (3) ZangoSearchAssistant. Great Britain: (1) ZangoSearchAssistant, (2) Renos, (3) ZangoShoppingreports. Norway: (1) ZangoSearchAssistant, (2) Renos, (3) Vundo. Note that this data is from 1H2009, so it could be old and there could be no relation. I don't have updated numbers, but I could always check; if I get them I will post them. But the two common threads here are ZangoSearchAssistant and Renos. ZangoSearchAssistant monitors your web browsing activity and displays pop-up ads. Renos automatically downloads potentially unwanted software such as SpySheriff, SpyAxe, etc. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. I can't say whether or not there is a link between these two pieces of malware, but it does look like the English-speaking countries are more susceptible to them. Whether or not there is a link between them and Lethic I cannot say, as the numbers are not new enough, but perhaps there might be a relationship between certain pieces of malware and the Lethic botnet after all.</description><link>http://www.secuobs.com/revue/news/208545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/208545.shtml</guid></item>
<item><title>Geeks all trust each other but not in China</title><description>Secuobs.com : 2010-04-01 03:08:36 - Terry Zink's Anti malware Blog - Brian Krebs has a post up today on his blog indicating that the amount of spam ending in .cn has declined dramatically due to steps taken by the Chinese government making it more difficult to get a domain ending in .cn: "In mid-December 2009, the China Internet Network Information Center (CNNIC) announced that it was instituting steps to make it much harder to register a Web site anonymously in China, by barring individuals from registering domains ending in .cn. Under the new policy, those who want to register a new .cn domain name need to hand in written application forms, complete with a business license and an identity card. According to data obtained from two anti-spam experts, new registrations for sites advertised in spam began migrating from .cn to .ru just a few weeks after the Chinese domain policy took effect. In early January 2010, and indeed in the months leading up to the new year, the percentage of domains advertised in spam registered in the .cn space dwarfed the number of .ru spam-related domains, according to figures gathered by the University of Alabama at Birmingham. But by mid-January, the number of .cn spam domains began to fall off dramatically, while the number of .ru spam domains increased markedly, UAB found." A cursory glance seems to confirm that the amount of spam from .cn as opposed to .ru has switched places. Indeed, if the CNNIC requires people to start writing in application forms, with a business license and identity card, that is seriously going to slow down the rate at which spammers can sign up and register new domains. They can no longer automate the process of creating new domains (even if they did create some software to fill out the applications, auto-generate a new domain and then give the applications to some trained monkeys to walk down to the CNNIC office and deposit the applications in order to save money on postage, this still wouldn't work). They would be rate-limited by the speed at which the CNNIC would be able to process all of these applications. However, Krebs also reports the following: "Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet." Is this an attempt by Chinese authorities to crack down on the Internet? Or are human rights and privacy groups getting it wrong here? I would surmise that the advocacy groups don't understand the gravity of the abuse that spammers had over the .cn domain. On the one hand, we know that giving stuff away for free (or almost free) invites abuse from spammers because they can automate the process of signing up for new domains. They can use the throwaway domains in spam and clog up the rest of the Internet with their nonsense. And in fact, this is exactly what they have been doing, as the .cn domain has been used in piles upon piles upon piles of spam. We also know that one of the better ways to stop spammers is not necessarily to stop them, but to disrupt them such that it makes their cost model ineffective. One of the ways of disrupting them is by requiring them to do something that requires human effort. One such technology already used today is the CAPTCHA, where you type in the clear text after deciphering what the squiggly text says. The theory behind this is that automated technologies cannot perform these requisite actions and a human wouldn't sit there one thousand times in a row filling them out. Of course, we know that today CAPTCHAs can be broken part of the time, or with offshore low-cost labor breaking them. Still, those are technological solutions to rate limiting abusive users. Requiring people to sign up with a written application form is yet another form of rate limiting. However, instead of using technology to do it (which has proven to be inconsistent, as evidenced by the amount of abuse from free webmail accounts), China is using human capital. Using human capital is a definite rate limit because people can only work so fast, work so long, and work so hard. You just can't push out nearly as much stuff when people have to do the work. And that's the goal behind the CNNIC's actions: technology cannot stop the spammers, so they need to regress it and slow them down even more. That's it, really. Here in the west, human rights groups' positions are that China has a long history of clamping down on human rights. By requiring people to fill out application forms (presumably accurately), dissenters of the government will be unable to advance their cause. The government will screen out their applications and not allow them to exercise their rights to speech. In other words, we in the west see the Internet as the single greatest mode of exercising our rights to free speech. China does not grant those types of rights to its citizens, but the Internet is a kind of back-door point-of-entry around these restrictions. By clamping down on who gets a .cn domain, China has reasserted its control over dissenters, and free speech, and advocacy groups see this as a regression on human rights in China. Whereas before dissenters could retain their anonymity and launch a new site, now they can no longer remain anonymous. And if they aren't anonymous, then Chinese officials can either deny their applications or even monitor and arrest them if they see fit. Given China's sketchy human rights record, privacy groups have a point. It's difficult to say whose side I am on. The Internet is a big place and you don't necessarily need to register a .cn domain to get your message out. You can start a blog, use an existing .cn domain, lie on your application, register a .com.hk domain (but be subject to the Great Firewall of China), and so forth. Can China really monitor all of its Internet traffic? The Internet is a big place, and nobody can possibly control all of it. But on the other hand, China does have some pretty lax enforcement of some of the worst offenders on the Internet. They have bad registrars, bullet proof hosters and a lot of spamming sites. Making it harder to abuse the .cn TLD is a step in the right direction. Until the technology catches up to prevent automated abuse, it's going to be difficult for China to drop these measures. The situation is complicated. If China relaxes its requirements for .cn registration, we will be subject to piles of abuse in the .cn domain. If it tightens down, we possibly have a clamp down on human rights groups. Which are we prepared to live with?</description><link>http://www.secuobs.com/revue/news/207719.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/207719.shtml</guid></item>
<item><title>US leads in cybersecurity / US does not lead in cybersecurity</title><description>Secuobs.com : 2010-03-30 04:55:06 - Terry Zink's Anti malware Blog - Depending on the articles you read, the US is either a leader in cybersecurity or it isn't. According to an article from the E-Commerce Times: "A new bill introduced in the Senate on Tuesday aims to put the United States in a leading role in the global fight against cybercrime. Dubbed the 'International Cybercrime Reporting and Cooperation Act,' the bipartisan legislation was introduced by Sen. Kirsten Gillibrand, D-N.Y., and Sen. Orrin Hatch, R-Utah, in response to the growing threat of cyberattacks such as those perpetrated earlier this year against Google and other US companies. The new legislation will help the US identify threats from abroad and work with other countries to crack down on their own cybercriminals. It will also recommend cutting off US assistance and resources for countries that refuse to take responsibility for cybersecurity. ... The US government has inadequately addressed the need for global cooperation and a harmonized framework 'in the fight against cybercrime,' agreed Jody Westby, CEO of Global Cyber Risk and distinguished fellow with Carnegie Mellon CyLab. The Gillibrand-Hatch bill is 'very important in that it requires the US government to start taking a more global view of cybercrime,' she added. Westby led the development of the ITU toolkit, which provides sample legislation countries can use to develop cybercrime laws harmonized with those of other nations. The United States 'has to understand that we now comprise only about 12 percent of the online population,' Westby told the E-Commerce Times. 'We clearly lead in cybersecurity and have to start asserting our leadership. The measures in this bill will go a long way toward doing that and raise awareness globally of where the problems are.' In short, 'the senators have identified a very critical gap that has existed in cybersecurity,' Westby concluded. 'This could help focus and coordinate the US government on global cybercrime in a way it hasn't before.'" The article doesn't state what Westby means by the US leading in cybersecurity. By contrast, Michael McConnell (director of the National Security Agency in the Clinton administration and the director of national intelligence during President George W. Bush's second term) recently wrote the following in the Washington Post: "The United States is fighting a cyber-war today, and we are losing. It's that simple. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking. ... These battles are not hypothetical. Google's networks were hacked in an attack that began in December and that the company said emanated from China. And recently the security firm NetWitness reported that more than 2,500 companies worldwide were compromised in a sophisticated attack launched in 2008 and aimed at proprietary corporate data. Indeed, the recent Cyber Shock Wave simulation revealed what those of us involved in national security policy have long feared: For all our war games and strategy documents focused on traditional warfare, we have yet to address the most basic questions about cyber-conflicts." Yet by contrast again, Howard Schmidt, the new cybersecurity czar for the Obama administration, refutes the assertion claiming the United States is caught up in a cyberwar that it is losing: "'There is no cyberwar,' Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco. 'I think that is a terrible metaphor and I think that is a terrible concept,' Schmidt said. 'There are no winners in that environment.' Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage. His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar, and was losing it." On the one hand, the US is leading. On the other hand, the US is losing the cyberwar. But on the other hand, there isn't even a cyberwar. Which one is right? Well, we know that in 2007 and 2008, Estonia and Georgia suffered large-scale DDoS attacks in a cyber-riot, possibly with state sponsorship but possibly not. In 2009, Twitter and Facebook suffered similar attacks in a cyber-riot, possibly with state sponsorship but probably not. In January 2010, Google suffered from a cyber-attack, possibly with Chinese state sponsorship and possibly not. Depending on the articles you read, the Pentagon and other military departments in the United States repel hundreds of cyber-intrusions every single day. So, the question is not whether or not these types of attacks are occurring; it's a question of who is conducting them and whether or not they are hostile actions from foreign governments (a Chinese-backed effort to steal secrets from Google could be considered a hostile act, in my opinion). We do suspect that foreign governments do not actively pursue known spammers in eastern Europe, presumably because they are handy to have around just in case they need to launch cyber attacks. But what is the threat level? Is Schmidt right? Is online crime and espionage the main threat to the Internet? Or is McConnell right, and the US is already under attack and critical pieces of infrastructure are vulnerable and it is only a matter of time before one of them is taken down? I tend to lean more towards Schmidt, but for the existential threat I lean more towards McConnell. Right now, armies of bots around the world are committing piles and piles of online fraud (spam, identity theft, and so forth) using botnets, and occasionally these botnets are harnessed to do DDoS attacks on businesses and even branches of government. But it doesn't necessarily follow that these are coordinated efforts by foreign governments. No doubt some of them are, but some aren't. However, it probably wouldn't take much for a foreign government or non-state actor to harness these resources together and launch a sustained cyber attack on key American pieces of infrastructure. If that were to occur, most experts would probably agree that the US is underprepared. How likely is it? Could the US repel it in a reasonable timeframe? And could they launch a counterstrike? Such questions and answers are above my pay grade (and not even part of my department); while I think that the threat is there, I don't know how likely the threat is to actually occur. It is possible, but is it probable? And if so, how much time do we have?</description><link>http://www.secuobs.com/revue/news/206722.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/206722.shtml</guid></item>
<item><title>Survey request from Forefront Server Protection team</title><description>Secuobs.com : 2010-03-26 22:44:38 - Terry Zink's Anti malware Blog - My friends over in the Forefront Server Protection team have asked me to post a survey on my blog, and I have agreed to do so. They are conducting research to understand what applications you would like to protect, and how you would like them protected. For example, are you interested in anti-malware protection for SQL Server? The survey shouldn't take more than 5-10 minutes, and your feedback directly impacts product decisions. Please head over to http://www.surveymonkey.com/s/forefrontsurvey to take the survey. They would appreciate your valuable input. Thanks.</description><link>http://www.secuobs.com/revue/news/205951.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205951.shtml</guid></item>
<item><title>Russian spam stats</title><description>Secuobs.com : 2010-03-26 00:19:07 - Terry Zink's Anti malware Blog - I was checking out a blog post by Dancho Danchev on ZDNet; he has some interesting statistics on Russian spam. In it, he describes how much spam is Russian and how much money they are making. Rather than summarize his views, I thought I would repost some excerpts because I can't state it any better than he does: "Spammers make more money than they are fined with - According to RAEC's study based on publicly obtainable data of fines against EU based spammers, in 2009 the fines (2.85 million) represented slightly more than 1% of their profits (218 million). The same situation is often seen in different markets, where the companies engaging in illegal activities are in fact making so much money that they can afford to pay the fines imposed on them. However, despite the obvious need of higher fines for spammers, from my perspective, imposing those fines on a participant within an affiliate network, in situations where you cannot get to the masterminds of it, undermines its effectiveness. Russian cybercriminals are ahead of the legal framework - With anti-spam legislation in Russia virtually non-existent, it's no surprise that so many people are operating in the open, without any feeling of prosecution. However, another paradox we talked about was the fact that some Russian spammers and cybercriminals in general operate their campaigns outside Russia, in countries with developed anti-spam and anti-cybercrime laws. Yet, they are still at large. The world's top spammers are Russian citizens, relying on US based infrastructure for their operations - Whether it's the systematic abuse of legitimate email providers (Gmail, Yahoo and Hotmail systematically abused by spammers), or compromised web sites, numerous independent studies continue emphasizing this fact. For instance, the recent PhishTank stats for February 2010, and MarkMonitor's Brandjacking Index for 2009, both point out that the US is hosting the majority of phishing sites. What does this mean? It means that from a pragmatic perspective, given the active legal framework, resources and technical capabilities, spam and phishing shouldn't be the kind of problem it currently is. That's, of course, in a perfect world. Spam and cybercrime in general are not a country-specific problem, but an international one - Although this is a fact we both agreed on, another fact cannot be disputed: Eastern European based cybercriminals going after financial data make Chinese cybercriminals look like cartoon heroes on their way to steal your virtual goods. Go after the people, not the ISPs, as a form of public statement - The fact that there are people known as 'spam kings' or 'spam czars' means that they've been in operation for years. Moreover, based on the scale of their spam operations, and the money they make, a logical move on their behalf would be to keep a very low profile, and put basic operational security measures in place. That's not the case, making it easier to go after them. Try to get to the top of the affiliate network chain, instead of prosecuting/fining a participant in the affiliate network - Who's getting prosecuted for spamming at the end of the day? It's usually not the one who should be. The next time you hear that a spammer has been arrested, is being sued, and possibly even fined, ask yourself the following: is this guy the one running an affiliate network with hundreds of thousands of spammers participating in it, the supplier of the counterfeit pharmaceuticals, or is he basically one of the thousands of participants in the network?" Pretty good analysis, I think.</description><link>http://www.secuobs.com/revue/news/205556.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205556.shtml</guid></item>
<item><title>A bit about Zeus</title><description>Secuobs.com : 2010-03-26 00:19:07 - Terry Zink's Anti malware Blog - As I posted a couple of weeks ago, the Zeus botnet was partially taken down after researchers worked with ISPs to disconnect them. Even though this victory was only temporarily short-lived, it's still nice to know that botnets can be targeted for takedown if enough people get together and concentrate their efforts. From the MMPC Encyclopedia, Zeus is also referred to as Zbot but also goes by a variety of other names including Kollah, the Avalanche botnet or Wsnpoem: "Win32/Zbot is a trojan password stealer that may bypass installed firewall applications to send captured passwords to an attacker. It also contains limited backdoor functionality that allows unauthorized access and control of an affected machine. In the wild, Win32/Zbot has been observed distributed as an attachment to spammed e-mail. The e-mail is disguised as a security alert from Microsoft and the attachment may have a file name such as 'officexp-KB910721-FullFile-ENU.exe'. This trojan may also be encountered and installed when visiting a malicious Web page. Below, for example, PWS:Win32/Zbot.PM may be downloaded from a malicious Web site disguised as a security alert from Microsoft, as in the following example from the domain 'updatemicrosoftcomil1ificommix'. Win32/Zbot attempts to steal sensitive information including certificates, cached passwords and cookies" (but not Ritz crackers). Take the following steps to help prevent infection on your system: enable a firewall on your computer; get the latest computer updates for all your installed software; use up-to-date antivirus software; use caution when opening attachments and accepting file transfers; use caution when clicking on links to Web pages; avoid downloading pirated software; protect yourself against social engineering attacks; use strong passwords. More information on the MMPC blog is available here.</description><link>http://www.secuobs.com/revue/news/205555.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205555.shtml</guid></item>
<item><title>The Google vs China standoff</title><description>Secuobs.com : 2010-03-24 03:51:38 - Terry Zink's Anti malware Blog - CircleID has an update on the latest Google vs China standoff: "Earlier this year Google made the announcement that it is reviewing its business operations in China and considering possible closure due to China's cyberattacks and limits on free speech. Google today stopped censoring its search services (Google Search, Google News, and Google Images) on its Chinese website, Google.cn, and users visiting Google.cn are now being redirected to Hong Kong's site, Google.com.hk. David Drummond, Google's Chief Legal Officer, writes: 'Figuring out how to make good on our promise to stop censoring search on Google.cn has been hard. We want as many people in the world as possible to have access to our services, including users in mainland China, yet the Chinese government has been crystal clear throughout our discussions that self-censorship is a non-negotiable legal requirement. We believe this new approach of providing uncensored search in simplified Chinese from Google.com.hk is a sensible solution to the challenges we've faced; it's entirely legal and will meaningfully increase access to information for people in China. We very much hope that the Chinese government respects our decision, though we are well aware that it could at any time block access to our services.' Also, since it is highly likely that the Chinese government will block access to Google's uncensored services, the company has launched a specific site which updates regularly each day and keeps users informed of which Google services are available in China." The entire self-censorship proposition is interesting. Google appears to have found a temporary way to weasel around China's requirements by redirecting visits from google.cn to google.com.hk, where presumably these censorship requirements do not exist (but I thought Hong Kong was now a part of China? Or have the Chinese not decided to extend their tentacles there quite yet and leave them alone?). Google's relationship with China has never been great. The government supports its own local horse, Baidu, which is the most popular search engine there. From PC World: "That same day, Li Yizhong, China's minister of industry and information technology, warned Google not to stop censoring search results on Google.cn. 'If you don't respect Chinese laws, you are unfriendly and irresponsible, and you will bear the consequences,' Li said, according to a report carried by the official China Daily newspaper." It will be interesting to see who will break first. China is already reacting: "Mainland Chinese users still could not see much of the unfiltered Hong Kong search results Tuesday because government firewalls either disabled searches for highly objectionable terms completely or blocked links to certain results. That had typically been the case before Google's action, only now millions more visitors were liable to encounter the disrupted access to an uncensored site. ... China's biggest cellular communications company, China Mobile, was expected to cancel a deal that had placed Google's search engine on its mobile Internet home page, used by millions of people daily. In interviews, business executives close to industry officials said the company was planning to scrap the deal under government pressure, despite the fact that China Mobile has yet to contract with a replacement. Similarly, China's second-largest mobile company, China Unicom, was said by analysts and others to have delayed or killed the imminent introduction of a cellphone based on Google's Android platform. One major Internet portal, Tom.com, already had ceased using Google to power its search engine." What spurred this latest Google-Chinese standoff were the attacks on Google, linked to Chinese hackers, that attempted to steal information from its corporate database. In response, Google said it would stop self-censoring. The Chinese government warned Google not to do that. To some western observers, what Google is doing is good for the Internet. Censorship is bad, freedom of speech is good, and Google should "take one for the team." Yet it isn't as simple as that: "One Western official who spoke on condition of anonymity said that China now speaks of Internet freedom in the context of one of its 'core interests', issues of sovereignty on which Beijing will brook no intervention. The most commonly cited core issues are Taiwan and Tibet. The addition of Internet freedom is an indication that the issue has taken on nationalistic overtones." If you'll allow me to delve into my own political analysis, the Chinese government views national security and internal stability differently than western democracies, especially the United States. The US is bordered by two oceans and effectively controls the entire continent of North America. There is no threat from Canada in the north, and Mexico is too unstable in the south (not to mention its geographically harsh terrain). The US has inherent stability because it doesn't need to worry about a foreign country invading it nor devote resources to defending its borders militarily. This gives its citizens and government clear advantages; the US is in a very fortunate position simply due to geography, and its government can afford a more laissez-faire attitude with regards to freedom of expression. China is different. For much of its history, China has been fractured. It has been invaded before (most recently during World War II) and is internally always trying to balance the struggle between urban and rural areas. It is a country of 1.2 billion people and there is always tension between the poor rural areas (which make up 2/3 of the population) and the wealthier urban areas (which make up 1/3 of the population). When there are massive disparities in wealth and unemployment results, China can become unstable, and the government fears that instability. It is only through a strong authoritarian government that they are able to maintain control. One of the Chinese government's main priorities is maintaining high levels of employment. An unemployed populace is an unhappy populace, and with 1.2 billion citizens to worry about, the government is concerned about maintaining internal cohesion. When China is divided, it becomes more difficult to defend because of its vastness. That is why the Chinese government clamps down so heavily on human rights and dissenting views, as well as Internet freedom. They fear that if the spread of anti-government propaganda got out of hand, it would create shockwaves and ripples throughout the country that would destabilize it and leave it vulnerable. That is why they have grasped onto the issue of Internet freedom: because it strikes at the very heart of Chinese grand strategy and policy. The point of this little analysis is not to defend the actions of the Chinese government or advocate Google's position, but rather, to illustrate the point that the difference in the way the west vs the Chinese see Internet freedom is cultural. It is not as if the Chinese can simply say "Oh, you know what? We're wrong about freedom of expression, let's change our minds." It clashes with its cultural and political values. The west says "People should be allowed to see whatever they want," whereas China says "We need to exercise control over the population in order to preserve our national sovereignty." Google is not going to win the battle by pushing the Chinese to change its mind; that simply is not going to happen. It's a shift that will take years, if not decades, to accomplish. [Image: Billboard of Google in Taipei, Taiwan, while I was there in October 2008]</description><link>http://www.secuobs.com/revue/news/204738.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204738.shtml</guid></item>
<item><title>Twitter moves to mitigate abuse</title><description>Secuobs.com : 2010-03-20 23:52:49 - Terry Zink's Anti malware Blog - Twitter recently announced that it is taking action to mitigate spam and abuse of its service: "A couple weeks ago, Biz explained how Twitter users were being victimized by phishing scams spread primarily through links in Direct Messages. Basically, people click the link and bad things happen. My team can only detect these scams after malicious links have already been sent out. Today, we're launching a new service to protect users that strikes a major blow against phishing and other deceitful attacks. By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we'll be able to keep that user safe." I've lamented in the past how URL shortening services are very insecure. All it takes is for a spammer to run a malicious URL through there and then use that shortened URL in a spam message. They do this because they know that spam filters will often block on the reputation of a domain. If the spammer includes a known good service like Bit.ly, Tr.im, or Cli.gs, these domains are all known good users. It is similar to a spammer taking over a legitimate email service like Hotmail, Gmail or Yahoo Mail. It is reputation hijacking. In the case of the URL, unless the spam filter follows the URL and finds out what domain it actually points to, it cannot use URL reputation as part of its antispam service. Most spam filters do not have the time to follow through shortened URLs. What Twitter is doing, or rather appears to be doing since I don't know exactly what they are doing, is subscribing to a URL reputation service. These services are populated with URLs from around the Internet that have been deemed malicious by reliable sources. If the URL is part of the reputation service's feed, Twitter will disallow the link. It's like an IP blocklist for URLs. Twitter extracts the URLs, scans them against this service, and if they don't show up the link is allowed to be tweeted. If not, too bad. Thus, they are proactively mitigating the abuse by outsourcing some of their anti-abuse technologies to those who have a lot of experience doing it. Good for Twitter. Now, if only we could get all of the URL shortening services to subscribe to these reputation services.</description><link>http://www.secuobs.com/revue/news/203732.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203732.shtml</guid></item>
<item><title>Abusive users</title><description>Secuobs.com : 2010-03-19 22:19:01 - Terry Zink's Anti malware Blog - I have a YouTube account with a bunch of my videos on it, and about two months ago I was contacted by another magician. He was commenting on my version of Any Card, wherein any named card appears at any named number in the deck. It's an incredible effect; it took me several months to learn. This magician first contacted me saying that he had his own version (which I thought was cool) and asked where I learned mine. Magicians are generally very secretive and exclusive, but amongst each other we are somewhat open. In other words, you have to join the club. The exchange over YouTube was cordial, but I'm pretty slow to respond to my YouTube messages; I just don't log in there very often. I would sometimes take a week or two to respond. Anyhow, he asked me if I wanted to trade tricks: I'd send him my Any Card version and in return he'd send me a couple of his videos. We magicians like to trade secrets with one another. I agreed and planned to do it, but as is like me, the amount of work I would have to do to send the manuscript was a lot of effort. I procrastinated (for, like, 5 weeks) and today I got the following message from him. I was very surprised to receive it because all of our exchanges have been so cordial and positive (warning: strong language). Like I said, I was surprised to see this. Surely he could have pinged me and said "Any update on this?" and that would have prompted me to get going quicker. But instead, I receive the above abusive message and I am now disinclined to do any trading with him, not to mention leave him negative feedback on eBay. I believe that this behavior is simply uncalled for. So, readers, my point here is that this user is not spamming, but the behavior is abusive nonetheless. Sometimes the motivation for sending electronic abuse is not financial.</description><link>http://www.secuobs.com/revue/news/203515.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203515.shtml</guid></item>
<item><title>Spam trend this week - new malware targeting Facebook</title><description>Secuobs.com : 2010-03-19 22:19:01 - Terry Zink's Anti malware Blog - One of our spam analysts who works out of our Dublin, Ireland office, Kai Yu, wrote this on our internal malware blog. I am reposting it here because I think that it is an important topic for this past week. --------------------------------------------------------------------- Since March 17th, there has been a large spam attack with malware attachments targeting Facebook's 400m userbase with the goal of gaining access to their passwords. In the mail, users receive the notice "from" Facebook to click the attachment to get their new password, while, in the attachment, the program attempts to steal their password. It reminds me that about four months ago there was a similar attack, also with a password stealer virus. --------------------------------------------------------------------- Facebook is one of the fastest growing targets for abuse and "phishing" in the past couple of years. Because of the vast swath of users, it is ripe for social engineering threats. The reason spammers attack it is because of brand recognition: you recognize (and love) Facebook and therefore you feel good when you see a message from them. You click the attachment, not really thinking about it, and before you know it, you're infected with a piece of malware and flipped into a botnet. These social engineering ploys are effective because they play on human emotion.</description><link>http://www.secuobs.com/revue/news/203514.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203514.shtml</guid></item>
<item><title>A little love for the Waledac takedown after all</title><description>Secuobs.com : 2010-03-17 22:23:08 - Terry Zink's Anti malware Blog - On another corner of the Internet, ThreatPost reports that Microsoft's Waledac takedown a couple of weeks ago did, in fact, have far-reaching impact. While some on the Internet were claiming that Microsoft's actions had little to no effect, it turns out that others are saying that Waledac appears to be crippled, if not dead: "After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero. One researcher said that Waledac now seems to be abandoned. 'It looks crippled, if not dead,' said Jose Nazario, a senior security researcher at Arbor Networks. An analysis of the effects of the Waledac takedown, known internally at Microsoft as Operation b49, by the company and other researchers has shown that Microsoft's efforts, combined with those of other researchers from universities in Europe, have rendered Waledac toothless. 'Early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network. For example, researchers from the Shadowserver Foundation, the Technical University in Vienna, University of Mannheim, University of Bonn and University of Washington have analyzed honeypot data on Waledac and have observed an effective cessation of commands to Waledac zombies. That's good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection. Another key indicator of the botnet's demise is the lack of newly infected PCs. Researchers at Sudosecure who track new Waledac infections have data showing a dramatic decline in new IP addresses appearing within the Waledac network, meaning that Waledac is no longer spreading its infection to other computers. While there will likely always be some fluctuations as long as the underlying malware exists and we must and will continue to work with the security community to stay on top of Waledac over time, the zero new infections number reported by Sudosecure as of February 27 is a great indicator of the success of these efforts so far,' Microsoft's Jeff Williams wrote." So rather than stopping the spam, the drones are unable to communicate with its central command points, or rather, new commands are no longer being issued. Indeed, here are some snapshots from Sudosecure's page: [image] [image] You can see that on Feb 23, the amount of new IPs drops dramatically. So, rather than stopping the flow of spam coming out of Waledac, this action by Microsoft may have interrupted Waledac's ability to refresh itself. If that's the case, then it means that the stoppage of Waledac's spam will slow down over time since the current zombies will finish spewing what they are spewing but will not be issued new commands.</description><link>http://www.secuobs.com/revue/news/202730.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202730.shtml</guid></item>
<item><title>A bit more on stolen information</title><description>Secuobs.com : 2010-03-16 22:42:54 - Terry Zink's Anti malware Blog - In my previous post, I called attention to a story where a bank employee in Switzerland stole information from HSBC's list of clients and gave (or more probably, sold) it to the French government. The government intended to use the data to go after tax evaders. I put my own spin on things and suggested that not only do banks have to worry about losing data due to phishers and hackers stealing data, they also have to worry about their own employees stealing it. The question that naturally arises: which is the bigger worry? Electronic theft? Or employee theft? Microsoft's Security and Intelligence Report actually addresses this, and it's not even close: "Although security breaches are often linked in the popular consciousness with hacking incidents involving malicious parties defeating technical security measures to gain unlawful access to sensitive data, more than four-fifths of all breaches tracked in the DataLossDB result from something that the OSF database does not classify as a hack, including 87.7 percent of reported 1H09 breaches. Stolen equipment is the largest single category and accounts for twice as many incidents as intrusion, possibly because equipment theft is easily detected and reported. A number of the incident reports reviewed for this analysis mentioned that intrusions or accidental exposure of information on the Web had been going on for quite a while before they were detected." [image] [image] So in reality, it's not so much that banks need to be aware of employee theft being another attack vector in addition to hacking or phishing; it's actually the other way around. In addition to employee theft, banks need to be aware of hacking or phishing. I am less clear on how to prevent data loss from these supposedly low-tech mechanisms for information loss. A company needs employees in order to function, yet these employees are the weakest link in a company's security chain. An employer can take great steps like background checks and security policies to ensure that its personnel are not malicious, but ultimately, as a company grows larger, the probability of a miscreant obtaining access to its information becomes greater and greater. Technology can solve some of the problems we have when it comes to security, but it does not address all of the human problems. [image: DSCI0353, a recent picture of me in Geneva, Switzerland]</description><link>http://www.secuobs.com/revue/news/202353.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202353.shtml</guid></item>
<item><title>Stolen information from a bank (and not from phishing)</title><description>Secuobs.com : 2010-03-16 01:07:00 - Terry Zink's Anti malware Blog - On Friday, I went to Bloomberg's financial page and browsed a few articles. I read an article which stated that HSBC revealed that a former employee stole details on 15,000 existing user accounts: "March 11 (Bloomberg) -- HSBC Holdings Plc's Swiss private bank said a former employee stole details on 15,000 existing accounts, as banking secrecy comes under growing pressure from nations keen to crack down on tax evasion. An information technology worker took the account information about three years ago, the Geneva-based unit of HSBC said in a statement today. Data were also stolen on 9,000 accounts closed before October 2006, said the bank, which currently has about 100,000 accounts in all. 'This represents a threat to the privacy of our clients,' Alexandre Zeller, chief executive officer of HSBC's private bank, told reporters today in Geneva. 'We deeply regret this situation and unreservedly apologize to our clients.' The bank plans to spend 100 million Swiss francs ($93 million) on improving security, he said. 'This is enormous and no-one expected that it could happen to HSBC, so it's a tough lesson for the whole industry,' says Bernhard Bauhofer, founder of Sparring Partners GmbH, which advises companies on managing their reputations. 'There's an increasing demand for data and there will be other cases because governments are looking for funds; where there's demand there will be supply,' he said. The French Finance Ministry said in December that it had data on Swiss bank accounts held by French taxpayers, including names provided by a former HSBC employee. Switzerland suspended treaty negotiations with France in December because of the HSBC case. After talks in January, France agreed to return the original data to Switzerland and not ask for assistance from Swiss authorities based on the stolen information. France will continue to use the data to pursue tax evaders at home. 'The bank does not believe that the stolen data has or will allow any third party to access any client account,' HSBC said. The accounts were all opened before October 2006, the bank said, adding that it is contacting all clients with Swiss-based accounts. Switzerland's banking regulator said it will investigate how the theft occurred and what HSBC did to improve security since 2007. The Swiss Financial Market Supervisory Authority, known as Finma, has been in close contact with the bank since December last year, the Bern-based regulator said in an e-mailed statement today. Swiss secrecy laws, which threaten bank employees with as much as five years in jail if they divulge client information, have failed to stop workers from stealing data. The former staffer, Hervé Falciani, was a 'trusted employee' who worked for HSBC for more than seven years, Zeller said. He took the data 'probably over a period of months' while working on a project to transfer client information between computer systems. HSBC said it became aware of the theft in the middle of 2008 and Falciani was arrested in Switzerland in December of that year after being denounced by a colleague. He later left the country for France. The bank said it is unsure how Falciani physically stole the data. 'Nobody will ever tell you that 100 percent of data can always be secure because private banking is a human game,' said Zeller. 'Data theft is an ever more serious preoccupation within the industry.' While the stolen data contains numbers and names, the latter could be powers of attorney rather than the client." This represents an interesting challenge for banks' and clients' security. Here we have a case of an employee stealing data and governments acquiring it in order to look for additional sources of revenue. However, in contrast to phishing, the acquirer of this data could not use it to gain access to the clients' data, at least not directly. Really, is it that much of a stretch to use this as part of a social engineering ploy? If you have the username, numbers and some more account information, it might not be enough to gain access to the account. But it might be enough to impersonate the actual client and request a reset of login credentials, which could allow an unauthorized user access. More in my next post. [image: actual picture taken by me of HSBC bank in Geneva, Switzerland]</description><link>http://www.secuobs.com/revue/news/201943.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201943.shtml</guid></item>
<item><title>Microsoft sues spammer for spimming</title><description>Secuobs.com : 2010-03-14 00:10:56 - Terry Zink's Anti malware Blog - Instant messaging spam, or spim (spam over IM), is not something I have a lot of experience with. However, yesterday (Thursday, March 11), Microsoft announced that it reached a settlement with Funmobile, a company it sued last July, accusing it of using its service to spam users. From ZDNet: "Microsoft said on Thursday it has reached a settlement with Funmobile, the Hong Kong-based company it sued last July over accusations that Funmobile was using instant messaging spam to trick users into giving up their account information. The software maker said it has obtained an injunction against Funmobile requiring it to refrain from 'spimming' (sending IM-based spam) to customers or contacts of Windows Live Messenger, and to make a cash payment to Microsoft. 'The successful resolution of this case sends a clear signal that Microsoft does not tolerate abuse of its networks, and we will continue to take action to protect our customers,' said Microsoft associate general counsel Tim Cranton in a statement. Microsoft had accused Funmobile of targeting users on its Live Messenger network to gain their personal information. Live Messenger has more than 320 million users, according to the company. In the suit, Microsoft cited a number of attacks, including IMs that appear to be coming from users the victims know [TZ: emphasis mine]. It also described phishing attacks that mimic the look and feel of an outside service or an official Microsoft support page. The company said the successful use of these tactics allowed third parties to obtain these users' personal account information, then exploit it by sending mass spam and phishing messages to the contacts of those users. 'Such attacks on instant messaging services are more than just a nuisance; they are a threat to user privacy,' said Cranton." Technically speaking, this is not phishing since phishing, by definition, is the attempt to trick somebody into providing financial information. The tactic here is known as spoofing and belongs to the broader area of attack known as social engineering. It plays on the psychology of brand recognition. Companies like Coca-Cola rely on their brand to sell their product around the world. People feel good when they are in a foreign place but see the familiar logo of Coke (they are in a restaurant, and so they order one; note: I do this regularly when I travel outside of the US and Canada). Images of familiarity when we are in unfamiliar territory cause our brains to release chemicals (endorphins) that make us feel good. That comfort level breaks down some of our barriers. If we were to see a message coming from someone we don't recognize, instantly our guard is up and we are less likely to be complicit in a spammer's (spimmer's) request. However, by impersonating somebody we know, if we don't realize right away that this is a spoof, our brains release endorphins and we enter a more suggestible state. This is because we recognize the brand of our own personal social network. We like to talk to people we know; we are comfortable with them and therefore our guards are down. The chances of us being more complicit in the release of private information are higher when we are more suggestible. This isn't Cranton's or Microsoft's stance, however. It's more of an incidental. The greater point is that Microsoft has Terms of Service and abusive users of its service are subject to being shut down. This also plays into Gary Warner's blog post where he advocates that "bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door." While Microsoft's actions in this case are not about using law enforcement to shut down a botnet, they aren't far away from it by using the legal arena to force an abusive service to stop doing it. Hopefully, this will cause Funmobile to think twice before they start "phishing" other users. Hopefully even more, it will cause other services like Funmobile to do the same.</description><link>http://www.secuobs.com/revue/news/201426.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201426.shtml</guid></item>
<item><title>Another one (partially) bites the dust</title><description>Secuobs.com : 2010-03-12 20:29:35 - Terry Zink's Anti malware Blog - Following in the footsteps of Lethic, Waledac and Mariposa, yet another botnet has been taken offline. Not completely, though; it was only a partial disconnect. The Zeus botnet, also known as Zbot, is a trojan password stealer that captures passwords and sends them to the attacker. From ITWorld: "March 10, 2010, 04:10 PM (IDG News Service) - Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines. Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning. The Troyak network was itself an upstream provider to six networks known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. 'There's lots of Zeus and Fragus exploit kit [sites],' he said. Whoever was behind the takedown 'just decided to knock out a large area of cybercrime, and this was probably one of the easiest ways to do it.' Troyak is based in Kostanay, Kazakhstan, according to whois records. The company could not be reached immediately for comment. The Zeus Tracker administrator, who asked not to be named, said that at first he thought that there had been some type of technical error in the Zeus code. On further investigation, he discovered that Troyak had been taken offline, which in turn knocked the networks hosting the botnet servers off the Internet." Unlike the Waledac "takedown", which was removed with a court order, and the Mariposa takedown which was done by police authorities, or even the Lethic takedown done by Neustar which operates the .us ccTLD, this time around it was done by eastern European network providers. Thus, this takedown more closely resembles the 2008 McColo takedown which resulted in spam levels plummeting by 40% (our figures) to 70% (others' figures). According to The Register, the network providers Ukraine-based Ihome and Russia-based Oversun Mercury severed their ties to the ISPs in question (Troyak and Group 3). Unfortunately, it also meant that the legitimate customers on those ISPs also had their ties to the Internet disconnected. I bet their customer support desks had their phones ringing off the hooks. I can just imagine the conversation. Customer: Why can't I connect to the Internet? I'm paying for your service! Response: Well, sir, no one can. We've been disconnected. Customer: What? Why? Response: For engaging in cybercrime. Customer: Oh. Well, that explains it. Cisco issued a statement that this takedown "depeered" the botnet. What this means is that the drones that perform the actual password stealing, fast-fluxing, etc., can no longer (temporarily) make contact with the command center. The drones are aimless, kind of wandering around with no direction, no purpose and no motivation (a lot like the entire population of Canada would have been had we lost the gold medal game in hockey two weeks ago at the Olympics). It's kind of like if a military unit were out in the jungle taking orders from central command, and central command is knocked out: the unit will stand around forever doing nothing. The unit is still there, but they are not going to do anything until they get their orders. Since their orders will never come, they will never do anything. It's classic bureaucracy in action. It's important to note three points: 1. The entire C&amp;C center wasn't taken down, only about a third of it. 2. It will be rebuilt eventually. The orphaned drones no doubt had some of their instruction locations hard coded, or maybe specified in a config. The botnet operators will send out new malware with new instruction set locations, and users will install the software. These systems will become re-infected and point to other locations upon which to download updates, and the whole cycle will start all over again. It will take time, true, but Zeus will be back. 3. Those who took down this botnet wish to remain anonymous. Whatever their reason is, they aren't claiming responsibility. I'll have a bit more about Zeus/Zbot in my next post.</description><link>http://www.secuobs.com/revue/news/201188.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201188.shtml</guid></item>
<item><title>What do my stats say on Waledac's takedown?</title><description>Secuobs.com : 2010-03-11 22:55:34 - Terry Zink's Anti malware Blog - In my previous post, I wrote that other security researchers didn't find much impact after Microsoft obtained a court order to take down 270 domains associated with the waledac botnet. What do my own statistics say? Waledac is one of the smaller botnets that send us spam traffic, but since we are enterprise mail while Hotmail is consumer, the attack vectors may be quite different. Anyhow, here's how many distinct IPs we were seeing in the month of February, before and afterwards: [image] Going by this, we didn't really see much difference either. Waledac kind of bounced around before and afterwards with no real drop off in uniqueness. I then decided to compare the rest of the botnets I track, and none of the other ones showed any distinguishing feature either. Except for one. While this may be an anomaly or a reporting error in my script, the rustock botnet was affected for a short period of time following waledac's disruption. A day after the takedown, the amount of mail it sends us went to almost zero: [image] You can see that it kind of oscillates around but it never gets lower than a thousand. Yet on Feb 23 (don't let the date on the chart fool you, Excel is being weird for some reason), the amount of post-RBL spam that we get from rustock nearly disappeared. That has never happened before; rustock may fluctuate within a range but it never disappears. Admittedly, this could simply be a reporting error in my script. We have had other problems that seem to have arisen around Feb 22 for some strange reason. The problem is that none of the other botnets that I track show this odd behavior of nearly vanishing after waledac was taken offline. So, there are some possibilities here: 1. My data is valid. If so, then that means that there is a link between rustock and waledac. Perhaps rustock uses the waledac domains to spam, not waledac itself. Rustock also recovered quickly, so perhaps waledac also recovered quickly, or else rustock has a robust infrastructure and is self-healing. 2. My data is invalid. I have a reporting error in my script, or some of our logs didn't rotate, or perhaps the list of IPs didn't download properly. I grant this as a possibility, but then it means that the rustock reporting is an anomaly, or I need to revisit my other data. Indeed, if it is point 1 then we have established a relationship between the two botnets.</description><link>http://www.secuobs.com/revue/news/200845.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200845.shtml</guid></item>
<item><title>No love for Microsoft's Waledac takedown</title><description>Secuobs.com : 2010-03-10 23:26:00 - Terry Zink's Anti malware Blog - A couple of weeks ago, I wrote on the story that Microsoft had obtained a court order to take down numerous domains associated with the Waledac botnet. It's now been a period of time since then; did the takedown actually affect spam levels out of waledac? According to Spamhaus, in a statement granted to ZDNet, it had little effect, if any: "The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday. 'The amount of spam coming from Waledac [before the takedown] was less than one percent [of all spam], and that hasn't changed much,' said Spamhaus chief information officer Richard Cox. 'There's been a slight change, nothing major, and we would expect it to be a lot different.' According to Cox, and Sophos Labs, Microsoft's targeting of Waledac is odd because it is such a small botnet and accounts for so little traffic. 'I've been chatting to colleagues, and we don't understand why Microsoft took these measures [against Waledac],' said Cox. 'There are other botnets, for example Zeus, that do immense harm fraud-wise.' Computer security company Sophos agreed that it had seen no appreciable difference in the amount of spam coming from Waledac after Microsoft's action. 'We can't see a direct correlation between [Microsoft's] takedown efforts and a reduction in spam from Waledac,' said Fraser Howard, a principal researcher at Sophos Labs. In addition, there has been no noticeable reduction in spam volumes overall, according to Howard. 'If the botnet contributed significantly to spam, we would have expected to see a sharp step down in spam volumes,' said Howard. 'There is no distinct difference between before and after the takedown.' Not everyone agrees that the Waledac takedown was fruitless, though. Security company F-Secure said on Wednesday (March 3) it had seen a drop in spam coming from Waledac zombies, and a decrease in the number of binary samples from Waledac-related messages. 'Microsoft might have decapitated [Waledac], it should be interesting to watch,' said F-Secure researcher Sean Sullivan. Sullivan said the ability of the botnet to spread malware may have been severely inhibited by Microsoft's action. From 8 February to 21 February, F-Secure detected 58,913 instances of Waledac malware attempting to circumvent F-Secure security software. After the takedown, from the 22 February until 3 March, F-Secure detected 1,113 instances. Despite this respite in Waledac attacks, Sullivan said F-Secure would not be surprised to see the botnet come back." So, according to this article, and some other sources I have talked to, here is the reaction to Microsoft's takedown: - Waledac was a small player to begin with. - The takedown didn't do much at all. - Although in some places, it did have a noticeable effect. - Waledac will be back eventually. The reason for Waledac's resiliency is that while several domains were taken offline, Waledac also relies on peer-to-peer traffic. In that regard, it doesn't matter if a domain is taken down because the nodes are not communicating with it anyway. Thus, if that is the case, then it suggests that Waledac doesn't rely on domains for spam distribution and instead uses them for something else, such as pointing to the payload in spam.</description><link>http://www.secuobs.com/revue/news/200426.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200426.shtml</guid></item>
<item><title>What's the breakdown of spam?</title><description>Secuobs.com : 2010-03-10 02:34:25 - Terry Zink's Anti malware Blog - I see on Symantec's Twitter feed that roughly 82% of all spam is pharmaceutical spam: "Pharmaceutical spam now accounts for 81.9% of all spam. Europe is more likely to receive it than other regions, and Asian ones least of all." My own statistics do not confirm this, but they do confirm that pharmaceutical spam is the largest source of spam that we receive network wide. That it accounts for 82% is a realistic number. I decided to take a random look at my junk mail quarantine for one of my email accounts. Below is a snapshot: [image] (Click for larger image) This is from my latest spam quarantine snapshot; there are 19 messages (I removed one false positive because I am on a discussion list that is prone to FPs due to its content). Of the 19 messages, 15 are pharmaspam, or 79%. That's pretty close to Symantec's numbers; in fact, I'd say it confirms their numbers. This is, of course, non-scientific and not statistically valid, but it's nice to know that if I want cheap pharmaceuticals, I can always check my spam folder. Incidentally, from the Microsoft Security and Intelligence Report, version 7, here's the breakdown of spam that we saw in the first half of 2009: [image] If you add the Pharmacy categories together it is around half. Non-pharmacy product ads includes Rolex watches, which is what the other messages are in my spam folder. So, my stats agree with Symantec's even if the numbers are not quite the same. Of course, these numbers are a little old right now, so new ones could obviously re-orient things and tip the balance into pharmaspam's "favor" even more.</description><link>http://www.secuobs.com/revue/news/200072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200072.shtml</guid></item>
<item><title>Malware in a nutshell</title><description>Secuobs.com : 2010-03-09 05:56:32 - Terry Zink's Anti malware Blog - I was browsing YouTube today and I found an online video starring David Perry of Trend Micro. Perry explains the nature of various web-based threats using building blocks. It's actually a pretty good introduction for those who don't understand the threat landscape very well. See the video below. [video]</description><link>http://www.secuobs.com/revue/news/199654.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/199654.shtml</guid></item>
<item><title>How much do botnets re-use their IPs?</title><description>Secuobs.com : 2010-03-07 01:14:39 - Terry Zink's Anti malware Blog - One of the assumptions that I have long held about botnets is that they grab a compromised computer, spam it like crazy and then abandon it once it lands on an RBL. Eventually, this RBL delists it due to dormant activity, and later on the botnet reawakens and reacquires that IP and spams with it again. In other words, the botnet recycles (or re-uses) its IPs to spam, but with sufficient time between spamming cycles that RBLs think that they are relatively safe to delist. After all, who wants an RBL that grows without bound? I don't have a good way to test this over a longer historical time frame, but I do have a shorter way to test this. Each day, I collect stats on botnets and dump all of the IPs for each botnet into a file in its own subdirectory. I planned to have the script delete the file, but I have discovered that these files of historical spamming IPs are handy to have around. Incredibly handy, actually. All I have is a month's worth of data, but I figured this would be an interesting check. To test this, I went through the 14 botnets that I keep track of and counted all of the total IPs that each is sending spam from. I then did the Linux cat | sort | uniq | wc -l that prints all of the IPs, sorts them, gets the unique entries and counts them up. This gives me a Total Count, a Unique Count, and a % unique. If a botnet has 100 IPs and 98 of them are unique, then it means that the % Uniqueness is 98%. It implies that the spammer uses new originating sources of spam each day, which means that we cannot use the previous day's spamming IPs to predict where today's spam will come from. The results are below; the IPs are all normalized against the smallest botnet (waledac) to display the relative size of each botnet sending us spam (note that this is all post-RBL data): [image] You can see from the above that each botnet almost never re-uses its IPs. Only darkmailer and waledac do it with any consistency, and surprisingly enough, so does rustock. But even then, 5 out of every 6 IPs are IPs that it has not used before (in the previous one month, i.e., Feb 5 to March 5). I then decided to see whether or not there is any overlap between the botnets. Perhaps they are unique amongst themselves, but what about amongst each other? It turns out that there is 86.7% uniqueness amongst them. I would say that the number is this low only because rustock pulls down the average and accounts for so many of the IPs. Based upon this snapshot of data, I conclude the following: 1. Spammers do not recycle their IPs amongst the same botnets at regular intervals, at least if the interval is less than one month. They get new ones each day. 2. Spammers do not share IPs amongst each other, at least if the interval is less than one month. 3. It is depressing how many new sources of IPs they are able to get, per day. 4. However, I can not make any definitive conclusions because once an IP gets blocked at our network edge (i.e., is on an RBL), I don't have visibility. So, my above conclusions are based upon post-RBL mail which may not be reflective of all spam.</description><link>http://www.secuobs.com/revue/news/199040.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/199040.shtml</guid></item>
<item><title>Not a great week for outbound spam</title><description>Secuobs.com : 2010-03-05 23:45:14 - Terry Zink's Anti malware Blog - It hasn't been a great week this week (March 1-5) for some of our customers who use us for outbound mail relay. I'm not going to name names because there have been a wide variety of users, but every single day this week we have had one or two organizations that have been sending abusive content to the rest of the Internet. A normal week is one or two violations. We've had 8 or 9 so far and we haven't even hit Saturday yet. Now, I will admit that the script I use to track the egregious violators was written by me, and this script had an error that I only managed to fix on Feb 25. So, it's possible that we had a lot more violators each week; I just didn't know about it. What's weird is that my script worked sometimes but not always. I had to do some debugging and I found that another script that it points to got moved, and so for some reason it was working part of the time but not all of the time. Why it worked some of the time makes no sense to me since it was pointing to a non-existent piece of code. Anyhow, the point is this week we have seen piles and piles of outbound spam emitting from our network. It's been so bad that I have been prompted to accelerate my plans to mitigate it by coming up with some band-aid solutions. I am experimenting with auto-additions of known bad users from organizations with checkered reputations. In other words, if you were bad before, then we will auto-add users to a banned_sender list until they clean up their act, and there will be no notification that we are going to do this. Automation of actions like this is risky. But we can't keep going like this because these spam campaigns are happening in the middle of the night. Three hours later they are done. Our reaction time needs to be quicker and human response just isn't fast enough.</description><link>http://www.secuobs.com/revue/news/198819.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198819.shtml</guid></item>
<item><title>Authorities take down the Mariposa botnet</title><description>Secuobs.com : 2010-03-05 07:50:04 - Terry Zink's Anti malware Blog - There are a number of sources talking about the takedown of the Mariposa botnet; here are a few of the good ones: The Associated Press details the story and talks about the technical aspects of the takedown. Boing Boing only has an excerpt, nothing too detailed. Panda Labs, who assisted in the disruption, has their own blog about their participation and the actions that they took. Symantec adds something to the discussion with their analysis of the chief piece of malware in the botnets (W32.Pilleuz, aka Win32/Rimecud.R). Gary Warner, over at the University of Alabama, has a great discussion on botnets. He urges the anti-botnet community to move from a model of taking down botnets with technology to taking down spammers within the legal framework. In case you haven't been reading through the security space lately and mine is the only blog you read, here's the 411 rundown: Spanish authorities, working with researchers from Panda Labs, Defence Intelligence and a couple of other educational institutions, took down the Mariposa botnet (Mariposa is the Spanish word for "butterfly"). The Mariposa botnet is absolutely enormous, with around 12 million nodes doing its bidding. It was involved in things like credit card phishing and identity fraud. Yet the thing about the Mariposa botnet was not its sophistication, but rather the lack of sophistication of the people running it. It wasn't a bunch of cybercrooks in Eastern Europe running it, but everyday ham-and-eggers like you and me. To be sure, the infrastructure of Mariposa was sophisticated, with VPN traffic and hiding behind other drones, but what ultimately led to its downfall was one of its operators making a mistake. In December, the botnet was knocked offline and the people running it weren't making money. Driven by hubris, one operator attempted to regain control of it by connecting to it via his home computer. That was his critical mistake: he sent a flood of DOS traffic to Defence Intelligence, the Canada-based organization responsible for assisting in taking it offline. However, it was this direct connection that left a trail to him and allowed authorities in Spain the chance to move in and make the arrest. The people behind it were not tech-heavy hackers, but instead were cyber criminals who outsourced most of the work in an attempt to move to crime online. Is such a takedown effective? Here's Gary Warner's take: "Those of you who have heard me speak in person know that I believe the answer to these botnets and their continued survival must be the Criminal Justice process. When McColo was shut down (see Analyzing the Aftermath of the McColo Shutdown or Brian Krebs' Major Source of Online Scams and Spams Knocked Offline) spam had a significant world-wide drop in volume, but it rebounded. Why? Because no bad guys went to jail. Our friends at FireEye are doing amazing botnet work (see their blog, FireEye Malware Intelligence Lab), but without convictions, even the successful botnet takedowns, like their work on Smashing the Mega-D/Ozdok Botnet, eventually rebound. Cautions are already being expressed as a result of the Waledac take-down, that by using TECHNOLOGY to do the takedowns instead of CRIMINAL JUSTICE APPROACHES we are just helping to rapidly evolve the capabilities of the various cyber criminals who make their living through spam. We have to move from DISABLING the C&amp;C networks to MONITORING the C&amp;C networks. Bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door." My own approach is that the fight against spammers is a multi-pronged approach. No one company really has a handle on it and instead a combination of techniques is required. In no particular order: 1. Vendors must build software that is secure. 2. Users must make sure that their software is up to date with the latest patches. 3. Users must use security software. 4. Anti-abuse technology (spam filters, corporate firewalls) must be effective to disrupt the spammers' cost models. 5. Law enforcement must move to take down cyber criminals. 6. Governments must pass laws clearly defining and/or updating laws surrounding electronic abuse. 7. Spammer infrastructure must be disrupted. 8. Organizations need to monitor and mitigate abuse, reactively and proactively. So, realistically, advocating one solution over another has its merits, but we are still a long way away from stamping out abuse. If spammers can hit users with different types of threats (Black SEO, rogue A/V, spam, DOS attacks, etc.), then anti-abuse proponents must similarly have a large arrow full of quivers with which they can strike back.</description><link>http://www.secuobs.com/revue/news/198291.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198291.shtml</guid></item>
<item><title>Why send spam over TLS?</title><description>Secuobs.com : 2010-03-04 06:50:14 - Terry Zink's Anti malware Blog - In my previous post, I noted that rustock had started sending us a whole pile of spam over the TLS protocol. The question now is why do it at all? I mentioned in my post that this is clever behavior and one of my readers posted in a comment: "What makes this so clever?" The issue of authentication, reputation and security is one that comes round and round in the world of email. Why do we authenticate? And what does it buy you? There are plenty of reasons to send authenticated mail; here are three: 1. It allows you to track abusive behavior. If an organization is sending outbound spam, then determining who is responsible for it allows that organization to track down who is sending it and shut them down. This, of course, presumes that organizations want to do the right thing. But if you are taking responsibility for the quality of what you send, then identification of your users is done using authentication. 2. It allows you to combat fraud. Up until this point, the principal mechanism that we have used with regards to authenticated mail is using it to combat phishing. Organizations that use SPF or SenderID and have a "-all" in their SPF records are saying that any mail that purportedly comes from us, but is not from our designated IP range, can be discarded (or heavily weighted in the negative). Organizations like Paypal or eBay have a vested interest in this. If a spammer wants to spoof security@paypal.com, then looking up the SPF record for paypal.com will reveal that it is a phish and it can be discarded. Of course, this doesn't work if the phisher uses security@paypaldoesnotexist.com (i.e., makes it look like Paypal at a glance). However, we don't use it to combat all phishing, we use it to combat some phishing. That is where we have gotten the most mileage. 3. To fast track mail you want to receive. This is the Holy Grail of filtering. If you know who mail is coming from and can authenticate that it indeed comes from them, then you can put said contacts on a white list to bypass filtering such that false positives never occur. For example, if I always wanted to hear from my girlfriend (for the sake of argument, let's call her Christine), I would whitelist her email address in the event that her email account can be authenticated in some regard. Only mail that genuinely comes from her would I want to fast track. The Holy Grail part comes in on the theory that for mail that is unauthenticated, you could put it through a more weighted rule set (or more aggressive rule set). The good mail you always receive because it is authenticated, but the rest of it is subject to more antispam filtering. For example, I would always want to hear from Christine, but my friend Frank will have a tougher time getting through to me (of course, in real life, Frank owes me money so I would always want to hear from him too, to see when he's going to cough up my cash). Unfortunately, I call this the Holy Grail of filtering because while it is a noble goal, it is unattainable. There are far too many people in the world who I want to hear from who don't authenticate their mail with any technology. Thus, any attempt to increase the aggressiveness of a spam filter will result in false positives from people you invariably want to hear from. Similarly, there are cases when you do want to hear from new people (such as going to a conference and collecting business cards) who you have yet to authenticate. I don't know the full list of my friends, old and especially new, and increasing a filter's aggressiveness only results in false positives. That's my real life experience. None of these really fit the profile of a spammer. Why would he want to track abusive behavior? Or combat fraud? The one that does make sense is getting onto a whitelist. To a spammer, they may believe that only good institutions authenticate their mail. And furthermore, when filters see that the mail is authenticated, they relax their settings and allow the mail to pass through to the end user. In other words, there is a hope that an authenticated connection means that the receiver assumes that the sender is a good player. Who else would take the time to authenticate their mail? Yet this view doesn't really hold up in real life. No one in the antispam world worth their salt believes that authenticated mail is de facto good mail. We like it when mail is authenticated, but we don't naively believe that because it is authenticated, it is good. There is a higher probability that it is, true, but there is no guarantee. Just take a look at my other stats; we get plenty of spam from mail that is authenticated. In other words, if spammers actually think that authentication will help them, they are soundly mistaken. Authentication is used to hear from people we want to hear from, not from anyone. There is another reason to send mail over an encrypted channel, however: security for the spammer. Why would a spammer need to worry about security? Because their drones sending out the spam need to communicate with their command-and-control centers. If the communication is going out over an encrypted channel, it means that anti-botnet activists out there cannot discern, intercept or observe what type of traffic is going out over the clear text. In other words, it makes their communication channel more resistant to tampering. Observe in the past 4 months what has happened: Mega-D infiltrated; Lethic infiltrated; Waledac infiltrated; Mariposa infiltrated (more on this in a future post). By encrypting the communication channels, a botnet can make its instruction set more difficult for a security official to disrupt, because obtaining proof of malicious behavior means that the observer must connect directly to the botnet C&amp;C (or drone). They cannot sit back and intercept packets and observe what is going on. Thus, my theory is that the rustock botnet uses TLS (or SSL, or something) as a means of disguising its behavior in an attempt to make its infrastructure more robust. It then sends email the same way but doesn't necessarily care that it is being slowed down somewhat. It has so wide a footprint that it is able to absorb the cost of the delays introduced by sending over an encrypted channel. It makes the task of stamping out rustock that much more difficult.</description><link>http://www.secuobs.com/revue/news/197927.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197927.shtml</guid></item>
<item><title>More spam via TLS</title><description>Secuobs.com : 2010-03-03 04:29:17 - Terry Zink's Anti malware Blog - The other day, one of our architects was tinkering around and discovered that approximately 40% of the total inbound connections to our network were connecting to us via TLS. This seemed to be a rather high number, so that spurred an investigation. If you are unfamiliar with TLS (as I am), it is a protocol for authenticating servers and clients and using that authentication to encrypt the communications between those two parties. From Technet: "In the authentication process, a TLS/SSL client sends a message to a TLS/SSL server, and the server responds with the information that the server needs to authenticate itself. The client and server perform an additional exchange of session keys, and the authentication dialog ends. When authentication is completed, SSL-secured communication can begin between the server and the client using the symmetric encryption keys that are established during the authentication process. For servers to authenticate to clients, TLS/SSL does not require server keys to be stored on domain controllers or in a database. Clients confirm the validity of a server's credentials with a trusted root certification authority's (CA's) certificates. Therefore, unless user authentication is required by the server, users do not need to establish accounts before they create a secure connection with a server." In public key cryptography, indeed, in all encryption, it is an expensive operation. It takes time to grab the key, verify it, encrypt the message channel, and then decrypt/validate the message channel on the receiver's side. Typically, you would use it when you want to have a secure connection such as e-commerce, remote access to a machine (to prevent man-in-the-middle attacks), or validation of certain email transactions. Thus, it serves a legitimate purpose. The idea is that because TLS is an expensive operation, spammers would shy away from it. They need to send as much spam as possible and because TLS slows them down, this is not the best option for them to use. In my department, we filter 97% of our mail as spam, and 90% of that is done before it gets past our RBLs (i.e., 90% of our mail is rejected due to IP blocklists). So, if TLS is used only by legitimate mail servers, then it would mean that 3% of mail is responsible for 40% of mail that connects to us via TLS. This is phrased really awkwardly but at the moment I cannot find the words to capture what I mean: 40% of our mail was connecting via TLS, but only 3% of the mail is actually good. It is virtually impossible for that fraction of our mail to account for all of those TLS transactions. Translation: we are getting a lot of abusive mail that is connecting to us via TLS. I decided to launch an investigation. We suspected that one or more botnets had shifted its behavior because we hadn't seen this last year in 2009. I started to track how much of our post-RBL mail was sent via TLS and how much was marked as spam for the past couple of days. The results confirmed my suspicions (values below are normalized, not actual values): Total amount of mail sent over TLS: 50 million. Total amount of mail sent over TLS marked as spam: 19.5 million. % of mail sent over TLS marked as spam: 39%. Total amount of mail sent (TLS + non-TLS): 139 million. Total amount of mail marked as spam: 44 million. % of mail marked as spam: 32%. From this, you can see that mail that gets past our RBLs that is sent via TLS is 7% more likely to be marked as spam than mail that is not sent via TLS. This surprised me from a botnet spamming behavior point of view. This means that they incur more overhead in an SMTP transaction and it takes them longer to do it. It is less efficient for them. However, from a numbers point of view this did not surprise me. If the ratio of TLS to good mail is 40:3, or about 13:1, then most of the post-RBL TLS mail is going to be spam. I next decided to capture the IPs that were spamming and see which botnets they belonged to. I had a suspect in mind but I needed to prove it. I trolled through a sample of our logs finding all of the IPs that were sending spam via TLS (i.e., post-RBL), and also looked at the IPs pre-RBL that were sending via TLS. I then cross-referenced them with my script that maps botnets to IPs. The result: Rustock is doing it. Out of all the botnets that I can identify that send us spam, post-RBL, rustock accounts for 34% of it. Yet it accounts for 79% of pre-RBL spam over TLS and 84% of post-RBL spam over TLS. The next nearest botnet is cutwail and it only accounts for 1% of spammy TLS connections. Rustock was my suspect, and this confirmed it. It kind of makes sense for rustock, based upon what I know of it: It's the biggest botnet that spams us, by far. It sends from a very wide range of IPs and only sends, on average, 1 message per envelope. It is known to have "sleepy behavior": it wakes up, spams, goes to sleep; wakes up, spams, goes to sleep. The pattern that we observe concurs with this, but the research I have found indicates that its behavior is for much longer spam periods (8 hours) rather than the 10 minutes or less that we see. If a spamming engine could afford to send spam over TLS, rustock is the one to do it. Because it sends from such a large array of IPs, and sends out so much spam, it can absorb the additional TLS overhead required to start an SMTP conversation. This behavior in rustock is a clever move.</description><link>http://www.secuobs.com/revue/news/197420.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197420.shtml</guid></item>
<item><title>Old fashioned security</title><description>Secuobs.com : 2010-03-02 00:41:28 - Terry Zink's Anti malware Blog - Via xkcd: Code Talkers.</description><link>http://www.secuobs.com/revue/news/196801.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/196801.shtml</guid></item>
<item><title>Canada wins Olympic gold</title><description>Secuobs.com : 2010-03-01 06:19:16 - Terry Zink's Anti malware Blog - This post is not spam or malware related at all. I just thought that I'd point out that Canada won the gold medal in men's hockey today at the Olympics. What a great day for Canada!</description><link>http://www.secuobs.com/revue/news/196485.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/196485.shtml</guid></item>
<item><title>Spam Crackdown Threatens Koy4Goff's Free iPod Industry</title><description>Secuobs.com : 2010-02-28 01:04:53 - Terry Zink's Anti malware Blog - Courtesy of The Onion.</description><link>http://www.secuobs.com/revue/news/196315.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/196315.shtml</guid></item>
<item><title>A little more on Microsoft's Waledac shutdown</title><description>Secuobs.com : 2010-02-27 02:32:00 - Terry Zink's Anti malware Blog - Yesterday, I posted that Microsoft had recently obtained a court order to shut down several .com's that were known to host command-and-control centers for the waledac botnet. Working together with some folks at Shadowserver, the University of Washington and Symantec, it represented one of the first times that a group of people from private industry, higher education and the legal arena collaborated to take down a botnet. Microsoft Associate Counsel Tim Cranton blogged recently: "At Microsoft, we don't accept the idea that botnets are a fact of life. We are a founding member of the Botnet Task Force, a public-private partnership to join industry and government in the fight against bots. Given the recent spread of botnets, we are getting even more creative and aggressive in the fight against botnets and all forms of cybercrime. That's why I'm proud to announce that through legal action and technical cooperation with industry partners, we have executed a major botnet takedown of Waledac, a large and well-known 'spambot'. Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn't cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders' control, they are still infected with the original malware." (Image: A map of Waledac infections around the world in a recent 24-hour period.) Microsoft does acknowledge this, as seen from the quote above by Cranton: the malware is still infecting the affected computers; only the communication channels have been disrupted. Still, it is a significant, if temporary, blow to another botnet. This follows a pattern that seems to be emerging over the past 1 1/2 years: McColo was knocked offline in late 2008. Pricewert LLC was taken offline in June 2009. A Latvian ISP was taken offline in August 2009. Fireeye took down the Mega-D botnet in November 2009. Neustar took the Lethic botnet offline in January 2010. All of these had temporary impacts on each of these botnets and spam activity, but in each case the botnets rebuilt their infrastructure and returned. So yes, perhaps we can be a little jaded about this, but we can gain short-lived victories. Here's The Register's take: "Criminals running botnets have faced a number of takedown operations over the last year or so, dating back to the McColo shutdown. All normally result in a temporary slowdown in spam volumes. But cybercrooks are getting better at building more resilient networks. Even if that doesn't work, there are always more miscreants in the shadows ready to step in and sell bulk mail services to unethical, unscrupulous or outright criminal marketeers. Microsoft's enforcement action is welcome, but it treats only the symptoms - and not the root cause - of the botnet epidemic." (TZ - emphasis mine.) We all acknowledge that Microsoft's actions do not address the root cause of the botnet epidemic. It is only one part of the solution, but it does follow a pattern of shutting down the bot's command-and-control center. Sometimes you don't have to completely win the battle, you only have to make it too expensive for the bot controller and spammer to shift the cost/benefit ratio into an unfavorable direction. In other words, disruption of their model is a viable tactic (in my opinion). And as I said in my previous post, Microsoft has got a multipronged strategy for dealing with the root cause of the botnet epidemic in addition to the action taken above: 1. The free distribution of the Malicious Software Removal Tool to registered and unregistered users of Windows cleans up the malware that distributes it in the first place. 2. The free distribution of Microsoft Security Essentials that proactively keeps your machine clean (MSRT is not real time). 3. In 2002, Microsoft launched its Trustworthy Computing initiative to improve public trust in its own commercial software. In addition, the company participates in a number of industry collaborative groups such as the Antiphishing Working Group (APWG), the Messaging Anti-Abuse Working Group (MAAWG), and the National Cyber Security Alliance (NCSA). 4. Microsoft's Software Development Lifecycle requires that all of its products go through the Secure Windows Initiative, a process where potential security risks are identified and mitigated. Indeed, if you read through the Microsoft Security and Intelligence Report, Microsoft's newer OSes are much more resilient to malware than older versions (i.e., Windows XP). Action against bad actors requires a multi-faceted approach, and this latest action by Microsoft (and others) is another arrow in the quiver to use in the battle against Internet abuse.</description><link>http://www.secuobs.com/revue/news/196141.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/196141.shtml</guid></item>
<item><title>Microsoft wins a court order to shut down the Waledac botnet</title><description>Secuobs.com : 2010-02-26 00:38:10 - Terry Zink's Anti malware Blog - A number of places are reporting that Microsoft has won a court order to shut down the Waledac botnet. Both the Wall Street Journal (registration required), The Register and ComputerWorld report on it. Quoting from the ComputerWorld article: "Microsoft said late Wednesday that it had been granted a court order that will cut off 277 .com domains associated with the botnet. This will effectively knock the brains of Waledac off the Internet, by removing the command-and-control servers that criminals use to send commands to hundreds of thousands of infected machines. Thought to be used by Eastern European spammers, Waledac has been a major source of computer infections and spam over the past year. Microsoft believes the botnet can send over 1.5 billion spam messages daily. In a lawsuit against the unknown spammers behind Waledac, filed Monday with the US District Court of Eastern Virginia, Microsoft argues that Verisign, which manages the .com domain, is a choke-point for the botnet. The court has apparently ordered Verisign to remove the botnet's command-and-control domains from the Internet. 'This action has quickly and effectively cut off traffic to Waledac at the .com or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world,' Microsoft said in its blog post announcing the effort. Microsoft designed its lawsuit so the court order would sever the control ties to the botnet before its controller had time to react. 'That unplugging of the Internet connection had to be done without him knowing,' said Richard Boscovich, a senior attorney at Microsoft's digital crimes unit, in a video on the blog post." So, to summarize what's going on here: computers infected with the Waledac botnet need to get their instructions from somewhere. These instructions live elsewhere on other infected computers, sometimes a fastflux domain. For example, Computer 1 has waledac and needs to talk to spam_viagra.com in order to know what to spam and who to spam. By forcing the domain spam_viagra.com offline, Computer 1 no longer knows what to spam nor who to spam. It cannot download new sets of instructions because the place where it wants to connect to no longer exists. An operation like this requires a pretty quiet channel of execution. Like the blog post says, the operation had to be done without the botnet owner knowing and before he could have a chance to proactively take measures. The ComputerWorld article continues: "Because Waledac uses peer-to-peer techniques to control hacked boxes as well, Microsoft has more work to do, however. 'It's a busy night tonight and tomorrow is probably going to be a busy day as well,' said Jeff Williams, director of Microsoft's Malware Protection Center, in an e-mail interview. Williams didn't provide details on what Microsoft was doing to further attack Waledac, but in its blog posting the company said it is 'taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet.' Microsoft expects to 'continue to work with the security community to mitigate and respond to this botnet,' the post states. Known internally as Operation b49, Microsoft's takedown operation 'was the result of months of investigation and the innovative application of a tried and true legal strategy,' Microsoft said." Peer-to-peer is different. Peer-to-peer is when infected computers talk directly to each other. An infected Computer 1 would talk directly to Computer 2, which in turn would be talking to Computer 3. This type of action can be more complicated because the web of network connections is more complex, and figuring out which sets of instructions are malicious and which are legitimate is not easy, particularly if the connection is encrypted. (Image) You can see from the above diagram that the network mesh contains a couple of redundant techniques for communication within the botnet's infrastructure. While I'm not privy to this type of information, there are a number of tools that Microsoft is using in order to disrupt this particular botnet: 1. Shutting down .com's that host Waledac instructions. 2. The free distribution of the Malicious Software Removal Tool to registered and unregistered users of Windows cleans up the malware that distributes it in the first place. 3. The free distribution of Microsoft Security Essentials that proactively keeps your machine clean (MSRT is not real time). The battle continues, but temporary victories are nice to achieve from time to time.</description><link>http://www.secuobs.com/revue/news/195727.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195727.shtml</guid></item>
<item><title>Closing in on the Google hackers</title><description>Secuobs.com : 2010-02-25 03:47:40 - Terry Zink's Anti malware Blog - Joseph Menn has an article on CNN.com wherein the crux of the story is that US experts are closing in on the hackers that broke into Google last month. It is believed by some that the Chinese government sponsored these hackers. China, naturally, denied involvement. My own take is that tools today are sophisticated enough such that you don't necessarily need state sponsorship in order to launch a cyber attack. Here is an excerpt: "US analysts believe they have identified the Chinese author of the critical programming code used in the alleged state-sponsored hacking attacks on Google and other western companies, making it far harder for the Chinese government to deny involvement. Their discovery came after another team of investigators tracked the launch of the spyware to computers inside two educational institutions in China, one of them with close ties to the military. A freelance security consultant in his 30s wrote the part of the program that used a previously unknown security hole in the Internet Explorer web browser to break into computers and insert the spyware, a researcher working for the US government told the Financial Times. Chinese officials had special access to the work of the author, who posted pieces of the program to a hacking forum and described it as something he was 'working on'." In other words, a hobbyist programmer with a lot of time on his hands, and a lot of knowledge in his head, was working on something where he was looking to break Microsoft's Internet Explorer web browser. Continuing onward: "Beyond the immediate forensic inquiry, the work of US researchers sheds light on how cyber-operations are conducted in China. The man who wrote code to take advantage of the browser flaw is not a full-time government worker, did not launch the attack, and in fact would prefer not to be used in such offensive efforts, according to the US team that discovered his role." This is similar to the Estonian cyber attacks in 2007. Back then, the Estonian government accused the Russian government of instigating the attacks, and the Russian government denied involvement. As it turned out, an aide to a Russian state Duma representative did claim responsibility but specifically denied it as an act of the Russian government. It appears that he was angry at the Estonian government for taking down a war monument and in response launched a cyber riot. Similarly in 2008, hackers launched a DOS attack on the Georgian government. Like Estonia before it, this appears to have been a case of a group of nationalist people getting together, pooling their criminal resources and launching an attack at an enemy using cyber warfare. In this case, the author of the code doesn't work for the Chinese government, and neither did the Estonian or Georgian attackers. This code writer wouldn't even want his work to be used in cyber attacks, but that cat is out of the bag now. Just like Alfred Nobel regretted his decision to invent dynamite, this guy can't take back what he has wrought. If you are looking for security exploits in a browser to do nefarious things, someone can take your code and use it in ways that you didn't expect. Continuing onwards: "'If he wants to do the research he's good at, he has to toe the line now and again,' the US analyst said. 'He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers' work.'" It's unclear if the Chinese government was peering over his shoulder and stealing his code, or if someone in the middle stole it and delivered it to the Chinese government, or even if the Chinese government was involved at all. Continuing, we start to get some light shed on this situation: "A separate team of US contractors has traced the launch of the spyware to computers at Shanghai Jiaotong University and Lanxiang Vocational School, according to two people familiar with that inquiry. Jiaotong University has one of the best security departments in the country, US analysts said, with former government cyber commanders in residence. The state-run Xinhua news agency said officials at both schools denied involvement. In theory, outsiders could have compromised both schools' machines before using them to collect data from the Western companies. But US analysts said at least Jiaotong University's networks are closely monitored, making them an odd choice for an independent attacker seeking to avoid detection. In addition, 'Our investigation shows the hosts that did the attacks were not compromised that we could tell,' said an analyst involved in that probe." In my experience, universities are breeding grounds for compromised servers. Not a week goes by when we don't have at least one incident where somebody has been phished and then the account starts spewing out piles of outbound spam. And this goes on all the time. So, the fact that the spyware was launched from a university should come as no surprise. If you'll allow me to craft a theory, it would go something like this: Students like to play a lot of online role playing games like World of Warcraft. One of the most common worms today is the Taterf worm, which steals passwords to MMORPG games like WoW. This worm is spread via thumb drives and misconfigured network drives. Perhaps some students in China were playing games, somebody spread around some malware (inadvertently) and installed a password stealer, or a code stealer. The Chinese have lots of pirated software and don't have the best security practices. China + universities = recipe for disaster. Meanwhile, a security consultant (read: PhD student who knows tons and tons about security and was working on it for his thesis) has caught the eye of the Chinese government, or someone else who wants to steal secrets from Google. This grad student likes to relax and
play video games every once in a while, and if you have ever been to China, you know that males between the ages of 18-29 are forever found in Internet cafes playing MMORPGs Maybe his network gets compromised, maybe his computer gets infected with malware, but somehow or another, his system gets hacked and his code is stolen Or maybe it isn t stolen Maybe he is experimenting one day and one of the side effects is that his worm gets out of control  like a bad movie  and steals Google credentials Or maybe he works for Baidu  or perhaps they are funding his research  and they steal the code and use it against Google Note the phrase that  Jiaotong s network s are closely monitored  and  the hosts did not appear compromised  That would indicate that whoever stole the information did so willingly and there was not malware installed on the networks It would have to be a deliberate act Or would it  Many people who are infected wouldn t necessarily know it or recognize it The fact is we don t really know enough to determine if this was a conspiracy or not What it sounds like is that some guy wrote some software that exploits a security flaw and this was used by someone with malicious intent Was it the Chinese government  Was it private enterprise  Or was it some students using it to see if they could do it  I don t know enough about the details of the case, but neither would surprise me  IMAGE  </description><link>http://www.secuobs.com/revue/news/195359.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195359.shtml</guid></item>
<item><title>Some stats and figures on DKIM and SPF</title><description>Secuobs.com : 2010-02-24 08:56:48 - Terry Zink's Anti malware Blog - Did you ever wonder how many organizations out there are signing their mail with DKIM? Or how many organizations rely on SPF as a tool to validate their inbound mail? Well, I've wondered as well. DKIM supposedly is getting more popular, but how widespread is it? Are lots of people using it, or is it used by only a few of the big organizations? I decided to do a quick investigation using statistics that I have from the past 45 days. SPF is the technology that I understand best and is easiest for me to measure. Out of all of the mail that we deliver to end users (assume that 100% of it is non-spam), 38% of it passes an SPF check. So, approximately 2 out of every 5 good messages sent to us are validated using SPF checks. For DKIM, I don't have a way of validating a DKIM signature since Microsoft does not yet support it. However, for the sake of argument I am going to assume that the existence of a DKIM header means that it is not spoofed; it is not advantageous to the spammer to spoof a DKIM header since it wouldn't decrypt properly anyhow. My point is that I assume that the existence of the DKIM header means that someone legitimately attached it. Using this gauge, 14% of messages that we mark as non-spam contain a DKIM signature. To put it another way, about 1 out of every 7 non-spam messages is signed with DKIM. That's actually quite a bit; it takes a long time to put a new technology out there and get it adopted, especially one that is as complex as DKIM (complex compared to SPF, for example). But does a DKIM signature or an SPF check guarantee that a message is valid? The answer is no. I don't know of anyone worth their salt in the antispam world that would assume that a message authenticated using either of those two technologies must therefore be valid. To give you hard numbers, 10% of messages passing an SPF check and 8% of messages with a DKIM header are subsequently marked as spam by our content filters. That's around 90%. So, the probability that an authenticated message is legitimate is high, but it is no guarantee. For interest's sake, here is the SPF breakdown of mail that makes it past our IP blocklists (incidentally, the above is mail that makes it past our IP blocklists, too). [image] The numbers above are interesting. SPF Neutral and Hard Fails don't really seem to have any influence one way or the other on whether or not a message is subsequently marked as spam, as they closely align to our network wide statistics on spam. SPF None results don't really have that great an effect on whether or not a message is marked as spam, which suggests that there are a lot of small senders out there who do no authentication at all and are not spamming. This can be interpreted in two ways: either (1) there are lots of people out there who aren't spamming despite doing no authentication, or (2) authentication hasn't really caught on yet the way we in the email industry would like.</description><link>http://www.secuobs.com/revue/news/194992.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/194992.shtml</guid></item>
<item><title>Harnessing the powers of evil</title><description>Secuobs.com : 2010-02-23 01:33:08 - Terry Zink's Anti malware Blog - I recently wrote an article that I submitted to Virus Bulletin about how certain elements in Eastern Europe have connections to large botnet armies and are able to launch DOS attacks on the infrastructure of a country. This is similar to what happened when a bunch of "spammers" decided to launch DOS attacks on Facebook, Twitter, Blogspot, LiveJournal, and so forth, in a bid to shut down a spammer. This, of course, is an evil purpose to using botnets. But is it possible to use this for the powers of good? I have been bugging two friends to fill out a document for me for a couple of weeks now (three weeks for one friend, two weeks for another). They still have not done it. I decided I was going to start emailing them every single day until they finally get off their cans and fill out the personal form for me, which will take all of 15 minutes. If they are going to forget, then I shall remind them. They shall feel some pain from me! I have also reminded them in person. Obviously, my notices haven't been heeded. So I thought to myself: why should I do this manually? Why not write a script to do it every day? This is something I have done in the past for our internal processes. All I would need is a mail server and I could code this up in an hour or so (if I wanted some redundancy). That way, I could have a daily reminder sent to them every single day until they sent it back. Then I thought to myself: hmm, I could be a bit more evil. What if instead of sending once per day, I sent it once per hour? That would make it a bit more painful for them. After all, nobody moves on anything without sufficient motivation. Then I thought to myself: what if I sent it 10 times per hour? Now I am moving into the realm of spamming. Except, of course, it is solicited, it is not bulk, nor is it commercial. It'd be blackmail, but at least I'd get their attention. And then I thought to myself: hmm, what if I rented a botnet and sent them 100 messages per hour? With warnings that this wouldn't stop until they filled out my forms, which have a deadline of two days from now? That was a little bit too harsh. That's using the power of evil maybe a bit too much. It would certainly blur a lot of ethical lines. In the end I decided against it. But it certainly was a seductively entertaining possibility that crossed my mind, that's for sure.</description><link>http://www.secuobs.com/revue/news/194387.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/194387.shtml</guid></item>
<item><title>What the-- I'm getting Skype spammed!</title><description>Secuobs.com : 2010-02-19 03:12:36 - Terry Zink's Anti malware Blog - Apologies for the strong title of this post, but it aptly describes the emotion I am feeling at the moment. I installed Skype a little while ago and I don't use it too often. I only really talk to one person on it, and now that I am on an AT&amp;T cell phone plan with unlimited calling to that person, I don't really feel the need to use Skype as much. My AT&amp;T plan also gives me unlimited text, so I attempt to use it so much that it costs them money (as a punishment to AT&amp;T for charging me so much when I was on pay as you go). Of course, that strategy is doomed to fail because the only people in the world who can text that much are 14-year old girls. Anyway, I have got Skype set up and it loads automatically when I boot up my PC. I was just kind of sitting around, watching a presentation with my laptop open, when all of a sudden I was notified with regards to a new conversation. Below is a screenshot. [image] A spammer has contacted me over Skype, trying to push his crap! What the hell? That's not the worst part. It turns out that a few days ago (I didn't notice, apparently) I was spammed with a notification to update my Windows registry, and today I was informed that there are thousands of unhappy married women in every city who do not want to leave their spouses but are still looking for love. You know, I'm used to having my email inbox flooded with spam. I know that DOS attacks are par for the course. I realize that rogue A/V is a growing trend. But seriously, attacking my Skype account? Seriously? There just seems to be an unwritten assumption (in my mind) that the telephone is more of a walled garden from spamming. This shouldn't surprise me, I suppose. After all, Skype is an internet technology and all internet technologies are subject to abuse. It is really no different from any other communication technology that uses the internet. So why was I so irritated? I'd say it's because I haven't shared my Skype information with anyone. Ugh. Of course, many years ago I predicted that telephony was going to be the next big vector for attack. I was wrong about the scope of it (black SEO is bigger, I think), but at least I got the direction right. I guess I can take comfort in that.</description><link>http://www.secuobs.com/revue/news/193374.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193374.shtml</guid></item>
<item><title>Another Google Buzz oversight</title><description>Secuobs.com : 2010-02-14 01:08:21 - Terry Zink's Anti malware Blog - A friend of mine sent me this image via TheDogHouseDiaries. [image] In case you don't know what is going on, let me explain it in plain English: 1. Google Buzz allows you to post something innocuous. 2. Your Buzz followers (which I shall heretofore refer to as Buzzers) post comments responding to your initial post. 3. You go back later and change what you said from something benign to something embarrassing. 4. The end result is that to subsequent followers, it looks like the thing that your Buzzers are responding to is your revised post. I remember on Internet discussion boards, new posts in a discussion thread would be inserted before old posts, rather than tacking them onto the end. So it looked like this:
- Frank: Hey, how's it going?
-- Craig: Fine, thanks. And you?
--- Frank: Pretty good. Hey, did you see that new movie Avatar?
---- Craig: Yeah, I really liked it a lot.
----- Frank: The special effects were amazing.
------ Craig: I agree.
Let's suppose that Jimmy wants to get in on the conversation and responds to Frank's last comment. The thread looks like this:
- Frank: Hey, how's it going?
-- Craig: Fine, thanks. And you?
--- Frank: Pretty good. Hey, did you see that new movie Avatar?
---- Craig: Yeah, I really liked it a lot.
----- Frank: The special effects were amazing.
------ Jimmy: Totally. James Cameron's $250 million budget paid off.
------ Craig: I agree.
Jimmy's post gets top-posted before Craig's comment because it is later in time. This looks not too bad, but what if Jimmy was trying to be a douche?
- Frank: Hey, how's it going?
-- Craig: Fine, thanks. And you?
--- Frank: Pretty good. Hey, did you see that new movie Avatar?
---- Craig: Yeah, I really liked it a lot.
----- Frank: The special effects were amazing.
------ Jimmy: What are you talking about? That was the worst movie I've seen since Batman and Robin!
------ Craig: I agree.
At first glance, it looks like Craig is agreeing with Jimmy's comments, not Frank's. It's a quick social engineering trick that could fool other people (either deliberately or not) into thinking that Craig is out of touch with reality (a lot like a certain other real life Craig that I know). But if we use bottom posting:
- Frank: Hey, how's it going?
-- Craig: Fine, thanks. And you?
--- Frank: Pretty good. Hey, did you see that new movie Avatar?
---- Craig: Yeah, I really liked it a lot.
----- Frank: The special effects were amazing.
------ Craig: I agree.
------ Jimmy: What are you talking about? That was the worst movie I've seen since Batman and Robin!
Here we can clearly see that Craig agrees with Frank, but Jimmy disagrees. My whole point in all of this is that there are natural ways of posting things online and unnatural ways. Some are better than others. Giving people the option to go back and update their posts in order to make others look a little silly is... a little silly.</description><link>http://www.secuobs.com/revue/news/191733.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191733.shtml</guid></item>
<item><title>What's all the Buzz about?</title><description>Secuobs.com : 2010-02-13 00:32:48 - Terry Zink's Anti malware Blog - Well, I wasn't going to blog about Google Buzz, yet here I am. I used to own shares in Google, and at the time I did, Google could do no wrong. It didn't matter that none of their products made money other than Search. Then, I sold them. I suddenly started to evaluate them a lot more critically. I realized that they have a lot of products that get deployed and after the initial hype, you don't hear too much from them again. Google Buzz is the latest incarnation. In case you haven't been paying attention, Buzz is Google's equivalent to Twitter (I guess Twitter was too expensive to buy). You can post short updates about your status, musings, and so forth. A lot like Twitter. But Google Buzz takes it a step further. Because Google already has a very large user base that uses its existing Gmail product, it can import all of them automatically and make them your friends. As CAUCE puts it: "Buzz takes all of your GMail contacts (and presumably other connections from elsewhere within the Googleplex), and makes them all your 'friends' by default; it then shares your activity from Google Reader, YouTube, and other tools with all of them, and vice versa. They can see who your friends are, and you can see who theirs are. It's a quick &amp; impressive way to make a whole new social network out of the original social networking tool: email. Only one problem: all of those connections, and all of that public information, happens by default. You do get to choose whether or not to activate Buzz, but apparently it's activated either way; and if you say no, you won't have access to the nearly-hidden privacy controls." Building a social network is great; signing up for a new service and then automatically having your contacts imported, not so much. You don't necessarily want everyone in your social network to be part of your contacts list with access to everything. Facebook has got that figured out. I have friends on Facebook who are friends with others but don't want to share everything. Do you want your mom seeing those pictures of you consuming too much alcohol at a party? On Facebook, you can set levels of access. Some friends have partial profiles available for people they don't know very well, and more details exposed to people they know much better. Multiple levels of access are what we do in real life, and more and more this is becoming a requirement in the online world as well. Not having the choice to expose information intrudes on privacy. Of course, in a wired world privacy is kind of a gray area anyway in real terms, but Google's choice (more likely an oversight due to inexperience) is an inept move on their part.</description><link>http://www.secuobs.com/revue/news/191545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191545.shtml</guid></item>
<item><title>Funny cartoon</title><description>Secuobs.com : 2010-02-11 19:38:18 - Terry Zink's Anti malware Blog - A friend of mine posted this on his wall at work. I'm reposting it here. [image]</description><link>http://www.secuobs.com/revue/news/191022.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191022.shtml</guid></item>
<item><title>New malware threat</title><description>Secuobs.com : 2010-02-11 19:38:18 - Terry Zink's Anti malware Blog - Courtesy of The Onion, there is a new worm making its rounds across the Internet that is threatening to take money out of your pocketbook: it makes unauthorized purchases using your computer. View the video below to get more details.</description><link>http://www.secuobs.com/revue/news/191021.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191021.shtml</guid></item>
<item><title>Where are the gheg and grum botnets sending from?</title><description>Secuobs.com : 2010-02-11 04:10:32 - Terry Zink's Anti malware Blog - The botnets that I track are dominated by a few of them: rustock, cutwail, and bagle-cb. Rustock is the one that appears far more heavily than others, but what about the smaller players? When my scripts are working properly (which is about 50% of the time), I keep tabs on ten botnets. I have recently upgraded that to twelve. But I thought I would take a one-day snapshot to see where some of these botnets are sending spam from. Let's take a look at two: gheg and grum. Below are tables of the top 15 countries for originating IP for spam. [image] Looking at gheg, it is dominated by South Korea; no other country comes close. The United States, which is well known for being a haven of spamming, was only number 5 on gheg's list yesterday and it is dwarfed by South Korea. The gheg bot seems to be highly concentrated here. But what about grum? It's a botnet we don't see too often on my blog. What does its profile resemble? [image] The grum botnet's profile is quite a bit different than gheg's. Whereas most spam from gheg originates out of South Korea, a good chunk of grum's does as well, but not nearly as much as a total. The United States comes in at number 3. Of course, what is unsurprising about grum is that Russia is number 1. When we think of spam, many of us think of eastern Europe and especially Russia (at least I do). The grum botnet conforms to that stereotype completely. Yet Russia is only #9 on gheg's list. To me, this suggests that gheg's base of operations is in the far east while grum's is in eastern Europe. In future posts, I'll take a look at a few more. Who knows, maybe one day I'll write a very large whitepaper on the statistical profiles of botnets.</description><link>http://www.secuobs.com/revue/news/190780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190780.shtml</guid></item>
<item><title>Is Australia a hot-bed of zombie activity?</title><description>Secuobs.com : 2010-02-09 21:45:31 - Terry Zink's Anti malware Blog - A couple of weeks ago, I posted that Australia was getting ISPs to boot infected computers off of their network. I commented on whether or not this was a good policy. However, there was one thing in that article that I wanted to comment on but didn't; it was this excerpt: "A global report by security technology giant McAfee reveals that Australia now ranks behind only the US and China for the number of 'zombie' computers that fell under the control of spammers in 2009. 'The Land Down Under is proving to be fertile ground for zombie recruiting,' the report says. It estimates Australia accounts for 6.3 per cent of the world's 'new zombies', compared with 18 per cent from the US and 13.3 per cent from China. Just two years ago, Australia was not even in the top 10 countries listed in McAfee's Global Threats report." Australia is now number 3? Behind only the US and China? That sounds a little hard to believe. I say this because it completely contradicts any of the data I have. Now, I will admit that I only have data on how much spam we receive from each country, and from how many distinct IPs. If I go by the second half of 2009, Australia ranks 24th for distinct number of IPs that sent us spam and 26th for total amount of spam sent. It lags far behind other countries like South Korea, Brazil, India, Poland, Spain, Romania, Ukraine, and so forth. Now it's possible that McAfee's report measures total zombie activity. Zombies do more than send spam: they host spammy web pages, do fast flux, perform black search engine optimization, conduct DOS attacks, and so forth. And obviously, I have gaps in my own data because I don't measure that. Yet if I go by data in Microsoft's latest Security and Intelligence Report (covers first half of 2009), Australia ranks far down the list of countries in terms of number of computers infected with malware, drive-by downloads, and so forth. It confirms my data that Australia is not one of the biggest players when it comes to spam. This leads me to a couple of possibilities: 1. McAfee has other metrics that we are not collecting that indicate that Australia has lots of zombies and bump it up the list. 2. One of us is wrong. No offense to McAfee, but I'm guessing (emphasis on the word guessing) that it's #2, and it's not us that is wrong. It stretches credibility to assert that Australia is a smaller player in spam and malware infections but is really abusive in everything else. More often than not, if a country is abusive in one category, they are usually abusive in other categories. While it is true they may not be stack-ranked the same in every category of abuse, they usually are pretty close.</description><link>http://www.secuobs.com/revue/news/190183.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190183.shtml</guid></item>
<item><title>Which botnet sends the most spam, part 3</title><description>Secuobs.com : 2010-02-05 22:58:10 - Terry Zink's Anti malware Blog - In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level. In part 2, I looked at which one sends the most spam by total amount of bytes that they emit. Now, I'd like to put it all together: if we normalize the values, which botnet is responsible for sending out the most spam on a daily basis? Depending on how we measure it, there are a couple of answers. To check this, first I took a look at the average number of message envelopes each botnet sends per day. I then normalized the value and used the lowest sending botnet as a base, assigning it a value of 1. I have removed lethic from this count because it seems to have fallen off the radar (is something wrong with my script?). The table is below. [image] Looking at this table here, sorting by the average amount of total envelopes each botnet sends per day, it isn't even close (for the month of January). Rustock, by far, sends more individual spam messages than any other botnet, by a factor of 10. Its net is so wide that the other botnets aren't even in the running. Mega-d is next, followed by cutwail2. But if we measure the amount of bandwidth the individual receiving mail servers have to process, the numbers change. If we take the average number of messages per envelope, multiply by the average message size (kb) and multiply by the average number of message envelopes per day, then we get the total amount of traffic, in bytes, that each botnet sends. Doing this, the numbers change (remember that these are normalized values, not absolute values). [image] Looking at it this way, the worst botnet is cutwail, followed by cutwail2. Rustock drops down to 3rd in the list, a distant 3rd but not far behind cutwail1. The other botnets bring up the rear, only looking out into the distance and wishing they were as cool as the others. So there you have it, my study on which botnet sends out the most spam. I've shown my work and therefore these results should be reproducible in the future. I'm not totally convinced that my scripts are completely accurate and capturing all of the required information; however, as time passes I should be able to refine them and provide an even more accurate analysis on which botnet is the worst.</description><link>http://www.secuobs.com/revue/news/189109.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/189109.shtml</guid></item>
<item><title>Which botnet sends the most spam, part 2</title><description>Secuobs.com : 2010-02-05 04:13:24 - Terry Zink's Anti malware Blog - Following up from my previous post, there are a couple of ways to measure which botnet sends the most spam. On the one hand, botnets can send 1 spam message but address it to a lot of different recipients, thus putting the cost of delivery heavily onto the recipient. This means that the spammer can have a small number of nodes and the recipient has to assume the overhead of splitting the message up and delivering it to multiple recipients. On the other hand, a botnet can be very wide and send a lot of messages to a lot of different people, but only address each message to one recipient. In this case, the overhead of delivery is shifted onto the sender since the spammer botnet has to support and maintain a lot of different nodes. But the total number of messages is only one way of looking at it. What about the total size of the message? If one botnet sends 10 messages at 30 kb each, and another sends 100 messages at 3 kb each, the way we measure who sends the most spam varies. They are each sending the same amount of data. Regarding the 10 botnets I have been tracking this month, below is the botnet and the average size per message in kb that they send. [image] From here, we can see that cutwail1/2 send very large messages, and combining that with my previous post, we can see that they send a lot of messages per email envelope and the messages tend to be quite large. Cutwail imposes a very large strain onto the overall Internet infrastructure. Rustock, conversely, remains very hard to detect in terms of its footprint. It sends on average 1 message per email envelope, and these messages are quite small. Lethic sends lots of messages per email, but the messages are small. Gheg doesn't send very many emails per envelope either, but its messages tend to be larger. So, what can we conclude from these figures? Rustock is a very efficient spammer, and cutwail is very inefficient (where efficiency is defined as how easily they hide themselves and the costs they impose on the recipient). Lethic is a new kid on the block but doesn't impose large bandwidth costs, while the others are a mixture between the rustock/cutwail contrast. Of course, can I definitively state which botnet sends the most spam? The answer is that it depends. While the Holy Grail of many businesses is that the more data you have, the better, I have found that this is not the case. Often times, more data only serves to make you more confused and unable to give a straight up answer.</description><link>http://www.secuobs.com/revue/news/188838.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/188838.shtml</guid></item>
<item><title>Which botnet sends the most spam?</title><description>Secuobs.com : 2010-02-04 05:35:40 - Terry Zink's Anti malware Blog - Around the Internet, and even on this blog, various analyses have been done on botnets and which one is responsible for sending the most spam. Whether it's Rustock, Cutwail, or one of the new kids on the block (grum, gheg, or donbot), I don't really see any consensus on which one is the spammiest. There are a couple of ways to measure which botnet sends the most spam. You could do it by which one is sending spam from the most distinct IPs. You could also do it by which one sends the most messages. But the most messages has a couple of different ways of measuring it: by total number of envelopes, total number of messages, and total number of bytes. The envelope level is different from the message level. For you see, a message envelope can have multiple messages. A message might be addressed to multiple recipients, in other words: From: Guy Incognito; To: Frank Grimes, Lenny Leonard, Carl Carlson. This particular email would be one envelope and three messages, because the message has to get delivered to 3 people. So, at the message level, it is more costly to process a message with multiple recipients. You could scan the message before branching it out, but afterwards, when it comes time to deliver the message, you would have to fork it out into each individual message, and each of these messages costs bandwidth and storage. At the message level, here are 10 botnets that I have been tracking for around a month, along with the average number of recipients per message. [image] From this perspective, cutwail and lethic are the spammiest botnets. They send spam messages to lots of different recipients, which results in higher infrastructure costs for the recipient (not to mention the filterer of the spam). Lethic is a fairly new botnet; I don't have a lot of stats for it before November 2009. I wonder whether or not it is related to cutwail1/2 at all, seeing as how the behavior is so similar. I'd have to dig into our logs and see what the messages look like in order to see if there are enough similarities. Rustock is way down the list. Rustock is a very clever botnet, contrasting it from cutwail1/2 and lethic. Rustock's strategy is to have a botnet base a mile wide and an inch deep. In other words, the number of distinct IPs is far higher in Rustock than any other botnet (it isn't even close). But the number of messages it sends per envelope is small, approaching 1.0. This allows it to have a wider footprint that is harder to detect. A bursty emission of spam from a small number of IPs is easier to detect than a scattered distribution of it coming from many, many more IPs. On the other hand, while the latter is harder to detect, the former does more damage to a network because of the additional load put onto a network during the peak traffic times. What about the types of messages it is sending? How big are they and how much bandwidth do they consume? That's the subject for a future post.</description><link>http://www.secuobs.com/revue/news/188439.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/188439.shtml</guid></item>
<item><title>New Facebook worm</title><description>Secuobs.com : 2010-01-29 22:55:37 - Terry Zink's Anti malware Blog - This morning, I was once again browsing through my Facebook lists (man, Facebook really is a gold mine of material for the cybersecurity world, isn't it?). I came across something a friend of mine posted; it is entitled "My ex-girlfriend of 2 years cheated on me, here is my revenge." There is a picture of a scantily clad woman with a link off-site. This friend is a different friend than the one I took to Peru and tossed his iPod into the lake.
My brain started making all sorts of not-so-random associations. Recall that a couple of days ago, I posted that I received a Friend invite from a spammer. And in that invite, there was a picture of a woman in a seductive pose. Having an idea that there might be some relation here, I decided to click on the link, being pretty certain that I knew what was going to occur. I clicked on the link and Facebook prevented me from going to it. I was told: "Sorry, the link you are trying to visit has been reported as abusive by Facebook users."
Now my curiosity started to kick in. Was it abusive because the material was offensive? Or was it abusive because the content was malware? I decided to go to the link myself and find out for certain. I went to the page and it had another image (non-offensive; actually, neither image was offensive) but it said to click on a link to download the full image set. Right away, I pretty much knew what it was: a social engineering trick that uses seductive images of women to get people (mostly men) to download the images but in reality installs a worm. The invitation to treat is in the original image, and the payload is not what people bargained for. I checked out the WHOIS info and it was inconclusive.
But the story gets more interesting than this. I just uploaded a post on CircleID this morning. As I normally do from time to time, after creating my post, I decided to read the posts of other authors. I am currently tied for the 19th most prolific author on there, and I like to read the posts of the most prolific writers. One of them is Gadi Evron, a security consultant who used to work for the Israeli government in their cybersecurity space. I have read a bunch of his posts on CircleID and some of the other posts on his web site. Now here is where the story gets interesting. For some reason, I decided to do a Bing search for his name. I don't know why I did this; I think I just wanted to check out his web page again. I found his home page and gave it a quick glance and read his Career Highlights. I then read through his most recent tweets. Here is the most recent one (as of 9:55 am PST, Jan 29, 2009): "yet another facebook worm with a sexy lure: 'I cheated on my girlfriend, here's my revense' [sic] -- don't click on it."
Right then, I knew that my initial (subconscious) guess was correct. This new post that my friend had put up was actually a redirection to a malware page. My friend had fallen prey to it and Facebook was right to block it because it links to malicious content. Good for Facebook, they're on the ball. However, I thought it was pretty neat/strange/coincidental that a bunch of seemingly random events could all be tied together. So, unlike the last Facebook incident I encountered where I did nothing, this time around I did something. I went to my friend's profile and posted that this was a Facebook worm, not a "legitimate" joke. Hopefully he didn't click on the link or download/install anything.</description><link>http://www.secuobs.com/revue/news/186794.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186794.shtml</guid></item>
<item><title>Australia booting infected computers off their networks</title><description>Secuobs.com : 2010-01-29 13:57:19 - Terry Zink's Anti malware Blog - The Australian has a good article describing the efforts some of their ISPs are making in an attempt to clean up their act: the government is encouraging ISPs to detect computers on their network that are infected and part of botnets, and to communicate to the customer that their system is compromised. Here's an excerpt:
"COMPUTERS infected with viruses could be 'expelled' from the internet under a new industry code to control Australia's plague of contaminated PCs. The federal government has given the internet industry an operate-or-legislate ultimatum to identify 'zombie' computers involved in cyber-crime. The Internet Industry Association - whose members include major internet service providers Optus, Telstra, Vodafone, AAPT, Virgin and Hutchison 3G, as well as industry giants Facebook, Google and Microsoft - is preparing a voluntary industry code to come into force this year. The move follows industry intelligence that Australia now hosts the world's third-highest number of 'zombie' computers infected with malicious software that can attack other PCs, send spam, store child pornography or steal the user's identity. A draft copy of the voluntary code says the ISPs should identify affected computers and try to contact the users, by phone or email. It proposes ISPs apply an 'abuse' plan to slow down the speed of the customer's infected computer, or to change the customer's password so they are forced to call the ISP help desk. Another action could be to 'provide the customer with a timeframe in which to take remedial access and, if this is not adhered to, terminate service'. The code states ISPs should cut off internet access only in the 'most extreme of cases', when a customer had refused to install anti-virus software, or where the amount of spam being sent from the customer's account was clogging up the network."
I like the part above that I bolded. It basically says that ISPs take action to coerce the end user into fixing their system. Unless the customer feels a little bit of pain, they will not change their ways. Having your password reset or slowing down a computer's speed (I assume it is the speed of their Internet connection; this is known as "throttling") will certainly get a customer's attention.
This line of thinking has been part of my own line of thinking recently as I have attempted to revamp our own outbound spam process. As I have been collecting requirements, one of my selling points has been that unless a customer feels some pain, they won't address the root cause of their spam problem. We fork our spam out through a different pool of IPs, and I find that there is an internal perception that this solves the problem of outbound spam for us. It doesn't. I want to go beyond the spam problem on our network and try to address the root cause: that the customer is part of an infected botnet, is running malware, and needs to clean it up. Unless they have an incentive to clean it up (such as us shutting off their outbound mail relay privileges), there is insufficient motivation to actually do it. Antispam zealots like me care about stuff like that, but average Joes aren't into it so much.
Thus, the Australian code of conduct resonates with me. Home users are probably going to be annoyed at being cut off, and many likely won't know what to do in order to clean up their systems. Still, it's a good start and may cause some degradation of the user experience in particular; it should raise the user experience (of the rest of the world) in general.</description><link>http://www.secuobs.com/revue/news/186602.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186602.shtml</guid></item>
<item><title>More on Google and the cyberattacks</title><description>Secuobs.com : 2010-01-27 20:28:27 - Terry Zink's Anti malware Blog - The Financial Times has an update on the cyberattacks that targeted Google last week and caused Google to threaten to pull out of China.
-----------------------------------------------------------------
Hackers target friends of Google workers. By Joseph Menn in San Francisco. Published: January 25 2010 23:47. Last updated: January 25 2010 23:47.
Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks, raising privacy concerns and pointing to a highly sophisticated operation, security experts said. Cybersecurity experts analysing the attacks said the hackers spied on individuals and used other sophisticated techniques, making them extremely difficult to stop. The disclosures come amid renewed alarm over cybersecurity after Google said it had been the target of a series of cyberattacks from China. The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent. "We're seeing a lot more up-front reconnaissance, understanding who the players are at the company and how to reach them," said George Kurtz, chief technology officer at security firm McAfee. "Someone went to the trouble to backtrack: 'Let me look at their friends, who I can target as a secondary person.'" McAfee discovered that a previously unknown flaw in Microsoft's Internet Explorer had been used in the attacks. Mr Kurtz said the attackers also used one of the most popular instant messaging programmes to induce victims to click on a link that installed spy software. Another element of the attack code used a formula only published on Chinese language websites, said Joe Stewart, a researcher for security firm SecureWorks. Mr Stewart also found that some of the code had been assembled in 2006, suggesting that the campaign had been not only well organised but enduring. The evidence pointed to a government-sponsored effort that only large spy agencies or perhaps some of the most advanced big companies could have withstood, experts said. China on Monday described accusations it was behind cyberattacks as "groundless". Sam Curry, vice-president of security firm RSA, said: "This is a loud message for the commercial world, which is 'wake up, this isn't all happiness and goodness and new business.' Doing business on the internet is as risky as sending ships through the Panama Canal."
-----------------------------------------------------------------
Okay, now I am confused. Is this a cyberattack on Google, or what? The way I read the article, the attackers figured out who the higher-ups were in the company (which means I am safe) and then figured out who their friends and social networks are. How they obtained this, I don't know. But get this: the hackers then compromised these social network accounts, hoping that they would click the links. Does this mean that the hackers went to all of this trouble to create a targeted spam campaign? That doesn't read like a cyberattack at all in which information is stolen or services are DOS'ed; it sounds like a spam run. But why would a spammer target a few employees at Google? Spam depends on sending out its garbage to tens, or even hundreds, of thousands of users. At the most, these hackers would get perhaps a few thousand people from a few higher-up Google employees. That the source code only</description><link>http://www.secuobs.com/revue/news/185981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/185981.shtml</guid></item>
<item><title>More Facebook spam</title><description>Secuobs.com : 2010-01-27 06:20:06 - Terry Zink's Anti malware Blog - This morning, I logged into my Facebook account to see what all of my various friends were up to. Is anyone having a birthday? I shall write on their wall some warm wishes. Is anyone doing anything interesting? Perhaps I could like their status. Does anyone have a clever wall post? Perhaps I can post a witty reply.
I logged in and looked at the notifications. One new friend request. "Hello, what's this?" I asked. "A new friend? Who could it be?" The one thing about Facebook is that whenever you get a friend request, there's always this momentary twinge of curiosity that is incredibly difficult to resist. I clicked on the Friends link to see who it was. I saw who it was and experienced several emotions simultaneously: confusion, disappointment, and intrigue. It was from some random woman that I had never met before who was standing in a seductive pose. The name was not a normal name; it looked eastern European. It took me about two seconds to figure out that this was probably a social engineering mechanism, an avenue for abuse. The first thing that entered my mind, after the fog cleared, was that this was going to be the basis of a blog post. I clicked Accept.
I then proceeded to check out her profile. She had about 40 friends and there were a bunch of postings on her wall. Her age was about the same as mine, born in the same year but a few months earlier. In her status, there was a message about checking out her website, so I decided to follow the link. I had an inkling of where it would take me, but decided to wait the 60 seconds while the page took an eternity to load (yep, in the world of the Internet, I consider 60 seconds an eternity). Well, the page loaded and much to my non-surprise, I was taken to a porn page. Not Japanese porn, just typical run-of-the-mill spammer porn, the type you would normally see in a spam message. I sighed, rolled my eyes, shook my head and closed the tab. I then went back and defriended the account.
I thought to myself: "It figures, Facebook is being attacked this way with spammers signing up for profiles, creating them and randomly searching for people through the Friend Finder." Well, at least it's nice to know that I was targeted in this way; I hope it's because I'm so well known in antispam, but the reality is likely that it was merely a chance occurrence. I should have reported the abusive account to Facebook. Oh, well, better luck/memory next time.</description><link>http://www.secuobs.com/revue/news/185707.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/185707.shtml</guid></item>
<item><title>Spam is solved, we can all go home now</title><description>Secuobs.com : 2010-01-26 07:34:31 - Terry Zink's Anti malware Blog - The NewScientist has an article on an interesting new antispam technique. Here's an excerpt:
"SPAMMERS' own trickery has been used to develop an 'effectively perfect' method for blocking the most common kind of spam, a team of computer scientists claims. Most of the billions of spam messages sent each day originate in networks of compromised computers, called botnets. Unbeknown to their owners, the machines quietly run malicious software in the background that pumps out spam. Researchers have now come up with a system that deciphers the templates a botnet is using to create spam. These templates are then used to teach spam filters what to look for. The system, developed by a team at the International Computer Science Institute in Berkeley, California, and the University of California, San Diego, works by exploiting a trick that spammers use to defeat email filters. As spam is churned out, subtle changes are typically incorporated into the messages to confound spam filters. Each message is generated from a template that specifies the message content and how it should be varied. The team reasoned that analysing such messages could reveal the template that created them. And since the spam template describes the entire range of the emails a bot will send, possessing it might provide a watertight method of blocking spam from that bot. To test their idea, the team installed a previously captured software bot onto a machine. After analysing 1000 emails generated by this compromised machine - less than 10 minutes' work for most bots - the researchers were able to reverse-engineer the template. Knowledge of that template then enabled filters to block further spam from that bot with 100 per cent accuracy. High accuracy can be achieved by existing spam filters, but sometimes at the cost of blocking legitimate mail. The new system did not produce a single false positive when tested against more than a million genuine messages, says Andreas Pitsillidis, one of the team. 'The biggest advantage is this false positive rate.'"
So, to summarize, a team of researchers downloaded and installed some software that flips a computer into a botnet. This bot then started spewing out spam and the team was able to capture the spam, analyze it, and then write spam rules in order to 100% target the spam run. All you have to do is download the malware, capture the spam traffic, and then use the traffic to build an antispam corpus of rules. In other words, it's the next step in doing what antispam vendors have been doing since 2002.
In case you can't tell, I'm not really all that impressed with this spam solution. Yes, it does have a 100% accuracy rate with no false positives. But how practical is it in real life?
1. You have to capture malware from every botnet. There are lots of different botnets out there, not just one. In order for this solution to be effective at stopping all spam, you would need to capture each type of malware and analyze the spam traffic from all of the botnets, not just a single one. Different botnets have different spam signatures.
2. You have to capture multiple versions. Malware from botnets, the more intelligent ones, are auto-updating. They periodically phone home and upgrade themselves. And they may not send out traffic in the same ways. You would have to ensure that the software that you have intercepted is capable of analyzing traffic from versions of botnets that send out spam differently.
3. Botnets do not just send out spam by themselves. Not all botnets spam. Some of them break CAPTCHAs set up by Windows Live (Hotmail), Yahoo and Gmail. And then, they send out instructions using those compromised accounts to spam from them. Thus, even if these botnets were intercepted in terms of traffic, they wouldn't solve the spam problem since botnets have multiple uses.
4. Botnet software is competitive. Some pieces of malware will erase other pieces of malware in an attempt to monopolize the botnet space. So, if you have installed one piece of malware, another piece can come and erase it. You'll be attempting to capture traffic that doesn't exist.
Still, this technique is a viable antispam measure if you can capture malware and install it; however, one would need to understand that it is but one tool in the antispam arsenal. It would have to be supplemented with other techniques like IP reputation and sender reputation. As to how practical it is, well, I can't comment on that because I don't understand botnet malware very well. But the idea is interesting.</description><link>http://www.secuobs.com/revue/news/185336.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/185336.shtml</guid></item>
<item><title>My new Best Buy $1000 Gift Card</title><description>Secuobs.com : 2010-01-22 22:17:53 - Terry Zink's Anti malware Blog - Yesterday, I was browsing through Facebook. I never really look at the ads on the right hand side of the page. Or rather, I should say that I never click on them. However, yesterday, my curiosity was piqued. There was an ad that said I had already qualified for a free (free!) $1000 gift card from Best Buy because I was a male of a certain age. I was intrigued. Being in the antimalware space and as someone who has fought spam for years, trying to combat these annoying gift cards that plague user inboxes, I decided to click on the link. Maybe these types of ads were a way to circumvent spam filters. Perhaps social networking is the next big thing for spammers targeting users. Well, perhaps not the next big thing since they are already doing it.
I clicked on the link, and here's where I was taken to: [image] "Yep," I said, "that explains it. All I have to do is enter in my email address, be bombarded by tons of offers every day for the next 50 years, have my address sold to plenty of other folks and there we go: a free $1000 gift card." As Milton Friedman said, there's no such thing as a free lunch. Still, I decided to read the official gift offer rules. How much was this free gift card going to cost me? Here are the terms and conditions:
1. I have to fill out a form complete with true and accurate information about myself. Fair enough.
2. I don't have to complete any Special Offer Surveys, but I do have to complete the Sponsor Offer Surveys. I have to complete 13 Sponsor Offer Surveys in order to get the gift card. And these Sponsor offers are presented to me after the Special Offer surveys. This is a little deceptive; I bet that most people will go to the first couple of surveys, get mentally fatigued and give up. "It's not worth the effort," they say. Of course, at this point, they have already handed over all of their details to the spammer, er, I mean marketer.
3. As I said, you have to complete 13 Sponsor Offers. Oh, and get this: sponsor offers may require you to sample and/or purchase products of interest. Examples are obtaining a loan or extending your credit (including credit cards), transferring a balance or something similar. This $1000 offer is starting to get more expensive than just the cost of time and being spammed for the rest of your life.
4. Once you have completed a transaction with a sponsor, you are subject to that sponsor's rules of termination and terms and conditions.
5. The sponsor has to provide proof that you have completed that Sponsor's offer. Man, if it gets lost in paperwork (who knows how that could happen?) you could be haggling for a while.
After reading through all of this, I can see that it's not going to be worth my time and effort to go through all of these steps. I mean really, 13 sponsor offers? And I have to buy stuff? I'll bet it will end up costing me a lot more than $1000 to extend my credit.</description><link>http://www.secuobs.com/revue/news/184587.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/184587.shtml</guid></item>
<item><title>How low can you get?</title><description>Secuobs.com : 2010-01-18 03:21:49 - Terry Zink's Anti malware Blog - A colleague forwarded me the following scam today: spammers taking advantage of the recent earthquake in Haiti. It sure didn't take them long to prey on people's emotions. Here's an excerpt:
-----------------------------------------------------------------
Human Relief Foundation, 755 Romford Road, Manor Park, London E12 5AW, UK. By now I'm sure you have seen pictures of the absolute devastation in Haiti. As many as 100,000 people could be dead. Survivors are sleeping in the streets among the dead, too afraid to go back into buildings. The people of Haiti need us now to survive, and they will need our help for a long time to rebuild. Human Relief Foundation (HRF) has launched an emergency appeal seeking a total of 120,000,000.00 to deliver assistance to families affected by the devastating earthquake that struck Haiti. Thousands are feared dead, with more than two million people affected and widespread damage. Critical services such as electricity, water and telephones have been affected. HRF appeals to the local, national and international community to come forward and donate generously whatever they can to the Haiti earthquake appeal - just as they did with the Tsunami disaster of 2004 and the Kashmir earthquake of 2005. Donations can be accepted in various ways; to make a donation contact Email: relief-care. Thank you for everything you are doing to help the people of Haiti. Rebecca Young, Care2 and ThePetitionSite Team.
-----------------------------------------------------------------
There's something particularly unethical about preying on the misery of the less fortunate and taking advantage of those who are genuinely concerned for the well-being of others. The Human Relief Fund is an actual organization (or it appears to be, after 5 seconds of research) but the drop box points to a spam site. This particular example of social engineering really is par for the course for spammers.</description><link>http://www.secuobs.com/revue/news/182625.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182625.shtml</guid></item>
<item><title>Google and the cyberattacks</title><description>Secuobs.com : 2010-01-16 20:00:41 - Terry Zink's Anti malware Blog - Well, we're barely two weeks into 2010 and already we have some interesting geopolitical stories about cyber security. In a one-two punch combination, Google this past week threatened to pull out of China, ostensibly over the issue of censorship. At the same time, they claim that they were the victim of a cyberattack in which the Chinese government attempted to hack into email accounts of anti-government groups. Stratfor (subscription required) has some analysis:
-----------------------------------------------------------------
On Jan. 12, California-based Google announced it was considering ending its search-engine operations in China, the world's largest Internet market. It also is a difficult market for foreign companies, especially those involved in media and information. China's restrictions on freedom of speech and its "Great Firewall" pose tough challenges for a business like Google, which has had a difficult time attracting Chinese customers as it competes with indigenous search engines like Baidu. Google's announcement came in response to frustrations over Internet constraints in China and a specific incident in mid-December, when an alleged cyberattack against the search engine resulted in intellectual property theft and stolen information on the e-mail accounts of two Chinese human rights activists. Google claims the attack originated in China and targeted 34 other American companies in Internet, finance, technology, media and chemical sectors. US authorities, including the National Security Agency, have taken a particular interest in the case, and US Secretary of State Hillary Clinton has called on China to respond to the allegations. The attack was linked to six different servers in Taiwan that are often used by hackers, especially hackers on the mainland, to camouflage their locations. The data was transferred from Google through a server at San Antonio-based Rackspace, a large Internet hosting company. The Texas server was hacked and disabled, and information on the two customer e-mail accounts was accessed, though it is unclear what intellectual property was actually stolen from Google. STRATFOR suspects that hackers were looking for more than just information on the human rights movement in China. If the mid-December cyberattack was indeed launched by, or with the consent of, the Chinese government, it was likely an attempt to gain some sort of corporate intelligence. STRATFOR has no direct evidence that the government was involved, but the sophistication of the attack leads us to believe it was coordinated by some entity with the capabilities of an intelligence organization. And we do know how skilled the Chinese government is in conducting such an attack.
-----------------------------------------------------------------
This attack illustrates once again the difficulty of tracing Internet attacks. You don't necessarily need government sponsorship in order to steal information, as last year's attacks on Twitter have proven. Without having more details about the cyberattack, it's difficult to say what exactly happened. But, I can speculate on some possible scenarios:
1. The Chinese government is looking to crack down on the human rights activists who use Gmail as their email software. Under orders from certain elements within the government, Chinese hackers used compromised servers in Taiwan to intercept packets from these accounts and relayed them offsite where the email messages could be decrypted and broken. It is difficult to say whether or not Taiwan was acting in cahoots with China. These two countries do not get along. Either the Taiwan servers were compromised due to poor security, or there are Chinese moles in Taiwan. Each is equally likely.
2. Baidu has links to people in government in China. Attempting to get a leg up on their competition, Baidu requests the government to get them some information (ie, source code) about how Google's algorithms work. Chinese hackers leap into action, steal data, and turn it over to Baidu. The Chinese government is only too eager to assist their native countrymen in getting a leg up on the competition, whose share of the market has grown from 18% to 31% since 2007.
3. Or maybe there is no connection. Perhaps some hackers decided to hack into Google and steal the information, and then later sell it to the highest bidder. Given the amount of tools available for free online, this would be a sophisticated attack but might be possible to pull off without state support.
It's difficult to say what Google's next move will be. Obviously, they would want to stay in China because that's where profits are and this might be a cost of doing business. Google is threatening to withdraw from China but it seems very unlikely that they would be willing to cede the country to Baidu (a stock I used to own, and it has popped up 80 points in the past three days and I wish I still owned it). In any case, cyber security is poised to affect the geopolitical scene once again in 2010.</description><link>http://www.secuobs.com/revue/news/182429.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182429.shtml</guid></item>
<item><title>An adventure in Peru, part 7: Finale</title><description>Secuobs.com : 2010-01-16 04:19:43 - Terry Zink's Anti malware Blog - This story is (mostly) fiction. But it's quite entertaining if you use your imagination. And who knows? It could have been true.
---------------------------------------------------------------------
If you've been following my story for the past few posts, you'll know that I was in dire straits. Somehow, a spammer who I tangled with a year ago had managed to track me down and fight me again, and had learned a few new moves in the meantime. He obviously had learned from before and was making his personal infrastructure more resilient. It was a lot like the McColo takedown in 2008: spammers were shut down for a few months but eventually responded by making their own infrastructure more resistant to takedown and much more greatly diversified. This spammer was following the same pattern. This guy had learned moves from the characters in Street Fighter II, something I had shown him a year earlier, and now he had stolen my moves. He was imitating me, a lot like a phisher imitating an actual financial institution. The parallels between video games, spam and real life were uncanny.
And now he was giving me a spinning pile driver, about to slam my noggin right through the concrete of Machu Picchu. I knew that I had only a split second to break out of the hold, otherwise I would most likely be done for. I was starting to get a bit dizzy from all of the spinning, similar to what happens when I go ballroom dancing and do moves that involve a heck of a lot of rotation. As the ground rushed up, I made my move. I pulled back my right leg a bit and then thrust my knee forward as hard as I could. I connected by hitting the spammer right in the nose. He grunted a bit but retained his grip. Unfortunately (for him), that grip loosened a bit, giving me just enough slack. I grabbed onto his waist with my hands and shoved myself up a bit so that my head would no longer be the point of impact on the ground. A split second later, I braced hard with my arms. He landed on the ground, coming down extremely hard on his posterior. Because of the now-existing gap, my head did not impact with the full force of his body weight. The impact was very hard and his body slammed down because of gravity. I felt the strain on my arms and tried to avoid hitting my head but couldn't. I didn't have quite enough strength in my arms to keep myself up in the air. I slipped a bit and banged my head slightly, giving myself a concussion as I would later find out. The spammer, however, was hurt. Landing on himself sent a shockwave of strain through his lower back and legs. "Aagh!" he shouted. He kind of rolled to the side while I blinked a few times and rubbed my head. The world was woozy but at least I was still alive.
I staggered to my feet, still holding my head. It was warm and gooey. I looked at it and I saw a red liquid. At the time it didn't quite register to me what it was but obviously it was blood. I straightened up and looked at the spammer. He was getting to his feet and looked even angrier than before. I then saw him pull out a knife. "Enough of this," he sputtered. "Come here." The knife looked like it was an imitation knife, like something he picked up out of his spam folder. It was at this point that I decided that I couldn't rely on any of my Street Fighter II moves. This spammer had studied me and knew the counterattacks. It was even likely that he had practiced on a few other anti-spammers over the past year in order to hone his skills (like the bad guy Syndrome in the movie The Incredibles). I was going to have to descend into my role as a former secret agent who was trained in secretive fighting arts.
The spammer closed in on me and swung his knife at me. The first time he swung at me, he cut me on my arm but I did not react. He then struck out at me a second time, but as he did I moved into him and enclosed his personal space. That caught him off-guard. I then went into a mental zone and kind of spaced out a bit as my body went into an automatic reaction. I extended my arms and closed them as quick as I could, smashing my hands over top of his ears and popping his eardrums. His eyes went wide, stunned by this sudden burst of output. I raised up my palm under the bridge of his nose and thrust upwards, pushing his schnoz into the top part of his forehead. I gave him a headbutt in his right eye, right where the iPod-shaped mark was, and then hit him four times in a row on his throat. He staggered backwards but I closed in and refused to let him get away. I kicked him in the knee and as he bent forward I grabbed him by the back of the neck and shoved his head down. At the same time, I brought my knee up, smashing his head into it. It did hurt my knee a bit but I didn't care. As his head came up I jabbed out my fist into the side of his jaw, grabbed him so he couldn't fall backwards and pulled him back, and then did the same thing. I then did it again. Blood was exiting his mouth. I let him go and he collapsed to the ground.
He turned back to me. "You can't win, you know," he sneered. "If you get rid of me, more will take my place. There are hundreds of us. And we can hide where you can't touch us. You cannot win." I paused. He was right. There were hundreds of spammers around the world, and they could hide. They were in cahoots with other malware writers and figures in the criminal underworld. And even if I took out one, others would take his place. There was nothing I could do to fix this situation.
At that instant, the spammer turned and he threw his knife at me from point blank range, 5 feet away. It flew towards me at a rapid pace, headed right towards my face. But at the last instant, I extended my right arm and caught it out of mid-air, only 1 inch from my eye. I looked at the knife, tossed it aside and then looked back at the spammer. His eyes were wide with fright. He knew that he had just used the last piece of leverage he had on me, hoping to distract me. I glared at him. "Get off my mountain," I growled. The spammer obeyed. He got to his feet, ran over to the side of the mountain and looked back at me. I started to run after him, but before I could catch him he jumped over the side of the mountain. I peered over the side and saw him tumbling down, down, down the side of it. His body bounced and jolted around in an unnatural manner, and eventually disappeared from sight. We were a mile and a half high, after all. [image]
I reached into my pocket and removed a Kleenex. I wiped my forehead, now realizing that the ooze on it was blood. I shook my head. "That's going to leave a mark," I said. I sighed and looked for my baseball cap which had flown off in the melee. I saw it about 20 feet away. I walked over to it, picked it up and put it back on. It stung my head a little, but I didn't want to be walking around with a big cut and bruise on my forehead. I climbed back down from the high point, glancing at my watch. We only had about 20 minutes of free time left. I walked around for a while and found my friend who I had been traveling with. I was no longer sorry for losing his iPod (I still haven't replaced it to this day). "What happened to you?" he asked, kind of motioning with his chin. I looked myself over. I was covered in dust and dirt and I had a couple of bruises on various parts of my body. I spit up a bit more blood and wiped my mouth. I then looked back at my friend. "Let's head back to the entrance," I said. "I want a refund." Me and this spammer would meet again one day. And next time we met, I would finish it once and for all.</description><link>http://www.secuobs.com/revue/news/182277.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182277.shtml</guid></item>
<item><title>Google's rocky relationship with China</title><description>Secuobs.com : 2010-01-15 22:50:37 - Terry Zink's Anti malware Blog - The following article is a reprint from Stratfor (subscription required). I am re-posting it here because it illustrates the difficulties that foreign companies have when attempting to make a profit in China. In case you are unaware, on Tuesday, Jan 12, Google threatened to pull out of China if they didn't start cracking down on cyberattacks against them that compromised users' accounts. I will get into that in a future post. -----------------------------------------------------------------
Google's Rocky Relationship With China. UNITED STATES SECRETARY OF STATE Hillary Clinton called on China Wednesday to respond to allegations that an advanced cyberattack originating in China had targeted US Internet company Google, resulting in intellectual property theft and stolen information on two Chinese human rights activists' email accounts. An unnamed Chinese official with the State Council Information Office said that Beijing is seeking clarification on the complaints and that it is not clear whether Google will stay or go. These statements come one day after Google surprised the business world by announcing it was reviewing its venture in China and might have to close operations if it cannot arrive at a deal that allows it to run its popular search engine without censorship.
Google, like many American companies, has had a rocky relationship with China. Since the days of Marco Polo, China has inspired Western countries with visions of prosperity and opportunity, and it continues to do so today. With a massive and rapidly urbanizing population and a rising middle class, China offers attractive markets, especially for companies that offer high-tech products and services that Chinese people cannot get at home. Once these companies arrive in China, however, they often find that the combination of a relatively small consumer market and high hidden costs (relating to a difficult regulatory and political environment) eats away at their profits, leaving them with far fewer earnings than they first imagined. On top of these problems, as STRATFOR has long argued, companies often face the threat of having their intellectual property stolen or their security compromised with the apparent complicity of Chinese authorities.
But the deeper problem for these companies arises from some uncomfortable truths about China's geopolitical situation. China has a massive population that is difficult to bring together under a single centralized power since it is divided starkly along ethnic, cultural and economic lines. Historically, Chinese governments have especially had trouble keeping the country together when faced with wave after wave of foreign influence, in other words, times like these. Of course, the Chinese economy needs foreign trade, investment and technology. But as Beijing opens up the doors and foreign enterprises generate new wealth, the imbalance between China's poor (mostly rural) masses and its wealthier urban elite begins to grow, and coastal provinces that are integrated into the international trade system develop interests at variance with those of the central government. Since China's central government cannot compromise on social stability and internal security, it tries to control foreign presence.
Chinese authorities view foreign information technology companies suspiciously because of these geopolitical interests. The flow of information, both within Chinese regions and between China and the outside world, has the potential to weaken Beijing's social controls. The Iranian protests in June 2009, and China's own Xinjiang riots in July 2009, served as recent reminders of this fact, and prompted China to block Internet services such as Twitter, Facebook and YouTube, to ensure they would not be used as forums to criticize the government. By many measures, Google falls into the same basket. Foreign businesses generally accept China's policies as a necessary evil to gain access to the country. But if an industry giant like Google should decide to jump ship, it sends a strong signal and may cause others to rethink whether China is more trouble than it is worth, at least for mobile information technology companies whose success depends on preserving their intellectual property. Regardless, Beijing's fundamental requirement stays the same: it must preserve a balance of social forces at home. Concessions are possible as long as this rule is observed. Otherwise, alienating foreign technology is a price that Beijing has paid before and is willing to pay again. -----------------------------------------------------------------
Source: Stratfor</description><link>http://www.secuobs.com/revue/news/182189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182189.shtml</guid></item>
<item><title>Another botnet taken down</title><description>Secuobs.com : 2010-01-15 05:33:54 - Terry Zink's Anti malware Blog - A few weeks ago, in the beginning of November, I posted a blog post about the highest number of spamming botnets that we see on our network. In roughly the following order, the worst botnets were the following: 1. Rustock, 2. Bagle-cb, 3. Cutwail, 4. Darkmailer, 5. Grum, 6. Donbot, 7. Bobax, 8. Mega-d, 9. Xarvester. I don't track these botnets every day, though I do collect the statistics. Every once in a while I take a look to see who's the worst, and it's usually Rustock. But lately, another botnet has exploded and often penetrates the top 3: the Lethic botnet. While I don't currently have the stats handy (I'm off work recovering from arthroscopic hip surgery due to that stupid spammer who attacked me in Peru), I do know that Lethic has managed to penetrate the number one spot for botnets on some occasions. It's not consistent, but it does do it.
Over the weekend, on Jan 10, 2010, the Lethic botnet was penetrated by the folks over at Neustar. Following that, spam from Lethic plummeted. Even on our own networks, we saw a massive drop in mail week-over-week on a Sunday, even though Sunday, July 3 was still in the holiday time. Indeed, we are still way below our general network averages for the months of December and early January prior to Jan 10. Similar to what happened to Mega-D last year when FireEye penetrated it, the botnet's command-and-control structure was infiltrated in order to take it offline. Disrupting these types of brain mechanisms prevents the botnet from sending out instructions to the worker nodes and sending out spam. Cutting off the head of the dragon pretty much kills it for a short time. Unfortunately, like Medusa's heads, these things keep growing back.
So, should there be more proactive action on the part of the antispam community to take out botnets? Should there be research into it? Funding? Should ISPs take the initiative to take their customers offline if they detect they are C&amp;C centers? It's difficult to say, but there is certainly no denying that going after the C&amp;Cs works better than almost any other technique. After McColo, botnets evolved to make their infrastructure more resilient. It's nice to see that the anti-abuse community is also evolving.</description><link>http://www.secuobs.com/revue/news/181871.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/181871.shtml</guid></item>
<item><title>Analysis of a spam message using extensive spoofing techniques</title><description>Secuobs.com : 2010-01-09 04:16:24 - Terry Zink's Anti malware Blog - Today, I came across a spam message pushing Asian porn. The body of the links contained a redirector from google.com.tw and Yahoo sites to the sites containing the payload. It's a pretty standard technique for spammers to exploit known trusted sites like Google and Yahoo in hopes of evading content filters, since the assumption is that a content filter wouldn't block on the domain yahoo.com, whereas it would certainly block on where the sites point to. I'm not going to go into that particular technique; instead, I will delve into the spam message headers and the extents the spammer has gone to in an attempt to mask his location. Below are the headers with some parts redacted:
Received: from VA3EHSMHS031.bigfish.com (unknown [10714247]) by mail182-va3.bigfish.com (Postfix) with ESMTP id 2BAEA1BA8052; Fri, 8 Jan 2010 15:33:08 +0000 (UTC)
Received: from S-Orangesky.Orangesky.local (62.253.203.138) by mail.bigfish.com (1079941) with Microsoft SMTP Server (TLS) id 14.0.482.32; Fri, 8 Jan 2010 15:33:07 +0000
Received: from 62.253.203.138 (125.110.109.119) by s-orangesky.orangesky.local (102103410) with Microsoft SMTP Server id 8.1.393.1; Fri, 8 Jan 2010 15:29:46 +0000
Received: from smfxv.yahoo.com (smfxv.yahoo.com [225.110.237.42]) by with Microsoft SMTPSVC(5.0.2195.6824); Tue, 12 Jan 2010 16:36:51 +0100
Message-ID:
Date: Tue, 12 Jan 2010 16:27:51 +0100
From: i i i iFw AV W a r ,DVD , e
Reply-To: D x C u n40 f I , w O
To:
Subject: LANDY P A
MIME-Version: 1.0
This can be a little hard to read, so let me describe the path this message purportedly took to get to the end user's inbox: 1. The message originated from a Yahoo web server somewhere. This is evidenced by the fact that the Message-ID contains a yahoo.com portion and the From address points back to a Yahoo email alias. 2. It arrived at a home user's computer in China, on the ChinaNet Telecom ISP, where 3. It was forwarded along to a computer running in the corporation OrangeSky's network, where 4. It was forwarded along to mail servers that our network is running in order to get back to the end user. Below is a diagram of the path. [image]
Of course, that is not what actually happened, nor is it the route that actually occurred. There is a whole heck of a lot of spoofing going on; below is an analysis of what is wrong with the above headers and how much effort the spammer has put into hiding his location.
1. To begin with, the spammer claims that the originating mail server's HELO and reverse DNS is smfxv.yahoo.com. This domain does not actually exist in DNS (i.e., it has no A-record), nor does the reverse DNS of the IP 225.110.237.42 point to smfxv.yahoo.com; i.e., Yahoo didn't accidentally set up a domain with no A-record that does have a PTR record for a particular IP.
2. The IP address 225.110.237.42 is reserved for the Internet Assigned Numbers Authority (IANA). It does not send out email. Combining this and the first point, the originating header (i.e., the bottom one) is forged.
3. When the spam message eventually gets to our servers, it comes from the IP 62.253.203.138. However, when it (purportedly) comes to the infected server from the Chinese computer, it HELOs as that same IP address. In other words, it HELOed with the IP address that it was eventually going to send out from. Whether or not this ChinaNET Telecom Received header is forged is hard to say, since the time stamps look about right.
4. This IP address that it HELOed as is the (static) IP address of the sending IP that would eventually connect to our servers. However, the internal server that received the message was 102103410. In other words, it ignored the internal IP of the server that received it and instead mapped it to the eventual public IP.
5. The name of the internal server is the same as the HELO string of the spam message. This means that the spamming software had to get the host's internal name and store it for sending out the spam message. This internal name is (likely) correct because this was an outbound spam message and the name of the company is contained within the HELO string.
Of course, both this point and the previous point occur in headers that cannot necessarily be trusted. However, it does illustrate the depths that the spammer will go to to hide where he is located, by either including confusing information, or having access to information in order to make himself look more legitimate. Below is a diagram containing what I just said. I think it's clear that OrangeSky has a problem on their system and it's probably infected with a piece of malware that is able to harvest the name of the internal host as well as figure out what the public outbound IP will be when it eventually starts spamming. [image]</description><link>http://www.secuobs.com/revue/news/179825.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/179825.shtml</guid></item>
<item><title>An adventure in Peru, part 6: The Showdown</title><description>Secuobs.com : 2010-01-08 00:00:36 - Terry Zink's Anti malware Blog - This story is (mostly) fiction. But it's quite entertaining if you use your imagination. And who knows? It could have been true. ---------------------------------------------------------------------
Continuing on from my previous post (which I last wrote two weeks ago; where have I been?), I was facing a showdown at Machu Picchu in Peru with a spammer that had tried to kill me a year earlier when I visited China, and had tried to kill me a couple of times already on the trip. We were standing toe to toe, noses inches away from each other. He was glaring at me, intending on taking me out (again). I was a little annoyed that he kicked my fingers. "How did you find me?" I asked. I was actually curious how this douche bag managed to track me down again. "Well, let me tell you," he explained as a slow grin crept across his face. "I added your travel companion as a friend on Facebook. He had no idea who I was when I made a Friend request, but he added me anyways." I rolled my eyes; that sounded like something my friend would do. "I then watched all of his Facebook status updates, which are where you were going to be located at any given time. Ha, ha, ha!" Something in this did not add up. "But how did you even know we were friends?" "You two stopped at a hostel on your first day in Peru. This is South America, and keystroke loggers are a serious problem down here." I thought back to the Microsoft Security and Intelligence Report, version 7, of which I am credited as an author. The number one piece of malware in Brazil in 1H2008 was the Bancos worm, which is a keystroke logger and password stealer. "He logged into his account on an infected machine, sent a bunch of emails that mentioned your name, I stole his credentials and I was able to put the pieces together." What the heck? My name was mentioned and he connected all the dots? My friend probably mentioned things like "terry", "zink", "super", "awesome". Was he intercepting all of my friend's emails? Does this guy sub-contract out for the NSA? And why was I friends with a guy who was so security unconscious? Was he secretly a member of my family? It was clear that as a hero in the anti-spam community, I was going to have to watch my back a bit closer (or have someone watch it for me).
"But enough of this!" he shouted. "Time for you to die!" He then took a swing at me with his right hand. I ducked. He swung with his left and I ducked again. He then threw out a jab straight at me and I dodged to the side. He did kind of a side kick and I jumped over it, landing square on my feet. I then counterattacked. I gave him a roundhouse kick to the head. Or, should I say, I tried to. You see, in October 2008 I had surgery to correct some torn cartilage and bone spurs in my left hip. The cartilage is fixed but I still have a slight bony protrusion on my hip bone, so I have bone rubbing up against bone in my left hip and when I move it in certain ways, it causes pain. This roundhouse kick that I attempted caused extreme pain due to the angle that I was rotating my leg. I felt it in my hip and the pain shot all the way down through my leg and up to my shoulders. I couldn't finish the kick at all; it kind of died partway through and I caught the spammer in the side of the shoulder rather than a good boot to his noggin, and the impact wasn't very hard at all. "Aargh," I groaned as I pulled my leg down and put my hand on my hip (inside of my hip) and closed my eyes for a split-second. Unfortunately, that was all the time that the spammer needed.
Now, as an anti-spammer, when I get into a battle with my mortal nemeses, I gain the ability to fight like the characters from Street Fighter II. Yet somehow, this spammer also gained these abilities as he started to fight like the character Zangief. Certainly not the most playable character, but definitely my favorite because of all of his neat wrestling moves. [image] The spammer thrust his hand under my shoulder, lifted straight up and then slammed me down in a modified choke-slam hold (think of the Undertaker from WWE, except with the hand under my shoulder and not my throat). I hit the ground with a thud, landing on the upper part of my back, and I rolled a bit. I grunted when I hit the ground, wondering where he learned that move. At this point I was starting to get angry. I got up quickly and turned to face him, but as I did he hit me with a spinning clothesline. I flew backwards again and banged my head against the ground. I wondered if I had a concussion because that hurt and I got a little dazed. For a split second, I literally saw stars in front of my eyes and temporarily lost my vision. I realized that I was going to have to bring out some of the big guns. I recalled back to the previous year when my Street Fighter II skills saved me from this guy. I did a backwards somersault, rolling onto my feet, and shouted "Ha-do-ken!" and thrust my hands forward. I didn't realize that he was so close to me when I did that; he had been closing in on me while I lay on the ground for the split second that I did. However, a fireball erupted from my hands and moved towards him at a rapid speed (I used the strong punch when I did this). It whirled towards him, but just as it would have connected, he did another spinning clothesline and the fireball passed right through him, doing no damage. "Oh, not good," I said.
He was close enough to me now, and the fact that I was slightly taken aback didn't help matters much. He grabbed onto my hands and yanked me close into him. "Want to know where I learned these moves?" he shouted. "Not really," I replied quietly, not wanting to give him the satisfaction. He grunted a breath of hot air into my face. "I trained all year!" he shouted. "I learned from our last battle!" What an ironic coincidence, I thought. I had made no attempt to improve my skillz since the last time we met. At this point, he took me, somehow flipped me upside down and jumped high into the air, rotating as he did so. Uh-oh, I thought, this is a spinning pile driver. If he connected with this, I would be in a serious world of hurt and he would be able to finish me off with relative ease. Yet I saw no way out of the move. Would this be the end of me?</description><link>http://www.secuobs.com/revue/news/179379.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/179379.shtml</guid></item>
<item><title>Into the wild, wild west</title><description>Secuobs.com : 2010-01-01 04:03:03 - Terry Zink's Anti malware Blog - Remember way back, in summer of 1999, when Will Smith and Kevin Kline starred in the movie Wild, Wild West? If you don't remember, that's fine, because the movie really sucked. According to the Wikipedia entry, Will Smith turned down the role of Neo in The Matrix in order to star in this one. Ordinarily, I'd say that was a pretty poor career decision for Smith (in a sarcastic tone), but he's bounced back incredibly well from that bad selection. [image]
Anyhow, over here in Forefront Online, our customer base continues to evolve. One of the projects coming up is that of shared IP space. That's when we have a customer that connects to us and delivers mail downstream to their customers. An example would be an ISP. For inbound mail, this isn't a big deal. Filtering mail inbound and delivering to its destination makes no difference to us whether it's going to them direct or if it's going via some other filtering service (a downstream filtering service from us would certainly have some issues, though). However, where this does become a big deal is when these same customers attempt to use us to send outbound mail. Then it becomes a really big issue. How so, you ask? Well, I'm glad you posed the question.
If a customer is sending outbound mail through us directly, through no proxy, that's easy for us to detect. We can block the customer's offending email alias or, if the problem is widespread, we can disable the one customer directly and affect none of our other customers. However, if the customer's IP space is shared, it becomes a different ball of wax. The reason is that we do not necessarily know who all of our shared IP customer's customers are. If we were to cut off the shared IP customer, then all of their customers cannot send email anymore. This becomes a serious issue for them because all of them are impacted. To make matters worse, we don't really know who all of our customers are who are in this scenario, since it is relatively new for us. We have to build up this list of IPs on the fly. So to sum it up: we don't know who uses shared IP space, and even if we did, we don't know what domains belong to the ones using shared IP space. That's why I use the analogy of the wild, wild west. This is uncharted territory. How do you provide a very high-quality user experience when you don't have all of the necessary information required to maintain it? The rules that we have defined over the past 18-24 months are not applicable anymore.
So, the bad news is that our evolving customer base and complex customer scenarios will make it much easier for spammers to relay spam through us. The good news is that they will have to go through me to do it. And I hate spam (so much).</description><link>http://www.secuobs.com/revue/news/177291.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/177291.shtml</guid></item>
<item><title>The Top Ten Spam, Malware and E-Security Stories of 2009</title><description>Secuobs.com : 2009-12-31 22:58:14 - Terry Zink's Anti malware Blog - All Spammed Up has a nice little summary wrap-up of the year 2009. I have my own summary; it is a condensed version of an article that will appear in next month's edition of Virus Bulletin. There are a lot of stories that could have gone into this that I had to cut, like Canada's (near) passage of an antispam bill, ICANN's decision to release more gTLDs, the abuse of URL shortening services and Geocities going the way of the dodo. But in the end, I think that the following stories are a good reflection of what happened in 2009 in the world of cyber-security.
1. Come together, right now. Conficker is a piece of malware that appeared in late 2008, and initial patches for it were released even then. But the story of Conficker didn't heat up until 2009. The story is noteworthy not because of the impact of Conficker, which in itself was large; instead, the story is important because of the way the industry responded to the problem. In January 2009, representatives from various security companies, along with the anti-botnet Shadowserver Foundation, met together and designed a strategy to counteract Conficker, forming the Conficker Working Group. One month later, the group had a plan to register as many domains as possible and assign them to a sinkhole, a server designed to capture and analyze malware traffic. The fight against Conficker is not over; however, it does illustrate the fact that people working together can make a difference in the fight against malware.
2. Why can't I tweet today? In August, users of Twitter discovered that their favorite 140-character messaging service was offline and unavailable. "What's going on?" they asked. "People need to know what I had for breakfast!" It turned out that it was a co-ordinated Distributed Denial of Service (DDoS) attack against a number of social networking sites including Twitter, Facebook, LiveJournal, YouTube and Blogger. But whereas the other sites were able to repel the attacks, Twitter was not. Analysis revealed that it appeared to be a targeted attack on one particular blogger by the name of Cyxymu, or Сухуми (Sukhumi), which is the capital of the Georgian breakaway region of Abkhazia. In the 21st century, politics and cyberattacks are very closely intertwined. But August's Twitter attack wouldn't mark the last time that hacktivism would make a splash on the political scene in 2009.
3. The shutdowns continue. The top story of 2008 was when an ISP based in California, McColo, was taken offline after a story. Almost immediately after the shutdown, global spam levels plummeted. 2009 also had its share of ISPs taken offline. In June, the United States Federal Trade Commission filed a motion of complaint to have Pricewert LLC, an American ISP, taken down. In August, Latvian ISP Real Host, responsible for botnet command-and-control centers, was similarly disconnected. But the major story of these two disablements was not how much spam decreased, but how little impact this had on global spam volume. The short-lived elation of seeing McColo removed has now worn off to the grim reality of knowing that spammers are coming back more resilient than previously known.
4. The Little Empire Strikes Back. In November, the small security company FireEye was able to disable a botnet that at one point was responsible for perhaps a third of the world's spam. Security researchers from the company analyzed the workings of the huge botnet, known as Mega-D (and sometimes Ozdok), and managed to infiltrate its command-and-control structure. They were able to send a new set of instructions to all of the zombie hordes that make up the Mega-D botnet. After doing this, spam from Mega-D slowed to a crawl. FireEye had succeeded. Not bad for a little guy.
5. Colonel Mustard in the ballroom with the candlestick. Over the 4th of July weekend, Americans were celebrating their extra day off with backyard barbecues and fireworks. However, for various government employees, the hamburgers and potato salads would have to wait. That weekend, a large-scale DDoS attack hit the Federal Trade Commission, the US Department of Transportation and the US Treasury. The US Secret Service, Department of Homeland Security and the State Department were also hit. So were several government websites in South Korea. So who was behind these attacks? Shortly after they occurred, South Korean officials blamed North Korea, or at the very least, pro-Pyongyang forces. North Korea, of course, did not confess to anything and denied involvement. What obfuscates the problem is that it need not be government sponsored. It could have equally been the work of pranksters or industrial spies. Did the North Koreans do it? Maybe they did, maybe they didn't. But perhaps the US and South Korean governments need to join up with Twitter and form a support group.
6. The Long Arm of the Law. 2009 saw some pretty heavy hitting in the legal arena in the spam world. In June of this year, spam king Alan Ralsky pleaded guilty in a stock fraud case where he pumped up Chinese penny stocks. He did not get off easy. In November of 2009, he was fined $250,000 and sentenced to four years in jail. Many anti-spam advocates doubt that this is enough. Across the ocean, another spammer was also hit with a huge fine. In November, the US Federal Trade Commission fined Lance Atkinson $15 million. Atkinson is thought to be behind the spam affiliate Affking, the folks who bring you such delightful products as the Canadian Pharmacy's cheap drugs and Herbal King's wonderful line of weight loss pills. Even Facebook got into the game this year. In October, a judge in San Jose, CA, awarded Facebook a $711 million judgment against alleged spammer Sanford Wallace. So, while in general spammers do get away with what they are doing, sometimes it does catch up with them. And we, in the antispam and eSecurity community, can enjoy a little bit of schadenfreude, if only for a little while.
7. Black SEO. One of the biggest trends in spam over the past two years has been Black Search Engine Optimization, or Black SEO. 2009 was not the year it started, but it certainly was the year in which it really accelerated. Black SEO comes in two main flavors: 1. Malvertising: this is when sponsored links at the side of the screen in search engines come up, and they are links to malware (which you have the honor of paying for if you so desire). 2. Page Rank Optimization: this is when a spammer uses various sundry techniques to get his spammy pages near the top of a search result, such as when a user searches for "Jessica Biel". Of course, there is no "Jessica Biel" there, but instead a spam landing page. Black SEO in each flavor destroys the confidence of the end user. As spam became less profitable except to the elite spammers, they moved onto other techniques, and Black SEO is the growth industry of 2009.
8. Going rogue. The story of rogue antivirus software is not new to 2009. It has been going on for a while. What makes the story of rogue antivirus software so newsworthy for 2009 is that it is still a big problem and is getting worse. As spammers have started encountering more difficulty in spewing out spam, they have shifted gears and moved into other avenues of deception. Social engineering is the tactic of choice to accomplish this. Two of the primary emotions that are targeted are the same as the ones that drive the stock market: fear and greed. One example is for spammers to spoof a well-known piece of software such as Microsoft's Windows Security Center (see screenshot below of FakeXPA). The user, recognizing Microsoft's splash page reminding them that they have no anti-virus protection, can't resist the lure of cheap or free software to protect them from the nefarious world out there. A few clicks later and a botnet is born. Not good. And not improving much, either. [image]
9. Microsoft Security Essentials for free. Long criticized for its insecure software, or rather, the perception of insecure software, Microsoft made a splash into the home user market by releasing Microsoft Security Essentials, a free antivirus software program for registered users of Windows. What makes Security Essentials different is that it is free; the company now offers services for anti-spam and antimalware, putting it on par with other traditional security vendors such as McAfee or Symantec. In another post, I have recommended this software as I use it personally. If you aren't running something out there, and you have a legitimate copy of Windows, seriously: use this.
10. Lots and lots of hacktivism. In October, the technology blog Neowin had an unusual article posted: it was a large posting containing approximately 10,000 usernames and passwords belonging to Hotmail users. Many theories floated about. Whose usernames are these? What were they used for? What complicated the problem further was that Yahoo Mail and Gmail (Google Mail in Europe) accounts were also compromised, with various user accounts from those services posted. While some hacker somewhere broke into a bunch of people's email accounts, in December, another news story broke. A hacker had broken into a server used by the Climatic Research Unit (CRU) at the University of East Anglia in Norwich, England. The hacker stole and disseminated over a thousand emails and other documents that were compiled over the course of 13 years. To the skeptics, the emails and documents are proof that the scientists who assert that global warming is real engaged in a massive conspiracy to hide or manipulate data in order to support their conclusions. To the proponents, the emails were used out of context. The fallout from all of this is entirely political; the emails can mean different things to different people. It does drive home the point, though, that we need to be careful what we say lest those with a certain set of computer skills do something to us.
So that's the way I saw 2009. Make sure you stay tuned to this blog when I do the 2010 end-of-year wrap-up.</description><link>http://www.secuobs.com/revue/news/177238.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/177238.shtml</guid></item>
<item><title>Speaking of viruses</title><description>Secuobs.com : 2009-12-30 00:42:07 - Terry Zink's Anti malware Blog - I haven't been that active on this blog in the past few days because I've been fighting off a real cold virus. Ugh, sick over Christmas. Not pleasant. But fear not, the story of me vs. the spammer shall complete by year's end.</description><link>http://www.secuobs.com/revue/news/176547.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176547.shtml</guid></item>
<item><title>An adventure in Peru, part 5</title><description>Secuobs.com : 2009-12-24 08:22:24 - Terry Zink's Anti malware Blog - This story is (mostly) fiction. But it's quite entertaining if you use your imagination. And who knows? It could have been true.
---------------------------------------------------------------------
Continuing on from my previous post, I was in a pretty tight spot. There I was, hanging over a ledge by my fingers, gripping on for dear life. Standing on top of the ledge was a guy who was attempting to kill me (at least I thought he was attempting to kill me; if he wasn't, he sure had a funny way of showing it). The pain in my fingers throbbed. It was a sharp, piercing pain that pumped more agony through them every time my heart pumped a beat. And, because I was kind of panicking because I thought I could end up dying in the near future, my heart was beating faster than normal. This was not exactly the best combination. I forced myself to calm down and try to come up with a plan on how I was going to escape this dilly of a pickle that I was in. I looked up at my attacker. He looked back down at me, and grinned. He then crouched down. He glared into my eyes, and I saw the face of pure evil.

"Remember me?" he asked.

I looked back at him, studying his face. "No," I answered.

He seemed a little taken aback by that. He got a little closer. "Are you sure?" he asked again.

I paused and examined him a little closer, trying to go through my memory banks. Nothing immediately came to mind. Of course, given the fact that my brain was going a mile a minute, I think I could be forgiven for my lack of memory recall. "Nope," I replied again. "Nothing rings a bell."

He grunted again and looked rather annoyed. He got down even closer to me. "Look closer," he ordered sharply. "Think."

Even though he held a precarious position against me, I was in no mood to play these mental mind games. What did he want me to do, log in to my Facebook account, scroll through all of my friends' photos and see if he was tagged in any of them?

"Look, moron," I said, probably not picking the best choice of words since that would likely aggravate him, "I don't remember your ugly face from anything. I usually try to purge unpleasantries such as your visage from my memory banks. I highlight them, click delete, and then empty my mental Recycle Bin." I was rather proud of myself for coming up with that clever analogy while under tremendous psychological pressure.

He snorted and shook his fists and put his face mere inches from mine. His fists were shaking from anger and his face was turning red. "I'm the one you threw over the Great Wall of China last year!" he shouted at me.

I was taken aback slightly. I studied his face one more time and then it clicked for me. That was the same guy who had tried to kill me last year when I visited China. He was a spammer that was very angry at me for shutting down his business and tried to take me out when I visited the great eastern empire. He attacked me on the Wall but I prevailed in a very heated battle.

"Well, I'm sorry if I don't remember you," I started. "Obviously, to you that was a very important event. You came after me after I managed to put a stop to your lifestyle and put a significant dent in your earnings. You obviously trained for a long time to defeat your arch-nemesis but failed to accomplish that task as you were bested by the better man. This clearly made a substantial emotional impact on your psyche." I paused to catch my breath. "But for me, it was a Thursday." I dismissively waved my hand and broke eye contact.

Well, that set him off, because his eyebrows dropped down sharply, his eyes widened, his nostrils flared, the muscles in his neck tensed, his lips curled, revealing his teeth. He was madder than a yak in heat. "Now I am going to finish what I started last year!" he shouted again. He raised up his fist to strike me down.

"Wait!" I yelled back. He stopped ever so slightly, and that's when I moved in. "What's that on your wrist?"

He was caught off-guard. "What, this?" he said. "It's a Rool-ex," he explained.

"A Rolex?" I asked.

"No," he said, "a Rool-ex. Finest imitation Rolex." He seemed rather proud of it.

"What time is it?" I interrupted him from continuing.

"Wha?" he asked.

"The time."

He glanced at his watch. "Why, it's..." I broke in again.

"It's time for me to kick your a**!" I shouted. With that, I gripped onto the little rock I was holding onto as tightly as I could. I then lifted my knees in close to me, brought them up against my chest and pushed my feet flat against the side of the ledge. I then kicked out as hard as I could. Because my hands were still clasped firmly to the rock, my hands and arms acted as a pivot around which I could rotate, and rotate I did. I pushed off at great speed from the side of the cliff and rotated off the side of it until I was vertical and slightly angled over the ledge. I then let go with my hands, continued soaring upwards and then pivoted in midair. I twisted my body and oriented myself as gravity took over. I landed on the ledge, face-to-face with the spammer.

"Impressive," he said, "most impressive. But it will not save you."

I glared into his eyes and saw hatred spewing out of them. I then uttered these next totally awesome words: "One of us will not be walking out of here. Let's roll."</description><link>http://www.secuobs.com/revue/news/175513.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/175513.shtml</guid></item>
<item><title>Malware infection update</title><description>Secuobs.com : 2009-12-23 22:13:05 - Terry Zink's Anti malware Blog - Well, I finally got my other home PC (the one in my parents' place) cleaned up from all of the infections. I backed everything up to an external hard drive, formatted the computer, scanned the external drive and cleaned it, reinstalled Windows XP (SP2), installed AVG and Microsoft Security Essentials, found more malware, cleaned that, and finally proceeded to delete all of the old files. I still have to clean up my brother's laptop. I am not looking forward to that as it is an older laptop (c. 2000). He's transferring files between the two of them, which explains why I continue to find malware infections on the one I just spent the better part of two days cleaning. When I first formatted it and reinstalled Windows, I was unable to install Microsoft Security Essentials. Instead, I had to install (the free version of) AVG. When I got all of the updates from Windows Update, then I was able to install MSE.

So which one do I like better? I much prefer MSE for two reasons:

1. It is smaller: it consumes less disk space and less system resources. When I uninstalled AVG, I noticed a definite performance boost to my system. It's already kind of slow, so anything less in memory is better.

2. It works better: I did a full system scan of the computer with both AVG and MSE. MSE found infections that AVG did not. Furthermore, I found MSE a little easier to configure than AVG.

Now, I know I am biased because I work for Microsoft, so obviously I am going to push MS products. That is not the case, however. There are a number of products that I use for which Microsoft has an equivalent piece of software and I prefer the competitor. For example, I prefer Firefox to Internet Explorer (sorry, IE team). I prefer Google Talk to Live Messenger (because it is smaller and cleaner). I prefer Thunderbird for my personal mail to Outlook. However, there are many other instances where I prefer MS software. I very much prefer Outlook for my business mail. I prefer Office to any other equivalent software out there from any other company. I prefer Bing to Google (including the maps). The whole point of this is that I am not biased, I go with the ones I prefer.

So, the point is that I quite like MSE. I've now gotten experience using it personally and I can recommend it. Now if only I could get my brother to stop installing rogue A/V.</description><link>http://www.secuobs.com/revue/news/175413.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/175413.shtml</guid></item>
<item><title>Has my family learned nothing?</title><description>Secuobs.com : 2009-12-21 12:30:57 - Terry Zink's Anti malware Blog - Regular readers of this blog will know that I have sometimes referred to myself as Jack Bauer. I do this for a couple of reasons:

1. Some days I am so busy that I am doing something every hour of the day with no rest in between, a lot like an episode of 24. I call these my Jack Bauer days.

2. Sometimes I cut through the bureaucracy in an attempt to get results.

3. I like the TV show 24.

I am currently back in Canada and I am staying at my parents' place. They have a number of computers: a new Dell laptop, an older Dell PC (circa 2004), and my brother has my old laptop from back in 2000. The older PCs run Windows XP SP2 while the newer laptop runs Windows Vista. The older Dell PC is pretty much unusable. It has a ton of malware on it. My brother keeps a bunch of data on USB sticks and transfers between the older PC and his even older laptop. I decided to scan his various USB drives and see if they were infected with any malware. Well, they were. I took one drive and stuck it into my laptop and scanned it with my Forefront Endpoint Protection (shameless plug, but it is a good product). The one USB drive had 1400 files infected with malware (fourteen hundred, that's no typo) and over 75 distinct malware infections! I gasped. I could not believe how much malware was on that thing. Here I am, a computer security expert who preaches about the need for antimalware protection, and my own brother is infected like the dickens. I have clearly failed in preaching my message to the people closest to me. I cleaned up the memory stick and did the same thing with the other three. The Dell PC is pretty much useless. My plan is to back up all of the data onto an external drive, clean it on my laptop, format the hard drive of the PC and then copy everything over. I'm then going to install Microsoft Security Essentials. I cannot download anything like that now and clean it because I cannot connect to the web. It's way too slow and unusable, and Internet browsers (neither Firefox nor IE) work. The older laptop does not connect to the Internet (I don't have a network card for it, and who uses dial-up anymore?) but I should get that thing formatted, too.

Remember back to 24, season 5 or 6, when it turns out that the hero of the series, Jack Bauer, has a brother? And it turns out that his brother was a villain? The antithesis of Bauer? That's kind of how I felt, me being the anti-spam/malware crusader yet having a brother who is unaware of the security risks he posed.

I did a little bit of digging and it turned out he fell victim to rogue A/V: a popup that says that their PC was vulnerable to infection and that they should download protection for their system. And of course, wanting to keep their system secure, they were tricked. Fricking malware writers!</description><link>http://www.secuobs.com/revue/news/174505.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174505.shtml</guid></item>
<item><title>An adventure in Peru, part 4</title><description>Secuobs.com : 2009-12-18 04:04:31 - Terry Zink's Anti malware Blog - This story is (mostly) fiction. But it's quite entertaining if you use your imagination. And who knows? It could have been true.
---------------------------------------------------------------------
After a couple of days of non-incidents, my guard was still up. But on Saturday, November 28, I was about to achieve one of my life-long dreams: visiting the lost Inca city of Machu Picchu.

Machu Picchu is an amazing place. First built around 1450, it was undiscovered by the Spanish during their conquest of South America. Yet, only 100 years later, the Incas abandoned it. It is unknown why they did this. As I toured Machu Picchu, it was pretty clear why it was never discovered. Its altitude is a mile and a half high and it is out of the way. It is easily defended. And other than the stone buildings, I'm not sure why the Spanish would want the city as there was no gold to loot.

Machu Picchu is a village of stone, housing (in its heyday) approximately 700 people. One of the cool things about it is that the stone tablets out of which the walls are built have no mortar between them. The rocks are cut perfectly fine. But not only that, they aren't just square slabs of rock; instead, many pieces have multiple shapes and angles (and corners), indicating that they spent a heck of a long time carving these things out.

I spent a good amount of time wandering throughout the city, snapping photos and shooting video. The tour guide was humorous and he spoke English (always a relief; why is it that the language of computers is English but the language of the rest of the world is not?). I went through the various stone houses, saw the sculpture of the condor and saw the King's room. It's an absolutely amazing city and I recommend that everyone check it out one day, if you can. It was the highlight of my trip.

Well, not everything associated with Machu Picchu was a highlight. After about 2 hours, the group disbanded and we were given free time to explore the premises. My friend, who was still a little miffed at me for throwing his iPod into Lake Titicaca, decided to split up from me and take some pictures at another part of the grounds. I, on the other hand, decided to show off (for no one in particular) by climbing a high part of the city that was up on a hill. I wanted to see the high building at the top. Surely if something was built that high up, there had to be something worthwhile seeing, wasn't there? That was my theory, anyhow.

Now at this point, the crowds had dispersed from that part of the city. There didn't seem to be anyone up there anymore. Machu Picchu has tons of tourists and that was something I didn't like so much. But I figured that the Peruvians had to milk their capitalism for all it was worth, and if people were willing to pay to get in, who was I to disagree? I told my friend I'd see him later and started going up a very high series of hills. I didn't think he would be able to keep up with me, what with the altitude and me being a super-fit specimen of humanity and everything. It took about 20 minutes to get to the top of the hill. By that point, I was kind of tired and I needed a rest but decided not to take one. I was too proud of myself for getting to the top without stopping. But at the top of the hill, while it looks like a series of steps from one side, on the other it is a pretty sheer drop down. If you were to fall off of there, you could suffer a pretty severe injury. I walked around a bit and kind of stretched out from side to side and peered down. I'm not good with heights, not after my accident in Fiji a couple of years ago. I leaned up against the wall, hummed a tune of some sort for some unknown reason, and then went to peer over the side again. "Whoa, too high," I said, and started to back away. A misstep there would spell the end of me. I took one step back, and then a second, when I heard a noise to my left. I turned to look to my left and saw a pebble rolling further away from me. It had clearly been tossed from the other side of me. Suddenly, I felt a huge thud plow into me, sending me flying forwards. In that instant, I knew that the pebble had been tossed to distract me, in order to misdirect me away from looking back and to my right.

"Oof," I grunted, not exactly sounding particularly clever. The force of the impact hurt; I felt it in my shoulder and right hip, and the throbbing pain caused by the impact was causing me to lose my focus. But that wasn't the worst part. The crash landing into me caused me to stumble forward right to the edge of the cliff. I was trying to stop myself but it was no use; I had lost my balance and had flown through the air a little bit. I tumbled over the side and began to panic. Would this be the end of me? I flailed my arms out to the side as I sailed over the edge of the cliff. I fell for what seemed like an eternity but in reality was only one second, because beneath the edge of the cliff, there was actually a small step-pattern ledge right beneath it. I landed on that, kind of grunted again and rolled. I hadn't seen it earlier because I didn't want to get too close to the side of the mountain. Now that I was rolling off of it, my momentum was carrying me forward and this time, I knew for sure that if I couldn't stop myself I would definitely plunge over the side, most likely to my death. I tossed out my arms as I started skidding over the second ledge. I felt my feet go over, then my torso and then my chest. I was starting to panic, big time. But at the last second, my hands grabbed onto a rock. I clamped my fingers down on the rock and gripped on for dear life. I evaluated my position; I looked down and saw my legs dangling over the edge. Well, at least I hadn't fallen down. I was just a little stuck. So long as my fingers didn't slip, I would probably be alright.

Just then, I felt an incredible throbbing pain in the fingers of my right hand. "Argh!" I shouted. I looked up. Standing above me was a guy with dark hair and a somewhat darker complexion, but he was clearly of Caucasian descent. He had a contemptuous smile on his face. I glared at him; he had just kicked me in the hand (jerk). My right hand had come loose immediately. "What the eff?" I yelled. I then looked up at his face. On the right side of his head, just by his eye, was a red mark that resembled the shape of an iPod. The crazy motor boat driver had come to finish me off. "This is not good," I mumbled under my breath.</description><link>http://www.secuobs.com/revue/news/173702.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/173702.shtml</guid></item>
<item><title>An adventure in Peru, part 3</title><description>Secuobs.com : 2009-12-17 01:50:44 - Terry Zink's Anti malware Blog - This story is (mostly) fiction. But it's quite entertaining if you use your imagination. And who knows? It could have been true.
---------------------------------------------------------------------
After several days of waking up early and doing tours, not to mention a couple of overnight tours on buses that were actually quite comfortable, my friend and I arrived at Lake Titicaca. Lake Titicaca is a very large lake and it is bordered by two countries: Bolivia and Peru. Each country claims greater ownership (in terms of physical size) of the lake. This lake is the highest lake in the world (or possibly the highest freshwater lake). We got down there around 8 am and it was originally a rather dreary day. It was kind of cool, rainy and overcast, a lot like Seattle or London. Luckily, things got nicer later on in the day. You can take a few different tours on the lake but the one we went on was for about 3 hours or so. You see, in Lake Titicaca they have manmade floating islands made out of a substance that I shall call "straw". It's not actually straw, but it looks like it and I cannot remember the name of what it really is. They are fairly large hunks of straw and people live on them. They live in little, small huts also made out of straw (other than the roofs, of course). We went and talked to the islanders and I bought a few trinkets and doodads, as is my custom whenever I go to a developing country.

We wandered around for a bit, went inside the various huts where I saw how people lived. "How in the world do people live in these huts?" I wondered. "They are so small for a family. And how do they power the television?" Eventually, it came time to leave this island and go to another island where presumably we would see more of the same. The only way to get across from one island to the other is by boat, and so that's what we did. Halfway through the boat ride, they made an announcement: "We are asking for a fee to travel from one island to the next. The cost is twenty soles." (Note to readers: this part of the story is true, and twenty soles is about $7 US.) How convenient that we had no place to go and were at their mercy when we had to pay up the cost of travel. They certainly had a lot more leverage than do the food vendors at major sports events where they charge you $14 for a hot dog. I paid up because (a) the cost wasn't that prohibitive, and (b) what else was I going to do? Say I wouldn't pay?

After I paid, I looked off into the distance where I saw another reed boat group of tourists going some place else. They were clearly going to another island, not the same one we were going to nor the one that we came from. I also saw something else: a motor boat charging by, looking like it was going to come very close to the group of tourists. Nobody else seemed to notice except for me. I watched and assumed that the boat would change course so that its wake wouldn't come too close to the boat, and that it would easily go by the other tourists. But it didn't; it stayed on the same course. And worse yet, as it got closer, it looked like it was going to go into the path of the other reed boat. I looked closer. I couldn't tell for sure because of the angle I was looking at. It looked like that boat was charging right for the tourists. In fact, I was pretty sure that was directly where it was headed for. But everyone else was looking the other way, listening to the guide as he talked about something or other. The motor boat got closer and closer, and I started to panic. What was that guy doing? Didn't he see where he was headed? A large collision like that would send the reed boat tipping and probably break it up and likely cause a lot of injuries to the other passengers. I decided to take action. I stood up in the reed boat and promptly lost my balance, falling back down. Apparently, boats like the one I was in are tippy. Who would have thought? Everyone in my boat started to look at me. The guide said something to me in Spanish. "No habla español," I said. I'm fluent in over six million forms of communication, but Spanish isn't one of them. I really need to fix that one day. I got up again. This time I kept my balance and didn't fall down. "Hey!" I shouted at the boat, waving my arms, knowing full well they couldn't hear me, and probably didn't see me either. "Hey!" I shouted again, waving my arms even more like a maniac. "Watch out!" The guide in my boat started saying something to me again; I suspect it was something like "sit down". I didn't care, some crazy lunatic was heading straight for the other boat. I tried to point him towards the motor boat bearing down on the reed boat of passengers, but he wouldn't turn around. He just focused on me. It was kind of like a professional wrestling match when the bad guys are cheating but the dumb referee keeps his back turned away to nitpick over something else. I had to take more drastic action. I looked around for an object to throw. I looked at my souvenirs (hmm, can't throw those away because I paid good money for them, like $5 US worth). I then looked at my friend, who wasn't paying attention, either. He was listening to his iPod, kind of in his own little world. I reached down and grabbed his iPod. He didn't have time to react because my ninja-like skills sprung into action. I wound up, and with a sense of accuracy and power that would put Tom Brady, Peyton Manning and Brett Favre to shame (combined!) I hurled the iPod at the other boat, which was at least 200 feet away. It was an awe-inspiring sight. The iPod hummed nicely through the air, somehow curved around two objects and hit the driver of the boat square in the side of the head, knocking off his sunglasses and jolting his head back, and to the left. Back, and to the left. Back, and to the left. Success! It looked like he grunted and at the last minute swerved out of the way of the other boat. His boat made a large wave but it was nothing the reed boat couldn't handle. The iPod, after hitting the driver in the side of the head, landed in the water.

"Hey!" cried my friend. "I got that for my birthday!" I looked back to him. "I'll buy you a Zune HD," I replied. As the boat sped away, I looked back at the driver. He was too far away to see, but I could tell he was staring at me. I was very suspicious now and was thinking that the events of the past few days were now starting to tie together. I knew that before this trip was done, we would be meeting again.</description><link>http://www.secuobs.com/revue/news/173132.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/173132.shtml</guid></item>
<item><title>An adventure in Peru, part 2</title><description>Secuobs.com : 2009-12-16 10:15:15 - Terry Zink's Anti malware Blog - Note: this story is (mostly) fiction. But it could be a true story if you use your imagination a little.
---------------------------------------------------------------------
The town of Nazca is like a desert. Barren rock everywhere, little vegetation, dusty, windy, and warm during the day. But, it is here where you can see the Nazca lines. The Nazca lines are a series of carvings (more or less) in the ground that are between 30 m and 200 m in size. They are huge, and the only way to see them completely is from the air. They were made by the Nazca people around 2000 years ago. The drawings are interesting because there are many drawings of animals that are not native to the area, including the condor, the parrot and the monkey. Thus, the Nazca people must have traveled very far, at least a couple of hundred miles, in order to see these animals. They brought back stories of them and carved them out on the ground.

The Owl Man

A fish

Even today, the Nazca lines remain an archaeological wonder, and a bit of a mystery. We don't know exactly what they are for, but researchers think that it was a form of nature worship as well as a calendar, similar to the zodiac. The Nazca used it to time the weather phenomenon El Niño. Obviously, water was very important to the Nazcas (seeing as how they live in a desert and all) and El Niño cycles could make a huge impact on the environment.

Anyhow, we got to the plane and I got into the front seat. The pilot did his walk-around pre-flight inspection while I decided to fool around a bit. I slipped on the headset and did my impression of a pilot. I picked up the non-existent radio on my side and spoke into it: "Roger, roger, this is Rogue Two requesting clearance for take-off." I smiled to myself, and said "Stay on target! Almost there! Stay on target!" I was enjoying myself, saying a bunch of ridiculous things.

While I was sitting there speaking into the imaginary microphone, the pilot opened the door. "Okay, we need to take a different plane," he announced. "This one is grounded."

"What?" I asked. "Why?"

"Something is wrong with the propeller in the front. There are some major holes in it that have breached its integrity."

Well, I couldn't argue with that. I certainly didn't want to go up in a plane where the propeller suffered a problem with its integrity. But I was a little puzzled. "Haven't you flown this plane earlier today? We're not your first flight of the day," I pointed out. And we weren't. Did he go up before and just not notice?

"Sí, señor," replied the pilot. "I went up about 40 minutes ago. At the time, the propeller was fine because I checked it twice. It must have happened after I landed. Perhaps some gust of wind tossed up a rock into it."

At this point I was getting a little suspicious. A gust of wind like that would have had to have been blowing at 100 miles an hour, and someone would have noticed that. I looked around but didn't see anything out of the ordinary. The problem is that if anything was out of the ordinary, I probably wouldn't have noticed it anyhow because I had no frame of reference in which to compare it to the normal. We walked away from the damaged plane and I didn't get a good look. We were on a schedule and I didn't have time to fool around with this sort of thing. We just went to a new plane, we all got in (with me in the front seat, of course) and the pilot did his inspection. This time around, everything worked out fine. I went up in the plane and took a bunch of photos of the Nazca lines, some of which you can see in this post. We landed and I exited the plane. To be honest with you, I wasn't feeling too good. Sometimes people on planes like these will lose the contents of their stomach. I could understand why. There were hard banks to the left and to the right, as well as lots of going up and down. At first during the flight, I was like "This is really cool!" During the second half, I was thinking to myself "Man, my stomach is starting to protest. I think I want to go back down now." Seriously, I don't get sick on carnival rides or roller coasters or anything like that. This had me thinking about my woozy tummy. After recovering on terra firma, we left the mini-airport. We had a bus that would leave later that night, but I couldn't get that damaged propeller out of my head. I wished I had taken a closer look. Later on, a few days later, I would definitely wish I had taken a closer look around before leaving the airport.</description><link>http://www.secuobs.com/revue/news/172635.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/172635.shtml</guid></item>
<item><title>Now this is funny</title><description>Secuobs.com : 2009-12-14 07:24:41 - Terry Zink's Anti malware Blog - I interrupt my unfolding Peruvian story to share this very funny video about Windows 7. Enjoy! IMAGE </description><link>http://www.secuobs.com/revue/news/171612.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/171612.shtml</guid></item>
<item><title>An adventure in Peru</title><description>Secuobs.com : 2009-12-11 08:24:18 - Terry Zink's Anti malware Blog - Those of you who have been reading this blog for a while now know that during October, 2008, I was (fictitiously) attacked by a spammer while I was traveling to the Great Wall of China. The spammer had been (fictitiously) tracking my movements and (fictitiously) cornered me. He attempted to take me out, but I managed to outduel him and tossed him over the wall, never to see him again. Those of you who have been reading this blog for only a little while know that during the last part of November, 2009, I traveled to Peru. It was a good trip: I visited the city of Lima, saw the Nazca lines, traveled through Colca Canyon (like the Grand Canyon, but more impressive), sailed on Lake Titicaca and wrapped it up with a visit to the lost Inca city of Machu Picchu. It was very enjoyable, other than the sleep deprivation. Or shall I say, there was one other thing that I didn't enjoy: another spammer once again cornered me and tried to take me out. Only one of us lived to tell about it. Guess which one. Like my trip to China, this story is largely fiction. But not completely. --------------------------------------------------------------------- We flew into Lima at 1 am in the morning. My friend and I got up out of our airplane seats and disembarked the plane. It had been a long trip, a six hour flight from Atlanta after a five hour flight from Seattle. The batteries in my Bose headphones were nearly dead; I couldn't hear the movies anymore. The flight attendant at the beginning of the trip offered me some headphones but I said, "No, thanks, I don't need them. I've got these cool Bose headphones which I won at a limbo contest at MAAWG in 2008." She shrugged, said something that sounded like "suit yourself" and moved on. Suit myself, indeed. Apparently my ability to judge battery life is inversely proportional to my skills in antispam. We waited an additional hour or so to get through customs and then collect our luggage. At this point it had been a very long day, and after catching a cab at the airport, we headed on down to the hostel that we had booked ahead of time. This hostel was the only thing we had pre-booked; everything else was going to be us just booking stuff on the fly. It really was pretty ad hoc, kind of like how I like to run our Triage meetings at work. By the time we got checked in, convinced the hostel owner to open the door at 3 am, and somehow managed to check in despite speaking almost no Spanish and being fairly sure that some paperwork wasn't up to snuff, we were in our room. I had made it to Peru. Due to jetlag and general angst, I only got maybe 3 hours of sleep that night, and that's certainly on the far end of the scale. We got up around 10:30 or 11 am. "Wow," I said, "we slept late." But in reality, that's not too late because Lima is only 3 hours ahead of Seattle. I got up, showered and changed, as did my friend after I was done. We went down for breakfast and planned our day. It wasn't a complicated plan; we only had two goals: (1) book the rest of our trip, (2) see Lima. I am proud to say that we accomplished both. It took about an hour to book the trip and we planned out the various spots we wanted to see; you can see them in the preamble to this story. After that, we walked outside and decided to go downtown. We caught a taxi which took us to the heart of Lima and it only cost us 10 soles, or about $3.50 US. That was for a 20 minute cab ride. Cabs in Lima are the exact opposite of cabs in Geneva, which fricking charge $3.50 per minute. We got to the main square where we saw various attractions. Whenever I go traveling, I like to see the various shopping parts of the main strips and watch the people. I also like seeing the architecture and comparing it to places I have been to before. If you are wondering what Lima is like, the city that is closest to it is Los Angeles. image image At last we came to the main square. And this is where the story gets interesting. Another one of my main goals in Peru was to see a Peruvian Flute Band. Ever since I saw that South Park episode last year, it has been my lifelong dream. Lo and behold, we came to the main square and what did I see? A Peruvian Flute Band! I had accomplished my goal in one day! They were just walking around the main square, playing music and whatnot. I went up and snapped a picture. image Little did I realize what I was getting myself into. As I snapped the picture, I had to get the shot from a good angle. I never really succeeded at that; they were moving around too much. As I was snapping the first picture, I was bumped by a bystander walking beside me. "Watch it," he sneered as he moved past me. "What's his problem?" I said to myself. He was clearly having a bad day, or so I thought. I watched him as he went up and joined the Flute Band, playing with them. "Well, he's obviously not their PR guy," I said to my friend, who laughed. As I reflect back on it, I should have known something was up. For one, this guy was on bongo drums. For another, he seemed out of place. There was something about it that was just off. He didn't look like he naturally fit into the group. I didn't think about it at the time, but I should have. It would come back to haunt me 10 days later. IMAGE </description><link>http://www.secuobs.com/revue/news/170942.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170942.shtml</guid></item>
<item><title>Management tips and tricks</title><description>Secuobs.com : 2009-12-11 04:12:02 - Terry Zink's Anti malware Blog - As a Program Manager, it's my job to assign work items to people and then track everything. When there are a few bugs, it's not that difficult. When there are 30 or 40, it's much tougher. We have a couple of mechanisms for assigning work items, called bugs. We can assign them to Investigate, wherein the developer goes off, figures out what to do and then reports back. We can also Approve them, wherein the work is actually done. It is then subsequently assigned for testing and eventually rolled out. This process worked okay, but not great. Bugs that are assigned to Investigate often stay that way for days, weeks, and even months (and that includes even myself). We may keep mental track of them, but when somebody has to review all of the bugs (like myself, for example, in our weekly Bug Triage meetings), we don't know what the status of them is. When a bug kind of sits there with no updates, I call these Orphans. I decided that I had to fix the Orphans. So here's what I came up with: if a bug is assigned to you and is marked Investigate, and you don't have either an update or a date for when you will have an update, you pay a fine of $1. It is $1 per meeting, not $1 per bug (for now). The goal is to keep bugs from getting Orphaned. If people start feeling the pain (with a huge $1 fine, or simply the embarrassment of paying the fine) then there now exists social pressure to keep things on track. The motivation to keep things up to date is now felt very strongly. Who wants to be publicly shamed? It's only been in force for a week, but it has worked well so far. I encourage other managers to consider borrowing the principle and tweaking it for their ends. IMAGE </description><link>http://www.secuobs.com/revue/news/170868.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170868.shtml</guid></item>
<item><title>This picture is so true</title><description>Secuobs.com : 2009-12-04 22:26:31 - Terry Zink's Anti malware Blog - The one near the top is completely valid (click for ginormous image). image IMAGE </description><link>http://www.secuobs.com/revue/news/168789.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/168789.shtml</guid></item>
<item><title>Lorenzo von Matterhorn</title><description>Secuobs.com : 2009-11-27 08:02:08 - Terry Zink's Anti malware Blog - I don't normally comment on things I see on TV (wait a minute, what am I talking about? I do that all the time). Anyhow, yesterday I was watching the show "How I Met Your Mother." One of the main characters, Barney Stinson, has a scheme that he uses in order to meet members of the opposite sex: he creates and impersonates a fictional character by the name of Lorenzo von Matterhorn. Here's how it works. Barney walks into a bar and targets a single, attractive lady. The catch is that she has to have a fairly advanced phone. He walks up to her, kind of half-shrugs and says, "That's right, it's me." The woman looks up at him and asks, "Should I know you?" Barney, acting surprised, says, "Oh, really? You mean you don't recognize me? That's a relief! My name is Lorenzo von Matterhorn." There is a bit of byplay, and Barney has to run off for a moment in order to attend to some business. The girl then takes the opportunity to look up, on the web, the name Lorenzo von Matterhorn (using the Bing search engine, no doubt). After all, that's what smart phones are there for, to verify information. Yet Barney has planned ahead. He has created several web sites in advance that reference the fictional Lorenzo von Matterhorn. One is a reference to Lorenzo as a world famous billionaire who has circumnavigated the globe in a hot air balloon; others are web sites with fake news articles about how rich, powerful and famous he is. In other words, he has engaged in a whole bunch of social engineering and used grey search engine optimization to make himself look like a superstar rich guy, all in an attempt to impress the girl. When he returns, the girl is very impressed with him. The plan has worked! Of course, today, if you search for that name, you'll get references to How I Met Your Mother. But Barney has taken a page from the spammer playbook and is using the web in order to create false impressions of himself, similar to how spammers will attempt to game Google's most popular search phrases and then get their spammy landing pages to the top of those search results (this is known as Black SEO). Indeed, the techniques utilized by the two are probably not all that different from each other. One could certainly argue that Barney's shenanigans are unethical. Of course, there is certainly no question that black SEO is unethical. But the point of my post is this: the Internet can be used for both good and evil, even if it is fictional. image IMAGE </description><link>http://www.secuobs.com/revue/news/165717.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/165717.shtml</guid></item>
<item><title>If only she knew who she was talking to</title><description>Secuobs.com : 2009-11-25 10:28:15 - Terry Zink's Anti malware Blog - This is another vignette that I am posting while I am out traveling. The other day, I popped into Half Price Books to pick up a couple of novels by Michael Crichton. I don't know if there's a Half Price Books in your area, but the one in mine is awesome. I can get all sorts of used books in good condition for less than $5 apiece. Seriously, that's fantastic! It's completely worth it to me to spend a few dollars on a book I will only ever read once. Anyhow, I picked up a bunch of books and went to the checkout counter. As I was paying, the clerk asked me, "Would you like to sign up for our mailing list? We'll be sending out an offer in a little while and..." I was hesitant. I don't like giving out my information and signing up for stuff; I never even sign up for store credit cards even if it gets me 20% off that day. But this one had an offer that seemed pretty good to me. Obviously, it couldn't be that good since I can't remember what it was. As I was debating it in my head, the clerk said, "We won't spam you, we're not evil." I looked up at that and tried to conceal a smile. Oh, if only she knew that I was a program manager of antispam, with over five years of experience, in charge of protecting millions of inboxes, with a service that blocks a couple of billion spam messages daily. Stopping spam is my specialty. "Oh, I believe you," I said. I smirked to myself, thinking, "What would I do if I do get spammed? Heh, I can think of a couple of things." And I bet you can, too. IMAGE </description><link>http://www.secuobs.com/revue/news/165118.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/165118.shtml</guid></item>
<item><title>Microsoft's Security and Intelligence Report, v7, now available</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - Every 6 months or so, Microsoft releases its Security and Intelligence Report for the previous 6 months of the year. SIRv7 is now available here. This is a very comprehensive document covering topics from the entire threat landscape that Microsoft is involved with combating. This year's report contains three key messages: (1) The redistribution of knowledge: Microsoft's level of security intelligence will be unmatched and provided to individuals and organizations to help them make better security decisions. (2) OK, so what else is new? The SIR contains the information that is relevant to people right now. (3) What do I do now? The SIR allows people to assess where they are and what action they need to take. I thought I would post an excerpt from the Executive Foreword. I think that this highlights the theme of this current SIR. ----------------------------------------------------------------- Welcome to the seventh installment of Microsoft's Security Intelligence Report, which I hope you will find is the most extensive and comprehensive edition to date. The cover story in this report looks back at the major threats that have attacked customers over the last 10 years, and then the report drills deeply into the current threats that you need to understand and includes what you can do to best manage your risks. At Microsoft, we remember the pain past incidents caused our customers and we reflect on them frequently. In particular, the Slammer and Blaster attacks that disrupted the Internet in 2003 are vivid reminders of the responsibility we have at Microsoft to ensure our products are as secure and privacy enhanced as possible. image As you can see from the timeline above, 2003 and 2004 were difficult times (tzink note: see the report for a better image). But, you can also see that since then, major security incidents have become less and less frequent. From the data in this report, you'll also note that the scope and impact of major events have changed, as well. For example, from the press surrounding the Conficker worm that has been attacking customers over the past year, it's easy to conclude that Conficker is just as widespread and impactful as Slammer or Blaster, but in most respects, it hasn't been. In 2003, Blaster became one of the most prevalent threats impacting home PC users. Six years later, Conficker didn't even make the Top 10 list among this audience. I don't want to minimize the pain that many of our customers experienced fighting Conficker, because, as you'll read in the report, it was the top threat detected and cleaned in enterprises in the first half of 2009, but Conficker emerged in a much different software industry than Slammer and Blaster. Indeed, the software industry has matured a great deal since the days of Slammer and Blaster. Since 2003, the software industry has improved its ability to mobilize and coordinate resources to fight threats. The Conficker Working Group (CWG) was founded earlier this year, establishing a new model for how the collective industry can work together to mitigate global threats. The industry was able to proactively get ahead of Conficker by discovering the vulnerability before attackers could use it in widespread attacks. The Security Science team at Microsoft was able to find the MS08-067 vulnerability, which Conficker uses to propagate, and work with the Microsoft Security Response Center (MSRC) to release its update before attackers could use it for a Blaster-type attack. Our industry partners helped protect many customers from attack via the Microsoft Active Protections Program (MAPP). MAPP supplies Microsoft vulnerability information to security software partners prior to security update releases from Microsoft. This program enabled the majority of MAPP partners to provide protections to their customers for Conficker 24 hours after the MS08-067 security update was released. This meant that many customers were protected up to a week earlier than traditionally possible, and certainly much earlier than customers could obtain such defense-in-depth protections and threat mitigations in 2003. With the vulnerability that Slammer exploited, many administrators didn't know whether they needed to apply a security update or that it had to be applied manually. Today, customers are notified and protected much faster; multiple communications channels exist to help customers find and understand information on security vulnerabilities. Security advisories help draw attention to security issues as they unfold, and provide customers with critical information before security bulletins become available. Microsoft's advanced notification service provides customers with an insight into the number and nature of security updates that Microsoft will be releasing each month so they can plan more effectively for the deployment of the updates. Security bulletins provide information on vulnerabilities, along with workarounds and mitigations. The progress that the software industry has made to better protect systems and customers might be small consolation to the users of those 5 million systems that were infected with Conficker in the first half of 2009. Still, it is a significant step forward, given that more than 100 times as many systems were protected from Conficker. This is in stark contrast to the Slammer and Blaster attacks of 2003 where many, many more systems were infected. The industry will continue to work together to make the frequency, scale and scope of emerging threats as minimal as possible. We thank you for your help and efforts to protect the ecosystem, and look forward to continuing to work with you to create a safer, more trusted Internet. George Stathakopoulos, General Manager, Trustworthy Computing Security, Trustworthy Computing Group ----------------------------------------------------------------- More excerpts to come over the next few days highlighting global trends in the threat landscape. IMAGE </description><link>http://www.secuobs.com/revue/news/164986.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164986.shtml</guid></item>
<item><title>The story of Conficker</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - One of my favorite stories in the recent edition of the Microsoft Security and Intelligence Report v7, pp. 29-32, is the story of Conficker. I thought I would repost it here because it illustrates the problem of Conficker and the way the industry worked together to respond to the problem. Case Study: The Conficker Working Group. The appearance in late 2008 of Win32/Conficker, an aggressive and technically complex new family of worms, posed a serious challenge to security responders and others charged with ensuring the safety of the world's computer systems and data. ("Win32/Conficker Update," beginning on page 95, explains the technical details of the Conficker worm and the methods it uses to propagate.) Working together, however, the security community was able to react quickly to the threat and contain much of the damage, in the process establishing a potentially groundbreaking template for future cooperative response efforts. On October 23, 2008, Microsoft released critical security update MS08-067, addressing CVE-2008-4250, a vulnerability in the Windows Server service that could allow malicious code to spread silently between vulnerable computers across the Internet. The vulnerability affected most currently supported versions of Windows, although architectural improvements in Windows Vista and Windows Server 2008 made them more difficult to exploit than earlier versions. Like the worms that plagued the Internet earlier this decade, malware that exploited the vulnerability would be able to spread without user interaction by taking advantage of the protocols computers use to communicate with each other across networks. For this reason, and because actual attack code that exploited the vulnerability was known to exist in the wild at the time, the MSRC took the unusual step of releasing MS08-067 "out of band" rather than wait for the next scheduled release of Microsoft security updates, which takes place on the second Tuesday of every month. Security Bulletin MS08-067 happened to be released on the last day of the eighth annual meeting of the International Botnet Task Force in Arlington, Virginia, a suburb of Washington, DC, where attendees agreed to closely monitor developments around what appeared to be the first legitimately "wormable" vulnerability to be discovered in Windows in several years. The November appearance of Win32/Conficker, the first significant worm that exploited the MS08-067 vulnerability, marked a major challenge for security researchers, due to the aggressive tactics several of its variants used to propagate. Despite this, researchers soon discovered a way to limit or eliminate the Conficker bot-herders' ability to issue instructions to infected computers. As described on page 96, the authors of the Conficker malware used an algorithm to generate 500 new domain names every day (250 for each of the first two Conficker variants discovered) to use for command-and-control servers. Computers infected with Conficker would attempt to contact each of these generated domain names every day. If the authors had a task they wanted the computers in the botnet to perform, they would simply use the same algorithm to generate domain names in advance and register a few of them, which they could then use to host command-and-control servers. Fortunately, researchers from Microsoft and other organizations were able to reverse engineer the domain-name-generation algorithms used by the first two variants, designated Worm:Win32/Conficker.A and Worm:Win32/Conficker.B, soon after each variant was discovered. This enabled them to begin registering the domain names before the botnet operators could, thereby impeding the Conficker malware from obtaining new instructions. Initially, the researchers resorted to registering the domains commercially through the domain name registrars for the eight top-level domains (TLDs) used by Conficker (.com, .net, .org, .info, .biz, .ws, .cn, and .cc), an approach that quickly became unworkable. Registering 500 domain names per day would cost thousands of (US) dollars per day for the foreseeable future, and the cost would only increase if new variants appeared using different name-generation algorithms. It was clear that more help would be needed. Conficker, Part 1 | Conficker, Part 2 | Conficker, Part 3 IMAGE </description><link>http://www.secuobs.com/revue/news/164985.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164985.shtml</guid></item>
<item><title>The Story of Conficker, part 2</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - The Conficker Working Group Is Born. In January 2009, representatives from a number of security research companies and domain registrars, along with the anti-botnet Shadowserver Foundation, began discussing how best to implement a defensive Domain Name Service (DNS) strategy to handle domain registrations. To coordinate the significant amount of e-mail being generated by these discussions, the group established the CONFICKER e-mailing list on January 28, which drew a growing number of security researchers and members from law enforcement, academia, and industry, in addition to members representing each of the eight TLDs used by Conficker. Enlisting the support of the TLD operators would prove to be a vital step in containing the Conficker threat, enabling the group to block domain names more efficiently and at far less expense than would be possible through the commercial registration process. By early February 2009, working group members had instituted a process for registering as many domain names as possible, before the Conficker operators could register them, and assigning them to IP addresses belonging to six sinkholes (server complexes designed to absorb and analyze malware traffic) operated by organizations belonging to the working group. Infected computers looking for command-and-control servers would contact the sinkholes instead, providing researchers with valuable telemetry for analyzing the spread of the worm. A number of Internet service providers (ISPs) were also able to use this telemetry data to identify infected computers. Around the same time, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for allocating IP addresses and managing the Internet domain name system, invited the group to deliver a presentation on its domain registration efforts to a meeting of the ICANN board of directors. The board expressed its support for the program and assigned two staffers to help coordinate it. Despite these efforts, the Conficker operators were still able to register some domains before the working group could get to them. To mitigate this, researchers at Kaspersky Lab, an anti-malware vendor headquartered in Russia, worked with OpenDNS, a free network resolution service used by many organizations and individuals, to compute a year's worth of Conficker domain names and proactively point them at the group's sinkholes. Any infected computer belonging to an OpenDNS user would not be able to contact any of the Conficker command-and-control servers, even on domains the Conficker operators had been able to secure. The formation of the Conficker Working Group (CWG) was officially announced to the public on February 12, 2009, as what a number of news stories characterized as an unprecedented example of global cooperation in the computer security industry, and a potential blueprint for dealing with threats in the future. The CWG had grown from an e-mail list for nine individuals to a group of more than 30 member organizations from around the world, coordinating complex activities through a robust communications infrastructure. On the day the CWG was announced, the group had successfully registered every Conficker domain name for the next 10 days, a genuine if temporary victory over the Conficker operators. Conficker, Part 1 | Conficker, Part 2 | Conficker, Part 3 IMAGE </description><link>http://www.secuobs.com/revue/news/164984.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164984.shtml</guid></item>
<item><title>The Story of Conficker, part 3</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - Setbacks and Triumphs. The domain registration task became exponentially more challenging on March 4, 2009, with the discovery of Worm:Win32/Conficker.D. Investigators reverse-engineered the new variant and determined that it was programmed to generate 50,000 new domain names a day across 110 TLDs, beginning on April 1, 2009. Though this seemed at first like an impossible hurdle to overcome, CWG members immediately began working to counter the effects of the upcoming change. As security researchers continued to analyze the Conficker.D malware, ICANN staffers began contacting the registries responsible for each of the affected TLDs seeking cooperation in registering or blocking the domains, and the CWG compiled "go packs" of information for Internet service providers and enterprises about the steps they should take to help keep their customers and employees safe. April 1, 2009, came and went, with the world outside the security community noticing little or no change. By that time, however, ICANN had secured the cooperation of all 110 TLDs used by Conficker, and the global DNS community was active and prepared to deal with the Conficker threat. Rapid, effective collaboration across borders and organizational lines had proven instrumental in containing what has been, and remains, a significant threat to the world's computers and information. The CWG Today. The CWG remains in place today, with more than 300 member organizations representing law enforcement, academia, and industry, and remains vigilant against new developments. In cooperation with ICANN and the DNS community, the CWG continues to block or register the 50,000 domain names generated each day by the Conficker algorithms. Each month the group supplies the 110 affected TLD operators with an updated list of generated domain names covering the next several months, so they can begin implementing countermeasures well in advance. Automated mechanisms verify that each domain name has been blocked before it is scheduled to be used and alert the CWG for any that have not, so activity for those domains can be closely monitored. Once in a while, a domain name generated by the algorithm happens to correspond to an existing domain owned by a legitimate party; in such cases, the CWG contacts the legitimate domain owner in advance and offers assistance managing the expected spike in traffic coming from infected computers. In March, the group underwent a reorganization process to add structure and to segment its work by subject area to work more effectively. The group maintains a Web site at http://www.confickerworkinggroup.org with links to information in multiple languages about Conficker and resources that service providers and end users can use to determine if they are infected, and if so, what to do about it. The fight against Conficker is not over. The five identified variants continue to spread to new computers due to a lack of information or action on the part of some system administrators and end users. Even after Conficker recedes into insignificance, there will likely be other threats of similar magnitude to deal with in the future. As such threats appear, though, collaborative efforts, such as the CWG, can provide the global security community with unequaled tools for mitigation and resolution. Conficker, Part 1 | Conficker, Part 2 | Conficker, Part 3 IMAGE </description><link>http://www.secuobs.com/revue/news/164983.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164983.shtml</guid></item>
<item><title>Changing the title of this blog</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - For the very first time since I created this blog back in July of 2006, I am changing its title. It is no longer "Terry Zink's Anti-spam Blog"; it is now "Terry Zink's Anti-malware Blog." I have not moved out of spam. Instead, I have decided to broaden the focus of this blog to include malware as well as spam. The relationship between the two is tightly integrated and I believe that I need to touch a wider array of the security space to remain relevant. The only real change you will see will be that I will be writing about malware more than I have in the past, and other security topics in general. My sphere of interest has expanded from focusing on spam to focusing on the general security space. Happy reading! IMAGE </description><link>http://www.secuobs.com/revue/news/164982.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164982.shtml</guid></item>
<item><title>Countries with the most infected computers</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - All Spammed Up has a new post up referencing an article that security researchers have issued a report indicating that Spain is the country with the most infected computers, at 44.5%. The United States is second at 14.4%. The countries with the least infections are Sweden, the Netherlands and Peru. The Microsoft Security and Intelligence Report, v7, doesn't measure infection rates quite the same way. Instead, it has a metric called Computers Cleaned per Thousand machines scanned, or CCM (where M is the Latin word for thousand, mille). This is a measure of the number of computers cleaned per thousand executions of the Malicious Software Removal Tool (MSRT). Below is a heat map of the countries with the most infections; for a better image either click the image below (as it will be cut off in this blog) or download the full report and zoom in your Adobe PDF reader (it is on page 41). image Click here for ginormous image. Going from the above, we can see that Spain is definitely one of the hotter countries. But it is not the hottest. Below is a table of the countries with the worst rates of infection: image Spain is clearly one of the worst, but it is actually only number 4, behind Serbia and Montenegro, Turkey and Brazil. There is no set pattern, but in general, countries in the developed world (at the very least, the G7) are not found among the worst countries for malware infection. Of course, the very interesting thing is that even within different countries, the types of infections are different. Microsoft classifies the types of malware it removes and below is a table of what it looks like among various countries. Click on the picture to see the full image as it will be cut off partially in this blog: image Click here for full sized image. From our table above, Brazil and Spain are the worst offenders for malware infected computers, coming in at 3 and 4 respectively. Yet the type of malware hitting them is different. Brazil is plagued by Password Stealers that target Brazilian banks (led by Win32/Bancos), followed by Worms and Viruses; by contrast, Spain is hit hardest by Worms, then miscellaneous trojans and password stealers, which are substantially less than Brazil. The United States was number 2 in the report that All Spammed Up referenced, but the most common malware affecting systems in the US are miscellaneous trojans, followed by trojan downloaders and droppers and then Adware (the pattern is similar in the United Kingdom). So, different regions of the world are more prone to certain types of attacks than others. If we can make a generalization, then the countries with the highest malware infection rates as measured by the MSRT CCM metric are more prone to Worms. The United States is actually about average with regards to infection (8.6 CCM vs. 8.7 global average). With regards to the lower countries, I am currently not seeing any discernible pattern and I would have to do a deeper statistical investigation. IMAGE </description><link>http://www.secuobs.com/revue/news/164981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164981.shtml</guid></item>
<item><title>Are pirated versions of software more susceptible to malware? (Updated)</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - One of the pieces of conventional wisdom that goes through my head is that if you install pirated versions of software, then your computer is more likely to be infected with malware. It makes sense: in order for spammers/malware authors to take control of a machine, they offer users cheap software. Yet this cheap software comes with a heavy price tag: you relinquish control of it to the whims and fancy of the spammer or malware writer to do nefarious things like spam, host phishing pages, host fast flux, serve as a command-and-control center, and so forth. Furthermore, individuals with pirated software are also much less likely to download security updates and therefore remain exposed and vulnerable for longer periods of time and, therefore, more prone to malware infection. That's the theory. But is it true? To test this, I compared the data in the Microsoft Security and Intelligence Report and the Business Software Alliance Piracy Study. I used Microsoft's metric of CCM, Computers Cleaned per thousand executions of the Malicious Software Removal Tool. I extracted the countries in common between the two reports and ran two correlation studies, one for 1H 2009 compared to the 2008 piracy rate, and another for 2H 2008 compared to the 2008 piracy rate. Below are the top 10 countries for CCM in 1H 2009 and the change from 2H 2008 (green is good and represents a decrease, red is bad and represents an increase). [image] I have removed Serbia and Montenegro as it represented an outlier. Note that 4 of the top 6 countries (Turkey, Spain, Saudi Arabia and Taiwan) have all had substantial increases of malware infection (and removal) compared to the previous six months of the year. Below is a table of rates of piracy for the top ten countries. [image] For interest's sake, here are the best countries with the lowest rates of piracy. [image] You can see that the US has the lowest rate of piracy, which surprises me a little bit given that so much spam comes out of the US. Next, to determine if there is any relationship between the two of them, I calculated the statistical correlation between the two and plotted a scatter plot. I did this comparing the 1H 2009 CCM to the rate of 2008 software piracy, and then the 2H 2008 CCM to the rate of 2008 software piracy. Below are the results. [image] [image] In 1H 2009, 0.8% of the variance of the rate of piracy is associated with the CCM, and in 2H 2008, 1.1% of the variance of the rate of piracy is associated with the CCM. In other words, there is no statistically significant relationship between the national rate of software piracy and the national rate of malware detection. Update: But is this really the best way to compare whether or not pirated software is more susceptible to malware? All I did was take the malware clean rate (CCM) and the country's software piracy rate and compare them. But this study does not account for the following: 1. In this calculation, pirated software is mixed in with legitimate software, lumped together and then compared to the CCM. But this cannot differentiate between the two of them. It could be that pirated software contains many more malware infections than legitimate software and by mixing the two pieces of data together, the statistical relationship will show no correlation. In other words, they could be cancelling each other out. What would have to be checked is a pulling of the data that contains the CCM for legitimate software vs the CCM for pirated software, both within the country and then across countries. That would be a much more accurate comparison. 2. This study of mine does not account for the relationship that update frequency has on rates of malware infection. Does pirated software update less frequently? Or run fewer instances of the Malicious Software Removal Tool? If so, then it should have a higher rate of malware infection. The data in the SIR does have some data points surrounding the rate of update frequency. This should be accounted for in the malware/piracy study, and it is something that I did not include. Therefore, I am retracting my earlier statement that there is no statistically significant relationship between the rate of software piracy and the rate of malware infection detection. My earlier methodology is incomplete and right now I do not have enough of a complete data set to measure this with statistical certainty. The non-correlation is spurious. The experiment I used above, while a good start, does not go far enough and account for enough of the variables that could have an impact on the conclusions.</description><link>http://www.secuobs.com/revue/news/164980.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164980.shtml</guid></item>
<item><title>FireEye knocks Mega-D offline</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - From the Register: A botnet that was once responsible for an estimated third of the world's spam has been knocked out of commission thanks to researchers from security firm FireEye. After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network. Almost immediately, the spam stopped, according to the M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled. The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly. I decided to check this using our own statistics. While I don't know if Mega-D was at one time responsible for 1/3 of all spam (my stats only go back to late July 2009), it certainly isn't one of the big ones today. Those slots are reserved for Rustock, Bagle-cb, Cutwail, and sometimes DarkMailer. However, Mega-D certainly does register (no pun intended) on our radar. Below are the stats. [image] You can see that Mega-D does have a sawtooth-like sending pattern, but we definitely saw a big drop in spam from that botnet that appears to be generating a bit of a recovery today (11/13/2009). Also note that the numbers on the y-axis are not necessarily representative of the full set of spam we see from Mega-D, but the general trend is representative. The good news in all of this is yes, a relatively small company can make an impact into a major spam operation. The bad news is that these takedowns tend to be short lived. Earlier this year, when a Latvian ISP was disconnected due to its abusive practices, it made only a small dent in global spam volumes, and this small dent vanished a few days later. The spam operation is becoming more resilient to disruptions in its service.</description><link>http://www.secuobs.com/revue/news/164979.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164979.shtml</guid></item>
<item><title>Where's Rustock?</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of spam e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. It is the largest spamming botnet that sends mail to our servers. I decided to take a look at where its spamming IPs were located, geographically, for the date of November 12, 2009. Below is the chart. [image] In a surprising twist and departure from the norm, the United States is very under-represented in the above chart. South America is strongly over-represented. The top countries are below:
Rank  Country         Distinct IPs
1     Brazil          3274
2     India           2687
3     Colombia        1211
4     Poland           899
5     United States    836
6     Argentina        760
7     Czech Republic   745
8     Romania          731
9     Thailand         630
10    Israel           464
11    Spain            447
12    Italy            440
13    South Korea      419
14    South Africa     379
15    Great Britain    372
16    Germany          372
17    Turkey           368
18    Peru             363
19    Vietnam          361
20    Ukraine          332
Three of the top six countries are in South America. Only one is in Asia, and one is in Europe. This differs significantly from the total spamming IP distribution, where the United States has 18% of the total IPs. [image] For this one day, South America's representation has doubled compared to its global IP distribution for all spam, the United States is around 1/3, but Asia and Europe are about the same. For some odd reason, the United States seems to be more resistant to relaying spam from Rustock than other countries. And for some reason, South America is more prone to relaying it. I'll take some guesses in my next post as to why this is.</description><link>http://www.secuobs.com/revue/news/164978.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164978.shtml</guid></item>
<item><title>Virus attachments vs email classified as malware</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - This probably belongs in the "Well, no kidding" category but I thought I would post it anyhow. Since near the beginning of this year, I have been tracking how much email our filters classify as malware. I then took those values, broke them down into a weekly chart and compared it to how many mails we received on a weekly basis that contained virus attachments. Is there any relationship between the two? If there is a new malware campaign, is that associated with an increase in spams with links to malware? It's hard to measure this because we block so much mail at the network edge (90%). So, all of the data that I have is for post-edge blocked mail. Below is a chart of the amount of mail we classify as malware vs how much mail has a virus attachment, on a weekly basis. [image] The result is pretty significant: 31% of the variance in the number of viruses in email is associated with the variance in the number of messages we classify as malware. In other words, there is a very strong malware spam/virus correlation (correlation = 0.55) since March of this year. The problem is that I had to massage the data. There were 4 weeks of outliers that skewed the data set. If you include those, there is a weak relationship between the two of them, and it is negative (r = -0.12). [image] So on the one hand, I feel that removing the outliers results in an outcome that makes sense and fits the expectation. On the other hand, I feel bad about having to do some data-mining in order to return a result that I was expecting.</description><link>http://www.secuobs.com/revue/news/164977.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164977.shtml</guid></item>
<item><title>Traveling for the next little while</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - I am going to be traveling in Peru for the next little while, but fear not: I shall still be blogging! I have written a few posts in advance to entertain you all that shall become publicly visible over the next few days. Enjoy!</description><link>http://www.secuobs.com/revue/news/164976.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164976.shtml</guid></item>
<item><title>A positive story about social engineering</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - I'm currently on vacation in South America, so I thought I'd pre-write a few stories about how spam/malware relates to real life. We all know that a big trend in recent years with malware is social engineering. Social engineering is an attempt to trick the end user into doing something by impersonating someone else or by playing on their emotions. This is usually a bad thing, but not always. When someone nefarious gains access to your credentials, they don't necessarily have to use it right away. They can sit on it for a while before making use of it. That adds another dimension of social engineering because something that you did several months ago (giving up your credentials) can come back to haunt you many weeks or months later. And then, when it happens, you can't recall when you might have surrendered them. But what if social engineering was used for the powers of good? Let me tell you a story. Many of my readers will know that I am a magician, and this year my focus has shifted to mentalism. This branch of magic focuses on predictions, reading thoughts, and creating experiences in the minds of the audience. Well, this year, I was sitting on a couch preparing to depart from a local establishment. As I was leaving, I overheard another lady talking to someone else. She was talking and said something like "Give me a call" and said her phone number. My brain flipped into action. I pulled out a pen and notepad and wrote it down (I memorized it as soon as I heard it). This might come in handy, I thought to myself. I started thinking about how I could use it. And that time came a few months later. I decided to use it in a magic effect. I decided to test out something new. I walked up to her and said "Amanda" (not her real name), "I want you to think of a number. Make it a meaningful number: your phone number. Keep in mind that I have never asked for it nor obtained it in any fashion. Concentrate, now. Visualize it, floating in front of you," I said as I waved my hand in front of her as if it were a few inches in front of her eyes such that only she could see it. I moved in closer, putting my hand on her shoulder while gesturing with my other hand. "Still seeing it now, I want you to silently recite the numbers in your head. Echo them one by one, clearly." She looked up and to the right, saying the numbers. I played it up a bit more. "10 digits," I said. She nodded. I then said the numbers very slowly: "1, 2, 3, 4, 5, 6, 7, 8, 9, 0." Her eyes went wide and she smiled in disbelief. I had just performed a miracle. I smiled in return, thanked her for helping out and proceeded on my way out the door. Now for some analysis on social engineering:
- The original leak of information is something that I overheard by accident. Sometimes people slip information without realizing it. They enter in their username and password over clear text (like a discussion forum) and then re-use those credentials elsewhere. If a hacker breaks into those forums and obtains that information, they have revealed their info by accident to an eavesdropper.
- But it doesn't stop there. In fact, it's just the beginning, because my trick illustrates real social engineering using body language techniques. The first thing I said was to think of a number, but not just any number: a phone number. Getting someone to think of something related to them makes it about them. Once that happens, emotions start to kick in. When emotions kick in, it becomes more difficult to think logically.
- I put my hand on her shoulder. That breaks a psychological barrier of personal space invasion and again triggers an emotional response. It's something I do a lot when I perform magic close-up. The sensation of touch makes it even more personal.
- At the same time, I waved my hand in front of her, at eye level, and my eyes followed it. Her eyes did the same. This wasn't necessarily designed to do anything; however, I say it to illustrate the fact that I was using a psychological technique to control (actually, influence) her gaze.
- Finally, when I got closer to the end, I leaned forward and moved in closer. Moving in towards a person is a technique I picked up from Neuro-Linguistic Programming and general techniques of learning body language. When we lean in to someone, it means we are interested in them, or what they are saying. Whether or not she actually was interested in me (or more accurately, what I was saying and doing), I was using a psychological technique to suggest interest. It's not particularly overt but at the same time it is not subtle.
So you see, I was using a lot of social engineering technique to generate an emotional response, because when the number was revealed, I got a positive response. All I basically did was say "Think of a number", but I spiced it up. And when you spice things up and get the person to start thinking more with their emotions, you can get away with a lot more. But in this case, it made me look pretty suave and sophisticated, if I do say so myself. [image]</description><link>http://www.secuobs.com/revue/news/164975.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164975.shtml</guid></item>
<item><title>Some antispam humour</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - While I am out, I am posting some random stuff from around the web. From AppleGeeks: [image]</description><link>http://www.secuobs.com/revue/news/164974.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164974.shtml</guid></item>
<item><title>Some Microsoft humor</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - Did you ever wonder what it's like to work at Microsoft? Click on the link below to check out a humorous parody of what we all go through every day. [image] Click here to watch the video (offsite).</description><link>http://www.secuobs.com/revue/news/164973.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164973.shtml</guid></item>
<item><title>Another story about social engineering</title><description>Secuobs.com : 2009-11-25 01:18:28 - Terry Zink's Anti malware Blog - I'm still out traveling, so below is a personal vignette about social engineering. A couple of weeks ago, I headed off to a murder mystery free form game. If you've never been to one, it's a ton of fun. The basic theme is that everyone plays a role in a wider story arc. This year's theme was the American Old West. There are various sundry folks like the crooked doctor with a gambling addiction (me), the competing developers of the railroads, the crooked judge, the sheriff, and so forth. As you start the game, you find out that somebody has been murdered (gasp!). Your character's goal in the story is to attain certain assignments and the over-arching goal is to figure out who the killer is. It takes about 2 and a half hours, and you stay in character the entire time. It's fun. But onto my story about social engineering. Earlier in the day, I was talking to a friend of mine over the phone. He played a character known as Slick O'Hare. Part of my character was that I did some research on Slick and discovered that he was a notorious thug from out west whose real name was Saul Jackson. Now, part of his character was that he wanted to keep that information a secret from everyone. So, while we were speaking on the phone, he mentioned that he was playing the character of Slick. Without really thinking about it, I said "Oh, you're a thug!" I knew this from my character sheet but didn't know his said to keep that a secret. I kind of blurted it out when I probably should have kept it to myself. "What the? How'd you find that out? No one is supposed to know that!" he exclaimed. In that instant, I realized that I may have made a mistake. I decided that I had to recover quickly by thinking fast. Now, this friend of mine knows that I am a magician and mentalist, and that I am good at deciphering body language. I played off that fact. "You just told me," I said. "It was a lucky guess." He "realized" that he had been had. "Oh," he groaned, "you and your lucky guesses." He knew just then that I had been fishing around for information and that I had, by chance, figured out an important part of back story that he was supposed to conceal. "That's unfair!" It is unfair, I suppose, that I use some of my abilities to my advantage. Later on, while driving both him and another friend to the party, we talked about it again. He bemoaned the fact that I tricked him into revealing information. But on the way home, I explained what really went down. "So, remember earlier when I tricked you into revealing that information about yourself being a thug from back west?" "Yes," he responded. "It turns out," I explained, "that I already knew that information. What actually happened is that I tricked you into thinking that I tricked you into telling me." "Argh!" he exclaimed, realizing that he had been had a second time. "I can't believe you did that again!" The fact is that I recovered quickly from my earlier error and utilized my own reputation to my advantage to misdirect away from my error. I think that's pretty clever. And I socially engineered him into believing that the error was his, not mine. But, he still trusts me.</description><link>http://www.secuobs.com/revue/news/164972.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164972.shtml</guid></item>
</channel>
</rss>
 
