AllThingsD » botnet

Prolific Spam Network Is Unplugged

Michael Hickins — Thu, 17 Mar 2011 20:54:22 +0000

Activity from Rustock, one of the world’s most prolific spam email networks, has ground to a halt, apparently thanks to a coordinated effort by Internet service providers and software vendors. The take-down, which took place Wednesday morning Eastern time, happened without fanfare, and surprised many in the tight-knit community of cybersecurity consultants and experts.

Botnets like Rustock use malicious code to string together hundreds of thousands of personal computers that are then used to send spam email without knowledge of their owners. In the case of Rustock, infected computers were managed by a fleet of 26 separate “command and control” servers that sent them instructions.

Read the rest of this post on the original site »

Cisco Security Survey Finds Windows Vulnerabilities And Spam Decreasing

Arik Hesseldahl — Thu, 20 Jan 2011 14:40:09 +0000

Cyber criminals have fewer ways to attack Microsoft Windows, and sent less spam in 2010 than in 2009–a first-ever decline of spam from year to year. Those are among the findings in an annual report on the state of Internet security released today by networking giant Cisco Systems.

All the security attention paid in recent years to securing the Windows desktop and the applications running on it have paid off a little, Cisco found, making it harder for computer scammers to successfully carry off their intended crimes on that platform. The trouble is they’re now starting to focus more attention on mobile devices, including Apple’s iPhone and iPad, and devices running Google’s Android operating system, Cisco said.

Meanwhile, the overall global volume of spam, which often contains troublemaking links that are used to deliver attacks, decreased for the first time ever in 2010. Even so, spam still increased in some developed countries where broadband connections are multiplying. In the United Kingdom, spam volume nearly doubled, while the volume in France went up 115 percent. The U.S. saw a slight decline–11.1 trillion messages down from 11.3 trillion in 2009. Spam in Brazil, China and Turkey also declined. Some of the decline can be attributed to last year’s arrest by FBI agents in Milwaukee of a Russian accused of being the “king of spam,” and to the shutdown of a few botnets used by scammers to send spam.

One thing about Cisco’s report that’s likely to draw some attention is its finding that the raw number of vulnerabilities on Apple products appear to be growing. Apple users are usually pretty sensitive about this topic, and any comparison of the Mac to Windows on the security front tends to make them grind their teeth and pound out annoyed comments on tech blogs. I know because I’ve done the same teeth-grinding and have in the past criticized other reports for similar findings.

Here Cisco is addressing vulnerabilities that Apple has itself documented and patched in software updates. One thing that’s not clear to me–though it sure looks like it–is whether Cisco is combining vulnerabilities found on both iOS (iPhone and iPad) and OS X (the Mac). The data it’s using is from its IntelliShield service, which tracks vulnerabilities and security incidents, and shows that over five years Apple’s vulnerabilities rose, from less than 200 in 2006 to more than 350 in 2010. That rate was higher than Microsoft and Hewlett-Packard and Cisco itself, the report found, though it goes on to say that Apple has worked harder than most other vendors to protect its users. Security is one of the reasons Apple imposes such strict rules on what’s available in the App store, though people still jailbreak their phones.

Another trend Cisco found is something called “money muling.” Tom Gillis, VP and general manager of Cisco’s Security business unit, describes money muling as using unsuspecting people who are attracted by “work at home” spam messages and Web ads to participate in money laundering by moving small amounts of money into bank accounts, just a few thousand dollars at a time. He says the operations around this are becoming increasingly elaborate, and criminals will devote a lot of effort to developing it this year.

I talked with Gillis about the report and other security trends that Cisco found. Here are a few highlights from our conversation:

NewEnterprise: So you’re seeing fewer attacks on Windows and more on mobile devices. Is that simply because there are more of them?

Tom Gillis: It’s the simple fact that there’s this new class of mobile device coming into the enterprise that used to be a phone and now it’s a computer, and it can access enterprise information. So what we’re seeing is that the raw number, but not the severity, is down on Windows. Part of this is that Windows 7 was a very good release on Microsoft’s part from a security standpoint. And we’ve got these new devices coming into the enterprise, and so we’re seeing a shift in focus of attacks on these mobile devices. They’re vulnerable to attack and they’re relevant in the enterprise. Two years ago this would have been too small a population to be meaningful.

What kind of attacks are you seeing?

It varies. In some cases there’s a little “phone home” code in a free gaming app. Pretty gentle stuff so far. But as people start using smartphones to access sensitive information we need to start thinking about security considerations on these devices. There’s a larger theme here that the whole nature of attacks is changing dramatically. The fact that spam volumes dropped at all is a big tell. For 10 years this has only gone up. We’re not forecasting a steady decline in spam, but the fact that it slowed down at all is an indicator of the shift in the way that attackers are using email. The attacks are more targeted and personal, for one thing.

Can’t some of this decrease be attributed to some of the arrests that happened last year?

It can. There’s been a handful of arrests. And they went after not only the botnet operators but other parts of the spam value chain. There are firms and entities that build botnets of compromised machines that relay the spam, and then there are other firms and entities that rent time on those botnets that do the merchandising. The biggest category is selling fake pharmaceuticals. Some of these fake pharma operations were shut down and the people associated with them arrested. It’s not an easy thing to do, because they’re global, they move around, and so to make an arrest in this space is a huge accomplishment.

So what is the thinking now about securing the mobile device?

We think there are two ways to make mobile devices work in the enterprise. The flood of devices into the enterprise is huge, and everyone wants to use them to check their email and access corporate directories and other fundamental things. There needs to be some kind of software on the end point–the phone or device. It will have to be light. You can’t have some kind of antivirus suite running on the phone. It would be a little piece of software that’s on all the time that knows when you’re behind the corporate firewall and when you’re not, and manages your connection accordingly. We bought a company called ScanSafe that has 40 data centers around the world. When you’re outside the firewall it connects to you the nearest data center and enforces your corporate policies, but all you as the user know is that it just works. This notion of being on or off the corporate network goes away. And we can do all kinds of scanning for security, independent of the device that’s being used.

This year we also saw the Stuxnet attacks, which we now know for certain were carried out against the Iranian nuclear program. Clearly this is a new kind of attack that can be mounted against industrial control systems via computer networks. Is Cisco researching this?

Massively. Often these types of attacks are targeted against Cisco’s biggest enterprise customers. Who buys Cisco’s infrastructure? The biggest banks in the world, the defense contractors. If the goal of an attacker is to disrupt an economy, their targets will be our customers, and they’re demanding a response from us. I like to call it global threat correlation, but it comes down to taking huge samples of network traffic and picking out good traffic from the bad. Cisco has a good advantage here because our equipment is so widely deployed around the world. As we start measuring traffic we can develop reputation data on every publicly routable IP address on the Internet. As we start putting telemetry info into that equipment–and the customer can choose to enable it or not, and it’s turned off by default. But people turn it on because it helps them against the unknown kind of attacks that are popping up. If a Web server says its a Web server, but you just saw it sending spam three minutes ago, there’s a pretty good chance it’s part of a botnet. Once you know that you know that, you can start to mount a pretty good defense. We’re putting a lot of energy into developing that, and it’s proven to be pretty robust.

Microsoft Wants Isolation Ward for Infected PCs

Beth Callaghan — Thu, 07 Oct 2010 16:51:03 +0000

Microsoft security chief Scott Charney wants to protect your computer from botnet-infected PCs on the Internet. In a paper published yesterday, Charney proposed issuing “health certificates” to malware-free machines, requiring antivirus updates for those with vulnerabilities, and quarantining PCs infected by botnets. In a post to a company blog, he argued, “Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.”

It’s a Botnet Party Vietnam, Redux

John Paczkowski — Tue, 06 Apr 2010 13:50:46 +0000

Vietnam’s Foreign Ministry has a message for the thousands of Vietnamese citizens reportedly targeted by politically motivated cyberattacks: There were no attacks.

In a statement posted to the Ministry’s Web site Monday evening, spokesperson Nguyen Phuong Nga indignantly dismissed accusations that the Vietnamese government has been using botnets to silence opposition to a bauxite mining operation in the country run by China’s state-owned mining group, Chinalco.

“Such comments are groundless,” said Nga. “We have on many occasions clearly expounded our view on issues relating to access to and use of information and information technology, including the Internet. Vietnam law puts in place specific regulations against computer virus and malware as well as on information security and confidentiality.”

Sounds eerily similar to China’s bristling response to Google (GOOG) claims that it had detected a targeted attack on its corporate infrastructure originating in China, doesn’t it?

Which is not to say that the two are in any way linked. At the moment, security researchers say they are not. It’s just that indignant disavowals like these do seem to be the go-to PR strategy in countries where online political censorship to is known to be pervasive.

Bing on the iPad?

John Paczkowski — Wed, 31 Mar 2010 17:00:46 +0000

[ See post to watch video ]

It's a Botnet Party Vietnam

John Paczkowski — Wed, 31 Mar 2010 15:20:07 +0000

East Asia obviously isn’t taking Google’s principled stand in China very seriously–not that you’d expect it to. Politically motivated cyberattacks in the region continue. The latest to be identified: A botnet intended to silence widespread opposition to a bauxite mining operation in Vietnam run by China’s state-owned mining group, Chinalco.

Though similar to the late-2009 attacks against Google (GOOG), this effort was a bit less sophisticated. Still, it appears to have been politically motivated and perpetrated by folks with some sort of allegiance to the government of the Socialist Republic of Vietnam.

“The malware infected the computers of potentially tens of thousands of users who downloaded Vietnamese keyboard language software and possibly other legitimate software that was altered to infect users,” Neel Mehta of Google’s security team wrote in a blog post describing the attack.

“While the malware itself was not especially sophisticated,” Mehta added, “it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent.”

Which is frightening, because a number of Vietnamese Internet activists have already been imprisoned for attacking Chinese involvement in the bauxite mining project.

[Image credit: Wikimedia Commons]

Conficker: Don't Believe the Hype

Ben Worthen — Thu, 26 Mar 2009 11:59:17 +0000

You may have heard about Conficker, the rogue computer program that might do something dreadful on April 1. The truth is that the threat posed by Conficker is almost entirely theoretical, and that only a handful of dedicated professionals will notice anything out of the ordinary when that date comes around.

Conficker is the latest example of a type of malware called a botnet, which gives a cyber criminal control over an infected computer. The criminal can steal information stored on the computer or make it do things like send spam emails. In some cases, criminals amass millions of computers to command.

Researchers estimate that a couple million computers could be infected with Conficker, which makes it a large botnet, but not the largest. What sets Conficker apart is that it’s more sophisticated than any previous piece of malware. It uses a new form of cryptography, can be controlled by criminals in multiple ways, and updates itself. This scares security researchers. So does the fact that the bad guys haven’t done anything with the computers they control yet, which means they could do, well, anything.

Read the rest of this post

Got Any Networks Without So Much Spam in Them?

John Paczkowski — Thu, 13 Nov 2008 19:00:21 +0000

[ See post to watch video ]

75 Percent of All Spam Globally? On Our Backbones? Holy Cow!

John Paczkowski — Wed, 12 Nov 2008 18:29:31 +0000

There is damning evidence that this activity has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network, but nobody seems to care.”

– Paul Ferguson, a threat researcher with computer security firm Trend Micro

According to security experts, Web-hosting outfit McColo is responsible for enabling the broadcast of more than 75 percent of all spam globally. Its client list is a rogues gallery of bad-guy syndicates involved in everything from botnets to counterfeit pharmaceuticals and kiddie porn. So how is it that MoColo’s ISPs, Hurricane Electric and Global Crossing, were unaware of that until notified by a Washington Post reporter?

I’m not sure there’s a good answer to that question, though it would certainly be interesting to hear one. Almost as interesting as hearing the two ISPs explain away their network traffic from known criminal botnets Mega-D, Srizbi, Pushdo, Rustock and Warezov, all of which have their master servers hosted at McColo.

“We shut them down,” Benny Ng, director of marketing for Hurricane Electric, told the Post. “We looked into it a bit, saw the size and scope of the problem you were reporting and said ‘Holy cow!’ Within the hour we had terminated all of our connections to them.”

“Holy cow?” More like, “Holy cow, someone finally noticed we’re the preferred ISP of a massive criminal syndicate! What do we do?!?”

“ISPs can’t take the ‘I see nothing, I hear nothing’ approach to this content,” said Mark Rasch, a former cyber crime prosecutor for the Justice Department. “It’s a little bit like a landlord who owns a building and sees people coming in and out of the apartment complex constantly at all hours and not suspecting their may be drug activity going on. There are certain things that raise red flags, such as the nature, volume, source and destination of the Internet traffic, that can and should raise red flags. And to have so many third parties looking at the volume and content from this Internet provider saying ‘This is outrageous,’ clearly the people doing the hosting should know that as well.”

Take Me Away From All These … Layoffs

John Paczkowski — Tue, 11 Nov 2008 19:00:17 +0000

[ See post to watch video ]

Spammers: Sure, Our Sales Conversion Rates Are Low, but Lead Generation Is Through the Roof

John Paczkowski — Tue, 11 Nov 2008 18:10:20 +0000

Not that there’s any reason to think otherwise, but the spam network business is not one that’s dependent on sales conversion rates. You’ve got to send a hell of a lot of spam to make a living at it.

Consider this: Using the Storm botnet and 75,869 of its zombie members, researchers at UC Berkeley and UC San Diego broadcast 350 million pieces of spam peddling male enhancement supplements. All but 28 were ignored. “After 26 days, and almost 350 million e-mail messages, only 28 sales resulted,” the researchers explained. “Taken together, these conversions would have resulted in revenues of $2,731.88–a bit over $100 a day for the measurement period.”

That’s a conversion rate of well under 0.00001 percent. Laughable, right?

Not really. The supplements were priced at $100. And botnet overhead, as you might imagine, is quite low. Which means it’s entirely possible to turn a nice profit by managing just one sale per 12.5 million emails sent. Said the researchers, “Under the assumption that our measurements are representative over time, we can extrapolate that…Storm-generated pharmaceutical spam would produce roughly $3.5 million dollars of revenue a year.”

It's Not a PayPal Mockery. It's a 'Person-to-Person, Stored-Value Payments Celebration'

John Paczkowski — Thu, 14 Jun 2007 17:39:43 +0000

[ See post to watch video ]

It's Not a PayPal Mockery. It's a 'Person-to-Person, Stored-Value Payments Celebration'

John Paczkowski — Thu, 14 Jun 2007 17:39:43 +0000

[ See post to watch video ]

Better to Have a Botnet in Front of Me Than a Frontal Lobotomy!

John Paczkowski — Thu, 14 Jun 2007 07:06:48 +0000

Vint Cerf wasn’t kidding when he warned attendees at the World Economic Forum in Davos, Switzerland, last year that the Internet is at serious risk from botnets. These vast networks of compromised PCs–used by criminals for sending spam and spyware and for launching denial-of-service attacks–are a very real and quickly evolving problem. To wit, the FBI’s announcement yesterday that its OPERATION BOT ROAST initiative has identified some 1 million compromised PCs.

Unsettling, isn’t it? The thought of a million machines sitting in homes, schools and businesses around the country just waiting to spew out some nasty piece of malware or the latest “pump and dump” stock scheme. Depressing, too. Said Gadi Evron, who coordinates an international volunteer effort to fight botnets, “The war to make the Internet safe was lost long ago, and we need to figure out what to do now.”