Thursday, November 29, 2007

FBI Spam Fighters - Operation Bot Roast



Earlier this morning the Federal Bureau of Investigation published an update to its crackdown on botnets, termed "Operation Bot Roast". The first phase commenced in June of this year, and today the FBI announced phase two of the operation. The most interesting part of today's announcement was the results of the operation to date.

The collective toll revealed so far in our operation has been significant, both at a national level and a personal level. To date, we’ve uncovered more than $20 million in economic losses. In one case, a victim confirmed damages of nearly $20,000 in denial of service attacks via botnets.


It's fantastic to see that the FBI appreciates the real dangers of botnets and phishing and is acting, although at this point it's still a drop in the ocean. On a positive note, they did uncover a denial of service attack against a major university in Philadelphia, which they disabled. They also sentenced three people involved in a phishing scheme against a Midwest bank.

The report is available on the FBI website.

Wednesday, November 28, 2007

Google Caches Virus Popup

This evening I was looking at some of the spam found in my Gmail Spam folder. I started using Google Search to see if I could correlate some websites related to the spam. I did find some interesting things; for example, the bad English "recorded for security purpose", found on one spam-related website, is copied across several spam-related sites. I was looking for some casual correlation in the hope of finding some bad IP addresses not listed by one of the top RBL sites, such as Spamhaus. Alas, Spamhaus had me beat. It knew them all.

But then I found something rather interesting. I came across a website with a pop-up, trying to get me to download a Windows executable file.



In order for this to work I'd have to click on the fake dialogue button "Continue". Then a real dialogue with a "Save As" option appears; I download it, open it, and enjoy using my new virus. Okay, so nothing new and exciting there. It's a pretty simple website trying to con me into running their malicious code.

Now I was curious how many duplicate pages out there had the same pop-up, so I did a search for the text "You need to download new version of Video ActiveX Object to play this video file.".

I clicked on the first result.



But the page was gone.



I was really looking forward to that virus pop-up. Never mind, maybe Google Cache can help me out.





Excellent! The spammer took down the webpage linking to their exploit code, but luckily Google Cache saved a copy of the page, which popped up the "Save As" dialogue, so I can now download it and start enjoying my new virus as it silently rips through my machine, stealing my personal data and emailing spam around the world.

I uploaded this file to the Kaspersky Virus Scanner and it was identified as being "infected by Trojan-Downloader.Win32.Zlob.eob".

Oh no, I just realized. This exploit is not platform independent and will not run on my machine. It only runs on Windows and I'm using Ubuntu Linux. I guess I'll have to keep googling...

Monday, November 26, 2007

iTunes affected by zero day exploit



[Update: 29th November 2:30pm] Proof of concept code is now publicly available for this exploit on Mac OS X - Both Leopard and Tiger on Intel and PowerPC architectures are vulnerable.

The US Computer Emergency Readiness Team released a note warning of a zero day exploit for the Apple QuickTime product. iTunes users should be aware that they are also affected, since QuickTime is a component of it.

The bad news is that the exploit code is already available and virus writers are no doubt scurrying to create an attack. To make matters worse, there isn't currently a patch available, so the iTunes product is vulnerable even when fully updated. An attacker could use several methods to infect a machine, such as simply connecting to a machine on the RTSP port, linking to a malicious file, sending the file as an e-mail attachment or using the web browser (javascript/plugins/ActiveX).

The Danger of Auto Open

It's quite common for PC users to have applications linked to specific file types. For example, a PDF file may be associated with Adobe Reader or an MPEG video file with Windows Media Player. If an internet user clicks on a website link to such a file, the user may be prompted to confirm that the file should be opened. Many people opt to use the "Auto Open" feature so that the application immediately opens the attachment.

Mass-mailing worms typically exploit vulnerabilities in applications by crafting an evil file. Did you realize that simply opening an image, PDF or other simple file could allow an attacker to take complete control of your PC? You may feel that you would never click on an attachment in an e-mail from someone you don't know, as it's obviously a worm, but the attachment doesn't even need to be in the e-mail; it could simply be linked to.

Here's an example of an attack I provided to David Utter of Web Pro News:

http://www.google.com/search?hl=en&q=inurl:mail%20intext:shaping+traffic+techniques&btnI=

The URL above exploits a combination of the "Feeling Lucky" feature and an "Auto Open" configured PC. Should a user click on the link, the PDF attachment could automatically open. Fortunately, in this case it's a benign white paper, but it could easily have been a malicious file.

I should point out that the "Feeling Lucky" button has been abused by spammers for quite a few months, but by combining social and technical engineering techniques this could have been an effective attack. At the time there were rumors of a Google Phone, so an attack e-mail could have been created with Subject lines related to a sneak peek. Since the e-mail was related to Google, it would make sense for the body to have a link to Google, and keywords specific to the gphone could have been used. Lastly, there was a fresh PDF exploit that could have been used to infect PCs.
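The two link patterns described in this post, a search-engine "I'm Feeling Lucky" redirect (the btnI parameter) and a direct link to a file type that an "Auto Open" configured PC will hand straight to a helper application, are easy to flag at the mail gateway. The following is an added example, not code from the original post: it extracts URLs from a message body and reports both patterns. The sample message, the extension list and the Google host heuristic are constructed assumptions for illustration.

```python
"""Flag e-mail links that use a "feeling lucky" redirect or point straight at an
auto-openable file type.

Added example, not code from the blog. The message body, the extension list and
the host heuristic are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Assumed list of file types that a browser or mail client may hand straight to a
# helper application when "auto open" is enabled.
AUTO_OPEN_EXTENSIONS = {".pdf", ".mpeg", ".mpg", ".mov", ".doc", ".xls", ".exe"}


def is_google_search_host(host: str) -> bool:
    """Assumed heuristic: any Google search front end (google.com, google.co.uk, ...)."""
    return "google" in host.lower().split(".")


def classify_url(url: str):
    """Return a reason string if the URL matches a lure pattern, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # keep_blank_values matters: the redirect parameter is usually empty (btnI=),
    # and parse_qs silently drops empty values by default.
    query = parse_qs(parts.query, keep_blank_values=True)
    if is_google_search_host(host) and parts.path == "/search" and "btnI" in query:
        return "feeling-lucky-redirect"
    last_segment = parts.path.rsplit("/", 1)[-1]
    ext = ("." + last_segment.rsplit(".", 1)[-1].lower()) if "." in last_segment else ""
    if ext in AUTO_OPEN_EXTENSIONS:
        return "direct-link-to-auto-open-file"
    return None


def find_lure_links(body: str):
    """Scan a message body and return [(url, reason)] for every flagged link."""
    flagged = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # strip trailing punctuation captured from prose
        reason = classify_url(url)
        if reason:
            flagged.append((url, reason))
    return flagged


# Constructed sample message in the style of the lure described in the post:
# one harmless search link, one Feeling Lucky redirect, one direct PDF link.
SAMPLE_BODY = """\
Sneak peek at the gphone! Search results and spec sheet:
http://www.google.com/search?hl=en&q=gphone
http://www.google.com/search?hl=en&q=inurl:mail%20intext:shaping+traffic+techniques&btnI=
Or grab the brochure here: http://files.example.com/gphone-brochure.pdf.
"""

if __name__ == "__main__":
    for url, reason in find_lure_links(SAMPLE_BODY):
        print(f"{reason:32} {url}")
```

The redirect check keys on the btnI parameter rather than the search terms, because the terms are whatever the sender needs to land on the chosen file; the file-type check is independent, so a direct link to a PDF is flagged even with no redirect in the way.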

Thursday, November 22, 2007

Taking the text out of the Spam

For spammers, the trouble with image and video spam is that they have to ultimately give you information. Selling Viagra - you need to know where to buy it. Stock pump and dump - you need to know what stock you need to buy. So, leaving audio based spam aside for now, the text has to be given to you and it has to be readable, or it's of no use to the spammers. Text-based spam content-filtering has come a long way, so as long as we can extract the text from the images and video, we should be able to run that text through the existing text filters.

Many top websites use "Captchas": distorted text designed to be unreadable by computers (which spammers use for automation) but readable by humans. This is exactly what spammers are trying to do with image spam. Whilst websites are using distorted image text to stop spammers, the spammers are using distorted image text to bypass email spam filters. The irony is that while spammers seem to be using social engineering and a little ingenuity to defeat captchas, image-based spam filters are still struggling. So what if we used spam images as captchas? Could we somehow use this to get spammers to unwittingly convert their images back to text?

Tuesday, November 20, 2007

USENIX LISA Conference Report

I had the pleasure of speaking at the USENIX LISA conference last week in Dallas. My talk was entitled, "Using Throttling and Traffic Shaping to Combat Botnet Spam".

USENIX LISA is the annual conference for sysadmins of large systems (i.e. networks with more than 1,000 end users). LISA is a great conference: there's almost no marketing and sales presence, and the technical sessions are truly hands-on, if not entertaining. The BoFs (birds of a feather sessions) are like little nerd parties, and continue well into the night after the main conference is done.

About 100 people showed up to watch my talk (video will be available soon), which started with a brief history of spamming, then took the audience through my theory of spammer economics, and finished with some stats porn showing how well throttling works to get rid of botnet spam. Some of the more interesting statistics I presented were analyses of the make-up and behavior of zombies from the Storm botnet.

One of the unique things we do with Traffic Control is to track the operating system type of email senders, using a technique known as passive OS fingerprinting. We also track the ability of different senders to actually deliver email through to end user recipients. By correlating the delivery success rate with the operating system type, we can draw some interesting conclusions about email senders based on their operating system.



The chart above summarizes the operating systems of email senders that are successfully able to deliver email through Traffic Control. In other words, this chart summarizes the operating systems which are sending mostly good email, because good email has a high chance of being delivered to end users. As you can see, Linux hosts do very well at delivering email. They are tolerant of throttling, generally have a good reputation, and rarely send spam. It's fair to say that a large proportion of the world's legitimate email servers are therefore running Linux.



The second chart summarizes the operating systems of email senders that are not successful at delivering through Traffic Control. They have a poor reputation that causes them to be blocked or severely throttled, or they send spam which is blocked by downstream filters. In either case, they aren't very good at getting their messages delivered to end users. The bulk of these senders are running Windows. This matches our understanding that the majority of spam originates from Windows machines which are participating in botnets.
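The correlation behind these two charts, a passive OS fingerprint of each sending host joined with whether its mail was ultimately delivered, can be reproduced on a small scale from connection logs. The following is an added example and not the Traffic Control code: the fingerprint is a deliberately simplified p0f-style heuristic using only the initial TTL (the observed TTL rounded up to the nearest common default) and the TCP window size of the sender's SYN, and the signature table, log format and sample lines are constructed assumptions.

```python
"""Passive OS fingerprinting of SMTP senders, joined with delivery outcome.

Added example, not the blog's Traffic Control code. The signature table is a
simplified assumption for illustration; real fingerprinting tools use many more
signals than TTL and window size.
"""
from collections import defaultdict

# Assumed simplified signature table: (initial TTL, TCP window) -> OS family.
SIGNATURES = {
    (64, 5840): "Linux",
    (64, 65535): "FreeBSD/Mac OS X",
    (128, 65535): "Windows",
    (128, 8192): "Windows",
    (255, 4128): "Cisco IOS",
}


def initial_ttl(observed_ttl: int) -> int:
    """Map an observed TTL back to the sender's likely initial TTL (64/128/255)."""
    for default in (64, 128, 255):
        if observed_ttl <= default:
            return default
    return 255


def fingerprint(ttl: int, window: int) -> str:
    """Return the OS family guess for a SYN with this TTL and window size."""
    return SIGNATURES.get((initial_ttl(ttl), window), "Unknown")


# Constructed sample log: one line per SMTP connection, with the SYN attributes
# and whether the message was ultimately accepted downstream.
SAMPLE_LOG = """\
ip=203.0.113.5 ttl=52 win=5840 result=accepted
ip=203.0.113.9 ttl=60 win=5840 result=accepted
ip=198.51.100.7 ttl=116 win=65535 result=accepted
ip=198.51.100.8 ttl=113 win=65535 result=throttled
ip=198.51.100.22 ttl=120 win=8192 result=blocked
ip=192.0.2.14 ttl=121 win=65535 result=blocked
ip=192.0.2.30 ttl=58 win=65535 result=accepted
ip=192.0.2.31 ttl=245 win=1024 result=blocked
"""


def parse_log(text: str):
    """Yield (ip, ttl, window, delivered) tuples from key=value log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        yield (fields["ip"], int(fields["ttl"]), int(fields["win"]),
               fields["result"] == "accepted")


def delivery_by_os(records):
    """Group records by fingerprinted OS and return {os: (delivered, total, rate)}."""
    counts = defaultdict(lambda: [0, 0])
    for _ip, ttl, window, delivered in records:
        os_name = fingerprint(ttl, window)
        counts[os_name][1] += 1
        if delivered:
            counts[os_name][0] += 1
    return {os_name: (d, t, round(d / t, 2)) for os_name, (d, t) in counts.items()}


def ranked(stats):
    """Order OS families by delivery success rate, highest first."""
    return sorted(stats.items(), key=lambda kv: (-kv[1][2], -kv[1][1], kv[0]))


if __name__ == "__main__":
    for os_name, (d, t, rate) in ranked(delivery_by_os(parse_log(SAMPLE_LOG))):
        print(f"{os_name:18} delivered {d}/{t} ({rate:.0%})")
```

Hosts whose SYN does not match any signature land in an "Unknown" bucket rather than being guessed; in a real deployment that bucket is worth watching on its own, since a new botnet build can show up there before any reputation data exists.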

I'll post more about USENIX LISA later. For now, please comment if you have questions.

The One that Got Away


Yesterday, I speculated that LinkedIn could be used as an attack vector for a phishing attack. Although it's interesting to try and theorize how an attack could take place, it's even more interesting to hear first-hand how an attempted phish did take place.

Within hours of reading my blog post, Matt Hartley responded with a first-hand account of how he almost fell victim to such an attack. Fortunately, he was the one that got away and didn't take the bait. Perhaps people think of online scams as being ridiculously obvious, such as being written in capital letters, referencing obscure countries they've never been to and offering the chance of obtaining millions of dollars of inheritance. In reality they can be much more sophisticated.

Monday, November 19, 2007

Could LinkedIn Users be the next victims of Spear Phishing?

Most savvy internet users are aware that the term "Phishing" is used to describe an online attempt to steal personal or financial data. However, this type of fraud is sometimes even targeted to specific individuals which is known as "Spear Phishing". Rather than casting a dragnet by sending millions of messages to unknown users, time and energy are invested into spearing small groups of individuals.

If a phisher discovered the full name, geographic region, e-mail address and job title of an individual, it could make for the perfect phishing attack. Fortunately, most social networking sites that contain this type of information require approval before a stranger is able to view it. This isn't the case, though, if people decide to work around the safeguards put in place to protect them.

LinkedIn is a very popular professional networking website which has such safeguards in place. Despite this, many people opt to openly publicize their e-mail addresses and other confidential information in the hope of increasing their number of connections. A quick Google Search reveals in the region of 10,000 people with an e-mail address in their title alone. This information could be harvested by spammers, leaving those people to receive more spam. Worse still, it could be used as part of a phishing attack to steal an identity.

Friday, November 16, 2007

Comment Spam Hits Technorati

On visiting Technorati this morning, I could not help but notice that the number 4 most popular search term looked a lot like the spam email we've all seen.



Surely Technorati is pretty good at stopping this kind of thing, so how did it happen? When I searched Google for this phrase plus "Technorati", I found close to 17,000 hits, all of which link back to the Technorati search page.



What I found most surprising is that this comment spam appears on so many different language websites.

Link between Zombies and Vampires?

Romania was home to the infamous vampire Count Dracula, so perhaps it shouldn't be such a surprise to learn that it is home to many of the zombies associated with the Storm botnet. The term "zombie" is commonly used to describe a home PC that has been compromised and is under the central control of a master, to send spam. Storm has evolved so that it no longer has an army of zombies under one central control; rather, it behaves like an army of vampires, divided into small groups where each machine has the ability to assume control should one be killed.

Typically, when anti-spam companies publish metrics related to spam or infections per country, no allowance is made for the size or population of the country, so it shouldn't be a surprise that the USA is seen time and time again. However, by looking at the number of machines recently infected by the Storm worm in each country and normalizing by the number of Internet users in that country, we see the following ranking:

  1. Romania
  2. Argentina
  3. Chile
  4. Malta
  5. Israel
  6. Slovenia
  7. Panama
  8. Poland
  9. Bulgaria
  10. Hungary

Thursday, November 15, 2007

Storm Worm Batters Europe

It's well known that the Storm Worm received its name because the messages carrying the worm used Subject lines related to storms. For example, "230 dead as storm batters Europe" was commonly seen. Ironically, the Storm Worm itself is now battering Europe.

Our recent analysis of Storm bots indicates that the majority of the compromised computers are actually located in Europe, as the following chart shows:

Almost 37% of the zombies were found to be located in Europe, followed closely by 29.1% in North America and 21.4% in Asia. The USA, China, Korea and Russia often appear in media headlines as having the highest number of compromised machines and European countries go under the radar. However, by looking at things by Continent we see a different story.
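Both the per-country ranking in the previous post and the per-continent view here come down to the same two operations: normalize infection counts by Internet population, and roll counts up to a coarser region. The following is an added example, not the blog's own analysis, and the figures in it are constructed for illustration rather than the blog's data. It also applies a minimum-count floor, since a country with only a handful of observed infections and a tiny online population would otherwise top a per-capita list on noise alone.

```python
"""Rank countries by infections per Internet user, and roll up shares by continent.

Added example, not the blog's analysis. All figures below are constructed for
illustration and are not real infection or population data.
"""
from collections import defaultdict

# Constructed sample: infected hosts observed per country (ISO codes), estimated
# Internet users per country, and a continent mapping.
INFECTED = {"US": 5000, "CN": 4000, "DE": 900, "AR": 400, "RO": 300, "MT": 5}
INTERNET_USERS = {"US": 200_000_000, "CN": 150_000_000, "DE": 50_000_000,
                  "AR": 10_000_000, "RO": 5_000_000, "MT": 200_000}
CONTINENT = {"US": "North America", "CN": "Asia", "DE": "Europe",
             "AR": "South America", "RO": "Europe", "MT": "Europe"}


def raw_rank(infected):
    """Rank by absolute infection count, the view most published metrics use."""
    return sorted(infected.items(), key=lambda cc: (-cc[1], cc[0]))


def per_capita_rank(infected, users, per=100_000, min_infected=10):
    """Return [(country, infections per `per` Internet users)], highest first.

    Countries with fewer than `min_infected` observations are dropped: one
    infected host in a very small country would otherwise dominate the ranking.
    """
    rates = []
    for country, count in infected.items():
        if count < min_infected or country not in users:
            continue
        rates.append((country, count * per / users[country]))
    return sorted(rates, key=lambda cr: (-cr[1], cr[0]))


def continent_share(infected, continent_of):
    """Return {continent: fraction of all observed infections}."""
    total = sum(infected.values())
    by_continent = defaultdict(int)
    for country, count in infected.items():
        by_continent[continent_of.get(country, "Unknown")] += count
    return {c: n / total for c, n in by_continent.items()}


if __name__ == "__main__":
    print("by raw count:     ", [c for c, _ in raw_rank(INFECTED)])
    print("per 100k users:   ", [(c, round(r, 2)) for c, r in
                                 per_capita_rank(INFECTED, INTERNET_USERS)])
    shares = continent_share(INFECTED, CONTINENT)
    for continent, share in sorted(shares.items(), key=lambda cs: -cs[1]):
        print(f"{continent:14} {share:.1%}")
```

With the constructed data the raw ranking starts US, CN, while the per-capita ranking starts RO, AR; Malta, with five observed hosts, is held back by the floor until `min_infected` is lowered.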

Wednesday, November 14, 2007

How much does a Botnet cost?

It could cost you up to 60 years in prison along with a $1.75 million fine. At least that's the situation facing John Schiefer, as reported recently by the Los Angeles Times.

Schiefer is reported to have compromised up to a quarter of a million computers and used them to steal personal financial information from his victims. He will now go down in history as the first person to be accused of running a botnet under the US federal wiretapping law.

Tuesday, November 13, 2007

The Latest Storm Botnet Surprise

The Storm Botnet is infamous for its delivery of "pump & dump" stock spam. In the past we've seen HTML, images and even mp3 formats used to bypass filtering. What better way to avoid e-mail filtering than by avoiding the use of e-mail?

The botnet operator is now delivering web browser pop-ups with similar stock tips to users of PCs that have been infected by the Storm Worm! The Secureworks team posted a screen shot of one of the pop-ups.

It's an interesting tactic, since it draws attention to the fact that a PC has already been compromised by the worm, and the owner may decide to fix it. On the other hand, it's more likely to be looked at than a spam e-mail, which runs an incredibly high risk of being caught by anti-spam or simply deleted from an inbox.

Monday, November 12, 2007

Welcome to the NEW Anti-Spam Blog

We’re here to cut through the clutter for the email security community. What are the newest spam tactics? How can we undermine the economics that drive spamming? What are IT professionals saying?

So read on and enjoy!