
Thursday, June 19, 2008
Storms and Earthquakes
The infamous Storm worm was named for the Subject lines of its original campaign, which referred to the storms then battering Europe; "230 dead as storm batters Europe" was a common one. Last year we blogged about it, with a breakdown of infected machines by continent and country and a discussion of how it changes tactics.
This week a new variant has appeared with Subject lines about an earthquake in China. The social engineering is the same as in the original campaign: a natural disaster is used to entice the recipient into opening the e-mail. The US Computer Emergency Readiness Team (US-CERT) has posted an alert on its website. The Subject lines currently being seen in the e-mails are as follows:
* The most powerful quake hits China
* Countless victims of earthquake in China
* Death toll in China is growing
* Recent earthquake in china took a heavy toll
* Recent china earthquake kills million
* China is paralyzed by new earthquake
* Death toll in China exceeds 1000000
* A new powerful disaster in China
* A new deadly catastrophe in China
* 2008 Olympic Games are under the threat
* China's most deadly earthquake
Posted by David Cawley at 9:11 AM
Labels: botnet, china, earthquake, spam, storm
Thursday, April 3, 2008
Post #2 on Why Spam Filters Suck "trickle blog" series

Prohibition Induces "Botlegging"
Spamming is a "tragedy of the commons": a finite resource (our time and attention) is abused at low cost by a minority (the spammers). As with many such tragedies in human history, prohibition has been seen as the quick fix; classic targets of prohibitionism include alcohol, drugs, and gambling. The idea is simple: stop spammers from profiting by making the activity illegal, enforcing the law, and making the consequences harmful enough to deter the culprit. In practice, this kind of law is difficult to enforce.
In 2003, American legislators passed the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing). CAN-SPAM made it illegal to send unsolicited bulk e-mail with a deceptive subject line and forced legitimate senders to identify themselves with a full mailing address.
So why, then, does spam volume continue to rise despite increased adoption of spam-blocking mechanisms worldwide?
Several years have passed and spam volume is higher than ever. While CAN-SPAM is rightly criticized for not ending the spam problem, its most significant side effect was to push spamming underground and out of the reach of law enforcement. Faced with service interruptions, spammers began in early 2004 to migrate their operations to a highly scalable distribution platform that law enforcement could not easily touch: the botnet.
By the end of that year, the majority of spam was being delivered by decentralized networks such as "Phatbot", and today by Storm, Mega-D, and Srizbi, lending little hope to Bill Gates' famous pronouncement that spam would be beaten before the end of 2006.
The fact is that every anti-spam technique has limitations. Content filters are a core component of the architecture and are very effective at separating spam from legitimate mail once they have received and recognized it. DNSBLs can block bad senders from known IP addresses once they know the sender is bad. But what happens when a botnet harvests new zombies with IP addresses unknown to the DNSBLs and uses them to send new campaigns, something that happens every day? Discarding spam after you have received it does nothing to reduce the traffic generated by new campaigns. What is needed is a combination of best-of-breed elements, each suited to one type of spam: known content, unknown content, known senders and, most importantly, unknown senders.
If you are doubling servers to cope with heavy spam loads, your infrastructure costs are under the control of the spammers, who can simply keep sending more. What you need is a solution that blocks most spam without having to receive the message first, so that costs and load come back under control and your infrastructure is used to deliver legitimate mail first.
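To make the gap concrete, here is an added example (my own, not code from the original post and not the product's own logic) of a toy mail front end that applies the two checks in the order a real MTA would: a DNSBL lookup at connection time, then a content filter after the body has been accepted. The DNSBL query convention (reverse the IPv4 octets, append the zone, resolve an A record, an answer in 127.0.0.0/8 means "listed") is the real one used by zones such as zen.spamhaus.org, but the resolver here is a constructed in-memory table so nothing is queried, and the three sample messages are constructed too. The fresh zombie at 203.0.113.7 passes the DNSBL and is only caught after its whole message has been received, which is the cost the paragraph above is talking about.

```python
# Added example, not code from the original post: a toy mail front end that
# applies the two checks the post describes in the order a real MTA would,
# a DNSBL lookup at connection time and a content filter after the message
# body has been accepted, and measures what a fresh, unlisted zombie costs.
#
# The DNSBL query convention (reverse the IPv4 octets, append the zone, resolve
# an A record, an answer in 127.0.0.0/8 means "listed") is the real one used by
# zones such as zen.spamhaus.org. The resolver below is a constructed in-memory
# table so the code runs offline; no DNS is actually queried.
import ipaddress
import re

DNSBL_ZONE = "zen.spamhaus.org"

# Constructed stub of DNS answers. Only 1.2.3.4 is "known bad"; a real DNSBL
# would answer 127.0.0.x for listed hosts and NXDOMAIN (None here) otherwise.
STUB_DNS = {
    "4.3.2.1." + DNSBL_ZONE: "127.0.0.2",
}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, resolve=STUB_DNS.get):
    """True if the DNSBL answers with an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Minimal content rule for the pump-and-dump style of spam the blog discusses.
STOCK_SPAM = re.compile(r"\b(strong buy|stock alert|ticker)\b", re.IGNORECASE)


def content_filter_rejects(body):
    return STOCK_SPAM.search(body) is not None


def handle_delivery(sender_ip, body):
    """Return (verdict, bytes accepted from the sender before the verdict)."""
    if is_listed(sender_ip):
        # Known sender: rejected at connect, nothing accepted.
        return "rejected-at-connect", 0
    accepted = len(body.encode("utf-8"))
    if content_filter_rejects(body):
        # Unknown sender, known content: caught, but only after receiving it all.
        return "rejected-after-data", accepted
    return "delivered", accepted


# Constructed sample campaign. 203.0.113.7 plays the fresh zombie that no
# DNSBL knows yet (TEST-NET-3 documentation range); 198.51.100.5 is legitimate.
CAMPAIGN = [
    ("1.2.3.4", "STOCK ALERT: XYZ is a strong buy before Monday's open!"),
    ("203.0.113.7", "STOCK ALERT: XYZ is a strong buy before Monday's open!"),
    ("198.51.100.5", "Hi, notes from today's meeting are attached."),
]


def run_campaign(messages=CAMPAIGN):
    """Return per-sender verdicts and the spam bytes the DNSBL could not save."""
    verdicts = {}
    wasted_bytes = 0
    for ip, body in messages:
        verdict, accepted = handle_delivery(ip, body)
        verdicts[ip] = verdict
        if verdict == "rejected-after-data":
            wasted_bytes += accepted
    return verdicts, wasted_bytes


if __name__ == "__main__":
    print(run_campaign())
```

Scale the third line of the campaign up to a few million messages from addresses the lists have never seen and the "wasted bytes" figure is exactly the bandwidth and server capacity the paragraph says the spammers control; the content filter's verdict is correct every time and still does nothing about it.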
NEXT: Post #3 Once Promising Proposals for a Final Ultimate Solution to the Spam Problem (FUSSP)
PREVIOUS: Post #1 Short History on Spam Protection
Posted by Desmond Liao at 11:23 AM
Labels: anti-spam, bill gates, botnet, CAN-SPAM, distributed, dnsbl, mega-d, phatbot, spam, srizbi, storm, trickle blog
Wednesday, November 14, 2007
How much does a Botnet cost?
It could cost you up to 60 years in prison and a $1.75 million fine. At least that is the situation facing John Schiefer, as reported recently by the Los Angeles Times.
Schiefer is reported to have compromised up to a quarter of a million computers and used them to steal personal financial information from his victims. He will now go down in history as the first person charged under US federal wiretapping law for running a botnet.
Posted by David Cawley at 10:17 AM
Labels: botnet, compromised, cost, fine, law
Tuesday, November 13, 2007
The Latest Storm Botnet Surprise
The Storm botnet is infamous for its delivery of "pump & dump" stock spam. In the past we have seen HTML, images and even MP3 files used to bypass filtering. What better way to avoid e-mail filtering than to avoid e-mail altogether?
The botnet operator is now delivering web browser pop-ups with similar stock tips to users of PCs that have been infected by the Storm worm. The SecureWorks team posted a screenshot of one of the pop-ups.
It is an interesting tactic, since it draws attention to the fact that the PC has already been compromised by the worm, and the owner may decide to clean it. On the other hand, a pop-up is more likely to be looked at than a spam e-mail, which runs an incredibly high risk of being caught by anti-spam filtering or simply being deleted from the inbox.
Posted by David Cawley at 4:30 PM