Symantec Blogs: MessageLabs Intelligence

Paul Wood | November 19th, 2009
0 comments

This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services.

As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally such links appear in only a tiny fraction of a percent of spam, but on November 18 the figure jumped to 4 percent of all spam. This new surge is entirely from the DonBot botnet.

 blog_img2.jpg

The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes where the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. Firstly, the body of the e-mail is simply an image (of a fake newspaper article), to try and get past text-based...

Paul Wood | November 18th, 2009
1 comments

This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead.

We concurred that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware, and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few.

That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security Predictions.

...

Daren Lewis | November 11th, 2009
0 comments

This post is made on behalf of my colleague Mathew Nisbet, Malware Data Analyst.

Researchers at the FireEye intelligence lab recently decided to attempt to take down the Mega-D botnet after doing detailed analysis of its inner workings. It seems their actions have been very successful indeed, as our monitoring shows a huge decline in this previously prolific botnet’s activity.

Mega-D was the botnet that took the biggest advantage of the takedown of the McColo ISP in November 2008, becoming the biggest of all the spam botnets. Since then, others (such as Rustock, Bagle, Grum, and Cutwail) have gained strength, but Mega-D has consistently been in the top 10 spam bots. Or at least it was, until the 4th of November, when it was hit, and hit hard.

This shows the number of unique IPs seen on our systems on a daily basis for the Mega-D botnet. Normally between 600 and 1600 IPs are seen each day, but you can see...

Daren Lewis | November 5th, 2009
0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst

MessageLabs Intelligence has been tracking a new botnet, ‘Festi’ since the beginning of August.

Festi has steadily increased its output of spam from virtually insignificant volumes up to 3-6% of daily spam. In terms of spam volumes, 3-6% is estimated at a massive 1.5-3 billion spam messages per day globally. This increase in output has been achieved both by gradually increasing the amount of spam sent from each Festi bot, and by recruiting new bots to the botnet.

20091105_01.gif

At the moment it is spewing out two variants of spam.

The first variant is ‘male enhancement’-type mails containing .cn domains, leading to a Canadian Pharmacy website.

...

Daren Lewis | November 2nd, 2009
0 comments

This post is made on behalf of my colleague Nicholas Johnston.

On 27 October, MessageLabs Intelligence began tracking a small number of spam emails that included links to the popular online file transfer service, YouSendIt.com. In the latest examples, the files being distributed were word-processing documents that contained advanced-fee fraud lottery scams. MessageLabs Intelligence will continue to monitor this activity. YouSendIt and other similar file transfer services are used legitimately by many users to send large files via the Internet where it may not be appropriate or possible to send them as an email attachment, for example if the file is too large.

This is another example of the bad guys turning to online services in order to exploit the good reputation of those services and bypass traditional anti-spam countermeasures that consider the reputation of domain names contained in hyperlinks used in email messages in...

Daren Lewis | October 27th, 2009
0 comments

This post is made on behalf of my colleague Mathew Nisbet, Malware Data Analyst.

The Bredolab Trojan has been seen “in the wild” for a long time, but the people behind it constantly change the subjects and format of the e-mails to try and fool people. The most recent change has been to use a popular social networking brand name to try and trick people into opening and running an attachment, by telling them their password has been reset and that their new password is contained in the attachment. Running the attachment will install the Bredolab Trojan on their machine and give the people behind the attack full control to do almost anything they want.

The first few occurrences of the new style were seen between 7pm and 8pm on 26th October and there has been a steady stream of them since, reaching almost 30% of all malware seen between 2am and 3am on the 27th October.

...

Daren Lewis | October 15th, 2009
0 comments

After spending some time analysing the mail bomber tool downloaded from spamfordz [dot] com, here is some of the interesting information we noticed.

 20091005_01.gif

Fig.1 Files contained in the tool package

To get this to work, one needs to upload the files (as shown in Fig. 1 above) to a web server and open the index.html file, which opens the mail bomber form as shown below.

 20091005_02.gif

Fig. 2 Mail Bomber form

As the form shows, one just needs to follow the easy steps (entering the victim’s email address, From name, etc.), hit the ‘Do It!’ button, and the job is done.

Is it that simple? Before answering the question, let’s take a look at what it actually does behind the ‘Do It!...

Paul Wood | October 14th, 2009
0 comments

This post is made on behalf of my colleague Manoj Venugopalan, Malware Analyst for Symantec Hosted Services.

AutoIt, a free automation language for Windows platform-based development, is often used for scripting Windows-based applications and sometimes misused for creating malware. AutoIt scripts can be compiled into a compressed, standalone executable which will run without an interpreter. Aut2Exe is the application used to compile an AutoIt script into a standalone executable.

Most of the malware based on AutoIt is in the form of worms and Trojans. Many such worms are well-known for logging into a user's IM client, changing their status message and then sending copies of the malware to all of the "buddies" in the victim's list.

MessageLabs Intelligence recently discovered an AutoIt Trojan using IRC (online chat) to connect an infected machine to a command and control channel without the user's knowledge. The malware is...

Paul Wood | October 6th, 2009
0 comments

Further analysis of Rustock reveals some interesting insights regarding how it seems to have settled into a remarkably predictable pattern of spamming in the last few months - so regular that it may be possible to set your watch by it! Every day at 8 a.m. GMT (3 a.m. ET) it begins to send out spam emails, continuing throughout the day, peaking at about midday GMT (7 a.m. ET), and then ceasing spamming at midnight GMT (7 p.m. ET). It then rests for about eight hours, before the cycle begins again the following day.

2009Sep_Ex_rustock.gif
Figure 1 - Rustock's New, Regular Spamming Pattern

2009Sep_Ex_cutwail.gif
Figure 2 - Typical Spam Output from Cutwail

This pattern of spamming...

Daren Lewis | September 29th, 2009
0 comments

Botnets are now responsible for distributing 87.9% of all spam, an increase of 2.9% since Q2 2009. With approximately 151 billion unsolicited messages each day being distributed by compromised computers, understanding who is responsible for such unprecedented levels is always of interest as, much like the threat landscape, the botnet landscape is ever changing. As highlighted in the latest analysis from MessageLabs Intelligence, the largest botnet now appears to be Rustock with an estimated 1.3 million to 1.9 million compromised computers in its control. However, estimated at half Rustock’s size, the most active botnet in terms of spam distribution is now the little-known botnet, Grum.

Both Grum and another botnet called Bobax have overtaken Cutwail as the most active spam-sending botnets, currently responsible for 23.2% and 15.7% of all spam respectively. Although significant in their own right, their size and power highlight the dominance that Cutwail had in June...

Daren Lewis | September 25th, 2009
0 comments

We've taken a closer look at spam on a regional/city basis in five large markets for September 2009. Just as we see differences in spam rates between countries, we often see significant differences within countries:

  • The areas that are subjected to the highest levels of spam are generally those locations that are populated with a higher density of small-to-medium sized businesses. Similarly, the least spammed places are often home to some of the largest companies.
  • Between four million and six million computers scattered across the globe have been compromised by cybercriminals without the user’s knowledge. These computers now form robotic networks, or botnets, which are controlled by cybercriminals and used to send out more than 87% of all unsolicited mail, equating to approximately 151 billion emails a day.
  • The global spam rate for September 2009 is 86.4 percent, but Canadian businesses are receiving more than their fair share, with levels...

Daren Lewis | September 15th, 2009
0 comments

For the bad guys, it can be a costly exercise to produce new families of malware in order to maintain their criminal activity at sufficient levels. Registering new domains is much more economical for them, and by spreading the malware across as many different websites and domains as possible, the longevity of each new piece of malware is increased. When employing server-side polymorphism, the same family of malware code may be packaged differently into new strains, automatically and dynamically, each time it is accessed. This requires a different anti-virus signature each time in order to detect it accurately. These approaches, combined with the use of “bullet-proof” hosting services and “fast-flux” hosting, mean that criminals can ensure that malicious websites are not taken down quickly in response to complaints.

In many cases the organized criminals have highly automated techniques in place that require little or no monitoring, and their systems are...

Daren Lewis | September 15th, 2009
0 comments

In early August, a number of very well-known social networking websites were reported to be victims of distributed denial of service (DDoS) attacks. The attacks appear to be linked with a “Joe Job” style spam run against an anti-Russian blogger. A “Joe Job” is a spam technique that spoofs the From: email address using a real email address (i.e. an unsuspecting victim) to make it appear as though that person was responsible for the email.

The spam run, as far as MessageLabs Intelligence can determine, was estimated at less than one percent of all spam at that time and distributed from a currently unclassified botnet. The run was significantly smaller compared with some of the more recent spam runs, such as the URL-shortening attacks from Donbot.

Although it is presumed that this spam run contributed to the DDoS attacks on these social networking websites, it is unlikely that this run alone could have caused all the reported disruption,...

Daren Lewis | September 15th, 2009
0 comments

Over the past two months, MessageLabs Intelligence has been tracking the rise of URL-shortening services appearing in spam emails. With so many of these legitimate services available on the internet, many are being routinely abused by spammers, so much so that many have been forced to close, leaving users with indignant messages explaining why, as in Figure 1 and Figure 2 below.

005_01_sample.jpg
Figure 1 - URL shortening website abused by spammers

005_02_sample.jpg
Figure 2 - URL shortening website temporarily closed due to spam abuse

Spam runs containing many new shortened URLs continued through July and August, with a peak of activity on 26 July at 9.25% of all spam, equivalent to more than...

Daren Lewis | September 15th, 2009
0 comments

Real Host, an ISP based in Riga, Latvia, was alleged to be linked to command-and-control servers for infected botnet computers, as well as being linked to malicious websites, phishing websites and “rogue” anti-virus products. Real Host was disconnected by its upstream providers on 1 August 2009. The impact was immediately felt, as can be seen in Figure 1, where spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period.

Much of this spam was linked to the Cutwail botnet, currently one of the largest botnets and responsible for approximately 15-20% of all spam. Its activity levels fell by as much as 90% when Real Host was taken offline, but quickly recovered in a matter of days.

Figure 1 shows the relative proportion of spam originating from the five major botnets globally during the period of this attack: Cutwail, Xarvester, Rustock, Mega-D, and Donbot. The scale used is a relative index based on the relative volumes and...