Symantec Intelligence
Daren Lewis | 15 Oct 2009 | 1 comment

After spending some time analysing the mail bomber tool downloaded from spamfordz [dot] com, here is some of the interesting information we noticed.

Fig. 1 Files contained in the tool package (image: 20091005_01.gif)

To get this to work, one needs to upload the files (shown in Fig. 1 above) to a web server and open the index.html file, which displays the mail bomber form shown below.

Fig. 2 Mail Bomber form (image: 20091005_02.gif)

As the form shows, one just needs to follow a few easy steps, such as entering the victim's email address and a From name, and hit the 'Do It!' button; the job is done.

Is it that simple? Before answering, let's take a look at what actually happens behind the 'Do It!' button. After it is clicked, the page opens the file bmb...

Paul Wood | 14 Oct 2009 | 0 comments

This post is made on behalf of my colleague Manoj Venugopalan, Malware Analyst for Symantec Hosted Services.

AutoIT, a free automation language for the Windows platform, is often used for scripting Windows-based applications and is sometimes misused for creating malware. AutoIT scripts can be compiled into a compressed, standalone executable that runs without an interpreter; Aut2Exe is the application used to compile an AutoIT script into such a standalone executable.
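As an added example (not code from this post or from Symantec), the following Python checks whether a Windows binary carries the compiled-AutoIt script marker, the sort of quick triage an analyst runs on a suspect sample before unpacking it. It assumes, from public AutoIt unpackers rather than from the post, that Aut2Exe output contains the ASCII marker AU3!EA06 (AU3!EA05 for older builds); the sample byte strings are constructed, not real malware, and a UPX-packed build would hide the marker until unpacked.

```python
"""Identify a compiled AutoIt v3 executable by its embedded script marker.

Added example, not code from the Symantec/MessageLabs post.  It assumes
(from public AutoIt unpackers, not from the post) that executables built
by Aut2Exe carry the ASCII marker 'AU3!EA06' in the compiled-script
resource; older builds used 'AU3!EA05'.  A UPX-packed build hides the
marker until unpacked, so a miss is not proof of a clean file.
"""
from typing import Dict, Optional

# Markers assumed to appear in compiled AutoIt v3 binaries (assumption).
AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")
PE_MAGIC = b"MZ"


def find_autoit_marker(data: bytes) -> Optional[int]:
    """Return the offset of the first AutoIt marker in data, or None."""
    hits = [data.find(m) for m in AUTOIT_MARKERS]
    hits = [h for h in hits if h >= 0]
    return min(hits) if hits else None


def is_compiled_autoit(data: bytes) -> bool:
    """True when data looks like a PE file and carries an AutoIt marker."""
    return data.startswith(PE_MAGIC) and find_autoit_marker(data) is not None


def scan_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map file name -> verdict ('autoit', 'pe', 'other') for a batch."""
    verdicts = {}
    for name, data in files.items():
        if is_compiled_autoit(data):
            verdicts[name] = "autoit"
        elif data.startswith(PE_MAGIC):
            verdicts[name] = "pe"
        else:
            verdicts[name] = "other"
    return verdicts


# Constructed sample inputs: not real malware, just byte strings shaped
# like the cases the scanner must tell apart (marker in a PE, marker in
# a text file, a PE without any marker).
SAMPLES = {
    "worm.exe": b"MZ" + b"\x00" * 64 + b"AU3!EA06" + b"\x00" * 16,
    "legacy.exe": b"MZ" + b"\x00" * 32 + b"AU3!EA05",
    "notepad.exe": b"MZ" + b"\x00" * 80,
    "readme.txt": b"AU3!EA06 mentioned in text, not a PE",
}

if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

The text-file case matters: the marker alone is not evidence, so the verdict requires the MZ header as well. On a real sample, run the check again after unpacking if the first pass is negative.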

Most of the malware based on AutoIT is in the form of worms and Trojans. Many such worms are well-known for logging into a user's IM client, changing their status message and then sending copies of the malware to all of the "buddies" in the victim's list.

MessageLabs Intelligence recently discovered an AutoIT Trojan using IRC (online chat) to connect an infected machine to a command and control channel without the user's knowledge. The malware is...

Paul Wood | 06 Oct 2009 | 0 comments

Further analysis of Rustock reveals some interesting insights regarding how it seems to have settled into a remarkably predictable pattern of spamming in the last few months - so regular that it may be possible to set your watch by it!  Every day at 8 a.m. GMT (3 a.m. ET) it begins to send out spam emails, continuing throughout the day, peaking at about midday GMT (7 a.m. ET), and then ceasing spamming at midnight GMT (7 p.m. ET).  It then rests for about eight hours, before the cycle begins again the following day.
Figure 1 - Rustock's New, Regular Spamming Pattern (image: 2009Sep_Ex_rustock.gif)

Figure 2 - Typical Spam Output from Cutwail (image: 2009Sep_Ex_cutwail.gif)

This pattern of spamming for Rustock (Figure 1) began around July 6-12, 2009.  Prior to that, Rustock...
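To show how such a daily window can be derived from raw message timestamps, here is an added example in Python (not MessageLabs code or data). The timestamps are constructed to mimic the pattern described above, and the 5% floor used to separate active from quiet hours is an arbitrary assumption, not a value from the post.

```python
"""Derive a botnet's daily sending window from message timestamps.

Added example, not part of the Symantec/MessageLabs post.  The message
timestamps below are constructed to mimic the Rustock pattern the post
describes (start 08:00 GMT, peak around midday, silence after midnight);
they are not MessageLabs data.  The 5% floor is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


def hourly_profile(timestamps: List[datetime]) -> List[int]:
    """Count messages per UTC hour-of-day over all days observed."""
    counts = Counter(t.astimezone(timezone.utc).hour for t in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def peak_hour(profile: List[int]) -> int:
    """Hour-of-day with the highest volume."""
    return max(range(24), key=lambda h: profile[h])


def active_window(profile: List[int], floor_ratio: float = 0.05) -> Tuple[int, int]:
    """Return (start_hour, end_hour) of the longest run of 'active' hours.

    An hour is active when it carries at least floor_ratio of the peak
    hour's volume.  The run is searched circularly so a window that
    crosses midnight is handled; end_hour is exclusive, so (8, 0) means
    08:00 up to 24:00.  (0, 0) means no activity at all or no quiet hour.
    """
    peak = max(profile)
    if peak == 0:
        return (0, 0)
    active = [c >= peak * floor_ratio for c in profile]
    if all(active):
        return (0, 0)
    # Start scanning just after a quiet hour so every run is seen whole.
    start = next(i for i in range(24) if not active[i])
    best_start, best_len = 0, 0
    run_start, run_len = None, 0
    for k in range(1, 25):
        h = (start + k) % 24
        if active[h]:
            if run_start is None:
                run_start = h
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_start, run_len = None, 0
    return (best_start, (best_start + best_len) % 24)


def constructed_sample(days: int = 3) -> List[datetime]:
    """Constructed data: per day, volume ramps from 08:00 to 23:59 peaking
    at 12:00, plus one stray message at 03:00 to show noise below the floor."""
    base = datetime(2009, 9, 1, tzinfo=timezone.utc)
    out = []
    for d in range(days):
        day = base + timedelta(days=d)
        for h in range(8, 24):
            n = 50 - 4 * abs(h - 12)      # 34 at 08:00, 50 at noon, 6 at 23:00
            out.extend(day.replace(hour=h, minute=m % 60) for m in range(n))
        out.append(day.replace(hour=3, minute=17))
    return out


if __name__ == "__main__":
    prof = hourly_profile(constructed_sample())
    start, end = active_window(prof)
    print(f"active {start:02d}:00-{end:02d}:00 GMT, peak at {peak_hour(prof):02d}:00")
```

The floor ratio is what keeps a handful of stray messages from stretching the window; set it too low and every hour looks active, too high and the ramp-up and wind-down hours drop out.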

Daren Lewis | 29 Sep 2009 | 0 comments

Botnets are now responsible for distributing 87.9% of all spam, an increase of 2.9% since Q2 2009. With approximately 151 billion unsolicited messages each day being distributed by compromised computers, understanding who is responsible for such unprecedented levels is always of interest as, much like the threat landscape, the botnet landscape is ever changing. As highlighted in the latest analysis from MessageLabs Intelligence, the largest botnet now appears to be Rustock with an estimated 1.3 million to 1.9 million compromised computers in its control. However, estimated at half Rustock’s size, the most active botnet in terms of spam distribution is now the little-known botnet, Grum.

Both Grum and another botnet called Bobax have overtaken Cutwail as the most active spam-sending botnets, currently responsible for 23.2% and 15.7% of all spam respectively. Although significant in their own rights, their size and power highlight the dominance that Cutwail had in June...

Daren Lewis | 25 Sep 2009 | 0 comments

We've taken a closer look at spam on a regional/city basis in five large markets for September 2009. Just as we see differences in spam rates between countries, we often see significant differences within countries:

  • The areas that are subjected to the highest levels of spam are generally those locations that are populated with a higher density of small-to-medium sized businesses. Similarly, the least spammed places are often home to some of the largest companies.
  • Between four million and six million computers scattered across the globe have been compromised by cybercriminals without the user’s knowledge. These computers now form robotic networks – botnets – which are controlled by cybercriminals and used to send out more than 87% of all unsolicited mail, equating to approximately 151 billion emails a day.
  • The global spam rate for September 2009 is 86.4 percent, but Canadian businesses are receiving more than their fair share, with levels...

Daren Lewis | 15 Sep 2009 | 0 comments

For the bad guys, it can be a costly exercise to produce new families of malware in order to keep their criminal activity at sufficient levels. Registering new domains is much more economical, and by spreading the malware across as many different websites and domains as possible, the longevity of each new strain is increased. With server-side polymorphism, the same family of malware code may be packaged differently into new strains, automatically and dynamically, each time it is accessed, so that a different anti-virus signature is required each time in order to detect it accurately. Combined with “bullet-proof” hosting services and “fast-flux” hosting, these approaches let criminals ensure that malicious websites are not taken down quickly in response to complaints.

In many cases the organized criminals often have highly automated techniques in place that require little or no monitoring, and their systems are...
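One check a practitioner would want against the fast-flux hosting mentioned above: repeated DNS lookups of a suspect domain, scored for short TTLs, churning answer sets and network diversity. This is an added example in Python, not MessageLabs code; the threshold values and every lookup record below are constructed assumptions, and the /16 prefix count is a cheap stand-in for a proper ASN lookup.

```python
"""Flag fast-flux hosting from repeated DNS lookups.

Added example, not from the MessageLabs post.  The heuristic is the usual
one: a domain whose A records carry a very short TTL and whose answer set
keeps changing across lookups, spread over many distinct networks, is
behaving like a fast-flux front for a malicious site.  Threshold values
and the lookup records are constructed here, not drawn from real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Lookup:
    """One observed DNS answer: its TTL and the A records returned."""
    ttl: int
    ips: List[str]


def distinct_prefixes(ips: Set[str]) -> int:
    """Count distinct /16 prefixes as a stand-in for network diversity."""
    return len({".".join(ip.split(".")[:2]) for ip in ips})


def flux_score(lookups: List[Lookup]) -> Dict[str, float]:
    """Summarise churn across lookups: lowest TTL, distinct IPs, distinct
    networks, and the share of answers that introduced never-seen IPs."""
    seen: Set[str] = set()
    new_answers = 0
    for lk in lookups:
        fresh = set(lk.ips) - seen
        if fresh and seen:           # first answer cannot count as churn
            new_answers += 1
        seen |= set(lk.ips)
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "unique_ips": len(seen),
        "prefixes": distinct_prefixes(seen),
        "churn": new_answers / max(len(lookups) - 1, 1),
    }


def is_fast_flux(lookups: List[Lookup], max_ttl: int = 300, min_ips: int = 5,
                 min_prefixes: int = 3, min_churn: float = 0.5) -> bool:
    """All four signals must fire; thresholds are assumptions to tune."""
    s = flux_score(lookups)
    return (s["min_ttl"] <= max_ttl and s["unique_ips"] >= min_ips
            and s["prefixes"] >= min_prefixes and s["churn"] >= min_churn)


# Constructed observations (not real domains or addresses).
FLUX_DOMAIN = [
    Lookup(180, ["10.1.2.3", "10.44.5.6", "172.16.9.1"]),
    Lookup(180, ["10.44.5.6", "192.168.77.2", "172.31.4.4"]),
    Lookup(120, ["192.168.77.2", "10.200.1.1", "172.20.0.9"]),
    Lookup(120, ["10.7.7.7", "172.20.0.9", "192.168.3.3"]),
]
STATIC_DOMAIN = [
    Lookup(3600, ["203.0.113.10", "203.0.113.11"]),
    Lookup(3600, ["203.0.113.10", "203.0.113.11"]),
    Lookup(3600, ["203.0.113.11", "203.0.113.10"]),
]
CDN_LIKE = [  # short TTL but a small, stable pool: must not be flagged
    Lookup(60, ["198.51.100.5", "198.51.100.6"]),
    Lookup(60, ["198.51.100.6", "198.51.100.5"]),
    Lookup(60, ["198.51.100.5", "198.51.100.7"]),
]

if __name__ == "__main__":
    for name, obs in [("flux", FLUX_DOMAIN), ("static", STATIC_DOMAIN), ("cdn", CDN_LIKE)]:
        print(name, flux_score(obs), is_fast_flux(obs))
```

The CDN-like case is why TTL alone is not enough: legitimate load-balanced sites also answer with short TTLs, but they rotate through a small pool in few networks rather than a constantly refreshed set of compromised hosts.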

Daren Lewis | 15 Sep 2009 | 0 comments

In early August, a number of very well-known social networking websites were reported to be victims of distributed denial of service (DDoS) attacks. The attacks appear to be linked with a “Joe Job” style spam run against an anti-Russian blogger. A “Joe Job” is a spam technique that spoofs the From: email address using a real email address (i.e. an unsuspecting victim) to make it appear as though that person was responsible for the email.

The spam run, as far as MessageLabs Intelligence can determine, was estimated at less than one percent of all spam at the time and was distributed from a botnet that is currently unclassified. The run was significantly smaller than some of the more recent spam runs, such as the URL-shortening attacks from Donbot.

Although it is presumed that this spam run contributed to the DDoS attacks on these social networking websites, it is unlikely that this run alone could have caused all the reported disruption,...
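Joe Job forgeries are what sender-authentication checks exist to expose: if the connecting IP is not one the From: domain has authorised, the address was borrowed. The simplified SPF evaluator below is an added example in Python, not MessageLabs code; it replaces DNS with constructed SPF_RECORDS and A_RECORDS tables, supports only the ip4, a, include and all mechanisms, and omits much of RFC 7208 (macros, mx, ptr, exp, lookup limits beyond a simple recursion cap).

```python
"""Check a claimed sender against the domain's SPF record (simplified).

Added example, not code from the MessageLabs post.  A Joe Job puts an
innocent person's real address in From:, so the check is whether the
connecting IP is one that the address's domain has authorised to send
for it.  This evaluator handles only the mechanisms ip4, a (via the
supplied host table), include and all, with +, -, ~ and ? qualifiers.
DNS is replaced by the constructed SPF_RECORDS / A_RECORDS tables.
"""
import ipaddress
from typing import Dict

# Constructed records standing in for DNS TXT and A answers.
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 a ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.0/26 ~all",
    "nospf.example": "",
}
A_RECORDS: Dict[str, str] = {"example.com": "203.0.113.25"}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for ip sending as domain."""
    record = SPF_RECORDS.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = A_RECORDS.get(arg or domain)
            matched = host is not None and ipaddress.ip_address(host) == addr
        elif name == "include":
            # include matches only when the referenced record yields pass.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def joe_job_verdict(connecting_ip: str, mail_from: str) -> str:
    """Classify a message whose From: claims mail_from, given the sending IP."""
    domain = mail_from.rpartition("@")[2].lower()
    result = check_spf(connecting_ip, domain)
    if result == "pass":
        return "authorised sender"
    if result in ("fail", "softfail"):
        return f"forged ({result}): {domain} does not authorise {connecting_ip}"
    return "undetermined: no usable SPF record"


if __name__ == "__main__":
    for ip, sender in [("192.0.2.77", "victim@example.com"),
                       ("10.9.8.7", "victim@example.com"),
                       ("10.9.8.7", "someone@nospf.example")]:
        print(ip, sender, "->", joe_job_verdict(ip, sender))
```

Note the "undetermined" branch: a domain that publishes no SPF record (the common case in 2009) gives the receiver nothing to check against, which is precisely what makes its users attractive Joe Job targets.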

Daren Lewis | 15 Sep 2009 | 0 comments

Over the past two months, MessageLabs Intelligence has been tracking the rise of URL-shortening services appearing in spam emails. With so many of these legitimate services available on the internet, many are being routinely abused by spammers, so much so that some have been forced to close, leaving users with indignant messages explaining why, as in Figure 1 and Figure 2 below.

Figure 1 - URL shortening website abused by spammers (image: 005_01_sample.jpg)

Figure 2 - URL shortening website temporarily closed due to spam abuse (image: 005_02_sample.jpg)

Spam runs containing many new shortened URLs continued through July and August, with a peak of activity on 26 July at 9.25% of all spam, equivalent to more than 10 billion spam messages per day worldwide. This can be seen in Figure 3.

In...

Daren Lewis | 15 Sep 2009 | 0 comments

Real Host, an ISP based in Riga, Latvia, was alleged to be linked to command-and-control servers for infected botnet computers, as well as to malicious websites, phishing websites and “rogue” anti-virus products. Real Host was disconnected by its upstream providers on 1 August 2009. The impact was felt immediately, as can be seen in Figure 1: spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period.

Much of this spam was linked to the Cutwail botnet, currently one of the largest botnets and responsible for approximately 15-20% of all spam. Its activity levels fell by as much as 90% when Real Host was taken offline, but quickly recovered in a matter of days.

Figure 1 shows the relative proportion of spam originating from the five major botnets globally during the period of this attack: Cutwail, Xarvester, Rustock, Mega-D, and Donbot. The scale used is a relative index based on the relative volumes and...

Daren Lewis | 15 Sep 2009 | 0 comments

The most common trigger for policy-based filtering applied by the MessageLabs Web Security Service for its business clients was the “Advertisements & Popups” category, down by 2.07% since July, to 58.03% in August.

Analysis of web security activity shows that 45.4% of all web-based malware intercepted was new in August, an increase of 44.7% since July, and 19.5% of web-based spyware was new, a 0.01% decrease since the previous month.

An average of 3,510 websites per day were identified as harboring malware and other potentially unwanted programs such as spyware and adware; a decrease of 2.9% since July.

The chart below shows the increase in the number of new spyware and adware websites blocked each day on average during August compared with the equivalent number of web-based malware websites blocked each day.

(Image: 003_01_webactivitya_09aug.gif)

...