Advertisement
<a href="http://krebsonsecurity.com/spam-fake-av-like-ham-eggs/?administer_redirect_13=http://abaca.com/free_trial.html"><img src="/a-ab/missing.gif" /></a>
  • About the Author
  • About this Blog

    • Posts Tagged: spamhaus

    A Little Sunshine / Web Fraud 2.06 Comments
    26
    Jul 11

    Spam & Fake AV: Like Ham & Eggs

    An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years.

    I recently highlighted the financial links among the organizations responsible for promoting fake antivirus products and spam-advertised pharmacies; all were relying on a few banks in Azerbaijan to process credit card payments.

    In this segment, I’ll look at the personnel overlap between the fake AV and pharma industries. The data is drawn from two places: a study done by researchers at the University of California, Santa Barbara (UCSB) that examined three of the most popular fake AV affiliate services which pay hackers to foist worthless software on clueless Internet users; and the leaked Glavmed/Spamit affiliate database, which includes the financial and contact information for many of the world’s top spammers and hackers.

    UCSB researcher Brett Stone-Gross and I compared the ICQ instant message numbers belonging to affiliates from Glavmed/Spamit with the ICQ numbers used by affiliates of the largest of the fake AV programs measured by his research team. The result? 417 out of 998 affiliates who were registered with the fake AV distribution service — a whopping 42.2 percent — also were registered pharma spammers with Glavmed/Spamit.

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.022 Comments
    28
    Mar 11

    Microsoft Hunting Rustock Controllers

    Who controlled the Rustock botnet? The question remains unanswered: Microsoft’s recent takedown of the world’s largest spam engine offered tantalizing new clues to the identity and earnings of the Rustock botmasters. The data shows that Rustock’s curators made millions by pimping rogue Internet pharmacies, but also highlights the challenges that investigators still face in tracking down those responsible for building and profiting from this complex crime machine.

    Earlier this month, Microsoft crippled Rustock by convincing a court to let it seize dozens of Rustock control servers that were scattered among several U.S.-based hosting providers. Shortly after that takedown, I began following the money trail to learn who ultimately paid the botnet controllers’ hosts for their services.

    According to interviews with investigators involved in the Rustock takedown, approximately one-third of the control servers were rented from U.S. hosting providers by one entity: A small business in Eastern Europe that specializes in reselling hosting services to shadowy individuals who frequent underground hacker forums.

    KrebsOnSecurity.com spoke to that reseller. In exchange for the agreement that I not name his operation or his location, he provided payment information about the customer who purchased dozens of servers that were used to manipulate the day-to-day operations of the massive botnet.

    The reseller was willing to share information about his client because the customer turned out to be a deadbeat: The customer walked out on two months worth of rent, an outstanding debt of $1,600. The reseller also seemed willing to talk to me because I might be able bend the ear of Spamhaus.org, the anti-spam group that urged ISPs worldwide to block his Internet addresses (several thousand dollars worth of rented servers) shortly after Microsoft announced the Rustock takedown.

    I found the reseller advertising his services on a Russian-language forum that caters exclusively to spammers, where he describes the hardware, software and connection speed capabilities of the very servers that he would later rent out to the Rustock botmaster. That solicitation, which was posted on a major spammer forum in January 2010, offered prospective clients flexible terms without setting too many boundaries on what they could do with the servers. A translated version of part of his message:

    “I am repeating again that the servers are legitimate, funded by us and belong to our company. To the datacenters, we are responsible to ensure that you are our client, and that you will not break the terms of use. Also, to you we are responsible to make sure that the servers are not going to be closed down because of credit card chargebacks, as it happens with servers funded with stolen credit cards. In conclusion, they do not have an abuse report center, they are suitable for legitimate projects, VPNs and everything else that does not lead to problems and complaints to the data center from active Internet users. Please, take it in consideration, so that nobody is pissed off and there is no bad impression from our partnership.”

    The reseller said he had no idea that his customer was using the servers to control the Rustock botnet, but he hastened to add that this particular client didn’t attract too much attention to himself. According to the reseller, the servers he resold to the Rustock botmaster generated just two abuse complaints from the Internet service providers (ISPs) that hosted those servers. Experts say this makes sense because botnet control servers typically generate few abuse complaints, because they are almost never used for the sort of activity that usually prompts abuse reports, such as sending spam or attacking others online. Instead, the servers only were used to coordinate the activities of hundreds of thousands of PCs infected with Rustock, periodically sending them program updates and new spamming instructions.

    The reseller was paid for the servers from an account at WebMoney, a virtual currency similar to PayPal but more popular among Russian and Eastern European consumers. The reseller shared the unique numeric ID attached to that WebMoney account — WebMoney purse “Z166284889296.” That purse belonged to an “attested” WebMoney account, meaning that the account holder at some point had to verify his identity by presenting an official Russian passport at a WebMoney office. A former law enforcement officer involved in the Rustock investigation said the name attached to that attested account was “Vladimir Shergin.” According to the reseller, the client stated in an online chat that he was from Saint Petersburg, Russia.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.048 Comments
    21
    Mar 11

    Homegrown: Rustock Botnet Fed by U.S. Firms

    Aaron Wendel opened the doors of his business to some unexpected visitors on the morning of Mar. 16, 2011. The chief technology officer of Kansas City based hosting provider Wholesale Internet found that two U.S. marshals, a pair of computer forensics experts and a Microsoft lawyer had come calling, armed with papers allowing them to enter the facility and to commandeer computer hard drives and portions of the hosting firm’s network. Anyone attempting to interfere would be subject to arrest and prosecution.

    Weeks earlier, Microsoft had convinced a federal judge (PDF)  to let the software giant seize control of server hard drives and reroute Internet addresses as part of a carefully timed takedown of the Rustock botnet, which had long reigned as the world’s most active spam-spewing crime machine.

    In tandem with the visit to Wholesale Internet, Microsoft employees and U.S. marshals were serving similar orders at several other hosting providers at locations around country.  Microsoft’s plan of attack — which it spent about six months hatching with the help of a tightly knit group of industry and academic partners — was to stun the Rustock botnet, by disconnecting more than 100 control servers that the botnet was using to communicate with hundreds of thousands of infected Windows PCs.

    Only two of the control servers were located outside the United States; the rest operated from hosting providers here in the US, many at relatively small ISPs in Middle America.

    Concentrations of Rustock control networks.

    Microsoft was careful not to make any accusations that hosting providers were complicit in helping the Rustock botmasters; however, some of these control servers existed for more than a year, and most likely would have continued to operate undisturbed had Microsoft and others not intervened. Using data gathered by Milpitas, Calif. based security firm FireEye, which assisted Microsoft in the takedown, I was able to plot the location and lifetime of each control server (the map above is clickable and should let you drill down to the details of each control server; the raw data is here). The average life of each controller was 251 days — a little over eight months.

    Wholesale Internet’s Wendel said his organization takes action against any customers that appear to be violating the company’s terms of use or its policies. But he insisted that the visit by Microsoft and the marshals was the first time he’d heard that any of the 16 Rustock command and control servers were located on his network.

    “To be perfectly honest with you, we never heard of Rustock until Wednesday,” Wendel said in a phone interview last Friday. Wendel also said he  hadn’t heard anything about the problematic servers from either Spamhaus or Shadowserver, which allow ISPs and hosting providers to receive reports about apparent botnet control servers and bot infections on their networks. Both Shadowserver and Spamhaus dispute this claim, saying that while they certainly did not alert Wholesale to all of the problem Internet addresses that it may have had on its network, they filed several reports with the company over the past six months that should have given the company cause to take a closer look at its customers and systems.

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.048 Comments
    16
    Mar 11

    Rustock Botnet Flatlined, Spam Volumes Plummet

    The global volume of junk e-mail sent worldwide took a massive nosedive today following what appears to be a coordinated takedown of the Rustock botnet, one of the world’s most active spam-generating machines.

    Rustock spam volumes, from M86 Security Labs

    For years, Rustock has been the most prolific purveyor of spam — mainly junk messages touting online pharmacies and male enhancement pills. But late Wednesday morning Eastern Time, dozens of Internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously.

    Such an action suggests that anti-spam activists have succeeded in executing possibly the largest botnet takedown in the history of the Internet. Spam data compiled by the Composite Spam Blocklist, the entity that monitors global junk e-mail volumes for the anti-spam outfit Spamhaus.org, shows that at around 2:45 p.m. GMT (10:45 a.m. EDT) spam sent via the Rustock botnet virtually disappeared. The CBL estimates that at least 815,000 Windows computers are currently infected with Rustock, although that number is more than likely a conservative estimate.

    “This is a truly dramatic drop,” said one anti-spam activist from Ottawa, Canada, who asked not to be named because he did not have permission from his employer to speak publicly about the spam activity spike. “Normally, Rustock is sending between one to two thousands e-mails per second. Today, we saw infected systems take an abrupt dive to sending about one to two emails per second.”

    Joe Stewart, director of malware research with Atlanta-based Dell SecureWorks, said none of the 26 Rustock command and control networks he’s been monitoring were responding as of Wednesday afternoon.

    “This looks like a widespread campaign to have either these [Internet addresses] null-routed or the abuse contacts at various ISPs have shut them down uniformly,” Stewart said. “It looks to me like someone has gone and methodically tracked these [addresses] and had them taken out one way or another.”

    Update, Mar. 18, 10:04 a.m. ET: As many readers have pointed out, the Wall Street Journal is reporting that the takedown of Rustock was engineered by Microsoft, which used the legal process to shutter the botnet’s control networks at various U.S.-based hosting providers. For more on how Microsoft did that, check out my latest story, Homegrown: Rustock Botnet Fed by U.S. Firms.

    Original story:

    Continue reading →

    Other11 Comments
    26
    Jul 10

    Services Let Malware Purveyors Check Their Web Reputation

    Virus writers and botmasters increasingly are turning to new subscription services that test when and whether malicious links have been flagged by Web reputation programs like Google Safe Browsing and McAfee SiteAdvisor.

    Nothing puts a crimp in the traffic to booby-trapped Web sites like being listed on multiple Internet reputation services that collect and publish information on the location of nasty Web sites. People who maintain the bad sites can stay ahead of such services by moving their malware to new domains once the present hosts start showing up on too many blacklists. But constantly checking these lists can be a time-consuming pain.

    Enter sites like check-crypt.com. For a mere 20 cents, subscribers can check to see whether their malicious sites are flagged by any of 18 different blacklists, including Spamhaus, ZeuSTracker, SpamCop, SmartScreen (anti-malware and anti-phishing technology built into IE7/IE8), Norton Safe Web, Phishtank, Malwaredomainlist and MalwareURL.

    As we can see from the screen shot here, this service acts as a kind of Virustotal for bad domains, listing the percentage of blacklists that detect any submitted malware sites.

    The name and address of the person who registered check-crypt.com is protected by a domain privacy service, but if we dig far enough back in the WHOIS history we see it was registered to someone named Oleg Lojko in Rogatin, Ukraine. A search for the e-mail address attached to that record turns up a domain (vinni-trinni3.net) that a couple of the malware blacklists have flagged for distributing the infamous Zeus Trojan, a powerful password-stealing strain of malicious software.

    I wanted to test this service, and so I thought I’d pick on vinni-trinni, because that site was first flagged by Malwaredomainlist and MalwareURL back in March of this year. The results were underwhelming: As we can see from the above screen shot, this service detects that three out of 18 blacklists have flagged it as malicious, but the author’s own service fails to show listings by either Malwaredomainlist or MalwareURL.

    A Little Sunshine / The Coming Storm / Web Fraud 2.036 Comments
    17
    Mar 10

    Researchers Map Multi-Network Cybercrime Infrastructure

    Last week, security experts launched a sneak attack to disconnect Troyak, an Internet service provider in Eastern Europe that served as a global gateway to a nest of cyber crime activity. For the past seven days, unnamed members of the security community reportedly have been playing Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to the next in a bid to reconnect to the wider Internet.

    But experts say Troyak’s apparent hopscotching is expected behavior from what is in fact a carefully architected, round-robin network of backup and redundant carriers, all designed to keep a massive organized criminal operation online should a disaster like the Troyak disconnection strike.

    Security firm RSA believes Troyak is but one of five upstream providers that encircle a nest of eight so-called “bulletproof networks” – Web hosting providers considered impervious to takedown by local law enforcement (pictured in red in the graphic below). RSA said this group of eight hosts some of the Internet’s largest concentrations of malicious software, including password stealing banking Trojans like ZeuS and Gozi, as well as huge repositories of personal and financial data stolen by these Trojans and a notorious Russian phishing operation known as RockPhish.

    Continue reading →