Posts Tagged: Alex Lanstein


1
Jul 11

Where Have All the Spambots Gone?

First, the good news: The past year has witnessed the decimation of spam volume, the arrests of several key hackers, and the high-profile takedowns of some of the Web’s most notorious botnets. The bad news? The crooks behind these huge crime machines are fighting back — devising new approaches designed to resist even the most energetic takedown efforts.

The volume of junk email flooding inboxes each day is way down from a year ago, as much as a 90 percent decrease according to some estimates. Symantec reports that spam volumes hit their high mark in July 2010, when junk email purveyors were blasting in excess of 225 billion spam messages per day. The company says daily spam volumes now hover between 25 and 50 billion missives daily. Anti-spam experts from Cisco Systems are tracking a similarly precipitous decline, from 300 billion per day in June 2010 to just 40 billion in June 2011.

Spam messages per day, July 2010 - July 2011. Image courtesy Symantec.

There may be many reasons for the drop in junk email volumes, but it would be a mistake to downplay efforts by law enforcement officials and security experts.  In the past year, authorities have taken down some of the biggest botnets and apprehended several top botmasters. Most recently, the FBI worked with dozens of ISPs to kneecap the Coreflood botnet. In April, Microsoft launched an apparently successful sneak attack against Rustock, a botnet once responsible for sending 40 percent of all junk email.

Daily spam volume July 2010 - July 2011. Image courtesy Spamcop.net

In December 2010, the FBI arrested a Russian accused of running the Mega-D botnet. In October 2010, authorities in the Netherlands arrested the alleged creator of the Bredolab botnet and dismantled huge chunks of the botnet. A month earlier, Spamit.com, one of the biggest spammer affiliate programs ever created, was shut down when its creator, Igor Gusev, was named the world’s number one spammer and went into hiding. In August 2010, researchers clobbered the Pushdo botnet, causing spam from that botnet to slow to a trickle.

But botmasters are not idly standing by while their industry is dismantled. Analysts from Kaspersky Lab this week published research on a new version of the TDSS malware (a.k.a. TDL), a sophisticated malicious code family that includes a powerful rootkit component that compromises PCs below the operating system level, making it extremely challenging to detect and remove. The latest version of TDSS — dubbed TDL-4 has already infected 4.5 million PCs; it uses a custom encryption scheme that makes it difficult for security experts to analyze traffic between hijacked PCs and botnet controllers. TDL-4 control networks also send out instructions to infected PCs using a peer-to-peer network that includes multiple failsafe mechanisms.

Continue reading →


28
Mar 11

Microsoft Hunting Rustock Controllers

Who controlled the Rustock botnet? The question remains unanswered: Microsoft’s recent takedown of the world’s largest spam engine offered tantalizing new clues to the identity and earnings of the Rustock botmasters. The data shows that Rustock’s curators made millions by pimping rogue Internet pharmacies, but also highlights the challenges that investigators still face in tracking down those responsible for building and profiting from this complex crime machine.

Earlier this month, Microsoft crippled Rustock by convincing a court to let it seize dozens of Rustock control servers that were scattered among several U.S.-based hosting providers. Shortly after that takedown, I began following the money trail to learn who ultimately paid the botnet controllers’ hosts for their services.

According to interviews with investigators involved in the Rustock takedown, approximately one-third of the control servers were rented from U.S. hosting providers by one entity: A small business in Eastern Europe that specializes in reselling hosting services to shadowy individuals who frequent underground hacker forums.

KrebsOnSecurity.com spoke to that reseller. In exchange for the agreement that I not name his operation or his location, he provided payment information about the customer who purchased dozens of servers that were used to manipulate the day-to-day operations of the massive botnet.

The reseller was willing to share information about his client because the customer turned out to be a deadbeat: The customer walked out on two months worth of rent, an outstanding debt of $1,600. The reseller also seemed willing to talk to me because I might be able bend the ear of Spamhaus.org, the anti-spam group that urged ISPs worldwide to block his Internet addresses (several thousand dollars worth of rented servers) shortly after Microsoft announced the Rustock takedown.

I found the reseller advertising his services on a Russian-language forum that caters exclusively to spammers, where he describes the hardware, software and connection speed capabilities of the very servers that he would later rent out to the Rustock botmaster. That solicitation, which was posted on a major spammer forum in January 2010, offered prospective clients flexible terms without setting too many boundaries on what they could do with the servers. A translated version of part of his message:

“I am repeating again that the servers are legitimate, funded by us and belong to our company. To the datacenters, we are responsible to ensure that you are our client, and that you will not break the terms of use. Also, to you we are responsible to make sure that the servers are not going to be closed down because of credit card chargebacks, as it happens with servers funded with stolen credit cards. In conclusion, they do not have an abuse report center, they are suitable for legitimate projects, VPNs and everything else that does not lead to problems and complaints to the data center from active Internet users. Please, take it in consideration, so that nobody is pissed off and there is no bad impression from our partnership.”

The reseller said he had no idea that his customer was using the servers to control the Rustock botnet, but he hastened to add that this particular client didn’t attract too much attention to himself. According to the reseller, the servers he resold to the Rustock botmaster generated just two abuse complaints from the Internet service providers (ISPs) that hosted those servers. Experts say this makes sense because botnet control servers typically generate few abuse complaints, because they are almost never used for the sort of activity that usually prompts abuse reports, such as sending spam or attacking others online. Instead, the servers only were used to coordinate the activities of hundreds of thousands of PCs infected with Rustock, periodically sending them program updates and new spamming instructions.

The reseller was paid for the servers from an account at WebMoney, a virtual currency similar to PayPal but more popular among Russian and Eastern European consumers. The reseller shared the unique numeric ID attached to that WebMoney account — WebMoney purse “Z166284889296.” That purse belonged to an “attested” WebMoney account, meaning that the account holder at some point had to verify his identity by presenting an official Russian passport at a WebMoney office. A former law enforcement officer involved in the Rustock investigation said the name attached to that attested account was “Vladimir Shergin.” According to the reseller, the client stated in an online chat that he was from Saint Petersburg, Russia.

Continue reading →