Posts Tagged: Brett Stone-Gross


5
Dec 13

ZeroAccess Botnet Down, But Not Out

Europol, Microsoft Kneecap Click-Fraud Botnet

Authorities in Europe joined Microsoft Corp. this week in disrupting “ZeroAccess,” a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers.

The action comes partly from Europol’s European Cybercrime Center (EC3), as well as law enforcement cybercrime units from Germany, Latvia, Switzerland and the Netherlands, countries that hosted many of the Internet servers used to control the ZeroAccess botnet.

In tandem with the law enforcement moves in Europe, Microsoft filed a civil lawsuit to unmask eight separate cybercriminals thought to be operating the giant botnet, and to block incoming and outgoing communications between infected PCs in the United States and those 18 control servers, according to a statement released by EC3.

The malware the powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”).

In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site.

Maps of ZeroAccess infected PCs in Texas. Source: botnetlegalnotice.com

Maps of ZeroAccess infected PCs in Texas. Source: botnetlegalnotice.com

It remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term. Early versions of ZeroAccess relied on a series of control servers to receive updates, but recent versions of the botnet malware were designed to make the network as a whole more resilient and resistant to targeted takedowns such as the one executed this week.

Specifically, ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. P2P-based botnets are designed to eliminate a single point of failure, so that if one node used to control the botnet is knocked offline, the remainder of the botnet can still function.

The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers — including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.

Continue reading →


19
Jul 12

Top Spam Botnet, “Grum,” Unplugged

Nearly four years after it burst onto the malware scene, the notorious Grum spam botnet has been disconnected from the Internet. Grum has consistently been among the top three biggest spewers of junk email, a crime machine capable of blasting 18 billion messages per day and responsible for sending about one-third of all spam.

Source: Symantec Message Labs

The takedown, while long overdue, is another welcome example of what the security industry can accomplish cooperatively and without the aid of law enforcement officials. Early press coverage of this event erroneously attributed part of the takedown to Dutch authorities, but police in the Netherlands said they were not involved in this industry-led effort.

The Grum ambush began in earnest several weeks ago at the beginning of July, following an analysis published by security firm FireEye, a Milpitas, Calif. based company that has played a big role in previous botnet takedowns, including Mega-D/Ozdok, Rustock, Srizbi.

Atif Mushtaq, senior staff scientist at FireEye, said the company had some initial success in notifying ISPs that were hosting control networks for Grum: The Dutch ISP Ecatel responded favorably, yanking the plug on two control servers. But Mushtaq said the ISPs where Grum hosted its other control servers — networks in Russia and Panama — proved harder to convince.

Continue reading →


26
Jul 11

Spam & Fake AV: Like Ham & Eggs

An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years.

I recently highlighted the financial links among the organizations responsible for promoting fake antivirus products and spam-advertised pharmacies; all were relying on a few banks in Azerbaijan to process credit card payments.

In this segment, I’ll look at the personnel overlap between the fake AV and pharma industries. The data is drawn from two places: a study done by researchers at the University of California, Santa Barbara (UCSB) that examined three of the most popular fake AV affiliate services which pay hackers to foist worthless software on clueless Internet users; and the leaked Glavmed/Spamit affiliate database, which includes the financial and contact information for many of the world’s top spammers and hackers.

UCSB researcher Brett Stone-Gross and I compared the ICQ instant message numbers belonging to affiliates from Glavmed/Spamit with the ICQ numbers used by affiliates of the largest of the fake AV programs measured by his research team. The result? 417 out of 998 affiliates who were registered with the fake AV distribution service — a whopping 42.2 percent — also were registered pharma spammers with Glavmed/Spamit.

Continue reading →


19
Mar 10

Naming and Shaming ‘Bad’ ISPs

Roughly two years ago, I began an investigation that sought to chart the baddest places on the Internet, the red light districts of the Web, if you will. What I found in the process was that many security experts, companies and private researchers also were gathering this intelligence, but that few were publishing it. Working with several other researchers, I collected and correlated mounds of data, and published what I could verify in The Washington Post. The subsequent unplugging of malware and spammer-friendly ISPs Atrivo and then McColo in late 2008 showed what can happen when the Internet community collectively highlights centers of badness online.

Fast-forward to today, and we can see that there are a large number of organizations publishing data on the Internet’s top trouble spots. I polled some of the most vigilant sources of this information for their recent data, and put together a rough chart indicating the Top Ten most prevalent ISPs from each of their vantage points.  [A few notes about the graphic below: The ISPs or hosts that show up more frequently than others on these lists are color-coded to illustrate consistency of findings. The ISPs at the top of each list are the “worst,” or have the most number of outstanding abuse issues.  “AS” stands for “autonomous system” and is mainly a numerical way of keeping track of ISPs and hosting providers. Click the image to enlarge it.]

What you find when you start digging through these various community watch efforts is not that the networks named are entirely or even mostly bad, but that they do tend to have more than their share of  neighborhoods that have been overrun by the online equivalent of street gangs.  The trouble is, all of these individual efforts tend to map ISP reputation from just one or a handful of perspectives, each of which may be limited in some way by particular biases, such as the type of threats that they monitor. For example, some measure only phishing attacks, while others concentrate on charting networks that play host to malicious software and botnet controllers. Some only take snapshots of badness, as opposed to measuring badness that persists at a given host for a sizable period of time.

Also, some organizations that measure badness are limited by their relative level of visibility or by simple geography. That is to say, while the Internet is truly a global network, any one watcher’s view of things may be colored by where they are situated in the world geographically, or where they most often encounter threats, as well as their level of visibility beyond their immediate horizon.

In February 2009, I gave the keynote address at a Messaging Anti-Abuse Working Group (MAAWG) conference in San Francisco, where I was invited to talk about research that preceded the Atrivo and McColo takedowns. The biggest point I tried to hammer home in my talk was that there was a clear need for an entity whose organizing principle was to collate and publish near real-time information on the Web’s most hazardous networks. Instead of having 15 or 20 different organizations independently mapping ISP reputation, I said, why not create one entity that does this full-time?

Unfortunately, some of the most clear-cut nests of badness online — the Troyaks of the world and other networks that appear to designed from the ground up for cyber criminals — are obscured for the most part from surface data collation efforts such as my simplistic attempt above. For a variety of reasons, unearthing and confirming that level of badness requires a far deeper dive. But even at its most basic, an ongoing, public project that cross-correlates ISP reputation data from a multiplicity of vantage points could persuade legitimate ISPs — particularly major carriers here in the United States — to do a better job of cleaning up their networks.

What follows is the first in what I hope will be a series of stories on different, ongoing efforts to measure ISP reputation, and to hold Internet providers and Web hosts more accountable for the badness on their networks.

Continue reading →