Forums » What's Behind the Penny Stock Spam Surge » Uhm..
Jameson
10-8
Premium
join:2004-05-28
Fallbrook, CA
clubs:
Uhm..

This is nothing new..


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

Good article, mixed up summary

Spam from botnets is nothing new, but there are some interesting new techniques used. It's a good article. There's a slideshow too.

The writeup above is somewhat confused.

botnets can be devastating, because of the way in which they may rapidly infect thousands of computers
How rapidly computers are added to the botnet is independent of the harm that they do. In fact the article says little about how the member machines get infected initially. What's new here is how the botnet maintains its integrity against cleanup efforts.

, automatically forwarding the spam to other computers without the computer owners’ awareness. The Russian group has taken their botnet to the next level, using SpamThru Trojan and a built-in anti-virus scanner to ensure that the spam infects as many users as possible.
This statement gets the function of the botnet mixed up with the question of how computers get infected. The particular botnets described are used to send spam, but spam is not necessarily the means of infection. In this case it's advertising stocks and bogus products.

The article doesn't go into the securities aspect, but it should be pointed out that the companies whose stock is advertised don't necessarily have anything to do with these malware purveyors. The botmasters just pick some stocks that are big enough to make money on, but small enough so that spam respondents can move the price.

Another interesting aspect is that the spams used here are better at evading filters than most spams have been in the past.


Kibbles
Premium
join:1999-07-31
Mission Viejo, CA
reply to Jameson
Re: Uhm..

It may be nothing new...but as to why we still have so many compromised PCs in the US is odd...and yes I have been receiving a lot more spam lately..with a spam filter off 14-20 a day...with a spam filter on...2-3 a day.


Jameson
10-8
Premium
join:2004-05-28
Fallbrook, CA
clubs:
·HughesNet Satellit..
·Time Warner Cable

said by Kibbles:

It may be nothing new...but as to why we still have so many compromised PCs in the US is odd...and yes I have been receiving a lot more spam lately..with a spam filter off 14-20 a day...with a spam filter on...2-3 a day.
Man, that's nothing; my Gmail account's junk folder got emptied two days ago and is now at 500 messages..
--
DirecWay | DW6000-CE |SM5, 117 West, 970 MHz |3.2GHZ Intel|BFG GF 6800 OC |Win XP Pro SP2/98SE/ Macbook Pro OSX Tiger |PCs connected via Linksys WRT54G | DD-WRT firmware: dd-wrt.v23 SP1


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to Kibbles
said by Kibbles:

...but as to why we still have so many compromised PCs in the US is odd...
Notice the graphic about which operating systems are infected. It's literally 99.95% Windows.


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

reply to Kibbles
said by Kibbles:

It may be nothing new...but as to why we still have so many compromised PCs in the US is odd...and yes I have been receiving a lot more spam lately..with a spam filter off 14-20 a day...with a spam filter on...2-3 a day.
Meh... With spam filters off, I'd be at several thousand a day; with them on, still getting a few dozen of the "Hi, It's Stan" (and the like) emails.

They post a message that's about 80% "real" text, and then the stock pump is a single JPEG or GIF image in the message. So, most of the Bayesian filters just give it a pass. If it weren't for all of the MS mail users, I'd simply reject HTML email altogether.

-tom
--
"Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficial. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding." -Louis D Brandeis

jsouth
Jsouth

join:2000-12-12
Wichita, KS
reply to swhx7
So what? All that proves is that there are more Windows machines out there.
--
Bush bashing is old. How about more solutions instead?

04875776
Rollin' up my dog ends
Premium
join:2006-11-14
Chicago, IL

reply to swhx7
Re: Good article, mixed up summary

said by swhx7:

The botmasters just pick some stocks that are big enough to make money on, but small enough so that spam respondents can move the price.
These same folks are big in the junk fax biz. Even though it's illegal to send them I keep getting "stock alerts" from offshore fax spamming operations in Romania and elsewhere...always not selling me anything. This is just a different delivery mechanism.

If it didn't work they wouldn't do it. Amazing how gullible people are.


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

reply to nixen
Re: Uhm..

said by nixen:

They post a message that's about 80% "real" text, and then the stock pump is a single JPEG or GIF image in the message. So, most of the Bayesian filters just give it a pass. If it weren't for all of the MS mail users, I'd simply reject HTML email altogether.
SpamAssassin is getting pretty good at catching the quirks that separate these messages from real mail.

One thing that really helps is automating "sa-update" to grab the latest rules from the SpamAss folks. I didn't even know about that until a few weeks ago - previously they released new rules with each version of spamass, but now the rules are continuously updated.

I would imagine if you greylist and use spamass, you don't see too much of this crap.

I wonder how long it will be until they have botnet clients that are compliant enough to make their way through greylisting (i.e.: include a queue)? I mean if they can generate a unique image for each email, queueing sounds pretty darn simple in comparison.
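The "quirk" nixen and sporkme are describing (a body that is mostly ordinary text, with the actual pitch carried by one image that nothing in the message refers to) can be checked structurally rather than statistically. The following is an added example, not code from this thread or from SpamAssassin: it builds two constructed messages with Python's standard email library, walks the MIME tree and flags an inline image that is never referenced by Content-ID from any HTML part. The rule and the two sample messages are assumptions for illustration; a real ruleset would combine this with other signals rather than reject on it alone.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a GIF body; only its size and MIME type matter here.
FAKE_GIF = b"GIF89a" + b"\x00" * 600


def build_pump_sample() -> bytes:
    """Constructed message in the layout described above: filler text plus one inline image."""
    msg = EmailMessage()
    msg["From"] = "stan@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Hi, It's Stan"
    msg.set_content("Hope you and the family are doing well. " * 30)  # the 'real' text
    msg.add_attachment(FAKE_GIF, maintype="image", subtype="gif",
                       disposition="inline", cid="<pitch@example.invalid>")
    return msg.as_bytes()


def build_legit_sample() -> bytes:
    """Constructed HTML newsletter whose image is referenced from the body via cid:."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Chart for Monday"
    msg.set_content("Here is the chart we discussed.")
    msg.add_alternative('<p>Here is the chart.</p><img src="cid:chart@example.invalid">',
                        subtype="html")
    msg.get_payload()[1].add_related(FAKE_GIF, maintype="image", subtype="gif",
                                     cid="<chart@example.invalid>")
    return msg.as_bytes()


def image_spam_features(raw: bytes) -> dict:
    """Walk the MIME tree and record how each image part relates to the text."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text, html, images = b"", b"", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text += payload
        elif ctype == "text/html":
            html += payload
        elif part.get_content_maintype() == "image":
            images.append({
                "bytes": len(payload),
                "cid": (part["Content-ID"] or "").strip("<>"),
                "disposition": part.get_content_disposition(),  # 'inline', 'attachment' or None
            })
    # Referenced means some HTML part points at the image by its Content-ID.
    unreferenced_inline = sum(
        1 for i in images
        if i["disposition"] != "attachment" and not (i["cid"] and i["cid"].encode() in html)
    )
    return {
        "text_bytes": len(text.strip()),
        "html_bytes": len(html),
        "image_count": len(images),
        "image_bytes": sum(i["bytes"] for i in images),
        "unreferenced_inline_images": unreferenced_inline,
    }


def looks_like_image_spam(raw: bytes) -> bool:
    """Assumed rule: exactly one inline image that nothing in the body refers to."""
    f = image_spam_features(raw)
    return f["image_count"] == 1 and f["unreferenced_inline_images"] == 1


if __name__ == "__main__":
    for name, builder in (("pump", build_pump_sample), ("legit", build_legit_sample)):
        print(name, looks_like_image_spam(builder()), image_spam_features(builder()))
```

The point of the check is that a Bayesian filter scores tokens it can read, and the filler text is chosen to score well; the image is where the message's purpose lives, and an image the body never refers to is a layout legitimate mail clients almost never produce.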


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

reply to Jameson
said by Jameson:

This is nothing new..
The sophistication, sheer volume, image-based junk and non-irc command and control sure looks new to me.

And this:

"According to data from Barracuda Networks, an enterprise security appliance vendor in Mountain View, Calif., there has been a 67 percent increase in overall spam volume and a 500 percent increase in image spam since Aug. 2006."


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

reply to sporkme
said by sporkme:

SpamAssassin is getting pretty good at catching the quirks that separate these messages from real mail.

One thing that really helps is automating "sa-update" to grab the latest rules from the SpamAss folks. I didn't even know about that until a few weeks ago - previously they released new rules with each version of spamass, but now the rules are continuously updated.
Hmm... perhaps it would be helpful if I read the Release Notes to see these new tools? Just ran it in debug mode. Nifty tool. I got it croned now.

said by sporkme:

I would imagine if you greylist and use spamass, you don't see too much of this crap.
Yeah, I use a greylist daemon. However, the bot-nets are getting a bit more sophisticated. They aren't just attempting single delivery any more.

-tom
--
"Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficial. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding." -Louis D Brandeis
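Greylisting, which sporkme suggests and nixen says the bots are starting to get past, keys on the (client IP, envelope sender, recipient) triplet and tempfails the first attempt; anything that comes back after a sane delay is let in, and that triplet is then remembered. The following is an added example, not the thread's or any real greylist daemon's code: a minimal policy with the retry windows as assumed constants, run over constructed sessions that show why a one-shot bot is stopped while a sender with a queue (legitimate MTA or bot) is not.

```python
from dataclasses import dataclass, field

MIN_RETRY = 300               # seconds: a retry sooner than this is still deferred (assumed)
MAX_RETRY = 4 * 3600          # seconds: a deferred triplet not retried within this window is dropped
KNOWN_GOOD = 36 * 24 * 3600   # seconds: a triplet that passed is accepted outright this long


@dataclass
class Greylister:
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    passed: dict = field(default_factory=dict)    # triplet -> time last accepted

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return 'accept' or 'defer' (the MTA turns 'defer' into a 4xx 'try again later')."""
        key = (ip, sender.lower(), rcpt.lower())
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok < KNOWN_GOOD:
            self.passed[key] = now
            return "accept"
        first = self.pending.get(key)
        if first is None or now - first > MAX_RETRY:
            self.pending[key] = now          # never seen (or stale): ask the sender to come back
            return "defer"
        if now - first < MIN_RETRY:
            return "defer"                   # came back too quickly: a real MTA would wait longer
        del self.pending[key]
        self.passed[key] = now
        return "accept"


def simulate() -> dict:
    """Constructed sessions showing which sender behaviours get through."""
    g = Greylister()
    me = "me@example.invalid"
    out = {}
    # Fire-and-forget bot: one attempt, then it moves on to the next address.
    out["one_shot"] = [g.decide("203.0.113.5", "a@spam.invalid", me, now=0)]
    # Real MTA, or a bot with a queue: retries after a ten-minute backoff and is accepted.
    out["queued"] = [g.decide("198.51.100.7", "bob@example.net", me, now=0),
                     g.decide("198.51.100.7", "bob@example.net", me, now=600)]
    # Immediate retry a couple of seconds later: still deferred.
    out["hammering"] = [g.decide("192.0.2.9", "x@spam.invalid", me, now=1000),
                        g.decide("192.0.2.9", "x@spam.invalid", me, now=1002)]
    # Once a triplet has passed, later mail from it is not delayed at all.
    out["known_good"] = [g.decide("198.51.100.7", "bob@example.net", me, now=5000)]
    return out


if __name__ == "__main__":
    for name, decisions in simulate().items():
        print(f"{name:10s} {decisions}")
```

The "queued" and "known_good" cases are exactly nixen's point: once a botnet client retries like a compliant MTA, greylisting costs it only a delay, so the DNSBL and content checks have to carry the load for that traffic. What greylisting still buys is the "one_shot" and "hammering" cases, and a log entry per deferred triplet that can feed reputation data.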

DebianDog

join:2003-08-13
Chester, VA
reply to jsouth
No there is only about 10,00 copies of Vista out there (legally) and they are already infected. Once you start really using another OS you will see the faults of Windows. All Windows has on the competition is currently "marketshare".


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable


1 edit
reply to jsouth
said by jsouth:

So what? All that proves is that there are more Windows machines out there.
Consumer and business desktops are about 90% Windows, something like 7% Macintosh, and most of the rest Linux. Internet-facing servers are about 70% Unix or Linux and are much better for sending spam or viruses or other malware.

The compromises on Windows are much higher than in proportion to its share in every one of those segments (servers, business desktops, consumer desktops). It's just easier to hack, harder to secure and tends to be maintained by less competent administrators.


peter_m
Premium
join:2005-07-13
Canada, QC


2 edits
reply to Jameson
If we know who is responsible, why doesn't the CIA use one of its drones to deliver a "package" on the people responsible for all this spam. I'm sure the savings in CPU load and electricity alone are worth it... Not to mention the convenience of having only desired e-mail in your mail box.

In a previous article, it was mentioned that less than 10 men are responsible for 80% of spam. Sounds to me like an easy, useful, morale boosting mission for the CIA.

Just kidding... but you all know you feel the same way

NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC

reply to Kibbles
Whether my filter is off, or on, I am seeing about 30-35 spam email messages per day in two 'pacbell.net' accounts. The difference is whether the messages reach the Inbox (filter off), or the "Bulk" folder (filter on).

I am seeing nowhere near that level of spam to my personal domain; but not for lack of trying by the spammers. I see a lot of this in my mail server logs:
T 20061119 035025 455fb8df Connection from 81.50.67.217
T 20061119 035025 455fb8df HELO APoitiers-155-1-148-217.w81-50.abo.wanadoo.fr
T 20061119 035026 455fb8df MAIL FROM: <miat@dawsontechnology.co.uk>
E 20061119 035026 455fb8df Host 81.50.67.217 blocked by NJABL - message rejected.
T 20061119 035027 455fb8df QUIT
T 20061119 035027 455fb8df Connection closed with 81.50.67.217, 2 sec. elapsed.
T 20061119 035028 455fb8e0 Connection from 81.50.67.217
T 20061119 035028 455fb8e0 HELO APoitiers-155-1-148-217.w81-50.abo.wanadoo.fr
T 20061119 035029 455fb8e0 MAIL FROM: <miat@dawsontechnology.co.uk>
E 20061119 035029 455fb8e0 Host 81.50.67.217 blocked by NJABL - message rejected.
T 20061119 035029 455fb8e0 QUIT
T 20061119 035029 455fb8e0 Connection closed with 81.50.67.217, 1 sec. elapsed.
E 20061119 035347 0 Connection from 125.142.206.225 refused because of restriction.
T 20061119 035706 455fb8e1 Connection from 71.17.24.217
T 20061119 035707 455fb8e1 EHLO ahie.apu0eyra.rr.com
T 20061119 035707 455fb8e1 MAIL FROM: <circumventioncomplaisant@xr23.com>
T 20061119 035707 455fb8e1 RCPT TO: <%User_ID%@aosake.net>
E 20061119 035707 455fb8e1 554 This email address was disabled because it was harvested from a web page.
T 20061119 035708 455fb8e1 Connection closed with 71.17.24.217, 2 sec. elapsed.
T 20061119 040844 455fb8e3 Connection from 88.233.142.244
T 20061119 040847 455fb8e3 HELO dsl88-233-36596.ttnet.net.tr
T 20061119 040848 455fb8e3 MAIL FROM: <fdqloe@huntjewellers.ie>
E 20061119 040848 455fb8e3 Host 88.233.142.244 blocked by NJABL - message rejected.
T 20061119 040848 455fb8e3 QUIT
T 20061119 040848 455fb8e3 Connection closed with 88.233.142.244, 4 sec. elapsed.
T 20061119 040849 455fb8e4 Connection from 88.233.142.244
T 20061119 040850 455fb8e4 HELO dsl88-233-36596.ttnet.net.tr
T 20061119 040850 455fb8e4 MAIL FROM: <fdqloe@huntjewellers.ie>
E 20061119 040850 455fb8e4 Host 88.233.142.244 blocked by NJABL - message rejected.
T 20061119 040851 455fb8e4 QUIT
T 20061119 040851 455fb8e4 Connection closed with 88.233.142.244, 2 sec. elapsed.
T 20061119 041543 455fb8e5 Connection from 59.95.162.84
T 20061119 041543 455fb8e5 HELO aosake.net
E 20061119 041543 455fb8e5 554 Forged host name - message rejected; see: HTTP://antispam.aosake.net.
T 20061119 041544 455fb8e5 Connection closed with 59.95.162.84, 1 sec. elapsed.
T 20061119 042329 455fb8e6 Connection from 81.37.29.194
T 20061119 042330 455fb8e6 helo localhost
E 20061119 042330 455fb8e6 554 Forged host name - message rejected; see: HTTP://antispam.aosake.net.
T 20061119 042330 455fb8e6 Connection closed with 81.37.29.194, 1 sec. elapsed.
Just a small part of the total logs; I'd say about 40 failed spam connection attempts, or more for every good email.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
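NormanS's log shows three distinct checks doing the work before any content filter runs: a DNS blocklist lookup (NJABL), a HELO sanity check, and a per-address trap for harvested addresses. The following is an added example, not code from this thread or from the mail server that produced the log: it parses a subset of the lines quoted above (embedded as the sample input), groups them by session id, and summarises rejections by reason and by client IP, which is how a practitioner would turn this kind of log into the "40 failed attempts per good email" figure and a list of hosts that keep coming back. The log format is inferred from the quoted lines; the reason names are assumptions.

```python
import re
from collections import Counter

# Sample input: lines quoted in the post above, reduced to six sessions.
SAMPLE_LOG = """\
T 20061119 035025 455fb8df Connection from 81.50.67.217
T 20061119 035025 455fb8df HELO APoitiers-155-1-148-217.w81-50.abo.wanadoo.fr
T 20061119 035026 455fb8df MAIL FROM: <miat@dawsontechnology.co.uk>
E 20061119 035026 455fb8df Host 81.50.67.217 blocked by NJABL - message rejected.
T 20061119 035027 455fb8df QUIT
T 20061119 035027 455fb8df Connection closed with 81.50.67.217, 2 sec. elapsed.
T 20061119 035028 455fb8e0 Connection from 81.50.67.217
T 20061119 035028 455fb8e0 HELO APoitiers-155-1-148-217.w81-50.abo.wanadoo.fr
T 20061119 035029 455fb8e0 MAIL FROM: <miat@dawsontechnology.co.uk>
E 20061119 035029 455fb8e0 Host 81.50.67.217 blocked by NJABL - message rejected.
T 20061119 035029 455fb8e0 QUIT
T 20061119 035029 455fb8e0 Connection closed with 81.50.67.217, 1 sec. elapsed.
E 20061119 035347 0 Connection from 125.142.206.225 refused because of restriction.
T 20061119 035706 455fb8e1 Connection from 71.17.24.217
T 20061119 035707 455fb8e1 EHLO ahie.apu0eyra.rr.com
T 20061119 035707 455fb8e1 MAIL FROM: <circumventioncomplaisant@xr23.com>
T 20061119 035707 455fb8e1 RCPT TO: <%User_ID%@aosake.net>
E 20061119 035707 455fb8e1 554 This email address was disabled because it was harvested from a web page.
T 20061119 035708 455fb8e1 Connection closed with 71.17.24.217, 2 sec. elapsed.
T 20061119 041543 455fb8e5 Connection from 59.95.162.84
T 20061119 041543 455fb8e5 HELO aosake.net
E 20061119 041543 455fb8e5 554 Forged host name - message rejected; see: HTTP://antispam.aosake.net.
T 20061119 041544 455fb8e5 Connection closed with 59.95.162.84, 1 sec. elapsed.
T 20061119 042329 455fb8e6 Connection from 81.37.29.194
T 20061119 042330 455fb8e6 helo localhost
E 20061119 042330 455fb8e6 554 Forged host name - message rejected; see: HTTP://antispam.aosake.net.
T 20061119 042330 455fb8e6 Connection closed with 81.37.29.194, 1 sec. elapsed.
"""

# <level> <yyyymmdd> <hhmmss> <session id> <message>; format inferred from the quoted lines.
LINE_RE = re.compile(r"^(?P<level>[TE]) (?P<date>\d{8}) (?P<time>\d{6}) (?P<sid>[0-9a-f]+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Rejection reasons seen in the log; names are assumed labels.
REASONS = (
    ("dnsbl", re.compile(r"blocked by \w+")),
    ("forged_helo", re.compile(r"Forged host name")),
    ("harvested_address", re.compile(r"harvested from a web page")),
    ("restricted_host", re.compile(r"refused because of restriction")),
)


def parse_sessions(log_text: str) -> dict:
    """Group lines by session id and extract client IP, HELO name, sender and rejection reason."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        s = sessions.setdefault(m["sid"], {"ip": None, "helo": None, "sender": None, "reason": None})
        ip = IP_RE.search(msg)
        if ip and s["ip"] is None:          # first address seen is the 'Connection from' client
            s["ip"] = ip.group(1)
        if msg[:5].lower() in ("helo ", "ehlo "):
            s["helo"] = msg[5:].strip()
        elif msg.startswith("MAIL FROM:"):
            s["sender"] = msg.split(":", 1)[1].strip().strip("<>")
        elif m["level"] == "E":
            for name, rx in REASONS:
                if rx.search(msg):
                    s["reason"] = name
                    break
    return sessions


def summarize(sessions: dict) -> dict:
    """Counts per rejection reason plus the client IPs that were rejected more than once."""
    rejected = [s for s in sessions.values() if s["reason"]]
    by_ip = Counter(s["ip"] for s in rejected)
    return {
        "sessions": len(sessions),
        "rejected": len(rejected),
        "by_reason": dict(Counter(s["reason"] for s in rejected)),
        "repeat_offenders": sorted(ip for ip, n in by_ip.items() if n > 1),
    }


if __name__ == "__main__":
    print(summarize(parse_sessions(SAMPLE_LOG)))
```

Two things worth noticing in the output: the same host (81.50.67.217) comes back one second after being rejected, with the same HELO and sender, which is the back-to-back retry behaviour nixen describes, and the two "Forged host name" sessions are caught because the client claimed to be the receiving domain itself or "localhost", a check that costs nothing and needs no blocklist.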