Two machines are better than one

This morning’s Observer column

If you’ve signed up for a new web service recently, you may have noticed that a final stage of the enrolment process presents you with an indistinct image of a number of letters and numbers, often in a wavy line, and sometimes displayed against a confusing background. You are asked to identify the sequence and type it accurately into a text box. You have just encountered a Captcha…

Gotcha CAPTCHA!

Nick Carr led me to the Washington Post which referred to this intriguing Websense report. Excerpt:

It is observed that at this stage bots (or bot-infected machines) are trying to sign up as many accounts as possible with Gmail mail services. One of the main concerns here is attacking CAPTCHA. Unfortunately, spammers seem to have success with it. The bot is signing up an account feeding all the prerequisites or input data that goes into the signup page and successfully creating a mail account.

Considering the normal / routine process involved in signing up a web mail account (Gmail), CAPTCHA authentication is a must for a successful signup. Since a bot is creating an account successfully, it is obvious that CAPTCHA is broken…

Thirty years on…

This morning’s Observer column marking the 30th anniversary of Gary Thuerk’s famous email mistake.

Looked at from the perspective of today, when my spam filter is reporting that it has blocked 5,700 messages in the last month, Thuerk’s unsolicited email seems touchingly innocent. For one thing it actually imparts some useful and interesting information.

If I had been an Arpanet researcher on the west coast in 1978, I would have been genuinely interested to learn that the network’s protocols had been incorporated in the operating systems of a major vendor. In that sense, it provides a stark contrast with the invitations to purchase penis-extending drugs, fake Rolexes and mining shares which nowadays clog my spam filter. And it’s sobering to see how such pernicious weeds can grow from such an innocuous beginning…

CyberCrime 2.0

From the Register

Selling “installs” is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180 solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

Zombie machines infected with Trojan horse malware can be used to relay spam or launch denial of service attacks. Compromised machines can also be pointed to websites from which additional items of malware can be downloaded. The practice is normally used to update Trojan code, but it also creates a means for cybercrooks to make a “nice little earner”.

The income that can be earned grows with the number of installs, and varies based on the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by a net security services firm sheds fresh light on the phenomenon.

MessageLabs culled its figures from a malware distribution site in Russia, the existence of which we’ve verified. The site is loaded with malware and for that reason we’ll refer to it by a shortened version of its name, installscash.org.

Going phishing

Aw, isn’t this sweet. My bank is anxious to safeguard my account.

It’s nice that they appreciate my ‘bunsiness’. And amazing that people fall for this stuff. But they do. They should take our course.

Germans are planning to eavesdrop on Skype

Interesting documents on Wikileaks. Basically, it seems that the Bavarian authorities have been looking for contractors to install Trojans on target machines which run Skype. Slashdot explains:

The first document is a communication by the Ministry of Justice to the prosecutor’s office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications.

Cyber-attack on Estonia may not have come from Russia

Bah! Looks as though those of us who suspected Vladimir Putin of testing cyberwarfare techniques on plucky little Estonia were wrong. At any rate, this ArsTechnica report says that the DDoS attacks were the work of a single disaffected individual.

Last May, the web sites of a number of high-ranking Estonian politicians and businesses were attacked over a period of several weeks. At the time, relations between Russia and Estonia were chillier than usual, due in part to the Estonian government’s plans to move a World War II-era memorial known as the Bronze Soldier (pictured below at its original location) away from the center of the city and into a cemetery. The country’s plan was controversial, and led to protests that were often led by the country’s ethnic Russian minority. When the cyberattacks occurred, Estonia claimed that Russia was either directly or indirectly involved—an allegation that the Russian government denied. Almost a year later, the Russian government appears to have been telling the truth about its involvement (or lack thereof) in the attacks against Estonia. As InfoWorld reports, an Estonian youth has been arrested for the attacks, and current evidence suggests he was acting independently—prosecutors in Estonia have stated they have no other suspects. Because the attacks were botnet-driven and launched from servers all over the globe, however, it’s impossible to state definitively that only a single individual was involved…

Charles Arthur has a rueful post on this too.

The five ‘coolest hacks’ of 2007

Just in case you thought that the Dark Side had gone away. From Dark Reading

Hackers are creative folk, for sure. But some researchers are more imaginative and crafty than others. We’re talking the kind of guys who aren’t content with finding the next bug in Windows or a Cisco router. Instead, they go after the everyday things we take for granted even more than our PCs — our cars, our wireless connections, and (gulp) the electronic financial trading systems that record our stock purchases and other online transactions…

Inside a Botnet

Fascinating glimpse by SecureWorks of the inner workings of a spamming botnet.

With the help of Spamhaus, we were able to not only shut down the command and control server, we were able to obtain the running software from the server, written in the Python language. Examining these showed that the Srizbi botnet is actually a working component of a piece of spamware known as “Reactor Mailer”. Reactor Mailer has been around at least since 2004, and is in its third major version. Versions 1 and 2 likely used proxy servers to relay the spam; however, since this is not as efficient as template-based spambots, version 3 was created along with Srizbi, the bot that actually does the mailing.

Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm”. He calls his company “Elphisoft”, and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true – by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.

Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj”.

We loaded the Reactor Mailer software onto a test machine in order to recreate the interface as seen by the spammer…

Thanks to Tony Hirst for the link.

Spamalot themes

One of the many advantages of using Pobox as my email hub is its wonderful spam filter. Occasionally, though, it blocks a legit message, so I periodically have to skim through the piles of ‘discards’ it has blocked. It’s interesting to see the changing patterns of spam. The pump-and-dump, penis-enlargement and fake Rolex salesmen are still, er, hard at it. But there’s an increasing amount of incomprehensible Cyrillic guff. Putin’s Russia continues to develop along predictable lines.