Monthly Archive for November, 2008
In the fallout resulting from knocking McColo Corp. offline, this past week may prove to be a missed opportunity in the prevention of a dramatic reappearance of junk e-mail, as a botnet that once controlled 40 percent of the world's spam apparently has found a new home. The botnet Srizbi was knocked offline Nov. 11 along with Web-hosting firm McColo, which Internet security experts say hosted machines that controlled the flow of 75 percent of the world's spam. One security firm, FireEye, thought it had found a way to prevent the botnet from coming back online by registering domain names it thought Srizbi was likely to target. But when that approach became too costly for the firm, they had to abandon their efforts. "This cost us a lot of money. We engaged all the right people. In the end, it comes back to the fact that there wasn't a process
Spam volumes could rise considerably over the next few days now that one of the world's largest networks of compromised computers used for blasting out junk e-mail was brought back to life tonight. The "Srizbi" botnet, a collection of more than half a million hacked PCs that were responsible for relaying approximately 40 percent of all spam sent worldwide, was knocked offline two weeks ago due to pressure from the computer security community. On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers. Turns out, Srizbi's authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web
A full two weeks after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline, the volume of spam sent globally each day has yet to bounce back. The block graph over at e-mail security firm IronPort suggests that the company blocked around 35 billion spam messages on Monday. Prior to hosting provider McColo's shutdown, IronPort was flagging somewhere around 160 billion junk e-mails per day. A quick glance at the volume flagged by Spamcop.net shows that they're still detecting well below half of the spam volumes they were just two weeks ago. I'm not suggesting this is a permanent situation: I happen to agree with most experts who have said they expect spam volumes to at some point bounce back or even exceed previous levels. Still, it is nice to see this drop in junk e-mail
Extortionists targeting clients of Express Scripts -- one of the nation's largest pharmacy benefits management firms -- may have inadvertently picked a fight for which they were ill-prepared. Security Fix has learned that among the company's biggest customers is the federal government, and specifically almost every federal law enforcement, military and intelligence agency in the country. Last month, St. Louis-based Express Scripts said extortionists are threatening to disclose personal and medical information about millions of Americans if the company fails to meet payment demands. Express Scripts is the third-largest U.S. pharmacy benefit management firm, which processes and pays prescription drug claims. Working with more than 1,600 companies, it handles roughly 500 million prescriptions a year for about 50 million Americans. The company has refused to pay the demand, and since then the extortionists have moved on to targeting clients of its member companies directly. Locally, the Fairfax County Public Schools
A substitute teacher in Connecticut who faced 40 years in prison for allegedly surfing porn Web sites in the presence of seventh graders has been cleared of the charges after state prosecutors dropped the case. The remarkable story of Julie Amero touched a nerve with our readers the last time I wrote about it. Prosecutors had charged Amero with four felony counts of endangering a child, but security experts rose up to her defense. They argued that spyware and adware, which had infected her PC, was responsible for serving the porn sites on her machine. According to a story Friday in the Hartford Courant, Amero agreed to plead guilty to a single charge of disorderly conduct, which is considered a misdemeanor and came with a $100 fine. "Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license," the Courant's Rick Green writes. Alex Eckelberry, president
Microsoft is rising quickly on a running list of the Top 10 Worst Spam Service ISPs as maintained by spamhaus.org, a group that tracks unsolicited commercial e-mail. The software giant debuted on the list earlier this month at number 9 (one being the worst), and has slid over the past few days down to number 5. Spamhaus says spammers and scam artists are abusing Microsoft's live.com and livefilestore.com properties to redirect visitors to sites that peddle fake pharmacy products, porn and Nigerian 419 scams. Spamhaus explains how entities wind up on its Top 10 list: Although all networks claim to be anti-spam, some network executives factor revenue made from hosting known spam gangs into corporate policy decisions to continue to sell services to spam operations. Others simply decide that closing the holes in their end-user broadband systems that allow spammers access would be too costly to their bottom lines. Richard
Earlier this year, Security Fix criticized Apple for making iPhone users wait for security updates that Apple had fixed in its other products four months earlier. Now, it appears that iPhone users may have received a patch for a critical security hole four months before Apple fixed the flaw in its other products. Taking a look at the vulnerability summary from the update Apple released last week to fix critical vulnerabilities in Mac and Windows versions of its Safari browser, we can see that Apple corrected a serious flaw in WebKit, the rendering engine used by Safari on Mac OS X, Windows and the iPhone: WebKit CVE-ID: CVE-2008-2303 Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A signedness issue in Safari's handling of JavaScript array indices
One of the casualties from the unplugging of McColo Corp. is fraudcrew.com, a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others. Fraudcrew, which has not been charged with any crime, offered subscribers a point-and-click way to mask the source of their Internet connections, so that Web sites could not tell the true location of visitors using the service. The site was advertised heavily on Russian online forums catering to computer hacking and identity theft. There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's
Washingtonpost.com today published a follow-up story to the pieces we ran last week on the unplugging of a California Web hosting company and the subsequent worldwide drop in spam levels. Today's piece tries to answer the question we heard from so many readers: "How Can So Much Spam Come From One Place?" Some of the less newsy but just as interesting stuff was cut from the piece for space and story flow reasons. One of those was a section on what security experts think the incident will mean for the evolution of botnet technology and its use by the bad guys: Security experts worry that botnet creators will learn from the experience and make key changes to improve the security, stealth and resiliency of their herds. One of the largest and most advanced spam botnets ever designed, "Storm," was successful in large part due to its decentralized nature. As the
A massive swath of some 65,536 unique Internet addresses that appear to have been swiped from early Internet pioneers by a convicted spammer has been reclaimed by Internet regulators, Security Fix has learned. In April, Security Fix reported that a huge block of Internet addresses once assigned to San Francisco Bay Packet Radio -- an organization that was involved way back in the 1970s in testing the predecessor to the global commercial Internet that we all use today -- was being used to send e-mail for a company called MediaBreakaway. That company's chief executive is Scott Richter -- a self-avowed "spam king" who has been sued by a number of the Internet's biggest players -- including Microsoft and Myspace -- for sending spam. When I was first presented with this information, I put the relevant questions to the American Registry for Internet Numbers (ARIN) -- one of five regional Internet
