Later in the year, Mega-D all but disappeared when the California-based ISP Intercage (aka Atrivo) was disconnected from the Internet on September 20. Intercage had been accused of providing a safe haven for online scammers, cyber crooks and malware distributors, and its upstream provider terminated its service. After a few days, another service provider agreed to host Intercage. But on September 25, after deciding the rogue ISP still had too many ongoing problems, the service was again terminated[8].
[Chart: Activity from major botnets (srizbi, cutwail, mega_d, storm) during the period when Intercage was disconnected, plotted daily for 1-29 September; the point at which service was terminated is marked]

Since the demise of Intercage, spam has fallen globally, reaching about 70% by the end of the third quarter of 2008.
[8] For more information, please read the Spamhaus article here: www.spamhaus.org/news.lassoarticle=0

Furthermore, Intercage was forced to terminate its largest client, EstHost, an Estonian company that was alleged to be responsible for much of the illegal activity on Intercage’s network. EstDomains, the sister company of EstHost, was subsequently de-accredited by ICANN (Internet Corporation for Assigned Names and Numbers) in November, citing[9] “an Estonian Court record reflecting the conviction of EstDomains’ then president, Vladimir Tsastsin, of credit card fraud, money laundering and document forgery.” Also in November 2008, another California-based ISP was taken offline when evidence of criminal activity originating from its network was uncovered. McColo Corporation was believed to have provided services to some of the world’s largest cyber-criminal operations. Spam originating from Srizbi, Rustock and Mega-D all took a nosedive in the days following the ISP’s demise.
[Chart: Mix of botnet contributions to spam (from an example honeypot), 0-50%, showing srizbi, mega_d, cutwail and rustock from 22 October to 14 November, with the point at which McColo was disconnected marked. Caption: Activity from major botnets during the period when McColo was disconnected]

During this period, MessageLabs Intelligence observed spam volumes fall to as little as one-eighth of typical levels for a period of 12 hours immediately following the takedown, proving that taking out kingpin members of the underground spam economy can have a massive effect on global spam levels.
Further analysis suggested there had been an 80% drop from Mega-D and 60% from Srizbi; Rustock was down by 50% and ASPROX down by 80%. Overall botnet traffic had reduced by approximately 30% in the 24 hours following the takedown.
Spam volumes from Rustock and ASPROX increased in the weeks following McColo being taken offline; this lag between the initial decline and the subsequent rise was attributed to the time it took for botnet owners to find new hosting services.
As 2008 drew to a close, both Mega-D and Srizbi were severely impacted as a result of the takedown, and as a consequence, in the weeks following, rival botnets, including Cutwail and Warezov, were used to carry more of the spam traffic.
Srizbi first appeared in mid-2007 and had been a potential contender to the title of most notorious botnet. The Srizbi botnet Trojan is able to hide itself using “rootkit” techniques and is used for sending large volumes of spam.
[9] To read the ICANN correspondence, please visit: www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf

Additionally, Srizbi is the mail-sending component of the “Reactor Mailer” spamware. Around since 2004, Reactor Mailer is the Web-based module used to distribute spam via the Srizbi botnet. Its users can log in via a secure Web site where they can upload and edit their messages and customize their email address lists. Reactor Mailer provides spammers with a portal through which they access the service and was cloud-based in design, using the Software-as-a-Service (SaaS) model.
[Chart: Botnet contribution to spam volume (May-Oct 2008), 0-100%, weekly from 25 May to 19 October, showing unknown/other, asprox, grum, storm, srizbi, rustock, mega_d, gheg, cutwail and bobax. Caption: Chart highlighting the distribution of spam by botnet, including unclassified sources]

Table illustrating notable features of major botnets before disruption (Botnet, Size[10], Description):

Storm, 100,000
  o High-profile in 2007 to early
  o Automatic re-purpose (Email, Web, DDoS, DNS)
  o Peer-to-peer
  o Supports “fast-flux” DNS
  o Encrypted communications
  o Disrupted in February in Microsoft Windows updates

Srizbi, 1,300,000
  o 50% of all spam
  o Spam with fake news headlines in subject, including celebrities, malicious links and fake video sites
  o Kernel-mode SMTP engine: avoids local firewalls, very fast and scalable, custom TCP stack (bypasses Windows security)
  o Botnet behind “Reactor Mailer” spamware
  o Disrupted when McColo was disconnected in November (down 60%)

Cutwail, 1,000,000
  o 25% of all spam
  o Aka Pushdo
  o Male enhancement products
  o Propagation through spoofed greeting cards (malicious links)

Gheg, 500,000
  o Aka Virtumonde, Mondera, Tofsee or Saturn Proxy (not a proxy)
  o Used for sending French language spam and pharmaceutical spam

Mega-D, 150,000
  o Aka Ozdok
  o Relies on Command & Control
  o Disrupted when Intercage and McColo were disconnected in September and November (down 80%)

ASPROX, 100,000
  o Specifically designed for conducting SQL injection attacks
  o Infects vulnerable Web sites with malicious JavaScript
  o Used mainly for phishing
  o Disrupted when McColo was disconnected in November (down 80%)

Rustock, 90,000
  o Some spammers may share resources with Srizbi
  o Kernel-mode rootkit to hide processes
  o Uses encrypted Command & Control
  o Spam with fake news headlines in subject, including celebrities, malicious links and fake video sites
  o Disrupted when McColo was disconnected in November (down 50%)

Warezov, 50,000
  o Downloader mechanism used to install software
  o Supports “fast-flux” DNS
  o Reverse Web-proxy to hide master servers
  o Uses made-up, seemingly random domain names
  o Used to send stock spam (pump-and-dump)
  o Sending Web mail spam (via broken CAPTCHA accounts)
  o Disrupted when McColo was disconnected in November

The technique of “fast-flux” is used by some botnets to conceal the true location of spam, malware and phishing sites by hiding them behind the rapidly changing addresses of Web proxies for each domain.
The most effective way to disrupt a fast-flux domain is to have it closed down by the registrar for the domain, which can often prove difficult when the registrar is not quick to respond to such requests.
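Because the registrar route is slow, defenders usually want to recognise a fast-flux domain from its own DNS behaviour: many distinct addresses, spread across several networks, advertised with short TTLs. The following is an added example, not code from the report, that applies that heuristic to a constructed set of passive-DNS style observations for two hypothetical domains; the thresholds (5 addresses, 3 networks, TTL of 300 seconds or less) are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of passive-DNS style observations for two hypothetical
# domains: (seconds since start of capture, domain, resolved IPv4, TTL seconds)
OBSERVATIONS = [
    (0,    "flux-example.test",   "198.51.100.10",  60),
    (60,   "flux-example.test",   "203.0.113.22",   60),
    (120,  "flux-example.test",   "192.0.2.77",     60),
    (180,  "flux-example.test",   "198.51.100.90",  60),
    (240,  "flux-example.test",   "203.0.113.140",  60),
    (0,    "static-example.test", "192.0.2.5",      3600),
    (3600, "static-example.test", "192.0.2.5",      3600),
    (7200, "static-example.test", "192.0.2.5",      3600),
]

def slash24(ip):
    """Return the /24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3])

def summarise(observations):
    """Per domain: number of distinct IPs, distinct /24 networks, average TTL."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for _ts, domain, ip, ttl in observations:
        ips[domain].add(ip)
        nets[domain].add(slash24(ip))
        ttls[domain].append(ttl)
    return {
        d: {
            "distinct_ips": len(ips[d]),
            "distinct_nets": len(nets[d]),
            "avg_ttl": sum(ttls[d]) / len(ttls[d]),
        }
        for d in ips
    }

def flag_fast_flux(observations, min_ips=5, min_nets=3, max_ttl=300):
    """Mark a domain as a fast-flux candidate when it rotates through many
    addresses across several networks with short TTLs. The thresholds are
    assumed values for this example, not figures from the report."""
    result = summarise(observations)
    for stats in result.values():
        stats["suspicious"] = (
            stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets
            and stats["avg_ttl"] <= max_ttl
        )
    return result

if __name__ == "__main__":
    for domain, stats in flag_fast_flux(OBSERVATIONS).items():
        print(domain, stats)
```

A candidate flagged this way is evidence for a takedown request or a local block, not proof on its own, since content delivery networks also rotate addresses with low TTLs.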
In August 2008, spam volumes rose by more than two-fold as a result of the continued, aggressive approaches taken to expand botnet capacity, especially the Srizbi and Cutwail botnets, which both grew in size by 20-25% by mid-2008.
[10] Size indicates the number of actively spamming IP addresses and does not tell the true size and power of the botnet, which is always larger than the numbers given.

3.3 Spam predictions for

CAPTCHA the Bad Guys

The bad guys accomplished the unthinkable in 2008 when broken CAPTCHAs became the keys to the spamming kingdom. Spammers placed a premium on spamming through reputable online Web mail service providers, as the messages are less likely to be blocked and an authentic email account opens a world of possibility for the spammer. MessageLabs Intelligence predicts that while providers will respond to CAPTCHA-breaking techniques in 2009 by enhancing the CAPTCHA process and deploying alternative CAPTCHA approaches, Web sites that require a personal account to be created online will continue to be targeted and the CAPTCHA failure rate will continue to increase accordingly.
Already, people are struggling to correctly identify visual and audio CAPTCHAs, and the long-term future of current approaches will be called into question. Moreover, alternative CAPTCHA approaches will be deployed on some sites, where visitors will be asked to recognize the animated letters from the static ones. In another example, Microsoft Research is developing Asirra, which according to their Web site is, “a human interactive proof that asks users to identify photos of cats and dogs.” It is powered by a database of more than 3 million photographs. Other sites will similarly deploy more sophisticated CAPTCHAs where visitors are required to recognize objects, rather than letters and numbers.
Globalization of Spam

Brazil, Russia, India and China are among the biggest emerging broadband markets worldwide and as such offer a tremendous opportunity for cybercrime. Through 2008, Internet use in China overtook[11] that of the U.S. Based on this rapid growth and early spam samples, MessageLabs Intelligence experts predict that in 2009 the emerging markets will be more heavily targeted with spam delivered in the local language. Foreign language spam, especially Asian character spam, will increase by up to 100 percent, from current levels of 5 percent to around 10 percent. Since June 2008 the proportion of English language spam has decreased from about 90% to 80%, with spam in other languages increasing to fill this gap.
Social Networking Gets Personal

Popular social networking sites will continue to be targeted and exploited by cyber-criminals, but in a much more professional way, with the goal of collecting as much personal data and information relating to each victim’s social network as possible, enabling more highly targeted and personalized spam, phishing and malware attacks. In 2009, spam will include proper names and will be segmented according to demographic or market. The messages will become shorter, leaving less content to filter, and some will resemble legitimate newsletters and other special offers.
[11] “By the end of June 2008, the amount of netizens in China had reached 253 million, surpassing that in the United States to be the first place in the world.” -- Survey Report by China Internet Network Information Center (CNNIC), July

4 Malware: Top Threats of

4.1 Malware Summary

The overall trend for email-borne malware in 2008 shows that after an initial drop, following the disruption of the Storm botnet in April 2008, malware levels continued to rise later through the year, with an average of around 1 in 143 (0.70%) emails intercepted as malicious, compared with 1 in 117.7 (0.85%) for 2007. However, this is indicative of the transition to spreading malware using malicious content hosted on Web sites and drive-by installs rather than favoring email as the primary delivery mechanism.
[Chart: Virus rate, expressed as “1 in N” emails, for 2005, 2006 and 2007. Caption: Average global proportion of malware in email traffic]

In 2008, botnets, or robot-networks, evolved significantly from the previous year. The deployment of multistage Trojan “droppers” that could be installed using a variety of methods, including drive-by malware installations, social networking sites and instant messaging, resulted in a surge in malware threats in 2008, especially from the Web.
In the first half of 2008, vulnerabilities and weak security in Web applications were being exploited by criminals to deploy Web-based malware more widely. New toolkits were able to seek-out Web sites with weak security and target them.
For 2008, the average number of new malicious Web sites blocked each day rose to 2,290, compared with 1,253 for 2007. This represents an increase of 82.8% since 2007.
[Chart: Web sites blocked hosting malicious content and spyware (per day), January to October, showing new sites with spyware and new sites with Web viruses. Caption: Chart showing rise of Web-based malware]

By June 2008, the average number of malicious Web sites blocked each day rose by 58% to 2,076, taking the threat to its highest level since April 2007. By the second half of 2008, many more malicious Web sites were linked to SQL injection attacks targeted against legitimate, vulnerable Web servers. In July 2008, 83.4% of all Web-based malware intercepted was new, owing to increased SQL injection attacks. In October 2008, the number of malicious Web sites blocked each day rose further, to its highest level of 5,424.
4.2 New Techniques, changes etc

The proportion of email-borne malware that contained links to malicious sites peaked at 61.1% in February. An increase of malicious activity from the Storm botnet earlier in the year was responsible for up to 96% of these interceptions. The potential for such links to enter an organization via other channels was a growing cause for concern for businesses, especially via Web-based email services, instant messaging and the Web.
Commercial polymorphic[12] and metamorphic[13] software protectors were also being used to obfuscate many malware samples intercepted in the latter part of 2008. Commercial software protectors are often used to prevent anyone else from directly inspecting or manipulating commercially compiled code, by encrypting an application and making it more difficult to identify its purpose. An application protected in this way can check for the presence of disassemblers or decompilers, and only if everything is considered safe will the software protector decrypt the code, allowing it to be executed as normal.
Legitimate uses of this technique are intended to safeguard applications against piracy, and help to prevent others from decompiling or modifying an application to change its behavior.
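Whatever the intent, an encrypted section looks the same to a scanner: its bytes are close to uniformly distributed. One way a defender can spot such regions before any unpacking is to measure byte entropy chunk by chunk. The following is an added example, not code from the report; it uses a constructed buffer (readable text followed by pseudo-random bytes standing in for an encrypted section) and an assumed threshold of 7.0 bits per byte.

```python
import math
import random

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for
    bytes that use all 256 values equally."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def scan_regions(data, chunk=512, threshold=7.0):
    """Slice a buffer into fixed-size chunks and report which ones look
    encrypted or packed. The 7.0-bit threshold is an assumed heuristic;
    plain code and text typically score well below it."""
    regions = []
    for offset in range(0, len(data), chunk):
        h = shannon_entropy(data[offset:offset + chunk])
        regions.append({"offset": offset, "entropy": round(h, 2),
                        "packed": h >= threshold})
    return regions

# Constructed sample: 4 KiB of readable text followed by 4 KiB of seeded
# pseudo-random bytes that stand in for a protector-encrypted section.
_rng = random.Random(2008)
PLAIN = (b"This program cannot be run in DOS mode. Loading configuration... " * 64)[:4096]
ENCRYPTED = bytes(_rng.randrange(256) for _ in range(4096))
SAMPLE = PLAIN + ENCRYPTED

def packed_offsets(data=SAMPLE):
    """Offsets of the chunks flagged as high-entropy."""
    return [r["offset"] for r in scan_regions(data) if r["packed"]]

if __name__ == "__main__":
    for region in scan_regions(SAMPLE):
        print(region)
```

High entropy alone does not distinguish a protected malware sample from a legitimately protected application or a compressed resource, so this is a triage signal that tells an analyst where to look, not a verdict.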
“Antivirus XP 2008” – The Rise of the Rogue-bots

First identified in July 2008, a new bout of malware originating from the diminishing Storm botnet stood out not only because of the use of headlines involving celebrities implicated in a scandal or meeting death in an unusual way, but also because this new batch of spam contained links to sites that, when activated, resulted in the installation of “Antivirus XP 2008,” a rogue anti-spyware program, which could be installed without any action by the user.