Monday, November 29, 2010

Panda Security finds 20 Million New Malware Strains In 2010

Apparently malware writers have "cranked up" their production this year. Security firm Panda Security has reported that 20 million new strains of malware have been created by "the bad guys" this year already. Those strains account for over 33% of all active malicious programs. Some information from the original post:

Malware authors have been very busy this year

How busy? According to Panda Security, 20 million new strains of malware have already been created this year—the same total as in all of 2009. The shortened lifespan of the malware combined with the increased number of variants demonstrates a shift in the cyber-crime landscape, where many variants are now being created to infect a small number of systems before they disappear, the vendor said.

"Since 2003, new threats have increased at a rate of 100 percent or more," said Luis Corrons, technical director of PandaLabs, the company's research arm, in a statement. "Yet so far in 2010, purely new malware has increased by only 50 percent, significantly less than the historical norm.

"This doesn't mean that there are fewer threats or that the cyber-crime market is shrinking," he said. "On the contrary, it continues to expand, and by the end of 2010 we will have logged more new threats in Collective Intelligence than in 2009. It seems hackers are applying economies of scale, reusing old malicious code or prioritizing the distribution of existing threats over the creation of new ones."

The average number of new threats created each day has reached 63,000 to date, the company said, a figure roughly the same as what was reported in recent research from McAfee.

Panda also found however that the average lifespan of 54 percent of malware has been cut to just 24 hours. Thirty-four percent of all active malware threats were created this year, the company said.

Some of those threats are undoubtedly infecting users via malicious Websites promoted through black hat search engine optimization (SEO) efforts. A report by CyberDefender Research Labs noted keyword combinations such as "Thanksgiving Lunch Invitations," "Thanksgiving Invitation Template" and "Thanksgiving Printable Invitations" were drawing malicious results.

Out of 50 search results for each of the three terms, roughly 20 directed users to infected URLs, the firm said. Waiting for the user is a fake antivirus scan page that tells the person they need an immediate scan of their PC, followed by a prompt to download malware.

"SEO attackers most likely to target holiday shopping keywords are those that push fake/rogue antivirus software aka scareware," said Sean Sullivan, security adviser for F-Secure. "Typically these types of attackers react to trending topics such as celebrity deaths and other newsworthy events. The holiday season and shopping-related searches offer these attackers a proactive set of topics to focus on. They know in advance what the likely trending topics will be."

The original story can be found here.



Friday, September 10, 2010

Blast from the Past: "Here You Have" Email Worm Circulating

Evil Email Worm

Here's a "blast from the past". It's like it's 2001 all over again! There's an email worm (and I'm not kidding here) circulating that uses the good old infection method of sending emails with malicious executables to all the people in your address book!

It arrives in emails with a subject like "Here You Have", or something similar.

In the email, there's a link to a malicious download, with text that's made to look like a link to a PDF or a video. If a user clicks on it, the malware winds up in the Windows folder under the file name CSRSS.EXE, which is also the name of a legitimate Windows file.

Body Examples

Hello:

This is The Document I told you about,you can find it Here.
hxxp://www.SomeFakeWebsite/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

hxxp://www.AnotherFakeWebsite/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,

At that point it tries sending itself to everyone in your Outlook address book.

Who says that the good old "tried and true" methods of spreading malware don't work any more? I suppose if fashion from the 70's can come back, it's not too big a leap to have old spammers' tactics rear their ugly heads from time to time.

When the first few came through the CudaMail system, they were quickly analyzed and are now being caught and blocked. For non-CudaMail customers, keep an eye on your inbox and stick with "safe emailing" practices with regard to clicking on anything!
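As an added example (not CudaMail's filter and not code from the original post), the following Python heuristic checks an inbound message for the lure traits described above: the "Here You Have" subject, the quoted body template, and a link dressed up as a PDF or video. The indicator weighting, the regex and the two sample messages are assumptions.

```python
"""Mail-gateway heuristic for the "Here You Have" lure. Added example; the
indicators come from the post, the thresholds and samples are assumptions."""
import email
import re
from email import policy

# Accept live http(s) links and the hxxp defanged form used in the post.
URL_RE = re.compile(r'\bh(?:tt|xx)ps?://[^\s<>"]+', re.IGNORECASE)
LURE_EXTENSIONS = (".pdf", ".wmv")  # the two "document" types shown in the post
SUBJECT_PHRASES = ("here you have",)
BODY_PHRASES = (
    "this is the document i told you about",
    "you can find it here",
    "free dowload",  # sic: the lure's own misspelling
)


def extract_links(text: str) -> list[str]:
    """Return every URL-looking token in a block of text."""
    return URL_RE.findall(text)


def lure_indicators(raw_message: str) -> dict:
    """Report which of the post's indicators fire for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    links = extract_links(text)
    return {
        "subject_match": any(p in subject for p in SUBJECT_PHRASES),
        "body_template": any(p in text for p in BODY_PHRASES),
        "document_link": any(l.endswith(LURE_EXTENSIONS) for l in links),
        "links": links,
    }


def is_here_you_have_lure(raw_message: str) -> bool:
    """Flag when the body template fires together with a second indicator.
    Requiring two keeps an ordinary "find it here: report.pdf" mail from
    tripping the rule on its own."""
    ind = lure_indicators(raw_message)
    return bool(ind["body_template"] and (ind["subject_match"] or ind["document_link"]))


# Constructed samples modelled on the bodies quoted in the post.
WORM_SAMPLE = """\
From: colleague@example.com
To: you@example.com
Subject: Here You Have
Content-Type: text/plain; charset="us-ascii"

Hello:

This is The Document I told you about,you can find it Here.
hxxp://www.SomeFakeWebsite/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,
"""

BENIGN_SAMPLE = """\
From: colleague@example.com
To: you@example.com
Subject: Q3 report
Content-Type: text/plain; charset="us-ascii"

Hi, the slides are on the intranet at http://intranet.example.com/q3/report.pdf
Let me know if you have questions.
"""

if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_here_you_have_lure(sample), lure_indicators(sample))
```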



Tuesday, August 31, 2010

PushDo Botnet Crippled by Researchers

There has recently been a huge win against the PushDo botnet by researchers, who have severely crippled the network. The article below is from ThreatPost, and there's a link to the full article below.

Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet's spam operations. After doing an analysis of Pushdo's command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for a variant of the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said.


"We identified a total of 30 servers used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world. The information about the activity was extracted from Anubis reports, which contain details about the system and network activities, including a pcap file that contains the network traffic we observed while doing the analysis. We contacted all hosting providers and worked with them on taking down the machines, which led to the take-down of almost 20 servers. Unfortunately, not all providers were responsive and thus several Command & Control servers are still online at this point," researcher Thorsten Holz wrote. The result is that the volume of spam that Pushdo is producing has dropped to nearly zero.

At the time of Pushdo's appearance several years ago, researchers found evidence that Pushdo's creators had gone to some lengths to avoid detection and prevent removal of the malware associated with the botnet. The creators had changed the way that Pushdo made HTTP requests, creating overly long GET requests to make them less identifiable.

"The length of the request will likely change between different service pack levels of Windows. IDS/IPS signatures can still be written around such a request, taking advantage of the fact that no other HTTP headers are sent as one characteristic to key in on. However, even with this approach, false positives may still occur," SecureWorks researcher Joe Stewart wrote in an analysis in 2007. "Clearly the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild."

One of the interesting aspects of the original version of Pushdo is that its creator was using it not just to send spam, but also to spread other pieces of malware. This has become a more common business model in recent years as bot herders have looked for new ways to make money from the millions of compromised PCs under their control.

The original post is available at ThreatPost.

(Figure: spam volume graph from M86 Security Labs.)
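The trait Stewart describes, an overly long GET request line sent with no other HTTP headers, can be checked on captured traffic like this. This is an added Python example, not a SecureWorks or IDS-vendor signature; the 512-byte threshold and the sample requests are assumptions, since the article gives no exact length.

```python
"""Signature-style check for the Pushdo request trait quoted above. Added
example; the threshold and the sample requests are assumptions."""

LONG_REQUEST_LINE = 512  # assumed threshold; tune against a traffic baseline


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request into its request line and a header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def matches_pushdo_pattern(raw: bytes) -> bool:
    """Key on both traits from the article at once: a GET with an overly
    long request line AND no other headers. Keying on length alone would
    break across Windows service packs (the line length changes), and
    keying on header-less requests alone would flag plain HTTP/1.0 clients,
    so the two are combined; as Stewart notes, false positives remain."""
    request_line, headers = parse_request(raw)
    is_get = request_line.upper().startswith("GET ")
    overly_long = len(request_line) > LONG_REQUEST_LINE
    headerless = not headers
    return is_get and overly_long and headerless


# Constructed samples (not captured Pushdo traffic).
PUSHDO_LIKE = b"GET /" + b"A" * 600 + b" HTTP/1.1\r\n\r\n"
BROWSER_LONG = (
    b"GET /search?q=" + b"a" * 600 + b" HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n\r\n"
)
SHORT_HEADERLESS = b"GET / HTTP/1.0\r\n\r\n"  # legitimate HTTP/1.0 shape

if __name__ == "__main__":
    for name, sample in (("pushdo_like", PUSHDO_LIKE),
                         ("browser_long", BROWSER_LONG),
                         ("short_headerless", SHORT_HEADERLESS)):
        print(name, matches_pushdo_pattern(sample))
```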

Wednesday, August 25, 2010

Rustock Botnet Responsible for 40 Percent of spam

An interesting article on the Rustock Botnet. It's been an ongoing battle between them and anti-spam forces for a long time. This article is by Jeremy Kirk (IDG News Service).

--- Original Article ---

More than 40 percent of the world's spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec's Message Labs division.

The Rustock botnet has shrunk since April, when about 2.5 million computers were infected with its malicious software that sent about 43 billion spam e-mails per day. Much of it is pharmaceutical spam.

Now, about 1.3 million computers are infected with Rustock, and the botnet is making up for its decreased size with increased volume, said Paul Wood, a MessageLabs intelligence analyst with Symantec. Those infected computers -- most of which are in North America and Western Europe -- are collectively sending around 46 billion spam e-mails per day.

The reason for the drop in infected computers could be due to a number of factors, Wood said. Those computers' antivirus programs may have detected the infections or the people controlling Rustock could have lost the connection to those computers for various reasons.

The computers infected with Rustock have also stopped using TLS (Transport Layer Security), an encryption protocol used to securely send e-mail. Spammers were believed to encrypt their spam using TLS because it was harder for other network equipment to inspect the traffic and figure out if it was spam, Wood said.

But sending e-mail using TLS required more resources and was slower. "It would seem that the botnet controllers, especially those behind Rustock, have perhaps realized that the use of TLS gave them little or no discernible benefits and instead impeded their sending capacity owing to the additional bandwidth and processing overhead needed for TLS," the report said.

Rustock has proved to be a robust botnet. It was nearly killed off when McColo, an ISP in San Jose, California, was cut off from the Internet in November 2008 by its upstream providers. McColo had hosted the command-and-control servers for several botnets, including Rustock.

But Rustock's operators were able to switch the command-and-control servers when McColo briefly regained connectivity again before finally being shut off, which has allowed it to run for nearly four years now.

View the original story here.

-----

Wednesday, August 4, 2010

URL Shortening Services Used in SPAM


Tuesday, June 1, 2010

FTC Permanently Shuts Down Notorious Rogue I.S.P.

3FN Service Specialized in Hosting Spam-Spewing Botnets, Phishing Websites, Child Pornography, and Other Illegal, Malicious Web Content

At the Federal Trade Commission's request, a district court judge has permanently shut down a rogue Internet Service Provider that recruited, hosted, and actively participated in the distribution of spam, spyware, child pornography, and other malicious and illegal content. The ISP's computer servers and other assets have been seized and will be sold by a court-appointed receiver, and the operation has been ordered to turn over $1.08 million in ill-gotten gains to the FTC.

In June 2009, the FTC charged that 3FN, which does business under a variety of names, actively recruited and colluded with criminals to distribute harmful electronic content including spyware, viruses, trojan horses, phishing schemes, botnet command-and-control servers, and pornography featuring children, violence, bestiality, and incest. The FTC alleged that the defendant advertised its services in the darkest corners of the Internet, including a chat room for spammers.

The FTC complaint alleged that 3FN actively shielded its criminal clientele by either ignoring take-down requests issued by the online security community, or shifting its criminal elements to other Internet protocol addresses it controlled to evade detection.

The FTC also alleged that 3FN deployed and operated botnets – large networks of computers that have been compromised and enslaved by the originator of the botnet, known as a "bot herder." Botnets can be used for a variety of illicit purposes, including sending spam and launching denial-of-service attacks. According to the FTC, the defendant recruited bot herders and hosted the command-and-control servers – the computers that relay commands from the bot herders to the compromised computers known as "zombie drones."

---

An excerpt from an interesting announcement by the Federal Trade Commission, taking action against a notorious Internet Service Provider. (From the FTC website; the original post is here.)



Friday, March 26, 2010

Millions Continue to Click on Spam

This is an interesting article from MAAWG that talks about the fact that consumers are still clicking on spam and engaging in risky behaviour, despite knowing the danger of malware, spam and botnets. We here at CudaMail haven't seen any reduction in the volume of spam - in fact, it's been increasing!

The Article:


Consumers Don't Relate Bot Infections to Risky Behavior As Millions Continue to Click on Spam

San Francisco, March 24, 2010 - A significant percentage of consumers continue to interact with spam despite their awareness of how bots and viruses spread through risky email behavior, according to the Messaging Anti-Abuse Working Group (MAAWG) based on a new survey it released today covering North America and Western Europe. Even though over eighty percent of email users are aware of the existence of bots, tens of millions respond to spam in ways that could leave them vulnerable to a malware infection, according to the 2010 MAAWG Email Security Awareness and Usage Survey.

In the new survey, half of users said they had opened spam, clicked on a link in spam, opened a spam attachment, replied or forwarded it – activities that leave consumers susceptible to fraud, phishing, identity theft and infection. While most consumers said they were aware of the existence of bots, only one-third believed they were vulnerable to an infection.

"Consumers need to understand they are not powerless bystanders. They can play a key role in standing up to spammers by not engaging and just marking their emails as junk," said Michael O'Reirdan, MAAWG chairman.

"When consumers respond to spam or click on links in junk mail, they often set themselves up for fraud or to have their computers compromised by criminals who use them to deliver more spam, spread viruses and launch cyber attacks," O'Reirdan said.

The research findings on awareness of bots, email security practices, and attitudes toward controlling spam were generally consistent with the first MAAWG consumer survey in 2009 covering North America. The new 2010 survey was expanded to cover Western Europe and looks at consumers' attitudes in Canada, France, Germany, Spain, the United Kingdom and the United States.

It Won't Happen to Me Syndrome

Less than half of the consumers surveyed saw themselves as the entity who should be most responsible for stopping the spread of viruses. Yet, only 36% of consumers believe they might get a virus and 46% of those who opened spam did so intentionally.

This is a problem because spam is one of the most common vehicles for spreading bots and viruses. The malware is often unknowingly installed on users' computers when they open an attachment in a junk email or click on a link that takes them to a poisoned Web site, according to O'Reirdan.

Younger consumers tend to consider themselves more security savvy, possibly from having grown up with the Internet, yet they also take more risks. Among the survey's key findings:

  • Almost half of those who opened spam did so intentionally. Many wanted to unsubscribe or complain to the sender (25%), to see what would happen (18%) or were interested in the product (15%).
  • Overall, 11% of consumers have clicked on a link in spam, 8% have opened attachments, 4% have forwarded it and 4% have replied to spam.
  • On average, 44% of users consider themselves "somewhat experienced" with email security. In Germany, 33% of users see themselves as "expert" or "very experienced," followed by around 20% in Spain, the U.K. and the U.S.A., 16% in Canada and just 8% in France.
  • Men and email users under 35 years, the same demographic groups who tend to consider themselves more experienced with email security, are more likely to open or click on links or forward spam. Among email users under 35 years, 50% report having opened spam compared to 38% of those over 35. Younger users also were more likely to have clicked on a link in spam (13%) compared to less than 10% of older consumers.
  • Consumers are most likely to hold their Internet or email service provider most responsible for stopping viruses and malware. Only 48% see themselves as most responsible, though in France this falls to 30% and 37% in Spain.
  • Yet in terms of anti-virus effectiveness, consumers ranked themselves ahead of all others, except for anti-virus vendors: 56% of consumers rated their own ability to stop malware and 67% rated that of anti-virus vendors' as very or fairly good. Government agencies, consumer advocacy agencies and social networking sites were among those rated most poorly.

The survey was conducted online between January 8 and 21, 2010 among over a thousand email users in the United States and over 500 email users in each of the other five countries. Participants were general consumers responsible for managing the security for their personal email address.

Both the survey's key findings and the full report are available at the MAAWG Web site, www.MAAWG.org. The 2010 research was conducted by Ipsos Public Affairs, and the full report includes country comparisons for many of the questions along with detailed charts.

About the Messaging Anti-Abuse Working Group (MAAWG)

The Messaging Anti-Abuse Working Group (MAAWG) is where the messaging industry comes together to work against spam, viruses, denial-of-service attacks and other online exploitation. MAAWG (www.MAAWG.org) represents almost one billion mailboxes from some of the largest network operators worldwide. It is the only organization addressing messaging abuse holistically by systematically engaging all aspects of the problem, including technology, industry collaboration and public policy. MAAWG leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services. Headquartered in San Francisco, Calif., MAAWG is an open forum driven by market needs and supported by major network operators and messaging providers.

You can also read the original post at MAAWG (Messaging Anti-Abuse Working Group).