-
75 Percent Of World’s Spam Knocked Offline
Score one for the security industry, and a big one: a massive, if temporary, strike against spam. A slew of security companies and the Washington Post traced enormous volumes of spam back to one San Jose-based hosting company, now offline, and an estimated 75 percent of the world's spam went offline with it, for about 12 hours.
But hey, that's a pretty good leap, right?
Alert after alert went out about spam operations tracing back to McColo Corp. servers. Complaints were made to the company, which paid lip service to addressing the issue and then simply moved the offending clients to different addresses.
Spam traced back to McColo servers covered pretty much every category, from pharmaceutical spam to child pornography hosted on its network. Presented with the evidence, McColo's two upstream providers, Global Crossing and Hurricane Electric, disconnected the company.

"MessageLabs documented a massive drop in spam volume to levels eight times less than typical volumes for a period of 12 hours immediately following the takedown before spam levels began to rise again, proving that taking out the kingpin members of the underground spam economy can have a massive effect on global spam levels," Matt Sergeant, Senior Anti-Spam Technologist for MessageLabs told SecurityProNews.
"First with Atrivo and now the demise of McColo is a testament to how community action is absolutely vital in the fight against spam."
That community, which also includes the investigative security reporting of the Washington Post, was made up of SecureNetworks, FireEye, ThreatExpert, and SysInternals, and it published data confirming McColo as the host of the command-and-control servers for the top spam botnets.
It's unclear what, if any, criminal charges can be brought against McColo. Most laws governing hosting companies shield them from liability for third-party content. However, there may be grounds for an exception if the company knowingly hosted illegal content, which in this case includes copyright-infringing material and child pornography.
While this is a major coup, realists understand that takedowns like this mostly scatter offenders across the Web as they relocate to other shady hosting providers. But recent actions by service providers, and by ICANN, which invoked a contract breach to pull the accreditation of a registrar tied to malicious domains, show a more aggressive stance toward the places where malicious content is known to be hosted.
Indeed, researchers seem to be getting better at locating, and even manipulating, sources of spam. In a recent study out of Berkeley and UCSD, researchers infiltrated the Storm botnet to measure the profitability of spam. The study concluded it was unlikely that the operation was spread out over third-party affiliate networks: the spammers and the malicious websites they lured people to were likely run by the same central operation. For example, to generate a profit, a pharmaceutical site selling knockoff drugs would likely have to be run by the same people operating the botnet.
If so, security experts are likely to keep targeting hubs of malicious infrastructure, since taking one offender down can be highly efficient.
-
Zombies, How to Fight Them
Just so you're warned: if the zombies come back, it could be your fault. "It is only a matter of time until the next W32/ZMist heads our way," warns McAfee's Vinoo Thomas. And it could all be because of something stupid.
Thomas warns that IT security may be so focused on the more sophisticated threats of the day (botnets, rootkits, and spyware) that it is letting its guard down against good old-fashioned parasitic file infectors still circulating in the wild. Such carelessness could result in "widespread damage to computer systems."
"We regularly come across simple parasitic infectors that manage to infect every workstation and server on the network," writes Thomas in a free whitepaper he presented at the 3rd International Conference on Malicious and Unwanted Software. "And administrators are at their wits' end trying to figure how the simplest of viruses managed to spread and infect every networked machine in so little time and with such stunning effect."
File-infecting viruses are on the rise, says Thomas, and they're getting more sophisticated, but IT administrators can avoid the worst of them with common-sense practices. If, for example, an employee with low computer skills manages to contract the simplest of worms, the worm is likely contained to that one machine: running under the employee's low-privilege account, it lacks the administrative rights needed to write to other hosts on the network.
But what happens with alarming frequency is that an IT administrator logs on to the infected computer using their own domain admin account and password in order to fix the employee's problem.
"[W]hen an administrator logs on to the affected machine using their domain admin account, the worm now runs on the affected machine using the elevated credentials of a domain administrator. Straight away the worm can now infect and spread to any host on the domain using these newly acquired administrative credentials. And in a matter of minutes the entire network with thousands of machines gets infected by the dumbest of worms. And all this because an ignorant administrator committed the cardinal sin of logging into an infected machine using their own account."
He uses plenty of other condescending adjectives like "dumbest" and "hapless" in his whitepaper, too. But he also recommends a course of action modeled on systems in place at McAfee. Thomas proposes using virtual LAN (VLAN) technology to mass-deploy a Samba-based honeypot across the entire site, so that a worm scanning for writable shares lands on the honeypot and reveals itself. In addition, Thomas recommends setting up a server message block (SMB) based sniffer to capture file-infector activity.
Maybe then you won't be the hapless harbinger of network-brain-eating zombies.
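As an added example, not code from Thomas's paper or from McAfee, here is a small detector that does the job of the Samba honeypot and SMB sniffer described above: it reads smbd's vfs_full_audit log, flags any client that successfully wrote an executable to the honeypot (a share nobody has a legitimate reason to write binaries to), and reports which account the write used, so an admin can see immediately that the worm is running on domain-admin credentials. The smb.conf settings, the audit line layout, and every host, share, account and path in the sample log are assumptions constructed for this example.

```python
"""Added example: spot a file infector hitting a Samba honeypot share by
reading smbd's vfs_full_audit log. This is illustrative code, not Thomas's
or McAfee's tooling, and every host, account and path below is made up."""
import re
from collections import defaultdict

# Assumed honeypot smb.conf (an assumption, not from the paper):
#   vfs objects        = full_audit
#   full_audit:prefix  = %u|%I|%S
#   full_audit:success = pwrite write
#   full_audit:failure = pwrite write
# With that prefix, smbd writes syslog lines of the form
#   smbd_audit: <user>|<client ip>|<share>|<op>|ok|<path>
AUDIT_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<status>ok|fail)\|(?P<path>.*)$"
)
WRITE_OPS = {"pwrite", "write"}
# Parasitic infectors drop or overwrite PE images; nobody has a reason to do
# that on a honeypot, so any successful write of one is a hit.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".sys")

# Constructed sample log: a user editing a text file, the same workstation
# later dropping binaries into admin shares under a domain-admin account
# (the scenario Thomas describes), and an unrelated backup job.
SAMPLE_LOG = """\
Nov 12 09:14:02 honeypot smbd_audit: CORP\\jsmith|10.1.4.23|PUBLIC|pwrite|ok|/srv/honeypot/public/notes.txt
Nov 12 09:15:40 honeypot smbd_audit: CORP\\da-helpdesk|10.1.4.23|ADMIN$|pwrite|ok|/srv/honeypot/admin/svchost32.exe
Nov 12 09:15:41 honeypot smbd_audit: CORP\\da-helpdesk|10.1.4.23|C$|pwrite|ok|/srv/honeypot/c/WINDOWS/system32/msupd.dll
Nov 12 09:15:41 honeypot smbd_audit: CORP\\da-helpdesk|10.1.4.23|ADMIN$|pwrite|fail|/srv/honeypot/admin/locked.exe
Nov 12 09:16:02 honeypot smbd_audit: CORP\\svc-backup|10.1.9.8|BACKUP|pwrite|ok|/srv/honeypot/backup/2008-11-12.bak
"""


def parse_audit(line):
    """Return the fields of one full_audit line as a dict, or None."""
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None


def find_infectors(lines):
    """Map each client IP that successfully wrote an executable to the
    honeypot onto the accounts it used and the files it dropped.

    The account set is the useful part for the incident: if it contains a
    domain admin, the worm is running with those credentials and every
    host on the domain is now reachable from that workstation."""
    hits = defaultdict(lambda: {"accounts": set(), "files": []})
    for line in lines:
        ev = parse_audit(line)
        if ev is None or ev["status"] != "ok" or ev["op"] not in WRITE_OPS:
            continue
        if not ev["path"].lower().endswith(EXEC_SUFFIXES):
            continue
        hits[ev["ip"]]["accounts"].add(ev["user"])
        hits[ev["ip"]]["files"].append(f"{ev['share']}:{ev['path']}")
    return dict(hits)


def report(hits):
    """One alert line per offending client, most drops first."""
    out = []
    for ip, h in sorted(hits.items(), key=lambda kv: -len(kv[1]["files"])):
        accts = ", ".join(sorted(h["accounts"]))
        out.append(f"ALERT {ip} wrote {len(h['files'])} executable(s) "
                   f"to the honeypot as {accts}; isolate this host")
    return out


if __name__ == "__main__":
    for alert in report(find_infectors(SAMPLE_LOG.splitlines())):
        print(alert)
```

Run against the sample log it reports only 10.1.4.23, with the two executables it dropped and the `CORP\da-helpdesk` account that made the writes; the failed write and the non-executable writes are ignored. Because the honeypot sits on every VLAN, the first host a worm reaches after an admin's ill-advised logon is the one that raises the alert, which is the whole point of deploying it site-wide.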
-
AVG Update Labeled Windows File As Trojan
File this one under super embarrassing: some users of the latest two versions of AVG's free virus scanner ended up with a computer stuck in an endless reboot loop. The antivirus software had falsely identified a critical Windows XP system file as a Trojan.
And when you remove that file, see, Windows doesn't work anymore.
Alarms went up soon after the release of a signature update for AVG 7.5 and 8.0, when forum posters reported that the update incorrectly flagged the Windows XP system file user32.dll as containing the Trojans PSW.Banker4.APSA or Generic9TBN. AVG recommended deleting the file, which is a really, really bad recommendation: user32.dll is a core system library, and Windows XP cannot boot to the desktop without it.
Fortunately for English speakers, the problem only affected users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP.
AVG was pretty quick about addressing the problem, even though it was the middle of the night in Amsterdam, so kudos to them on that. The company confirmed it was a false positive and offered instructions for fixing the problem from safe mode or the recovery console. Soon after, it issued this press release:
AVG is actively working to remedy the problem some users are experiencing related to the most recent update to commercial and free versions of AVG 7.5 and AVG 8.0 in some languages. A number of users who installed the update mistakenly received a warning that the Windows system file user32.dll product version 5.1.2600.3099 was infected with a Trojan virus and were prompted to delete a file essential to the operation of Windows XP.
The problem only affects users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP.
AVG is taking these steps to assist users in remedying the problem:
- Immediate release of a new update to correct the problem.
- Creation of a specific informational section on the AVG website that enables users to resolve the problem.
Affected users should follow the weblinks below for further information and to download the fix tool:
(1) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll
(2) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll - fix tool
Affected users unable to use their PCs should contact their AVG reseller or ask a friend to download the information and fix tool for them. After running the fix tool, users should run the AVG update program to download and install the correct AVG update.
AVG sincerely regrets the inconvenience users have experienced. We are working to remedy the problem and ensure that any other potential vulnerabilities are identified and eliminated before they can impact users.