Tuesday, September 29, 2009

Canadian Pharmacy Spam

I plan to update this blog about my research on Canadian Pharmacy spam. All of us online who use email have certainly seen this form of spam for at least 5 years now. Their spam still persists today, even in larger quantities than previously.

The scammers typically break into web servers to send spam from and to host redirect links. They then buy a bunch of domains with registrars who do not disable fraud domains on a regular basis.

Saturday, August 29, 2009

5th Annual GFIRST Conference Atlanta 8/23/09-8/28/09

I was very fortunate to attend the GFIRST conference here in Atlanta. My manager allowed me to attend for most of the week. I was really only able to go because it was local and it did not cost much to attend. The previous four GFIRST conferences were held in Orlando, but this year it was in downtown Atlanta at the Omni Hotel, which is next to the CNN Center. Most of the attendees either worked in the federal government in some capacity or for the vendors which sell products to the government and private sector. I had the pleasure of meeting some very interesting federal employees as well as people who work for large companies such as IBM ISS, McAfee, Symantec, and others.


TRAC Class

On Sunday and Monday (8/23-8/24) I took a class called TRAC to learn how to use IDS tools such as Wireshark, Splunk and SNORT. It was an incident response initiative. I had already known how to use SNORT, but was quite rusty. Our class was divided up into teams to compete in scenarios. A hypothetical situation is that you are put in charge of a small business network that you are assigned to "fix": you have to figure out what is wrong with the small network. TRAC was taught by some well-qualified individuals from Carnegie Mellon's CERT team. In particular, I enjoyed talking to Rob Floodeen, a very knowledgeable member of the CERT team. I met other great people as well, both on my team and elsewhere in the class. The first day was pretty comfortable for me, but the second day was much more challenging in reading the logs. CERT had VMware machines set up for these exercises, and we would remote into them to diagnose the problems.

Tuesday through Friday at GFIRST, there were presentations by Federal Government representatives and private sector. I sought out the technical presentations, particularly on botnets and spam. Unfortunately due to work obligations, I could not attend all the presentations that I wanted to hear.

Highlights of Presentations
I made a few notes of highlights about each of the presentations I attended and will post them here as time permits (almost 90% done as of 8/29/09).

Tuesday 8/25/09


On Tuesday, I was able to stay most of the time and talk to some interesting people. Seth Geftic of RSA presented "Intelligence Report from the Online Criminal Underground: Latest Threats & Challenges."
This speech was geared toward the general audience, but mentioned some great highlights of recent cybercrime cases, such as the McColo shutdown of late 2008.

I attended some "CHIPS" presentations, only in part due to time constraints. CHIPS basically covers cybercriminal prosecutions and legal cases involving the US Justice Department and FBI. The highlight was Howard Cox, who I have seen speak before. Mr. Cox, Assistant Deputy Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the US Department of Justice, is a dynamic speaker and makes legal cases very interesting. Mr. Cox highlighted some recent legal cases involving computer hard-drive searches and benchmark federal lawsuits relating to cyber-criminality. One thing I noticed about Mr. Cox as a personal observation is that those who work with him really seem to like him a lot.

I also went to a presentation by Phillip Porras of SRI International, "Botnet Hunter." Mr. Porras runs the website bothunter.net and it is a treasure trove of information about botnets. I was only vaguely familiar with it before. Also, a similar website to mention is Shadowserver, which also tracks botnets. Shadowserver, in particular, was mentioned in passing on at least a few occasions. These guys really do great work behind the scenes and work closely with law enforcement for tracking purposes and eventual capture of some of the criminals who are behind the very sophisticated botnets.


Wednesday 8/25/09

On Wednesday, August 25th, I enjoyed MANDIANT's Wendi Rafferty's presentation on "The State of the Hack - Combating the Advanced Persistent Threat." She covered some very relevant information; however, I missed part of this presentation due to time constraints to get some work done.

I also caught only part of CERT's Will Dormann's presentation on "ActiveX Vulnerability Mitigation with Dranzer." This was a very technical presentation about ActiveX vulnerabilities in web applications, in particular when using Internet Explorer. This definitely satisfied the geek side of me (learning more detail about malware code and registry edits).


Thursday 8/26/09

Unfortunately, Thursday, 8/26, was the last day I attended GFIRST, and I was only able to attend a few presentations, and those only in part. There were some great presentations I missed out on; maybe some other attendee can comment on my blog or let me know how some of the others were that I did not attend or mention here.

I managed to catch most of Ashar Aziz of FireEye's presentation, "Examining the Nexus of Cyber Crime, Cyber Warfare and Stealth Malware," which was pretty technical in general, which I of course enjoyed. Mr. Aziz talked about various malware, and in particular he mentioned Zbot. Zbot was the most interesting mention regarding botnet activity. I then had to leave close to the end of his presentation.

Overall, I enjoyed the presentations. To get another view about the recent GFIRST conference, Andy Willingham, an infosec specialist in Atlanta, wrote about his view of the GFIRST conference in these recent blog entries. Andy noted that there was an apparent theme of FUD found throughout the conference. I also got to meet up with local infosec guru Martin Fisher, who is very fun to follow on Twitter as @armorguy. Martin was able to get a few of us people who "twitter" at #GFIRST to meet on Tuesday. It was a great opportunity to network and meet some very interesting people, particularly the local infosec group we have in Atlanta.

I would also like to thank a few vendors who gave me nice amounts of swag as the booths were being closed down. A complete list of vendors that participated is here. A few mentions: IBM ISS, McAfee, Verisign, and ForeScout. ForeScout gave me generous helpings of reusable "green" friendly bags, thanks, guys!

Saturday, July 25, 2009

Update: SORBS is not shutting down

SORBS owner Michelle Sullivan said she had received some substantial offers to keep SORBS operating. Apparently SORBS will stay online, as it is now past its shutdown date of July 21, 2009.

Friday, June 26, 2009

Blacklist SORBS Shutting Down very soon


SORBS is a blacklist service based in Australia. The University of Queensland, which sponsors SORBS hosting, no longer wants to renew the contract, so on July 21st SORBS is scheduled to be shut down.

The anti-spam community was quite chatty right after the announcement. One can see a flurry of posts on Twitter under the search word SORBS.

SORBS has been in operation since 2002, which is a long run for a DNSBL. Many DNSBLs come and go because they are largely a volunteer effort that can quickly run into trouble (legal threats, expensive hosting, research-intensive work).
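The post refers to SORBS as a DNSBL without showing what a mail server actually does with one. The following is an added example, not code from the post or from SORBS: it builds the DNS query name for an IPv4 or IPv6 address under a blocklist zone (reversed octets or nibbles, per RFC 5782) and runs the self-test that RFC 5782 requires every conforming list to pass (127.0.0.2 must be listed, 127.0.0.1 must not). The zone name `dnsbl.example.invalid` and the resolver table are constructed placeholders; a real deployment would use the zone name published by the list operator and a real DNS resolver.

```python
"""How a mail server consults a DNS-based blocklist (DNSBL), RFC 5782 style."""
import ipaddress
from typing import Callable, Dict, Optional

# A resolver maps a query name to the text of its A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for the DNSBL zone; a real server would ask DNS instead.
ZONE = "dnsbl.example.invalid"
FAKE_ZONE_DATA: Dict[str, str] = {
    f"2.0.0.127.{ZONE}": "127.0.0.2",   # RFC 5782 section 5: mandatory test entry
    f"45.2.0.192.{ZONE}": "127.0.0.2",  # constructed: a listed host (192.0.2.45)
    # 127.0.0.1 is deliberately absent: a sane list must never list it
}


def table_resolver(name: str) -> Optional[str]:
    """Stand-in resolver backed by the constructed table above."""
    return FAKE_ZONE_DATA.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to look up: reversed IPv4 octets (or IPv6 nibbles) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_octets = ".".join(reversed(str(addr).split(".")))
        return f"{reversed_octets}.{zone}"
    # IPv6 (RFC 5782 section 2.4): all 32 hex digits, reversed, one label each
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> dict:
    """Return whether `ip` is listed in `zone`; an A record answer means 'listed'."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    return {"query": name, "listed": answer is not None, "answer": answer}


def dnsbl_self_test(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 sanity check: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    A list that fails this is dead, misconfigured, or (a known failure mode when a
    DNSBL shuts down) has started answering for everything; stop using it.
    """
    positive = check_dnsbl("127.0.0.2", zone, resolve)["listed"]
    negative = check_dnsbl("127.0.0.1", zone, resolve)["listed"]
    return positive and not negative


if __name__ == "__main__":
    print(dnsbl_self_test(ZONE, table_resolver))
    for ip in ("192.0.2.45", "198.51.100.7", "2001:db8::1"):
        print(check_dnsbl(ip, ZONE, table_resolver))
```

The self-test is the part worth copying: an operator who keeps querying a zone after its owner has walked away risks either silently losing the check (NXDOMAIN for everything) or, worse, rejecting all inbound mail if the zone is later set to answer for every name.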

Just a few days ago around June 23rd, SORBS owner and operator, Michelle Sullivan announced the shutdown on Spam mailing lists, NANAE and on her homepage of her website.

Then the SORBS announcement was picked up by Slashdot, and after reading just a handful of comments, you could tell that SORBS was not going to be missed by many, based on some of the negative posts there. It was almost as if the diatribes from NANAE had moved over to Slashdot for the day. In fact, that probably is what it was. NANAE used to be the online hangout for a small group of anti-spammers, but as time has marched on, anti-spammers and such have moved on to either web forums such as Inbox Revenge, open and closed mailing lists such as SPAM-L, or other outlets to share information on battling spam.

In times past, I used to deal with SORBS at my job. They were the most difficult list to deal with from what I recall. So I personally won't miss them.

Further recommended blog posts about the recent SORBS imminent shutdown which provide more detail than is in this particular post:
Al Iverson Spamresource - "SORBS Information Roundup"

InBoxRevenge Forum - "Blacklist service SORBS shutting down in July 2009"

Sunday, May 24, 2009

When Spammers Are Spoofing Your Email address

What I mean by spammers spoofing your email address is that you are getting spam that appears to come from yourself, addressed to yourself and, in particular, to others. All of a sudden your mailbox fills up with returned messages, and you know you never email out that much, so you think: what is going on, and why am I getting all this garbage in my box? This has happened to nearly everyone online who uses email as a primary means of communication. Not only do you get spam, but you get bouncebacks. Typically the subject line will indicate something to the effect of "This message has been returned" or "Undeliverable." In addition to getting junk email, receiving bounceback messages and spam complaints from unknown recipients can be very vexing for an email user.

I suspect in most of these cases your email address is simply being spoofed. It is very annoying when spammers spoof your email address. I am sure for most of us this has happened at one time or another. Unfortunately, the best way to deal with this issue is to wait it out and delete the bouncebacks you get.

In most cases, I suspect, spammers are using real email addresses in the forged Reply field of their spam. What then happens in some cases is that the spammed mail servers return that unwanted spam to you, the innocent recipient whose email address was used in the forged Reply field.

Unfortunately, the best thing to do is to wait it out by deleting all the returned messages you get. Some people who have this happen get thousands of returned messages a day, so deleting them can be very time consuming.

There could be a few reasons why this might happen to you. Below are three valid reasons why this may have happened to you.

Below is a great summary as to what may have happened to your email address: taken mostly verbatim from InBoxRevenge forum with permission:

- Someone you know has an email worm - most unlikely as it is an old exploit

- Your email address was forged randomly

- Your email address was forged as retaliation, for instance for reporting spamming

- The "bounce" message is not a real bounce message, but a spam crafted to look like one, since most mail servers are now set up to refuse mis-addressed email, not to bounce it to the forged "from" address. In that case, if you look at the spam, you will see they usually didn't even bother to put your email address in the "from" of the "original message." Spams like that are more likely to be opened by the recipients, as that's the only way to know they are fake if you don't have a customizable spam filter like Mailwasher that lets you look for the information in the headers that would identify a real bounced or refused email.

- It could mean your online email account has been hijacked and the spammer is sending mail that way (in which case it's immaterial whether you have a mac or PC). It may be to get past spam filters, since spam originating from those accounts is less likely to be blocked by filters, or it may be for scams similar to spearphishing, where the people in your address book get an email that appears to be from you and includes personal information they gained from your stored emails, making them more likely to be sucked into a scam.

But if your computer were sending spam as part of a botnet, it's unlikely the spammer would put your email address in the "from" of spam. If he can forge any address he wants, why let anyone know which computer is compromised and risk it being cleaned of malware?
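The forum summary above says the headers tell a real bounce from a spam dressed up as one. As an added example (not code from the post or from the InBoxRevenge forum), the Python below does that triage with the standard library's `email` parser: a genuine bounce is a delivery status notification (RFC 3464) whose top-level Content-Type is `multipart/report; report-type=delivery-status` with a `message/delivery-status` part, and it normally encloses a copy of the original message, whose From header shows whether your address was the one forged. A message with a bounce-like subject but none of that structure is the fake kind. The two sample messages, the addresses and the hostnames are constructed for the example.

```python
"""Triage 'bounce' messages that arrive after your address has been forged in spam."""
import email
import re
from email import policy
from email.utils import parseaddr

# Subject wording typical of both real and fake bounces (constructed pattern).
BOUNCE_SUBJECT = re.compile(
    r"undeliver|returned|delivery (status|failure)|failure notice", re.IGNORECASE
)


def analyze_bounce(raw: bytes, my_address: str) -> dict:
    """Classify one message as real-bounce, fake-bounce or not-a-bounce."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    looks_like_bounce = bool(BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))))

    # RFC 3464: a DSN is multipart/report with report-type=delivery-status ...
    is_dsn_report = (
        msg.get_content_type() == "multipart/report"
        and str(msg.get_param("report-type", "")).lower() == "delivery-status"
    )
    has_status_part = False
    final_recipients = []
    original_from_is_me = None  # stays None if no copy of the original was included

    for part in msg.walk():
        ctype = part.get_content_type()
        # ... and it carries a message/delivery-status part ...
        if ctype == "message/delivery-status":
            has_status_part = True
        # whose per-recipient blocks say who the spam was actually sent to
        if "Final-Recipient" in part:
            final_recipients.append(str(part["Final-Recipient"]).split(";")[-1].strip())
        # The enclosed original shows which address the spammer forged as sender
        if ctype == "message/rfc822":
            original = part.get_payload(0)
            sender = parseaddr(str(original.get("From", "")))[1]
            original_from_is_me = sender.lower() == my_address.lower()

    if is_dsn_report and has_status_part:
        verdict = "real-bounce"
    elif looks_like_bounce:
        verdict = "fake-bounce"
    else:
        verdict = "not-a-bounce"
    return {
        "verdict": verdict,
        "final_recipients": final_recipients,
        "original_from_is_me": original_from_is_me,
    }


# Constructed sample 1: a genuine DSN returned because our address was forged.
REAL_DSN = b"""From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

The message could not be delivered to one or more recipients.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

From: victim@example.org
To: nobody@example.net
Subject: Cheap meds

Buy now.

--B1--
"""

# Constructed sample 2: spam wearing a bounce costume; no DSN structure at all.
FAKE_BOUNCE = b"""From: "Mail Administrator" <postmaster@mail.example.com>
To: victim@example.org
Subject: Undeliverable: Your order
Content-Type: text/plain; charset=us-ascii

Your message could not be delivered.
--- Original message ---
From: someone-else@example.com
Click here to view it: http://spam.example.invalid/
"""

if __name__ == "__main__":
    for sample in (REAL_DSN, FAKE_BOUNCE):
        print(analyze_bounce(sample, "victim@example.org"))
```

For the real DSN the result tells you exactly what happened (your address was forged as the sender, and the named remote recipient rejected it), which is the "wait it out" case; the fake one is just spam to be filtered like any other, and nothing in it points at a compromised account.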

Tuesday, May 5, 2009

Spam-L will shut down 5/11/09

The venerable listserv Spam-L will shut down 5/11/09. Reason stated: "Recurring incidents involving animosity between list members have taken their toll. The SPAM-L list will be shutdown on Mon,2009-05-11."

NANAE (the Usenet anti-spam group) is where anti-spammers argue to the point that, for me at least, it is mostly pointless to read. Spam-L contained largely engaging exchanges about spam. Sure, there was some bickering, but I didn't read it all the time, so I didn't know how bad the in-fighting had become. The owners said the emails from the list will be archived for about a month.

According to Twitter user hanov3r, SPAM-L was started on 19 Aug 1995 and plans to shut down Monday, 11 May 2009.

I will miss the Spam-L list. Others have chimed in saying they want to replace it. I guess it is a wait and see what will happen.

Friday, April 17, 2009

iBotnet - MAC compromised and used for Botnets

ZDNet reports that malware researchers have found zombies on Macs that could be used in DoS attacks. If the Mac has certain pirated software running, it could be part of the botnet. Sometimes OS fanboys, as I like to call them, are so snobbish about THEIR OS that they don't think THEIR OS can be 0wn3d. Very wrong; in this case it is all up to the end user to make sure his system is secured. If one wants to download torrents or run pirated software, he is at risk, along with looking at dubious websites, such as pr0n.

Tuesday, April 7, 2009

Firefox Add-Ons - ASN and IP Info

I have gotten kinda crazy about Firefox add-ons in times past, but nowadays on my new desktops I have limited what I have installed, due to reports of browsers with numerous add-ons being compromised.

For spamvertized domain research, and sometimes for just plain curiosity, I have the ASNumber and ShowIP plugins installed. They show up in the bottom right of the browser. Right-clicking on the IP info also lets you copy and paste the IP if you want to find out more using ARIN searches. Once in a while the ASN won't be associated with an IP, but for the most part this add-on is great.


Sunday, April 5, 2009

Castlecops Gone - Other alternatives - InBoxRevenge.com


Castlecops closed down on December 23, 2008. Castlecops was an internet security site that offered internet security information. There were many tasks Castlecops took on from reporting phishing sites to webhosting companies, to assisting people showing them how to remove malware from their home computers. The volunteers scattered to different sites. One forum where anti-spammers congregate is InBoxRevenge.com - This forum shows some real research in its posts about spam operations.

Some of the other volunteers can be found at other active forums such as: Bleepingcomputer, DSLReports, MalwareRemoval, PCPitstop, SpywareWarrior, and others. Perhaps the highest concentration of former Castlecops' volunteers have made their online forum home at SpyWareHammer.com.

Castlecops shut down because the owners could no longer donate the time and resources to keep the task going.