Ryan Singel from Wired.com outted Pfizer yesterday in a great article based on Support Intelligence data.The article
highlights the ongoing security difficulties at the pharmaceutical giant despite our efforts to inform them of the situation over the past few months. And if I wasn't crying about how bad things are I'd be laughing because frequently the spam their bots send touts illegitimate knock-offs of their own flagship product, Viagra.
The spam also promotes black-market versions of Cialis produced by competitor Eli Lilly, and Levitra by Bayer. Ruh roh.
The good news for Pfizer is the makers of "Mandik", another spammed pharmaceutical coming out of their servers, are unlikely to sue anybody any time soon. Phew.
On a more serious note - we've received spam from an absolute heap of Pfizer addresses, along with everyone else. In total 138 separate Pfizer IP addresses have turned up on various black lists. Holy cow Houston! This isn't a single employee surfing warez and getting infected - this is a serious breakdown of systemic control over their corporate network.
The unfortunate bit about all this is the company was informed of the scope of the problem back in early April - over five months ago. It's hard to imagine that as an industry of security professionals we can't do better than this.
Spread the word:
This week we've got a double-header for you - first read about Support Intelligence on BBC News
, then read about the security issues at the BBC we've observed.The article
, written by Mark Ward, highlights the message we've been bringing home in this blog - Corporations have a Bot Problem. The article relies on us as well as Tim Eades of the security firm Sana, and Alex Raistrick of Con Sentry in outlining the problem with infected PC's. All in all it should be familiar stuff to the readers of this blog, but we're happy to see the message continuing to echo farther and farther afield.
The next best thing about our conversation with Mark Ward was the opportunity if afforded us to tell someone at the BBC about the security problems on their network. And I must say, they took it quite in stride. Fortunately the problems were fairly benign.
We began tracking the BBC in late February and started receiving spam from them almost immediately on a nearly daily basis for several months in a row. All the spam flowed through: 18.104.22.168, mail0.thdo.bbc.co.uk, which is the same mail server that provides the "Email a friend" facilty on the BBC's main website http://www.bbc.co.uk. This is a separate mailserver than the one that outbound BBC employee mail comes from, or that delivers Radio 4 newsletters and such.
All the spam showed received headers from BBC webservers internal facing addresses such as www3-mgt.thny.bbc.co.uk - 192.168.208.33 and www15-mgt.thdo.bbc.co.uk 192.168.201.115.
Were these bots at work on the BBC network? Possibly. A much more likely explanation however is an insecure script on one or two of their webservers allowing them to proxy mail which the spammers identified. Possibly a cross-site scripting vulnerability or sql injection attack.
Whatever the case, the good news is the BBC folks apparently nabbed it - all malicious activity stopped dead on the 23rd of May, prior, in fact to our notification. Hats off the the BBC security team for plugging the hole and stopping their flow of spam.
See - sometimes these stories do have a happy ending.
Spread the word:
Golly, now it's getting personal. IndymacBank isn't just a lending giant with $1.34 billion in revenue - they also hold the mortgage to my house. And in addition to my monthly payment reminder in May, this month they also sent over a little something extra:
Gosh, and all this time I thought they only cared about the size of my check. Who knew?
But should we blog about them we asked ourselves? This particular run lasted only 44 minutes, on the 21st of May. And prior to that Indymac was clean for 80 days - not a single sign of bot activity. Could be a sign of an excellent effort.
But... wait, this wasn't the only incident - we spotted a second occurrence on the 1st of March which blasted stock spam for 1 hour 16 minutes, and a third on February 27th pumping pharmaceuticals and stocks for a similarly brief amount of time.
So what gives?
All this garbage came from a single IP address: 22.214.171.124, routed by ASN 19347, and showing no reverse DNS. We get a fair amount of marketing mail from Indymac via 126.96.36.199, obb.indymacbank.com, and other mail from 188.8.131.52, smtpout002.indymacbank.com, but never anything bot related and both look like completely legitimate senders.
So, as the guy with his personal information at this bank, including my social security number, income details, and event the square footage of my bathroom, It bothers me that some unknown host on their corporate network is controlled by a third party over which they exert no legal or operational control.
And though I'm hoping that what this evidence shows is a very diligent sec-ops team hard at work shutting down the bots as soon as they pop up, my concern is I have no idea if that's really the case. Is this a single host that's been hacked since February 27th, possibly datamining, and password sniffing the whole time? Or is this three separate incidents, each of which was stamped out within an hour or so? Even if this best case scenario is true - how do I know these systems weren't hacked long before they ever started spewing spam? How do I know I'm safe if they can't even stop themselves from sending out photos of smiling young ladies touting two foot phalli? Does it get anymore outrageous?
People - this is a bank. Think about it...
But what's the point? Is it that Indymac are bad guys? No. Is it that the internet is a scarry place? Sort of. Is it that I need to be concerned about my personally identifiable information. Absolutely.
The whole point of this blog is to raise awareness about the Botwar going on - a war raging around us as we speak. We can smile and laugh about penis spam, but the fact is that millions of carjacked computers, controlled by criminal third parties are doing god knows what 24/7, inside our homes, our hospitals, our government offices, our corporations, and even inside our banks. And in this case, inside my bank.
Our goal is not to make these hard working sec-ops folks look bad, but instead to help raise awareness with their CIO's, CEO's, and even the general public, so they can get the funding and support they need to fight this problem. It's raging around us. It's a predatory criminal activity making victims of many
organizations. We can stick our heads in the sand or we can fight it.
So corporate American CIOs - Which are you gonna do?
Address: 155 North Lake Ave
NetRange: 184.108.40.206 - 220.127.116.11
Comment: Addresses within this block are non-portable.
Spread the word:
Question: Do bots affect high tech companies too? Answer: Yes, even high tech companies fall prey to these crimes. Today we have Intel squirting out botspam with the best of 'em, in a very recent infection somewhere on their network.
A trio of IP addresses, all with no reverse DNS, have been firing off stock pump and dump, viagra, and home loan spam the past few days - the first of this run being spotted on April 29th.
All are routed via origin AS 4983 INTEL-SC-AS - Intel Corporation - the first being domestic, and the later two routing to approximately Haifa, Israel.
Previously we'd spotted 18.104.22.168 shooting out Cialis spam back on April 21st, but the good folks at Intel shut it down within half a day - so hardly worth mentioning. But this run seems to have lasted 8 or 9 days since inception (with nothing in the past 24 hours, so hopefully they've nailed it already).
My favorite piece of garbage sent from this batch of Intel spam brought the following title -Subject:
Gimme your thoughts on this
Indeed, gimme your thoughts...
Spread the word:
So, it looks like banks, insurance companies, publishers, manufacturers, and retailers all have problems with bots. But do airlines have problems with bots? You betcha.
On April 7th, something at ATA Airlines changed. Out of previous total silence, spam started arriving in our traps from ATA. It was clearly botspam, this time pushing Humet PBC, which trades as L9Z.F on the Frankfurt Stock Exchange. According to the good folks at Spamnation
, this was part of a two part run between March 31st, and April 19th perpetrated on this stock.
All the spam from ATA touting the stock came from a single IP address: 22.214.171.124 - h-253-165.iflyata.com. The spam was nearly identical, 100% of it touted the same company, and the run itself lasted three days, peaking in the middle. Then poof - radio silence again.
Until the 28th of April that is when stock spam started arriving in our traps from ATA a second time. This run came from a different IP address: 126.96.36.199, resolving to h-253-225.iflyata.com. Again, the spam uniformly pumped a single stock - Electronic Koursewar - EKII.PK -, which was part of a much larger, distributed spam run, used forged received headers ( some from unrouted IANA space) , and mysteriously disappeared after three days.
Did ATA catch the problem and shut it down? We sure hope so. Out of the 10 weeks we've been watching ATA, they've sent spam on only six days, so hopefully this is a sign of a vigilant, if not perfect, security regimen.
Will the problem spring back up a third time? Were these systems also key-logging? Is there a drop file somewhere with other information in it? Impossible for us to say, but someone has to ask the question. Neither of the IP addresses delivering the botspam to us delivered a single piece of legitimate mail, and neither appear to be regular mail transfer agents - so what are they?
And if the IT security of civilian airlines isn't enough to get your attention, don't forget, ATA is also a big time carrier for the U.S. military, operating charter missions around the globe everyday.
And so, the bots rampage on...
Spread the word:
We have been watching the Nationwide Insurance Network for a few months now, and have been impressed with the spam/ham ratio. Its spammyness is something like 100:1 in spam to ham. We have collected some 1,857 SPAM from 6 IP addresses on Nationwide's Network. The breakdown of spam and the hosts that sent it out are listed below:
The kinds of spam we received from Nationwide included Pharmacy spam advocating various Erectile Dysfunctions drugs, Rolex watches, graphic pornography, mortgage loans, weight loss and stock pump-n-dump. While writing this blog post we received 10 more stock pump-n-dumps touting stock ticker EKII
which is down 9% as of Monday evening. Senderbase.com lists 188.8.131.52
as having a 10% increase in daily activity and notes that the host is blacklisted by SORBS.
The main question is if any of Nationwide's consumer data was compromised. We believe that 184.108.40.206 is an outbound NAT and that the 1,342 SPAM emitted from that IP address represent some set of internal machines that are compromised. The way that the headers were forged leads us to believe that there were several machines behind the suspected NAT.
Most malware does some form of key logging or post logging. Could an infection of this size compromise the integrity of their consumer data? Remember that in the TJX Data Breach
researchers still don't understand how they got in, how they unencryped the data and the company is currently facing litigation in excess of over 1.6 Billion. CISOs need to understand that todays malware easily captures data before it gets encrypted and moves it off corporate networks without setting off an IDS. A good hint -- if your company is sending out spam you probably have a good botnet infection.
When we finally do get an IT security manager on the phone the first question they ask is if any of these spam have been forged. We answer this question as follows:
- We track all BGP announcements since Jan 2005. We monitor the BGP at several locations including our trap locations.
- We match up any bogons or route hijackings with the TCP connect data our spamtraps collect.
- AS26578 [ NATIONWIDEASN2 - Nationwide Services, Inc ] which is responsible for routing the addresses in question has not had a routing hijack during our period of analysis.
Furthermore, based on observations, had one of these blocks been hijacked the block would have had to be hijacked for a continuous period of several months. Such a routing hijack would have also been noticed as it would have effected outbound corporate e-mail delivery.
From the points above we conclude that the Nationwide Insurance network blocks were not hijacked in any way; and that several machines internal to their network have been compromised to send SPAM to the greater population of Internet users.
Not every Fortune 500 company we analyze are in as bad of shape as Nationwide Insurance. For example, we haven't received a single SPAM from Geiko Insurance during the same period. Next week we will let you know if Nationwide has brought their systems under control and if they have mitigated their problems.
We're of course ready to share information with Nationwide to help track the problem down and get it stopped.
OrgName: Nationwide Mutual Insurance Company
Address: One Nationwide Plaza
NetRange: 220.127.116.11 - 18.104.22.168
NetType: Direct Assignment
OrgTechName: West, Cher L.
------- ASN Deligation ------
OrgName: Nationwide Services, Inc
Address: ONE NATIONWIDE PLAZA
Address: M.S. 1-05-31
RTechName: West, Cher L.
Spread the word:
We started our tracking project for Affiliated Computer Services on March 10th. It took about a week to catch our first spam from this company which does BPO for numerous corporate clients. On the 18th we received an offer soliciting Russian Lovers
from 22.214.171.124 better known as pat.acs-inc.com.
This single machine sent us 96 additional spams over the next few weeks.
The flow began as image spam touting various pharmaceuticals and masculine enlargement techniques. Eventually the content changed to Hooudia diet supplements and OEM Software. It wasn't until the 23rd of March that 126.96.36.199 really started to spew however. This address then delivered us another 174 spam on similar topics plus a stock pump-n-dump pushing CWDT.OB (yahoo charts)
The interesting thing is that during the time the Affiliated Computer Services computers were filling your and my inboxes with stock spam, the stock for CWDT did actually swing back and forth. There has been a fair amount of research into stock touting and its apparent effectiveness. Meaning that the spam emitting from Affiliated Computer Services might have played a role in some investor loosing their shirt purchasing CWTD. For more information on stock spam touting see Spam Works: Evidence from Stock Touts and Corresponding Market Activity.
These two ip addresses continued to spew until the 16th of April. All in all we received almost 300 SPAM/UCE from ACS. Between the Stock spam or the genital enlargement it's hard to say which is most bothersome.
Spread the word:
Borders seems to do a fairly good job with their containment; unfortunately today we bring you an analysis of a Pharmaceutical spam run launched from Borders servers between March 29 and April 3rd that used resources from six different countries.
As the story goes, on March 29th we began receiving botspam messages from 188.8.131.52 on the Borders network sending us off to buy Viagra at domains created March 23rd and registered to:
Sos. Mihai Bravu,No. 5
Bl. 4, Entr. 4, Apt. 9
Bucuresti, Sector 2 76101
The domains are serviced by Name Servers hosted in Iran, Chile, and Argentina, and registered to owners in China and Texas. All three Name Server domains were registered in February or March of '07, with a 1 year expiration - quite cheaply disposable.
Name Server: ns1.nopadvene.com
Name Server: ns2.razovinag.com
Name Server: ns1.thefeminine.net
The websites themselves were ultimately hosted by China Telecom, somewhere in Shandong Province.
So as you can see, this single SPAM run makes a six country tour in its setup and makes a nice little case study in how crooks create jurisdictional nightmares to cover their tracks. Odds of successful prosecution anyone?
Strangely, on the Borders side there are also wiggles that make the diagnosis less than straightforward. The reverse DNS for the ip address sending all this SPAM points to bordersgroupinc.com, however, the forward A Record for bordersgroupinc.com points to 184.108.40.206 which is routed by AS4595 (ICNET).
It's odd that the machine at 220.127.116.11 has a reverse entry pointing to bordersgroupinc.com. Could this be the outbound facing NAT? Well, the box in question (if it was a box) forged headers from Yahoo, Google, Gmail and others - noticeably lacking any DomainKeys headers that indicate legitimate mail from Yahoo!
As for the legitimate Borders mail, it comes from 18.104.22.168 - outboundsmtp.bordersgroupinc.com. And all the mail from this server has Received headers from internal RFC1918 space with reverse DNS pointing to an internal zone claiming to be corpex01.bgpcorp.net which doesn't jive with the global DNS, but seems more or less legit. All of which just shows some of the oddities encountered when tracking these types of incidents down.
This kind of compromise happens every day to large and small companies, with the odds of successful prosecution of the criminals involved nearly zero. On the positive side, we're happy to report that Borders was able to mitigate the infection within a week, which is fast compared to some companies that have had infections for months. Stay tuned, we'll be highlighting some of those shortly.
We'll also review some of the companies we've analyzed over the past few weeks to see if any have cleaned themselves up or continue to pollute our mail boxes.
Received: from 22.214.171.124 (HELO mx5.biz.mail.yahoo.com)
by locaos.com with esmtp (20Q,WW067.4I )HQ8)
for firstname.lastname@example.org; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton"
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
Dear valued member!
More and more people are getting concerned with the problem of fake drugs
sold on the Web. This letter is aimed at helping you choose a really reliable Internet drugstore.
It�s not a secret that many Web pharmacies are trying to make profits by
selling fake drugs that not only prove to be totally useless but also can
cause serious health problems. USDrugs is one of very few Internet
drugstores that always offer only 100% generic meds.
Hope that you will find the information provided useful.Please click here
for more information.
With Best Regards, Denis Denton
Whois for the IP address that sent us the lovely request to look for new meddications
OrgName: Borders, Inc.
Address: 54 S. State Road
City: Ann Arbor
NetRange: 126.96.36.199 - 188.8.131.52
CIDR: 184.108.40.206/24, 220.127.116.11/23, 18.104.22.168/24
NetType: Direct Assignment
Spread the word:
In our effort to bring attention to the facts that many corporations unknowingly send SPAM we bring you an analysis of Clear Channel. Every day we receive many legitimate emails from Clear Channel touting radio and TV stations with titles like Newsradio 850, KOA Traffic Alert
or Free Money - Free Trips
as well as loads of concert updates for every major metropolitan area of the United States.
Back in March, we started getting titles like Best Prices on Medication
mixed in with our KOA
Traffic Alerts. We first noticed image based Pharmaceutical
spam from 22.214.171.124 on 03/12/2007 advocating Viagra and HGH
. Similar spam arrived from another Clear Channel address, 126.96.36.199, this time from Europe. These compromised machines appear to have been cleaned up as we haven't see anything from them for nearly 2 weeks.
On March 29th
however, we noticed 188.8.131.52 pumping Pharma
spam with 184.108.40.206 joining in just a few minutes later. This particular infection ran much longer. These two addresses were responsible for delivering some 212 spam email to our traps. Then around April 4th
we received Mortgage spam notifying us of our load acceptance for $396,000 - we just need to click here.
On April 10th
, 220.127.116.11 stared sending us OEM
spam pushing Adobe and Microsoft products.
In summary it looks as though Clear Channel has a continuing problem with infected computers pumping SPAM advocating Illegal Pharmacies, Unlicensed Software, and Identity Theft. It's not that Clear Channel is different from Intel, Best
Buy, or Bank
of America. All these companies
have had botnet
activity on their networks in the last 30 days. The point is that a great many companies have been hit by these problems.
The differentiator is whether a company cares, what they do about the problem, and how fast they clean it up. Nobody expects security to be flawless - but our internet shouldn't be Unsafe at Any Speed
, and especially not from organizations that have the resources available to address the problems - Once Awareness of the Problem Exists
- hence our blog and DOA list.
FYI, Clear Channel delivered over 2,000 emails to our traps in under 45 days - only 10% of which was botnet
SPAM. But it's that 10% that's making our internet an unsafe place to be. The question is - what are you going to do about it?
OrgName: Clear Channel Communications
Address: Clear Channel Worldwide
Address: 20880 Stone Oak Parkway
City: San Antonio
NetRange: 18.104.22.168 - 22.214.171.124
Spread the word:
Bank of America
We had to wait for this one to settle down a bit before we brought it out in the open. We track many of the major Banks in the USA. Today we review a week of SPAM from Bank Of America. We have observed many months of good behavior from BofA but starting on April 2, 2007 a lone system named system6.bofasecurities.com
[126.96.36.199] got infected with something nasty. The situation lasted until the evening of April 6th. During this time we collected 226 SPAM.
Support Intelligence wasn't the only place that noticed this box spew, System6
was blacklisted by CBL, TQM3
, and UCEProtect. We also note that this same system has been blacklisted by SpamHaus before on 2006-12-31 and 2007-03-30.
None of the Spam we collect from System6
had any Received headers so we believe all the mail to have originated from hosts outside of Bank of America, probably via socks proxy - so lets be clear that this appears to be a casual penetration of [our attorney has encouraged us to leave this space blank]
On April 9th a new system popped up, host-63-117-180-6.eprimebroker.com
[188.8.131.52] which is routed by AS 19438 ( PRIME-BROKERAGE - Bank of America ). This host primarly unloaded OEM software spam. It appears that the folks at ePrimeBroker are on top of it as this host only got 4 spam into our traps before being shut down. The 4 spam from ePrimeBroker all arrived within 90 minutes of each other, and we have not detected a new spam since April 9th . During its prime it was blacklisted by CBL
and SpamHaus, while SenderBase showed a 316% increase in its SMTP traffic.
With 9 weeks of analysis that shows no indication of bots I'd say BofA did a great job up until our 10th week of observation when they had a two separate infestations. The good news is at least on was noticed and shut down quickly.
Bank of America will get infected again and we'll bring you a timely report of it.
Spread the word:
at 4:07pm PDT today we received yet another spam from Conseco, specifically the webserver at 184.108.40.206 which has sent our traps some 296 SPAM in the last 30 days. Today it was Viagra links, yesterday HGH and OEM software, the day before -- image spam. The week of March 12th brought us some Tranny pornography with titles like Beusty Wkoman Srucks BIGFCOCK & Taitty Fjuck In Piool
and Cjlassy Tdanned SHYEMALE Balowjob & Djoggystyle Feuck.
Several of the lovely notes from the server at 220.127.116.11 had Received: headers. The following machines apparently proxied 6 of the 296 transactions through it.
- Received: from 18.104.22.168 (HELO mrclean.mnimaging.com)
- Received: from 22.214.171.124 (HELO mail.ftwoods.com)
- Received: from 126.96.36.199 (HELO mx1.freeola.net)
- Received: from 188.8.131.52 (HELO mail.ijb.de)
- Received: from 184.108.40.206 (HELO smtp.yepa.com)
- Received: from 220.127.116.11 (HELO sesmail-com-bk.mr.outblaze.com)
The forward and reverse for these hosts do seem to match up, and none are listed on any DNS RBL that we know of. The only oddity is that the FQDN matches the forward ip address and some reverses don't match the FQDN but are close enough. This isn't how SMTP servers work though.
With Nmap reporting all the ports on 18.104.22.168 as closed, I'm confused how other servers could proxy any of the SPAM through 22.214.171.124. therefore I'm going to call the headers in the 6 aparently proxied transactions as forged.
My best guess is that the host is a decommissioned web server for conseco.com as the reverse DNS points to conseco.com however the forward DNS for conseco.com as an A record of 126.96.36.199. Since these are different and 188.8.131.52 has the reverse for 10 or so other names I can imagine a transition that just left the old conseco.com.
web server out dangling.
This server has been infected for over a month and sits on the same /24 that all of the other main company resources reside on. We will come back and review this one again in a week or so and see of anyone has cleaned it up.
Spread the word:
We started watching Toshiba's network on Feb 23 2007. Since that very day one host has shone above the others, spewing every variety of spam. The host [184.108.40.206] has activity sent spam dating back as far as July 17th 2006. It has been listed on CBL, SpamHaus, TQMcube, UCEProtect, and WPBL. All in all it was listed some 105 times for sending SPAM/UCE in the last 9 months.
Every spam we captured from the host used a different HELO in the SMTP transaction to deliver mail to our traps. There were no Received headers Of the 716 spam we have received from this one host, we collected stock touts for WSDC.PK (up big!) and CDYV.PK up a hefty 25% today, CCTI.PK (ouch, down almost 100% from its high) and SPSY.PK. There were also Rolex Watch and other Trademark/Brand SPAM.
I don't buy the nmap analysis below but I thought it interesting enough to include. This device is determined by nmap to be a Cisco load balancer. We are constantly surprised.
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-17 20:51 PDT
Interesting ports on 220.127.116.11:
Not shown: 1681 closed ports
PORT STATE SERVICE
178/tcp filtered nextstep
605/tcp filtered unknown
654/tcp filtered unknown
1076/tcp filtered sns_credit
5050/tcp filtered mmcc
5101/tcp filtered admdog
5190/tcp filtered aol
5192/tcp filtered aol-2
5193/tcp filtered aol-3
5510/tcp filtered secureidprop
5520/tcp filtered sdlog
5530/tcp filtered sdserv
5540/tcp filtered sdreport
5550/tcp filtered sdadmind
5555/tcp filtered freeciv
5560/tcp filtered isqlplus
Device type: load balancer
Running: Cisco embedded
OS details: Cisco CSS 11501 Content Services Switch
Spread the word:
We've been collecting spam from a corporate email gateway (18.104.22.168) over at Business Week which is owned by McGrawHill which is responsible for announcing the 22.214.171.124/22 block from AS 4546.
This particular computer is one of Business Week's outbound mail gateways better known as mail03-1.mcgraw-hill.com. Its been showering our traps with titles like Become a better lover
and Enjoy complete and total confidence every time
. This server isn't botted it's just an IronPort[aren't they owned by cisco now] box that's forwarding SPAM, but where is the spam coming from? Upon deeper inspection a received header indicates that this mail server received the message from a host (bw-www2-hts.mcgraw-hill.com) with an RFC1918 address [172.16.40.20]
This all sounds very complicated. It gets worse, the are other compromised web servers in other business units all leveraging the same technique of using a compromised system to send out spam through outbound corporate MX servers, in this case a IronPort anti-spam system.
One of the other systems that caught our eye is [corona.eppg.com] which sprouted titles like Obesity is the number one cause of premature death in Americans
This box used the same technique exiting its spam through another outbound mail server at 126.96.36.199. This host's block were registered to "Macmillan/McGraw-Hill School Publishing Company" which does K-6 Schoolbooks. That's friggn kinder garden through 6th grade books, do you think they interact with kids over their website... yep, the kiddies log in at http://glencoe.passkeylearning.com/LoginController
These computers have been spewing spam for some time now, I'm interested to know if they also have key loggers operating on them. Well, I doubt we will hear from their systems administrator, we wrote this post because we couldn't figure out how to report instances like this. Hey, Mr. Business Week, you got 0wned!
A set E-Mail Headers from the ~100 messages we analyzed
X-ENVELOPE: EHLO mail04-1.mcgraw-hill.com
Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20])
by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400
Received: (from busweek@localhost)
by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382;
Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Date: Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Subject: An all natural solution that studies prove works wonders
Another message's headers for the PASSKEYLEARNING.COM site
X-ENVELOPE: EHLO corona.eppg.com
Received: (from passkeylearning.com@localhost)
by corona.eppg.com (8.11.7p3+Sun/8.10.2) id l2BDxSl23545;
Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
Date: Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
Subject: Obesity is the number one cause of premature death in Americans
The ARIN IP Address Deligation for the ip addresses mentioned above.
OrgName: Businessweek Corporation
Address: 1221 Avenue of the Americas
City: New York
NetRange: 188.8.131.52 - 184.108.40.206
NetType: Direct Assignment
Spread the word:
Aflac's Email Dysfunction
Today we look into why Aflac, Inc (AFL) an Insurance company with millions of consumer records at risk can't keep from sending out a MegaTon of Pharm SPAM. According to Sender base
220.127.116.11 has increased its outbound e-mail by 757% in the last 24 hours.
I guess it is hard to keep bots off your network with over 7,700 employees and a Market Cap of over 23 Billion. Maybe Mr Amos with his 6M in salary can do something to protect all those innocent customer records being sniffed. We will tune in next week to see if anything has changed.
Spread the word:
We analized over 22,000 ASNs for every kind of eCrime including DDoS, Scanning, hosting Malware, sending Spam, hosting a phish, or transmitting virous. Below are the top 100 networks and the volume of incidents in the last 7 days.
We posted the complete list of networks with more than 28 incidents in the last 7 days to the DOA report list which you can sign up at http://www.support-intelligence.com/doa/
| asn | trim(left(org_name,40)) | volume |
| 4134 | No.31,Jin-rong Street - Beijing - 100032 | 80279 |
| 5617 | Polish Telecom's commercial IP network | 63652 |
| 3320 | Deutsche Telekom AG | 37871 |
| 9121 | Turk Telekom A.S. | 34459 |
| 19262 | Verizon Global Networks | 27315 |
| 7738 | Telecomunicacoes da Bahia S.A. | 26695 |
| 27699 | TELECOMUNICACOES DE SAO PAULO S/A - TELE | 21487 |
| 3462 | Data Communication Business Group - Chun | 19756 |
| 4766 | Korea Internet Exchange - | 15632 |
| 8151 | Uninet S.A. de C.V. | 15376 |
| 9498 | BHARTI BT INTERNET LTD. - BHARTI BRITISH | 14749 |
| 3215 | France Telecom Transpac Domestic IP Back | 14216 |
| 3209 | Arcor AG & Co. | 13672 |
| 4788 | TMnet, Telekom Malaysia - AS list of TMn | 11714 |
| 3269 | TELECOM ITALIA - INTERBUSINESS NET | 11470 |
| 3352 | Internet Access Network of TDE - Spanish | 9751 |
| 9318 | HANARO Telecom | 8438 |
| 5483 | Hungarian Telecom - Public Internet Acce | 8206 |
| 6147 | Telefonica del Peru S.A.A. | 8070 |
| 8359 | MTU-Intel Moscow region network | 7992 |
| 6713 | Itissalat Al-MAGHRIB - MAROC TELECOM | 7840 |
| 1267 | Infostrada S.p.A. - IUnet S.p.A. | 7290 |
| 7470 | ASIA INFONET Co.,Ltd. - Internet Service | 7152 |
| 2856 | BTnet UK Regional network | 7065 |
| 4814 | IP networkChina169 Beijing Broadband N | 6755 |
| 4755 | Videsh Sanchar Nigam Ltd. Autonomous Sys | 6218 |
| 17813 | Mahanagar Telephone Nigam Ltd. - ISP Div | 6191 |
| 4713 | NTT Communications Corporation | 5470 |
| 13184 | HanseNet Telekommunikation GmbH - Hambur | 5453 |
| 15557 | LDCOM NETWORKS pan european service Prov | 5192 |
| 7418 | Terra Networks Chile S.A. | 5057 |
| 209 | Qwest | 5041 |
| 5430 | freenet City LINE GmbH - Willstaetterstr | 4743 |
| 1680 | NetVision Ltd. - NetVision Ltd. | 4525 |
| 6849 | JSC UKRTELECOM | 4460 |
| 20115 | Charter Communications | 4412 |
| 22047 | VTR BANDA ANCHA S.A. | 4361 |
| 5486 | Euronet Digital Communications - (1992) | 4106 |
| 11427 | Road Runner | 4075 |
| 7132 | SBC Internet Services - Southwest | 3851 |
| 3243 | Telepac - Comunicacoes Interactivas, SA | 3689 |
| 9583 | Satyam Infoway Ltd., Private ISP in Indi | 3586 |
| 8764 | LIETUVOS-TELEKOMAS Autonomous System - V | 3549 |
| 3257 | Tiscali International Network B.V. | 3541 |
| 5462 | Telewest Broadband - UK Broadband ISP | 3467 |
| 9304 | Hutchison Telecom (HK) - Mobile, pager, | 3280 |
| 17858 | KRNIC - Korea Network Information Center | 3236 |
| 6739 | Cableuropa - ONO - C./ Basauri, 5 - Urba | 3222 |
| 5089 | NTL Group Limited - Hook, Hampshire - Un | 3190 |
| 18101 | Reliance Infocom Ltd Internet Data Centr | 3163 |
| 10036 | C&M Communication Co. Ltd. | 3140 |
| 4230 | Embratel | 3110 |
| 20001 | Road Runner | 3056 |
| 7552 | Vietel Corporation - Internet Exchange a | 2987 |
| 17974 | PT TELEKOMUNIKASI INDONESIA - JL JAPATI | 2934 |
| 6805 | Telefonica Deutschland Autonomous System | 2840 |
| 8881 | KomTel routing policies | 2826 |
| 5391 | HT, HiNet, Croatian telecom | 2683 |
| 16338 | AUNA Autonomous System - AUNA Group. - P | 2632 |
| 18403 | The Corporation for Financing & Promotin | 2632 |
| 24863 | LINKdotNET AS number - for any abuse com | 2564 |
| 15311 | Telefonica Empresas | 2524 |
| 12271 | Road Runner | 2522 |
| 6327 | Shaw Communications Inc. | 2511 |
| 33287 | Comcast Cable Communications, Inc. | 2460 |
| 9689 | Future's Cable Television, Inc. - 463-57 | 2444 |
| 13285 | Opal Telecom - Northbank Industrial Esta | 2444 |
| 17839 | Dreamcity Media - 423-6 Songnae-dong Sos | 2433 |
| 7029 | Alltel Information Services, Inc. | 2423 |
| 5610 | CZECH TELECOM, a.s - Olsanska 6 - Prague | 2395 |
| 19429 | ETB - Colombia | 2390 |
| 7015 | Comcast Cable Communications Holdings, I | 2277 |
| 12479 | Uni2 Autonomous System - Spain | 2242 |
| 11351 | Road Runner | 2196 |
| 5384 | Emirates Internet - Public Internet Serv | 2182 |
| 11426 | Road Runner | 2158 |
| 12542 | TVCABO Autonomous System - Portugal | 2136 |
| 1221 | Telstra Pty Ltd - Locked Bag No. 5744 - | 2082 |
| 12741 | Netia Telekom SA | 2049 |
| 6057 | Administracion Nacional de Telecomunicac | 1969 |
| 4775 | Telecom Carrier | 1943 |
| 9506 | Magix Broadband Network - Singapore Tele | 1848 |
| 33651 | Comcast Cable Communications, Inc. | 1846 |
| 10796 | Road Runner | 1825 |
| 5603 | SiOL Internet d.o.o. - Internet Service | 1799 |
| 36727 | INSIGHT COMMUNICATIONS COMPANY, L.P. | 1781 |
| 5713 | Telkom SA Ltd. | 1751 |
| 20214 | Comcast Cable Communications Holdings, I | 1745 |
| 4808 | IP networkChina169 Beijing Province Ne | 1726 |
| 9141 | UPC Poland | 1714 |
| 9050 | RTD-ROMTELECOM Autonomous System Number | 1689 |
| 5668 | CenturyTel Internet Holdings, Inc. | 1669 |
| 33491 | Comcast Cable Communications, Inc. | 1663 |
| 6478 | AT&T WorldNet Services | 1638 |
| 1257 | SWIPnet - Swedish IP Network | 1635 |
| 17864 | Hanvit I&B - 519-1, Gojan-Dong, Ansan-Ci | 1609 |
| 7693 | KSC Commercial Internet Co. Ltd. - 2/4 S | 1601 |
| 22291 | Charter Communications | 1593 |
| 3816 | Empresa Nacional de Telecomunicaciones | 1576 |
| 10091 | SCV Broadband Access Provider | 1429 |
Spread the word:
American International Group pulls in $113 billion in revenue per year, with $77 billion in cash on hand. They also have bots running on their network.
AIG wrote us to let us know that Britney Spears loves Rolex Watches
! Apparently. Or maybe just replicas. In either case, AIG sent us over 275 Rolex come-ons in the last month.
They're also apparently interested in our sex life, as they've asked us to visit this website:
The repeated requests have arrived from breeze.agfg.com and hail.agfg.com at 18.104.22.168 and 22.214.171.124 respectively.
The site offers what are apparently black market pharmaceuticals from a company with no phone number, false whois information, and a domain registered on February 18th - less than a month before receiving the advertisement.
The products offered on the site use the trademarks of Pfizer, Eli Lilly, Bayer, GlaxoSmithKline, you name it.
The company also has 15 public black listings since December 2206, on 3 separate public lists, from 11 separate IP addresses.
We encourage AIG to take a close look at breeze and hail listed above.
Spread the word:
Thomson Financial Corporation - number two in our profile of companies with bots running on their networks.
April 1st, we noted 126.96.36.199 ( 153-10.tfn.com) connecting to a command and control server via IRC. Unfortunately this is no April Fool's joke. Nor is the Botspam they've been sending us over the last month, such as this pump and dump sent from 188.8.131.52 on 3-15-2007:
We'd also recommend checking out 184.108.40.206 which sent us over 25 pieces of botspam in March most of which touted different over the counter stocks.
Spread the word:
Brian Krebs of The Washington Post
wrote an insightful piece on Fortune 500 companies, the bots on their networks, and the spam coming from their networks. The article
, appeared in Brian's Security Fix blog and called out ExxonMobile, American Electric Power, Indymac Bank, Dow Jones and a handful of others with recent problems on their networks.
Which is no bit deal if you don't drive a car, light your home, carry a mortgage, or read the news. Then again, doesn't the security of our power plants, oil tankers, banks, and news organizations affect every one of us?
Spread the word:
Dan Goodin of The Register
wrote an excellent article on bots operating on corporate networks. The article entitled Bots inside the Perimeter
features data collected from the Support Intelligence network and highlights distinct cases of bot spam flowing out of Oracle, HP, Best Buy, and others.
In the case of Oracle, the botspam was actually a phishing attack on Paypal. And with Best Buy the amount of spam pouring out its scuppers was in the thousands per week.
Houston, we have a problem.
Spread the word:
Our first review is the 3M company (Ticker MMM). In 23 days we collected 11 spam from 220.127.116.11 which is delegated to 3M by ARIN:
The spam were all image based Stock Pump-n-Dump SPAM touting stocks EXVG (up 15% today) BTOD (up 13% today) and GDKI (down 37%) Stock spam continues to plague companies traded on Over The Counter markets like the Pink Sheets. We reviewed the routes announced by 3M (AS7792) which announced the entire 18.104.22.168/14 as one block. Our analysis of the routes for this prefix shows no more specific announcements or any other origin for the 3M block. Once we have reasonably shown there were no route hijacking we can determine that our spamtrap did actually connect with and recieve SPAM from one of 3M's machines.
OrgName: 3M Company
Address: 3M Center
Address: Bldg 224-4N-27
City: St. Paul
NetRange: 22.214.171.124 - 126.96.36.199
3M shoulod consider taking a look at the following addresses:
Spread the word:
We have been collecting data on the top 500 networks in the Fortune 1000 companies evaluating how much SPAM/UCE they send. Over the next couple of weeks we will explore which global Fortune 1000 companies have bots inside their perimeter and sending out spam.
We will continue this coverage until corporate america is clean (ETA 2012)
Spread the word:
Get out the big microphone - what we've been saying all along about the growing bot problem finally hit the NY Times. John Markoff investigated the article which includes quotes from Dave Rand, David Dagon, Gadi Evron, K.C. Claffy, the ShadowServer folks and others.The article
quotes some good ballpark numbers on the threat:
- 11% of the 650 million computers on-line contain botnet code
- 250,00 new systems get botted every day
- 80% of all spam originates from botnets now
- We passed the billion spam a day by a single ISP point back in December
Anyway, it's a thoughtful read that brings some badly needed attention to the size of the problem.
Plus you can check out our spooky picture in the paper
too in case the facts themselves don't scare you enough.
Spread the word:
Today we're launching a little something we like to call the Digest of Abuse Report - or DOA Report for short.
The Digest has two parts:
1) A summary list of new
abuse broken down by Autonomous System
2) Individual notifications to AS operators about abuse on their networksThe Summary List
We track the 23,000+ ASN's announced in the global routing system and assign abuse on each ASN to it. Since listing all 23,000 would be terribly long, we've elected to just list the top 100 or so for now.
In future reports, we plan on breaking down the lists by geography, either country or RIR area, and possibly by type of network as well - mil, edu, net, com. We'd also like to offer trending data and more detail for those who are interested.
If you have suggestions on ways to present the data let us know there's a lot we could do with it.The DOA Mailing List and Monthly Postings
The list comes out weekly - if you'd like to receive a copy just sign up for our mailing list
. Additionally we'll be posting the list on a monthly basis to NANOG, and a few other lists.Individual Notifications
On top of that, we'll be informing network operators of the abuse we observe on their networks over the past week. The reports have specific IP Addresses, Issue Types, Reporting Source, and UTC Timestamp. Our hope is these reports will inform network operators of the scope of the issues on their networks, and help them identify and clean up specific abuse problems.
We will of course respect the wishes of operators who don't want to receive follow-up reports. If this is you, just reply to the report and we won't send you future reports.Let's Hear Your Feedback!
This stuff is important! It affects network stability, individual privacy, business continuity, and everyone's pocketbook. We need to be informed about the overall view of abuse, the trends, and where it's lurking. So we want to get it right. The point isn't to shame anyone - every network has an abuse problem - it's simply to inform the community on the lay of the land.
Many, many people have asked us to publish this data in a digestible form to the community to raise awareness. So if you have any suggestions or feedback for us let us know!
rick or adam 'at' support-intelligence.com
Rick and AdamDOA Report for Week of 11-21-2007 - Top 100 Networks
| ASN || || New Issues || ||AS Name |
|4134 || ||363688 || ||CHINANET-BACKBONE |
|4837 || ||172003 || ||CHINA169-Backbone |
|9121 || ||149716 || ||TTNet |
|5617 || ||101372 || ||TPNET |
|4766 || ||98485 || ||KIXS-AS-KR |
|3352 || ||94837 || ||TELEFONICA-DATA-ESPANA Internet Access |
|3320 || ||89415 || ||Deutsche Telekom AG |
|3215 || ||84594 || ||AS3215 |
|9829 || ||81474 || ||BSNL-NIB |
|19262 || ||80989 || ||Verizon Internet Services |
|3269 || ||67398 || ||ASN-IBSNAZ |
|4788 || ||65140 || ||TMNET-AS-AP |
|8151 || ||59492 || ||Uninet S.A. de C.V. |
|3462 || ||55358 || ||HINET |
|9498 || ||48106 || ||BBIL-AP |
|22927 || ||37388 || ||Telefonica de Argentina |
|3209 || ||34786 || ||UNSPECIFIED |
|8359 || ||32696 || ||MTUONLINE |
|4814 || ||31552 || ||CHINA169-BBN |
|12322 || ||31364 || ||PROXAD AS for Proxad ISP |
|9318 || ||29769 || ||HANARO-AS |
|4812 || ||29068 || ||CHINANET-SH-AP |
|8551 || ||28112 || ||ISDN-NET-AS |
|6147 || ||24673 || ||Telefonica del Peru S.A.A. |
|6713 || ||23637 || ||IAM-AS |
|9105 || ||21123 || ||TISCALI-UK |
|4755 || ||21067 || ||VSNL-AS |
|1267 || ||19952 || ||ASN-INFOSTRADA Infostrada S.p.A. |
|13184 || ||19924 || ||HANSENET HanseNet Telekommunikation GmbH |
|2856 || ||19472 || ||BT-UK-AS |
|7418 || ||18973 || ||Terra Networks Chile S.A. |
|7470 || ||18958 || ||ASIAINFO-AS-AP |
|15557 || ||18033 || ||LDCOMNET |
|12479 || ||17065 || ||UNI2-AS Uni2 Autonomous System |
|4713 || ||16881 || ||OCN NTT Communications Corporation |
|12876 || ||16834 || ||AS12876 |
|9116 || ||16735 || ||Goldenlines main autonomous system |
|3243 || ||16519 || ||RIPE NCC ASN block |
|5486 || ||16102 || ||Euronet Digital Communications |
|5713 || ||15296 || ||Telkom SA Ltd. |
|9583 || ||13911 || ||SIFY-AS-IN |
|6739 || ||13856 || ||ONO-AS |
|1680 || ||13730 || ||NETVISION |
|9299 || ||13709 || ||IPG-AS-AP |
|8708 || ||13436 || ||RDSNET |
|8228 || ||13124 || ||CEGETEL-AS CEGETEL ENTREPRISES |
|8584 || ||12926 || ||Barak AS |
|16338 || ||11415 || ||AUNA_Telecom-AS |
|9304 || ||11369 || ||HUTCHISON-AS-AP |
|4230 || ||11148 || ||Embratel |
|12715 || ||11066 || ||JAZZNET |
|1257 || ||10944 || ||TELE2 AB |
|5430 || ||10919 || ||FREENETDE |
|209 || ||10853 || ||Qwest |
|17974 || ||10781 || ||TELKOMNET-AS2-AP |
|5462 || ||10469 || ||CABLEINET Telewest Broadband |
|20115 || ||10301 || ||Charter Communications |
|8452 || ||9883 || ||TEDATA TEDATA |
|8167 || ||9816 || ||TELESC - Telecomunicacoes de Santa Catarina SA |
|24863 || ||9602 || ||LINKDOTNET-AS LINKdotNET AS number |
|5384 || ||9277 || ||EMIRATES-INTERNET |
|9506 || ||9063 || ||MAGIX-SG-AP |
|7132 || ||8863 || ||SBC Internet Services |
|22047 || ||8407 || ||VTR BANDA ANCHA S.A. |
|8764 || ||8334 || ||TELECOMLT-AS |
|6478 || ||8156 || ||AT&T WorldNet Services |
|6400 || ||8141 || ||Codetel |
|5483 || ||8126 || ||HTC-AS Hungarian Telecom |
|5089 || ||8105 || ||NTL NTL Group Limited |
|3257 || ||7803 || ||TISCALI-BACKBONE |
|7693 || ||7696 || ||COMNET-TH |
|12542 || ||7594 || ||TVCABO Autonomous System |
|6849 || ||7444 || ||UKRTELNET |
|15311 || ||7095 || ||Telefonica Empresas |
|1221 || ||6908 || ||ASN-TELSTRA |
|6057 || ||6886 || ||Administracion Nacional de Telecomunicaciones |
|6799 || ||6715 || ||OTENET-GR OTEnet S.A. Multiprotocol Backbone |
|7029 || ||6510 || ||Alltel Information Services, Inc. |
|6830 || ||6482 || ||UPC |
|13285 || ||6291 || ||OPALTELECOM-AS |
|8881 || ||6178 || ||VERSATEL |
|8402 || ||6086 || ||CORBINA-AS |
|2860 || ||6038 || ||NOVIS Novis Telecom, S.A. |
|6855 || ||5853 || ||SK SLOVAK TELECOM, AS6855 |
|20838 || ||5851 || ||YIF-AS |
|11427 || ||5718 || ||Road Runner |
|7018 || ||5587 || ||AT&T WorldNet Services |
|10091 || ||5542 || ||SCV-AS-AP |
|19548 || ||5507 || ||Adelphia |
|12880 || ||5472 || ||DCI-AS |
|10318 || ||5206 || ||CABLEVISION S.A. |
|15475 || ||5140 || ||NOL |
|5668 || ||5103 || ||CenturyTel Internet Holdings, Inc. |
|4775 || ||5080 || ||GLOBE-TELECOM-AS |
|5466 || ||5067 || ||EIRCOM Eircom |
|4780 || ||4962 || ||SEEDNET Digital United Inc. |
|11426 || ||4949 || ||Road Runner |
|6327 || ||4871 || ||Shaw Communications Inc. |
|8866 || ||4803 || ||BTC-AS |
|28573 || ||4753 || ||NET Servicos de Comunicao S.A. |
Spread the word:
We've been busy as bees here at SI the last month despite the endless sunshine here in SF tempting us to go ride mountan bikes instead. So what's new you ask?New REACT Features
First of all, we've released a new rev of the REACT anti-abuse tool with new knobs and dials. The new version includes a column for data source letting users see exactly where individual abuse reports are coming from. You'll now be able to see your favorite black lists called out in addition to the type of abuse listed. A lot of our users asked for this so here it is. You'll also see data labeled SI which comes from our own spam traps and honey pots. Very cool.
For the large networks, we've also instituted pagination for networks with longer abuse reports. And as always the Download CSV button will give you a full view of your abuse report.
If you haven't checked out the demo - log on in -
We think it's pretty cool.Upcoming REACT Features
So what's coming next? As always we follow our users feedback - Real time alerts, a trouble ticketing system interface so you can automatically open tickets, reverse DNS lookups, volume data on spam senders, more data sources and a handful of other goodies to help you track down and stomp out abuse.
We'll have at least two more releases before the end of the year, so hang onto your hats.Digest of Abuse
In addition to working on REACT, we're also launching a new list tracking the overall state of internet abuse called the DOA List. Maybe it really stands for Dead on Arrival, maybe not - we're not saying. Either way, the weekly list will contain abuse reports on the top networks broken out by ASN and geography. Should be fun and a bit surprising. Check it out on the Digest of Abuse Page
.Rick Wesson at APWG
Rick will be speaking on a pannel at the upcoming Anti-Phishing Working Group meeting in Orlando Florida on the 15th of November. Sharing the pannel with him will be Randy Vaughn of Baylor University and David Dagon of Georgia Tech. The subject? Botnet infection rates.Adam and Rick at ISPCon
Both of us will be down in Santa Clara next week at ISPCon meeting folks and talking about what's going on on their networks. It'll be a good time and informative as always.
As always, feel free to contact us with ideas, feature requests, and questions....
Spread the word:
One of the scarriest things about getting hacked is you won't even know it.
Sooner or later your virus scanner will fail, you'll click on the wrong web page, or someone will plug an infected laptop into your network and Kapow! You'll be the latest victim. But odds are you won't notice it until it's too late. Botnets are Designed for Stealth
Modern botnets are sneaky creatures. They disable virus scanners, swap out diagnostic tools, and use just enough system resources to fly under the radar. Some polymorphic varieties even reload themselves every six hours in a morphed form so signature scanners can't detect them.Virus Scanners Fail
Even if you're armed with the latest defenses that may not be enough to detect bots running on your systems. Recent reports by Australian CERT show that many popular virus scanners miss up to 80% of viruses.
Old fashioned signature detection is failing against these rapidly morphing, low profile viruses. Taking the same-old precautions you used to take yesterday isn't enough to deal with these new security threats.And Now for the Bad News
But it gets worse. Not only are these bots sending spam like they have for years, they're also stealing more identities than before. Keylogging and packet sniffing are on the rise as organized crime moves into the cyber world.
Modern botnets for example capture all forms before
they're encrypted by HTTPS - so any
online transaction gets captured, including logins, passwords, social security numbers, addresses, and of course, credit card numbers.
Once a bot starts running on your systems, it's a race to see how much identity information it can steal before being detected and shut down. Speed is of the essence.Behavioral Detection
So if signature detection isn't enough what are we supposed to do? Fortunately there's a new school of bot detection. Behavioral detection looks for signs of bot activity as opposed to the profile of the infected code.
For a bot to be effective it has to do
something - and these somethings are detectable. Propagation, "phoning-home" to command and control servers, spamming, offering proxy services, and other behaviors all leave tell tale signs of an infection.IP Monitoring
So unless you're looking for signs of botnet activity on your network you're pretty much sleepwalking into rush hour traffic. The good news is with behavioral based IP monitoring you can be alerted instantly to signs of bot activity on your network.
No defense if perfect, so you'd better know when they fail. And as soon as possible, because the identity theft clock starts ticking as soon as you're hacked. Behavioral monitoring offers us the best next wave of detection and response to these kind of threats.
Spread the word:
Okay, so your network is sending spam. Who cares?
Believe me - you care - you just don't know it yet. Why? Because that might not be your spam flooding out of your network. Marketing Mail or Botnet?
The most important question about spam from your network is did you intentionally send it or not? If it's really your junk mail, you've got a small problem. You need to review the CAN-SPAM act and clean up your marketing program.
But if you didn't send it, you've got a much bigger problem - you've been hacked. Botnets and Spam
66% of spam on the internet is sent by botnets these days. Why? Because hacked computers are cheap, easy, and highly disposable. Hackers and spammers will gladly use your systems to send spam if they can - and when the fallout lands on you they just walk away. At the benign end this means your mailserver ends up blacklisted, your email marked as spam and thrown on the floor. At the scary end, you end up in violation of CAN-SPAM which has penalties of up to $10,000 per incident. Yikes! So, if your network is sending spam you'd better be aware of it. From Spam to Identity Theft
As if this wasn't bad enough. Increasingly hackers are loading key loggers, screen grabbers, and packet sniffers on these same systems. Makes sense - why earn 10 cents a day sending spam when a single keylogger can capture credit cards, social security numbers, account passwords - everything you need to make several thousand dollars. According to the FTC the average identity theft reaps $4800 for the thief, and leaves the victim with 60 hours of clean up.
How to Protect Yourself
Okay so this all sounds pretty bad. So what can you do about it? First, you need to know when your network is sending spam, or making other suspicious transactions on the internet. This means monitoring your network! Otherwise you're flying blind. If you're sending spam unintentionally, it's probably a botnet operating on your network. And if you've been hacked it's only a matter of time before your identity gets stolen, so speed is of the essence. The good news is once you know you've got a problem there are a number of easy ways to fix it from anti-virus software to reinstalling the operating system. So don't lose hope, pay attention to spam you're sending, and be sure to monitor.
Spread the word: