Of Spam & Men


Monday 3 March 2008

no free speech to spam

Virginia's Supreme Court on Friday upheld the first US felony conviction for spamming. The spammer will serve nine years in prison for sending what authorities believe to be millions of messages over a two-month period in 2003.

While defending Jaynes, his lawyers attempted to argue that a provision of the Virginia Computer Crimes Act violates constitutional First Amendment rights to "anonymous speech," as well as the interstate commerce clause of the US Constitution. The court rejected these claims due to Jaynes' use of fake e-mail addresses, which breaks the US CAN SPAM law's condition of giving recipients a means of contacting the sender.

from ars technica

Monday 11 February 2008

Nigerian Scam: from help requests to death threats

Who hasn't received one of those Nigerian Scam or 419 scam e-mails yet? For those who haven't:

This scam usually begins with a letter-form e-mail sent to many target recipients making an offer that will purportedly result in a large payoff for the intended victim. The stories behind the offers vary, but the standard plot is that a person or government entity is in possession of a large amount of money or gold. This person, for myriad reasons, either cannot access the wealth directly or is no longer in need of it. Such people, who are fictional or impersonated characters played by the scammer, could include the wife of a deposed African or Indonesian leader or dictator, a terminally ill wealthy person, a wealthy foreigner who had deposited money in the bank just before dying in a plane crash, leaving no will or known next of kin, a U.S. soldier who has stumbled upon a hidden cache of gold, a business being audited by the government, a disgruntled worker or corrupt government official who has embezzled funds, a refugee, and similar characters. The money could be in the form of gold bullion, gold dust, money in a bank account, so-called "blood diamonds", a series of cheques or bank drafts, and so forth. The sums involved are usually in the millions of dollars, and the investor is promised a large share, often forty percent or more, if they will assist the scam character in retrieving the money from holding and/or dispense of it according to the scam character's wishes. The proposed deal is often presented as a "harmless" white-collar crime, in order to dissuade participants from later contacting the authorities.

Anyway, since this form of polite request doesn't seem to work well enough anymore, they have changed their technique: they now tell you to give them money or... they will shoot you dead:

"Am very sorry for you my friend, is a pity that this is how your life is going to end as soon as you don't comply. … I don't have any business with you, my duty as I am mailing you now is just to KILL/ASSASINATE you and I have to do it as I have already been paid for that."

If people aren't gullible enough to fall for polite help requests, will they really fall for these brute death threats?

from STLToday

Monday 28 January 2008

Studying Malware Analysis In College

F-Secure is about to start a course called "Malware Analysis and Antivirus Technologies" at the Helsinki University of Technology. I really wish we had had that kind of class when I was in college!

And since F-Secure is full of cool people, they are providing the slides of the lectures that have already been given!

On the menu:

  • General introduction of the course [slides]
  • Fighting Online Crime [slides]
  • Windows operating system: Antivirus perspective.
  • Legal aspects of reverse engineering. Reverse engineering I
  • Reverse engineering II
  • Reverse engineering tools hands on classes
  • Mobile malware.
  • Using debuggers to analyze malware
  • Emulators and disassemblers. Behavioral analysis of malware.
  • Reverse engineering III
  • Unpacking and decrypting malware
  • Antivirus engine design.

from F-Secure

Saturday 26 January 2008

Google as an RBL

From SecuriTeam:

For those not familiar with RBL, the term means Real-time Blackhole List; it is mainly used for SPAM fighting. I have recently started playing around with Google as an RBL engine; the idea is that if the search term I use gets too many hits, it is likely to be SPAM.

This is actually interesting. I've been googling URLs found in spam for a little while now; those kinds of searches never return tons of pages, but they do return a few, and most of the time they are security-related sites. This "Google RBL" could be pretty useful coupled with a list of trusted security sites: if the search returns a few URLs from those sites, then the mail is likely to be spam or malware related. What about a mail with "http://securityfocus.com" in the body? Uh-huh... definitely not bulletproof! So better to stick to the IP of the sender and just count the number of hits returned by Google.

from securiteam

Wednesday 23 January 2008

Storm Worm: Early Valentine

Looks like the spammers are a little early on that one, but here are the subjects used by this version of the Storm worm:

  • A Dream is a Wish
  • A Is For Attitude
  • A Kiss So Gentle
  • A Rose
  • A Rose for My Love
  • A Toast My Love
  • Come Dance with Me
  • Come Relax with Me
  • Dream of You
  • Eternal Love
  • Eternity of Your Love
  • Falling In Love with You
  • For You....My Love
  • Heavenly Love
  • Hugging My Pillow
  • I Love You Because
  • I Love You Soo Much
  • I Love You with All I Am
  • I Would Dream
  • If Loving You
  • In Your Arms
  • Inside My Heart
  • Love Remains
  • Memories of You
  • A Token of My Love
  • Miracle of Love
  • Our Love is Free
  • Our Love Nest
  • Our Love Will Last
  • Pages from My Heart
  • Path We Share
  • Sending You All My Love
  • Sending You My Love
  • Sent with Love
  • Special Romance
  • Surrounded by Love
  • The Dance of Love
  • The Mood for Love
  • The Time for Love
  • When Love Comes Knocking
  • When You Fall in Love
  • Why I Love You
  • Words in my Heart
  • Wrapped in Your Arms
  • You... In My Dreams
  • Your Friend and Lover
  • Your Love Has Opened
  • You're myDream

We caught about 67,000 of those in less than 15 days already... talk about a storm!

Saturday 15 September 2007

Greylist effect

We decided to activate the greylisting antispam solution for all our mailboxes at work. Here is how it shows on our graphs:

[Graph: greylisting.png]

Thursday 16 August 2007

Web Server Software and Malware

From Google Online Security Blog:

"In this post we investigate the distribution of web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads."

Their numbers are slightly different from Netcraft's, but they give a fairly good explanation of why. According to Google, IIS and Apache each account for the same share of the web servers distributing malware overall.

Interesting facts: in the US, 80% of malware is served by Apache; in China, 95% by IIS...

From Google Online Security Blog

Tuesday 7 August 2007

Spam King gets 30 years in jail

Christopher Smith, the notorious "pharmacy spam king," has received a 30-year jail sentence for running an illegal internet store that sold millions of dollars' worth of prescription drugs.

via Secure Computing Magazine

Wednesday 1 August 2007

Detecting doc/zip/xls/pdf spam with SpamAssassin

When trying to build SpamAssassin rules to detect a new kind of spam, it's always useful to have several copies of the spam so you can check which parts never change.
In the case of the pdf/zip/doc/xls/etc. spam, even if the spammer did a lot of work to try to make it undetectable, he forgot something: the boundary line of the Content-Type header is always built the same way, and it isn't common at all:

------------ followed by a random 24-character alphanumeric string.

I've searched my INBOX (more than 50 000 messages) and this boundary pattern only matches the spam.

From this, we can build our first SA rule:

# "full" rules are matched against the whole raw message (headers and body); note that \d{24} matches 24 digits
full __UN_KNOWN_BOUND /boundary="------------\d{24}"/

Now, it's safer to make sure it's really spam by adding some attachment detection:

# each sub-rule fires when the corresponding MIME type appears anywhere in the raw message
full __UN_PDF_ATTACH /application\/pdf/i
full __UN_OCTSTREAM_ATTACH /application\/octet-stream/i
full __UN_WORD_ATTACH /application\/vnd.ms-word/i
full __UN_EXCEL_ATTACH /application\/vnd.ms-excel/i

Then we can build a meta rule that matches our spam (the __ prefixed rules are sub-rules and add no score on their own):

meta UN_ATTACH_SPAM __UN_KNOWN_BOUND && (__UN_PDF_ATTACH || __UN_OCTSTREAM_ATTACH || __UN_WORD_ATTACH || __UN_EXCEL_ATTACH)
score UN_ATTACH_SPAM 10
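The same rule set as a stand-alone check, added here as an example and not part of the original post: the four sub-rules and the meta rule are re-expressed in Python so they can be tried on a raw message without a SpamAssassin install. The sample messages are constructed for the demonstration; the boundary strings and filenames are assumptions, not values taken from real spam.

```python
import re

# The post's four sub-rules and the meta rule, re-expressed in Python.
# Like SpamAssassin "full" rules, each pattern is run over the complete
# raw message text (headers and body), not over a parsed MIME tree.
SUB_RULES = {
    "__UN_KNOWN_BOUND": re.compile(r'boundary="------------\d{24}"'),
    "__UN_PDF_ATTACH": re.compile(r"application/pdf", re.I),
    "__UN_OCTSTREAM_ATTACH": re.compile(r"application/octet-stream", re.I),
    "__UN_WORD_ATTACH": re.compile(r"application/vnd\.ms-word", re.I),
    "__UN_EXCEL_ATTACH": re.compile(r"application/vnd\.ms-excel", re.I),
}
ATTACH_RULES = ("__UN_PDF_ATTACH", "__UN_OCTSTREAM_ATTACH",
                "__UN_WORD_ATTACH", "__UN_EXCEL_ATTACH")
UN_ATTACH_SPAM_SCORE = 10  # "score UN_ATTACH_SPAM 10"


def sub_rule_hits(raw):
    """Return {rule_name: True/False} for each sub-rule on the raw message."""
    return {name: rx.search(raw) is not None for name, rx in SUB_RULES.items()}


def un_attach_spam_score(raw):
    """meta UN_ATTACH_SPAM: odd boundary AND at least one attachment type."""
    hits = sub_rule_hits(raw)
    if hits["__UN_KNOWN_BOUND"] and any(hits[r] for r in ATTACH_RULES):
        return UN_ATTACH_SPAM_SCORE
    return 0


def _message(boundary, part_type):
    # Minimal two-part MIME message; a constructed sample, not real mail.
    return (
        "From: sender@example.com\r\nTo: you@example.com\r\nSubject: pdf\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        f'--{boundary}\r\nContent-Type: {part_type}; name="pdf.pdf"\r\n'
        f"Content-Disposition: attachment\r\n\r\nJVBERi0xLjQK\r\n--{boundary}--\r\n"
    )


# Constructed samples: the boundary shape from the post with a PDF part, a
# boundary a normal mailer might produce, and the odd boundary with no attachment.
SPAM_PDF = _message("------------123456789012345678901234", "application/pdf")
LEGIT_PDF = _message("=_NextPart_000_0005_01C7D3F0", "application/pdf")
ODD_BOUND_TEXT_ONLY = _message("------------123456789012345678901234", "text/plain")

if __name__ == "__main__":
    for label, msg in (("spam", SPAM_PDF), ("legit", LEGIT_PDF),
                       ("odd boundary, no attachment", ODD_BOUND_TEXT_ONLY)):
        print(f"{label}: UN_ATTACH_SPAM score = {un_attach_spam_score(msg)}")
```

The third sample shows why the meta rule requires both conditions: the boundary alone fires __UN_KNOWN_BOUND but adds no score.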

Tuesday 31 July 2007

More stupid tricks from spammers

Already found out how to block image spam embedded in .xls and .doc documents? Lucky you. Spammers have a new challenge for you (ok, an easy one): I just received a spam with "pdf" as the subject and a pdf.zip file attached, which contains a pdf.txt file with the actual spam in it... That's not very original, it's even boring (I suspect it's even counterproductive for them to generate all those files when the victim has to open 3 applications to get to the actual spam).

Come on spammers, you can do better than that!

Tuesday 24 July 2007

iPhone vulnerability video

A vulnerability was found in MobileSafari allowing an intruder to get access to your iPhone's filesystem. See the video:

Get the iPhone technical security analysis by securityevaluators.com here.

Monday 23 July 2007

Chat^WTroll with malware authors

CastleCops.com is a popular site aimed at providing information to assist computer security education. Their forums are particularly useful when you think something fishy is going on; a lot of very well-informed people participate there.

Recently a conversation about rogue domains used by the (nasty) Zlob malware was posted, and the malware author came along and tried to explain that his little creation wasn't malware and that they weren't doing anything bad. No need to tell you the discussion literally went kaboom.

via The SpywareGuide Greynets Blog

FaceTime: IM & P2P attacks on the rise

FaceTime Security Labs, a research lab focused on IM security, recently reported that IM & P2P attacks are on the rise: a 5% increase in incidents targeting public IM and P2P channels in Q2 2007 compared to Q1 2007. For comparison, over the same period in 2006 a 35% decrease was seen.

The SpywareGuide Greynets Blog summarizes:

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

via The SpywareGuide Greynets Blog

Tired of pdf spam? Try the new .doc, .xls and .zip spam!

Some reports say that a new kind of spam has just appeared. This time the spam is embedded in a .doc file. I have heard people say they also got .xls and .zip spam. This is getting interesting... what will they use next?

via securiteam

Monday 7 May 2007

harvesting using adblock


Or The Amish Virus through Adwords

Didier Stevens conducted a little experiment: what if he used AdWords to tell people to visit his blog to get infected by malware? His ad said "Is your PC virus-free? Get it infected here!" and it ran for 6 months. Of course, clicking on the link would not infect the visitor's computer, but it could have. Guess how many people clicked? 409.

409 people wanted their computer infected? Well, I guess people don't read. How many people use Google to surf, thinking that AdWords ads are actually results given by Google?

Wednesday 21 March 2007

Stocks spams do work

Choose an unknown, forgotten, valueless stock like DIAAF.OB, quoted at $0.0008 per share. Buy millions of shares; it will make the price rise (you are creating demand) to $0.0011. Now, flood the world with spam advertising how the stock price is rising... you'll create more demand, and the share price will rise further. And now? Sell. You're rich.


Saturday 10 March 2007

Fun with cellphones

Ever heard of the cellphone cloning method? It's a way of transferring the identity of one phone to another, generally for the purpose of making fraudulent calls. It's fun because if you are located near the same transmission tower as the cellphone you cloned, you'll get copies of text messages and calls made to the original phone. You'll need to have access to the original cellphone, clone the SIM, then upload the SIM data into your phone. No easy thing.

What about being able to get any unencrypted transmission made around your cellphone directly on it?


Virus watch: Warezov domains

Warezov, Spamthru... viruses used by spammers. They are pretty easy to detect if you can monitor HTTP connections: more and more viruses try to fetch data (spam templates or updates) from dedicated domains. If you can monitor those domains, you can detect infected computers on your network.


Saturday 3 March 2007

Greylist experimentation results

Here at work we are averaging 66% spam, which means that most of our users get twice as much spam as regular mail. I know some users who even gave up on email because they were getting 90% spam. We use SpamAssassin and CRM114, so we tag every detected mail (we aren't allowed to delete mail, even if SpamAssassin scores it at 1000, for security reasons). Still, users like to complain that they get too much spam.

Anyway, we decided it was time to test greylisting to try to reduce the amount of pollution in users' mailboxes.


Tuesday 27 February 2007

New Image Spam: obfuscated AND animated

I just got a new piece of image spam, and it's not only obfuscated but also animated.

[Image spam sample: 2cmPSN9TBs.gif]
