Of Spam & Men


Friday 9 February 2007

Yay! More Virus Wars!

Remember the 2004 war between Mydoom, Netsky and Bagle, where each new variant would uninstall and destroy previously installed variants of the other two? It looks like a new war is starting out there.

Continue reading...

Monday 5 February 2007

Online System Security Scanners

Claus Valca posted a long list of online scanners:

  • Primarily virus/trojan related online scanners
  • Single-File Upload Scanners
  • Malware (spyware/adware/etc.) Online Scanners
  • Online "single-file" Multi-Scan Test Websites
  • Software or System Security Vulnerability Scanners
  • Not Quite "Fully-Online" Based Software or System Security Vulnerability Scanners

Continue reading...

Thursday 18 January 2007

68 Gigabytes

68 Gigabytes is the amount of email addresses F-Secure downloaded from a server used by the Medbot spam virus.

Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.

The server addresses keep changing. Last week seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 Gigabytes of e-mail addresses from this

Continue reading...

Friday 12 January 2007

Disposable Email Services

A good way to keep your main email address from being spammed is not to use it when creating web accounts or subscribing to websites. Managing several email accounts isn't trivial, and dropping a free account as soon as it starts being spammed only to open another one the next minute isn't really useful either.

What you really need is a temporary email address you can use to prove you're not a robot. One you can throw away as soon as you have used it. That's what disposable email services are for.

Continue reading...

Wednesday 10 January 2007

Mysterious drop in fraud and spam

Security firm SoftScan noticed a 30% drop in spam levels last week, attributing the cut to a "broken" botnet.

SoftScan is still investigating the possible cause of the significant drop in junk mail volumes it's recording but reckons the most likely explanation is that hackers have temporarily lost control of a significant network of compromised machines. It seems unlikely that new computers at Christmas had much to do with affecting the number of compromised machines out there.

Alternatively the drop in spam might be a result of the recent earthquake in Asia disrupting spamming activity from that region, but this theory fails to explain a gradual (rather than more sudden) drop off in spam levels this month.

By contrast junk mail levels remained much as normal throughout December including the period around the 26 December earthquakes off Taiwan. Nine in ten emails processed by Softscan last month (89.4 per cent) were identified as junk mail. Only one in 200 emails (0.5 per cent) scanned by the firm last month were infected by malware, despite the outbreak of a worm that posed as a seasonal "Happy New Year" greeting late in the month.

Continue reading...

IM worm on Yahoo!

Trend Micro reports a new worm spreading over Yahoo! Messenger (which unfortunately has nothing in common with my ICQ mystery). The worm sends links, some of which look like pictures (but are not):

    1. http://{blocked}.info/who.jpg
    2. http://{blocked}.info/friendpic1.jpg
    3. http://{blocked}.com/Gallery/albums/album/index.php
    4. http://{blocked}.com/Gallery/albums/album/index2.php
    5. http://{blocked}.com/Gallery/albums/album/YMworm.exe
    6. http://{blocked}.com/Gallery/albums/album/worm2007.exe

Continue reading...

Wednesday 3 January 2007

Research: IM Malware Attacks on the Rise

According to a new research report produced by security software maker Akonix Systems, in San Diego, experts at the company unearthed some 406 new IM-borne threats over the last 12 months, compared with 347 attacks tracked by the company in 2005.

In 2004 the company's security analysts discovered just under 50 attacks that were carried out either via IM or peer-to-peer technologies.

However, attacks delivered via P2P networks appear to be falling in popularity, as Akonix researchers recorded an 11 percent decrease in that type of threat during December 2006, with only 16 such attacks reported for the month. Akonix traditionally reports its research of IM and P2P threats simultaneously.

Continue reading...

Monday 1 January 2007

SMTP Stats for December 2006

In December:

  • Received: 5,895,458 mails (+11%)
  • Sent: 1,439,174 mails (-22%)
  • Detected spam: 3,737,015 (63.3%, +8.1%)
  • Image spam: 911,715 (24.3% of detected spam)
  • Detected viruses: 55,511 (0.9%, hello Trojan-Downloader-390!)

Continue reading...

Wednesday 27 December 2006

ORDB.org is shutting down

ordb.org was one of the rare open-relay RBLs (Realtime Blackhole Lists) that would actually test a server before blacklisting it. You could always get your servers delisted after correcting the problem, since ORDB would also re-test a server before removing it from its RBL. It was my favorite RBL, and it's shutting down (if your MTA still queries it, drop it from your RBL list before the zone goes dark):

Continue reading...

Thursday 21 December 2006

What's going on with Warezov on ICQ?

A few weeks ago our network provider reported that they had caught a few HTTP requests (a few GETs for map.src and picture.pif) to a known Warezov domain coming from one of our IPs. Warezov and its variants are easy to track since, once activated, they try to update themselves by fetching an update from several domains created for this purpose. So a computer on our network was suspected of being infected. I investigated and discovered that the IP involved actually belonged to a Linux box. No, not even a dual-boot box.

After asking the lady who used the computer that day, I understood that she certainly hadn't fetched the Warezov update on purpose and that she had only used meebo.com (a web messenger service) and Yahoo Mail. She did report a few weird messages from people she didn't know on ICQ, though. A few days later, another user reported the same kind of messages on ICQ, but this time pointing to an unknown Warezov domain! No antivirus vendor currently links Warezov and ICQ. So what's going on with Warezov on ICQ?

Continue reading...

Saturday 16 December 2006

Catching image spams with Spamassassin

Image-only spam now accounts for more than 40% of all spam being sent (here, yesterday: 155,833 spams were detected and 67,401 of them were image-based, a nice 43%). How do you detect it?

Well, first a warning: there is no 100% safe way to tell whether a mail containing an image is spam or not. Of course you don't want to block every mail carrying a JPG or GIF. No safe rule, then, but you can still combine several criteria:
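As an added example (not code from this post, whose own list of criteria is cut off in this excerpt), here is a small Python scorer built on the standard library's email package. It combines three signals that each point at an image carrying the whole message: an image part with almost no text beside it, an HTML body that exists only to display an embedded cid: image, and images nobody bothered to name. The weights and thresholds are assumptions, as are the two constructed sample messages: an HTML shell whose only content is an inline GIF, and a genuine mail with text and a named JPEG attachment.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict

# Both samples below are constructed for this example; they are not real mail
# from the university's feed.


def build_image_only_spam() -> bytes:
    """A typical image-only spam: an HTML shell whose only content is an inline GIF."""
    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hot stock tip"
    msg.set_content('<html><body><img src="cid:pitch"></body></html>', subtype="html")
    # Fake GIF header plus filler, attached as an inline part with a Content-ID.
    msg.add_related(b"GIF89a" + b"\x00" * 200, maintype="image", subtype="gif", cid="<pitch>")
    return bytes(msg)


def build_legit_photo_mail() -> bytes:
    """A legitimate mail: real text plus a named JPEG attachment."""
    msg = EmailMessage()
    msg["From"] = "paul@example.invalid"
    msg["To"] = "marie@example.invalid"
    msg["Subject"] = "Photo from Saturday"
    msg.set_content(
        "Hi Marie,\n\nHere is the photo from Saturday's hike. I will send the rest\n"
        "once I have sorted them out.\n\nPaul\n"
    )
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 200,
                       maintype="image", subtype="jpeg", filename="hike.jpg")
    return bytes(msg)


def image_spam_features(raw: bytes) -> Dict[str, int]:
    """Count image parts, how they are referenced, and how much real text there is."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    feats = {"image_parts": 0, "unnamed_images": 0, "inline_images": 0,
             "cid_refs": 0, "text_chars": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            feats["image_parts"] += 1
            if part["Content-ID"] is not None:
                feats["inline_images"] += 1
            if part.get_filename() is None:
                feats["unnamed_images"] += 1
        elif ctype == "text/html":
            html = part.get_content()
            feats["cid_refs"] += len(re.findall(r"""src\s*=\s*["']?cid:""", html, re.I))
            # Text that survives once the tags are stripped is what the reader would see.
            feats["text_chars"] += len(re.sub(r"<[^>]+>", " ", html).strip())
        elif ctype == "text/plain":
            feats["text_chars"] += len(part.get_content().strip())
    return feats


def image_spam_score(raw: bytes) -> float:
    """Add up the criteria; weights are assumptions to tune against your own traffic."""
    f = image_spam_features(raw)
    score = 0.0
    if f["image_parts"] and f["text_chars"] < 40:
        score += 2.5  # the picture is the whole message
    if f["cid_refs"] and f["inline_images"]:
        score += 1.5  # the HTML body exists only to render the embedded image
    if f["image_parts"] and f["unnamed_images"] == f["image_parts"]:
        score += 1.0  # no filename on any image: not a photo someone shared
    return score
```

No single criterion is safe on its own: a photo sent with a one-line note also has a tiny text part, which is why the checks add up to a score to feed into a SpamAssassin rule rather than a hard block.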

Continue reading...

Wednesday 13 December 2006

Hacker Infiltrates UCLA, Data on 800,000 People

eWeek reports:

An unknown hacker has infiltrated a massive University of California, Los Angeles database with personal information on 800,000 people, the school said on Tuesday, in one of the worst computer breaches ever at a U.S. university.

Continue reading...

Spam Statistics from Marshal TRACE

Marshal, a company specialized in mail and Internet security, publishes very nice statistics on what's going on in the world with spam, viruses and phishing. They provide interesting stats:

  • percentage of spam detection using their own solution
  • percentage of image spams
  • average size of spam messages
  • spam volume index
  • spam by category
  • spam sources by country
  • (...)
  • Image Spam Over Time

Continue reading...

Thursday 7 December 2006

Bypassing Virus Scanners Using MIME Encoding Tricks

Hendrick Weimer shows how you can fool some virus scanners by inserting characters that are not in the base64 alphabet into the base64-encoded attachment, which a compliant decoder must ignore:

Base64 encoding for MIME is defined in RFC 2045, which lists such an alphabet and clearly states: All line breaks or other characters not found in the alphabet must be ignored by decoding software. So it shouldn't make any difference if we insert some random characters not in the alphabet into a Base64 encoded version of our good old EICAR string, right? Wrong. Some virus scanners will happily pass viruses once they come in an unusual but still RFC-compliant encoding. This is even more astonishing given such attacks have already been discussed before.
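To see the trick end to end, here is an added Python example (mine, not Weimer's code): it base64-encodes the EICAR test string, sprinkles characters outside the alphabet into the result, and shows a strict decoder giving up where an RFC 2045 decoder, and the standard library's email package, still recover the payload. The MIME wrapper, the junk characters and the toy signature scan are all constructed for this example.

```python
import base64
import binascii
import email
import string
from email import policy
from typing import List, Optional, Tuple

# Constructed for this example: the standard EICAR test string, built from two
# halves so the 68-byte signature never appears verbatim in this file. It is
# only ever held in memory here.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The RFC 2045 base64 alphabet plus the pad character.
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def encode_with_junk(data: bytes, junk: str = "*-~.") -> str:
    """Base64-encode data, then insert characters outside the alphabet.

    RFC 2045 section 6.8 says a decoder must ignore such characters, so the
    result is still valid MIME; only a fragile decoder chokes on it. With an
    empty junk string the plain encoding is returned.
    """
    clean = base64.b64encode(data).decode("ascii")
    out = []
    for i, ch in enumerate(clean):
        out.append(ch)
        if junk and i % 7 == 3:
            out.append(junk[i % len(junk)])
    return "".join(out)


def strict_decode(text: str) -> Optional[bytes]:
    """What a fragile scanner does: reject anything outside the alphabet."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def rfc2045_decode(text: str) -> bytes:
    """Drop every character outside the alphabet first, then decode."""
    cleaned = "".join(ch for ch in text if ch in B64_ALPHABET)
    return base64.b64decode(cleaned)


def scan_attachment(b64_body: str, decoder) -> str:
    """Toy signature scan; 'undecodable' means the payload passes through unscanned."""
    data = decoder(b64_body)
    if data is None:
        return "undecodable"
    return "infected" if EICAR in data else "clean"


def wrap_in_mime(b64_body: str) -> bytes:
    """Constructed mail carrying the (possibly junk-laden) body as an attachment."""
    return (
        "From: sender@example.invalid\r\n"
        "To: target@example.invalid\r\n"
        "Subject: test\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="eicar.com"\r\n'
        "\r\n" + b64_body + "\r\n--b1--\r\n"
    ).encode("ascii")


def stdlib_attachment(raw: bytes) -> Tuple[bytes, List[str]]:
    """Decode the first attachment with the email package and report its defects.

    The stdlib decoder is lenient, so the payload comes back intact; the
    InvalidBase64CharactersDefect it records on the part is itself a signal.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        return data, [type(d).__name__ for d in part.defects]
    return b"", []
```

A useful side effect: the email package records an InvalidBase64CharactersDefect on the part while decoding it. Legitimate mailers do not emit junk inside base64, so a gateway scanner or milter can treat that defect as a reason to quarantine on its own, instead of trusting its signature engine to decode what the RFC says it must.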

Continue reading...

New York Times on new spam methods

Brad Stones from The New York Times writes about the new surge of spam:

You’re not the only one. Spam is back — in e-mail in-boxes and on everyone’s minds. In the last six months, the problem has gotten measurably worse. Worldwide spam volumes have doubled from last year, according to Ironport, a spam filtering firm, and unsolicited junk mail now accounts for more than 9 of every 10 e-mail messages sent over the Internet.

Much of that flood is made up of a nettlesome new breed of junk e-mail called image spam, in which the words of the advertisement are part of a picture, often fooling traditional spam detectors that look for telltale phrases. Image spam increased fourfold from last year and now represents 25 to 45 percent of all junk e-mail, depending on the day, Ironport says.

Continue reading...

Monday 4 December 2006

Bagle Returns

Several antivirus and security companies are reporting that Bagle is back in business.

Indeed, F-Secure reports that some of the old Bagle update URLs were reactivated on Nov. 30th.

Continue reading...

Saturday 2 December 2006

Spamhaus TOP 10 lists

Spamhaus is a well-known organisation tracking spam and spammers. It offers services like the Spamhaus Block List and the Exploits Block List, both real-time block lists to be used with your mail servers. Spamhaus also tracks spammers and publishes data about them:

For example, the worst spammer today is a Ukrainian citizen named Alex Polyakov, also known as Alex Blood, Alexander Mosh, etc. (Alex Polyakov is the Soviet spy character in John le Carré's novel "Tinker, Tailor, Soldier, Spy".)

Continue reading...

Friday 1 December 2006

Malware against virtual keyboards

More and more banking institutions are replacing the usual username/password form with a virtual keyboard. The sole purpose of this method is to defeat keyloggers.

Unfortunately for them, more and more malware also defeats the purpose of virtual keyboards. The guys at VirusTotal analyzed a new trojan that takes a series of small screen captures of the area around the mouse cursor. It also adds a red arrow pointing exactly where the user clicked.

Continue reading...

Thursday 30 November 2006

SMTP stats for November 2006

I work for a large French university, so I thought it could be interesting to post these figures every month. For November 2006:

  • Received: 5,227,481 mails
  • Sent: 1,858,770 mails
  • Detected spams: 2,890,236 (55.2%)
  • Detected viruses: 39,945 (0.7%)

Continue reading...

Sunday 26 November 2006

Catching fake replies with spamassassin

The most common (and useless?) trick spammers use to fool users is the fake reply: by adding "Re: <something>" to the subject, the spammer hopes the victim will believe it is a reply to one of their own mails. Unfortunately for them, the Internet message format RFC (RFC 822) defines optional but commonly used headers that tie a reply to its parent (In-Reply-To and References), and SpamAssassin can be used to detect when a "Re:" subject comes without them.
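The same check as an added Python example (mine, not the SpamAssassin rules from this post): it looks for a "Re:" subject and then for the In-Reply-To and References headers, and when those are present it also checks that they actually look like Message-IDs, since spammers who copy the trick sometimes forge them with garbage. The weights and the four sample messages are constructed assumptions, not real mail.

```python
import email
import re
from email import policy
from typing import List, Tuple

# A Message-ID as RFC 822 defines it: <local-part@domain>, no whitespace inside.
MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")
REPLY_SUBJECT_RE = re.compile(r"^\s*re\s*:", re.I)


def fake_reply_score(raw: bytes) -> Tuple[float, List[str]]:
    """Score a message that claims to be a reply but carries no credible thread headers.

    Weights are assumptions for this example. A genuine reply written by a
    client that sets neither header will also score, so treat this as one
    signal among others, not a blocking rule.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    hits: List[str] = []
    score = 0.0
    if not REPLY_SUBJECT_RE.match(subject):
        return score, hits  # not pretending to be a reply
    in_reply_to = msg["In-Reply-To"]
    references = msg["References"]
    if in_reply_to is None and references is None:
        hits.append("RE_SUBJECT_NO_THREAD_HEADERS")  # "Re:" but no parent cited at all
        score += 2.0
        return score, hits
    if in_reply_to is not None and not MSGID_RE.match(str(in_reply_to).strip()):
        hits.append("IN_REPLY_TO_MALFORMED")  # forged header that is not a Message-ID
        score += 1.0
    if references is not None and not all(MSGID_RE.match(tok) for tok in str(references).split()):
        hits.append("REFERENCES_MALFORMED")
        score += 1.0
    return score, hits


# Constructed samples; not messages from the university's mail flow.
FAKE_REPLY = b"""From: "Amanda" <amanda@example.invalid>
To: victim@example.invalid
Subject: Re: your order
Message-ID: <1164541200.77@mailer.example.invalid>
Date: Sun, 26 Nov 2006 10:00:00 +0100

Your package is ready, see http://example.invalid/
"""

REAL_REPLY = b"""From: marie@example.invalid
To: paul@example.invalid
Subject: Re: Photo from Saturday
Message-ID: <b2@example.invalid>
In-Reply-To: <a1@example.invalid>
References: <a1@example.invalid>

Thanks, it came out great!
"""

FORGED_REPLY = b"""From: deals@example.invalid
To: victim@example.invalid
Subject: RE: RE: meeting
In-Reply-To: 4711

Cheap pills inside.
"""

NOT_A_REPLY = b"""From: paul@example.invalid
To: marie@example.invalid
Subject: Photo from Saturday

Here it is.
"""
```

The score, not the individual hit, is what should go into the filter: In-Reply-To and References are optional, and some web mail clients of the time set neither, so a lone "Re:" without them is suspicious rather than conclusive.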

Continue reading...

- page 2 of 3 -