Thursday, January 14, 2010

Banking trojan "BankAsh-A"

I am not sure if this is vaguely related to this story we just posted, but there is a trojan out there which lies dormant on your machine until you visit a banking site. Then it tries to mimic that site and steal your information. This is nothing new, these have been out there for some time - but it seems this particular one is news due to how sophisticated it is and how prevalent it is.

The article mentions that your best bet is to make sure you use anti-virus and anti-spyware tools, frequently update them, and make sure that they stay running. I would add in there that ideally users would educate themselves about this as well - an educated user is the safest user.
Unfortunately that essentially never happens and worse yet, it hurts all of us as they get infected and spread it out to others.

Telewest is blacklisted

One million Telewest customers have been blacklisted for spamming. That doesn't mean that they were all sending out spam, but it means that there were many (over 17,000 IP addresses) sending out spam - likely through bot infected machines. Now they are in the SPEWS database and forced to address the problem which they were apparently too lax about previously.

Watching the worms

When malware spreads across the internet, a few key figures get tracked, such as the rate of spread and the breadth of the area covered. While those numbers are interesting to some, Slashdot has a post up pointing out that Symantec Research Labs has a program that shows the spread with pictures.

Note that it is a simulator, and also please feel free to make your own Dune reference.

BigPond filters out 6 million spam messages a day

Australia's largest ISP, BigPond, says it filters out 6 million spam messages a day. It is upgrading its systems to do even better, since it plans to add more subscribers on top of its current 2 million customers.

Washington State Bans Spyware

Slashdot points out that Washington has now outlawed spyware. This is mainly important in that now companies can be sued more easily and successfully for sleazy actions such as making it hard to uninstall the software, or installing without you being aware of it.

Making spammers pay for your attention

Again, from Slashdot, a professor at Boston University is releasing a paper discussing the details of an idea to charge spammers for your attention. If you read a message and feel it was a waste of your time, they have to pay you for that time. Otherwise, no fee.
Similar things have been discussed before and generally shot down - I think the very first post on that Slashdot article actually comments on this very well (and amusingly), as do the responses to said comment.

Canada's Spam Task Force Releases Report

We had mentioned before that Canada formed a task force to investigate what course of action to take in the legal sense in regards to spam. They have now released their final report on the matter.

RX Spammers Getting Shutdown

Spam Kings covers the recent shutdown of a major internet prescription spamming group.

Good to see that these are getting cracked down upon, since a large chunk of the spam that isn't bot-related is for prescription drugs sold through these places. On the amusing side, apparently this case exposes that someone finally isn't afraid to go after Diaper Deck.

Contextual Spam

While I was posting regularly to this site, I had wondered to myself why more spammers weren't trying out contextual spam. After all, they already had bots out there scanning web pages for email addresses, and they already had bots that were trying to manipulate their SpamAssassin scores down by using Bayesian theory in reverse (well, really more of a Markov Chain I guess)...

So it seemed to me the next step was that they would scan in the text from sites where they get the email address, and then use that text to build up a Markov Chain of text for the email.

Theoretically, that should then mean that whatever was generated would click more with the end recipient of the spam. Think about it, if you see an email come in from an address that you never deal with, and it says "Hey Friend!" in the subject, you are likely going to think "Hey Spam!" and delete it (I know I do).
But if it were to have a name of someone you talk to on a discussion board where your email was, or a subject that you were just talking about in a blog, etc - then you might be more drawn to the email.

So time passed and then within the last 6 months I have seen an absolutely huge increase in my spam that is doing exactly this. At first I thought I was just seeing things, but then I started to see enough links to things that I had publicly on the web that it was becoming clear this is what at least one bot system is doing out there.

On the good side, they are doing it very poorly - perhaps partially due to poor programming, or perhaps due to the limits of the data - if it doesn't have much text to build a database on, then it is going to output some fairly garbage data.

I won't go into the nitty gritty details of what is involved since it is boring and I don't really want to tell spammers what they are doing wrong, but the general idea is that you build a Markov matrix in which you track the text at some level of granularity. I'm guessing these people are doing it at the word level. You then essentially just count, for each word, how many times each other word shows up immediately following it in the text.
Then you reverse your way out of it when generating text: starting from some word, pick the next word based on the statistical probability of each successor, with a random weighting thrown in there.
And out comes something that looks somewhat like what it learned on (there are ways to greatly improve on that, but that is the general idea).
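The word-level chain described above, as an added example (my Python, not code from the original post or from any spam bot): it trains on a small constructed text standing in for a page where a harvester found the address, then generates text by walking the transition counts. The sample text, function names and seed are assumptions for the example.

```python
import random
from collections import Counter, defaultdict

# Constructed sample "scraped" text, standing in for the blog post or forum
# thread where a harvester found the target's address. Not real data.
SCRAPED_TEXT = """
I have been running spamassassin on exchange for a few years now and the
bayesian filter works well once it is trained. The bayesian filter needs
a few hundred messages before the scores settle down. Once the white list
and black list are set up the exchange server handles the load fine.
"""

PUNCT = ".,;:!?()\"'"


def tokenize(text):
    """Lower-cased word tokens with surrounding punctuation stripped."""
    words = (w.strip(PUNCT).lower() for w in text.split())
    return [w for w in words if w]


def build_chain(tokens):
    """Word-level Markov matrix: chain[prev][nxt] = how many times
    nxt immediately followed prev in the training text."""
    chain = defaultdict(Counter)
    for prev, nxt in zip(tokens, tokens[1:]):
        chain[prev][nxt] += 1
    return chain


def transition_probability(chain, prev, nxt):
    """P(next word = nxt | current word = prev) from the raw counts."""
    total = sum(chain[prev].values())
    return chain[prev][nxt] / total if total else 0.0


def next_word(chain, word, rng):
    """Pick a successor with probability proportional to its count:
    the statistical probability plus the random weighting."""
    successors = chain.get(word)
    if not successors:
        return None
    words, counts = zip(*successors.items())
    return rng.choices(words, weights=counts, k=1)[0]


def generate(chain, start, length, seed=0):
    """Walk the chain from `start` for up to `length` words. Stops early
    when a word was never followed by anything in the training text."""
    rng = random.Random(seed)
    out = [start]
    word = start
    for _ in range(length - 1):
        word = next_word(chain, word, rng)
        if word is None:
            break
        out.append(word)
    return " ".join(out)


if __name__ == "__main__":
    chain = build_chain(tokenize(SCRAPED_TEXT))
    print(generate(chain, "the", 15, seed=7))
    # A tiny corpus has one successor per word, so it regurgitates its input:
    tiny = build_chain(tokenize("Hey friend, buy cheap pills!"))
    print(generate(tiny, "hey", 10, seed=1))
```

The second call in the usage block is the "limits of the data" point from above: with only a sentence or two of training text nearly every word has a single successor, so the output is either the source verbatim or a short dead end, which is why the spam that does this tends to read as garbage.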

What is interesting is that not only does it tend to get by Bayesian-based spam filters (the generated words are the recipient's own kind of text, so they score as ham), it will also get by the human many times, at least to the point where they open the email.
Of course, then once they open it and see that it is junk, it will get tossed by the bulk of all users. But then spammers survive on that tiny percentage of people who apparently open that email and then actually do click through and buy whatever is on the other side.

Investing based on spam, bad idea

In what should be one of the more obvious concepts to be presented to you, MarketWatch reminds us that if you invest in a stock based on something touted in a spam email, you are very likely to lose money.
This is known as a pump and dump: someone buys a stock and holds it, then goes out and tells everyone they know (or in this case, many people they don't know at all, via spam) that it is a great stock and they should buy it. Some number of those people buy it, the price goes up, and the original person sells out their position, having made their money. That leaves the other people holding a stock that may or may not be any good (usually not, and in a pump and dump many of the other buyers will dump out too once they realize it was a scam that got them in there).

This goes back to the idea of maybe not doing whatever someone says to do in an email since you know, they might have their own interests at heart and not your interests.

WORM_SOBER.S Virus

At my day job, part of my duties are as a sysadmin. That includes managing our mailserver and the flow of mail in and out. We run TrendMicro's ScanMail (and love it) and it checks every hour for new updates. When it scans mail that has a virus, it sends me a report of it and also flags when we have blocked greater than X virus messages over some short time period and then it calls that an Outbreak.
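The threshold-over-a-window alert described above, as an added example in Python (mine, not ScanMail's logic or its report format): it parses constructed block-log lines in a made-up layout and raises one outbreak alert per virus whenever the number of blocks inside a sliding window reaches the threshold. The log format, field names and default threshold and window are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed log lines in the shape of a gateway's virus-block log
# (timestamp, sender, virus name). Made up for the example; not real
# ScanMail output. The "clean=" line shows a record the parser skips.
BLOCK_LOG = """\
2005-05-02 09:00:12 sender=a@example.net virus=WORM_SOBER.S
2005-05-02 09:01:40 sender=b@example.net virus=WORM_SOBER.S
2005-05-02 09:02:00 clean=true sender=z@example.net
2005-05-02 09:03:05 sender=c@example.net virus=WORM_SOBER.S
2005-05-02 09:03:50 sender=d@example.net virus=WORM_SOBER.S
2005-05-02 09:04:10 sender=e@example.net virus=WORM_SOBER.S
2005-05-02 11:30:00 sender=f@example.net virus=WORM_SOBER.S
"""

LINE_RE = re.compile(r"^(\S+ \S+) sender=(\S+) virus=(\S+)$")


def parse_log(text):
    """Return (timestamp, sender, virus) tuples, oldest first,
    ignoring any line that is not a block record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def find_outbreaks(events, threshold=5, window_minutes=5):
    """Sliding window per virus name. When `threshold` blocks of the same
    virus fall inside `window_minutes`, emit one alert (time the threshold
    was crossed, virus, count) and reset so a single burst alerts once."""
    window = timedelta(minutes=window_minutes)
    recent = {}  # virus -> deque of block timestamps still inside the window
    alerts = []
    for ts, _sender, virus in events:
        q = recent.setdefault(virus, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, virus, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for ts, virus, count in find_outbreaks(parse_log(BLOCK_LOG)):
        print(f"OUTBREAK {virus}: {count} blocked by {ts:%H:%M:%S}")
```

The reset after each alert is deliberate: without it a sustained burst would page you on every further message, which is exactly the kind of noise that makes people start ignoring the alerts during a real outbreak. Tune the threshold against your normal background rate of blocked messages, not against zero.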

Well, today I noticed a huge number of viruses getting stopped and multiple times it alerted me to an Outbreak.

The virus that we are seeing an Outbreak of is the WORM_SOBER.S virus. On Trend Micro's main page they are listing it as their top threat (I think top in terms of most hits, not as in most dangerous, since it is listed as a "medium" severity virus). Its listed aliases are "W32.Sober.O@mm", "W32/Sober.p@MM", "W32/Sober-N", "Sober.P", and "Email-Worm.Win32.Sober" - the name just depends on which virus scanner catches it.

I'm seeing this one on some of my home accounts too - it will add in a note that it has been scanned by whatever your domain is, which is designed to make you think it is safe to open the attachment. Then when you do, it grabs your addresses and propagates itself that way.

As is very common these days, only Windows machines are susceptible to this at this time. Also note that it doesn't appear to do any damage to your machine, aside from angering the people who get it from you, and taking up bandwidth.

Normally I don't mention these sorts of things, but in this case the volume I am seeing right now is much larger than most outbreak conditions I have seen here in the past.

Subliminal ads in spam

This actually was news a few weeks ago, but I wasn't posting here again at that point. The issue is that some spammers have latched on to the concept of flashing content at you in the hope that your conscious mind might not see it, but your subconscious will, and then act on it without you realizing why you are doing it.
This is the idea of a single frame in a movie that shows some product just for a flash, after which you have a craving to buy that product - supposedly this was done with Coke and popcorn during movies.

Studies have shown that it doesn't really work any better than regular ads and that people tend to buy the products that they were inclined to buy in the first place, so the "trick" ad isn't changing their minds.

AdRants has a post up about this that also has a shot of the animated GIF used in the stock spam that was sent out.

McAfee

On the flipside of the other two, I don't really like McAfee in general and have heard of many issues with them. But one client of mine wanted to use the GroupShield product because that is what another consulting group for them recommended. They weren't going to be interested in anything else, so this is the route we went. The customer service wasn't relevant since I dealt with this other consulting group, and then off we went, installing it on Exchange 2003.
The install was "easy" although it took about 7 tries. I couldn't tell if this was a difficult install process, if this server was special, if the person installing it was clueless (I was on site, but not doing the install), or if the product was faulty. After looking back on it - I am going with the fact that the user was clueless (she messed up several other installs that week and so I think she hadn't done them before).
Once installed, configured, the white/black lists are setup correctly, etc - then the product works great. BUT (always the but) the UI is absolutely awful. It runs in Java and is extremely slow (on an 8 processor 3Ghz machine with 8GB of RAM, nothing should be slow) and it is not at all intuitive. It also will toss your settings and other times will warn you that you will lose changes made, but then it won't show you the changes you made - the easiest way around this is to make changes, save, and then exit the app, and then go back in. Suffice it to say, the interface is just extremely painful. On the good side, once you have it setup to your liking, you don't need to go in there that often - especially if you keep your white/black lists in separate text files and as you update them, you can occasionally just go in and reimport those instead of having to use their interface for adding.
I am torn on this product - it works really well in some respects, but it is literally painful to use in other respects.

This is enough for now - this is a long entry and has a lot of pure opinion content in it. I would rather have a few posts of factual references before I veer off on another opinion based rant... for now.

Trend Micro

Similar to Symantec above, but with a variation - I love these guys. We used their anti-virus product on Exchange and it was absolutely beautiful. Easy to install, easy to maintain, great features, and it worked perfectly. I loved it.
But... (there is always a but) we decided we wanted to upgrade to their more complex solution and get their anti-spam features in there as well. Essentially meaning that we wanted to give them more money and they would then in turn take it and do whatever it is they do with money. Presumably roll around in it squealing with glee, I don't know.
But no, their customer service and sales department is awful and they were so rude and condescending that I cut off the transaction and am done with them. I still use them for personal computing needs, the PC-cillin Internet Security product is a good product for the price - but I won't be using them for Enterprise level applications since I don't want to reward their poor service.

Symantec

I must note that I haven't used Symantec's antispam solution(s). So this is not a review of their product(s) in any way in terms of that - but it is a review in the broad sense of that I refuse to let any company for which I have purchasing authority buy any Symantec product. I have had years of nothing but awful experiences with them, and I refuse to further bother with them.
So while perhaps in the past year or two they have dramatically changed, become wonderful people, and have the best product in the world - I suspect that the reality is that they are still awful.
Again, note that this is dripping with personal opinion, feel free to ignore it.

Built-in Features for MS Exchange 2003

Exchange 2003, especially post Service Pack 2, has some pretty nice tools built into it for blocking spam. It can query real-time block lists (DNS-based lists of spamming IP addresses) as connections come in, has the Intelligent Message Filter (Microsoft's own statistical content filter, roughly their variation on Bayesian filtering), and makes use of Sender ID as well.
As with any of the solutions, once you get the tweaks in place and modify your white/black lists, it works pretty well.

Spamassassin on Exchange

I had been using SpamAssassin on a FreeBSD system for a few years when I set out to try and get it working on an Exchange 2000 box. I wrote a hack that allowed that to work, and have documented that before on this site (here and here for example).
For a small amount of mail (say up to a thousand messages a day each for 20 users) this solution works pretty well, especially once you get it tweaked and have your white/black lists worked out and the Bayesian filters trained.
As noted by this person who tried it, it takes less than a second per email, so the better your hardware, the more you could theoretically handle. As that same person also notes though, there are better solutions - they ended up switching over to SpamStopsHere (something I will try and cover at a later date since I don't have any personal experience with it, yet).
Do note that the best part of this option is that it is totally free and allows the admin to tinker with it and have as much control as they like. This is admittedly not always a good thing.

MS Exchange anti-spam review

Much of the traffic that this blog gets is from people searching for anti-spam solutions on Exchange. I have had years of experience with this, so I thought I would occasionally try and post up some reviews and thoughts on various solutions available to Microsoft Exchange 2000/2003.
Please note that these are my own opinions and your own opinion may differ, as may your experience with any given suggested product. Also note that this is the short list of major tools I have seen used on Exchange most frequently - I am quite positive there are more, but I just do not have much experience with them and therefore can't say much about them good or bad.