The report 1 Billion Spammers Served “celebrates” the project receiving it’s one billionth spam message in it’s worldwide network of spam traps. Some salient points:

• Number of bots has quadrupled each year with nearly 400,000 bots active on any given day.
• Most spammers still seem to be in the United States (as opposed to where it’s actually sent from, eg. China)
• Phishing spam most often claim financial institutions as the fictitious origin, followed by Facebook.
• Comment spam (e.g. on blogs) is increasing,  but bots are as widely used (yet) to post comment spam.

The full report is here.

Consider joining the project. They offer some useful services: an HTTP blacklist to reduce address harvesting from your sites, an IP monitor service to alert you of suspicious activity form your netblocks (which I wrote about before), and real-time spam feeds to tune your filters. You can help the project via direct donations, installing a honeypot or donating an MX record to catch spammer scum yourself.

No related posts.

The Morris Worm, the first Internet worm, was released by Cornell grad student Robert Morris back in November 1988 that infected maybe 10% of Internet-connected machines. It exploited a vulnerability in Sendmail and fingerd to propagate itself.

The worm didn’t do anything intentionally malicious, but it spread itself with great vigor and chewed up system resources. It’s lasting effect was to open the eyes of the computing industry regarding network security, application vulnerabilities, and the value of having an incident response process (the effects of the worm was made worse by system administrators knee-jerk response of shutting down their Sendmail daemons).

Another result was creation of the U.S. Computer Emergency Response Team CERT, Forum of Incident Response and Security Teams (FIRST) and many other national and private incident response groups.

No related posts.

From Containing Conficker: tools and info you can download:

• Lists and generators for domain names that Downadup/ConfickerA, B, and C try to contact to download payloads.
• A memory “disinfector” that terminates Conficker threads without touching the process it runs in.
• File and registry scanner to check for Conficker B and C DLLs
• A “vaxination DLL” to make conficker A, B and C think the machine is already infected.
• A python-based network scanner to identify infected machines
• SNORT intrusion detection patterns for Conficker A and B

Very nice work.

Apparently updates for Nessus and other major vulnerability scanners are out, as is a plugin for nmap.

See also Dan Kaminsky’s blog and the Conficker Working Group.

Update: Tools and whitepaper have been released:

• Conficker detection script for NMap
• Nessus plugin 36036: Conficker Detection – Network check
• Honeynet paper Know Your Enemy: Containing Conficker

Related posts:

• Detecting botnet infections for free
• Fast flux botnets

Botnets infect millions of home computers but also infiltrate corporate networks. Security software vendor Damballa claimed recently that  “3% to 5% of enterprise assets are compromised with targeted attack/bot malware – even in the presence of the best and most up-to-date security tools.”

Botnet client malware (drones) are almost never detected by antivirus software… the better-written bots regularly download new versions of themselves, both to change behavior and to evade the utterly obsolete signature detection methodology used by AV software.

The only effective way of detecting bots is by detecting their activity: monitoring outbound network traffic to catch bots phoning home to their command and control centers and when they launch attacks.

Some large organizations do proper egress filtering and outbound activity monitoring to detect botnet activity, but  smaller organizations rarely have the resources even to outsource such monitoring.

Fortunately, free services exist to monitor outbound malicious activity originating from your netblocks:

Project Honeypot IP Monitor Service:

Project Honeypot is an effort primarily to catch email address harvester robots and identify spam sources. An international network of honeypots detects suspicious activity and reports the source IP.

Their IP Monitor service will monitor a Class C netblock plus five unrelated addresses for free and email a regular report. Sending spam is a common use of botnet clients, so this can alert you to bots on your network or even an employee misusing coporate resources.

The IP monitor is just one of many services offered.  The service works even better if you can install one of their honeypots or setup a subdomain to detect spammers.

To sign up and learn about other offerings, visit the Project Honeypot Services page.

Shadowserver Alerting & Reporting Service:

The Shadowserver project aims to raise awareness of compromised servers, malicious attackers, and the spread of malware. They monitor malware, botnet and fraud activity and produce daily and historical reports.

The group recently announced an ASN & Netblock Alerting & Reporting Service. The service claims to detect a wider range of activity than Project Honeypot:

• Detected Botnet Command and Control servers
• Infected systems (drones)
• DDoS attacks (source and victim)
• Scans
• Clickfraud
• Compromised hosts
• Proxies and spam relays
• Malicious software droppers and other related information.

The service is available for a wider range of IP addresses than the Honeypot offering. For details and to sign up, see Shadowserver ASN & Netblock Alerting & Reporting Service.

Limitations

Obviously, these services can only detect malicious activity that hits one of their honeypots. The above projects have a large ever-changing number of honeypots scattered around the net, so chances are good that eventually bots on your network will hit one eventually.

Still, this could take months, or even not happen at all if the bots on your network are used in targeted attacks against specific networks.

A report of malicious activity originating from a public IP address won’t tell you the specific source on your internal network. Further investigative work on your part will be needed to track down the offender.

Free but please contribute

Both Project Honeypot and Shadowserver are volunteer efforts.

The Honeypot monitor service is provided free for a small range of IPs and available for a fee for larger ranges. Even so, please contribute if you use the service. You can also assist the project by running one of their honeypots and setting up a subdomain to act as a spamtrap.

Related posts:

• Free host intrusion prevention for Windows
• Free antivirus – what’s available now
• A few interesting articles

Most notable was that while ClamAV and Norton detected 100% of the “in the wild” samples, McAfee found only 83.3%, the worst of all the major vendors tested. That’s alarming… detecting malware that is actively circulating is what AV is all about.

ClamAV nearly beat both Kaspersky and Norton in this test… it really only failed when scanning encrypted ZIP files, which most organizations delete at the gateway anyway.

The complete results, presentation and the actual test malware are available for download.

The results are amusing, but the test is far from the controlled and comprehensive testing performed by outfits like ICSA Labs. For one, an “in the wild” test set is typically 200 to 500 items .

Er… maybe. Untangle says that one motivation for doing this bake-off was that the AV testing labs refused to test ClamAV and would not reveal their test set. ISCA for example only gives products a pass/fail rating and rates detection of traditional propagating malware only… they ignore detect rates for non-relicating malware like spyware, trojans and backdoors.

What does it say when the leading commercial products perform worse than a volunteer-driven open source alternative? What does it also say when a testing lab refuses to test a product that happens to be free? (hint: they’re a for-profit company funded by the vendors they test).

We’ve been using ClamAV on our email gateways for about two years now and found it to be adequate. It’s proven to be at least as accurate as other products we’ve used, and the project releases updated pattern files faster than many commercial products.

Of course, getting hung up about detection rates is a like arguing which brand of buggy whip makes your car get more miles to the gallon. Regardless of what AV product you choose, the concept of pattern-based malware prevention is obsolete. Enterprise management features and how often the vendor has released updates that cripple every desktop in your organization are more important. Yes, you have to use AV since every operational security standard requires it and it’s another layer to your defense in depth, but in terms of actual protection against malware, AV is virtually useless.

Related posts:

• ClamAV bought by Snort vendor Sourcefire
• Free antivirus – what’s available now
• Death to antivirus

Essentially, criminals are now using DNS records with a short time-to-live that return hundreds of A records of compromized hosts. Both the NS records for the domain and the A records returned are changed rapidly (e.g. once every few minutes) , making it more difficult to get a complete list of compromized hosts and to shut down the hosting name server.

Further, the A records may not point directly to the final destination server hosting the malware or phishing web site. Instead they may point to a compromized host that either redirects the victim elsewhere or proxies the HTTP traffic to the actual destination. What fun! SecurityFocus has more discussion here .

This greatly complicates tracking down compromized hosts and the command and control centers that direct their malicious activities. Imagine how much this also complicates the task of explaining the network to a jury.

There is hope in detecting these DNS tricks. The fast flux service networks paper describes some ways an IDS could be used. It should be possible to identify DNS replies that return hundreds of IPs for one name, have very short time to live, and also return different A and NS records on subsequent queries. Rotating NS records would seem to be a dead giveaway… as far as I’ve seen those rarely change in legitimate DNS records.

There’s an interesting study of DNS anomalies done by researchers at the University of Aukland that examines DNS issues, including fast flux domains and determining the “reputation” of domains and IPs by logging DNS traffic.

No related posts.