Articles in Web Security Fresh Articles

Malicious Spam Traffic Triples in One Week

Sudden massive bot recruitment campaign by Srizbi botnet drives malicious spam up 9.9%, according to researchers at Marshal

A massive bot recruitment campaign appears to be behind a record surge early this month in the volume of malicious spam -- from 3 percent of all spam traffic to nearly 10 percent, according to researchers with Marshal’s TRACE team.

The Srizbi botnet, which has been making bigger waves these days than the fizzling Storm botnet, is the main driver of this malware-laden spam, according to Marshal, which says malicious spam traffic tripled within just one week. Srizbi is behind nearly half of all spam, malicious or otherwise, according to the researchers.

“When you see a 9.9 percent jump in one week, that’s significant. They either accidentally sent out too much spam or are on an ambitious recruitment drive at the moment,” says Bradley Anstis, vice president of products for Marshal. Anstis says he thinks it’s more the latter.

MX Logic last week reported a worm that had generated over 8 million spam messages in an apparent attempt to recruit bots for Srizbi.
 

The Real Issue Around Server Virtualization Security

There is a general paranoia about server virtualization in the security community that goes something like this. The server virtualization hypervisor acts as a resource switch enabling multiple virtual hosts to share a single physical system. In theory, if you compromise the hypervisor, you gain access to every virtual host along for the ride. Imagine an instance where 50 hosts live on a single Intel server and you can see that a hypervisor attack could have extremely serious ramifications.

Yes, this is theoretically possible, but virtualization vendors understand this threat and are pretty conscientious about protection. [..] So what is it about server virtualization that should really keep chief information security officers up at night? A more pedestrian worry--lack of control. In a virtual server world, IT administrators can clone virtual hosts, move them around, or turn them on and off by accident or with malicious intent. What happens when an IT administrator moves a critical database server instance without re-configuring application servers or the network?  How about when someone mistakenly adds a test server to the production network? The security "uh-oh" possibilities are endless.
 

100 E-mail Bouncebacks? You've Been Backscattered.

E-mail users are receiving an increasing amount of bounceback spam, known as backscatter, and security experts say this kind of spam is growing.

The bounceback email messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: "Cyails, Vygara nad Levytar," "UNSOLICITED BULK EMAIL, apparently from you."

You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter -- bounceback messages from legitimate e-mail servers that have been fooled by the spammers.

Spammers like to put fake information in their e-mail messages in order to sneak them past e-mail filters. Because e-mail filters now just delete messages that come from nonexistent domains, the spammers like to make their messages look like they come from real e-mail addresses. That means, if your e-mail address has been published on the Web somewhere, you're a prime candidate for backscattering.
 

How to Stop Spam Disguised as Business Email

Small businesses are indeed the latest target for spammers. Most small businesses -- unlike their big business counterparts -- have less sophisticated anti-spam protection, and spammers have shifted their tactics to take advantage of an easier target.

Unwanted email is a threat to both productivity and security. Spam now comprises more than 50 percent of all enterprise email and represents somewhere between 40 and 70 percent of all Internet traffic. Some data show that more than 30 percent of spam is generated by virus-infected computers, and more than 30 percent of viruses are propagated by spam.

The increasing interconnectedness of big businesses with small businesses, which are employing at best basic desktop antivirus defenses and very little spam protection, means that a large percentage of spam, virus, and blended attacks are spawned by small businesses.
 

Spam Hits an All-Time High

But it’s not a losing battle. New technology can filter out more than 97 percent of spam — without axing legitimate messages.

SoftScan, a European managed-security services provider focused on messaging, reported that spam levels dipped slightly in January to 96.8 percent of all email scanned, compared with 97.02 percent in December 2007.

While SoftScan’s reported drop isn’t much of a break in unsolicited email (the company describes it as a “lull before the next surge”), other observers failed to detect even a limited respite.

“While logic would dictate that spam levels would subside after the holidays, they’ve continued to soar and reached 78.5 percent of all email traffic during January,” Symantec Corp. noted in its recent spam report.
 

Google: Spam, Virus Attacks to Get More Clever

Spam and virus threats to enterprise messaging security and compliance may level off this year compared to 2007, but social engineering techniques are evolving to challenge businesses and security software providers, according to a new report released by Google's Postini team.

The report, released March 6 after Google's Postini team commissioned the study to survey 575 IT professionals, found that Postini data centers recorded 57 percent more spam and virus attacks in 2007 compared to 2006.

The size of spam e-mails also increased considerably as spammers included images, .pdf files, documents, spreadsheets and even multimedia files to spoof spam filters, according to report author Adam Swidler, senior solutions marketing manager for Postini.
 

Email Management For Dummies

Understand the basic facts about email management -- what it is and why you need it.

What is email management?
Email management encompasses four areas: Security, Backup/Storage/Recover, Spam and Virus Protection, and Compliance. Each of those categories can be subdivided by technology class and coverage. While not every company will need top of the line products in all categories, no business, regardless of size, should be completely vulnerable in any area. As with almost all business decisions, the trick is finding the solution that matches a business' needs without providing unnecessary features or costs.
 

The Top 5 Internal Security Threats

For years, the specter of viruses, Trojan horses and worms caused many a chief security officer to lose sleep. But it’s the enemy within that is now prompting IT staffers to ramp up security efforts. According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent.

Inadvertent employee error, laptop theft, contractors’ unauthorized access to information, disgruntled employees, password mismanagement – all of these factors can mean drastic revenue loss, legal liabilities, diminished productivity and brand erosion.

What are the top internal security threats – and how can you avoid them? Read on to find out.
 

Gone Phishing

Dead giveaways that an email is bogus — or phishing to steal your identity.

Each day, most Internet users are assaulted by "important" emails that require "immediate attention" about some type of banking or e-commerce matter. The email urges you to click a link to go to the company's site to straighten out the problem. The catch is that the link takes you to a site that has been designed to look exactly like the real company's site, but is instead just a front for gathering personal information.

Most financial or commercial crisis messages are bogus, but a few might not be. So how do you sort out the real email from the garbage? These tips from the Anti-Phishing Working Group can keep you from getting hooked as another phishing victim:

    - Be automatically suspicious of any email with urgent requests for personal financial information.
    - Don't use the links in an email, instant message or chat to get to any Web page if you suspect the message might not be authentic or you don't know the sender or user's name.
 

Organizing IT Chaos through Email Authentication

Authentication provides email senders and receivers some additional ways of differentiating legitimate email from spam, phishing and other forms of fraudulent email that threaten the safety of consumers and damage the reputation of the brands whose domain names are abused.

But wait, there's more!

Undertaking the sometimes daunting task of deploying authentication also provides a great excuse for IT managers to begin tackling the unruly and sprawling beast that is today's modern corporate email infrastructure.

One of the benefits of deploying authentication is that it necessarily requires you to survey – and perhaps rein in – all of the ways the organization uses email. Thus this process provides IT managers with an excellent opportunity to bring some order, or at least some understanding, to what can sometimes be a chaotic mess.
 

How Spammers Identify Their Targets

Ask any Internet user what they hate most about being online and you will usually hear an earful about spam. Spam is considered by many to be the scourge of the Internet. It is certainly a costly problem, both in time and in the costs organizations expend to fight it.

The first, and least common, is spammers that obtain temporary legal and real accounts with ISPs. This is less common because most ISPs quickly shut down these accounts. There are a few ISPs that turn a blind eye, but they are likely already known and blacklisted.

The second method used to send spam is through compromised hosts, usually workstations and home computers on high-speed connections such as DSL or cable modems. These systems are usually compromised and have become part of large networks of zombie systems called bot-nets.
 

Fighting Phishing Scams

Phishing is one of the most prevalent of all Internet scams. At any one time, a large number of major financial institutions and online entities around the world will be the target of phishing scammers. Some high profile institutions such as Citibank and PayPal are targeted almost continually. Phishing scams attempt to trick people into providing sensitive personal information such as credit card or banking details.

Phishing scams, exposed. Read about:
How Phishing Scams Work, How Scammers use Information Harvested from Phishing Scams, Common Characteristics of Phishing Scam Emails, What to do if you Receive a Suspected Phishing Scam, What to do if you Have Already Been Tricked into Submitting Information, How to Avoid Becoming a Victim of a Phishing Scam, and Examples of Phishing Scams.
 

How Does a Mail Server Respond to Fake Email Addresses?

During a security assessment, I found that I could connect to the SMTP gateway using Telnet. I tried sending mail from a fake domain, but it was detected as a mail relay and stopped. When I sent messages to fake employees inside the organization's domain, however, the mails were accepted. Can this be termed as a mail relay vulnerability? Can this be exploited for purposes other than social engineering? Most importantly, what is the best possible resolution?

What you describe is actually a very common situation and is not a cause for alarm. You can Telnet to most mail servers on TCP port 25 and send messages to the organization that uses the particular server. But, you should not be able to send email to other organizations. If you could, a spammer would find that mail server and use it to relay spam.

So, what actions should the mail server take if the destination email address is fake?
 

Mail Server Blacklists and Spam

A white-list is a list of email senders whom you trust and would like to receive mail from. Conversely, a blacklist contains those that are not to be trusted. Blacklists need to be configured and administered on a server, at the ISP (Internet Service Provider) level or on your network. If you do not have such access, and most people do not, you can use the blacklists by choosing email services from companies that use such blacklisting techniques.

A mail server is designated as having an open relay when mail is processed in a location that is not local to either the sender or receiver. The mail server is unrelated to either party, and as such, has no business processing that email. Think of driving from your home in Washington, DC to your friend's home in Boston. If you pass through New York City on the way, that is to be expected. However, if you stop in Dallas, the route becomes suspect. An open relay mail server, whether intentional or not, is allowing mail to be routed through it that shouldn't be.
 

Legitimate sites serving up stealthy attacks

Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned on Monday.

The attack, dubbed the "Random JS toolkit" by the security firm, currently uses dozens of hosting servers and more than 10,000 legitimate domains to attempt to exploit the systems of visitors to the sites, the company said in an analysis posted to its Web site.
 

Europe's The New Spam Capital - Symantec Report

Don't be surprised if you see a Valentine's spam originating from Europe that was linked on Google.

Symantec's February State of Spam report indicates that attackers are getting more sophisticated and elusive -- sending copious amounts of spam out of Europe and overseas, capitalizing on holidays and tax season and finding ways to get their sites at the top of the Google pages.[...]

Some of those tactics include diversifying their geographic locations. Researchers found that European countries are hosting unprecedented amounts of spam compared to months and years past. The number of spam messages originating from Europe surpassed that of North America for the third month in a row, reaching approximately 44 percent of total spam, compared to spam sent from North America which composed about 35.1 percent.
 

Tracking and detecting valid mailboxes through HTML emails

Back in the days when Windows 98 was the latest Microsoft operating system, HTML email messages accounted for a large number of infected Windows-based systems. Surprisingly, things have not changed much nowadays either. Accepting and displaying HTML email messages still poses a great many threats for email users, regardless of what operating system they are using, or if the latter is actually immune to an attack based on vulnerabilities of other systems.

To illustrate, here are some of the possible threats posed by the use of HTML messages, including, but not limited to, virus or other malware infections, which still account for a high degree of risk.
 

Linux-Based E-mail Scanners

A short presentation of MailScanner and ClamAV, as free email scanner alternatives for Linux, from ServerWatch:

I've never been comfortable with Windows-based e-mail scanners because they run on the same porous, malware friendly platform they're supposed to protect. Paying big bucks for software licensing fees year after year isn't a very attractive proposition either.

Fortunately, there are powerful, free alternatives, like MailScanner and ClamAV. Using these two together delivers stout protection against viruses, spam, phishes, and all manner of e-mail-borne malware. Both run on just about any Linux or Unix-type operating system, so you have the benefit of choosing your favorite operating system as well as the benefits of superior security, efficiency and performance.

ClamAV just keeps getting better. It installs with a nice set of default options, and thus requires minimal tweaking. It defaults to checking for new virus signatures several times per day, and it can scan outgoing mail. You should definitely scan outgoing e-mail — if this were a routine practice, 90 percent of e-mail would not be spam or malware.....
 

Protecting against the elusive Linux virus

Estimates vary, but generally it is believed that there are 100 to 500 Linux viruses out there. The tiny number of Linux viruses that do exist have never resulted in a significant outbreak. In comparison to the plethora of viruses and worms in Windows-based platforms, the volume of Linux viruses is insignificant. So this leads us to two questions: why are there so few Linux viruses and are Linux anti-virus tools necessary?

The answer to the first question has a lot to do with the differences between Linux and Windows desktops. Linux hosts are an unwelcoming environment for a virus because the multi-user access controlled model makes traditional virus propagation methods problematic.

Let's look at an example:

Virus attacks often start with the victim receiving an email containing a malicious attachment. If the user attempts to execute the attachment on a Windows platform, it will run if it has a suitable file extension, has appropriate executable content, or is configured to be executed by association with a particular application. Even worse, some clever Windows-based viruses don't even require the user to execute the attachment. Viruses can be activated by merely reading the email containing them. As users of many Windows-based hosts, especially Windows XP, are also running with local administration rights, the virus may potentially infect and subvert the entire host.
 

The Real Cost of Spam

Spam may be cheap for the people who send it, but it can be a serious expense for your business. According to a study conducted earlier this year by Nucleus Research Inc., spam management costs U.S. businesses more than $71 billion annually in lost productivity — $712 per employee.

Here's a quick look at the various ways that spam drains your company's bank account and how you can calculate the real cost to your business.

Anti-Spam Technology: Spam-fighting products and services are a big business, and anti-spam vendors aren't generating their revenue from the people sending junk email. Most companies not only spend thousands of dollars on anti-spam software and hardware solutions, but they also drop cash on employees and consultants to plan, deploy and maintain the technologies.

Lost Productivity: Spam wastes employees' time. The average employee spends 16 seconds reviewing and deleting each spam message, according to Nucleus Research. The company estimates that at businesses that quarantine spam (where junk messages are placed in a directory for review and confirmation by recipients), each user spends an average of 4.5 minutes per week reviewing messages. Deleting messages, however, turns out to be the most expensive spam strategy. The average employee at companies that delete spam messages loses an average of 7.3 minutes per week looking for lost legitimate messages.
 

Spam countermeasures and blocking mechanisms

In today's Internet environment, the spam issue cannot be eliminated 100%. It is a new problem, for which no conventional solutions have yet been designed. To address this increasing issue, many solutions for the stages before and after accepting mail messages were designed, to ensure most of the spam messages do not reach users’ mailboxes.

This article will focus on the most relevant ones, with a high degree of usability.
 

Spammer tactics of circumventing filtering

This article will focus on the tactics used by spammers to successfully deliver a mail message to the mailboxes on your server, despite any implemented sorting or blocking filters.
 

Spam overview and spam types

Just as the title implies, this article will focus on SPAM messages, on the "know your enemy" principle. We will first describe the different types of spam, to then move to analyzing the issue in perspective, and in detail.

The purpose of spam messages is marketing (advertising to be more precise), corresponding to the conventional ways of advertising, when you are normally able to choose which adverts you want to watch or not. Internet advertising has more options than the conventional ways, since no physical boundaries can be used to accurately select or sort the content (you cannot put a doorman to your server that is able to let the mailman in and keep the flier guys out), the virtual world offers new ways of doing advertising.
 

Mail injection through WebMail applications

This article describes an attack method against Web applications that communicate with mail servers, particularly WebMail applications. Some of the applications that are vulnerable to the mail injection threat can be exploited and forced to send arbitrary commands through e-mail protocols such as IMAP and SMTP. Hopefully, this information will prove useful to auditors and mail server code developers.
 

Exchange 2007 SP1 is now available

Microsoft Thursday shipped Exchange 2007 Service Pack 1 that includes support for the forthcoming Windows Server 2008 and enhancements to real-time communication and mobile device integration. Microsoft also made available Forefront Security for Exchange Server 2007 SP1, which includes improved content filtering and management, and support for Windows Server 2008. Even though it's a little later than previously announced, hopefully, this patch will straighten out some issues.
 

Ten Firefox extensions to keep your browsing private and secure

Most people lock their doors and windows, use a paper shredder to protect themselves from identity theft, and install antivirus software on their computers. Yet they routinely surf the Internet without giving a second thought to whether their browser is secure and their personal information safe. Unfortunately, it's easy for someone with nefarious intentions to use a Web site to glean data from -- or introduce spyware to -- your computer. Even worse, sometimes all you have to do is randomly click on a site to have your data probed in a most unwelcome way.
 

Introduction to Antispam Practices

Competitive antispam products, proper legislation, efforts towards better user education: it has all been tried in order to stop spam. However, unsolicited emails keep consuming the space and time of all email users. Moreover, spam messages can be the cause of serious virus and spyware outbreaks, while others “phish” for sensitive information like bank accounts and passwords.
 

Eliminating the threat of spam email attacks

All the spam I am getting in my inbox has made me look into some more effective antispam tools. While googling for more information, I came across this article about SpamAssassin. It looks good so far. Here is the article in full, written by Scott Sidel:

Spam isn't just about deposed Nigerian dictators who want to send you millions of dollars. Spam emails often contain malicious code, viruses, phishing attacks, and drive-by Trojans -- not to mention some inappropriate content. One of the best weapons available to defend your systems against spam is the open source software SpamAssassin.