Friday, February 22, 2008

Botnet Goes Buh-Bye in Quebec


After a series of early-morning raids across 12 towns on Wednesday, the RCMP in Quebec arrested 17 suspects accused of running what had been one of Canada's largest botnets for the past two years. The suspects are aged 17 to 26, all male except for one 19-year-old woman.
The botnet is estimated at upwards of 1 million computers in more than 100 countries. It was used for identity theft and other kinds of data theft, spamming, and denial-of-service attacks, and is estimated to have caused $45 million in damages.
We have yet to learn what the justice system will hand down to this group, though one thing that will weigh heavily against these youths is that the botnet was run for money. Youthful mischief can be played down as a moment's indiscretion; this was premeditated, profit-driven criminal activity.
Read more about it here.

Thursday, February 21, 2008

Hold on to Your Credentials, Here Comes the SPIM!


For those unfamiliar with SPIM, it is another entry in the ever-growing list of terms coined to name specific delivery vectors for unwanted digital content; this one is spam sent over instant messaging (Spam via IM, hence SPIM). It is nothing new, but many people have yet to experience it, and that may change soon enough.
Many campaigns are circulating that aim to steal your IM credentials so that your account can be used to send out this new annoyance. Once they have your account, they will often push further attacks to everyone on your contact list, and those look legitimate because they appear to come from a friend.
Other attacks lure people into traps by offering something intriguing, such as this attack on MSN Messenger users, which promises to show you which contacts have blocked you. All you have to do is log in with your account name and password so it can check for you. That login form is the trap: the credentials go straight to the attacker.
Once a spammer, or spimmer, has harvested enough of these accounts, they could easily put them in a makeshift database arranged by country or more specific geo-location, along with other details scraped from your profile, and use it to send very specifically targeted campaigns to its victims. Yet another hassle to add to the list.

Wednesday, February 20, 2008

iPhone POC DoS and other TLAs


It seems someone has been having fun with the iPhone again. A proof-of-concept denial-of-service vulnerability has been found in the Safari browser on the iPhone. It takes a little work to see its effects, but that is what a proof of concept is for: it shows the attack can be done, although in its current form you are highly unlikely to run into it.
To fall victim to this, you must first have installed the latest firmware, v1.1.3. Then you have to search the web for sites that walk you through unlocking (more precisely, jailbreaking) an iPhone on the new version, which gives you access to the phone's file system; this comes in handy for customizing ringtones or installing third-party applications. One particular site that offers directions for unlocking your phone also offers a link to DoS it. After clicking the link, the site tells you it is about to "attempt a crash", and you have to click a button to allow it. Once you do, the phone becomes unresponsive and, after about a minute, reboots.
The exploit currently does no damage to your phone, but the same type of flaw could be used to cause harm in the future. Remember, too, that an attacker has no need to show warning screens explaining that you are about to be exploited; the same thing can be delivered drive-by as you surf around, which would be far more malicious.

PS screenshot courtesy McAfee

Thursday, February 14, 2008

The Shelf Life of Spam



I was perusing the internet today and happened upon something pretty interesting, from Modern Mechanix magazine. It told of an occurrence back in 1934 when a floating broadcasting station was set up just inside international waters in the Gulf of Mexico; it used its transmitter to overpower popular radio stations along the coast in order to promote the gambling, liquor, and dubious pleasures to be found aboard the very ship that was jamming the onshore airwaves.
Sure enough, this early pirate-radio version of spamming proved extremely lucrative, and since the ship sat in international waters it was very difficult to shut down, though it eventually was. Unfortunately for the U.S., it was too late: several copycat spammers had already begun to pop up in the Gulf. The original radio pirates were not shut down by any broadcast law, but by having their ship's charter pulled, and it took several more years to get the rest of them off the air, one at a time.
I guess this proves two things: you cannot beat the power of advertising, especially if you find a way to do it for free, and if you come up with a good idea, get ready to see it copied by someone else.

Tuesday, February 12, 2008

Valentine's Day Storm Part 2


After an unexpected early run of Valentine's Day infection attempts, the Storm Worm crew has officially begun round two of its V-Day themed campaign. Friday afternoon saw the scattered beginnings of this run, and it is now in full swing.
The layout is typical of past Storm runs, with subject lines such as "Love Rose", "Rockin' Valentine", and "Just for You", to name a few, along with a short, simple body text such as "Happy Valentine's Day!", "Valentine's Day", "Valentuna", "Be My Valentine", "Valentine Invitation", or "With All My Love", among many others. Every one of these messages is followed by a link written as a bare IP address which, as usual, takes the recipient to another site where they are shown one of eight different pictures, along with a prompt to click the link if their download does not start in 5 seconds.
This time the site downloads two different pieces of malware: first a rootkit, and second a mass mailer, used either to infect more computers, as in this case, or for spam campaigns in future runs.
You should know the drill by now: if you do not recognize the sender, or it looks sketchy in general, throw it out. A link that is a raw IP address rather than a hostname is a giveaway on its own.
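As an added example (not code from the original post), here is a small Python filter that flags messages carrying the two indicators described above together: a Valentine-themed subject or body line, and a link whose host is a bare IP address rather than a hostname. The subject and body strings come from the post; the sample messages, and the addresses in them, are constructed for the example.

```python
"""Flag Storm-style Valentine's Day lures.

Added example, not code from the original post. Indicators used: the subject
lines and body texts quoted in the post, plus a link whose host is a bare
IPv4 literal. The sample messages and addresses below are constructed."""
import re
from email import message_from_string
from email.message import Message

# Subject lines and body texts quoted in the post, lower-cased for matching.
STORM_SUBJECTS = {"love rose", "rockin' valentine", "just for you"}
STORM_BODIES = {
    "happy valentine's day!", "valentine's day", "valentuna",
    "be my valentine", "valentine invitation", "with all my love",
}

# http(s) URL whose host part is a dotted quad instead of a hostname.
IP_URL_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)


def bare_ip_links(text: str) -> list[str]:
    """Return every URL in text whose host is a valid IPv4 literal."""
    hits = []
    for m in IP_URL_RE.finditer(text):
        # Reject dotted quads with an octet above 255 (not a real address).
        if all(int(octet) <= 255 for octet in m.group(1).split(".")):
            hits.append(m.group(0))
    return hits


def _plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = list(msg.walk()) if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message: str) -> dict:
    """Parse one raw RFC 822 message and report which indicators it carries.

    A message is 'storm_like' only when the theme AND a bare-IP link are both
    present; a genuine greeting with a normal link is left alone."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    body = _plain_text(msg)
    body_lines = {ln.strip().lower() for ln in body.splitlines() if ln.strip()}
    links = bare_ip_links(body)
    subject_match = subject in STORM_SUBJECTS
    body_match = bool(body_lines & STORM_BODIES)
    return {
        "subject_match": subject_match,
        "body_match": body_match,
        "ip_links": links,
        "storm_like": (subject_match or body_match) and bool(links),
    }


# Constructed sample messages (RFC 5737 documentation addresses, not real hosts).
SAMPLES = {
    "lure": "Subject: Love Rose\n\nBe My Valentine\nhttp://192.0.2.10/\n",
    "greeting": "Subject: Just for You\n\nHappy Valentine's Day!\n"
                "https://www.example.com/card/123\n",
    "ip_not_themed": "Subject: build status\n\nhttp://10.0.0.5:8080/job/42\n",
    "bogus_ip": "Subject: hi\n\nWith All My Love\nhttp://999.1.1.1/\n",
}


def run_samples() -> dict:
    """Classify every constructed sample; returns name -> storm_like."""
    return {name: classify(raw)["storm_like"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15s} storm_like={verdict}")
```

Only the "lure" sample trips both indicators; the real greeting with a hostname link, the internal build link with no holiday theme, and the message whose "address" has an octet above 255 are all left alone. The octet check matters in practice: a naive `\d+` regex would flag typos and version strings as addresses.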

Monday, February 11, 2008

Another .pdf Exploit


Yep, it's true: another new .pdf exploit is circulating in the wild. Once Adobe Reader has been exposed to it, your computer is instructed to download a trojan from the Zonebac family, which attempts to disable your anti-virus scanning and installs further malicious software. So you will need to get on it again and make sure you have the latest updates from Adobe. Get them here. Or use the Foxit .pdf reader, which so far has not drawn the attention of the malware authors. Bear in mind that switching readers only sidesteps exploits written for Adobe's product; any reader can have bugs of its own, so keep whichever one you use patched.

Friday, February 8, 2008

Malware Served Up By AV Company


The website of Indian antivirus vendor AvSoft Technologies has been hacked and is being used to install malicious software on visitors' computers, according to security researchers.
One of its pages was infected via iframe injection, which goes to show that even the professionals can be victims, though you would hope they would not be. The download section of the S-Cop site now carries malicious code that could easily spread to everyone who visits. The malware is a variant of the Virut family, a file infector that is very difficult to remove once it takes hold: it starts by infecting the executable programs on your local drive before searching out network drives.
Luckily, however, most anti-virus products already have definitions in place to block this family of viruses, so public infection should be minimal.
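As an added example of the check a site owner would want after an incident like this (not AvSoft's or any vendor's code), here is a Python scanner that pulls every iframe out of a page and flags the ones that are hidden or that load content from a host other than the site's own. Injected frames are usually both: zero or one-pixel size, `display:none`, `visibility:hidden`, or a large negative offset, with a `src` pointing at the attacker's server. The sample page and the hostnames in it are constructed for the example; real injections may use other tricks, so treat this as a first-pass heuristic, not a complete detector.

```python
"""Scan a page for injected <iframe> elements of the kind described above.

Added example, not AvSoft's or any vendor's code. Heuristic: an iframe is
suspect when it is hidden (zero or one-pixel size, display:none,
visibility:hidden, or positioned off-screen) or points at a host other than
the site's own. The sample page and hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "iframe":
            # Boolean attributes come through with value None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _style_map(style: str) -> dict:
    """Parse 'a: b; c: d' into {'a': 'b', 'c': 'd'}."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def _tiny(value: str) -> bool:
    """True for a 0 or 1 pixel dimension ('0', '0px', '1', '1px')."""
    return value.strip().lower().removesuffix("px") in {"0", "1"}


def is_hidden(attrs: dict) -> bool:
    """Does this iframe use one of the usual tricks to stay invisible?"""
    style = _style_map(attrs.get("style", ""))
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return True
    for dim in ("width", "height"):
        if _tiny(attrs.get(dim, "")) or _tiny(style.get(dim, "")):
            return True
    # Large negative offsets push the frame off the visible page.
    return any(style.get(pos, "").startswith("-") for pos in ("left", "top"))


def find_suspect_iframes(html: str, site_host: str) -> list[dict]:
    """Return iframes that are hidden and/or load content from another host."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host   # relative src stays on-site
        offsite = host.lower() != site_host.lower()
        hidden = is_hidden(attrs)
        if hidden or offsite:
            findings.append({"src": src, "hidden": hidden, "offsite": offsite})
    return findings


# Constructed download page: one legitimate frame, two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Downloads</h1>
<iframe src="/downloads/changelog.html" width="600" height="400"></iframe>
<iframe src="http://203.0.113.9/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="http://www.example.com/p/"
        style="position:absolute;left:-5000px;top:-5000px;width:1px;height:1px"></iframe>
</body></html>"""


def scan_sample() -> list[dict]:
    """Run the scanner over the constructed page as www.example.com."""
    return find_suspect_iframes(SAMPLE_PAGE, "www.example.com")


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding['src']:40s} hidden={finding['hidden']} offsite={finding['offsite']}")
```

Run against your own pages, the off-site check is the strong signal: a legitimate site rarely frames content from a bare IP address. The hidden check catches the case where the attacker proxies through a host on the same domain, which is why the third sample frame is still reported.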

Tuesday, February 5, 2008

Battle of the Botnets


There is a new leader in the botnet world. A botnet by the name of Mega-D has taken the lead, with 32% of all spam attributed to its zombie army. It has surpassed Storm, at 11%, which has been hindered lately by many factors, including, according to Microsoft, its Malicious Software Removal Tool, which the company credits for much of Storm's decline as it cleans up 200,000 computers a month.
Mega-D is the one flooding you with herbal pharmaceutical spam, as well as ploys to keep growing by tricking recipients with current headlines, a technique the Storm Worm authors have used more than once. This leads many in the security community to believe that Mega-D may actually be run as an offshoot by the Storm gang.
Security vendor Marshal has observed that 70% of the world's spam currently comes from just five botnets. The Pushdo botnet, a.k.a. the Celebrity botnet, is one of them, so named for its attempts to make recipients believe its infectious attachments are videos of nude celebrities.

Friday, February 1, 2008

A Break in the Storm?!


In an article by internetnews.com, it is reported that US and Russian officials have learned the identities of the authors of the Storm Worm. Can that be true? It seems like that should be bigger news; let's see if it develops.
Anyway, they say they have figured it out, but the big problem will be cutting through bureaucratic red tape in order to actually arrest these people, given the state of international law on cybercrime.
Many countries do not even have laws against creating malware. Take Japan, where a malware author was arrested just recently after years of activity. His trojan, named "Harada", would delete pirated media from its victims' computers; apparently he was on the side of the movie and record companies. After someone illegally downloaded media from a P2P network, the trojan would erase it and then taunt them with a picture of an unidentified man, or "Harada". Trouble for him came when he used a popular animated character instead of the usual Harada. So the police picked him up on copyright infringement, completely ignoring the fact that his software and his intent had been malicious for years.
So the issue here is that, considering most of Storm's damage has been to computers and people in the US, it will be very hard to get these guys extradited. Even though the article says the authors are located in St. Petersburg, Russia, and that we have help from the Russians, the authors could quite possibly run off to Asia or somewhere else, as these cybercriminals are known to do, just to add another degree of bureaucratic difficulty.
Well, I will keep my eyes open and see if this story pans out or develops.