David Kirkpatrick

July 16, 2010

Spambot “most wanted” list

Filed under: Business, et.al., Technology — David Kirkpatrick @ 2:16 pm

You know what to do

From the link:

1. Rustock (generating 43% of all spam)

The current king of spam, its malware employs a kernel-mode rootkit, inserts random text into spam and is capable of TLS encryption. Concentrates solely on pharmaceutical spam.

2. Mega-D (10.2%)

A long-running botnet that has had its ups and downs, owing to the attention it attracts from researchers. Concentrates mostly on pharmaceutical spam.

3. Festi (8%)

A newer spambot that employs a kernel mode rootkit and is often installed alongside Pushdo on the same host.

4. Pushdo (6.3%)

A multi-faceted botnet or botnets, with many different types of campaigns. A major distributor of malware downloaders and blended threat e-mails, but also sends pharma, replica, diploma and other types of spam.

5. Grum (6.3%)

Also employs a kernel-level rootkit. A wide range of spamming templates changes often, served up by multiple Web servers. Mostly pharma spam.

6. Lethic (4.5%)

The malware acts as a proxy by relaying SMTP from a remote server to its destination. Mostly pharma and replica spam.

7. Bobax (4.3%)

Another long-running botnet that employs sophisticated methods to locate its command servers. Mostly pharma spam.

8. Bagle (3.5%)

The name derives from an earlier mass-mailing worm. Nowadays, Bagle variants act as proxies for data, and especially spam.

9. Maazben (2.0%)

By default, uses a proxy-based spam engine. However, it may also use a template-based spam engine if the bot runs behind a network router. Focuses on Casino spam.

10. Donbot (1.3%)

Donbot is named after the string “don” found in the malware body. Mainly pharma spam.

March 3, 2010

Dirty ISPs better watch out

A new ranking system from the Oak Ridge National Laboratory and Indiana University will ferret out providers run by cybercriminals.

From the link (goes to Oak Ridge National Laboratory story tips for March 2010):

Cybercrime—Exposing hackers . . .

Unscrupulous Internet service providers will have no place to hide because of a ranking system conceived by researchers at Oak Ridge National Laboratory and Indiana University. “Criminal enterprises have created entire Internet service providers dedicated to sending spam, phishing messages or spreading viruses,” said Craig Shue of ORNL’s Computational Sciences and Engineering Division. While some have been caught by the Federal Trade Commission or other Internet service providers unwilling to do business with them, many are able to escape detection. “These other Internet service providers have customers whose machines become infected and can be used to launch attacks or steal the customer’s data,” Shue said. This work, which creates a ranking system Shue likened to grading systems for comparing school districts, is funded in part by the National Science Foundation and Indiana University.

April 15, 2009

Conficker not done?

Filed under: Media, Technology — David Kirkpatrick @ 4:56 pm

Either the Conficker virus has some very nasty surprise in store sometime soon, or it’s been the biggest over-hyped flop to come along in a very long time. The media had people (casual users) frightened to even boot their computers on April 1.

I’m thinking a lot of the ongoing reports — such as security analysts announcing the creator of the computer virus changed the bug’s orders plan after so much publicity broke out — are just signs that “security analysts” don’t want to appear wrong. Very similar to political pundits who declared great truths and when those proclamations turn out to be horseshit simply move on to the next idea.

At any rate, I’ll add to the noise level by posting this press release from one of those experts.

The release:

Conficker Worm Expected to Influence Rise in Spam, Says Commtouch Trend Report
SUNNYVALE, Calif.–(BUSINESS WIRE)– Computers infected by the Conficker worm could cause a meaningful rise in spam levels for the next quarter, according to the Q1 2009 Internet Threat Trends Report by Commtouch(R)(Nasdaq:CTCH). The multiple variations of the worm have infected approximately 15 million computers around the world according to researchers.

Highlights from the Q1 trend report include:

  • Loan spam jumped to the top of the list of top spam topics, with 28% in the first quarter, possibly reflective of the global economic situation.
  • Users of social networking sites were targeted by new, more complex phishing attacks.
  • Computers/Technology sites and Search engines/Portals are among the top 10 Web site categories infected with malware and/or manipulated by phishing according to the Commtouch Data Center.
  • Brazil continues to lead in zombie computer activity, producing nearly 14% of active zombies for the quarter.
  • Spam levels averaged 72% of all email traffic throughout the quarter and peaked at 96% of all email messages in early January. It then bottomed out at 65% in February.
  • Spammers attacked large groups of an ISP’s users and moved to the next ISP in a targeted spam outbreak.
  • An average of 302,000 zombies were activated each day for the purpose of malicious activity.

“To block the flood of spam that the massive botnet created by the Conficker worm is capable of sending, new spam detection methods beyond traditional content filtering must be employed,” said Amir Lev, chief technology officer of Commtouch. “Detection based on analysis of patterns is the best tool to block massive spam attacks as these patterns will be created in seconds and the IP addresses of the infected computers will be tracked within minutes.”

Commtouch Recurrent Pattern Detection(TM) and GlobalView(TM) technologies identify and block messaging and Web security threats, including increasingly malicious malware and phishing outbreaks. More details, including samples and statistics, are available in the Commtouch Q1 2009 Internet Threats Trend Report, available from Commtouch Labs at: http://www.commtouch.com/download/1348.

NOTE: Reported global spam levels are based on Internet email traffic as measured from unfiltered data streams, not including internal corporate traffic. Therefore global spam levels will differ from the quantities reaching end user inboxes, due to several possible layers of filtering at the ISP level.

About Commtouch

Commtouch(R) (NASDAQ:CTCH) provides proven messaging and Web security technology to more than 100 security companies and service providers for integration into their solutions. Commtouch’s patented Recurrent Pattern Detection(TM) (RPD(TM)) and GlobalView(TM) technologies are founded on a unique cloud-based approach, and work together in a comprehensive feedback loop to protect effectively in all languages and formats. Commtouch technology automatically analyzes billions of Internet transactions in real-time in its global data centers to identify new threats as they are initiated, protecting email infrastructures and enabling safe, compliant browsing. The company’s expertise in building efficient, massive-scale security services has resulted in mitigating Internet threats for thousands of organizations and hundreds of millions of users in 190 countries. Commtouch was founded in 1991, is headquartered in Netanya, Israel, and has a subsidiary in Sunnyvale, Calif.

Stay abreast of the latest messaging and Web threat trends all quarter long at the Commtouch Cafe: http://blog.commtouch.com. For more information about enhancing security offerings with Commtouch technology, see http://www.commtouch.com or write info@commtouch.com.

Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch is a registered trademark, of Commtouch Software Ltd. U.S. Patent No. 6,330,590 is owned by Commtouch.

<<Business Wire — 04/15/2009>>

October 16, 2008

Spam operation busted

Filed under: Business, et.al., Technology — David Kirkpatrick @ 12:19 am

I knew my spam pretty much disappeared, and here’s the reason. Kudos to all law enforcement involved. Thank you.

From the link:

Steve Baker, director of the Federal Trade Commission’s Midwest Region announces that the FTC has shut down one of the largest spam operations in the world Tuesday, Oct. 14, 2008, at a news conference in Chicago. The complex network involved countries from New Zealand to China to the United States. Spammers sent out billions of e-mails encouraging people to click through to professional-looking Web sites, which allegedly used false claims to peddle prescription medication, “male enhancement” pills and weight-loss drugs, the FTC said.

July 25, 2008

Convicted spam king kills self, wife and child

Filed under: et.al., Media, Technology — David Kirkpatrick @ 4:36 pm

What a lowlife. Convicted spammer, Eddie Davidson, slipped jail to off himself after killing his wife and daughter.

From the link:

Convicted penny-stock spammer Eddie Davidson has died of a self-inflicted gunshot wound, apparently after killing his wife and 3-year-old daughter in his home town of Bennet, Colorado, the U.S. Department of Justice said Thursday.

Davidson had been a fugitive from the law since walking away from a federal minimum-security prison camp in Florence, Colorado on Sunday. He had been serving a 21-month sentence after pleading guilty to criminal spam charges late last year.

Here’s what his spamming earned his household:

Known as the Colorado “Spam King,” Davidson earned millions of dollars between 2003 and 2006 by operating a spamming operation, called Power Promoters, out of his home. He would change the header information in his messages to make it appear as if they had come from legitimate companies such as AOL and then send them out to hundreds of thousands of addresses.

And here’s the reaction to Davidson’s final crimes from a US Attorney:

“What a nightmare, and such a coward,” said U.S. Attorney Troy Eid in an e-mailed statement. “Davidson imposed the ‘death penalty’ on family members for his own crime.”