Support Intelligence

Wired Outs Pfizer

2007-09-07T12:40:00.000-07:00

Ryan Singel from Wired.com outted Pfizer yesterday in a great article based on Support Intelligence data.

The article highlights the ongoing security difficulties at the pharmaceutical giant despite our efforts to inform them of the situation over the past few months. And if I wasn't crying about how bad things are I'd be laughing because frequently the spam their bots send touts illegitimate knock-offs of their own flagship product, Viagra.

The spam also promotes black-market versions of Cialis produced by competitor Eli Lilly, and Levitra by Bayer. Ruh roh.

The good news for Pfizer is the makers of "Mandik", another spammed pharmaceutical coming out of their servers, are unlikely to sue anybody any time soon. Phew.

On a more serious note - we've received spam from an absolute heap of Pfizer addresses, along with everyone else. In total 138 separate Pfizer IP addresses have turned up on various black lists. Holy cow Houston! This isn't a single employee surfing warez and getting infected - this is a serious breakdown of systemic control over their corporate network.

The unfortunate bit about all this is the company was informed of the scope of the problem back in early April - over five months ago. It's hard to imagine that as an industry of security professionals we can't do better than this.

SI on the BBC

2007-06-25T13:41:00.000-07:00

This week we've got a double-header for you - first read about Support Intelligence on BBC News, then read about the security issues at the BBC we've observed.

The article, written by Mark Ward, highlights the message we've been bringing home in this blog - Corporations have a Bot Problem. The article relies on us as well as Tim Eades of the security firm Sana, and Alex Raistrick of Con Sentry in outlining the problem with infected PC's. All in all it should be familiar stuff to the readers of this blog, but we're happy to see the message continuing to echo farther and farther afield.

The next best thing about our conversation with Mark Ward was the opportunity if afforded us to tell someone at the BBC about the security problems on their network. And I must say, they took it quite in stride. Fortunately the problems were fairly benign.

We began tracking the BBC in late February and started receiving spam from them almost immediately on a nearly daily basis for several months in a row. All the spam flowed through: 212.58.224.18, mail0.thdo.bbc.co.uk, which is the same mail server that provides the "Email a friend" facilty on the BBC's main website http://www.bbc.co.uk. This is a separate mailserver than the one that outbound BBC employee mail comes from, or that delivers Radio 4 newsletters and such.

All the spam showed received headers from BBC webservers internal facing addresses such as www3-mgt.thny.bbc.co.uk - 192.168.208.33 and www15-mgt.thdo.bbc.co.uk 192.168.201.115.

Were these bots at work on the BBC network? Possibly. A much more likely explanation however is an insecure script on one or two of their webservers allowing them to proxy mail which the spammers identified. Possibly a cross-site scripting vulnerability or sql injection attack.

Whatever the case, the good news is the BBC folks apparently nabbed it - all malicious activity stopped dead on the 23rd of May, prior, in fact to our notification. Hats off the the BBC security team for plugging the hole and stopping their flow of spam.

See - sometimes these stories do have a happy ending.

Company Profile: IndymacBank

2007-05-23T10:39:00.000-07:00

Golly, now it's getting personal. IndymacBank isn't just a lending giant with $1.34 billion in revenue - they also hold the mortgage to my house. And in addition to my monthly payment reminder in May, this month they also sent over a little something extra:

Gosh, and all this time I thought they only cared about the size of my check. Who knew?

But should we blog about them we asked ourselves? This particular run lasted only 44 minutes, on the 21st of May. And prior to that Indymac was clean for 80 days - not a single sign of bot activity. Could be a sign of an excellent effort.

But... wait, this wasn't the only incident - we spotted a second occurrence on the 1st of March which blasted stock spam for 1 hour 16 minutes, and a third on February 27th pumping pharmaceuticals and stocks for a similarly brief amount of time.

So what gives?

All this garbage came from a single IP address: 65.214.149.253, routed by ASN 19347, and showing no reverse DNS. We get a fair amount of marketing mail from Indymac via 63.251.196.251, obb.indymacbank.com, and other mail from 70.42.8.249, smtpout002.indymacbank.com, but never anything bot related and both look like completely legitimate senders.

So, as the guy with his personal information at this bank, including my social security number, income details, and event the square footage of my bathroom, It bothers me that some unknown host on their corporate network is controlled by a third party over which they exert no legal or operational control.

And though I'm hoping that what this evidence shows is a very diligent sec-ops team hard at work shutting down the bots as soon as they pop up, my concern is I have no idea if that's really the case. Is this a single host that's been hacked since February 27th, possibly datamining, and password sniffing the whole time? Or is this three separate incidents, each of which was stamped out within an hour or so? Even if this best case scenario is true - how do I know these systems weren't hacked long before they ever started spewing spam? How do I know I'm safe if they can't even stop themselves from sending out photos of smiling young ladies touting two foot phalli? Does it get anymore outrageous?

People - this is a bank. Think about it...

But what's the point? Is it that Indymac are bad guys? No. Is it that the internet is a scarry place? Sort of. Is it that I need to be concerned about my personally identifiable information. Absolutely.

The whole point of this blog is to raise awareness about the Botwar going on - a war raging around us as we speak. We can smile and laugh about penis spam, but the fact is that millions of carjacked computers, controlled by criminal third parties are doing god knows what 24/7, inside our homes, our hospitals, our government offices, our corporations, and even inside our banks. And in this case, inside my bank.

Our goal is not to make these hard working sec-ops folks look bad, but instead to help raise awareness with their CIO's, CEO's, and even the general public, so they can get the funding and support they need to fight this problem. It's raging around us. It's a predatory criminal activity making victims of many organizations. We can stick our heads in the sand or we can fight it.

So corporate American CIOs - Which are you gonna do?

CustName: INDYMAC
Address: 155 North Lake Ave
City: Pasadena
StateProv: CA
PostalCode: 91101
Country: US
RegDate: 2006-01-13
Updated: 2006-01-13

NetRange: 65.214.149.0 - 65.214.149.255
CIDR: 65.214.149.0/24
NetName: UU-65-214-149-D6
NetHandle: NET-65-214-149-0-1
Parent: NET-65-192-0-0-1
NetType: Reassigned
Comment: Addresses within this block are non-portable.
RegDate: 2006-01-13
Updated: 2006-01-13

Company Profile: Intel

2007-05-09T15:32:00.002-07:00

Question: Do bots affect high tech companies too? Answer: Yes, even high tech companies fall prey to these crimes. Today we have Intel squirting out botspam with the best of 'em, in a very recent infection somewhere on their network.

A trio of IP addresses, all with no reverse DNS, have been firing off stock pump and dump, viagra, and home loan spam the past few days - the first of this run being spotted on April 29th.

192.55.60.93
134.191.248.4
134.191.248.1

All are routed via origin AS 4983 INTEL-SC-AS - Intel Corporation - the first being domestic, and the later two routing to approximately Haifa, Israel.

Previously we'd spotted 192.102.209.12 shooting out Cialis spam back on April 21st, but the good folks at Intel shut it down within half a day - so hardly worth mentioning. But this run seems to have lasted 8 or 9 days since inception (with nothing in the past 24 hours, so hopefully they've nailed it already).

My favorite piece of garbage sent from this batch of Intel spam brought the following title -

Subject: Gimme your thoughts on this

Indeed, gimme your thoughts...

Company Profile: ATA Airlines

2007-05-08T15:24:00.001-07:00

So, it looks like banks, insurance companies, publishers, manufacturers, and retailers all have problems with bots. But do airlines have problems with bots? You betcha.

On April 7th, something at ATA Airlines changed. Out of previous total silence, spam started arriving in our traps from ATA. It was clearly botspam, this time pushing Humet PBC, which trades as L9Z.F on the Frankfurt Stock Exchange. According to the good folks at Spamnation, this was part of a two part run between March 31st, and April 19th perpetrated on this stock.

All the spam from ATA touting the stock came from a single IP address: 205.245.253.165 - h-253-165.iflyata.com. The spam was nearly identical, 100% of it touted the same company, and the run itself lasted three days, peaking in the middle. Then poof - radio silence again.

Until the 28th of April that is when stock spam started arriving in our traps from ATA a second time. This run came from a different IP address: 205.245.253.225, resolving to h-253-225.iflyata.com. Again, the spam uniformly pumped a single stock - Electronic Koursewar - EKII.PK -, which was part of a much larger, distributed spam run, used forged received headers ( some from unrouted IANA space) , and mysteriously disappeared after three days.

Did ATA catch the problem and shut it down? We sure hope so. Out of the 10 weeks we've been watching ATA, they've sent spam on only six days, so hopefully this is a sign of a vigilant, if not perfect, security regimen.

Will the problem spring back up a third time? Were these systems also key-logging? Is there a drop file somewhere with other information in it? Impossible for us to say, but someone has to ask the question. Neither of the IP addresses delivering the botspam to us delivered a single piece of legitimate mail, and neither appear to be regular mail transfer agents - so what are they?

And if the IT security of civilian airlines isn't enough to get your attention, don't forget, ATA is also a big time carrier for the U.S. military, operating charter missions around the globe everyday.

And so, the bots rampage on...

Company Profile: Nationwide Insurance

2007-04-30T22:50:00.000-07:00

We have been watching the Nationwide Insurance Network for a few months now, and have been impressed with the spam/ham ratio. Its spammyness is something like 100:1 in spam to ham. We have collected some 1,857 SPAM from 6 IP addresses on Nationwide's Network. The breakdown of spam and the hosts that sent it out are listed below:

The kinds of spam we received from Nationwide included Pharmacy spam advocating various Erectile Dysfunctions drugs, Rolex watches, graphic pornography, mortgage loans, weight loss and stock pump-n-dump. While writing this blog post we received 10 more stock pump-n-dumps touting stock ticker EKII which is down 9% as of Monday evening. Senderbase.com lists 155.188.254.1 as having a 10% increase in daily activity and notes that the host is blacklisted by SORBS.

The main question is if any of Nationwide's consumer data was compromised. We believe that 155.188.254.1 is an outbound NAT and that the 1,342 SPAM emitted from that IP address represent some set of internal machines that are compromised. The way that the headers were forged leads us to believe that there were several machines behind the suspected NAT.

Most malware does some form of key logging or post logging. Could an infection of this size compromise the integrity of their consumer data? Remember that in the TJX Data Breach researchers still don't understand how they got in, how they unencryped the data and the company is currently facing litigation in excess of over 1.6 Billion. CISOs need to understand that todays malware easily captures data before it gets encrypted and moves it off corporate networks without setting off an IDS. A good hint -- if your company is sending out spam you probably have a good botnet infection.

When we finally do get an IT security manager on the phone the first question they ask is if any of these spam have been forged. We answer this question as follows:

We track all BGP announcements since Jan 2005. We monitor the BGP at several locations including our trap locations.
We match up any bogons or route hijackings with the TCP connect data our spamtraps collect.
AS26578 [ NATIONWIDEASN2 - Nationwide Services, Inc ] which is responsible for routing the addresses in question has not had a routing hijack during our period of analysis.

Furthermore, based on observations, had one of these blocks been hijacked the block would have had to be hijacked for a continuous period of several months. Such a routing hijack would have also been noticed as it would have effected outbound corporate e-mail delivery.

From the points above we conclude that the Nationwide Insurance network blocks were not hijacked in any way; and that several machines internal to their network have been compromised to send SPAM to the greater population of Internet users.

Not every Fortune 500 company we analyze are in as bad of shape as Nationwide Insurance. For example, we haven't received a single SPAM from Geiko Insurance during the same period. Next week we will let you know if Nationwide has brought their systems under control and if they have mitigated their problems.

We're of course ready to share information with Nationwide to help track the problem down and get it stopped.


OrgName:    Nationwide Mutual Insurance Company 
OrgID:      NMI-20
Address:    One Nationwide Plaza
City:       Columbus
StateProv:  OH
PostalCode: 43215
Country:    US

NetRange:   155.188.0.0 - 155.188.255.255 
CIDR:       155.188.0.0/16 
NetName:    NATE
NetHandle:  NET-155-188-0-0-1
Parent:     NET-155-0-0-0-0
NetType:    Direct Assignment
NameServer: NNS1.NATIONWIDE.COM
NameServer: NNS2.NATIONWIDE.COM
Comment:    
RegDate:    1991-11-21
Updated:    2006-08-03

OrgTechHandle: CLW-ARIN
OrgTechName:   West, Cher L.
OrgTechPhone:  +1-614-249-8631
OrgTechEmail:  westc1@nationwide.com

------- ASN Deligation ------
OrgName:    Nationwide Services, Inc
OrgID:      NATION-354
Address:    ONE NATIONWIDE PLAZA
Address:    M.S. 1-05-31
City:       COLUMBUS
StateProv:  OH
PostalCode: 43215
Country:    US

ASNumber:   26578
ASName:     NATIONWIDEASN2
ASHandle:   AS26578
Comment:
RegDate:    2002-10-21
Updated:    2002-10-21

RTechHandle: CLW-ARIN
RTechName:   West, Cher L.
RTechPhone:  +1-614-249-8631
RTechEmail:  westc1@nationwide.com

Company Profile: Affiliated Computer Services

2007-04-26T09:15:00.000-07:00

We started our tracking project for Affiliated Computer Services on March 10th. It took about a week to catch our first spam from this company which does BPO for numerous corporate clients. On the 18th we received an offer soliciting Russian Lovers from 63.87.170.71 better known as pat.acs-inc.com. This single machine sent us 96 additional spams over the next few weeks.

The flow began as image spam touting various pharmaceuticals and masculine enlargement techniques. Eventually the content changed to Hooudia diet supplements and OEM Software. It wasn't until the 23rd of March that 63.87.170.71 really started to spew however. This address then delivered us another 174 spam on similar topics plus a stock pump-n-dump pushing CWDT.OB (yahoo charts)

The interesting thing is that during the time the Affiliated Computer Services computers were filling your and my inboxes with stock spam, the stock for CWDT did actually swing back and forth. There has been a fair amount of research into stock touting and its apparent effectiveness. Meaning that the spam emitting from Affiliated Computer Services might have played a role in some investor loosing their shirt purchasing CWTD. For more information on stock spam touting see Spam Works: Evidence from Stock Touts and Corresponding Market Activity.

These two ip addresses continued to spew until the 16th of April. All in all we received almost 300 SPAM/UCE from ACS. Between the Stock spam or the genital enlargement it's hard to say which is most bothersome.

Borders Group: Books or Bots - A look at a Six Country Spam Run

2007-04-25T17:12:00.000-07:00

Borders seems to do a fairly good job with their containment; unfortunately today we bring you an analysis of a Pharmaceutical spam run launched from Borders servers between March 29 and April 3rd that used resources from six different countries.

As the story goes, on March 29th we began receiving botspam messages from 198.179.227.25 on the Borders network sending us off to buy Viagra at domains created March 23rd and registered to:

Icek Pankovich
Sos. Mihai Bravu,No. 5
Bl. 4, Entr. 4, Apt. 9
Bucuresti, Sector 2 76101
Romania
+040.0212516407
+040.0212516407
icek_pankovich@yahoo.com

The domains are serviced by Name Servers hosted in Iran, Chile, and Argentina, and registered to owners in China and Texas. All three Name Server domains were registered in February or March of '07, with a 1 year expiration - quite cheaply disposable.

Name Server: ns1.nopadvene.com
Name Server: ns2.razovinag.com
Name Server: ns1.thefeminine.net

The websites themselves were ultimately hosted by China Telecom, somewhere in Shandong Province.

Address: 222.173.251.30

So as you can see, this single SPAM run makes a six country tour in its setup and makes a nice little case study in how crooks create jurisdictional nightmares to cover their tracks. Odds of successful prosecution anyone?

Strangely, on the Borders side there are also wiggles that make the diagnosis less than straightforward. The reverse DNS for the ip address sending all this SPAM points to bordersgroupinc.com, however, the forward A Record for bordersgroupinc.com points to 152.160.1.28 which is routed by AS4595 (ICNET).

It's odd that the machine at 198.179.227.25 has a reverse entry pointing to bordersgroupinc.com. Could this be the outbound facing NAT? Well, the box in question (if it was a box) forged headers from Yahoo, Google, Gmail and others - noticeably lacking any DomainKeys headers that indicate legitimate mail from Yahoo!

As for the legitimate Borders mail, it comes from 198.179.227.40 - outboundsmtp.bordersgroupinc.com. And all the mail from this server has Received headers from internal RFC1918 space with reverse DNS pointing to an internal zone claiming to be corpex01.bgpcorp.net which doesn't jive with the global DNS, but seems more or less legit. All of which just shows some of the oddities encountered when tracking these types of incidents down.

This kind of compromise happens every day to large and small companies, with the odds of successful prosecution of the criminals involved nearly zero. On the positive side, we're happy to report that Borders was able to mitigate the infection within a week, which is fast compared to some companies that have had infections for months. Stay tuned, we'll be highlighting some of those shortly.

We'll also review some of the companies we've analyzed over the past few weeks to see if any have cleaned themselves up or continue to pollute our mail boxes.


X-SENDER-IP: 198.179.227.25
X-HELO: bordersgroupinc.com
X-UUID: 9d9baf6b-f6aa-4261-9d50-598887d541ff
X-ECP: BordersGroup
Return-Path: <sociologistsoot's@partyallnight.net>
Received: from 66.196.126.37 (HELO mx5.biz.mail.yahoo.com)
     by locaos.com with esmtp (20Q,WW067.4I )HQ8)
     id 5.0GBD-IAQ'IF-,2
     for rry563@locaos.com; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton" 
To: 
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
Message-ID: <01c7720a$1c87cdd0$6c822ecf@sociologistsoot's>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0006_01C771E8.95762DD0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: Aca6QO.5147K'S79Y8@PLZ,WW?9U5R==

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C771E8.95762DD0
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit


Dear valued member!
More and more people are getting concerned with the problem of fake drugs
sold on the Web. This letter is aimed at helping you choose a really reliable Internet drugstore.
It�s not a secret that many Web pharmacies are trying to make profits by
selling fake drugs that not only prove to be totally useless but also can
cause serious health problems. USDrugs is one of very few Internet
drugstores that always offer only 100% generic meds.

Hope that you will find the information provided useful.Please click here
for more information.

With Best Regards,  Denis Denton
USDrugs B.V.

URLS REMOVED

Whois for the IP address that sent us the lovely request to look for new meddications


OrgName:    Borders, Inc.
OrgID:      BORDER-4
Address:    54 S. State Road
City:       Ann Arbor
StateProv:  MI
PostalCode: 48109
Country:    US

NetRange:   198.179.225.0 - 198.179.228.255
CIDR:       198.179.225.0/24, 198.179.226.0/23, 198.179.228.0/24
NetName:    NETBLK-BORDERS
NetHandle:  NET-198-179-225-0-1
Parent:     NET-198-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.WCOM.NET
NameServer: NS3.WCOM.NET
NameServer: NS2.WCOM.NET
Comment:
RegDate:    1993-11-04
Updated:    2001-10-01

Clear Channel

2007-04-24T09:09:00.000-07:00

In our effort to bring attention to the facts that many corporations unknowingly send SPAM we bring you an analysis of Clear Channel. Every day we receive many legitimate emails from Clear Channel touting radio and TV stations with titles like Newsradio 850, KOA Traffic Alert or Free Money - Free Trips as well as loads of concert updates for every major metropolitan area of the United States.

Back in March, we started getting titles like Best Prices on Medication mixed in with our KOA Traffic Alerts. We first noticed image based Pharmaceutical spam from 207.230.140.240 on 03/12/2007 advocating Viagra and HGH. Similar spam arrived from another Clear Channel address, 62.190.150.183, this time from Europe. These compromised machines appear to have been cleaned up as we haven't see anything from them for nearly 2 weeks.

On March 29th however, we noticed 62.190.150.183 pumping Pharma spam with 207.230.140.240 joining in just a few minutes later. This particular infection ran much longer. These two addresses were responsible for delivering some 212 spam email to our traps. Then around April 4th we received Mortgage spam notifying us of our load acceptance for $396,000 - we just need to click here.

On April 10th, 207.230.140.240 stared sending us OEM spam pushing Adobe and Microsoft products.

In summary it looks as though Clear Channel has a continuing problem with infected computers pumping SPAM advocating Illegal Pharmacies, Unlicensed Software, and Identity Theft. It's not that Clear Channel is different from Intel, Best Buy, or Bank of America. All these companies have had botnet activity on their networks in the last 30 days. The point is that a great many companies have been hit by these problems.

The differentiator is whether a company cares, what they do about the problem, and how fast they clean it up. Nobody expects security to be flawless - but our internet shouldn't be Unsafe at Any Speed, and especially not from organizations that have the resources available to address the problems - Once Awareness of the Problem Exists - hence our blog and DOA list.

FYI, Clear Channel delivered over 2,000 emails to our traps in under 45 days - only 10% of which was botnet SPAM. But it's that 10% that's making our internet an unsafe place to be. The question is - what are you going to do about it?

OrgName:    Clear Channel Communications
OrgID:      CCC-111
Address:    Clear Channel Worldwide
Address:    20880 Stone Oak Parkway
City:       San Antonio
StateProv:  TX
PostalCode: 78258
Country:    US

NetRange:   207.230.128.0 - 207.230.159.255
CIDR:       207.230.128.0/19

Owned hosts of Banc of America Securities

2007-04-19T11:04:00.000-07:00

Bank of America

We had to wait for this one to settle down a bit before we brought it out in the open. We track many of the major Banks in the USA. Today we review a week of SPAM from Bank Of America. We have observed many months of good behavior from BofA but starting on April 2, 2007 a lone system named system6.bofasecurities.com [63.80.4.6] got infected with something nasty. The situation lasted until the evening of April 6th. During this time we collected 226 SPAM.

Support Intelligence wasn't the only place that noticed this box spew, System6 was blacklisted by CBL, TQM3, and UCEProtect. We also note that this same system has been blacklisted by SpamHaus before on 2006-12-31 and 2007-03-30.

None of the Spam we collect from System6 had any Received headers so we believe all the mail to have originated from hosts outside of Bank of America, probably via socks proxy - so lets be clear that this appears to be a casual penetration of [our attorney has encouraged us to leave this space blank]

On April 9th a new system popped up, host-63-117-180-6.eprimebroker.com [63.117.180.6] which is routed by AS 19438 ( PRIME-BROKERAGE - Bank of America ). This host primarly unloaded OEM software spam. It appears that the folks at ePrimeBroker are on top of it as this host only got 4 spam into our traps before being shut down. The 4 spam from ePrimeBroker all arrived within 90 minutes of each other, and we have not detected a new spam since April 9th . During its prime it was blacklisted by CBL and SpamHaus, while SenderBase showed a 316% increase in its SMTP traffic.

With 9 weeks of analysis that shows no indication of bots I'd say BofA did a great job up until our 10th week of observation when they had a two separate infestations. The good news is at least on was noticed and shut down quickly.

Bank of America will get infected again and we'll bring you a timely report of it.

Company Profile: Conseco (NYSE: CNO)

2007-04-18T09:05:00.000-07:00

at 4:07pm PDT today we received yet another spam from Conseco, specifically the webserver at 205.144.127.10 which has sent our traps some 296 SPAM in the last 30 days. Today it was Viagra links, yesterday HGH and OEM software, the day before -- image spam. The week of March 12th brought us some Tranny pornography with titles like Beusty Wkoman Srucks BIGFCOCK & Taitty Fjuck In Piool and Cjlassy Tdanned SHYEMALE Balowjob & Djoggystyle Feuck.

Several of the lovely notes from the server at 205.144.127.10 had Received: headers. The following machines apparently proxied 6 of the 296 transactions through it.

Received: from 65.112.18.68 (HELO mrclean.mnimaging.com)
Received: from 208.180.123.23 (HELO mail.ftwoods.com)
Received: from 62.249.192.203 (HELO mx1.freeola.net)
Received: from 212.14.64.180 (HELO mail.ijb.de)
Received: from 217.12.160.3 (HELO smtp.yepa.com)
Received: from 64.71.166.217 (HELO sesmail-com-bk.mr.outblaze.com)

The forward and reverse for these hosts do seem to match up, and none are listed on any DNS RBL that we know of. The only oddity is that the FQDN matches the forward ip address and some reverses don't match the FQDN but are close enough. This isn't how SMTP servers work though.

With Nmap reporting all the ports on 205.144.127.10 as closed, I'm confused how other servers could proxy any of the SPAM through 205.144.127.10. therefore I'm going to call the headers in the 6 aparently proxied transactions as forged.

My best guess is that the host is a decommissioned web server for conseco.com as the reverse DNS points to conseco.com however the forward DNS for conseco.com as an A record of 205.144.125.110. Since these are different and 205.144.125.110 has the reverse for 10 or so other names I can imagine a transition that just left the old conseco.com. web server out dangling.

This server has been infected for over a month and sits on the same /24 that all of the other main company resources reside on. We will come back and review this one again in a week or so and see of anyone has cleaned it up.

Company Profile: Toshiba America Business Solutions

2007-04-17T19:46:00.000-07:00

We started watching Toshiba's network on Feb 23 2007. Since that very day one host has shone above the others, spewing every variety of spam. The host [12.145.34.103] has activity sent spam dating back as far as July 17th 2006. It has been listed on CBL, SpamHaus, TQMcube, UCEProtect, and WPBL. All in all it was listed some 105 times for sending SPAM/UCE in the last 9 months.

Every spam we captured from the host used a different HELO in the SMTP transaction to deliver mail to our traps. There were no Received headers Of the 716 spam we have received from this one host, we collected stock touts for WSDC.PK (up big!) and CDYV.PK up a hefty 25% today, CCTI.PK (ouch, down almost 100% from its high) and SPSY.PK. There were also Rolex Watch and other Trademark/Brand SPAM.

I don't buy the nmap analysis below but I thought it interesting enough to include. This device is determined by nmap to be a Cisco load balancer. We are constantly surprised.


Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-17 20:51 PDT
Interesting ports on 12.145.34.103:
Not shown: 1681 closed ports
PORT     STATE    SERVICE
178/tcp  filtered nextstep
605/tcp  filtered unknown
654/tcp  filtered unknown
1076/tcp filtered sns_credit
5050/tcp filtered mmcc
5101/tcp filtered admdog
5190/tcp filtered aol
5192/tcp filtered aol-2
5193/tcp filtered aol-3
5510/tcp filtered secureidprop
5520/tcp filtered sdlog
5530/tcp filtered sdserv
5540/tcp filtered sdreport
5550/tcp filtered sdadmind
5555/tcp filtered freeciv
5560/tcp filtered isqlplus
Device type: load balancer
Running: Cisco embedded
OS details: Cisco CSS 11501 Content Services Switch

Business Week wants me to become a better lover?!?

2007-04-12T19:03:00.000-07:00

We've been collecting spam from a corporate email gateway (205.142.53.51) over at Business Week which is owned by McGrawHill which is responsible for announcing the 205.142.50.0/22 block from AS 4546.

This particular computer is one of Business Week's outbound mail gateways better known as mail03-1.mcgraw-hill.com. Its been showering our traps with titles like Become a better lover and Enjoy complete and total confidence every time. This server isn't botted it's just an IronPort[aren't they owned by cisco now] box that's forwarding SPAM, but where is the spam coming from? Upon deeper inspection a received header indicates that this mail server received the message from a host (bw-www2-hts.mcgraw-hill.com) with an RFC1918 address [172.16.40.20]

This all sounds very complicated. It gets worse, the are other compromised web servers in other business units all leveraging the same technique of using a compromised system to send out spam through outbound corporate MX servers, in this case a IronPort anti-spam system.

One of the other systems that caught our eye is [corona.eppg.com] which sprouted titles like Obesity is the number one cause of premature death in Americans This box used the same technique exiting its spam through another outbound mail server at 198.45.24.235. This host's block were registered to "Macmillan/McGraw-Hill School Publishing Company" which does K-6 Schoolbooks. That's friggn kinder garden through 6th grade books, do you think they interact with kids over their website... yep, the kiddies log in at http://glencoe.passkeylearning.com/LoginController

These computers have been spewing spam for some time now, I'm interested to know if they also have key loggers operating on them. Well, I doubt we will hear from their systems administrator, we wrote this post because we couldn't figure out how to report instances like this. Hey, Mr. Business Week, you got 0wned!

A set E-Mail Headers from the ~100 messages we analyzed


X-SENDER-IP: 205.142.53.65
X-ENVELOPE: EHLO mail04-1.mcgraw-hill.com
MAIL FROM:
RCPT TO:
X-HELO: mail04-1.mcgraw-hill.com
X-UUID: 7ce71508-07ab-4427-bafd-cdd5fa56d7fa
X-ECP: McGrawHill
Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20])
by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400
X-IronPort-AV: i="4.14,384,1170651600";
d="scan'208"; a="13150503:sNHT79478476"
Received: (from busweek@localhost)
 by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382;
 Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Date: Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Message-Id: <200704071355.l37dtc705382@bw-www2-hts.mcgraw-hill.com>
To: bwwebmaster@businessweek.com
From: planet8094@businessweek.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
Subject: An all natural solution that studies prove works wonders

Another message's headers for the PASSKEYLEARNING.COM site


X-SENDER-IP: 198.45.24.235
X-ENVELOPE: EHLO corona.eppg.com
MAIL FROM:
RCPT TO:
X-HELO: corona.eppg.com
X-UUID: 5aa1d38b-fb32-4ac6-8aac-8ad1845c09eb
X-ECP: McGrawHill
Received: (from passkeylearning.com@localhost)
 by corona.eppg.com (8.11.7p3+Sun/8.10.2) id l2BDxSl23545;
 Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
Date: Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
From: passkeylearning.com@corona.eppg.com
Message-Id: <200703111359.l2bdxsl23545@corona.eppg.com>
To:
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
Subject: Obesity is the number one cause of premature death in Americans

The ARIN IP Address Deligation for the ip addresses mentioned above.

OrgName:    Businessweek Corporation
OrgID:      BUSINE
Address:    1221 Avenue of the Americas
City:       New York
StateProv:  NY
PostalCode: 10020
Country:    US

NetRange:   205.142.52.0 - 205.142.55.255
CIDR:       205.142.52.0/22
NetName:    BUSINESSWEEK
NetHandle:  NET-205-142-52-0-1
Parent:     NET-205-0-0-0-0
NetType:    Direct Assignment
NameServer: CORP

Aflac Meet Mr. ED

2007-04-11T14:15:00.000-07:00

Aflac's Email Dysfunction

Today we look into why Aflac, Inc (AFL) an Insurance company with millions of consumer records at risk can't keep from sending out a MegaTon of Pharm SPAM. According to Sender base 209.37.4.38 has increased its outbound e-mail by 757% in the last 24 hours.

Apparently SpamCop noticed too.

I guess it is hard to keep bots off your network with over 7,700 employees and a Market Cap of over 23 Billion. Maybe Mr Amos with his 6M in salary can do something to protect all those innocent customer records being sniffed. We will tune in next week to see if anything has changed.

DOA Week 13, 2007

2007-04-09T16:25:00.000-07:00

We analized over 22,000 ASNs for every kind of eCrime including DDoS, Scanning, hosting Malware, sending Spam, hosting a phish, or transmitting virous. Below are the top 100 networks and the volume of incidents in the last 7 days.

We posted the complete list of networks with more than 28 incidents in the last 7 days to the DOA report list which you can sign up at http://www.support-intelligence.com/doa/




+-------+------------------------------------------+--------+
| asn   | trim(left(org_name,40))                  | volume |
+-------+------------------------------------------+--------+
|  4134 | No.31,Jin-rong Street - Beijing - 100032 |  80279 |
|  5617 | Polish Telecom's commercial IP network   |  63652 |
|  3320 | Deutsche Telekom AG                      |  37871 |
|  9121 | Turk Telekom A.S.                        |  34459 |
| 19262 | Verizon Global Networks                  |  27315 |
|  7738 | Telecomunicacoes da Bahia S.A.           |  26695 |
| 27699 | TELECOMUNICACOES DE SAO PAULO S/A - TELE |  21487 |
|  3462 | Data Communication Business Group - Chun |  19756 |
|  4766 | Korea Internet Exchange -                |  15632 |
|  8151 | Uninet S.A. de C.V.                      |  15376 |
|  9498 | BHARTI BT INTERNET LTD. - BHARTI BRITISH |  14749 |
|  3215 | France Telecom Transpac Domestic IP Back |  14216 |
|  3209 | Arcor AG & Co.                           |  13672 |
|  4788 | TMnet, Telekom Malaysia - AS list of TMn |  11714 |
|  3269 | TELECOM ITALIA - INTERBUSINESS NET       |  11470 |
|  3352 | Internet Access Network of TDE - Spanish |   9751 |
|  9318 | HANARO Telecom                           |   8438 |
|  5483 | Hungarian Telecom - Public Internet Acce |   8206 |
|  6147 | Telefonica del Peru S.A.A.               |   8070 |
|  8359 | MTU-Intel Moscow region network          |   7992 |
|  6713 | Itissalat Al-MAGHRIB - MAROC TELECOM     |   7840 |
|  1267 | Infostrada S.p.A. - IUnet S.p.A.         |   7290 |
|  7470 | ASIA INFONET Co.,Ltd. - Internet Service |   7152 |
|  2856 | BTnet UK Regional network                |   7065 |
|  4814 | IP networkChina169 Beijing Broadband N   |   6755 |
|  4755 | Videsh Sanchar Nigam Ltd. Autonomous Sys |   6218 |
| 17813 | Mahanagar Telephone Nigam Ltd. - ISP Div |   6191 |
|  4713 | NTT Communications Corporation           |   5470 |
| 13184 | HanseNet Telekommunikation GmbH - Hambur |   5453 |
| 15557 | LDCOM NETWORKS pan european service Prov |   5192 |
|  7418 | Terra Networks Chile S.A.                |   5057 |
|   209 | Qwest                                    |   5041 |
|  5430 | freenet City LINE GmbH - Willstaetterstr |   4743 |
|  1680 | NetVision Ltd. - NetVision Ltd.          |   4525 |
|  6849 | JSC UKRTELECOM                           |   4460 |
| 20115 | Charter Communications                   |   4412 |
| 22047 | VTR BANDA ANCHA S.A.                     |   4361 |
|  5486 | Euronet Digital Communications - (1992)  |   4106 |
| 11427 | Road Runner                              |   4075 |
|  7132 | SBC Internet Services - Southwest        |   3851 |
|  3243 | Telepac - Comunicacoes Interactivas, SA  |   3689 |
|  9583 | Satyam Infoway Ltd., Private ISP in Indi |   3586 |
|  8764 | LIETUVOS-TELEKOMAS Autonomous System - V |   3549 |
|  3257 | Tiscali International Network B.V.       |   3541 |
|  5462 | Telewest Broadband - UK Broadband ISP    |   3467 |
|  9304 | Hutchison Telecom (HK) - Mobile, pager,  |   3280 |
| 17858 | KRNIC - Korea Network Information Center |   3236 |
|  6739 | Cableuropa - ONO - C./ Basauri, 5 - Urba |   3222 |
|  5089 | NTL Group Limited - Hook, Hampshire - Un |   3190 |
| 18101 | Reliance Infocom Ltd Internet Data Centr |   3163 |
| 10036 | C&M Communication Co. Ltd.               |   3140 |
|  4230 | Embratel                                 |   3110 |
| 20001 | Road Runner                              |   3056 |
|  7552 | Vietel Corporation - Internet Exchange a |   2987 |
| 17974 | PT TELEKOMUNIKASI INDONESIA - JL JAPATI  |   2934 |
|  6805 | Telefonica Deutschland Autonomous System |   2840 |
|  8881 | KomTel routing policies                  |   2826 |
|  5391 | HT, HiNet, Croatian telecom              |   2683 |
| 16338 | AUNA Autonomous System - AUNA Group. - P |   2632 |
| 18403 | The Corporation for Financing & Promotin |   2632 |
| 24863 | LINKdotNET AS number - for any abuse com |   2564 |
| 15311 | Telefonica Empresas                      |   2524 |
| 12271 | Road Runner                              |   2522 |
|  6327 | Shaw Communications Inc.                 |   2511 |
| 33287 | Comcast Cable Communications, Inc.       |   2460 |
|  9689 | Future's Cable Television, Inc. - 463-57 |   2444 |
| 13285 | Opal Telecom - Northbank Industrial Esta |   2444 |
| 17839 | Dreamcity Media - 423-6 Songnae-dong Sos |   2433 |
|  7029 | Alltel Information Services, Inc.        |   2423 |
|  5610 | CZECH TELECOM, a.s - Olsanska 6 - Prague |   2395 |
| 19429 | ETB - Colombia                           |   2390 |
|  7015 | Comcast Cable Communications Holdings, I |   2277 |
| 12479 | Uni2 Autonomous System - Spain           |   2242 |
| 11351 | Road Runner                              |   2196 |
|  5384 | Emirates Internet - Public Internet Serv |   2182 |
| 11426 | Road Runner                              |   2158 |
| 12542 | TVCABO Autonomous System - Portugal      |   2136 |
|  1221 | Telstra Pty Ltd - Locked Bag No. 5744 -  |   2082 |
| 12741 | Netia Telekom SA                         |   2049 |
|  6057 | Administracion Nacional de Telecomunicac |   1969 |
|  4775 | Telecom Carrier                          |   1943 |
|  9506 | Magix Broadband Network - Singapore Tele |   1848 |
| 33651 | Comcast Cable Communications, Inc.       |   1846 |
| 10796 | Road Runner                              |   1825 |
|  5603 | SiOL Internet d.o.o. - Internet Service  |   1799 |
| 36727 | INSIGHT COMMUNICATIONS COMPANY, L.P.     |   1781 |
|  5713 | Telkom SA Ltd.                           |   1751 |
| 20214 | Comcast Cable Communications Holdings, I |   1745 |
|  4808 | IP networkChina169 Beijing Province Ne   |   1726 |
|  9141 | UPC Poland                               |   1714 |
|  9050 | RTD-ROMTELECOM Autonomous System Number  |   1689 |
|  5668 | CenturyTel Internet Holdings, Inc.       |   1669 |
| 33491 | Comcast Cable Communications, Inc.       |   1663 |
|  6478 | AT&T WorldNet Services                   |   1638 |
|  1257 | SWIPnet - Swedish IP Network             |   1635 |
| 17864 | Hanvit I&B - 519-1, Gojan-Dong, Ansan-Ci |   1609 |
|  7693 | KSC Commercial Internet Co. Ltd. - 2/4 S |   1601 |
| 22291 | Charter Communications                   |   1593 |
|  3816 | Empresa Nacional de Telecomunicaciones   |   1576 |
| 10091 | SCV Broadband Access Provider            |   1429 |
+-------+------------------------------------------+--------+

Company Profile: AIG

2007-04-05T15:21:00.000-07:00

American International Group pulls in $113 billion in revenue per year, with $77 billion in cash on hand. They also have bots running on their network.

AIG wrote us to let us know that Britney Spears loves Rolex Watches! Apparently. Or maybe just replicas. In either case, AIG sent us over 275 Rolex come-ons in the last month.

They're also apparently interested in our sex life, as they've asked us to visit this website:

http://womqat.hsuj.hk

The repeated requests have arrived from breeze.agfg.com and hail.agfg.com at 161.159.4.82 and 161.159.4.81 respectively.

The site offers what are apparently black market pharmaceuticals from a company with no phone number, false whois information, and a domain registered on February 18th - less than a month before receiving the advertisement.

The products offered on the site use the trademarks of Pfizer, Eli Lilly, Bayer, GlaxoSmithKline, you name it.

The company also has 15 public black listings since December 2206, on 3 separate public lists, from 11 separate IP addresses.

We encourage AIG to take a close look at breeze and hail listed above.

Company Profile Thomson Financial

2007-04-03T11:13:00.000-07:00

Thomson Financial Corporation - number two in our profile of companies with bots running on their networks.

April 1st, we noted 198.80.153.10 ( 153-10.tfn.com) connecting to a command and control server via IRC. Unfortunately this is no April Fool's joke. Nor is the Botspam they've been sending us over the last month, such as this pump and dump sent from 198.80.128.88 on 3-15-2007:

We'd also recommend checking out 198.80.189.10 which sent us over 25 pieces of botspam in March most of which touted different over the counter stocks.

Unwitting Spammers - Support Intelligence in the Washington Post

2007-04-02T10:42:00.000-07:00

Brian Krebs of The Washington Post wrote an insightful piece on Fortune 500 companies, the bots on their networks, and the spam coming from their networks. The article, appeared in Brian's Security Fix blog and called out ExxonMobile, American Electric Power, Indymac Bank, Dow Jones and a handful of others with recent problems on their networks.

Which is no bit deal if you don't drive a car, light your home, carry a mortgage, or read the news. Then again, doesn't the security of our power plants, oil tankers, banks, and news organizations affect every one of us?

Support Intelligence in the Register

2007-04-02T10:29:00.000-07:00

Dan Goodin of The Register wrote an excellent article on bots operating on corporate networks. The article entitled Bots inside the Perimeter features data collected from the Support Intelligence network and highlights distinct cases of bot spam flowing out of Oracle, HP, Best Buy, and others.

In the case of Oracle, the botspam was actually a phishing attack on Paypal. And with Best Buy the amount of spam pouring out its scuppers was in the thousands per week.

Houston, we have a problem.

Company Profile: 3M

2007-03-28T10:48:00.000-07:00

Our first review is the 3M company (Ticker MMM). In 23 days we collected 11 spam from 69.6.84.102 which is delegated to 3M by ARIN:


OrgName:    3M Company
OrgID:      3MCOMP
Address:    3M Center
Address:    Bldg 224-4N-27
City:       St. Paul
StateProv:  MN
PostalCode: 55144-1000
Country:    US

NetRange:   169.4.0.0 - 169.7.255.255
CIDR:       169.4.0.0/14
NetName:    NETBLK-B-BLK1-3M

The spam were all image based Stock Pump-n-Dump SPAM touting stocks EXVG (up 15% today) BTOD (up 13% today) and GDKI (down 37%) Stock spam continues to plague companies traded on Over The Counter markets like the Pink Sheets.

We reviewed the routes announced by 3M (AS7792) which announced the entire 169.4.0.0/14 as one block. Our analysis of the routes for this prefix shows no more specific announcements or any other origin for the 3M block. Once we have reasonably shown there were no route hijacking we can determine that our spamtrap did actually connect with and recieve SPAM from one of 3M's machines.

3M shoulod consider taking a look at the following addresses:


169.6.84.98
192.28.4.40
169.12.80.180
169.6.84.102

30 Days of Bots

2007-03-26T18:14:00.000-07:00

We have been collecting data on the top 500 networks in the Fortune 1000 companies evaluating how much SPAM/UCE they send. Over the next couple of weeks we will explore which global Fortune 1000 companies have bots inside their perimeter and sending out spam.

We will continue this coverage until corporate america is clean (ETA 2012)

Attack of the Zombie Computers - Support Intelligence in the New York Times

2007-01-07T10:56:00.000-08:00

Get out the big microphone - what we've been saying all along about the growing bot problem finally hit the NY Times. John Markoff investigated the article which includes quotes from Dave Rand, David Dagon, Gadi Evron, K.C. Claffy, the ShadowServer folks and others.

The article quotes some good ballpark numbers on the threat:

11% of the 650 million computers on-line contain botnet code
250,00 new systems get botted every day
80% of all spam originates from botnets now
We passed the billion spam a day by a single ISP point back in December

Anyway, it's a thoughtful read that brings some badly needed attention to the size of the problem.

Plus you can check out our spooky picture in the paper too in case the facts themselves don't scare you enough.

Adam

Introducing the Digest of Abuse Report

2006-11-27T10:59:00.000-08:00

Today we're launching a little something we like to call the Digest of Abuse Report - or DOA Report for short.

The Digest has two parts:

1) A summary list of new abuse broken down by Autonomous System
2) Individual notifications to AS operators about abuse on their networks

The Summary List

We track the 23,000+ ASN's announced in the global routing system and assign abuse on each ASN to it. Since listing all 23,000 would be terribly long, we've elected to just list the top 100 or so for now.

In future reports, we plan on breaking down the lists by geography, either country or RIR area, and possibly by type of network as well - mil, edu, net, com. We'd also like to offer trending data and more detail for those who are interested.

If you have suggestions on ways to present the data let us know there's a lot we could do with it.

The DOA Mailing List and Monthly Postings

The list comes out weekly - if you'd like to receive a copy just sign up for our mailing list. Additionally we'll be posting the list on a monthly basis to NANOG, and a few other lists.

Individual Notifications

On top of that, we'll be informing network operators of the abuse we observe on their networks over the past week. The reports have specific IP Addresses, Issue Types, Reporting Source, and UTC Timestamp. Our hope is these reports will inform network operators of the scope of the issues on their networks, and help them identify and clean up specific abuse problems.

We will of course respect the wishes of operators who don't want to receive follow-up reports. If this is you, just reply to the report and we won't send you future reports.

Let's Hear Your Feedback!

This stuff is important! It affects network stability, individual privacy, business continuity, and everyone's pocketbook. We need to be informed about the overall view of abuse, the trends, and where it's lurking. So we want to get it right. The point isn't to shame anyone - every network has an abuse problem - it's simply to inform the community on the lay of the land.

Many, many people have asked us to publish this data in a digestible form to the community to raise awareness. So if you have any suggestions or feedback for us let us know!

rick or adam 'at' support-intelligence.com

Cheers,
Rick and Adam

DOA Report for Week of 11-21-2007 - Top 100 Networks

ASN	New Issues	AS Name
4134	363688	CHINANET-BACKBONE
4837	172003	CHINA169-Backbone
9121	149716	TTNet
5617	101372	TPNET
4766	98485	KIXS-AS-KR
3352	94837	TELEFONICA-DATA-ESPANA Internet Access
3320	89415	Deutsche Telekom AG
3215	84594	AS3215
9829	81474	BSNL-NIB
19262	80989	Verizon Internet Services
3269	67398	ASN-IBSNAZ
4788	65140	TMNET-AS-AP
8151	59492	Uninet S.A. de C.V.
3462	55358	HINET
9498	48106	BBIL-AP
22927	37388	Telefonica de Argentina
3209	34786	UNSPECIFIED
8359	32696	MTUONLINE
4814	31552	CHINA169-BBN
12322	31364	PROXAD AS for Proxad ISP
9318	29769	HANARO-AS
4812	29068	CHINANET-SH-AP
8551	28112	ISDN-NET-AS
6147	24673	Telefonica del Peru S.A.A.
6713	23637	IAM-AS
9105	21123	TISCALI-UK
4755	21067	VSNL-AS
1267	19952	ASN-INFOSTRADA Infostrada S.p.A.
13184	19924	HANSENET HanseNet Telekommunikation GmbH
2856	19472	BT-UK-AS
7418	18973	Terra Networks Chile S.A.
7470	18958	ASIAINFO-AS-AP
15557	18033	LDCOMNET
12479	17065	UNI2-AS Uni2 Autonomous System
4713	16881	OCN NTT Communications Corporation
12876	16834	AS12876
9116	16735	Goldenlines main autonomous system
3243	16519	RIPE NCC ASN block
5486	16102	Euronet Digital Communications
5713	15296	Telkom SA Ltd.
9583	13911	SIFY-AS-IN
6739	13856	ONO-AS
1680	13730	NETVISION
9299	13709	IPG-AS-AP
8708	13436	RDSNET
8228	13124	CEGETEL-AS CEGETEL ENTREPRISES
8584	12926	Barak AS
16338	11415	AUNA_Telecom-AS
9304	11369	HUTCHISON-AS-AP
4230	11148	Embratel
12715	11066	JAZZNET
1257	10944	TELE2 AB
5430	10919	FREENETDE
209	10853	Qwest
17974	10781	TELKOMNET-AS2-AP
5462	10469	CABLEINET Telewest Broadband
20115	10301	Charter Communications
8452	9883	TEDATA TEDATA
8167	9816	TELESC - Telecomunicacoes de Santa Catarina SA
24863	9602	LINKDOTNET-AS LINKdotNET AS number
5384	9277	EMIRATES-INTERNET
9506	9063	MAGIX-SG-AP
7132	8863	SBC Internet Services
22047	8407	VTR BANDA ANCHA S.A.
8764	8334	TELECOMLT-AS
6478	8156	AT&T WorldNet Services
6400	8141	Codetel
5483	8126	HTC-AS Hungarian Telecom
5089	8105	NTL NTL Group Limited
3257	7803	TISCALI-BACKBONE
7693	7696	COMNET-TH
12542	7594	TVCABO Autonomous System
6849	7444	UKRTELNET
15311	7095	Telefonica Empresas
1221	6908	ASN-TELSTRA
6057	6886	Administracion Nacional de Telecomunicaciones
6799	6715	OTENET-GR OTEnet S.A. Multiprotocol Backbone
7029	6510	Alltel Information Services, Inc.
6830	6482	UPC
13285	6291	OPALTELECOM-AS
8881	6178	VERSATEL
8402	6086	CORBINA-AS
2860	6038	NOVIS Novis Telecom, S.A.
6855	5853	SK SLOVAK TELECOM, AS6855
20838	5851	YIF-AS
11427	5718	Road Runner
7018	5587	AT&T WorldNet Services
10091	5542	SCV-AS-AP
19548	5507	Adelphia
12880	5472	DCI-AS
10318	5206	CABLEVISION S.A.
15475	5140	NOL
5668	5103	CenturyTel Internet Holdings, Inc.
4775	5080	GLOBE-TELECOM-AS
5466	5067	EIRCOM Eircom
4780	4962	SEEDNET Digital United Inc.
11426	4949	Road Runner
6327	4871	Shaw Communications Inc.
8866	4803	BTC-AS
28573	4753	NET Servicos de Comunicao S.A.

What's New at Support Intelligence?

2006-11-02T16:48:00.000-08:00

We've been busy as bees here at SI the last month despite the endless sunshine here in SF tempting us to go ride mountan bikes instead. So what's new you ask?

New REACT Features

First of all, we've released a new rev of the REACT anti-abuse tool with new knobs and dials. The new version includes a column for data source letting users see exactly where individual abuse reports are coming from. You'll now be able to see your favorite black lists called out in addition to the type of abuse listed. A lot of our users asked for this so here it is. You'll also see data labeled SI which comes from our own spam traps and honey pots. Very cool.

For the large networks, we've also instituted pagination for networks with longer abuse reports. And as always the Download CSV button will give you a full view of your abuse report.

If you haven't checked out the demo - log on in -

email: demo
passwd: demo

We think it's pretty cool.

Upcoming REACT Features

So what's coming next? As always we follow our users feedback - Real time alerts, a trouble ticketing system interface so you can automatically open tickets, reverse DNS lookups, volume data on spam senders, more data sources and a handful of other goodies to help you track down and stomp out abuse.

We'll have at least two more releases before the end of the year, so hang onto your hats.

Digest of Abuse

In addition to working on REACT, we're also launching a new list tracking the overall state of internet abuse called the DOA List. Maybe it really stands for Dead on Arrival, maybe not - we're not saying. Either way, the weekly list will contain abuse reports on the top networks broken out by ASN and geography. Should be fun and a bit surprising. Check it out on the Digest of Abuse Page.

Rick Wesson at APWG

Rick will be speaking on a pannel at the upcoming Anti-Phishing Working Group meeting in Orlando Florida on the 15th of November. Sharing the pannel with him will be Randy Vaughn of Baylor University and David Dagon of Georgia Tech. The subject? Botnet infection rates.

Adam and Rick at ISPCon

Both of us will be down in Santa Clara next week at ISPCon meeting folks and talking about what's going on on their networks. It'll be a good time and informative as always.

As always, feel free to contact us with ideas, feature requests, and questions....

-Adam

Have You Been Hacked?

2006-09-07T16:09:00.000-07:00

One of the scarriest things about getting hacked is you won't even know it.

Sooner or later your virus scanner will fail, you'll click on the wrong web page, or someone will plug an infected laptop into your network and Kapow! You'll be the latest victim. But odds are you won't notice it until it's too late.

Botnets are Designed for Stealth
Modern botnets are sneaky creatures. They disable virus scanners, swap out diagnostic tools, and use just enough system resources to fly under the radar. Some polymorphic varieties even reload themselves every six hours in a morphed form so signature scanners can't detect them.

Virus Scanners Fail
Even if you're armed with the latest defenses that may not be enough to detect bots running on your systems. Recent reports by Australian CERT show that many popular virus scanners miss up to 80% of viruses. Youch!

Old fashioned signature detection is failing against these rapidly morphing, low profile viruses. Taking the same-old precautions you used to take yesterday isn't enough to deal with these new security threats.

And Now for the Bad News
But it gets worse. Not only are these bots sending spam like they have for years, they're also stealing more identities than before. Keylogging and packet sniffing are on the rise as organized crime moves into the cyber world.

Modern botnets for example capture all forms before they're encrypted by HTTPS - so any online transaction gets captured, including logins, passwords, social security numbers, addresses, and of course, credit card numbers.

Once a bot starts running on your systems, it's a race to see how much identity information it can steal before being detected and shut down. Speed is of the essence.

Behavioral Detection
So if signature detection isn't enough what are we supposed to do? Fortunately there's a new school of bot detection. Behavioral detection looks for signs of bot activity as opposed to the profile of the infected code.

For a bot to be effective it has to do something - and these somethings are detectable. Propagation, "phoning-home" to command and control servers, spamming, offering proxy services, and other behaviors all leave tell tale signs of an infection.

IP Monitoring
So unless you're looking for signs of botnet activity on your network you're pretty much sleepwalking into rush hour traffic. The good news is with behavioral based IP monitoring you can be alerted instantly to signs of bot activity on your network.

No defense if perfect, so you'd better know when they fail. And as soon as possible, because the identity theft clock starts ticking as soon as you're hacked. Behavioral monitoring offers us the best next wave of detection and response to these kind of threats.