Users of email security and archiving service Postini were frustrated last week when the service began experiencing significant delivery problems.

Users were particularly angered by Postini’s lack of communication about the problem. Postini was acquired by Google in 2007. Similar to our CudaMail Anti-Spam Service, the service scans emails for malware. The problem seems to have been caused by a combination of a bad email filter update and “a power-related hardware failure.”

• http://www.informationweek.com/news/showArticle.jhtml?articleID=220600859
• http://news.cnet.com/8301-30684_3-10374344-265.html
• http://www.theregister.co.uk/2009/10/15/google_postini_snafu/
• http://www.computerworld.com/s/article/9139316/Postini_trouble_stymies_U.S._e_mail_users?taxonomyId=1

[Editor's Note (Pescatore): We used to call the telecommunications infrastructure "the cloud," and we had very high expectations of reliability. We even had required service levels for things like dial tone. Internet-based web services are today's cloud - boy, are they far from achieving dial-tone like reliability.]

- Shaun

It seems to have been going on for several weeks, but in the recent few days it’s apparently been getting much worse. Our CudaMail service has seen an increase in that type of spam recently as well. We’ve put some filters in place fortunately, but there has definitely been an increase.

A lot of it was the “SEO Google first page rankings” type.

US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Maintaining up-to-date anti-virus is vital. Some appliances, like the Barracuda Spam & Virus Firewalls that are used by CudaMail.com to filter mail are updated on a constant basis.

US-CERT will provide additional details as they become available.

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.”

Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video.

If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to
date.
* Do not follow unsolicited links and do not open unsolicited email
messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Obtain software applications and updates directly from the
vendor’s website.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.

Relevant Url(s):

====
This entry is available at
http://www.us-cert.gov/current/index.html#waledac_trojan_horse_spam_campaign

‘Follow the money’ With the recent stock market volatility creating interest and opportunity for a savvy investor the lure of all that money is attracting the attention of malware writers.

Michael Kassner the Manager of IT for Getinge LaCalhene and a well certified IT Professional recently ran into a piece of malware with a twist. Called Tigger/Syzor it appeared on the PC of a friend of Michael’s who is a day trader and deals with companies like E-Trade, ING Direct, Vanguard, Options Xpress, TD Ameritrade and Scottrade.

Guess what? Tigger/Syzor likes the same friends as it is a safe mode rootkit password stealing Trojan that targets day traders. Michael was able to use tools like Malware Bytes Anti-Malware (MBAM) to find and remove some files that were identified as malware but ultimately he went with a full clean re-install of the operating system and all applications just to be sure.

The day trader does keep his computer up to date with patches and program updates so what else could he have done? How about running in a virtual environment? With tools like VMWare Server being offered for free and giving you the ability to run an isolated second complete copy of the operating system and programs he could have run the tools that are critical to his job in one and done his research (web browsing) in a second. This isolates the whole system so that if one aspect of his system get’s infested he can just roll back to a previous version or snapshot without the infection and continue running with only a few minutes downtime and not a whole panic filled weekend.

He would even be able to turn off the day trading virtual system after the markets close and let his kids (I don’t know if he has any – just speculating) use a separate dedicated kids only virtual machine that was locked down and set to clear all changes when it was rebooted. This may require that a few additional licenses of Windows be purchased and a little discipline to not get lazy and browse from his critical virtual machine but as they say an ounce of prevention is worth a pound of cure. The day trading tools that he uses also have to be able to run in a virtualized environment and be supported by the vendor when running in such a way.

A second thing this day trader should do is run his home network like a corporate network with similar hardware (http://www.firewallshop.com) and protective measures in place. I’d hazard a guess that he is running a consumer level firewall (with unprotected wireless on too I’d bet) that acts as a one way valve using Network Address Translation (NAT) and very little else.

He makes his living by day trading so treat this network like the office it is and install a corporate level firewall like a FortiGate that does layer 7 anti-virus scanning at the edge. With the recent introduction of the FortiGate 30B Bundle the price of a very capable corporate level firewall has dropped to the $500.00 range with one year of updates and basic support. When your living depends on your trading thousands of dollars daily doesn’t it make sense to protect your investment and passwords with an enterprise level firewall?

Tigger.A: Sophisticated trojan that likes stockbrokers
http://blogs.techrepublic.com.com/security/wp-trackback.php?p=960

Michael Kassner
http://techrepublic.com.com/5213-6257-0.html?id=4730583

FortiGate 30B
http://www.firewallshop.com/detail.aspx?ID=257

What does this have to do with spam? Spam is one way that they try to infect your PC so be on the lookout for simple, hard to block e-mail’s with a catchy subject line and a simple link to a website.

The CudaMail System has been seeing and blocking a rise in emails with simple links to malware sites, and even the occasional iframe. They’re definitely trying various ways to sneak malicious links into your inbox.

It bears repeating that if you don’t know where the e-mail came from or if you weren’t expecting it and can’t confirm that the supposed sender really sent it to you be very careful opening the website or better yet don’t open it at all.

MS09-002 exploit in the wild (via Sans)
http://isc.sans.org/diary.html?storyid=5884

- Shaun

US-CERT Current Activity

IRS Stimulus Package Phishing Scam

Original release date: February 6, 2009 at 10:03 am Last revised: February 6, 2009 at 10:03 am

US-CERT is aware of public reports indicating that phishing scams are circulating via fraudulent U.S. Internal Revenue Service emails offering users stimulus package payments. These emails include text that attempts to convince users to follow a link to a website or to complete an attached document. The website and document request that the user provide personal information.

US-CERT encourages users to do the following to help mitigate the risks:

* Do not follow unsolicited web links received in email messages.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
(pdf) document for more information on social engineering attacks.

Relevant Url(s):

====

This entry is available at: http://www.us-cert.gov/current/index.html#irs_stimulus_package_phishing_scam

The first report is from Message Labs and it reports that with spam volume up another 5% so far in January 2009 the top 10 Botnets, while consisting of between 10 thousand to 1 Million bots (estimated), were capable of sending out between 131 Million to almost 40 BILLION Spam messages PER DAY per Botnet. Total Volume from just the top 10 Botnets totalled almost 65 Billion messages per day! Are you getting your fair share?

It is interesting to see that the largest Botnet Cutwail/Pandex placed second behind Mega-D/Ozdok in spam volume per day category (7 Billion to 38 Billion) even though it had more compromised PC’s (1 Million bots to 660,000). This is double interesting as the latest estimates for the recent Conflicker/Downadup botnet size is at 10 million PC’s and they are not sending any spam yet.  With 10 million bots and assuming an aggressive and efficient spam engine Conflicker/Downadup could be capable of sending over half a Trillion (575 Million) messages per day by itself. Are you ready to see your spam volume jump to 10 times its current volume or even higher?

According to Barracuda Central Pharmacy spam still leads with almost 50% of the total volume while Gambling, Illegal Advertizing, ‘Amazing Deals on Software’ and ‘Genuine Replica’s’ round out the top 5 spots and over 90% of the total volume of spam.

If you don’t know how effective your anti-spam measures are or how close they are to running at capacity (out of sight = out of mind) then now is the time to take a serious look at these solutions in your organization and how they are going to handle the new surge of spam that is waiting on the horizon.

It might just be time to invest in a new firewall solution and anti-spam solution.

Don’t say we didn’t warn you!

Other Graphs and reports.

MessageLabs Intelligence: January 2009
http://www.messagelabs.com/mlireport/MLIReport_2009.01_Jan_Final.pdf

Conficker botnet at 10m infections
http://www.theregister.co.uk/2009/01/26/conficker_botnet/

DCC e-mail and spam volume graph last 12 months.
http://www.dcc-servers.net/dcc/graphs/

SpamCop – last 12 months spam volume.
http://www.spamcop.net/spamgraph.shtml?spamyear

Barracuda Central – Spam data last 24 hours
http://www.barracudacentral.org/data/spam

Shaun Sturby

That sad truth has bled Shane Symington out of almost $200,000 USD (£130,000) – all of his life savings – in a Nigerian 419 scam where they came after him not once but twice – the second time posing as a victim of the original scam to get him to shell out money to hire ‘ex-FBI agents’ in an attempt to ‘recover’ some of the original £100,000 taken by ‘Angela Gates’.

I guess you can be a dog and impersonate an FBI agent on the Internet.

More information on the Daily Mail website along with pictures of ‘Angela Gates’
http://www.dailymail.co.uk/news/article-1116067/Postman-loses-130-000-savings-Nigerian-internet-scam-duped-friend-met-MySpace.html

The warning to take from this is that no matter where you meet someone – in person or online – any deal that sounds too good to be true probably is.

- Shaun

This is in contrast to the 2.2 Million dollar USD fine assessed against Atkinson by the FTC in 2005.

The Spamhaus article points out that Australia has very strict anti-spam laws
(http://scaleplus.law.gov.au/html/ems/0/2003/0/2003092501.htm) and the maximum fines for a ‘body corporate with a prior record’ could be as high as 1.1 million (AUS) or $220,000 (AUS) for ‘a individual with prior record’, just for sending the spam messages.

If you add in the maximum fines for not including accurate sender information ($550,000 corporate / $110,000 personal) for not having a functional unsubscribe facility ($550,000 corporate / $110,000 personal) and supplying, acquiring and using address-harvesting software or harvested-address lists ($550,000 corporate / $110,000 personal) these fines could have been much higher for Lance.

Sydney Morning Herald.
http://www.smh.com.au/news/technology/security/kiwis-nail-big-time-spammer/2008/12/22/1229794316883.html

Herbal King
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7802

While this is great that Lance has been fined if we take a step back and look at the bigger picture we have to ask. If fines worked why didn’t Lance and the whole Herbal King group stop spamming in 2005?

While the laws applied in this particular case are very strict they have not stopped the flow of spam. It looks like one solution may be to add confinement in addition to the monetary fines for repeat spammers with additional time for repeat offences similar to how other criminals are treated.

While the botnets are very automated and will continue for a while after the masters are incarcerated eventually with no new commands the botnets will go dark.

But what do I know? Your thoughts on this issue?

- Shaun