Tag Archives: Malware

6 Botnets Responsible for 85 Percent of all Spam

5 Mar

From Ars technica:

Security firm Marshal estimates that six botnets account for 85 percent of the total spam sent world-wide. Srizbi is currently in the lead, with 39 percent of the “market,” followed by Rustock at 20 percent, Mega-D at 11 percent, Hacktool.Spammer at seven percent, Pushdo (6 percent), and Storm (two percent).

These numbers track the amount of spam each botnet is producing rather than the total number of systems infected by each botnet.


More Legitimate Sites Serve Up Malware

23 Jan

From Ars Technica:

“According to security firm WebSense, the number of legitimate web sites that have been hacked and are distributing or enabling various types of malware attacks is greater than the number of malicious sites created specifically for that purpose. The company’s latest report (PDF) discusses this trend, along with the tremendous impact the Storm Worm had on the ‘Net through all of 2007. As WebSense states, there’s a clear advantage to infecting a legitimate site that comes with its own built-in traffic and a user base.

The type of theft varies depending on the site. Personal data and credit card information are the most obvious acquisition targets, but online gaming account theft and click-fraud are apparently common as well. It’s well known that there are forums, discussion groups, and IRC channels devoted to the topics of which web sites are known to be vulnerable. The problem also runs deeper than simply educating administrators about security vulnerabilities in the software that they use—locating the correct host provider for any particular web space can be difficult, and many sites don’t fall off WebSense’s malicious site blacklist quickly, sometimes remaining there for weeks or even months after being notified of a problem.”

http://arstechnica.com/news.ars/post/20080122-compromised-websites-serve-more-malware-than-malicious-ones.html

Adobe & Omniture Spying On CS3 Users

31 Dec

First Adobe went the paid ad route with Yahoo; now they are snooping on users. Sounds like Adobe is getting a bit too frisky, and Omniture is getting, well, if not untrustworthy, then suspicious.

From Ars Technica:

It all began with a post at UNEASYsilence titled “Lies, Lies and Adobe Spies” which caught on to the fact that Adobe CS3 apps were calling out to a suspiciously-crafted IP address. As it turns out, the IP in question—192.168.112.2O7.net (note the capital O instead of a zero)—is not an IP at all, but rather a domain owned by statistics-tracking firm Omniture.

Criticism and conspiracy theories quickly erupted across the web, calling for an answer from Adobe over what looked like a clear invasion of privacy crafted to look like a typical local IP address. The holidays aren’t always the best time to ask a corporation as large as Adobe for an answer on issues like this, but Photoshop Product Manager John Nack came to at least a preliminary rescue. Across a couple of posts at his official Adobe blog, Nack took it upon himself to dig into the matter.

According to Nack’s investigation, Adobe’s CS3 apps call out to Omniture’s services to track a few usage statistics across Adobe products. Specifically, only three things are tracked: the news items presented in some apps’ welcome screens, Adobe-hosted content loaded in Bridge’s implementations of Opera and Flash Player (Bridge is the asset management component of Creative Suite), and Adobe online help systems like forums and the Exchange service, but only upon a user’s request.

As for the suspicious nature of Omniture’s faux-IP URL, Nack is less sure. He also agrees with users’ concerns over the matter and says he’s doing his best to find out more. It is likely, however, that Omniture is not returning Nack’s calls just as it isn’t returning Ars Technica’s, again probably due to holiday vacations. Other theories postulate that the URL crafting is both a technical and social engineering attempt to fool curious users and firewalls that might use some kind of wild card to allow 192.168.* requests. An underhanded tactic to be sure, but one that would allow Omniture to continue collecting usage statistics from many of Adobe’s users.

Adding fuel to the fire, Omniture’s own explanation of the “2o7.net” domain (note the lowercase “o” in Omniture’s usage) explains absolutely nothing about the disguising of the domain its clients’ products call. Even worse, Omniture’s opt-out method only covers individual web browsers, not applications. Neither Adobe nor Omniture offer an opt-out method that covers Creative Suite 3 applications, forcing power users concerned over this issue to add the specific Omniture URL to a firewall or other monitoring utility such as ObDev’s Little Snitch. Needless to say, this isn’t exactly as user-friendly as a splash screen check box, or even an application preference.

There’s a lesson to be learned from this latest marketing and privacy snafu, and Adobe and Omniture had better be taking notes. Omniture is clearly at fault—and still owes consumers an explanation—for trying to sneak this URL into clients’ products, and Adobe can’t be short on alternatives for product statistics tracking. One of the oddest things about the whole situation is that the outcry has focused on the crafty URL and not the stats tracking, suggesting that many CS3 users are used to companies watching (anonymously) over their backs. But no one likes wool, even digital wool, being pulled over their eyes or their routers.

http://arstechnica.com/news.ars/post/20071231-adobe-omniture-in-hot-water-for-snooping-on-cs3-users.html
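A defender-side check for the faux-IP hostname trick described above, as an added example that is not part of the original post or the Ars article. It contrasts the string-prefix wildcard the article speculates such a name is meant to slip past with a parser-based check, and flags hostnames whose leading labels are written to resemble a dotted-quad address. The SAMPLE_HOSTS list is constructed, and updates.example.com is a placeholder hostname.

```python
import ipaddress

# Constructed sample of hostnames as they might appear in an outbound-connection log.
SAMPLE_HOSTS = [
    "192.168.1.10",            # genuine private IPv4 literal
    "192.168.112.2O7.net",     # the faux-IP name from the story (capital O, .net suffix)
    "192.168.112.207.net",     # same trick with digits only; still a DNS name, not an IP
    "10.0.0.5",                # genuine private IPv4 literal
    "updates.example.com",     # placeholder hostname, not from the page
]


def naive_is_local(host: str) -> bool:
    """Textual wildcard of the kind the article speculates about: anything that
    starts with a private-range prefix is treated as local. Fooled by a DNS name."""
    return host.startswith("192.168.") or host.startswith("10.")


def strict_is_local(host: str) -> bool:
    """Hardened check: only a string that parses as an IP address can be a private address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname, however it is spelled, is never a local IP


def is_ip_lookalike_hostname(host: str) -> bool:
    """Heuristic: host is NOT an IP literal, yet its first three labels read as octets
    once common letter/digit lookalikes (o->0, l->1) are normalised."""
    try:
        ipaddress.ip_address(host)
        return False  # a real IP literal is not a lookalike
    except ValueError:
        pass
    labels = host.lower().split(".")
    if len(labels) < 4:
        return False
    leading = [lab.translate(str.maketrans("ol", "01")) for lab in labels[:3]]
    return all(lab.isdigit() and int(lab) <= 255 for lab in leading)


def audit(hosts):
    """Classify each host under all three checks; returns {host: {check_name: bool}}."""
    return {h: {"naive": naive_is_local(h), "strict": strict_is_local(h),
                "lookalike": is_ip_lookalike_hostname(h)} for h in hosts}


if __name__ == "__main__":
    for host, flags in audit(SAMPLE_HOSTS).items():
        if flags["naive"] != flags["strict"] or flags["lookalike"]:
            print(f"REVIEW {host}: {flags}")
```

Rows where the naive and strict checks disagree are exactly the names a prefix-based allow rule would wrongly treat as local traffic.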

DNS Hijacking Getting More Virulent

13 Dec

PC World is reporting that a new form of system-level DNS hijacking makes it apparently possible to reliably initiate such attacks using web-based malware, rather than relying on end-user actions to trigger the attack.

Google and the Georgia Institute of Technology teamed up to discover a series of open-recursive DNS servers that they described as behaving “suspiciously.” Open-recursive DNS servers are DNS servers that will answer any lookup request, no matter where it originates. When DNS servers return accurate information, as they usually do, there are no issues. However, when open DNS servers fail to return valid information, a number of problems can result.

http://www.pcworld.com/article/id,140465-pg,1/article.html

Malware Redirects: more info

3 Dec

For an example of the malware/iframe redirect issue, check out the excellent info below:

http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

Google Asks for Help in Fighting Malware

3 Dec

From Ars Technica:

“Earlier this week, Sunbelt Software issued a report describing how malware creators use sophisticated page redirect techniques and forum-posting bots to increase the ranking of web pages that propagate their viruses. In response to growing concerns about search engine poisoning and the presence of malicious web sites in the Google index, the search company is calling for users to help out by reporting web sites that attempt to distribute malware.”

“Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking,” wrote Sunbelt malware research team member Adam Thomas in a follow-up to the initial report. “For months now, our Research Team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums). This network, combined with thousands of pages [with redirects], have given the attackers very good (if not top) search engine position for various search terms.”

http://arstechnica.com/news.ars/post/20071202-google-crowdsources-malicious-web-site-detection.html

More:

Google Blog

http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html

Double Click Serving Up Malware Via Flash

19 Nov

From Wired:

“The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball’s MLB.com to the Canada.com news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick’s DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory.”

http://www.wired.com/techbiz/media/news/2007/11/doubleclick
