<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">

<channel>
	<title>Planet Antispam</title>
	<link>http://planet.spam.abuse.net/</link>
	<language>en</language>
	<description>Planet Antispam - http://planet.spam.abuse.net/</description>

<item>
	<title>John Graham-Cumming: A fascinating little beastie</title>
	<guid>tag:blogger.com,1999:blog-19303585.post-1014381764096527035</guid>
	<link>http://www.jgc.org/blog/2010/03/fascinating-little-beastie.html</link>
	<description>Back in 2004 I was living in New York and commuting between New York and Washington, DC on the Acela.  I was working in a fairly rural part of Virginia and was lucky enough to accidentally experience a once in 17 years event: the emergence of Magicicada Brood X. (Picture from Wikipedia) Now I realize that most people probably don't think that being in a place where millions of large winged insects</description>
	<pubDate>Thu, 18 Mar 2010 21:41:14 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: BBC News: Spammers survive botnet shutdowns</title>
	<guid>http://boxofmeat.net/post/457259199</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/079_3pUrRHk/457259199</link>
	<description>&lt;a href=&quot;http://news.bbc.co.uk/2/hi/technology/8570993.stm&quot;&gt;BBC News: Spammers survive botnet shutdowns&lt;/a&gt;: &lt;p&gt;“Early 2010 has seen four such networks, or botnets, tackled via  arrests, net access cutoffs and by infiltrating command systems.&lt;/p&gt;
&lt;p&gt;The  successes have not inconvenienced hi-tech criminals who found other  routes to send spam, say experts.&lt;/p&gt;
&lt;p&gt;And, they add, despite falling  response rates, spam remains too lucrative for criminals to abandon.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Thu, 18 Mar 2010 20:48:53 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: AP: SF Attorney Awarded $7K In Spam Suit</title>
	<guid>http://boxofmeat.net/post/457161209</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/ciNa31CR9Us/457161209</link>
	<description>&lt;a href=&quot;http://www.ksbw.com/news/22877044/detail.html&quot;&gt;AP: SF Attorney Awarded $7K In Spam Suit&lt;/a&gt;: &lt;p&gt;“A San Mateo County Superior Court judge ruled last week the seven  e-mails Daniel Balsam received from Redwood City-based Trancos Inc. in  2007 were misleading and violated California’s 2004 anti-spam law.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Thu, 18 Mar 2010 19:48:53 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Sydney Morning Herald: Virgin Mobile punished for sending spam</title>
	<guid>http://boxofmeat.net/post/456776083</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/kXP-vOpPFNs/456776083</link>
	<description>&lt;a href=&quot;http://news.smh.com.au/breaking-news-business/virgin-mobile-punished-for-sending-spam-20100318-qh51.html&quot;&gt;Sydney Morning Herald: Virgin Mobile punished for sending spam&lt;/a&gt;: &lt;p&gt;“An organisation must respect a person’s desire not to receive  commercial electronic messages, even if it is just to ask if they have  changed their mind.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Thu, 18 Mar 2010 15:21:50 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: What we know (and learned) from the Waledac takedown</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/18/what-we-know-and-learned-from-the-waledac-takedown.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/18/what-we-know-and-learned-from-the-waledac-takedown.aspx</link>
	<description>&lt;p&gt;I was originally going to post excerpts from this and add my comments, but I have decided to post the whole thing.&amp;#160; Jeff Williams is part of Microsoft’s Malware Protection Center, and &lt;a href=&quot;http://blogs.technet.com/mmpc/archive/2010/03/15/what-we-know-and-learned-from-the-waledac-takedown.aspx&quot;&gt;posted&lt;/a&gt; this on the MMPC blog.&amp;#160; I am reprinting it in its entirety.&lt;/p&gt;  &lt;hr /&gt;  &lt;p&gt;Recently, following an investigation to which various members of the MMPC contributed, Microsoft’s Digital Crimes Unit initiated a takedown of the Waledac botnet in an action known as &lt;a href=&quot;http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/02/24/cracking-down-on-botnets.aspx&quot;&gt;Operation b49&lt;/a&gt;, an ongoing operation to disrupt the botnet for the long term. The takedown also marked a new phase of exploration in combating botnets, which we call Project MARS (short for Microsoft Active Response for Security). While it is still too early to know the entire scope of this particular takedown's impact, early returns show that Operation b49 has been delivering on the disruption of Waledac and helping to map new territory in the fight against botnets. I wanted to update you on what we know and what we are still learning regarding the impact of that fight. &lt;/p&gt;  &lt;p&gt;To effectively counter a botnet like Waledac, we knew a multi-layered approach was needed – one that included peer-to-peer communication disruption through technical countermeasures, domain-level takedowns to disrupt the ‘phone home’ communications between zombie PCs and the command and control servers for Waledac, and traditional server takedowns to sever the back-end command and control mechanisms most directly under the control of the bot master(s). 
&lt;/p&gt;  &lt;p&gt;With the caveats that there are rarely, if ever, any absolutes regarding botnets and that we are still analyzing and investigating the impact of this action, early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network. For example, researchers from the Shadowserver Foundation, the Technical University in Vienna, University of Mannheim, University of Bonn and University of Washington have analyzed honeypot data on Waledac and have observed an effective cessation of commands to Waledac 'zombies.' That’s good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection. &lt;/p&gt;  &lt;p&gt;We’ve also been tracking Operation b49’s impact on the symptoms of Waledac infection – symptoms that include malware downloads, identity theft and spam attacks from infected computers to other victims. Researchers at Sudosecure who track new Waledac infections have &lt;a href=&quot;http://www.sudosecure.net/waledac/index.php&quot;&gt;data&lt;/a&gt; showing a dramatic decline in new IP addresses appearing within the Waledac network, meaning that Waledac is no longer spreading its infection to other computers. While there will likely always be some fluctuations as long as the underlying malware exists and we must and will continue to work with the security community to stay on top of Waledac over time, the 'zero new infections' number reported by Sudosecure as of February 27 is a great indicator of the success of these efforts so far. &lt;/p&gt;  &lt;p&gt;As for spam, the trends we’ve been seeing since the takedown provide valuable insight into the nature of infections on zombie computers. 
Waledac itself is just one of many sources of spam on the Internet and we never intended Operation b49 to appreciably shrink worldwide spam volumes. The goal, rather, was to disrupt the bot and to learn from that disruption for future actions. &lt;/p&gt;  &lt;p&gt;As we knew going in, the computers within the Waledac botnet are still infected with the original malware that gave herders control of them in the first place. What we’ve learned since the takedown from our initial data is that many of them are likely infected by other malware that may still be directing them to conduct attacks outside of Waledac’s control structure. We base this hypothesis on the evidence that honeypot computers infected only with Waledac are not sending spam nor getting commands to execute any other attacks. However, Hotmail data and our examination of the behavior of all the known IP addresses for the previously infected Waledac computers show that about half of the computers once under the control of Waledac are still trying to send spam – and are in fact doing so at higher levels today than they were in our December analysis. Since spam campaigns have spikes and lulls, it’s difficult to make direct comparisons of spamming behavior over time, but this data also seems to align with what we’re hearing from others in the industry. &lt;/p&gt;  &lt;p&gt;We’ve also learned from this experience that our legal action has been successful in helping to sever the command and control communications for Waledac at the domain level thus far. In fact, since the original takedown occurred, we have worked with two affected domain owners (Stephen Paluck and eNom) to successfully address the problems with their respective domains and we have amended our legal filings to reflect that we are pursuing no further injunctive relief from the court on those domains. 
(See &lt;a href=&quot;http://www.noticeofpleadings.com/&quot;&gt;www.noticeofpleadings.com&lt;/a&gt; for all legal documentation and presented evidence in this case as it proceeds.) Other registered domain owners named in the legal filings have not yet exercised their due process rights by responding to the court, but the case is still ongoing. Our goal with this lawsuit is to help promote a safer, more secure Internet, and we will continue to work toward that aim as we move forward in the case. &lt;/p&gt;  &lt;p&gt;These and other findings demonstrate what, for us, is perhaps the most critical outcome of this case: proof of concept. As we forge ahead with Project MARS, we’ll be looking to the lessons of Operation b49 as successful signposts along the road in this uncharted territory. While no one action will wipe out every threat, any strong action to disable a botnet is significant progress and each action will inform the next. For example, we’ve also recently seen Spanish authorities take down another notorious botnet – &lt;a href=&quot;http://www.nytimes.com/aponline/2010/03/02/business/AP-US-TEC-Botnet-Busted.html&quot;&gt;Mariposa&lt;/a&gt; – with great success and we commend them for their valuable work. These actions demonstrate how critical the incredible cooperation of stakeholders and experts all around the world is to success. Look for more efforts like these as we work together to take a stand against botnets and make the internet safer and more secure for everyone. &lt;/p&gt;  &lt;p&gt;Anyone concerned that their computer may be infected by malware should follow the &amp;quot;protect your PC&amp;quot; guidance available at &lt;a href=&quot;http://www.microsoft.com/protect&quot;&gt;http://www.microsoft.com/protect&lt;/a&gt;. 
Windows customers can also visit &lt;a href=&quot;http://www.microsoft.com/security/malwareremove/default.aspx&quot;&gt;http://www.microsoft.com/security/malwareremove/default.aspx&lt;/a&gt; to find Microsoft's Malicious Software Removal Tool, which removes Waledac and other malware. &lt;/p&gt;  &lt;p&gt;So, stay tuned. The fight goes on. &lt;/p&gt;  &lt;p&gt;--Jeff Williams&lt;/p&gt;</description>
	<pubDate>Thu, 18 Mar 2010 14:27:00 +0000</pubDate>
</item>
<item>
	<title>CAUCE North America: 'Tis the Season for Apartment Rental Scam Spams - Consumer Alert</title>
	<guid>tag:typepad.com,2003:post-6a012875e4169d970c01310fb51e9d970c</guid>
	<link>http://feedproxy.google.com/~r/CAUCE/~3/pivZ_z1eZ7E/tis-the-season-for-apartment-rental-scam-spams-consumer-alert.html</link>
	<description>Summer tends to be moving time here in Montreal, as it is elsewhere. This year, I have decided to move, and thought it would be an opportune time to share a warning about some scams that are related to this seemingly harmless activity.&lt;br /&gt;&lt;br /&gt;First off is the &lt;strong&gt;'Too good to be true' Craigslist posting&lt;/strong&gt; (or Kijiji, or any other public listings site!). Last time I moved, I went searching on CL for a new place, as so many do. I found a nice listing, and emailed the purported landlord. I got an email back from someone claiming to be on missionary work in Africa, and if I would just send him or her some money, the place was mine; I could pick up the key when the cheque cleared.&lt;br /&gt;&lt;br /&gt;I researched a bit further, and found that what the scammers had done was re-post a previous listing on CL from a few weeks past, dropping the price enough to make the offer seem great, but yet remain credible. A call to the landlord and an email to Craigslist Abuse had the listing and a few others taken down.&lt;br /&gt;&lt;br /&gt;Scam two: &lt;strong&gt;Advance Fee Fraud&lt;/strong&gt; - I am now subletting my place, and today, a very nice lady ostensibly in Benin is offering to send me money to reserve my flat, sight unseen. No doubt, it will be a cheque, which I would deposit. Then, complications will arise, she will ask for her money back, less a fee for the hassle. The cheque would take some time to clear, but by then, the money would be safely in the hands of the scammers.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Bottom line&lt;/strong&gt;: Never rent an apartment or house from someone who isn't present to show you around, and pay with a cheque noting the address, and the date of the first month of rental. Here in Quebec, we have government issued lease forms available everywhere, always use them, and make sure the person renting has the authority to do so. 
Otherwise, come moving day, you may find yourself without a place to live.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Never&lt;/em&gt; pay out money from cheques you receive before your bank has had time to clear the payment, and are 100% willing to state the transaction is legitimate. Otherwise, you will find yourself on the hook for the money.&lt;/p&gt;&lt;p&gt;As always, the old saw 'if it seems too good to be true, it probably is' applies. Remain skeptical, especially in your online dealings.&lt;/p&gt;&lt;br /&gt;Neil Schwartzman&lt;br /&gt;Executive Director, CAUCE&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Thu, 18 Mar 2010 11:15:39 +0000</pubDate>
</item>
<item>
	<title>Justin Mason: spamass-milter != SpamAssassin</title>
	<guid>http://taint.org/?p=3714</guid>
	<link>http://taint.org/2010/03/18/115543a.html</link>
	<description>&lt;p&gt;Just heading this one off before it gets too much further&amp;#8230;&lt;/p&gt;

&lt;p&gt;A couple of weeks ago, a researcher found a bug in the &lt;a href=&quot;http://savannah.nongnu.org/projects/spamass-milt/&quot;&gt;spamass-milter&lt;/a&gt; project, an open-source
&lt;a href=&quot;http://en.wikipedia.org/wiki/Milter&quot;&gt;milter&lt;/a&gt; to integrate SpamAssassin
filtering into an MTA.  &lt;a href=&quot;http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html&quot;&gt;Here are the exploit details&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.h-online.com/security/news/item/Security-vulnerability-in-SpamAssassin-filter-module-957148.html&quot;&gt;This H-Online&lt;/a&gt; story covered it:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;Security vulnerability in SpamAssassin filter module&lt;/em&gt;&lt;/p&gt;
  
  &lt;p&gt;The SpamAssassin Milter plug-in which plugs in to Milter and calls SpamAssassin, contains a security vulnerability which can be exploited by attackers using a crafted email to inject and execute code on a mail server. The SpamAssassin Milter plug-in is frequently used to run SpamAssassin on Postfix servers.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;(I think &lt;a href=&quot;http://www.heise.de/newsticker/meldung/Sicherheitsluecke-in-SpamAssasin-Filtermodul-956991.html&quot;&gt;this is the source article on Heise.de&lt;/a&gt;.)&lt;/p&gt;

&lt;p&gt;That was more-or-less accurate &amp;#8212; but the problem is the &amp;#8220;Chinese whispers&amp;#8221; effect,
where a news story on another site builds on misreadings of another
news article. &lt;a href=&quot;http://www.esecurityplanet.com/headlines/article.php/3871326/article.htm&quot;&gt;eSecurityPlanet&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;Security Flaw Found in SpamAssassin Plug-in&lt;/em&gt;&lt;/p&gt;
  
  &lt;p&gt;The SpamAssassin Milter plug-in has been found to contain a security vulnerability. [...]&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;sigh.&lt;/p&gt;

&lt;p&gt;To clarify: spamass-milter is not a part of SpamAssassin.  It&amp;#8217;s a
third-party product which allows sendmail/postfix users to integrate
SpamAssassin into their message flows as a milter.&lt;/p&gt;</description>
	<pubDate>Thu, 18 Mar 2010 10:55:43 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Scam of the Day - Bredos targeting Facebook</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=9167</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=9167</link>
	<description>&lt;p&gt;Today we have seen a surge in emails pretending to be from the social networking site Facebook.&lt;/p&gt;
&lt;p&gt;The message suggests that Facebook has modified the user&amp;#8217;s password to enhance user safety and that the new password is in an attached document. The message looks like this:&lt;/p&gt;
&lt;pre&gt;Hey XXXXXXX ,&lt;/pre&gt;
&lt;pre&gt;Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.&lt;/pre&gt;
&lt;pre&gt;Thanks,
The Facebook Team.&lt;/pre&gt;
&lt;pre&gt;------------5GHH3B84G384ABF1
Content-Type: application/zip; name=&quot;Facebook_details_345.zip&quot;
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=&quot;Facebook_details_345.zip&quot;&lt;/pre&gt;
&lt;p&gt;The attachment is called &amp;#8220;Facebook_details_&amp;lt;some number&amp;gt;.zip&amp;#8221;. This attachment is malicious and should not be opened.&lt;/p&gt;
&lt;p&gt;Sophos detected this file as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojbredozpad.html&quot; target=&quot;_blank&quot;&gt;Troj/BredoZp-AD&lt;/a&gt; and the executable inside the zip file as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojbredobn.html&quot; target=&quot;_blank&quot;&gt;Troj/Bredo-BN&lt;/a&gt;.&lt;/p&gt;</description>
	<pubDate>Thu, 18 Mar 2010 05:07:07 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: MediaCommons: Cultivated Play: Farmville</title>
	<guid>http://boxofmeat.net/post/455092233</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/aR9QTKCSfwY/455092233</link>
	<description>&lt;a href=&quot;http://mediacommons.futureofthebook.org/content/cultivated-play-farmville&quot;&gt;MediaCommons: Cultivated Play: Farmville&lt;/a&gt;: &lt;p&gt;“The secret to &lt;em&gt;Farmville&lt;/em&gt;’s popularity is neither gameplay nor aesthetics.  &lt;em&gt;Farmville&lt;/em&gt; is popular because it entangles users in a web of social obligations. When users log into Facebook, they are reminded that their neighbors have sent them gifts, posted bonuses on their walls, and helped with each others’ farms. In turn, they are obligated to return the courtesies.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 17 Mar 2010 21:10:55 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: San Jose Mercury News: Ads for an audience of one</title>
	<guid>http://boxofmeat.net/post/454958941</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/X_Iyp0jgXac/454958941</link>
	<description>&lt;a href=&quot;http://www.mercurynews.com/search/ci_14641357?IADID=Search-www.mercurynews.com-www.mercurynews.com&quot;&gt;San Jose Mercury News: Ads for an audience of one&lt;/a&gt;: &lt;p&gt;Using technology from top Silicon Valley companies, advertisers are creating digital signs that can change messages depending on a viewer’s age and gender…&lt;span id=&quot;mn_Global&quot;&gt;&lt;span id=&quot;mn_Article&quot;&gt;the signs could revolutionize the retailing industry, but their intrusiveness has led to criticism from privacy advocates and nervousness from some in the marketing industry.&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt; …&lt;/span&gt;&lt;/span&gt;&lt;span id=&quot;mn_Global&quot;&gt;&lt;span id=&quot;mn_Article&quot;&gt;A survey of 1,000 adults last year by UC Berkeley and University of Pennsylvania researchers found that 66 percent opposed such pitches.” &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 17 Mar 2010 19:49:53 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Krebs on Security: Researchers Map Multi-Network Cybercrime Infrastructure</title>
	<guid>http://boxofmeat.net/post/454634551</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/P2TODSFyjZw/454634551</link>
	<description>&lt;a href=&quot;http://www.krebsonsecurity.com/2010/03/researchers-map-multi-network-cybercrime-infrastructure/&quot;&gt;Krebs on Security: Researchers Map Multi-Network Cybercrime Infrastructure&lt;/a&gt;: &lt;p&gt;“Last week, security experts launched a sneak attack to disconnect Troyak,  an Internet service provider in Eastern Europe that served as a global  gateway to a nest of cyber crime activity. For the past seven days,  unnamed members of the security community reportedly have been playing  Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to  the next in a bid to reconnect to the wider Internet.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 17 Mar 2010 16:06:52 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Now Hiring: AOL</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-3980758195417990248</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/3pAepxqPj7U/now-hiring-aol.html</link>
	<description>This is the very last post (maybe) highlighting an open email/deliverability/anti-spam position. Maybe.&lt;br /&gt;
&lt;br /&gt;
AOL is looking to hire an &lt;b&gt;Anti-Spam Senior Systems Programmer&lt;/b&gt;. From the posting: &quot;The successful candidate will initially be expected to provide programming support for AOL's proprietary anti-spam tools suite, specifically our spam complaint, and Internet and member reputation systems. Additional duties will include analysis, implementation and maintenance of existing state of the art filtering systems used to combat spam, and development of new processes and programs to improve our anti-spam arsenal. Other responsibilities may include, but are not limited to: developing scripts and programs in support of more global Anti-Abuse objectives and interfacing with the global anti-spam community on common interests. Candidates should have extensive experience with systems and database programming in an enterprise-level environment. Specific skills required: perl, java, python, sybase and mysql programming, and familiarity with IT Security and anti-abuse initiatives and general best practices. &quot;&lt;br /&gt;
&lt;br /&gt;
For more information, &lt;a href=&quot;http://corp.aol.com/current-jobs&quot;&gt;visit the AOL Jobs website&lt;/a&gt;, click on &quot;search openings,&quot; select &quot;Communications - Mail&quot; under &quot;Brand,&quot; and hit submit. The &quot;Sr. Systems Programmer&quot; job should be the first position returned.</description>
	<pubDate>Wed, 17 Mar 2010 16:35:37 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Globe and Mail: Privacy is still a social norm</title>
	<guid>http://boxofmeat.net/post/454544887</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/hScrp7us2S0/454544887</link>
	<description>&lt;a href=&quot;http://www.theglobeandmail.com/news/opinions/privacy-is-still-a-social-norm/article1499215/&quot;&gt;Globe and Mail: Privacy is still a social norm&lt;/a&gt;: &lt;p&gt;“…there is little evidence to change our view that privacy remains a social norm. Privacy relates to freedom of choice and control in the sphere of one’s personal information – choices regarding what information you wish to share and, perhaps more important, what you do &lt;em&gt;not&lt;/em&gt; want shared with others. What &lt;em&gt;has&lt;/em&gt; changed, however, is the means by which personal information is now readily exchanged, at the speed of light.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 17 Mar 2010 15:04:51 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: A little love for the Waledac takedown after all</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/17/a-little-love-for-the-waledac-takedown-after-all.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/17/a-little-love-for-the-waledac-takedown-after-all.aspx</link>
	<description>&lt;p&gt;On another corner of the Internet, ThreatPost &lt;a href=&quot;http://threatpost.com/en_us/blogs/waledac-botnet-now-completely-dead-experts-say-031610&quot;&gt;reports&lt;/a&gt; that Microsoft’s Waledac takedown a couple of weeks ago &lt;i&gt;did, &lt;/i&gt;in fact, have far-reaching impact.&amp;nbsp; While some on the Internet were claiming that Microsoft’s actions had little to no effect, it turns out that others are saying that Waledac appears to be crippled, if not dead:&lt;/p&gt;
  
&lt;blockquote&gt;   
&lt;p&gt;After Microsoft's actions to &lt;a href=&quot;http://threatpost.com/en_us/blogs/tj-campana-waledac-botnet-takedown-022610&quot;&gt;take down the Waledac botnet&lt;/a&gt; last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero.&lt;/p&gt;
    
&lt;p&gt;One researcher said that Waledac now seems to be abandoned. &quot;It looks crippled, if not dead,&quot; said Jose Nazario, a senior security researcher at Arbor Networks.&lt;/p&gt;
    
&lt;p&gt;An &lt;a href=&quot;http://blogs.technet.com/mmpc/archive/2010/03/15/what-we-know-and-learned-from-the-waledac-takedown.aspx&quot;&gt;analysis of the effects of the Waledac takedown&lt;/a&gt;, known internally at Microsoft as Operation b49, by the company and other researchers has shown that Microsoft's efforts, combined with those of other researchers from universities in Europe, have rendered Waledac toothless.&lt;/p&gt;
         
 ...early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network. For example, researchers from the Shadowserver Foundation, the Technical University in Vienna, University of Mannheim, University of Bonn and University of Washington have analyzed honeypot data on Waledac and have observed an effective cessation of commands to Waledac 'zombies.' That’s good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection.
&lt;p&gt;…&lt;/p&gt;
    
&lt;p&gt;Another key indicator of the botnet's demise is the lack of newly infected PCs. &lt;/p&gt;
    
&lt;p&gt;&quot;Researchers at Sudosecure who track new Waledac infections have &lt;a href=&quot;http://www.sudosecure.net/waledac/index.php&quot;&gt;data&lt;/a&gt; showing a dramatic decline in new IP addresses appearing within the Waledac network, meaning that Waledac is no longer spreading its infection to other computers. While there will likely always be some fluctuations as long as the underlying malware exists and we must and will continue to work with the security community to stay on top of Waledac over time, the 'zero new infections' number reported by Sudosecure as of February 27 is a great indicator of the success of these efforts so far,&quot; Microsoft's Jeff Williams wrote.&lt;/p&gt;
 &lt;/blockquote&gt;
  
&lt;p&gt;So rather than the spam being stopped directly, the drones are unable to communicate with their central command points, or rather, new commands are no longer being issued.&amp;nbsp; Indeed, here are some snapshots from Sudosecure’s &lt;a href=&quot;http://www.sudosecure.net/waledac/index.php&quot;&gt;page&lt;/a&gt;:&lt;/p&gt;
  
&lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/AlittlelovefortheWaledactakedownafterall_11665/image_2.png&quot;&gt;&lt;img src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/AlittlelovefortheWaledactakedownafterall_11665/image_thumb.png&quot; title=&quot;image&quot; alt=&quot;image&quot; width=&quot;524&quot; border=&quot;0&quot; height=&quot;146&quot; /&gt;&lt;/a&gt; &lt;/p&gt;
  
  
&lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/AlittlelovefortheWaledactakedownafterall_11665/image_4.png&quot;&gt;&lt;img src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/AlittlelovefortheWaledactakedownafterall_11665/image_thumb_1.png&quot; title=&quot;image&quot; alt=&quot;image&quot; width=&quot;525&quot; border=&quot;0&quot; height=&quot;147&quot; /&gt;&lt;/a&gt; &lt;/p&gt;
  
&lt;p&gt;You can see that on Feb 23, the number of new IPs drops dramatically.&amp;nbsp; So, rather than stopping the flow of spam coming out of Waledac, this action by Microsoft may have interrupted Waledac’s ability to refresh itself.&amp;nbsp; If that’s the case, then it means that Waledac’s spam will taper off over time rather than stop at once, since the current zombies will finish spewing what they are spewing but will not be issued new commands.&lt;/p&gt;
</description>
	<pubDate>Wed, 17 Mar 2010 14:47:00 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Next: Foreign cybercrime experts to partner with [Nigerian] lawmakers</title>
	<guid>http://boxofmeat.net/post/454460478</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/xfbyWa4zhsM/454460478</link>
	<description>&lt;a href=&quot;http://234next.com/csp/cms/sites/Next/Home/5537096-146/foreign_cybercrime_experts_to_partner_with.csp&quot;&gt;Next: Foreign cybercrime experts to partner with [Nigerian] lawmakers&lt;/a&gt;: &lt;p&gt;“…Nigeria’s case is disturbing because there are no laws to protect agencies, corporate institutions and the federal government from falling victims to online crimes.&lt;/p&gt;
&lt;p&gt;Mr. Etim said that the process of enacting enabling laws in Nigeria to regulate the operations of the cyber environment has been quite slow, but noted that this would be a more meticulous way of ensuring that the laws, if put in place, would be strong enough to serve their purpose.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 17 Mar 2010 14:03:53 +0000</pubDate>
</item>
<item>
	<title>Amir Lev: Text message spam: is it a big problem?</title>
	<guid>http://blogs.computerworld.com/15758 at http://blogs.computerworld.com</guid>
	<link>http://blogs.computerworld.com/15758/text_message_spam_is_it_a_big_problem?source=rss_cwbloggers</link>
	<description>&lt;p&gt;In this week's &lt;a href=&quot;http://blogs.computerworld.com/lev&quot;&gt;&lt;i&gt;&lt;b&gt;Security Levity&lt;/b&gt;&lt;/i&gt;&lt;/a&gt;, I want to talk about spam again -- not email spam, but spam sent via SMS. Also known as text message spam. I want to get to the bottom of whether SMS spam is as big a problem as email spam -- and if not, why not?&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://blogs.computerworld.com/15758/text_message_spam_is_it_a_big_problem&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
	<pubDate>Wed, 17 Mar 2010 12:08:08 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Troj/JSRedir-AU: Troj/JSRedir-AK redux?</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=9141</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=9141</link>
	<description>&lt;p&gt;Late last year I blogged about &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/v/post/8046&quot;&gt;Troj/JSRedir-AK&lt;/a&gt; and how it was very prevalent (&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=8338&quot;&gt;~40% of web-based malware&lt;/a&gt;). Earlier this year I mentioned it had &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/v/post/8411&quot;&gt;changed&lt;/a&gt; and late last month I saw that it had changed again into &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsredirau.html&quot;&gt;Troj/JSRedir-AU&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The infection numbers of &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsredirar.html&quot;&gt;Troj/JSRedir-AR&lt;/a&gt; and Troj/JSRedir-AU haven&amp;#8217;t been quite as impressive as those of Troj/JSRedir-AK, but the sites compromised have included several high profile victims. For instance this morning I was alerted to an infection on a major European newspaper by one of our &lt;a href=&quot;http://www.sophos.com/products/enterprise/web/security-and-control/&quot;&gt;Sophos web security appliances&lt;/a&gt; and earlier in the week Sophos notified a Dutch menswear outfitter of an infection on one of their sites.&lt;/p&gt;
&lt;p&gt;The outfitter, after being notified, did not want &amp;#8216;our help&amp;#8217; and three days later hasn&amp;#8217;t cleaned up their website.&lt;/p&gt;
&lt;p&gt;&lt;a&gt;&lt;img title=&quot;bb-ny&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/bb-ny.jpg&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;336&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;As you can see this is another case of an old website with a redirect to the new site with extra &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=8854&quot;&gt;malware on the side&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The malicious code, like the previous examples Troj/JSRedir-AK and Troj/JSRedir-AR, has two distinct forms:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;one injected into HTML files as a malicious &amp;lt;SCRIPT&amp;gt; tag&lt;/li&gt;
&lt;li&gt;the other appended to JavaScript files&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a&gt;&lt;img title=&quot;code&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/code.jpg&quot; alt=&quot;&quot; width=&quot;486&quot; height=&quot;281&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;You can see in the above code snippet:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;var Y=F('89910918991021',&quot;129&quot;)&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The code has a function F which uses the second string to perform a substitution on the first string.  In Perl code:&lt;/p&gt;
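&lt;pre&gt;use strict;
use warnings;

# Read the injected script and decode each F('data',&quot;key&quot;) call.
while (&amp;lt;&amp;gt;) {
    if (/F\('([a-zA-Z0-9]+)'\s*,\s*&quot;([a-zA-Z0-9]+)&quot;/) {
        my $one = $1;    # obfuscated string
        my $two = $2;    # characters to strip from it
        # Delete every character listed in $two; the sample above yields 8080.
        $one =~ s/[$two]//g;
        print $one . &quot;\n&quot;;
    }
}&lt;/pre&gt;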
&lt;p&gt;The other variable, &lt;strong&gt;&lt;em&gt;w&lt;/em&gt;&lt;/strong&gt;, in the image identifies the malicious site the code redirects to.&lt;/p&gt;
&lt;p&gt;When infected website owners have talked to us we have been able to diagnose the infection source via compromised FTP credentials.&lt;/p&gt;</description>
	<pubDate>Wed, 17 Mar 2010 12:00:38 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): The Dangers Of Freebies</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=9136</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=9136</link>
	<description>&lt;p&gt;The internet is rife with free tools from anything to everything (almost) - from free HTML web editors to free applications to free games and so on.&lt;/p&gt;
&lt;p&gt;We&amp;#8217;ve been in this situation before. Sometimes out of curiosity or &amp;#8220;affluenza&amp;#8221; (also known as &amp;#8220;I-GOTTA-HAVE-IT-NOW-NO-MATTER-WHAT&amp;#8221;), we are tempted to install some of these free tools and applications from the web.&lt;/p&gt;
&lt;p&gt;The unfortunate problem with freebies is that unless you know the source of where you download the tools from and whether the software author who created the application is credible, you are literally at the whim and mercy of the author should you choose to download and install the application.&lt;/p&gt;
&lt;p&gt;To make matters worse, some download websites don&amp;#8217;t even bother to check and verify every piece of software application that was uploaded to their website. Some do not even bother to perform any kind of anti-virus scanning of the uploaded software.&lt;/p&gt;
&lt;p&gt;Take a look at this piece of software that was touted as a web tool obtained from a download website.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/bifrose1.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-9108&quot; title=&quot;Troj/Bifrose-ZI&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/bifrose1.png&quot; alt=&quot;&quot; width=&quot;443&quot; height=&quot;242&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This tool was supposed to be an HTML editor, but upon running it, clearly something was wrong. No trace of the software was visible after running the application. This should signal a giant red flag that something is horribly amiss. To make matters worse, unless you happen to know what to look for, you&amp;#8217;d be hard pressed to find what kind of activity or system changes have been made on your computer (click on the picture below to see a clearer image of the registry entry made by this Trojan).&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/bifrose2.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-9162&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/bifrose21.png&quot; alt=&quot;&quot; width=&quot;451&quot; height=&quot;150&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;In this case, this backdoor Trojan (&lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojbifrosezi.html&quot;&gt;Troj/Bifrose-ZI&lt;/a&gt;) manifested itself as a file in your Windows System folder and created a registry entry to run itself upon the next startup (notice how notoriously difficult it is to know what to look for and where?). You now have a backdoor Trojan active on your computer which a remote intruder can use to gain access to your computer. The type of malicious activity that can then take place on your computer can range from using your computer to download more malware, to turning your computer into a botnet zombie, to stealing confidential information, etc. - you get the idea.&lt;/p&gt;
&lt;p&gt;If you&amp;#8217;re an avid internet user who loves downloading freebies, then this article should scare you and rightly so. Not everything that glitters is gold, as they say.&lt;/p&gt;
&lt;p&gt;Great. So how do we protect ourselves against such scams and malware?&lt;/p&gt;
&lt;p&gt;For one, I have always believed in the KISS (Keep It Simple Stupid) principle.&lt;/p&gt;
&lt;p&gt;Before you download any application, pause and think whether it&amp;#8217;s really necessary to have that software or whether it&amp;#8217;s going to do nothing but put more &amp;#8220;bloat&amp;#8221; on your computer (you know a particular software is &amp;#8220;bloatware&amp;#8221; when you have not touched it in the last 6 months). If you&amp;#8217;re uncertain, just go away from the computer for a few moments to think it over. Never ever download free software at a moment&amp;#8217;s whim.&lt;/p&gt;
&lt;p&gt;Last but not least when you&amp;#8217;re browsing the web, always check that your anti-virus software is running, your firewall is enabled and ensure that all these software security solutions are updated regularly.&lt;/p&gt;</description>
	<pubDate>Wed, 17 Mar 2010 05:02:52 +0000</pubDate>
</item>
<item>
	<title>The Internet Patrol: The Western Union Money Transfer Scam Spam</title>
	<guid>http://www.theinternetpatrol.com/the-western-union-money-transfer-scam-spam/</guid>
	<link>http://www.theinternetpatrol.com/the-western-union-money-transfer-scam-spam/</link>
	<description>There is a new Western Union money transfer scam spam making the rounds.  It thanks you for &quot;using Western Union Money Transfer&quot;, and gives you a fake confirmation receipt transaction number (&quot;control number&quot;) - in our case the Money Transfer Control number used was 1629752260.  The spam includes ...</description>
	<pubDate>Tue, 16 Mar 2010 23:11:14 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: AP: Break the law and your new 'friend' may be the FBI</title>
	<guid>http://boxofmeat.net/post/452965495</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/RJVfwwNoM0U/452965495</link>
	<description>&lt;a href=&quot;http://www.google.com/hostednews/ap/article/ALeqM5h9d9ecbek2Ur942bfpvJmo-DqlIAD9EFJ45O0&quot;&gt;AP: Break the law and your new 'friend' may be the FBI&lt;/a&gt;: &lt;p&gt;“U.S. law enforcement agents are following the rest of the Internet world into popular social-networking services, going undercover with false online profiles to communicate with suspects and gather private information….”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Tue, 16 Mar 2010 21:53:55 +0000</pubDate>
</item>
<item>
	<title>The Internet Patrol: How to Stop SMS Text Spam and How to Report SMS Txt Msg Spam</title>
	<guid>http://www.theinternetpatrol.com/how-to-stop-sms-text-spam-and-how-to-report-sms-txt-msg-spam/</guid>
	<link>http://www.theinternetpatrol.com/how-to-stop-sms-text-spam-and-how-to-report-sms-txt-msg-spam/</link>
	<description>If you're being plagued by cell text message spam (cell phone spam or mobile phone spam) like this one we received from 702-541-4047 - &quot;Do you have $20,000+ in CREDIT CARD DEBT? Our national program REDUCES it by HALF! Reply &quot;DEBT&quot; to see if you qualify! (cuturdebts.com-optout,reply:out)&quot; - you're not ...</description>
	<pubDate>Tue, 16 Mar 2010 21:41:13 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: A bit more on stolen information</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/16/a-bit-more-on-stolen-information.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/16/a-bit-more-on-stolen-information.aspx</link>
	<description>&lt;p&gt;In my &lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2010/03/15/stolen-information-from-a-bank-and-not-from-phishing.aspx&quot;&gt;previous&lt;/a&gt; post, I called attention to a story where a bank employee in Switzerland stole information from HSBC’s list of clients and gave (or more probably, sold) it to the French government.&amp;#160; The government intended to use the data to go after tax evaders.&lt;/p&gt;  &lt;p&gt;I put my own spin on things and suggested that not only do banks have to worry about losing data due to phishers and hackers stealing data, they also have to worry about their own employees stealing it.&amp;#160; The question that naturally arises: which is the bigger worry?&amp;#160; Electronic theft?&amp;#160; Or employee theft?&lt;/p&gt;  &lt;p&gt;Microsoft’s Security and Intelligence Report actually addresses this, and it’s not even close.&amp;#160; &lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Although security breaches are often linked in the popular consciousness with hacking incidents involving malicious parties defeating technical security measures to gain unlawful access to sensitive data, &lt;strong&gt;more than four-fifths of all breaches tracked in the DataLossDB result from something that the OSF database does not classify as a hack&lt;/strong&gt;, including 87.7 percent of reported 1H09 breaches. Stolen equipment is the largest single category and accounts for twice as many incidents as intrusion, possibly because equipment theft is easily detected and reported. A number of the incident reports reviewed for this analysis mentioned that intrusions or accidental exposure of information on the Web had been going on for quite a while before they were detected.       
&lt;br /&gt;&lt;/p&gt; &lt;/blockquote&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Abitmoreonstoleninformation_A060/image_2.png&quot;&gt;&lt;img title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Abitmoreonstoleninformation_A060/image_thumb.png&quot; width=&quot;473&quot; height=&quot;382&quot; /&gt;&lt;/a&gt; &lt;/p&gt;    &lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Abitmoreonstoleninformation_A060/image_4.png&quot;&gt;&lt;img title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Abitmoreonstoleninformation_A060/image_thumb_1.png&quot; width=&quot;514&quot; height=&quot;461&quot; /&gt;&lt;/a&gt; &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;So in reality, it’s not so much that banks need to be aware of employee theft being another attack vector in addition to hacking or phishing, it’s actually the other way around.&amp;#160; In addition to employee theft, banks need to be aware of hacking or phishing.&amp;#160; &lt;/p&gt;  &lt;p&gt;I am less clear on how to prevent data loss from these supposedly low-tech mechanisms for information loss.&amp;#160; A company needs employees in order to function, yet these employees are the weakest link in a company’s security chain.&amp;#160; An employer can take great steps like background checks and security policies to ensure that its personnel are not malicious, but ultimately, as a company grows larger the probability of a miscreant obtaining access to its information becomes greater and greater.&amp;#160; &lt;/p&gt;  &lt;p&gt;Technology can solve some of the problems we have when it comes to security, but it does not address all of the human problems.&amp;#160; &lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;a 
href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Abitmoreonstoleninformation_A060/DSCI0353.jpg&quot;&gt;&lt;img title=&quot;DSCI0353&quot; border=&quot;0&quot; alt=&quot;DSCI0353&quot; src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Abitmoreonstoleninformation_A060/DSCI0353_thumb.jpg&quot; width=&quot;184&quot; height=&quot;244&quot; /&gt;&lt;/a&gt; &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;&lt;em&gt;[A recent picture of me in Geneva, Switzerland]&lt;/em&gt;&lt;/p&gt;</description>
	<pubDate>Tue, 16 Mar 2010 16:21:00 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Jart Armin in Internet Evolution: Lies, Damned Lies &amp; Cybercrime Statistics</title>
	<guid>http://boxofmeat.net/post/452428156</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/rIybEwI9avo/452428156</link>
	<description>&lt;a href=&quot;http://www.internetevolution.com/author.asp?section_id=717&amp;doc_id=189171&quot;&gt;Jart Armin in Internet Evolution: Lies, Damned Lies &amp;amp; Cybercrime Statistics&lt;/a&gt;: &lt;p&gt;“You may be forgiven if you’re confused over the plethora of conflicting reports and contrasting figures out there. …To the cynically minded it could seem that some of the statistics produced are meant to be attention-grabbing, even though such tactics often prove to be counterproductive. Even more worrying, however, is a sense that some statistics are leveled at lobbying for government funding, corporate gain, or media hype rather than having any base in reality.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Tue, 16 Mar 2010 16:05:49 +0000</pubDate>
</item>
<item>
	<title>Ed Falk: Waledac botnet goes down</title>
	<guid>tag:blogger.com,1999:blog-21127528.post-2477361749613691760</guid>
	<link>http://thespamdiaries.blogspot.com/2010/03/waledac-botnet-goes-down.html</link>
	<description>Another triumph in the &quot;yes, you can fight spam&quot; category:  Kaspersky Lab's &lt;cite&gt;Threatpost&lt;/cite&gt; newsletter is &lt;a href=&quot;http://threatpost.com/en_us/blogs/waledac-botnet-now-completely-dead-experts-say-031610&quot;&gt;reporting&lt;/a&gt; that the Waledac botnet has been knocked nearly completely offline and is sending almost zero spam.&lt;br /&gt;&lt;br /&gt;I briefly mentioned the Waledac botnet in an &lt;a href=&quot;http://thespamdiaries.blogspot.com/2010/03/another-botnet-goes-down.html&quot;&gt;earlier post&lt;/a&gt; in which I reported that Microsoft had significantly damaged the botnet's command-and-control servers via court order.&lt;br /&gt;&lt;br /&gt;More details can be found on Microsoft's security blog in the article &lt;a href=&quot;http://blogs.technet.com/mmpc/archive/2010/03/15/what-we-know-and-learned-from-the-waledac-takedown.aspx&quot;&gt;What we know (and learned) from the Waledac takedown&lt;/a&gt;.</description>
	<pubDate>Tue, 16 Mar 2010 16:51:05 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: InformationWeek: Developers Vs. Cybercriminals</title>
	<guid>http://boxofmeat.net/post/452342896</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/Z8JI9qISabU/452342896</link>
	<description>&lt;a href=&quot;http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=223800002&quot;&gt;InformationWeek: Developers Vs. Cybercriminals&lt;/a&gt;: &lt;p&gt;“For operators of online games…hackers threaten not only revenue and user trust, but user experience and the intellectual property — game source code — upon which the business is built.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Tue, 16 Mar 2010 15:03:51 +0000</pubDate>
</item>
<item>
	<title>John Graham-Cumming: London Transport Museum: Acton Depot Weekend</title>
	<guid>tag:blogger.com,1999:blog-19303585.post-5714125616449877250</guid>
	<link>http://www.jgc.org/blog/2010/03/london-transport-museum-acton-depot.html</link>
	<description>This past weekend the London Transport Museum held an open weekend at its Acton Depot where they keep a collection of trams, trolley cards, buses and underground trains, plus all the associated equipment.  They only open the depot twice a year so this was a chance to see some things that are rarely open to the public. I didn't include this museum in The Geek Atlas but after a visit it's likely a</description>
	<pubDate>Tue, 16 Mar 2010 15:18:15 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: TechFlash: Classmates to pay up to $9.5m to settle suit over phantom friends</title>
	<guid>http://boxofmeat.net/post/452259812</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/BENVpmrugk4/452259812</link>
	<description>&lt;a href=&quot;http://www.techflash.com/seattle/2010/03/classmates_paying_up_to_95m_in_settlement_president_resigns.html&quot;&gt;TechFlash: Classmates to pay up to $9.5m to settle suit over phantom friends&lt;/a&gt;: &lt;p&gt;“Seattle-based Classmates.com has agreed to pay up to $9.5 million to its users to settle a lawsuit that accused the social network of sending emails that made people believe their old friends from high school were reaching out to connect — only to discover, after paying for a membership, that their long-lost buddies were nowhere to be found.”&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Tue, 16 Mar 2010 14:03:50 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Spear phishing attacks on rise</title>
	<guid>http://www.allspammedup.com/?p=2258</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/cZFZUrVF7vM/</link>
	<description>&lt;div id=&quot;attachment_2263&quot; class=&quot;wp-caption alignright&quot;&gt;&lt;img class=&quot;size-full wp-image-2263&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/03/APWG-sectors1.jpg&quot; alt=&quot;Financial sector is top target for phishers.&quot; width=&quot;299&quot; height=&quot;162&quot; /&gt;&lt;p class=&quot;wp-caption-text&quot;&gt;Financial sector is top target for phishers.&lt;/p&gt;&lt;/div&gt;
&lt;p&gt;Phishing reports were down, but that may be because cyber scammers had bigger fish to fry.&lt;/p&gt;
&lt;p&gt;That&amp;#8217;s one of the findings in a report released this week by the Anti-Phishing Working Group.&lt;/p&gt;
&lt;p&gt;After reaching an all time high of 40,621 reports in August of last year, phishing reports to the organization fell a precipitous 29 percent, to 28,897, in December, the organization revealed in its Phishing Activity Trends Report for the fourth quarter of 2009.&lt;/p&gt;
&lt;p&gt;Although raw phishing numbers declined, the organization reported a &amp;#8220;substantial increase&amp;#8221; in phishing focused on high-value targets, such as personnel with treasury authority.&lt;/p&gt;
&lt;p&gt;&amp;#8220;Spear-phishing and whale-phishing, where targeted individuals inside of corporations, or of high net worth, appears to be increasing,&amp;#8221; APWG Chairman Dave Jevans said in the report.&lt;/p&gt;
&lt;p&gt;&amp;#8220;Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources,&amp;#8221; he continued.&lt;/p&gt;
&lt;p&gt;&amp;#8220;These attacks do not contribute significantly to the overall number of unique phishing emails that are sent, as they are not using broad-based spam,&amp;#8221; he added. &amp;#8220;Rather, the attackers customize their email messages to target individual users.&amp;#8221;&lt;span id=&quot;more-2258&quot;&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Such a targeted attack made headlines recently when it was used to break into Google&amp;#8217;s computers.&lt;/p&gt;
&lt;p&gt;The number of unique phishing sites identified by the group remained steady during the period. From October to December, unique site figures fluctuated by less than one percent, from 46,522 to 46,190 sites, and the end of year figure was 18 percent below the all time peak hit in August of 56,362 sites.&lt;/p&gt;
&lt;p&gt;Attacks on brands hit a new high during the quarter, according to the report. After hitting that peak of 356 in October, though, assaults petered out to 249 by the end of the year.&lt;/p&gt;
&lt;p&gt;&amp;#8220;The pattern of attacks per brand is particularly noteworthy,&amp;#8221; observed Ihab Shraim, chief security officer and vice president for network and system engineering at MarkMonitor and a contributing analyst for the report. &amp;#8220;While the number of targeted brands declined in each month of the fourth quarter, the total number of brands targeted in phishing attacks actually increased from the previous quarter.&amp;#8221;&lt;/p&gt;
&lt;p&gt;After falling from the catbird&amp;#8217;s seat during the first two quarters of the year, the financial services sector regained its dubious distinction as the number one industry targeted by phishers in quarters three and four. In the final frame of the annum, 39 percent of phishing attacks were directed at the financial sector, followed by payment services (33 percent), auction sites (13 percent), other (13 percent) and retail (two percent).&lt;/p&gt;
&lt;p&gt;In this edition of the group&amp;#8217;s report, a new metric has been added: crimeware. Crimeware is malware specifically designed to attack the customers of financial institutions. During the quarter, crimeware&amp;#8217;s slice of the malware pie remained consistent at two percent. However, the pie share held by bad apps designed to steal data fluctuated, starting at 31 percent in October, climbing to 34 percent in November and returning to 31 percent at the end of the year.&lt;/p&gt;
&lt;p&gt;Patrik Runald, a senior security research manager with Websense and a contributing analyst to the report, observed that data stealing code continues to be a major problem for White Hats. &amp;#8220;This is due to the high success rate that hackers obtain when unleashing attacks with data stealing code,&amp;#8221; he maintained. &amp;#8220;These types of attacks will most likely continue at this pace, and possibly increase as attack techniques evolve.&amp;#8221;&lt;/p&gt;
&lt;p&gt;A popular vehicle for infecting computers in recent months has been rogueware&amp;#8211;malware masquerading as security and anti-virus programs. A significant increase in the variants of these applications occurred at the end of the year, according to the group&amp;#8217;s report. From the third to the fourth quarter of the annum, rogueware variants increased 36 percent, from 158,980 to 252,025. Still, the high of 122,335 for the final frame reached in December was substantially lower than the record crest of 152,197 reached in June 2009.&lt;/p&gt;
&lt;p&gt;Despite the large numbers of new variants, the bad apps actually stem from relatively few software families, the report noted. The more than 200,000 variants in the fourth quarter, for example, belong to only four families:&lt;/p&gt;
&lt;p&gt;• Adware/Antivirus2008&lt;br /&gt;
• Adware/MSAntiSpyware2009&lt;br /&gt;
• Adware/TotalSecurity2009&lt;br /&gt;
• Adware/SystemGuard2009&lt;/p&gt;
&lt;p&gt;The report also noted that the United States was the top country for phishing sites in the world. In October and November, more than 90 percent of all the nefarious sites were located in the United States; more than 70 percent in December.&lt;/p&gt;
</description>
	<pubDate>Tue, 16 Mar 2010 08:36:35 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): IMF money-making scam</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=9091</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=9091</link>
	<description>&lt;p&gt;I have seen a lot of these lately. This one currently doing the rounds tries to dupe the reader into thinking that the &lt;a href=&quot;http://en.wikipedia.org/wiki/International_Monetary_Fund&quot; target=&quot;_blank&quot;&gt;International Monetary Fund (IMF)&lt;/a&gt; wants to use their accounts to transfer money meant for charity.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/imf_one_2.jpg&quot;&gt;&lt;img class=&quot;alignnone size-medium wp-image-9097&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/imf_one_2.jpg&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;434&quot; /&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;In the email, the IMF (supposedly) wants to transfer $10 Million into the reader&amp;#8217;s account using NatWest Bank. The contact details within the Bank are given as follows:&lt;/p&gt;
&lt;pre&gt;&lt;em&gt;Name: Mr. Donald Miller (Co-founder)
Office Address: 11 El Shams Bldgs., 8th District Nasr City
E-mail: Bernisecharityfoundationimf 'at' gmail.com
Tel: (+44) 7031-939-750
&lt;/em&gt;&lt;em&gt;Fax: (+44) 7011830323&lt;/em&gt;&lt;/pre&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/imf_two_31.jpg&quot;&gt;&lt;img class=&quot;alignnone size-medium wp-image-9095&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/imf_two_31.jpg&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;450&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
Some things to notice:&lt;/p&gt;
&lt;p&gt;1. Fake e-mail addresses - Both the e-mail addresses mentioned in the message ( Intmonetaryfunds &amp;#8216;at&amp;#8217; aol.com and Bernisecharityfoundationimf &amp;#8216;at&amp;#8217; gmail.com ) are from common free e-mail service providers.&lt;/p&gt;
&lt;p&gt;2. The letter is not addressed to anyone. Surely if the IMF wanted you to have their $10 Million, they would know your name?&lt;/p&gt;
&lt;p&gt;Be very careful of such scams. They are on the rise and appear to be extremely enticing. Never ever divulge your personal details and simply delete such e-mails.&lt;/p&gt;</description>
	<pubDate>Tue, 16 Mar 2010 07:55:46 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?</title>
	<guid>http://boxofmeat.net/post/450339010</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/3Zim5rr8gRg/450339010</link>
	<description>&lt;a href=&quot;http://vrt-sourcefire.blogspot.com/2010/03/apt-should-your-panties-be-in-bunch-and.html&quot;&gt;VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?&lt;/a&gt;: &lt;p&gt;‘The co-opting of APT [Advanced Persistent Threat] by the marketing folks have led to the point that people are classifying any malware, rootkit or bot as “APT”.  Zeus is not APT, Aurora is not APT.  APT is a level of threat, a description of the sophistication, patience and talent behind an attack.  The attacks are targeted, typically involving both an exploit and social engineering.  Emails containing PDF exploits don’t get spammed to everyone in the organization, they are sent to key individuals with convincing messages.  Bots aren’t your commercial, off-the-shelf variety.  They are custom built, hard to detect and typically have multiple instances and functions so an initial remediation sweep will appear successful but miss the deeper, quieter processes.&lt;br /&gt;&lt;br /&gt; The attackers monitor the state and success of their attacks and channels.  As one channel goes down, they activate another.  If a node containing valuable data is cleaned, they’ll reinfect it from another computer.  They know what they are doing.’&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Mon, 15 Mar 2010 18:17:52 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Stolen information from a bank… and *not* from phishing!</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/15/stolen-information-from-a-bank-and-not-from-phishing.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/15/stolen-information-from-a-bank-and-not-from-phishing.aspx</link>
	<description>&lt;p&gt;On Friday, I went to Bloomberg’s financial page and browsed a few articles.&amp;#160; I read an &lt;a href=&quot;http://www.bloomberg.com/apps/news?pid=20601208&amp;sid=a1ShWbR54REo&quot;&gt;article&lt;/a&gt; which stated that HSBC revealed that a former employee stole details on 15,000 existing user accounts:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;March 11 (Bloomberg) -- HSBC Holdings Plc’s Swiss private bank said a former employee stole details on 15,000 existing accounts, as banking secrecy comes under growing pressure from nations keen to crack down on tax evasion. &lt;/p&gt;    &lt;p&gt;An information technology worker took the account information about three years ago, the Geneva-based unit of HSBC said in a statement today. Data were also stolen on 9,000 accounts closed before October 2006, said the bank, which currently has about 100,000 accounts in all. &lt;/p&gt;    &lt;p&gt;“This represents a threat to the privacy of our clients,” Alexandre Zeller, chief executive officer of HSBC’s private bank, told reporters today in Geneva. “We deeply regret this situation and unreservedly apologize to our clients.” The bank plans to spend 100 million Swiss francs ($93 million) on improving security, he said. &lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;“This is enormous and no-one expected that it could happen to HSBC so it’s a tough lesson for the whole industry,” says Bernhard Bauhofer, founder of Sparring Partners GmbH, which advises companies on managing their reputations. “There’s an increasing demand for data and there will be other cases because governments are looking for funds; where there’s demand there will be supply,” he said. &lt;/p&gt;    &lt;p&gt;The French Finance Ministry said in December that it had data on Swiss bank accounts held by French taxpayers, including names provided by a former HSBC employee. &lt;/p&gt;    &lt;p&gt;Switzerland suspended treaty negotiations with France in December because of the HSBC case. 
After talks in January, France agreed to return the original data to Switzerland and not ask for assistance from Swiss authorities based on the stolen information. France will continue to use the data to pursue tax evaders at home. &lt;/p&gt;    &lt;p&gt;“The bank does not believe that the stolen data has or will allow any third party to access any client account,” HSBC said. The accounts were all opened before October 2006, the bank said, adding that it is contacting all clients with Swiss-based accounts. &lt;/p&gt;    &lt;p&gt;Switzerland’s banking regulator said it will investigate how the theft occurred and what HSBC did to improve security since 2007. The Swiss Financial Market Supervisory Authority, known as Finma, has been in close contact with the bank since December last year, the Bern-based regulator said in an e-mailed statement today. &lt;/p&gt;    &lt;p&gt;&lt;strong&gt;Swiss secrecy laws, which threaten bank employees with as much as five years in jail if they divulge client information, have failed to stop workers from stealing data.&lt;/strong&gt; &lt;/p&gt;    &lt;p&gt;The former staffer, Hervé Falciani, was a “trusted employee” who worked for HSBC for more than seven years, Zeller said. He took the data “probably over a period of months” while working on a project to transfer client information between computer systems. &lt;/p&gt;    &lt;p&gt;HSBC said it became aware of the theft in the middle of 2008 and Falciani was arrested in Switzerland in December of that year after being denounced by a colleague. He later left the country for France. The bank said it is unsure how Falciani physically stole the data. &lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;“Nobody will ever tell you that 100 percent of data can always be secure because private banking is a human game,” said Zeller. 
“Data theft is an ever more serious preoccupation within the industry.” &lt;/p&gt;    &lt;p&gt;While the stolen data contains numbers and names, the latter could be powers of attorney rather than the client. &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;This represents an interesting challenge for banks and clients’ security.&amp;#160; Here we have a case of an employee stealing data and governments acquired it in order to look for additional sources of revenue.&amp;#160; However, in contrast to phishing, the acquirer of this data could not use it to gain access to the clients’ data – at least not directly.&amp;#160; Really, is it that much of a stretch to use this as part of a social engineering ploy?&amp;#160; If you have the username, numbers and some more account information, it might not be enough to gain access to the account.&amp;#160; But it &lt;em&gt;might&lt;/em&gt; be enough to impersonate the actual client and request a reset of login credentials which &lt;em&gt;could&lt;/em&gt; allow an unauthorized user access.&lt;/p&gt;  &lt;p&gt;More in my next post.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Stoleninformationfromabankandnotfromphis_F2EF/image_2.png&quot;&gt;&lt;img title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/Stoleninformationfromabankandnotfromphis_F2EF/image_thumb.png&quot; width=&quot;423&quot; height=&quot;266&quot; /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;[Actual picture taken by me of HSBC bank in Geneva, Switzerland]&lt;/em&gt;&lt;/p&gt;&lt;img src=&quot;http://blogs.msdn.com/aggbug.aspx?PostID=9978875&quot; width=&quot;1&quot; height=&quot;1&quot; /&gt;</description>
	<pubDate>Mon, 15 Mar 2010 18:10:32 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Now Hiring: Email Service Providers</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-9058586032568084474</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/XYUS-ZX2q_k/now-hiring-email-service-providers.html</link>
	<description>Here's one more post with a few job offerings listed. If email deliverability, best practices, and industry interaction are your areas of email expertise, maybe one of these positions might be for you. I'm receiving no compensation for posting these; I'm doing this only as a favor to people out there who might be looking for work.&lt;br /&gt;
&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;br /&gt;
Waltham, MA-based email service provider Constant Contact is looking to hire for the position of &lt;b&gt;&lt;a href=&quot;http://www.constantcontact.com/about-constant-contact/careers/director-industry-relations-and-standards.jsp&quot;&gt;Director, Industry Relations &amp;amp; Standards&lt;/a&gt;&lt;/b&gt;. &lt;i&gt;&quot;This person will actively participate in the email and related industry bodies and will be responsible for developing and communicating Constant Contact's strategy and direction with respect to email authentication, reputation systems ensuring the overall health of the email ecosystem. 30% travel required, will provide relocation assistance.&quot;&lt;/i&gt; &lt;a href=&quot;http://www.constantcontact.com/about-constant-contact/careers/director-industry-relations-and-standards.jsp&quot;&gt;Click here&lt;/a&gt; for more information.&lt;br /&gt;
&lt;br /&gt;
Seattle-based email service provider WhatCounts is looking to hire an &lt;b&gt;Email Delivery Manager&lt;/b&gt;. &lt;a href=&quot;http://blog.deliverability.com/2010/02/job-whatcounts-is-looking-to-hire-an-email-delivery-manager-please-retweet-email-deliverability.html&quot;&gt;From a paid job posting on Deliverability.com&lt;/a&gt;: &lt;i&gt;&quot;The Email Delivery Manager is responsible for helping our customers achieve and maintain high email deliverability rates to the inbox, detect and analyze delivery issues, as well as educate our customers on email best practices.&amp;nbsp; This position will also manage the customer experience for those enrolled in the SmartStart Plus and Delivery Plus programs.&quot;&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
And finally, Indianapolis-based email service provider ExactTarget is looking to hire a &lt;b&gt;Deliverability Consultant&lt;/b&gt; in London. &lt;a href=&quot;http://email.exacttarget.com/Company/Careers/OpenPositions.html&quot;&gt;From the posting&lt;/a&gt;: &lt;i&gt;&quot;The ExactTarget Deliverability Consultant is responsible for monitoring and maintaining high email deliverability rates, detecting and analyzing problems, and maintaining industry relationships, as well as educating clients and enforcing email privacy and permission email standards.&quot;&lt;/i&gt; Note that this is a London-based position; telecommuting is not offered. For more information, visit &lt;a href=&quot;http://email.exacttarget.com/Company/Careers/OpenPositions.html&quot;&gt;ExactTarget's Career page&lt;/a&gt; and click on the Deliverability Consultant position. (In the interest of full disclosure, please note that I am employed by ExactTarget.)&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;&lt;img width=&quot;1&quot; height=&quot;1&quot; src=&quot;https://blogger.googleusercontent.com/tracker/26753622-9058586032568084474?l=www.spamresource.com&quot; alt=&quot;&quot; /&gt;&lt;/div&gt;&lt;img src=&quot;http://feeds.feedburner.com/~r/spamresource/~4/XYUS-ZX2q_k&quot; height=&quot;1&quot; width=&quot;1&quot; /&gt;</description>
	<pubDate>Mon, 15 Mar 2010 11:53:27 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Now Hiring: Microsoft</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-4067301714698109175</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/3gi-G2Va6wg/now-hiring-microsoft.html</link>
	<description>Someone dropped me a line to let me know that Microsoft is looking for a spam fighter. Since I know a lot of smart people looking for work thanks to the economic downturn, I figured it would be good to pass this along.&lt;br /&gt;
&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;i&gt;&quot;'Do you have anything which doesn’t have quite so much SPAM in it?' We do, thanks to a global team of knowledge engineers who work to apply regular expression based rules to the inbound email of our Forefront Online Protection for Exchange customers. Anti-spam response is a team within the Microsoft Malware Protection Center whose expertise not only benefits the productivity of our corporate customers but also provides insights in to emerging malware, phishing and other threats which are distributed by email.&quot;&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
Think you've got the right stuff? &lt;a href=&quot;https://careers.microsoft.com/JobDetails.aspx?ss=&amp;pg=0&amp;so=&amp;rw=1&amp;jid=11415&amp;jlang=EN&quot;&gt;Click here&lt;/a&gt; for more information or to apply.</description>
	<pubDate>Mon, 15 Mar 2010 11:51:38 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Now Hiring: Sears</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-4327585868914965357</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/mHbFVs8oGg0/now-hiring-sears.html</link>
	<description>&lt;i&gt;(Hey, I know the job market is tough right now, and a lot of good email-savvy technology specialists, deliverability experts, and marketing managers are looking for work. To that end, I'm going to continue to share job postings periodically. Hope this helps folks with their job hunt. --Al )&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
Sears Holdings Corporation in Downtown Chicago is looking to hire a &lt;b&gt;Production Director - Email&lt;/b&gt;.&lt;br /&gt;
&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;br /&gt;
The Production Director -- Email will be responsible for establishing and maintaining production processes and timelines for the addressable marketing channels. The incumbent is responsible for the development of long term relationship with multiple business units to maintain a high level of customer satisfaction in the production of e-mail advertising. Serves as the leadership interface in the production of e-mail advertising. Develops enhancements to production process and outcome as the primary resolution provider between IMC, planning teams, business teams and associated work teams.&lt;br /&gt;
&lt;br /&gt;
RESPONSIBILITIES:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Manages the teams responsible for successful and timely handoff from planning to understand strategic messaging intent for assigned e-mail campaigns.&lt;/li&gt;
&lt;li&gt;Directs all aspects of the email production process and systems that support email planning to ensure accuracy of data input.&lt;/li&gt;
&lt;li&gt;Monitors production system (IMPACT) capabilities and actively initiates dynamic enhancements that support realization of operational opportunities.&lt;/li&gt;
&lt;li&gt;Monitors advancements in email technology and makes recommendations regarding internal enhancements as appropriate.&lt;/li&gt;
&lt;li&gt;Develops production flow enhancements that can be institutionalized across the function.&lt;/li&gt;
&lt;li&gt;Review and monitor email production to ensure quality and standards are maintained across the process.&lt;/li&gt;
&lt;/ul&gt;To apply for this position, please contact John Bertucci, Executive Recruiter for Sears Holdings, at jbertu0 AT searshc.com, or feel free to &lt;a href=&quot;http://contact.aliverson.com/&quot;&gt;contact me&lt;/a&gt; if you need help getting in touch.</description>
	<pubDate>Mon, 15 Mar 2010 11:51:18 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Now Hiring: Cloudmark</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-3168003999745512907</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/xS_HEbtO5Vg/now-hiring-cloudmark.html</link>
	<description>It's a good week to be looking for a job if you're a spam fighter or email expert. I've got yet another job posting to share! &lt;a href=&quot;http://twitter.com/jamietomasello&quot;&gt;Jamie Tomasello&lt;/a&gt; kindly wrote in to let me know that Cloudmark is looking to hire an &lt;b&gt;Abuse Operations Analyst.&amp;nbsp;&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;
From &lt;a href=&quot;http://www.cloudmark.com/en/company/jobs/abuse-operations-analyst&quot;&gt;the posting&lt;/a&gt;: &quot;Cloudmark's Security Operations Center provides customers with the peace of mind that a team of highly skilled engineers and analysts are monitoring their systems for new threats and reacting quickly when such threats occur. As a member of this team you will be working with some of the largest Service Providers and Mobile Operators to ensure the highest level of threat detection, analysis and response.&lt;br /&gt;
&lt;br /&gt;
&quot;[As an Abuse Operations Analyst,] you will participate in 24/7 monitoring customer systems for new threats and use best practices to ensure these threats are stopped quickly, provide customers with weekly and monthly reports detailing new threats and attacks, how those attacks were stopped and what impact they had on the customer system, and work closely with our Tactical Accuracy and Professional Services teams to provide customers with a multi-pronged approach to accuracy.&quot;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.cloudmark.com/en/company/jobs/abuse-operations-analyst&quot;&gt;Click here for more information&lt;/a&gt; about this position or to apply.</description>
	<pubDate>Mon, 15 Mar 2010 11:50:42 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: On Defending Jigsaw &amp; Similar...</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-7567406015263704017</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/qLhl3_8mAaw/on-defending-jigsaw-similar.html</link>
	<description>This morning, an anonymous commenter attempted to drop a truth bomb on my post about how &lt;a href=&quot;http://www.spamresource.com/2009/09/jigsaw-blacklisted-by-spamhaus.html&quot;&gt;Jigsaw was blacklisted by Spamhaus&lt;/a&gt;. (They &lt;a href=&quot;http://www.spamhaus.org/sbl/sbl.lasso?query=SBL77400&quot;&gt;still are&lt;/a&gt;, by the way.)&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.spamresource.com/2009/09/jigsaw-blacklisted-by-spamhaus.html?showComment=1268500761919#c4169327402657102844&quot;&gt;In his comment&lt;/a&gt;, he points out that postal junk mail sucks (which I agree with), but he doesn't make it clear why it was important to share that tidbit with us. That spam is a suitable substitute for junk mail? I'm not buying it.&lt;br /&gt;
&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;br /&gt;
Also, he points out that &quot;e-mail is new, and shiny.&quot; Actually, no, email has been around since the 1960s, and Internet (then ARPANET) email in a form similar to today's, using @ signs in addresses, &lt;a href=&quot;http://en.wikipedia.org/wiki/E-mail#Origin&quot;&gt;since 1971&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
He then goes on to point out that business contact databases charge too much money for spammers to be able to utilize them. Your bargain basement with a &quot;$99 millions list&quot; bought on Ebay? Maybe. Somebody selling big ticket items, who can &lt;a href=&quot;http://en.wikipedia.org/wiki/Rate_of_return&quot;&gt;still make money&lt;/a&gt; even with a higher customer acquisition cost? Hardly. I have actually seen companies buy lists from entities like Zoominfo, Jigsaw, and Netprospex, mail to them, and get busted for spamming. Most recently, I saw a domain registrar threaten to take away a domain after it was used in spam email sent by somebody who bought and mailed to one of these lists.&lt;br /&gt;
&lt;br /&gt;
But hey, I could be completely wrong. In a different comment on my post, &lt;a href=&quot;http://www.spamresource.com/2009/09/jigsaw-blacklisted-by-spamhaus.html?showComment=1252861698553#c1662283040605673985&quot;&gt;somebody called KADIGIGURU wrote&lt;/a&gt;, &quot;The DMA publishes a B2B Guide to Ethical Marketing Best Practices. I am a Jigsaw customer, and they've walked me through how to use their (and other sources) data while following both Can Spam AND the DMA Guide to the letter!&quot;&lt;br /&gt;
&lt;br /&gt;
I &lt;a href=&quot;http://www.spamresource.com/2009/09/jigsaw-blacklisted-by-spamhaus.html?showComment=1252862684980#c608603773752472800&quot;&gt;replied&lt;/a&gt; that I'd be happy to discuss in further detail, or even offer up the opportunity for a rebuttal post. He never responded.&lt;br /&gt;
&lt;br /&gt;
Where is that rebuttal? What are those ethical guidelines to follow when marketing to a purchased list of email addresses? Does that even exist? Even if somebody tells you &quot;don't spam this list,&quot; while selling it to you, is it said with a wink and a nod? Anybody care to tackle this? (I'm not looking to provide an opportunity for a company representative to shill, so that offer is not open to Zoominfo, Jigsaw, and Netprospex.)</description>
	<pubDate>Mon, 15 Mar 2010 11:50:00 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Classmates.com Settles Lawsuit over Deceptive Emails</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-5141519002769003348</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/sMnIw5SD4UE/classmatescom-settles-lawsuit-over.html</link>
	<description>&lt;a href=&quot;http://www.techflash.com/seattle/2010/03/classmates_paying_up_to_95m_in_settlement_president_resigns.html&quot;&gt;TechFlash reports&lt;/a&gt;: &lt;i&gt;&quot;Seattle-based Classmates.com has agreed to pay up to $9.5 million to its users to settle a lawsuit that accused the social network of sending emails that made people believe their old friends from high school were reaching out to connect -- only to discover, after paying for a membership, that their long-lost buddies were nowhere to be found.&quot;&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;
Did you know that Classmates.com is owned by United Online, the same company that owns internet service providers Juno and Netzero?&lt;br /&gt;
&lt;br /&gt;
(H/T: &lt;a href=&quot;http://yro.slashdot.org/story/10/03/14/1551230/Classmatescom-Settles-Lawsuit-Over-Phony-Friends&quot;&gt;Slashdot&lt;/a&gt;)</description>
	<pubDate>Mon, 15 Mar 2010 11:49:38 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Spam Levels Continue to Surge</title>
	<guid>http://www.allspammedup.com/?p=2252</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/aD-6Alfsv7w/</link>
	<description>&lt;p&gt;Security experts say spam levels have continued to surge in the first few months of 2010.  Spam levels in February rose to 89.4%, a nearly 6% increase from January.  The rise is blamed on the Rustock and Grum botnets in particular with Grum’s spam output increasing by over 50%. It’s currently responsible for 26% of all spam sent.&lt;/p&gt;
&lt;div id=&quot;attachment_2097&quot; class=&quot;wp-caption alignright&quot;&gt;&lt;img class=&quot;size-full wp-image-2097&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG&quot; alt=&quot;Compromised computers spew spam.&quot; width=&quot;210&quot; height=&quot;153&quot; /&gt;&lt;p class=&quot;wp-caption-text&quot;&gt;Compromised computers spew spam.&lt;/p&gt;&lt;/div&gt;
&lt;p&gt;Porn was the most popular delivery method with 63.6% of spam messages using this tactic. Phishing has seen a slight decline, claiming 1% of all threats detected. A whopping 84% was malware and 15% was spyware. Cutwail continues to pump out record-setting amounts of spam that push scareware such as fake anti-virus programs. These types of campaigns remain wildly popular with cybercriminals because of their high profitability. Experts say Cutwail is also for hire. The botnet’s controllers are apparently offering it up for rent to other cybercriminals, further increasing their profits. The specific services being offered for sale aren’t known but are likely to be spam, malware delivery, DDoS attacks and other criminal activities.&lt;span id=&quot;more-2252&quot;&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;The cybercriminals that run the major botnets have largely turned away from attachment spam, most likely because most ISPs and spam filters automatically block or filter them. Only about .56% of spam contains attachments now. Instead they rely on links because malicious URLs tend to pass easily through spam filters without detection. Use of URL shortening services is also still popular.&lt;/p&gt;
&lt;p&gt;What is the best way to fight these surging threats? Security experts recommend a multilayered shield comprised of URL filtering, a strong, constantly updated anti-virus solution, and real-time code analysis.&lt;/p&gt;
</description>
	<pubDate>Mon, 15 Mar 2010 08:34:42 +0000</pubDate>
</item>
<item>
	<title>CAUCE North America: Canada's Electronic Commerce Protection Act: It's ON!</title>
	<guid>tag:typepad.com,2003:post-6a012875e4169d970c0120a9333f97970b</guid>
	<link>http://feedproxy.google.com/~r/CAUCE/~3/vDPCkCEMN_M/canadas-electronic-commerce-protection-act-its-on.html</link>
	<description>From: &amp;lt;Minister.Industry@ic.gc.ca&amp;gt;&lt;br /&gt; Date: March 10, 2010 4:46:47 PM EST&lt;br /&gt; To: neil@cauce.org&lt;br /&gt; Subject: The Electronic Commerce Protection Act&lt;br /&gt; &lt;br /&gt;Thank you for your e-mail in which you express concerns regarding the Electronic Commerce Protection Act (ECPA).&lt;br /&gt;&lt;br /&gt;The Government of Canada understand the detrimental impact that text message spam, email spam and related online threats pose to both business and consumers.  As a result, during the last election campaign, the Prime Minister promised to introduce anti-spam legislation.&lt;br /&gt;&lt;br /&gt;Further to the Prime Minister’s commitment, the proposed ECPA was tabled during the last session of Parliament in the House of Commons on April 24, 2009. It prohibits the sending of unsolicited commercial electronic messages.  The proposed legislation will deter the most harmful forms of spam and related misleading online activity—such as identity theft, phishing and spyware—from occurring in Canada or being sent from Canada.&lt;br /&gt; &lt;br /&gt;As well, with the international cooperation provisions built into the legislation, Canada will be able to work with their counterparts to combat spam.&lt;br /&gt;&lt;br /&gt;The federal government is committed to the passage of the ECPA and will  act to reintroduce the bill as quickly as possible.&lt;br /&gt;&lt;br /&gt;I hope this information will prove useful to you and would like to thank you for taking the time to express your views on this issue. I look forward to seeing this important piece of legislation passed by Parliament.&lt;br /&gt;&lt;br /&gt;Yours sincerely,&lt;br /&gt;&lt;br /&gt;Tony Clement</description>
	<pubDate>Sat, 13 Mar 2010 23:16:20 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Microsoft sues spammer for spimming</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/13/microsoft-sues-spammer-for-spimming.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/13/microsoft-sues-spammer-for-spimming.aspx</link>
	<description>&lt;p&gt;Instant messaging spam, or spim (Spam over IM), is not something I have a lot of experience with.&amp;#160; However, yesterday (Thursday, March 11), Microsoft announced that it reached a settlement with Funmobile, a company it sued last July, accusing it of using its service to spam users.&amp;#160; From &lt;a href=&quot;http://news.zdnet.co.uk/security/0%2c1000000189%2c40085624%2c00.htm&quot;&gt;ZDnet&lt;/a&gt;:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Microsoft said on Thursday it has reached a settlement with Funmobile, the Hong Kong-based company it sued last July over accusations that Funmobile was using instant messaging spam to trick users into giving up their account information.&lt;/p&gt;    &lt;p&gt;The software maker said it has obtained an injunction against Funmobile requiring it to refrain from 'spimming' — sending IM-based spam — to customers or contacts of Windows Live Messenger, and to make a cash payment to Microsoft.&lt;/p&gt;    &lt;p&gt;&amp;quot;The successful resolution of this case sends a clear signal that Microsoft does not tolerate abuse of its networks, and we will continue to take action to protect our customers,&amp;quot; said Microsoft associate general counsel Tim Cranton in a statement.&lt;/p&gt;    &lt;p&gt;Microsoft had &lt;a href=&quot;http://news.zdnet.co.uk/security/0,1000000189,39686022,00.htm&quot;&gt;accused Funmobile of targeting users&lt;/a&gt; on its Live Messenger network to gain their personal information. 
Live Messenger has more than 320 million users, according to the company.&lt;/p&gt;    &lt;p&gt;&lt;strong&gt;In the suit, Microsoft cited a number of attacks, including IMs that appear to be coming from users the victims know [TZ – emphasis mine].&lt;/strong&gt; It also described phishing attacks that mimic the look and feel of an outside service or an official Microsoft support page.&lt;/p&gt;    &lt;p&gt;The company said the successful use of these tactics allowed third parties to obtain these users' personal account information, then exploit it by sending mass spam and phishing messages to the contacts of those users.&lt;/p&gt;    &lt;p&gt;&amp;quot;Such attacks on instant messaging services are more than just a nuisance; they are a threat to user privacy,&amp;quot; said Cranton.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Technically speaking this is not phishing since phishing, by &lt;a href=&quot;http://encarta.msn.com/dictionary_701708629/phish.html&quot;&gt;definition&lt;/a&gt;, is the attempt to trick somebody into providing financial information.&amp;#160; The tactic here is known as &lt;em&gt;spoofing&lt;/em&gt; and belongs to the broader area of attack known as &lt;em&gt;social engineering&lt;/em&gt;.&amp;#160; It plays on the psychology of brand recognition.&amp;#160; Companies like Coca-Cola rely on their brand to sell their product around the world.&amp;#160; People feel good when they are in a foreign place but see the familiar logo of Coke; they are in a restaurant, and so they order one (note: I do this regularly when I travel outside of the US and Canada).&amp;#160; Images of familiarity when we are in unfamiliar territory cause our brains to release chemicals – endorphins – that make us feel good.&amp;#160; That comfort level breaks down some of our barriers.&lt;/p&gt;  &lt;p&gt;If we were to see a message coming from someone we don’t recognize, instantly our guard is up and we are less likely to be complicit in a spammer’s (spimmer’s?)
request.&amp;#160; However, by impersonating somebody we know, if we don’t realize right away that this is a spoof, our brains release endorphins and we enter a more suggestible state.&amp;#160; This is because we recognize the brand of our own personal social network.&amp;#160; We like to talk to people we know; we are comfortable with them and therefore our guards are down.&amp;#160; The chances of us being more complicit in the release of private information are higher when we are more suggestible.&lt;/p&gt;  &lt;p&gt;This isn’t Cranton’s or Microsoft’s stance, however.&amp;#160; It’s more of an incidental.&amp;#160; The greater point is that Microsoft has Terms of Service and abusive users of its service are subject to being shut down.&amp;#160; This also plays into Gary Warner’s blog &lt;a href=&quot;http://garwarner.blogspot.com/2010/03/spamming-botnets-strategies-welcome.html&quot;&gt;post&lt;/a&gt; where he advocates that “bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door.”&amp;#160; While Microsoft’s actions in this case are not about using law enforcement to shut down a botnet, they aren’t far away from it by using the legal arena to force an abusive service to stop doing it.&amp;#160; Hopefully, this will cause Funmobile to think twice before they start “phishing” other users.&amp;#160; Hopefully even more, it will cause other services like Funmobile to do the same.&lt;/p&gt;</description>
	<pubDate>Sat, 13 Mar 2010 19:24:00 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): A Change From Dirty Laundry…</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=9088</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=9088</link>
	<description>&lt;p&gt;Yesterday evening my student daughter arrived home for the weekend bringing a bag full of laundry, one full of books and, for a change,  the laptop belonging to one of her housemates.&lt;/p&gt;
&lt;p&gt;It seems that towards the end of last year the impoverished student could not afford to renew his AV subscription and has been, in effect, unwittingly running a malware honeypot on his laptop since it lapsed.&lt;/p&gt;
&lt;p&gt;Fortunately for him he managed to acquire a particularly vicious &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/v/post/8001&quot;&gt;FakeAV&lt;/a&gt; last week. The spoofed alerts and flashing warnings alarmed him but since he could not afford to pay the ransom to the bad guys he ignored them. That he couldn&amp;#8217;t visit several legitimate websites irritated him but it was not until the FakeAV prevented him from accessing iTunes that he began to complain loudly to the whole household, at which point my daughter called me for advice.&lt;/p&gt;
&lt;p&gt;&amp;#8220;Bring the laptop home and I&amp;#8217;ll see what can be done&amp;#8221; was my suggestion.&lt;/p&gt;
&lt;p&gt;So while a colleague and I have been working on this sunny Saturday, the dirty laptop has been receiving some rather special attention here at SophosLabs.  I&amp;#8217;m pleased to report that the months of accumulated malware was all detected by Sophos and that the laptop is now clean. What&amp;#8217;s more it should remain clean since it is now running an up to date anti-virus package.      &lt;/p&gt;
&lt;p&gt;It was fortunate for my daughter&amp;#8217;s housemate that he acquired such a visible piece of malware, one that loudly announced its presence to the whole household a few days before she had planned to come home for this Mother&amp;#8217;s Day weekend.      &lt;/p&gt;
&lt;p&gt;So all&amp;#8217;s well that ends well.  &lt;/p&gt;
&lt;p&gt;But I can&amp;#8217;t help wondering how many other youngsters are running the risk of surfing the internet without the safeguard of a good anti-virus tool and just how much malware they may unwittingly be spreading. Perhaps we parents should take responsibility for teaching our offspring the Facts Of Online Life and first and foremost should be the golden rule, do not surf without protection.&lt;/p&gt;</description>
	<pubDate>Sat, 13 Mar 2010 16:50:49 +0000</pubDate>
</item>
<item>
	<title>Spamnation: Hotmail Hijack #5</title>
	<guid>http://www.spamnation.info/blog/archives/2010/03/hotmail-hijack-5.html</guid>
	<link>http://www.spamnation.info/blog/archives/2010/03/hotmail-hijack-5.html</link>
	<description>&lt;p&gt;MXLogic has posted a short article under the title &lt;a href=&quot;http://www.mxlogic.com/securitynews/spam/web-security-breaches-rock-hotmail592.cfm&quot;&gt;Web Security Breaches Rock Hotmail&lt;/a&gt;, which hints at the existence of a previously undisclosed security issue with the popular webmail service. The article is short on useful details, but the ultimate source seems to be a Windows Live &lt;a href=&quot;http://windowslivehelp.com/solution.aspx?solutionid=1fe6ed3e-eef6-4c57-933f-f3c408f1c5c1&quot;&gt;help document about account compromises&lt;/a&gt;.&lt;/p&gt;</description>
	<pubDate>Sat, 13 Mar 2010 12:55:16 +0000</pubDate>
</item>
<item>
	<title>MillerSmiles Phishing News: Weekly analysis - 6th March 2010 to 13th March 2010</title>
	<guid>http://news.millersmiles.co.uk/article/0081</guid>
	<link>http://news.millersmiles.co.uk/article/0081</link>
	<description>MillerSmiles provides its weekly phishing analysis for the week of 6th March 2010 to 13th March 2010</description>
	<pubDate>Sat, 13 Mar 2010 12:00:00 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Another one (partially) bites the dust</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/12/another-one-partially-bites-the-dust.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/12/another-one-partially-bites-the-dust.aspx</link>
	<description>&lt;p&gt;Following in the footsteps of Lethic, Waledac and Mariposa, yet another botnet has been taken offline.&amp;#160; Not completely, though, it was only a partial disconnect.&amp;#160; The Zeus botnet, also known as &lt;a href=&quot;http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fZbot&quot;&gt;Zbot&lt;/a&gt;, is a trojan password stealer that captures passwords and sends them to the attacker. From &lt;a href=&quot;http://www.itworld.com/government/100020/zeus-botnet-dealt-blow-isp-troyak-knocked-out&quot;&gt;ITWorld&lt;/a&gt;:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;March 10, 2010, 04:10 PM —&amp;#160; IDG News Service —&amp;#160; &lt;/p&gt;    &lt;p&gt;Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines.&lt;/p&gt;    &lt;p&gt;Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.&lt;/p&gt;    &lt;p&gt;The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. &amp;quot;There's lots of Zeus and Fragus exploit kit [sites],&amp;quot; he said. Whoever was behind the takedown &amp;quot;just decided to knock out a large area of cybercrime, and this was probably one of the easiest ways to do it.&amp;quot;&lt;/p&gt;    &lt;p&gt;Troyak is based in Kostanay, Kazakhstan, according to whois records. The company could not be reached immediately for comment.&lt;/p&gt;    &lt;p&gt;The Zeus Tracker administrator, who asked not to be named, said that at first he thought that there had been some type of technical error in the Zeus code. 
On further investigation, he discovered that Troyak had been taken offline, which in turn knocked the networks hosting the botnet servers off the Internet.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Unlike the Waledac “takedown”, which was removed with a court order, and Mariposa takedown which was done by police authorities, or even the Lethic takedown done by Neustar which operates the .us ccTLD, this time around it was done by eastern European network providers.&amp;#160; Thus, this takedown more closely resembles the 2008 McColo takedown which resulted in spam levels plummeting by 40% (our figures) to 70% (others’ figures).&amp;#160; &lt;a href=&quot;http://www.theregister.co.uk/2010/03/10/massive_zeus_takedown/&quot;&gt;According&lt;/a&gt; to The Register, the network providers Ukraine-based Ihome and Russia-based Oversun Mercury severed their ties to the ISPs in question (Troyak and Group 3).&amp;#160; Unfortunately, it also meant that the legitimate customers on those ISPs also had their ties to the Internet disconnected.&amp;#160; I bet their customer support desks had their phones ringing off the hooks.&amp;#160; I can just imagine the conversation.&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;strong&gt;Customer&lt;/strong&gt;: Why can’t I connect to the Internet?&amp;#160; I’m paying for your service!      &lt;br /&gt;&lt;strong&gt;Response&lt;/strong&gt;: Well, sir, no one can.&amp;#160; We’ve been disconnected.      &lt;br /&gt;&lt;strong&gt;Customer&lt;/strong&gt;: What?&amp;#160; Why?      &lt;br /&gt;&lt;strong&gt;Response&lt;/strong&gt;: For engaging in cybercrime.      
&lt;br /&gt;&lt;strong&gt;Customer&lt;/strong&gt;: Oh.&amp;#160; Well, that explains it.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Cisco issued a statement that this takedown “depeered” the botnet.&amp;#160; What this means is that the drones that perform the actual password stealing, fast-fluxing, etc, can no longer (temporarily) make contact with command center.&amp;#160; The drones are aimless, kind of wandering around with no direction, no purpose and no motivation (a lot like the entire population of Canada would have been had we lost the gold medal game in hockey two weeks ago at the Olympics).&amp;#160; It’s kind of like if a military unit were out in the jungle taking orders from central command, and central command is knocked out, the unit will stand around forever doing nothing.&amp;#160; The unit is still there, but they are not going to do anything until they get their orders.&amp;#160; Since their orders will never come, they will never do anything.&amp;#160; It’s classic bureaucracy in action.&lt;/p&gt;  &lt;p&gt;It’s important to note three points:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;The entire C&amp;amp;C center wasn’t taken down, only about a third of it     &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;It will be rebuilt eventually.&amp;#160; The orphaned drones no doubt had some of their instruction locations hard coded, or maybe specified in a config.&amp;#160; The botnet operators will send out new malware with new instruction set locations, and users will install the software.&amp;#160; These systems will become re-infected and point to other locations upon which to download updates and the whole cycle will start all over again.&amp;#160; It will take time, true, but Zeus will be back.     
&lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;Those who took down this botnet wish to remain anonymous.&amp;#160; Whatever their reason is, they aren’t claiming responsibility.&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;I’ll have a bit more about Zeus/Zbot in my next post.&lt;/p&gt;</description>
	<pubDate>Fri, 12 Mar 2010 18:11:42 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: King of Infomercial Scams Avoids Jail for Spamming Judge</title>
	<guid>http://www.allspammedup.com/?p=2223</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/TNLeOSXvlI0/</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-full wp-image-1648&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2009/10/1055088_no_spam.jpg&quot; alt=&quot;1055088_no_spam&quot; width=&quot;185&quot; height=&quot;182&quot; /&gt;Sleazy infomercial king Kevin Trudeau’s 30-day jail sentence has been stayed by the courts. He was slammed with it for orchestrating a spam email campaign designed to influence the judge in his case. He’s currently on trial in Civil Court fighting a complaint by the FTC that the advertising for his “natural cures” book is misleading. He was first sued by them in 1998 and banned from making false claims in the future, ordered to pay $500,000 in consumer redress and pay another $500,000 for a performance bond to ensure compliance. In 2004 he was sued again for ignoring the order and making false claims about a product called Coral Calcium. He was ordered to pay $2 million in fines and damages and banned from doing infomercials except for informational publications like books, provided he make no misrepresentations. He again ignored the order which is why he is in court again. Trudeau has long been hawking his natural cures as the answer to everything from obesity to drug addiction.&lt;/p&gt;
&lt;p&gt;In an effort to avoid further prosecution Trudeau urged his supporters to email the judge to tell him what his cures did for them and to urge him to find in his favor. The judge said his inbox was overwhelmed with spam and demands that the complaint against Trudeau be dropped and found him in contempt of court. Trudeau was scheduled to report to jail today. The court gave no reason for the change of heart but said the stay was contingent on no more spam campaigns being aimed at the judge or the court.&lt;/p&gt;
</description>
	<pubDate>Fri, 12 Mar 2010 13:28:34 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Phishing craigslist - but is it malware?</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=9048</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=9048</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-full wp-image-9081&quot; title=&quot;matches&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/cooks-matches_reduced.jpg&quot; alt=&quot;&quot; width=&quot;300&quot; height=&quot;225&quot; /&gt;Malware has traditionally been easy to spot and classify, mainly because it was created to serve a specific nefarious purpose and nothing else.  In the ongoing arms race between malware authors and the security industry, stealth and other &amp;#8216;&lt;a title=&quot;Hiding in plain sight&quot; href=&quot;http://www.sophos.com/blogs/sophoslabs/v/post/8743&quot; target=&quot;_blank&quot;&gt;in plain sight&lt;/a&gt;&amp;#8216; technologies are emerging as clear favorites.&lt;/p&gt;
&lt;p&gt;Case in point is a recent Craigslist phish, disguised as a phone update - nothing new about malware pretending to be something it isn&amp;#8217;t, but that&amp;#8217;s not where the story ends.  Examining the executable shows that it is nothing more than a RAR self-extracting (SFX) archive - and thus not inherently malicious.&lt;/p&gt;
&lt;p&gt;&lt;img class=&quot;aligncenter size-full wp-image-9074&quot; title=&quot;Craigslist rarSFX&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/rarsfx.png&quot; alt=&quot;&quot; width=&quot;492&quot; height=&quot;225&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Contained within the archive are two seemingly innocent files; a HOSTS file and an internet shortcut (.url file).  The internet shortcut points to craigslist and draws little or no suspicion when the object is scanned in isolation.  The HOSTS file likewise contains mappings for various craigslist sub-domains, but without prior knowledge of the state of the HOSTS file, or dynamic resolution of the domains it is difficult to determine whether the mappings are legitimate (especially so when considered in isolation.)&lt;/p&gt;
&lt;p&gt;When deployed as a complete package however, the HOSTS file remaps craigslist to some other IP so that when the internet shortcut is launched it goes to somewhere other than the stated destination&amp;#8230;in this case, a &lt;a title=&quot;Beware of Craigslist phishing email scams&quot; href=&quot;http://www.sophos.com/blogs/gc/g/2009/01/20/beware-craigslist-phishing-email-scams/&quot; target=&quot;_blank&quot;&gt;craigslist phish requesting login information&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;So is it malware? Are any of the components malware? Clearly when these benign components are found acting in unison, malicious behavior is observed [&lt;a title=&quot;Scriptable SFX and Multi-Component malware&quot; href=&quot;http://www.sophos.com/blogs/sophoslabs/v/post/1571&quot; target=&quot;_blank&quot;&gt;1&lt;/a&gt;], but what about detection?&lt;/p&gt;
&lt;p&gt;Traditional signature-based malware detection is obviously incapable of dealing with such multi-component threats, requiring instead a wider context-based observe-correlate-classify approach which draws from a variety of information sources such as reputation, nearest neighbour and behavior.&lt;/p&gt;
&lt;p&gt;Because matches don&amp;#8217;t start fires, people do!&lt;/p&gt;</description>
	<pubDate>Fri, 12 Mar 2010 05:02:52 +0000</pubDate>
</item>
<item>
	<title>Spam Wars Dispatches: Another Money Mule Recruitment Letter</title>
	<guid>http://spamwars.com/archives/2010/03/another_money_m_1.html</guid>
	<link>http://spamwars.com/archives/2010/03/another_money_m_1.html</link>
	<description>&lt;p&gt;Jobs, jobs, jobs! If you want to earn some fast cash by ripping off small businesses so that: &lt;/p&gt;

&lt;p&gt;a) your criminal bosses in Eastern Europe collect big time; and &lt;br /&gt;
b) you may get caught owing a bank many thousands of dollars (somewhere just under $10,000) you already wired to Eastern Europe&lt;/p&gt;

&lt;p&gt;then reply to the following spam message:&lt;/p&gt;

&lt;blockquote&gt;
Subject: Job position  REF47732&lt;br /&gt;
From: Shelly Dubois&lt;br /&gt;

&lt;p&gt;Compliments&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
I am a manager of  the HR department of a large multinational company. Our company is met in many departments, such as:&lt;br /&gt;
- real estate&lt;br /&gt;
- companies setting-up and winding-up &lt;br /&gt;
- bank accounts opening and maintenance &lt;br /&gt;
- logistics&lt;br /&gt;
- private undertaking services &lt;br /&gt;
- etc. &lt;/p&gt;

&lt;p&gt;We need employees in USA:&lt;br /&gt;
-     salary 2.500 dollars + bonus&lt;br /&gt;
-     1 - 2 working hours per day&lt;br /&gt;
-     free timetable &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
If you are interested in this job, please, send us your contact information: Shelly@[removed]-target.net&lt;br /&gt;
Full name:&lt;br /&gt;
Country:&lt;br /&gt;
E-mail:&lt;br /&gt;
Mobile phone-number:&lt;br /&gt;
 &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Note! We are searching Americans only! &amp;gt; &lt;/p&gt;

&lt;p&gt;Please mention your name and write the phone number. Our manager will contact you to fix an  interview.&lt;br /&gt;
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;And here's a variation that just came in:&lt;/p&gt;

&lt;blockquote&gt;
Subject: Finance Manager vacansy for USA&lt;br /&gt;
From: Jim Woods&lt;br /&gt;

&lt;p&gt;Compliments&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
I am the personnel department manager and I am appealing to you in the name of the large-scale and first-rate partnership.              Our company takes an active part in the life of its subsidiaries, for example: &lt;br /&gt;
-property&lt;br /&gt;
- bank account operations &lt;br /&gt;
- transportation and logistics &lt;br /&gt;
- private enterprise service&lt;br /&gt;
- etc. &lt;/p&gt;

&lt;p&gt;We have vacancies to be filled by American residents only:&lt;br /&gt;
-     salary 2.500 dollars + bonus&lt;br /&gt;
-      underemployment &lt;br /&gt;
-     flexible working schedule &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
If you would like to work with us, please provide us the following information:  Jim@[removed]-target.net&lt;br /&gt;
First name:&lt;br /&gt;
Surname&lt;br /&gt;
Country of residence&lt;br /&gt;
Place of residence&lt;br /&gt;
E-mail box&lt;br /&gt;
Contact phone number&lt;br /&gt;
  &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Attention! We need American residents only.&amp;gt; &lt;/p&gt;

&lt;p&gt;Please provide us with your Personal data (Phone number and First and Last name) and our manager will contact to you to make a brief interview.&lt;/p&gt;

&lt;/blockquote&gt;

&lt;p&gt;The email address domain was registered a couple of days ago. No web site exists at that domain (at least at the default location), but the Apache server is alive (somewhere in Russia).&lt;/p&gt;

&lt;p&gt;Unfortunately, a lot of Americans are under financial stress these days. Offers like these, despite sounding too good to be true, will yield plenty of applicants &amp;mdash; lambs to slaughter.&lt;br /&gt;
&lt;/p&gt;</description>
	<pubDate>Thu, 11 Mar 2010 21:25:17 +0000</pubDate>
</item>
<item>
	<title>Michael Boyd Clark: FanBox.com Spam</title>
	<guid>http://www.planetmike.com/?p=1106</guid>
	<link>http://www.planetmike.com/2010/03/11/fanbox-com-spam/</link>
	<description>&lt;p&gt;I just got a message from someone I don&amp;#8217;t know, with a return address of fbNOREPLY@myfanbox.com. The message was:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;-fake name- says you should see this video clip.&lt;/p&gt;
&lt;p&gt;-fake name- thinks you will really like this YouTube Video. Check it out!&lt;/p&gt;
&lt;p&gt;This email was sent by -fake name- using the Application: Youtube Video Seach. You can stop receiving emails here.&lt;br /&gt;
				- , ,
&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;I&amp;#8217;ve now blocked all of these domains: myfanbox.com fanbox.com fanboxapps.com sms.ac fanboxnotes.com&lt;/p&gt;
</description>
	<pubDate>Thu, 11 Mar 2010 20:53:46 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: CyberCrime &amp; Doing Time: PKK Hackers Arrested in Turkey</title>
	<guid>http://boxofmeat.net/post/441542087</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/iUTR-PoAwqo/441542087</link>
	<description>&lt;a href=&quot;http://garwarner.blogspot.com/2010/03/pkk-hackers-arrested-in-turkey.html&quot;&gt;CyberCrime &amp;amp; Doing Time: PKK Hackers Arrested in Turkey&lt;/a&gt;: &lt;p&gt;‘…the hackers are associated with the Kurdistan Workers’ Party, or PKK, and were taken to Diyarbakır for further questioning. This article calls the hacker team the “Cold Attack Team”, and says that it took orders from leaders in Kandil in Iraq and in Europe regarding what websites to hack and what messages to place there. It also mentions that the hackers distributed a PowerPoint attachment via email which would trojan the readers computer.’&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Thu, 11 Mar 2010 18:07:52 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: What do my stats say on Waledac’s takedown?</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/11/what-do-my-stats-say-on-waledac-s-takedown.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/11/what-do-my-stats-say-on-waledac-s-takedown.aspx</link>
	<description>&lt;p&gt;In my &lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2010/03/10/no-love-for-microsoft-s-waledac-takedown.aspx&quot;&gt;previous&lt;/a&gt; post, I wrote that other security researchers didn’t find much impact after Microsoft obtained a court order to take down 270+ domains associated with the waledac botnet.&amp;nbsp; What do my own statistics say?&lt;/p&gt;
  
&lt;p&gt;Waledac is one of the smaller botnets that send us spam traffic; but since we are enterprise mail while Hotmail is consumer, the attack vectors may be quite different.&amp;nbsp; Anyhow, here’s how many distinct IPs we were seeing in the month of February before and afterwards:&lt;/p&gt;
  
&lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/WhatdomystatssayonWaledacstakedown_A0D6/image_4.png&quot;&gt;&lt;img src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/WhatdomystatssayonWaledacstakedown_A0D6/image_thumb_1.png&quot; title=&quot;image&quot; alt=&quot;image&quot; width=&quot;576&quot; border=&quot;0&quot; height=&quot;333&quot; /&gt;&lt;/a&gt; &lt;/p&gt;
  
  
&lt;p&gt;Going by this, we didn’t really see much difference either.&amp;nbsp; Waledac kind of bounced around before and afterwards with no real drop off in uniqueness.&amp;nbsp; I then decided to compare the rest of the botnets I track and none of the other ones showed any distinguishing feature either.&lt;/p&gt;
  
&lt;p&gt;Except for one.&lt;/p&gt;
  
&lt;p&gt;While this may be an anomaly or a reporting error in my script, the rustock botnet &lt;i&gt;was &lt;/i&gt;affected for a short period of time following waledac’s disruption.&amp;nbsp; A day after the takedown, the amount of mail it sends us went to almost zero:&lt;/p&gt;
  
&lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/WhatdomystatssayonWaledacstakedown_A0D6/image_6.png&quot;&gt;&lt;img src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/WhatdomystatssayonWaledacstakedown_A0D6/image_thumb_2.png&quot; title=&quot;image&quot; alt=&quot;image&quot; width=&quot;587&quot; border=&quot;0&quot; height=&quot;334&quot; /&gt;&lt;/a&gt; &lt;/p&gt;
  
&lt;p&gt;You can see that it kind of oscillates around but it never gets lower than a thousand.&amp;nbsp; Yet on Feb 23 (don’t let the date on the chart fool you, Excel is being weird for some reason), the amount of post-RBL spam that we get from rustock nearly disappeared.&amp;nbsp; That has never happened before, rustock may fluctuate within a range but it never disappears.&amp;nbsp; Admittedly, this could simply be a reporting error in my script.&amp;nbsp; We have had other problems that seem to have arisen around Feb 22 for some strange reason.&amp;nbsp; The problem is that none of the other botnets that I track show this odd behavior of nearly vanishing after waledac was taken offline.&amp;nbsp; So, there are some possibilities here:&lt;/p&gt;
  
&lt;ol&gt;   
&lt;li&gt;&lt;b&gt;My data is valid.&lt;/b&gt;&amp;nbsp; If so, then that means that there is a link between rustock and waledac.&amp;nbsp; Perhaps rustock uses the waledac domains to spam, not waledac itself.&amp;nbsp; Rustock also recovered quickly so perhaps waledac also recovered quickly, or else rustock has a robust infrastructure and is self-healing.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;
    
&lt;li&gt;&lt;b&gt;My data is invalid.&amp;nbsp; &lt;/b&gt;I have a reporting error in my script, or some of our logs didn’t rotate, or perhaps the list of IPs didn’t download properly.&amp;nbsp; I grant this as a possibility but then it means that the rustock reporting is an anomaly, or I need to revisit my other data.&lt;/li&gt;
 &lt;/ol&gt;
  
&lt;p&gt;Indeed, if it is point 1 then we have established a relationship between the two botnets. &lt;br /&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;b&gt;Update: &lt;/b&gt;Upon further investigation, I discovered that my script had a reporting problem on Feb 23.&amp;nbsp; It turns out that another set of numbers that I track demonstrates that every other botnet had similar disruptions in their total patterns, not just rustock.&amp;nbsp; As it turns out, it was too good to be true.&lt;/p&gt;&lt;p&gt;That means that my data is invalid, and all I have been able to confirm is that the waledac botnet takedown a couple of weeks ago doesn't appear to have made much of an impact. &lt;br /&gt;&lt;/p&gt;</description>
	<pubDate>Thu, 11 Mar 2010 17:24:00 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Globe and Mail: Ontario adds Internet safety to elementary curriculum</title>
	<guid>http://boxofmeat.net/post/441459108</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/HtP5ojZTeaA/441459108</link>
	<description>&lt;a href=&quot;http://www.theglobeandmail.com/news/national/ontario/ontario-adds-internet-safety-to-elementary-curriculum/article1496713/&quot;&gt;Globe and Mail: Ontario adds Internet safety to elementary curriculum&lt;/a&gt;: &lt;p&gt;‘Next fall, there will be specific sections in the curriculum for grades 4 and 7 about Internet safety and the potential risks of online activities.  …there will also be “age appropriate” discussions about online dangers in Grades 1 through 8.’&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Thu, 11 Mar 2010 17:06:51 +0000</pubDate>
</item>
<item>
	<title>John Graham-Cumming: My bio</title>
	<guid>tag:blogger.com,1999:blog-19303585.post-2897426477460604160</guid>
	<link>http://www.jgc.org/blog/2010/03/my-bio.html</link>
	<description>Occasionally I get asked for some sort of official bio.  Here's one people can use: John Graham-Cumming is a computer programmer and author.  He studied mathematics and computation at Oxford and stayed for a doctorate in computer security.  As a programmer he has worked in Silicon Valley and New York, and the UK and France.  His open source POPFile program won a Jolt Productivity Award in 2004. He is</description>
	<pubDate>Thu, 11 Mar 2010 15:58:43 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: New “Chuck Norris” Botnet On The Loose</title>
	<guid>http://www.allspammedup.com/?p=2216</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/h8URw912JKM/</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-medium wp-image-2221&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/02/chuck-norris-002-thumb-400x498-321x400.jpg&quot; alt=&quot;chuck-norris-002-thumb-400x498&quot; width=&quot;146&quot; height=&quot;182&quot; /&gt;Look out Waledac, Zeus and Conficker! Chuck Norris is in town. A new botnet named after the iconic action star is targeting and infecting routers, or as one writer joked “The Chuck Norris botnet doesn’t infect routers, it stares them down until they infect themselves.” The botnet, first discovered by Czech researchers, looks for badly configured routers and infects them by guessing the default password. It uses the remote access feature to take control.&lt;/p&gt;
&lt;p&gt;It takes over MIPS-based devices running Linux by launching a password-guessing dictionary attack, changes the DNS settings of the router, and then redirects the user to a poisoned webpage that downloads even more malware. It also scans the network for other devices to infect.  Experts say the botnet has infected machines from South America to Asia. There’s no information on exactly how many machines have been compromised or who is behind it, but like other botnets, its goal is to steal personal information like passwords and bank account numbers. Some researchers say it may also conduct DDoS attacks.&lt;/p&gt;
&lt;p&gt;For a botnet named after Chuck Norris (it got the name from a line in its code: &amp;#8220;in nome di Chuck Norris” which means “In the name of Chuck Norris”) the malware it delivers has a surprising weakness. Since it is installed in the router’s RAM, a simple restart will remove it. To protect against it, make sure all routers and modems on your network are not using the default password and that each device has a unique and hard to guess one.&lt;/p&gt;
</description>
	<pubDate>Thu, 11 Mar 2010 13:41:00 +0000</pubDate>
</item>
<item>
	<title>Amir Lev: Ask Amir #4: What's a Web reputation service?</title>
	<guid>http://blogs.computerworld.com/15734 at http://blogs.computerworld.com</guid>
	<link>http://blogs.computerworld.com/15734/ask_amir_4_whats_a_web_reputation_service?source=rss_cwbloggers</link>
	<description>&lt;p&gt;This week in &lt;a href=&quot;http://blogs.computerworld.com/lev&quot;&gt;&lt;i&gt;&lt;b&gt;Security  Levity&lt;/b&gt;&lt;/i&gt;&lt;/a&gt;, I want to talk about 'web reputation' and how it's  used to protect users from malicious Web sites, or sites with malicious  content for some other reason.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://blogs.computerworld.com/15734/ask_amir_4_whats_a_web_reputation_service&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
	<pubDate>Thu, 11 Mar 2010 11:39:21 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: Links Roundup</title>
	<guid>http://enemieslist.com/news/archives/2010/03/links_roundup_467.html</guid>
	<link>http://enemieslist.com/news/archives/2010/03/links_roundup_467.html</link>
	<description>&lt;ul&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.huffingtonpost.com/joe-waz/fighting-bots-is-everybod_b_492260.html&quot;&gt;Fighting Bots Is Everybody's Business&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://blog.twitter.com/2010/03/trust-and-safety.html&quot;&gt;Trust And Safety&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://anonwhois.org/&quot;&gt;Anonymous Whois List&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.spamresource.com/2010/03/twitter-has-spammers-too.html&quot;&gt;Twitter Has Spammers, Too&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://news.zdnet.co.uk/security/0,1000000189,40070581,00.htm&quot;&gt;Spamhaus: Microsoft's botnet cull had little effect&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.v3.co.uk/v3/news/2258969/rsa-2010-researchers-dissect&quot;&gt;RSA 2010: Researchers dissect ZeuS botnet blueprint&lt;/a&gt;&lt;br /&gt;Build your own botnet for $2500&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.baselinemag.com/c/a/Intelligence/Spam-Rules-the-World-177373/&quot;&gt;Intelligence Slideshow: Spam Rules the World&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://blog.wordtothewise.com/2010/03/a-very-young-industry/&quot;&gt;A very young industry&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://garwarner.blogspot.com/2010/03/spamming-botnets-strategies-welcome.html&quot;&gt;Spamming Botnets - Strategies welcome&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.spamresource.com/2010/03/is-online-anonymity-bad-thing.html&quot;&gt;Is Online Anonymity a Bad Thing?&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://news.yahoo.com/s/nm/20100222/wr_nm/us_china_internet&quot;&gt;U.S. pinpoints code writer behind Google attack: report&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.phishbucket.org/main/content/view/3596/103/&quot;&gt;CONSUMER ADVOCATE SUED BY SUBJECT OF BAD REVIEW: CASE IMPACTS ALL BLOGGERS&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/384213461/buzzflaw&quot;&gt;SILICON ALLEY INSIDER: WARNING: GOOGLE BUZZ HAS A HUGE PRIVACY FLAW&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
	<pubDate>Wed, 10 Mar 2010 22:08:55 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: No love for Microsoft’s Waledac takedown</title>
	<guid>http://blogs.msdn.com/tzink/archive/2010/03/10/no-love-for-microsoft-s-waledac-takedown.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2010/03/10/no-love-for-microsoft-s-waledac-takedown.aspx</link>
	<description>&lt;p&gt;A couple of weeks ago, I &lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2010/02/25/microsoft-wins-a-court-order-to-shut-down-the-waledac-botnet.aspx&quot;&gt;wrote&lt;/a&gt; on the &lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2010/02/26/a-little-more-on-microsoft-s-waledac-shutdown.aspx&quot;&gt;story&lt;/a&gt; that Microsoft had obtained a court order to take down numerous domains associated with the Waledac botnet.&amp;#160; It’s now been a period of time since then, did the takedown actually affect spam levels out of waledac?&lt;/p&gt;  &lt;p&gt;According to Spamhaus in a statement &lt;a href=&quot;http://news.zdnet.co.uk/security/0,1000000189,40070581,00.htm?s_cid=259&quot;&gt;granted&lt;/a&gt; to ZDNet, it had little effect, if any:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;The throttling of Waledac, which Microsoft claimed to have &lt;a href=&quot;http://news.zdnet.co.uk/security/0,1000000189,40054986,00.htm&quot;&gt;achieved by means of legal action&lt;/a&gt; last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.&lt;/p&gt;    &lt;p&gt;&amp;quot;The amount of spam coming from Waledac [before the takedown] was less than one percent [of all spam], and that hasn't changed much,&amp;quot; said Spamhaus chief information officer Richard Cox. &amp;quot;There's been a slight change, nothing major, and we would expect it to be a lot different.&amp;quot;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;According to Cox, and Sophos Labs, Microsoft’s targeting of Waledac is odd because it is such a small botnet and accounts for so little traffic:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&amp;quot;I've been chatting to colleagues, and we don't understand why Microsoft took these measures [against Waledac],&amp;quot; said Cox. 
&amp;quot;There are other botnets, for example Zeus, that do immense harm fraud-wise.&amp;quot;&lt;/p&gt;    &lt;p&gt;Computer security company Sophos agreed that it had seen no appreciable difference in the amount of spam coming from Waledac after Microsoft's action.&lt;/p&gt;    &lt;p&gt;&amp;quot;We can't see a direct correlation between [Microsoft's] takedown efforts and a reduction in spam from Waledac,&amp;quot; said Fraser Howard, a principal researcher at Sophos Labs.&lt;/p&gt;    &lt;p&gt;In addition, there has been no noticeable reduction in spam volumes overall, according to Howard.&lt;/p&gt;    &lt;p&gt;&amp;quot;If the botnet contributed significantly to spam, we would have expected to see a sharp step down in spam volumes,&amp;quot; said Howard. &amp;quot;There is no distinct difference between before and after the takedown.&amp;quot;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Not everyone agrees that the Waledac takedown was fruitless, though.&amp;#160; &lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Security company F-Secure said on Wednesday [March 3] it had seen a drop in spam coming from Waledac zombies, and a decrease in the number of binary samples from Waledac-related messages.&lt;/p&gt;    &lt;p&gt;&amp;quot;Microsoft might have decapitated [Waledac], it should be interesting to watch,&amp;quot; said F-Secure researcher Sean Sullivan.&lt;/p&gt;    &lt;p&gt;Sullivan said the ability of the botnet to spread malware may have been severely inhibited by Microsoft's action. From 8 February to 21 February, F-Secure detected 58,913 instances of Waledac malware attempting to circumvent F-Secure security software. After the takedown, from the 22 February until 3 March, F-Secure detected 1,113 instances.     
&lt;br /&gt;      &lt;br /&gt;Despite this respite in Waledac attacks, Sullivan said F-Secure would not be surprised to see the botnet come back.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;So, according to this article, and some other sources I have talked to, here is the reaction to Microsoft’s takedown:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Waledac was a small player to begin with&lt;/li&gt;    &lt;li&gt;The takedown didn’t do much at all&lt;/li&gt;    &lt;li&gt;Although in some places, it did have a noticeable effect&lt;/li&gt;    &lt;li&gt;Waledac will be back eventually&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;The reason for Waledac’s resiliency is that while several domains were taken offline, Waledac also relies on peer-to-peer traffic.&amp;#160; In that regard, it doesn’t matter if a domain is taken down because the nodes are not communicating with it anyway.&amp;#160; Thus, if that is the case, then it suggests that Waledac doesn’t rely on domains for spam distribution and instead uses them for something else, such as pointing to payload in spam.&lt;/p&gt;</description>
	<pubDate>Wed, 10 Mar 2010 18:58:33 +0000</pubDate>
</item>
<item>
	<title>Ed Falk: And another botnet goes down</title>
	<guid>tag:blogger.com,1999:blog-21127528.post-8341680893195428530</guid>
	<link>http://thespamdiaries.blogspot.com/2010/03/and-another-botnet-goes-down.html</link>
	<description>Via &lt;a href=&quot;http://tech.slashdot.org/story/10/03/10/2255252/Zeus-Botnet-Dealt-a-Blow-As-ISPs-Troyak-Group-3-Knocked-Out?art_pos=2&quot;&gt;Slashdot&lt;/a&gt;: &lt;cite&gt;IT World&lt;/cite&gt; &lt;a href=&quot;http://www.itworld.com/government/100020/zeus-botnet-dealt-blow-isp-troyak-knocked-out&quot;&gt;reports&lt;/a&gt; that the Zeus botnet was partially knocked offline when its supporting ISPs, Troyak and Group 3, were disconnected by their upstream servers.  IT World is reporting that the Zeus botnet lost a third of its command-and-control servers overnight.&lt;br /&gt;&lt;br /&gt;According to IT World, the Zeus botnet was responsible for a wave of financial fraud that caused hundreds of millions in losses over the past year.&lt;br /&gt;&lt;br /&gt;The first and most effective such takedown occurred just over a year ago when McColo was &lt;a href=&quot;http://thespamdiaries.blogspot.com/search?q=you+can+fight+spam&quot;&gt;taken down&lt;/a&gt; by its upstream providers.  The Rustock and other botnets were knocked offline, resulting in a 60-70% drop in spam overnight.</description>
	<pubDate>Wed, 10 Mar 2010 18:20:35 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Wired: 10 Years After: A Look Back at the Dotcom Boom and Bust</title>
	<guid>http://boxofmeat.net/post/439165566</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/ju4t0h16hPM/439165566</link>
	<description>&lt;a href=&quot;http://www.wired.com/magazine/2010/02/10yearsafter/all/1&quot;&gt;Wired: 10 Years After: A Look Back at the Dotcom Boom and Bust&lt;/a&gt;: &lt;p&gt;a bit off-topic for Box of Meat…or is it?&lt;/p&gt;&lt;div class=&quot;feedflare&quot;&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 10 Mar 2010 15:58:19 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Could Better URI Filtering Cure Email Spam?</title>
	<guid>http://www.allspammedup.com/?p=2265</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/DekYqRMq3Bs/</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-full wp-image-2266&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/03/cure.jpg&quot; alt=&quot;cure&quot; width=&quot;250&quot; height=&quot;187&quot; /&gt;A highly desirable goal of businesses and web users is the complete eradication of spam from the internet.  That is perhaps a bit too much to hope for, but certainly the goal of reducing spam is something we can all keep working towards.&lt;/p&gt;
&lt;p&gt;One of the more effective methods of reducing spam in recent years is through &lt;a href=&quot;http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/&quot;&gt;IP filtering&lt;/a&gt;.  This technique involves checking the IP address of the computer or server that is trying to send you email against a list of known or highly suspect spam sources.  The lists are provided by various third party organizations such as Spamhaus and are typically integrated into the products sold by security vendors.&lt;/p&gt;
&lt;p&gt;The best part of this technique is that the check occurs at the earliest stage of the initial communication between the two servers.  If the IP address is considered to be a spam source then the connection is terminated before time and server resources are wasted by accepting any further part of the email content.&lt;/p&gt;
&lt;p&gt;This meant greater efficiency in spam protection systems compared to earlier techniques that involved checking the entire message content for certain keywords or strings that matched a database of known spam.  This technique is still used today, but it is only performed on email that first passes the IP filtering checks.&lt;/p&gt;
&lt;p&gt;Some estimates put the amount of spam that is typically stopped by IP filtering at around 80-90%.  That is up to 90% of spam (not of total email traffic) that can be prevented by IP filtering, usually with very few false positives.&lt;/p&gt;
&lt;p&gt;The remaining 10-20% poses a bigger challenge.  These emails need to be checked more thoroughly for other characteristics such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Sender address/domain&lt;/li&gt;
&lt;li&gt;Email body content such as text or URI (Uniform Resource Identifier, often called a URL by web users)&lt;/li&gt;
&lt;li&gt;Images and file attachments&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is because spam emails can come from trustworthy sources such as webmail providers and ISPs in which specific accounts have been compromised by a phishing attack.  As a result they cannot be blocked reliably on the basis of sender address/domain.&lt;span id=&quot;more-2265&quot;&gt;&lt;/span&gt; These checks are also computationally more expensive and more prone to false negatives when new spam techniques emerge.  One of these new techniques is the use of &lt;a href=&quot;http://www.allspammedup.com/2009/07/prevent-phishing-by-blocking-url-shortening-services/&quot;&gt;URL shortening services&lt;/a&gt; to cloak malicious website addresses.&lt;/p&gt;
&lt;p&gt;URL shortening sites typically do not police the links that people create using their services, which elevates the risk of them being used for malicious purposes.  However, the services do often provide an API that can be accessed by other applications, which has led to the emergence of sites and web browser add-ons that can be used to manually check a shortened URL before it is clicked on.&lt;/p&gt;
&lt;p&gt;This process is manual and tedious though, and relies on the weakest point in spam prevention – the end user.  Only the most security conscious end user will do this check even some of the time.&lt;/p&gt;
&lt;p&gt;But the combination of URI filtering and URL shortening APIs offers the chance for the problem to be attacked from two angles.  Email security products could possibly detect shortened URLs and perform a check against the provider’s API to determine the actual destination address.  That destination address can then be checked against URI filtering lists for known malicious sites.&lt;/p&gt;
&lt;p&gt;Though this check may be effective it is not particularly efficient.  Email servers will need to send API requests and wait for responses before determining if an email is malicious or not.  And it does not solve the issue of these services being used by spammers in the first place.&lt;/p&gt;
&lt;p&gt;As an alternative, the URL shortening services could make use of URI filtering lists when providing shortened URLs to their anonymous users, and deny the creation of short URLs that lead to malicious sites.  This might eliminate the problem at the source.&lt;/p&gt;
&lt;p&gt;As a positive flow on effect of this type of change the use of shortened URLs by spammers on social networks and other non-email communications would also be reduced, reducing the risk of several different threats at once.&lt;/p&gt;
&lt;p&gt;These checks are obviously not being performed by shortening services yet.  I tested several spam URLs from a URI filtering list on a few of the popular services and none of them prevented me from creating a shortened URL.  I wonder if soon we will see them forced into action as spammers exploit their systems to the point where they are completely untrusted and actively blocked by security systems.&lt;/p&gt;
</description>
	<pubDate>Wed, 10 Mar 2010 15:30:28 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Internet Explorer 0-day targeted in spam runs</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=9030</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=9030</link>
	<description>&lt;p&gt;Hot on the heels of the Patch Tuesday announcements yesterday (see &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=9023&quot;&gt;blog&lt;/a&gt; or links to &lt;a href=&quot;http://www.sophos.com/support/knowledgebase/article/43444.html&quot;&gt;vulnerability assessment pages&lt;/a&gt;), came the &lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/981374.mspx&quot;&gt;announcement&lt;/a&gt; of a new zero-day in Internet Explorer (&lt;a href=&quot;http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806&quot;&gt;CVE-2010-0806&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;the tried and tested &amp;#8220;&lt;em&gt;delivery failed, please confirm address details&lt;/em&gt;&amp;#8221; messages&lt;/li&gt;
&lt;li&gt;request for details confirmation for insurance quote&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Example messages are shown below.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/0806-spam1.jpg&quot; alt=&quot;&quot; title=&quot;Spam message luring victim to exploit site&quot; width=&quot;513&quot; height=&quot;491&quot; class=&quot;alignnone size-full wp-image-9031&quot; /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/03/0806-spam2.jpg&quot; alt=&quot;&quot; title=&quot;Spam message luring victim to exploit site&quot; width=&quot;553&quot; height=&quot;709&quot; class=&quot;alignnone size-full wp-image-9034&quot; /&gt;&lt;/p&gt;
&lt;p&gt;In either case, clicking on the link takes the victim to a web page which kickstarts the infection process.&lt;/p&gt;
&lt;p&gt;Generic detection for the exploit scripts seen thus far has been added as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojexpjsr.html&quot;&gt;Troj/ExpJS-R&lt;/a&gt;. A script used to query the browser/OS version before loading the exploit script (or redirecting to a games site) has been added as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsrediraw.html&quot;&gt;Troj/JSRedir-AW&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The malicious payloads installed in such attacks are liable to change of course, but the ones seen thus far have been either proactively detected as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/maldroppery.html&quot;&gt;Mal/Dropper-Y&lt;/a&gt;, or added as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrcys.html&quot;&gt;Troj/Dloadr-CYS&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;SophosLabs will continue monitoring for new attacks looking to exploit this vulnerability. In the interim, aside from keeping your protection up to date, take note of the following from the Microsoft announcement:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;If you are an IE user and have not yet upgraded to version 8, take a hint! It is strongly recommended that you do so. Aside from not being affected by this particular issue, there is a whole bundle of other security-related features you are missing out on otherwise.&lt;/p&gt;
&lt;p&gt;The SophosLabs &lt;a href=&quot;http://www.sophos.com/support/knowledgebase/article/110399.html&quot;&gt;vulnerability assessment page&lt;/a&gt; for the IE 0-day vulnerability will be updated accordingly.&lt;/p&gt;</description>
	<pubDate>Wed, 10 Mar 2010 15:27:27 +0000</pubDate>
</item>

</channel>
</rss>
