Archive for Botnet

Finally, Chalk One Up For The Good Guys!!!!

Posted in All Posts, Computers, Security, Tech News on December 28, 2009 by The Edible Earth

These days we seem to read every day about how we are losing the battle against spam, malware, and fraud on the internet: the FBI investigation into allegations that Citicorp's systems were hacked to the tune of tens of millions of dollars (something Citicorp denies), or the hijacking of personal pages on social networking sites like Facebook that ends in identity theft. So it is nice to finally read about a success story. Here is one of them.

In November 2009, FireEye Inc. shut down one of the most notorious botnets on the internet to date, Mega-D (also known as Ozdok). In its heyday Mega-D was responsible for up to 15% of the spam that infests our inboxes, which works out to millions upon millions of spam messages sent every day by this one botnet. Here is a blow-by-blow account of how FireEye pulled off the takedown.

For two years, FireEye researcher Atif Mushtaq had been studying new ways to keep malware from infecting networks. Along the way he learned, in detail, how the botnet's controllers actually functioned: the "Command & Control" (C&C) servers that every infected machine reports to in order to receive its instructions. That was the turning point. In November, the purely defensive posture that had been taken toward these huge botnets changed to an offensive one.

The first target was the C&C servers themselves. The U.S. Internet Service Providers (ISPs) that were unknowingly hosting the servers the "zombie" computers connected to for new commands cooperated, cutting those servers off and effectively pointing the zombies' connections at nowhere. When the zombies tried to contact their master, nobody answered. Two overseas ISPs, one in Israel and one in Turkey, did not cooperate in the siege.

Next, FireEye contacted the domain registrars behind the C&C domain names. That gave FireEye what it needed to identify every alternative address written into the bot's code: backup domains that the zombies would try if the primary C&C servers could not be reached, which, thanks to the ISPs' cooperation, was now exactly their situation. With the backup domain names and IP addresses in hand, FireEye set up what is known as a "sinkhole": a server under the defenders' control that the zombies' check-ins land on instead of the real C&C. The sinkhole accepts each connection, logs who called and what it asked for, and never issues a command, so the bots sit idle while the defenders watch. By reviewing the logs of these attempted check-ins, FireEye determined that the botnet was an army of over 250,000 infected computers, each capable of sending up to 15,000 spam messages per hour. Mega-D certainly was most capable.
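The sinkhole step above, as an added example that is not FireEye's code: a short Python script that digests the check-in records a sinkhole writes and pulls out the facts the post describes, how many distinct zombies there are, how many of them are hitting each C&C name, and which ones walked the backup list after the primary failed. The log format is an assumption and every host name and address in it is constructed for illustration.

```python
"""Digest bot check-ins captured by a sinkhole.

Added example, not FireEye's code. The log format below is assumed, and
every host name and address in it is constructed for illustration.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sinkhole log, one check-in per line. Assumed format:
#   <timestamp> <bot source IP> <C&C host name the bot asked for> <path>
# A bot tries its primary C&C name first and walks the backup list when
# that fails; here primary and backups all resolve to the sinkhole.
SINKHOLE_LOG = """\
2009-11-06T10:00:01Z 203.0.113.7    cnc-primary.example.invalid /check
2009-11-06T10:00:03Z 198.51.100.22  cnc-primary.example.invalid /check
2009-11-06T10:00:05Z 203.0.113.7    cnc-backup1.example.invalid /check
2009-11-06T10:01:10Z 192.0.2.44     cnc-backup1.example.invalid /check
2009-11-06T10:02:00Z 198.51.100.22  cnc-backup2.example.invalid /check
2009-11-06T10:02:30Z 192.0.2.45     cnc-backup2.example.invalid /check
2009-11-06T10:03:00Z not-an-ip      cnc-backup2.example.invalid /check
2009-11-06T10:03:30Z 192.0.2.44     cnc-primary.example.invalid /check
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def parse_checkins(text):
    """Yield (timestamp, ip, host) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # garbage in the source field, not a countable bot
        yield m["ts"], str(ip), m["host"]


def summarise(text):
    """Return (unique bot IPs, {cnc_host: bot count}, {bot_ip: hosts it asked for})."""
    bots = set()
    per_host = defaultdict(set)
    hosts_per_bot = defaultdict(set)
    for _, ip, host in parse_checkins(text):
        bots.add(ip)
        per_host[host].add(ip)
        hosts_per_bot[ip].add(host)
    return bots, {h: len(s) for h, s in per_host.items()}, dict(hosts_per_bot)


def bots_that_fell_back(text):
    """IPs seen asking for more than one C&C name, i.e. bots that walked the backup list."""
    _, _, hosts_per_bot = summarise(text)
    return sorted(ip for ip, hosts in hosts_per_bot.items() if len(hosts) > 1)


def first_seen(text):
    """Earliest check-in per bot: how quickly the sinkhole discovers the herd."""
    seen = {}
    for ts, ip, _ in parse_checkins(text):
        seen.setdefault(ip, ts)
    return seen


if __name__ == "__main__":
    bots, per_host, _ = summarise(SINKHOLE_LOG)
    print("unique zombies:", len(bots))
    for host, n in sorted(per_host.items()):
        print("  %-28s %d bots" % (host, n))
    print("bots that fell back to a backup name:", bots_that_fell_back(SINKHOLE_LOG))
```

Counting unique source addresses is how a sinkhole operator arrives at a figure like "over 250,000"; the fallback view is the one that tells you whether the primary takedown actually bit, because a bot that reaches the sinkhole through a backup name has already failed to reach its real master.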

But not anymore. The day after Mega-D was brought down, its "market share" of all spam sent fell from a staggering 15% to less than 0.5%, and that residual is probably down to the ISPs that would not cooperate. Mega-D's operators may try to reassert control by registering new domains for their C&C servers, but with eyes now on them, it is more likely that the criminals responsible will simply move on and try to build a new botnet.

Even so, we now know how to bring these botnets down. Mega-D, however, was only the tip of the iceberg: although a substantial threat, it was neither the most aggressive nor the largest. Finding the resources to knock the rest of them off the internet is the real challenge.

The “Good Guys” won this battle, but the war rages on...

What are your thoughts??

What Now…..This is getting old fast!!!

Posted in All Posts, Computers, News, Security, Tech News on November 14, 2009 by The Edible Earth

Are you a Verizon Wireless customer? If you are, pay special attention. There is a new scam in the wild right now that targets Verizon Wireless customers directly, and it is estimated that about 16% of all Verizon Wireless customers have already come into contact with it. This is how it works.

You receive an email that appears to be from Verizon Wireless. It states that you have exceeded the minutes limit on your account and asks you to check your balance by downloading a "balance checker" tool. Keep in mind that the message looks exactly like a legitimate Verizon message, but it is not from Verizon Wireless. If you download and run the tool, what you are actually doing is installing a Trojan horse, and that Trojan opens your computer to a whole range of other malware from the Zbot botnet. Zbot (also known as Zeus) is notorious for lifting banking and credit card credentials from users' accounts, so this is a serious threat.

The first emails went out around 11:30 AM Pacific Time on Friday, 11/13/09 (Friday the 13th is a popular date for launching new internet scams). Since then an estimated 200,000 messages have been sent per hour, so this scam is already well established.

So how do you know whether a Verizon Wireless message is legitimate, and what should you do if you receive one? First off, and I have stated this many times before in past posts, do not EVER open a message claiming there is a problem with your account unless you asked for that information before the message arrived. Even then, I would be real cautious. The best way to avoid these scams is to never open an email from anyone, even a company you have an account with, that says there is a problem with your account. Instead, go to the company's website, in this case Verizon Wireless', and log into your account yourself; from there you can see whether anything needs your attention. As always, make sure that you log in over SSL, meaning the URL starts with "https://" and not "http://". Bear in mind, though, that HTTPS only tells you the connection is encrypted, not that the site is genuine; a fake site can use HTTPS too, so the address bar must also show the company's own domain name. I cannot say this strongly enough: never, ever open a link in an email that says there is a problem with your account. These are almost always scams, as companies do not alert you to problems in this manner. Always log into your account manually and check it from there.

Should you fall for it, this Verizon Wireless scam will leave your computer thoroughly compromised, and believe me, it is easy to fall for. These scammers know what they are doing: they create fake sites and messages that look exactly like the ones you would receive from Verizon Wireless, logo and all. Knowing the basics is all you need to stay safe, though. Delete emails alerting you to account problems, log into your account from the vendor's own website, and check there whether the message was valid. Never click a link that was sent to you unsolicited. It is that simple.
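The advice above (go to the vendor's site yourself, and do not trust "https" alone) is the right habit. As an added example that is not part of the original post, and not Trend Micro's or Verizon's code, here is the check an analyst would automate when triaging such a message: extract every link from the HTML body and accept only those whose host is genuinely under the vendor's domain, treating a host that merely starts with that domain, and any link that downloads an executable, as phishing indicators. The sample message and its look-alike host name are constructed, and verizonwireless.com stands in for the domain the recipient already knows as the vendor's own.

```python
"""Check the links in an 'account problem' e-mail against the vendor's real domain.

Added example, not Trend Micro's or Verizon's code. The message is constructed;
the look-alike host name is invented, and verizonwireless.com stands in for the
domain the recipient already knows as the vendor's own.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "verizonwireless.com"
DOWNLOAD_SUFFIXES = (".exe", ".scr", ".pif", ".zip")

# Constructed phishing sample. The From: header and wording look genuine;
# the "Balance Checker" link goes to a look-alike host that merely starts
# with the real domain, and it serves an executable over HTTPS.
SAMPLE_EMAIL = """\
From: Verizon Wireless <alerts@verizonwireless.com>
To: customer@example.com
Subject: You have exceeded your minutes limit
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has exceeded its minutes limit.</p>
<p>Please check your balance with our
<a href="https://verizonwireless.com.account-check.example/balance_checker.exe">
Balance Checker</a>.</p>
<p><a href="https://www.verizonwireless.com/">Verizon Wireless</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, text = self._open
            self.links.append((href, " ".join(text.split())))
            self._open = None


def host_belongs_to(host, domain):
    """True only for the domain itself or a genuine subdomain of it.
    'verizonwireless.com.evil.example' starts with the domain but is NOT under it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_links(raw_message):
    """Parse the message and return the links in its HTML body (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def suspicious_links(raw_message, expected_domain=EXPECTED_DOMAIN):
    """Return [(href, [reasons])] for every link a reader should not click."""
    findings = []
    for href, _text in extract_links(raw_message):
        url = urlparse(href)
        reasons = []
        if not host_belongs_to(url.hostname, expected_domain):
            reasons.append("host %r is not under %s" % (url.hostname, expected_domain))
        elif url.scheme != "https":
            # https proves only that the channel is encrypted; it is checked
            # after the domain because a fake site can use https too
            reasons.append("vendor link but not https")
        if url.path.lower().endswith(DOWNLOAD_SUFFIXES):
            reasons.append("link downloads an executable")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Note that the look-alike link in the sample would pass a naive "does it start with https://" test, and that the check ignores what the e-mail's From: header claims, since that is trivially forged; only the destination host of the link, compared suffix-wise against the vendor's real domain, tells you where a click would actually go.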

For more information, check out the Trend Micro Security Blog Site.

Watch out for this scam as it is a serious one and is easy to fall for.

Let me know your thoughts……