McColo Corp downed, spam down

by certifiedbug on November 12, 2008

in Security

The stats at Spamcop and MxLogic, along with my own spam filter, make me a believer in the researchers' claim that McColo provided the connectivity responsible for half the world's spam.

No doubt the cyber crooks who lost their botnet’s ‘command and control’ servers will resume business somewhere else, but right now we can enjoy the temporary drop in spam.

Let's not forget the child pornography (child abuse) vendors. At least 40 websites, nameservers or payment services used for child pornography were recently found to be hosted by McColo, according to HostExploit's Report (PDF).

Third “Bad ISP” Dissolves — McColo Gone
Jose Nazario writes that in Arbor Networks' own database they have been tracking a few dozen botnets that phoned home to McColo IPs, as well as nearly 1000 distinct URLs from hundreds of different malcode samples.

These guys ran a dirty operation.

As with Atrivo/Intercage, McColo relied on US transit peers.


McColo Cyber Crime USA

by certifiedbug on November 12, 2008

in Security

HostExploit’s Cyber Crime Series - Version 2.0

This second CYBER CRIME USA report highlights those Internet players that currently host the world's major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography. This study from HostExploit.com is based on tracking and documenting ongoing cyber criminal activity.

HostExploit Report (PDF)

Certifiedbug, August 28, 2008. Cyber Crime USA

GarWarner, November 12, 2008. Internet Landfill: McColo Corporation

Certifiedbug, November 12, 2008. McColo Corp down for the count


McColo Corp down for the count

by certifiedbug on November 12, 2008

in Security

Brian Krebs at the Washington Post reports,

A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.

1) Major Source of Online Scams and Spams Knocked Offline

2) Host of Internet Spam Groups is Cut Off
“This story was updated from an earlier version to clarify McColo’s role in hosting of suspicious sites.”

Certifiedbug,

Spamcop stats, week.

I doubt that is a coincidence, more later.

Edit: Spamcop, 24 hours.

CIDR Report for AS26780
Global Crossing still shows a listing.
“26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.”

FireEye Malware Intelligence Lab, 2008.10.26.

If you look back in our articles, you’ll see a fairly deep connection between Malware, Botnets, and McColo. With the shutdown of Atrivo, McColo seems to be the frontrunner for Botnet/Malware hosting -

Rogue.AntiVirus2009 hosted by McColo


AVG update removed critical Windows file

by certifiedbug on November 11, 2008

in Programs

An update over the weekend for AVG Technologies' virus scanner contained a flawed virus signature that flagged 'user32.dll' as a Trojan horse.

Choosing ‘heal’ or ‘quarantine’ caused systems to either stop booting or go into a continuous reboot cycle.

AMSTERDAM, Netherlands, Nov. 11 /PRNewswire/ — AVG is actively working to remedy the problem some users are experiencing related to the most recent update to commercial and free versions of AVG 7.5 and AVG 8.0 in some languages. A number of users who installed the update mistakenly received a warning that the Windows system file user32.dll product version 5.1.2600.3099 was infected with a Trojan virus and were prompted to delete a file essential to the operation of Windows XP.

The problem only affects users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP.

AVG is taking these steps to assist users in remedying the problem:
- Immediate release of a new update to correct the problem.
- Creation of a specific informational section on the AVG website that enables users to resolve the problem.

Affected users should follow the weblinks below for further information and to download the fix tool:

(1) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll
(2) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll - fix tool

Affected users unable to use their PCs should contact their AVG reseller or ask a friend to download the information and fix tool for them.
After running the fix tool, users should run the AVG update program to download and install the correct AVG update.

AVG sincerely regrets the inconvenience users have experienced. We are working to remedy the problem and ensure that any other potential vulnerabilities are identified and eliminated before they can impact users.

AVG Press Statement Regarding Problems from Product Update


MSN Featured Offers catch all

by certifiedbug on November 10, 2008

in Security

This spam looks like the recent ones pushing pharmaceuticals.

Except this time "One-stop for all your meds here" hid a URL to globalmarketingsolutions, where I landed on what appeared to be a real estate page containing a lot of links. Clicking on one of them brought this up.

http://safeweb.norton.com/report/show?name=66.96.85.221

Searching in Google, I was warned, "this site may harm your computer".

MSN Featured Offers, Spam from Canadian Pharmacy

Infector Spam ‘Free Update Windows XP,Vista’

Fake IE7 email Spam

Spam posing as MSN Featured Offers

Hit delete when it appears in your mailbox, and again do not click the ‘unsubscribe’ link contained in the spam. Doing that would just confirm to spammers that your email address is alive and working.


MSN Featured Offers, Spam from Canadian Pharmacy

by certifiedbug on November 8, 2008

in Security

This week I have seen a resurgence of the “MSN Featured Offers” scam, this time from Canadian Pharmacy, pushing Viagra and other pharmaceuticals.

Previous Certifiedbug alerts:
Infector Spam ‘Free Update Windows XP,Vista’
Fake IE7 email Spam
Spam posing as MSN Featured Offers

Domain Name: xhtnnfx.cn
Created: 2008-10-28
Expires: 2009-10-28
Whois Server: whois.cnnic.net.cn
IP Location: Latvia - Latvia - Vdhost Ltd

Domain Name: progressconsider.com
ICANN Registrar: 35 TECHNOLOGY CO., LTD
Created: 2008-11-05
Expires: 2009-11-05
Updated: 2008-11-05
Domain servers in listed order:
srv1.reachfarm.com
srv2.reachfarm.com
ZHANGJIE
JIANSHELU263
TS,HB,CN 063002

hxxx://ler.rightachievement.com
Canadian Pharmacy

hxxx://myx.poseindependence.com
Canadian Pharmacy

hxxx://xkx.rightachievement.com/
Canadian Pharmacy

Those are just examples; the links change frequently.
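The WHOIS records above show both spam domains were registered only days before the messages arrived, which is one of the cheapest signals a mail filter can check. The following is an added example, not code from the original post: it parses plain-text WHOIS records of the kind quoted above and flags domains that are younger than a threshold or registered for exactly one year. The record text is constructed from the fields shown on the page; the observation date (2008-11-08, the post's date) and the 14-day threshold are assumptions.

```python
"""Domain-age and registration-length checks over WHOIS-style records.

Added example (not from the original post). Record text is constructed
from the fields quoted on the page; observation date and threshold are
assumptions chosen for illustration.
"""
from datetime import date

# Constructed sample: the two records quoted in the post, blank-line separated.
SAMPLE_WHOIS = """\
Domain Name: xhtnnfx.cn
Created: 2008-10-28
Expires: 2009-10-28
Whois Server: whois.cnnic.net.cn
IP Location: Latvia - Latvia - Vdhost Ltd

Domain Name: progressconsider.com
ICANN Registrar: 35 TECHNOLOGY CO., LTD
Created: 2008-11-05
Expires: 2009-11-05
Updated: 2008-11-05
Domain servers in listed order:
srv1.reachfarm.com
srv2.reachfarm.com
ZHANGJIE
JIANSHELU263
TS,HB,CN 063002
"""


def parse_whois_records(text):
    """Split text into blank-line separated records of 'Key: value' fields.

    Lines without a colon (name servers, registrant address lines) carry no
    key and are ignored. Keys are lower-cased so lookups are case-insensitive.
    """
    records = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def domain_age_days(record, observed):
    """Days between the record's 'Created' date and the observation date."""
    return (_as_date(observed) - _as_date(record["created"])).days


def registered_for_one_year(record):
    """True when 'Expires' is exactly one year after 'Created' (minimum term)."""
    if "created" not in record or "expires" not in record:
        return False
    created = _as_date(record["created"])
    try:
        one_year_later = created.replace(year=created.year + 1)
    except ValueError:  # created on Feb 29: no exact anniversary
        return False
    return _as_date(record["expires"]) == one_year_later


def flag_young_domains(text, observed, max_age_days=14):
    """Return (domain, age_in_days, one_year_term) for each record registered
    within max_age_days of the observation date. Records missing the domain
    name or creation date are skipped rather than guessed at."""
    flagged = []
    for rec in parse_whois_records(text):
        if "domain name" not in rec or "created" not in rec:
            continue
        age = domain_age_days(rec, observed)
        if age <= max_age_days:
            flagged.append((rec["domain name"], age, registered_for_one_year(rec)))
    return flagged


if __name__ == "__main__":
    for name, age, short_term in flag_young_domains(SAMPLE_WHOIS, "2008-11-08"):
        print(f"{name}: registered {age} days before the spam was seen; "
              f"one-year term: {short_term}")
```

Both domains are flagged at the default threshold: xhtnnfx.cn is 11 days old and progressconsider.com 3 days old on the post's date, and both were taken for the minimum one-year term. Domain age alone is not proof of abuse, since legitimate new domains exist, so a filter would use it as one score input rather than a block rule.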

Fake pharmaceuticals on-line, buyer beware


Scheduled November bulletin release day, Tuesday, Nov. 11, 2008.

The Microsoft Security Response Center (MSRC)

Preliminary information, subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release two security bulletins:

  • One Microsoft Security Bulletin affecting Microsoft Windows/Microsoft Office rated as Critical, and one affecting Windows rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.

The November edition of the monthly security bulletin webcast will be held on Wednesday, Nov. 12, 2008 at 11 a.m., Pacific Standard Time.

Register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374642&Culture=en-US


Critical update, version 9.0.151.0 for Flash 9 users unable to update to Flash 10.

In addition to issues previously reported in Security Bulletin APSB08-18, the update addresses several other security vulnerabilities.

http://www.adobe.com/support/security/bulletins/apsb08-20.html

Certifiedbug, October 15, 2008.
Adobe Flash Player update 10.0.12.36


Congratulations America

by certifiedbug on November 5, 2008

in This and That


The Microsoft Security Intelligence Report has been released.
Microsoft Malware Protection Center

The Microsoft Security Intelligence Report (SIR) provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Using data derived from hundreds of millions of Windows users, and some of the busiest online services on the Internet, this report also provides a detailed analysis of the threat landscape and the changing face of threats and countermeasures and includes updated data on privacy and breach notifications.

Not surprisingly, a high percentage of users chose to ignore potentially unwanted software (PUPs) they had installed themselves: 90.1% in the case of BearShare. We see a lot of P2P file sharing programs on infected computers in the forums.

The full report contains 150 pages.
SIR Volume 5 (January through June 2008) and Key Findings Summary
Key Findings Summary 18 pages.
Microsoft Security Intelligence Report volume 5 Executive Summary
