Spam

The stats at Spamcops and MxLogic, along with my own spam filter, makes me a believer in the claim of researchers that McColo provided the connectivity responsible for half the world’s spam.

No doubt the cyber crooks who lost their botnet’s ‘command and control’ servers will resume business somewhere else, but right now we can enjoy the temporary drop in spam.

Let’s not forget the child pornography (child abuse) vendors. At least 40 websites, nameservers or payment services used for child pornography were recently found to be hosted by McColo, according to HostExploit’s Report (PDF)

Third “Bad ISP” Dissolves — McColo Gone
Jose Nazario writes that in arbornetworks own database they have been tracking a few dozen botnets that phoned home to McColo IPs, and also nearly 1000 distinct URLs from hundreds of different malcode samples.

These guys ran a dirty operation.

As with Atrivo/Intercage, McColo relied on US transit peers.

{ 1 comment }

HostExploit’s Cyber Crime Series - Version 2.0

This second CYBER CRIME USA report highlights those Internet players that currently host the world‟s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography. This study from HostExploit.com is based on tracking and documenting ongoing cyber criminal activity.

HostExploit Report (PDF)

Certifiedbug, August 28, 2008. Cyber Crime USA

GarWarner, November 12, 2008. Internet Landfill: McColo Corporation

Certifiedbug, November 12, 2008. McColo Corp down for the count

{ 0 comments }

Brian Krebs at the Washington Post reports,

A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.

1) Major Source of Online Scams and Spams Knocked Offline

2) Host of Internet Spam Groups is Cut Off
“This story was updated from an earlier version to clarify McColo’s role in hosting of suspicious sites.”

Certifiedbug,

Spamcop stats, week.

I doubt that is a coincidence, more later.

Edit: Spamcop, 24 hours.

CIDR Report for AS26780
Global Crossing still shows a listing.
“26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.”

FireEye Malware Intelligence Lab, 2008.10.26.

If you look back in our articles, you’ll see a fairly deep connection between Malware, Botnets, and McColo. With the shutdown of Atrivo, McColo seems to be the frontrunner for Botnet/Malware hosting -

Rogue.AntiVirus2009 hosted by McColo

{ 0 comments }

This spam looks like the recent ones pushing pharmaceuticals.

Except this time “One-stop for all your meds here” hid an url to globalmarketingsolutions where I landed on what appeared to be a real estate page containing a lot of links. Clicking on one of them brought this up.

http://safeweb.norton.com/report/show?name=66.96.85.221

Searching in Google I was warned, “this site may harm your computer”.

MSN Featured Offers, Spam from Canadian Pharmacy

Infector Spam ‘Free Update Windows XP,Vista’

Fake IE7 email Spam

Spam posing as MSN Featured Offers

Hit delete when it appears in your mailbox, and again do not click the ‘unsubscribe’ link contained in the spam. Doing that would just confirm to spammers that your email address is alive and working.

{ 0 comments }

This week I have seen a resurgence of the “MSN Featured Offers” scam, this time from Canadian Pharmacy, pushing Viagra and other pharmaceuticals.

Previous Certifiedbug alerts:
Infector Spam ‘Free Update Windows XP,Vista’
Fake IE7 email Spam
Spam posing as MSN Featured Offers

Domain Name: xhtnnfx.cn
Created: 2008-10-28
Expires: 2009-10-28
Whois Server: whois.cnnic.net.cn
IP Location: Latvia - Latvia - Vdhost Ltd

Domain Name: progressconsider.com
ICANN Registrar: 35 TECHNOLOGY CO., LTD
Created: 2008-11-05
Expires: 2009-11-05
Updated: 2008-11-05
Domain servers in listed order:
srv1.reachfarm.com
srv2.reachfarm.com
ZHANGJIE
JIANSHELU263
TS,HB,CN 063002

hxxx://ler.rightachievement.com
Canadian Pharmacy

hxxx://myx.poseindependence.com
Canadian Pharmacy

hxxx://xkx.rightachievement.com/
Canadian Pharmacy

Those are just an example, the links will change frequently.

Fake pharmaceuticals on-line, buyer beware

{ 21 comments }

Judy Devenow pleaded guilty to fraud and conspiracy charges Tuesday in federal court in Michigan, admitting she had sent millions of spam e-mails a day helping spam kingpin Alan Ralsky.

Devenow said she was paid US$150,000 to send e-mail and manage others from January 2004 through September 2005. She, Ralsky and nine other people were charged in January 2008. Thomas Dukes, who specializes in computer crimes at the U.S. Justice Department in Washington DC, is quoted as saying that Ralsky sent tens of millions of e-mails over a 20-month period - and that’s a “conservative number,” Dukes told the judge. We agree; Spamhaus regularly sees spammers like Ralsky and his gang sending tens of millions of spam e-mails each day. They use innocent people’s virus infected PCs to do this and also forge the addresses of innocent people onto the spam’s “From:” line (”spoofing”) causing untold damage and costs.

Spamhaus

{ 0 comments }

A U.S. district court has ordered a halt to the operations of a vast international spam network that peddled prescription drugs and bogus male-enhancement products. The network has been identified as the largest “spam gang” in the world by the anti-spam organization Spamhaus. The Federal Trade Commission has received more than three million complaints about spam messages connected to this operation, and estimates that it may be responsible for sending billions of illegal spam messages. At the request of the FTC, the court has issued a temporary injunction prohibiting defendants from spamming and making false product claims, and has frozen the defendants’ assets to preserve them for consumer redress pending trial. Authorities in New Zealand also have taken legal action, working in tandem with the FTC.

According to papers filed with the court, the defendants deceptively marketed a variety of products through spam messages, including a male-enhancement pill, prescription drugs, and a weight-loss pill.

The defendants include two individuals – Lance Atkinson, a New Zealand citizen living in Australia, and Jody Smith of Texas – and four companies they control: Inet Ventures Pty Ltd., Tango Pay Inc., Click Fusion Inc., and TwoBucks Trading Limited. The FTC’s complaint alleges that both Atkinson and Smith are liable for the spamming. It holds Lance Atkinson responsible for all product claims, and Smith liable for claims made for the pharmaceutical products. In June 2005, the FTC obtained a $2.2 million judgment against Atkinson and another business partner for running a similar spam affiliate program that marketed herbal products.

News Release: http://www.ftc.gov/opa/2008/10/herbalkings.shtm

Civil Action No. 08-CV-5666
FTC File No. 072 3085

Complaint for Injunctive and Other Equitable Relief
http://www.ftc.gov/os/caselist/0723085/081014atkinsoncmpt.pdf

Memorandum Supporting Plaintiff’s ex parte Motion for a Temporary Restraining Order with Asset Freeze, Other Equitable Relief, and Order to Show Cause Why a Preliminary Injunction Should not Issue
http://www.ftc.gov/os/caselist/0723085/081014atkinsonmemo.pdf
Interesting read. Snippet:

SanCa$hSupport i guess so… they’ll never find you
sancashl well they bought me up, but nothing linked to me, most i do is provide services for spammers

O what a tangled web we weave when first we practise to deceive.
(Sir Walter Scott. Marmion, Canto VI, Stanza 17)

Temporary Restraining Order with Asset Freeze, Other Equitable Relief, and Order to Show Cause Why a Preliminary Injunction Should not Issue
http://www.ftc.gov/os/caselist/0723085/081014atkinsontro.pdf

Certifiedbug: March 30, 2007.
Fake pharmaceuticals on-line, buyer beware

{ 0 comments }

Email spoofing basically is when someone forges the header information making the email appear to have originated from somewhere other than the real source.

One such spoof is doing the rounds falsely claiming to be from Steve Lipner at Microsoft urging recipients to install an attached update.

The email is not from Microsoft, the malicious attachment contains Backdoor:Win32/Haxdoor, and of course you should not open it.

The Microsoft Security Response Center (MSRC)

First and foremost, we never, ever, ever send attachments with our security notification e-mails. And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof. You can think of our security notification e-mails as a notification for you to go the security bulletin to get the updates from the link in the bulletin to the Microsoft Download Center http://www.microsoft.com/downloads. You should always get our security updates from the links in the bulletins or through our deployment tools such as Microsoft Update or Windows Update, Windows Software Update Services (WSUS) or Systems Center Configuration Manager.

Article: Microsoft Security E-mail Spoofs with Malware

{ 0 comments }

Another rogue spreading fast. If your computer has been infected please seek assistance with removal at one of the security forums, short list in right side column.

Domains on the same IP.

1. Antispyware2008b.com
2. Antivir–2008.com
3. Antivirus2008proxp.com
4. Directnameservice2008.com
5. Mediatubeforme1.com
6. Onsafepro2008.com
7. Smart-antivirus-2009-buy.com
8. Smart-antivirus-2009.com
9. Smart-antivirus-2009buy.com
10. Smart-antivirus2009-buy.com
11. Smart-antivirus2009.com
12. Smart-antivirus2009buy.com
13. Smartantivirus-2009-buy.com
14. Smartantivirus-2009.com
15. Smartantivirus-2009buy.com
16. Smartantivirus2009-buy.com
17. Smartantivirus2009.com
18. Smartantivirus2009buy.com
19. Traff-drive.com
20. Viruswebprotect2008.com

SmartAntivirus2009
Registration Service Provided By: ESTDOMAINS INC
Domain Name: SMARTANTIVIRUS2009.COM
Dates: Created 22-aug-2008 Updated 29-aug-2008 Expires 22-aug-2009

Certifiedbug:
Spamhaus Report, Cybercrime’s U.S. Hosts

Edit
Harry Waldon has a nice article Malware Close Encounters - Close Pop-ups using Task Manager to safely exit which could help users to exit a pop-up install before too much damage is inflicted.

{ 0 comments }