Return of the Botnets: Spam is on the rise again
After three months of reduced spam volumes I am now seeing a sudden resurgence, especially in the form of the fake Canadian Pharmacy, unapproved Asian-made Viagra and various male enhancement pills, strips and patches. All of this spam, like all the spam from the year before, is sent via compromised Windows computers which have been unknowingly recruited into spam Botnets. These Botnets are commanded and controlled by criminals in Eastern Europe (in the former Soviet Union) and other places where the authorities tend to turn a blind eye to cyber criminal activities.
It is difficult to know which Botnet is sending out this new round of pharmacy spam without capturing a Bot, logging its actions and reading its spam templates, but this has all the earmarks of the Mega-D Botnet (speculation). Mega-D, otherwise known as Ozdok, was one of the most prolific Botnets still running after the takedown of the McColo Corp. command and control servers on November 11, 2008. The majority of the colocation servers in that facility were used for illegal activities, including command and control of several Botnets. Mega-D was the first to re-emerge and resume spamming after that takedown, and it is very likely responsible for the resurgence I saw yesterday and today. If not, it is a similar Botnet being rented out to spammers (the Bot Masters usually rent portions of their Botnets to spammers, rather than doing any spamming themselves).
I didn't write my usual Sunday spam report this week, because the amount of spam for the week of February 2 - 8, 2009 was ridiculously low (around 7%) and only encompassed four categories, as defined by my MailWasher Pro custom filter rules. Still, a pattern was developing and I can now report on it. Maybe this will help others in identifying the Botnet behind this recent spam run. Most of the spam coming in from February 8 through 11 is identified by my "Hidden ISO or ASCII Subject" filter. Emails sent to English-speaking North American inboxes do not need their Subject lines wrapped in an "=?charset?...?=" encoded word (the RFC 2047 form that declares an ISO-8859, windows-1251, gb2312 or similar character set), as long as the Subjects are typed in plain English. However, messages composed in Europe or in Asia by non-English speakers might require that encoding to be readable at their destinations, and the sender can pick the declared character set so the spam subject displays in the language of the targeted recipient country. That is exactly what has been going on since the Mega-D Botnet re-emerged in late November, 2008: English-language pharmacy spam arriving with Subject lines needlessly encoded in non-English character sets, which is what makes it stand out.
Those of you who use MailWasher Pro to filter out spam and aren't using my custom filters already can apply the following filter to detect and either flag, or auto-delete, any spam containing a hidden ISO subject. The following rule must occupy one long line and goes into your filters.txt file, located in your logged-in identity's %AppData%\MailWasherPro folder. Note that you must close MailWasher before editing filters.txt, save the changes, then reopen the program.
[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,OR,Delete,Automatic,EntireHeader,containsRE,^Subject:[^\n]*?=\?ISO-8859-[^\n]*?\n,EntireHeader,contains,"Subject: =?us-ascii?",EntireHeader,contains,"Subject: =?windows-1251?B?",EntireHeader,contains,"Subject: =?gb2312?B?"
If you don't trust the accuracy of my filter, remove the word Automatic from the rule. The rule will then only flag messages that match it as spam, with a checkmark in the Delete column in MailWasher Pro, and you decide what to delete. That is the safer setting if you correspond with people who legitimately write in Cyrillic or Chinese, because their mail clients encode Subject lines in the same character sets.
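The same check, written out so you can test it against your own mail outside MailWasher, as an added example that is not the author's filter or part of MailWasher Pro. It uses Python's standard library only, and it generalizes the rule slightly: instead of looking for fixed strings it pulls the charset out of every RFC 2047 encoded word in the Subject header and flags the charsets the filter above targets, regardless of whether the B or Q encoding was used. The SUSPECT_CHARSETS list and the sample headers are constructed for the example, not captured spam.

```python
import re
from email import message_from_string
from email.header import decode_header

# Charsets the MailWasher rule above treats as suspicious in a Subject: line.
# "iso-8859-" is a prefix, so iso-8859-1, iso-8859-2, ... all match.
# (Assumption for this example; extend it to suit your own inbox.)
SUSPECT_CHARSETS = ("iso-8859-", "us-ascii", "windows-1251", "gb2312")

# RFC 2047 encoded word: =?charset?B|Q?encoded-text?=
# Q-encoded text never contains a raw '?', and base64 never does, so [^?]* is safe.
ENCODED_WORD_RE = re.compile(r"=\?([^?]+)\?([bBqQ])\?[^?]*\?=")


def encoded_subject_charsets(raw_message):
    """Return the lower-cased charset of every encoded word in the Subject header."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    return [charset.lower() for charset, _encoding in ENCODED_WORD_RE.findall(subject)]


def is_hidden_charset_subject(raw_message):
    """True when any encoded word in Subject declares one of the suspect charsets."""
    return any(cs.startswith(SUSPECT_CHARSETS) for cs in encoded_subject_charsets(raw_message))


def decoded_subject(raw_message):
    """Decode the Subject header to text so you can see what the recipient would see."""
    msg = message_from_string(raw_message)
    pieces = []
    for text, charset in decode_header(msg.get("Subject", "")):
        if isinstance(text, bytes):
            pieces.append(text.decode(charset or "ascii", errors="replace"))
        else:
            pieces.append(text)
    return "".join(pieces)


def scan(samples):
    """Map each sample name to whether the rule would flag it."""
    return {name: is_hidden_charset_subject(raw) for name, raw in samples.items()}


# Constructed sample headers (header block only, hence the trailing blank line).
SAMPLES = {
    # English text needlessly base64-encoded with a Cyrillic charset: the spam pattern.
    "cp1251_b64": "Subject: =?windows-1251?B?Q2hlYXAgcGlsbHM=?=\n\n",
    # Genuine Cyrillic subject, Q-encoded: flagged too, which is why flag-only is safer.
    "cp1251_q": "Subject: =?windows-1251?Q?=CF=F0=E8=E2=E5=F2?=\n\n",
    # ISO-8859-1 encoded word; matches the iso-8859- prefix.
    "latin1_b64": "Subject: =?ISO-8859-1?B?VmlhZ3Jh?=\n\n",
    # Plain ASCII subject, no encoded word: not flagged.
    "plain": "Subject: Meeting notes for Thursday\n\n",
    # UTF-8 encoded word: not in the rule's list, so it slips through (a known gap).
    "utf8_b64": "Subject: =?UTF-8?B?SGVsbG8=?=\n\n",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} flagged={is_hidden_charset_subject(raw)!s:5} subject={decoded_subject(raw)!r}")
```

Two things to notice when you run it: the Cyrillic "Привет" sample is flagged just like the pharmacy spam, so the rule on its own cannot tell a Russian correspondent from a Bot, and the UTF-8 sample is not flagged at all, so a spammer who switches charsets walks straight past this filter. Treat the rule as a strong indicator to combine with other evidence rather than a verdict.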
If you are reading this on a Windows computer you need anti-malware protection that operates as a "resident service" and monitors every file opened, saved, run or downloaded, plus scans websites you try to visit for infected or hostile scripts or forced downloads. This will protect you against Bot infections, as long as the security program is updated regularly (daily is just barely acceptable anymore). I personally recommend Trend Micro Internet Security (PC-cillin and Pro versions) to perform these tasks. PC-cillin is updated with new malware and infected website information constantly, using "in-the-cloud" technology. Every Trend Micro paying subscriber is automatically protected as soon as a definition is sent to the "cloud" servers. Instead of loading down your computer with huge definition files, the largest portion of the updates occur in the cloud, and your PC is in contact with that cloud server all the time you are online. Of course, you still get some updates downloaded to your PC, but not so many as to cause it to grind to a halt!
If you can't afford this kind of realtime, in-the-cloud protection, but must rely upon free anti-virus and anti-spyware applications, at least install Trend Micro's free utility called RUBotted. RUBotted will notify you if it detects Bot-like activity, or finds a known Bot in a quick scan. You are then instructed to click on a link to scan your computer with the free Trend Micro HouseCall online scanner to remove the threat. This is a lot of user interaction, but hey, it's free!
Norton offers a more advanced tool that is similar to RUBotted, known as Norton AntiBot. AntiBot costs $29.99 US per year for a subscription to updates and allows you to install it onto three PCs at no additional cost. It uses Active Behavioral-Based Analysis to stop and remove malicious bots before they can cause damage, turn you into a spammer, or steal personal information.
One note of good news for owners of Srizbi Bot infected PCs: Microsoft updated the Malicious Software Removal Tool (MSRT) on Patch Tuesday, February 10, 2009, to detect and remove the Srizbi Bot infection. MSRT only runs once a month through Windows Update, so if you suspect an infection, download and run it manually rather than waiting for the next cycle.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.