The State of The Internet

Mar 01, 2010 in News

Video: “The State of The Internet” by JESS3 / Jesse Thomas, hosted on Vimeo.


Another banking Trojan called Bugat discovered

Feb 16, 2010 in News

According to security company SecureWorks, its researchers have found “Bugat,” a new Trojan that steals banking information.

The discovery was made in January 2010, and the researchers found that Bugat’s capabilities resemble those of the infamous data-stealing Trojans Zeus and Clampi, security researcher Jason Milletary, a member of the SecureWorks Counter Threat Unit research team, told SCMagazineUS.com on February 9, 2010.

Milletary added that SecureWorks observed between 1,200 and 3,000 Bugat attack attempts against its clients in the first week of February 2010, Darkreading.com reported on February 9, 2010.

Milletary states that his team observed a particular Zeus botnet distributing Bugat.

So far Bugat has mainly targeted corporate financial accounts.

Commenting on this, security experts said that Bugat’s emergence confirms that there is strong demand for new malware built to steal financial credentials, and that wire-transfer and Automated Clearing House (ACH) fraud committed with such malware remains highly profitable for criminals.

The demand for new malware is apparently driven by criminals looking for cheaper alternatives, or for malware that security professionals have not yet scrutinized closely. As criminals keep introducing such software, the cost of malware falls and entry into the crime market becomes easier.

Bugat also has some capabilities that are uncommon among banking Trojans. One is that it secures its communication with its command-and-control server so that other criminals cannot intercept the data it has stolen. It can also steal FTP credentials.

Bugat also has the usual set of features: capturing form data submitted from Firefox and Internet Explorer; stealing and deleting Firefox, Flash and IE cookies; browsing and uploading files or folders stored on the victim’s computer; and downloading and executing code. In addition, the Trojan can delete system files and reboot the infected machine so that Windows no longer starts.

Finally, SecureWorks reports that so far only 20 of 51 anti-virus scanners detect Bugat.

 

» SPAMfighter News - 16-02-2010


Fake E-mail Scam Targets Google Job Applicants

Feb 09, 2010 in Interesting articles taken from the net

Websense Security Labs’ ThreatSeeker Network has detected an ongoing scam that sends malicious e-mails purporting to come from Google in response to job applications.

The message begins by acknowledging receipt of the recipient’s résumé and thanks them for their interest in joining Google. It goes on to explain that Google staff will review the résumé and will get back to the recipient if they find a matching vacancy.

According to Websense, a recipient who never applied to Google for a job should recognize the e-mail as a fake. Another warning sign is the attachment, whose file name carries both a .zip and an .exe extension.

The e-mails are well written and convincing because they copy fragments of Google’s genuine job-application replies. Unsolicited spam usually contains spelling and grammatical errors that act as red flags; these messages, however, are flawless, which gives them a professional and convincing look, particularly to someone who really has applied for a job at Google.

Ironically, despite all the effort put into a clean-looking e-mail, the scam gives itself away through an easily spotted deceptive file name that tries to pass the attachment off as a harmless file type.

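The double-extension trick described above is easy to check for at a mail gateway. The following is an added example, not code from Websense or from the original post: it parses a message, flags attachments whose file name hides an executable behind a harmless-looking extension, and also compares the declared content type with what the payload actually starts with. The message, addresses and extension lists are constructed for the example.

```python
# Added example (not code from the Websense article): a gateway-style attachment
# check for an executable hiding behind a second, harmless-looking extension.
# The message, addresses and policy lists below are constructed.
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click (assumption: a policy list to extend).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jar"}
# Extensions a scammer borrows to make the name look harmless.
DECOY_EXTS = {"zip", "pdf", "doc", "docx", "txt", "jpg", "png"}


def classify_filename(name):
    """Return the reasons a file name is suspicious; an empty list means clean."""
    parts = name.lower().strip().split(".")
    exts = parts[1:]            # everything after the base name
    reasons = []
    if not exts:
        return reasons
    if exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + exts[-1])
        decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
        if decoys:
            reasons.append("double extension: decoy ." + ".".join(decoys))
    return reasons


def scan_message(raw):
    """Scan a raw RFC 2822 message; return (filename, reason) pairs for every
    suspicious attachment, including declared-type vs. real-content mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for reason in classify_filename(name):
            findings.append((name, reason))
        data = part.get_payload(decode=True) or b""
        # A Windows PE file starts with "MZ"; a real .zip starts with "PK".
        if data[:2] == b"MZ" and part.get_content_type() != "application/x-msdownload":
            findings.append((name, "PE (MZ) content declared as " + part.get_content_type()))
    return findings


def build_sample():
    """Construct a message modelled on the fake Google reply (all content made up)."""
    m = EmailMessage()
    m["From"] = "jobs@example.com"          # constructed, not Google's address
    m["To"] = "applicant@example.org"
    m["Subject"] = "Thank you for your interest in Google"
    m.set_content("We have received your resume and will contact you if a position matches.")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="zip",
                     filename="Google_Application.zip.exe")
    return m.as_string()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```

Checking the payload’s magic bytes as well as the name matters because the name is the only part the scammer has to get right for the user; the content check catches the same file under an innocent name.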
According to Websense, the malicious payload in the attachment is not yet detected by most anti-malware software.

Job-related online scams are common, but both their number and their victims have grown since the global recession. Cyber criminals target vulnerable people, and the difficulty law enforcement has in tracking them down has emboldened them to pursue job-seekers more aggressively than ever.

Security experts explain that authorities can often do little more than document incidents: tracking down the culprits is nearly impossible because the criminals operate through proxy domains and networks, creating an endless series of jurisdictional obstacles.

Finally, Websense advises job-seekers to remain especially cautious when using recruitment sites so that they do not fall victim to such scams.

» SPAMfighter News - 09-02-2010


Canada’s ECPA Legislation Passed the Third Reading

Dec 14, 2009 in Interesting articles taken from the net

On December 3, 2009, the Honourable Tony Clement, Minister of Industry (Ottawa, Canada), announced that the proposed Electronic Commerce Protection Act (ECPA) had unanimously passed third reading in the House of Commons. As the next step in the legislative process the Act now goes to the Senate, exchangemagazine.com reported on December 3, 2009.

The ECPA, or anti-spam act, would allow consumers and businesses to bring civil action against anyone who violates it. The bill would also give the Competition Bureau, the Canadian Radio-television and Telecommunications Commission (CRTC) and the Office of the Privacy Commissioner the authority to share evidence and information with their counterparts in other countries that enforce similar anti-spam laws, so that criminals outside Canada cannot use Canada as a base for their operations.

Under the ECPA, businesses that use spam for marketing could face administrative monetary penalties of up to $10 million, and individual spammers up to $1 million.

The act is meant to show spammers that their misdeeds carry real penalties. The government also expects the penalties to be substantial enough to hurt offenders and so to curtail such activity.

Clement said the legislation will also help Canada become a leader in the digital economy by ensuring a safer marketplace, and that the Senate is expected to act promptly on the bill to protect Canadian consumers.

The bill is badly needed: Canada hosts around 5% of global spam and ranks fourth worldwide as a source of spam, after Russia and just ahead of Brazil, according to statistics from networking-equipment vendor Cisco that the government cited.

How effective Canada’s new anti-spam law will be remains to be seen, however: despite hundreds of cases pending in US courts and the huge penalties imposed there, spam levels show no sign of falling.

» SPAMfighter News - 14-12-2009

 


Phishing and Spam Escalating to Newer Peaks

Nov 20, 2009 in Interesting articles taken from the net

According to the new State of Spam and Phishing Report issued by security company Symantec on November 9, 2009, over 90% of all e-mail is either spam or phishing.

Symantec states that a growing share of spam now originates in the Asia-Pacific region and Japan, and based on these observations those regions are likely to overtake the previous leading sources, North America and Europe.

Amanda Grady, Principal Analyst at Symantec, said the growth in junk e-mail from Asia-Pacific, Japan and South America was not entirely unexpected given the enormous rise in Internet connections in those regions, V3 reported on November 9, 2009.

According to Symantec, Europe is still the largest single source of spam (28%), though its share has dropped 6% since June 2009. The report also found that spam increasingly targets users of social-networking sites, particularly Facebook.

Phishing increased during October 2009, as forecast in earlier months. Symantec saw a 17% rise in phishing attacks over September 2009; 30% of the fraudulent websites involved were built with phishing toolkits, a 24% increase.

Symantec also found that non-English phishing websites increased 45% from September 2009. These sites used the hosting services of over 97 companies and accounted for 8% of all phishing attacks, but the total number of web-hosted phishing URLs was down 19% compared with September 2009.

The company also saw a significant rise in phishing websites created with phishing toolkits.

Meanwhile, the recent downward trend in phishing e-mail may have ended, since toolkit-based attacks picked up again in October 2009, a sign that the holiday season is approaching, Symantec said.

In its October State of Spam report Symantec noted that there is often a rough correlation between total spam volume and the state of the economy. According to the company, spam makes up the bulk (86%) of all e-mail.

» SPAMfighter News - 20-11-2009


Should Internet Service Providers Filter Outbound SMTP traffic?

Nov 21, 2007 in Tips and techniques

While most of the current tech-related news regarding ISP content-filtering centers on a certain other protocol, ISP-based SMTP filtering is an issue lurking in the shadows that I feel should be given more critical thought, especially given the potential effect it could have on The War on Spam (TWoS). Before many of you start screaming about privacy issues and other possible personal rights infringements (in which you would be fully justified, of course), let’s put that aside for the moment and consider the more immediate pros and cons of such an arrangement.

Unsolicited email has been around nearly as long as the concept of ‘email’ itself, and people have gone to extraordinary lengths to design web- and software-based solutions for intercepting it, most of them built on Bayesian statistical classification. For the most part, they actually work remarkably well; I can barely recall the last time I’ve had to manually delete spam email from my work and/or Gmail account inbox. Heck, my current spam filter could probably beat me in a game of chess.

However, most current anti-spam solutions are invoked only upon the reception of an email (ingress-based filtering), placing the responsibility of spam filtering squarely on the shoulders of the recipient, rather than the sender (egress-based filtering). A virtual bottleneck thus ensues, whereby your email client (desktop or web-based) must protect you from the never-ending onslaught of little blue pill ads and Nigerian princes who want to give you a piece of their fortune, both of which have become quite prolific in the past several years.

A recent discussion thread on The Usenix Special Interest Group for Sysadmins (SAGE) has revived some interest in the concept of ISP-based outbound SMTP filtering, whereby the service provider performs its own spam-filtering duties on outgoing email, thus preventing a large chunk of junk mail from being distributed in the first place. While there are several political, technological and economic issues that would need to be resolved in order for any of this to ever become effective (see the discussion thread for insightful commentary on all of these topics), it would be difficult to argue that the two-pronged approach would be less effective than ingress-based filtering alone.

Until more ISPs are convinced that by implementing outbound SMTP filtering they would be saving more money than spending, however, I’ll continue to think of my inbound spam filters like the Spartans at the Battle of Thermopylae - they’re quite good at doing their job, but inevitably they will be overwhelmed by the sheer number of their enemies.


Hot Spot responsibilities: should they allow outgoing SMTP connections?

Nov 21, 2007 in Tips and techniques

I personally think that Hot Spots should do “application firewalling” and not allow SMTP connections out, whatever the port used.

Some Hot Spots allow anything out, others block 25 out, but as you know a lot of online services use ports other than 25 to send out e-mail.

If all Hot Spots or IT administrators blocked SMTP at a higher level, whatever the port used (firewall at the application level), it would help a lot… Otherwise, if an IT administrator blocks 25 out for his stations but allows any other port outbound, it’s only a matter of time before some spam goes out through an external relay server on some odd port other than 25.

 Any comments are welcome.


Reminder : Restrict port 25 at the Firewall (outbound)

Nov 20, 2007 in Tips and techniques

Too many IT administrators forget to restrict which IP addresses on their network can send e-mail out, that is, which hosts may make outbound SMTP connections.

This gives virus writers and spammers an easy way for any infected station to spam the planet.

Only your e-mail servers should be allowed to connect out on port 25.

Some of you have probably already experienced how painful it can be to get removed from an IP address blacklist… Often we end up changing IP addresses as a shortcut (but for how long?).

Note: several e-mail security providers and e-mail security products allow customers to have their outgoing e-mail filtered.

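The two posts above make related points: only the mail servers should reach port 25, and an infected station will happily use a relay on some other port if only 25 is blocked. The following added example (not the posts’ own code) shows the detection side of both in one pass over outbound connection records: it flags port-25 connections from any host that is not a designated mail server, and an SMTP client dialogue (EHLO/HELO/MAIL FROM) on any other port, which is what an application-level firewall catches. The log lines, hosts and addresses are constructed; a plain iptables LOG line carries no payload, so the PAYLOAD field here stands in for what a proxy or IDS would see. As an assumption, authenticated submission from roaming users to our own relay on port 587 is treated as legitimate.

```python
# Added example (not the posts' own code): audit outbound connection records for
# SMTP leaking out of the network. Log lines, hosts and addresses are constructed.
import re

# Assumption: the only host allowed to speak SMTP to the Internet.
MAIL_SERVERS = {"192.0.2.25"}
# Assumption: authenticated submission to our own relay (port 587) is legitimate.
SUBMISSION_OK = {("192.0.2.25", 587)}

# Tolerates the usual iptables LOG fields (LEN=, SPT=, ...) between the ones we use.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
    r'(?: PAYLOAD="(?P<payload>[^"]*)")?'
)
# First bytes a mail client sends after the server banner.
SMTP_CLIENT_RE = re.compile(r"^(EHLO|HELO)\s|^MAIL FROM:", re.IGNORECASE)

# Constructed log: the relay itself, an infected desktop on 25 and on 2525,
# an HTTPS client, and a laptop submitting mail to the relay on 587.
SAMPLE_LOG = """\
Nov 20 10:01:02 fw kernel: IN= OUT=eth1 SRC=192.0.2.25 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=41000 DPT=25 PAYLOAD="EHLO mail.ourcompany.com"
Nov 20 10:01:05 fw kernel: IN= OUT=eth1 SRC=192.0.2.77 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51234 DPT=25 PAYLOAD="HELO localhost"
Nov 20 10:01:09 fw kernel: IN= OUT=eth1 SRC=192.0.2.77 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=2525 PAYLOAD="EHLO desktop"
Nov 20 10:01:11 fw kernel: IN= OUT=eth1 SRC=192.0.2.78 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40021 DPT=443 PAYLOAD="GET / HTTP/1.1"
Nov 20 10:01:15 fw kernel: IN= OUT=eth1 SRC=192.0.2.80 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40022 DPT=587 PAYLOAD="EHLO laptop"
"""


def parse_line(line):
    """Extract src, dst, destination port and (optional) first payload bytes."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"]),
            "payload": m["payload"] or ""}


def classify(rec):
    """Return a verdict string for a flow, or None if it is allowed."""
    if rec["src"] in MAIL_SERVERS:
        return None
    if rec["dpt"] == 25:
        return "port 25 from non-mail-server host"
    if (rec["dst"], rec["dpt"]) in SUBMISSION_OK:
        return None
    if SMTP_CLIENT_RE.match(rec["payload"]):
        return "SMTP client dialogue on port %d" % rec["dpt"]
    return None


def audit(log_text):
    """Run the classifier over log lines; return (src, dst, dpt, verdict) for hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            hits.append((rec["src"], rec["dst"], rec["dpt"], verdict))
    return hits


if __name__ == "__main__":
    for src, dst, dpt, verdict in audit(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dpt}  {verdict}")
```

The port-25 rule needs nothing but the firewall log; the second rule needs visibility into the first bytes of the connection, which is the price of catching SMTP on odd ports. Note that a blanket block on every port also breaks legitimate authenticated submission to external providers on 587, which is why the example carries an explicit allow list.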

Spamhaus $11 million fine thrown out

Nov 19, 2007 in Interesting articles taken from the net


http://www.virusbtn.com/news/2007/09_07a.xml?rss=

The case was first brought last autumn, and after initially challenging the charges Spamhaus withdrew from it, arguing that the US court in which it was brought had no jurisdiction over the organisation’s UK-based operation. e360 was thus granted a default ruling in its favour, with the $11.7 million fine based on its own uncontested evaluation of the damage caused by Spamhaus filtering out its mails. The spam-fighting organisation was also ordered to apologise publicly and to remove e360 from its ‘ROKSO’ list of known spammers in perpetuity, another ruling whose legality has been questioned by the appeal court.

The appeal court ruling still grants e360 the case, due to Spamhaus’ refusal to contest it, but has sent the damages award back to the lower court to be examined more closely. Spamhaus continues to include e360 on its list of spammers, and has suggested e360 bring the case to a UK court, where its activities would fall under stricter anti-spam laws. Attempts by e360 to have Spamhaus’s domain registration revoked have been ignored by US courts.

A Wired.com blogger looks into the case in more detail and carries a full copy of the latest ruling (in PDF format).

07 September 2007


eMail Best practices for IT administrators

Nov 19, 2007 in Tips and techniques

Hi All

 

As you know, it is now very important to comply with all the Internet e-mail standards if you want your e-mail to be accepted by e-mail security solutions and large providers.

SPF records (TXT records), known as Sender Policy Framework: http://www.openspf.org/

This very important DNS record states from which IP addresses e-mail from something@yourdomain.com may originate.

It helps detect e-mail address forgery (i.e. my address is user@domain.com and I send a message as if I were user@yourdomain.com).

Imagine that I pretend to be you@yourdomain.com and send 3 million e-mail messages, most of them to invalid addresses. To whom do you think the NDRs (non-delivery reports) come back? You!

You must be very careful if some of your remote users don’t send e-mail through the main office but through, say, an ISP’s SMTP server: that ISP mail server must then be included in your SPF record. If all e-mail is sent from your main office from a single IP, it is really easy. One way to avoid having to deal with ISP SMTP servers is to have roaming users send through a VPN connection or with SMTP-AUTH, so their mail still leaves from your own server.

http://www.mtgsy.net/dns/spfwizard.php is one tool I found (an ISP’s tool) that is easy to use.

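To see what a receiving server actually does with that record, here is an added example (not the post’s own code, and not a replacement for a full SPF library): a small evaluator for the common mechanisms (ip4, ip6, a, mx, include, all) and their qualifiers, with a stub DNS table so it runs offline. It reproduces the roaming-user problem described above: mail relayed through an ISP’s server fails the check unless that server is covered by the record, here via include:. All domains, records and addresses are constructed.

```python
# Added example (not the post's own code): a minimal SPF evaluator with stub DNS.
# Domains, records and addresses are constructed; use a real SPF library in production.
import ipaddress

# Constructed DNS data standing in for real lookups.
DNS = {
    ("ourcompany.com", "TXT"): ["v=spf1 ip4:192.0.2.25 mx include:_spf.isp.example -all"],
    ("ourcompany.com", "MX"): ["mail.ourcompany.com"],
    ("mail.ourcompany.com", "A"): ["192.0.2.25"],
    ("_spf.isp.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def evaluate(record, ip, domain, depth=0):
    """Evaluate one SPF record for sender IP `ip`; returns pass/fail/softfail/neutral.
    Mechanisms are tried left to right; the first match decides, as in RFC 7208."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v6 address is never inside a v4 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                    # "a/cidr" suffixes are not handled here
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        else:
            matched = False                  # exists/ptr and modifiers not handled here
        if matched:
            return QUALIFIER[qual]
    return "neutral"                         # nothing matched and no "all" term


def check_spf(domain, ip, depth=0):
    """Fetch the domain's SPF record and evaluate it; 'none' when there is none."""
    if depth > 10:                           # guard against include: loops
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    return evaluate(records[0], ip, domain, depth)


if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(sender, check_spf("ourcompany.com", sender))
    # The same roaming user with a record that lists only the office IP:
    print("198.51.100.7 without include:",
          evaluate("v=spf1 ip4:192.0.2.25 -all", "198.51.100.7", "ourcompany.com"))
```

The last line of the usage block is the case the post warns about: with only ip4:192.0.2.25 and -all, a user who sends through the ISP’s relay at 198.51.100.7 gets a hard fail, and receivers honouring the record will bounce or junk the mail.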
  

PTR records / reverse DNS records

More and more e-mail servers do a reverse lookup of the sending server’s IP address. If you have no PTR record, or a generic one (like isp-pool-adsl10-90-122-32), they may refuse the SMTP connection or treat the message as spam.

The hosting company or ISP that provides the IP address is responsible for setting PTR records, so you should send them a request such as:

Please create a PTR record for us:

IP address: 209.200.200.256 -> mail.ourcompany.com (fictive address, it doesn’t even exist)

  

HELO / EHLO

When you set up an e-mail server, it often takes a default name for the HELO greeting. Basically, when your e-mail server talks to another e-mail server, it says: “HELO, I am mail.ourcompany.com”.

Some hosting companies or security solutions may refuse to talk to you, or treat e-mail from your server as spam, if the HELO name does not match the reverse DNS or simply does not make sense.

Example: most Microsoft IT people, when they install an Exchange server in a Windows Active Directory environment, forget to set the HELO greeting, so the SMTP banner ends up being ‘servername.domain.local’. This is not a routable Internet FQDN (and a HELO greeting should be one).

So, to avoid any problems, make sure the HELO name also matches the A record and the reverse DNS (PTR) of that machine.

So, in our example, to be compliant:

IP address: 209.200.200.256
HELO: mail.ourcompany.com
PTR record for 209.200.200.256: mail.ourcompany.com
A record for mail.ourcompany.com -> 209.200.200.256

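The three-way consistency asked for above (HELO name resolves to the IP, the IP’s PTR points back to the HELO name, the name is a real Internet FQDN) is easy to verify before a receiving server does it for you. The following is an added example, not code from the post: it runs those checks against a stub DNS table so it works offline, and includes a small live_lookup helper for the same check against real DNS. It uses 192.0.2.25 from the documentation address range rather than the post’s fictive 209.200.200.256, which is not a valid IPv4 address (an octet cannot exceed 255). Names, addresses and the generic-PTR pattern are constructed assumptions.

```python
# Added example (not the post's own code): forward-confirmed reverse DNS plus
# HELO sanity checks, offline against a stub DNS table. Names and addresses are
# constructed; 192.0.2.25 stands in for the post's fictive 209.200.200.256.
import re
import socket

# Constructed DNS data: one correctly set up relay, one Exchange box with
# defaults and no PTR, one server behind a generic ISP PTR.
DNS = {
    ("mail.ourcompany.com", "A"): ["192.0.2.25"],
    ("192.0.2.25", "PTR"): ["mail.ourcompany.com"],
    ("192.0.2.26", "PTR"): [],                  # no reverse record at all
    ("smtp.ourcompany.com", "A"): ["192.0.2.27"],
    ("192.0.2.27", "PTR"): ["isp-pool-adsl10-90-122-32.isp.example"],
}
# Assumption: tokens that usually mark an ISP's auto-generated PTR name.
GENERIC_PTR_RE = re.compile(r"(pool|dyn|dhcp|adsl|cable|dial|ppp)", re.IGNORECASE)
NON_ROUTABLE_SUFFIXES = (".local", ".lan", ".internal", ".localdomain")


def stub_lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def live_lookup(name, rtype):
    """Resolve with the system resolver; not used by the offline checks."""
    try:
        if rtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
        if rtype == "A":
            return socket.gethostbyname_ex(name)[2]
    except OSError:          # socket.herror / socket.gaierror
        pass
    return []


def check_helo(helo, ip, lookup=stub_lookup):
    """Return the problems a receiving server could object to; [] means compliant."""
    helo = helo.lower().rstrip(".")
    problems = []
    if "." not in helo or helo.endswith(NON_ROUTABLE_SUFFIXES):
        problems.append("HELO is not a routable Internet FQDN")
    ptrs = [p.lower().rstrip(".") for p in lookup(ip, "PTR")]
    if not ptrs:
        problems.append("no PTR record for " + ip)
    else:
        if helo not in ptrs:
            problems.append("PTR %s does not match HELO" % ptrs[0])
        if any(GENERIC_PTR_RE.search(p) for p in ptrs):
            problems.append("PTR looks like a generic ISP name")
    if ip not in lookup(helo, "A"):
        problems.append("HELO name does not resolve (A) to " + ip)
    return problems


if __name__ == "__main__":
    for helo, ip in (("mail.ourcompany.com", "192.0.2.25"),
                     ("exch01.corp.local", "192.0.2.26"),
                     ("smtp.ourcompany.com", "192.0.2.27")):
        print(helo, ip, check_helo(helo, ip) or "OK")
```

To run the same check against your real server, call check_helo(helo, ip, lookup=live_lookup) from a machine with working DNS; the A and PTR lookups then come from the system resolver instead of the table.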
 

Any comments are welcome