Cybercrooks are beefing up the infrastructure behind the delivery of botnets, a move that is leading towards more potent and numerous threats, say researchers. Botnet infections are commonly spread through compromised websites seeded with malicious scripts and promoted via black hat SEO tactics such as link farms. These malware …
drop in FB malware?
"The full reasoning for this drop is not fully known, but part of it is attributable to greater awareness of social networking users and more robust policing of malicious content on the part of the social networks themselves,"
Really? I didn't think either of those things would ever happen; if I had to guess which did, I'd say the second, 'cos it ain't gonna be the users.
Whenever I've been dragged onto Facebook I look around in horror at the orgy of sharing pointless crap, which must do for malware what the free love of the 60s did for STDs.
It's quite sad to still, in 2012, see huge IP ranges of dynamic IP customers who shouldn't be sending email spamming mail servers with junk. Why aren't we just turning these ISPs off, literally dropping their AS blocks, so they can't do anything until they sort out their problems?
My own mail server with a single domain sees 99.9% of its connections coming from dynamic IP ranges (the simple tests of "no valid reverse host name" and "not listed on Spamhaus" eliminate 99.9% of all connection attempts!).
And yet I *still* see Google sending me bounce-backs which have been sent by someone else, forging my address in the "From" (so which mail server allowed that in the first place?), Google noticing that it is spam or to an undeliverable address, and then sending it back TO ME. Standard practice? What's INCREDIBLY annoying is that when the email is sent "from" me and "to" me, the Google servers include headers in the email which suggest they not only looked up my domain, but read my SPF records and then rejected the message because my SPF records tell it that it's a fake, but then Google BOUNCES IT right back to the fake domain that it knows is fake because it just looked it up. I wrote a script to reject bounce-backs from Google where they have obviously looked up my domain name's SPF record and spammed it on someone else's behalf anyway, with a customised message to their mail admins - not that they'd bother to look.
That's not to mention making up email addresses that have never existed, even trying to forge DKIM signatures for my own domain when sending email to it! What is the point in a little home-server guy implementing all this stuff properly, from SPF to DKIM to just plain blocking of a stupid number of connections that are obviously fake, if the big companies don't do the same, don't enforce the same for their customers, and are too stupid to do anything but add to the mess themselves, let alone start cleaning up their customers and blocking machines?
About 90% of the blocked IPs that I bother to go look up are marked as being part of a botnet, and have been for an extended length of time. Just what are the ISPs of those users (who *aren't* all in the legally-unreachable corners of the globe) doing to not know they are listed and to allow their users to just directly spam sometimes hundreds of connections a second to mail servers direct?
We have perfectly good systems in place to DRASTICALLY reduce this amount of junk but nobody is using them. When 99.9% of email fails because of simple checks even AFTER it has arrived at my domain (which has SPF and DKIM records), we need to give it up. Yet what we're instead doing is chasing the tails of botnets which would be pretty useless if they couldn't spread email and thereby create funds and attack vectors for their controllers.
When almost every IP I bother to manually look up on CBL shows me instantly that it's part of an established botnet and is known to be spewing spam, sometimes for YEARS, we're just not doing enough to stop the problem.
Implement SPF, DKIM and other measures. Stop being part of the bounceback mechanism with obviously-forged return headers. Block outgoing email from your users unless authenticated to your internal mail server. That will honestly cut out so much spam that it would become quite impractical to operate a botnet in the first place. And we seriously just need a DNSBL with high update rates for such things so we can just block at the firewall and thereby prevent spreading of the infection, attacks from infected machines, and incur such fallout from ending up on the lists that some places will cry if they end up on it because of an internal infection.
What we actually need is just a new mechanism for email entirely, and for people to secure their damn machines. But what's practical is an ISP-level agreement on what to block and what not. Lots of ISPs block outgoing SMTP unless it goes through their servers (or you provide an exception with appropriate guarantees of non-abuse measures), and I've even seen a couple that block SMB ports too. There are just too many dumb home users with no security (or Norton Antivirus, which is pretty much the same thing) causing problems for everyone else, and it's about time we started shutting them off and cleaning them up.
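The post above describes two concrete filters: a connection-time gate (no reverse DNS name, or listed on Spamhaus, means the SMTP client is dropped) and a rule that rejects bounce-backs whose own headers show the bouncing server already saw an SPF failure for the poster's domain, i.e. it knew the original was forged and bounced it anyway. The following is an added example, not the poster's script or any vendor's code, that implements both as a pair of functions. The domain `example.net`, the reverse-DNS and blocklist tables, and the two sample messages are all constructed so the example runs offline; the DNSBL zone name `zen.spamhaus.org` is the real Spamhaus combined list, and the name-building logic covers IPv6 (nibble-reversed) as well as the IPv4 case the post implies.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message

OUR_DOMAIN = "example.net"          # assumption: the domain we receive mail for
DNSBL_ZONE = "zen.spamhaus.org"     # Spamhaus combined list; queried via DNS A lookups

# Constructed stand-ins for DNS so the example runs offline. A live MTA hook would
# replace these with PTR lookups and A lookups of dnsbl_query_name(ip).
REVERSE_DNS = {
    "198.51.100.7": "mail.example.org",                # proper MX host
    "203.0.113.45": None,                              # no PTR record at all
    "192.0.2.99": "cust-99.dyn.example-isp.invalid",   # dynamic pool, listed below
}
DNSBL_LISTED = {"192.0.2.99"}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets, or reversed IPv6 nibbles, under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def check_connection(ip: str, rdns=REVERSE_DNS, listed=DNSBL_LISTED):
    """Connection-time gate from the post: returns (accept, reason)."""
    if not rdns.get(ip):
        return False, "no reverse DNS name"
    if ip in listed:
        return False, "listed: " + dnsbl_query_name(ip)
    return True, "ok"


_RESULT = re.compile(r"^(?P<method>[\w-]+)=(?P<result>\w+)$")


def spf_results(msg: Message):
    """Yield (result, mailfrom_domain) for every spf clause in an Authentication-Results
    header of the message or of any message/rfc822 part (the returned original) inside it."""
    for part in msg.walk():
        for hdr in part.get_all("Authentication-Results", []):
            text = re.sub(r"\([^)]*\)", " ", str(hdr))      # drop (comments)
            for clause in text.split(";")[1:]:              # [0] is the authserv-id
                tokens = clause.split()
                if not tokens:
                    continue
                m = _RESULT.match(tokens[0])
                if not m or m.group("method").lower() != "spf":
                    continue
                props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
                mailfrom = props.get("smtp.mailfrom", "")
                yield m.group("result").lower(), mailfrom.rsplit("@", 1)[-1].lower()


def is_backscatter(raw: str, envelope_from: str, our_domain: str = OUR_DOMAIN):
    """Reject a bounce (null MAIL FROM) that carries its own evidence that the
    bounced message forged our domain. envelope_from is what our MTA saw at
    MAIL FROM; "" is the null sender. Returns (reject, reason)."""
    if envelope_from != "":
        return False, "not a bounce"
    for result, domain in spf_results(message_from_string(raw)):
        if domain == our_domain and result in ("fail", "softfail"):
            return True, f"bounce carries spf={result} for {domain}: sender knew it was forged"
    return False, "bounce without evidence of forgery"


# Constructed sample: a DSN that attaches the forged original, complete with the
# bouncing server's own SPF verdict against our domain.
FORGED_BOUNCE = """\
Return-Path: <>
From: Mail Delivery Subsystem <mailer-daemon@example-mailer.invalid>
To: victim@example.net
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed permanently.
--b1
Content-Type: message/rfc822

Received: from unknown (HELO host) (192.0.2.99)
Authentication-Results: mx.example-mailer.invalid; spf=fail (sender IP is 192.0.2.99) smtp.mailfrom=victim@example.net
From: victim@example.net
To: nobody@example-mailer.invalid
Subject: cheap meds

spam body
--b1--
"""

# Constructed sample: an ordinary bounce for mail we really sent; it must pass.
LEGIT_BOUNCE = """\
Return-Path: <>
From: Mail Delivery Subsystem <mailer-daemon@example.org>
To: alice@example.net
Subject: Undelivered Mail Returned to Sender

The address you wrote to does not exist.
"""

if __name__ == "__main__":
    for ip in REVERSE_DNS:
        print(ip, check_connection(ip))
    print("forged:", is_backscatter(FORGED_BOUNCE, ""))
    print("legit: ", is_backscatter(LEGIT_BOUNCE, ""))
```

The backscatter rule is deliberately narrow: it only fires on the null sender, and only when the bounce itself contains an `spf=fail` or `softfail` verdict for our own domain, so a genuine DSN for mail we sent is untouched. Whether the DNSBL lookup answers at all (and which 127.0.0.x code it returns) is a property of the live zone, which is why the lookup is stubbed here.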
So-called good economic models
Lots of business models work well in terms of making money and badly in terms of the external costs borne by everyone else. Spam qualifies as one of those economic models, and the model deserves to be disrupted and even broken to increase the value of the Internet for everyone else but the spammers. The zombots are only one of the uglier parts of the economic model that drives the spammers, but at the bottom there are human suckers who feed the spammers.
Hey, why not leverage the LARGE number of people who hate spam against the SMALL number of suckers who feed the spammers? It can be purely voluntary, but if it's easy enough then a significant number of the spam-haters will cut the spammers off from the cash. I'm not saying the spammers will become decent human beings. They started as sociopaths and will always be sociopaths, but they can be urged to crawl under less visible rocks.
My suggestion is an improved anti-spam system integrated into the major Web-based email systems. It would have several rounds of increasingly refined analysis seeking to disrupt EVERY part of the spammers' infrastructure, pursue ALL of the spammers' accomplices, and help and protect EACH victim of the spammers.