Spammers survive botnet shutdowns
Posted in: Spam at 19/03/2010 16:56
Spam levels have not been dented by a series of strikes against controllers of networks of hijacked computers.
Early 2010 has seen four such networks, or botnets, tackled via arrests, net access cutoffs and by infiltrating command systems.
The successes have not inconvenienced hi-tech criminals who found other routes to send spam, say experts.
And, they add, despite falling response rates, spam remains too lucrative for criminals to abandon.
Trend Micro Threat Research Report: 9 Million ZeuS Attacks Blocked by Trend Micro in the Last 6 Months [news release]
Trend Micro has seen a recent rise to an average of around 300 unique ZeuS samples per day, according to a recent threat report that examines the Eastern European criminal enterprise behind one of the world's most prolific crimeware kits, designed for wholesale monetary theft. Trend Micro observed more than 13,000 unique ZeuS samples in January 2010 alone.
"ZeuS is nothing new - we've seen it at work for years. But what's alarming is the recent rise in attacks," said Raimund Genes, CTO of Trend Micro. "It's one of the most notorious security threats to Internet users and Trend Micro is fighting back: In the last 6 months, we've blocked about 9 million ZeuS attacks and we're not stopping."
For the greater part of last year, Trend Micro found that ZeuS variants were also being distributed via the Avalanche botnet, a fast-flux botnet that sent spam messages en masse. The spam runs imitated several popular social networking sites. The cybercriminals behind the operations even copied the email messages and Web sites of U.S. government institutions such as the Federal Deposit Insurance Corporation (FDIC), the Centers for Disease Control and Prevention (CDC), the Social Security Administration (SSA), and the Internal Revenue Service (IRS).
Another significant feature recently added to current ZeuS versions is "Jabber" functionality. Jabber is an open instant messaging protocol (standardised as XMPP), and JabberZeuS is a ZeuS variant in which the credentials stolen during a banking session are relayed in real time to the ZeuS botmaster via instant messages, so that the botmaster can immediately log in to the same account, undetected, using the same credentials as the victim.
According to Trend Micro research, BREDOLAB and ZeuS are separate tools that are freely available in the cybercriminal underground. Their uses complement each other, which is why they are often seen together. While ZeuS specializes in stealing information from infected systems, BREDOLAB enables cybercriminal organizations to deliver any kind of software to victims. Once a user's machine is infected by BREDOLAB, it receives regular malware updates in the same way it receives software updates from the user's security vendor.
Poor economy fueling ZeuS
The success of ZeuS is partly attributed to cybercriminals' ability to recruit money mules, who move the stolen money around, through bogus work-from-home scams. Given the current economic situation in the United States, with millions of people out of work, cybercriminals know they have a high success rate in recruiting accomplices.
Work-from-home recruits are instructed to provide their bank account information, which the cybercriminals use to wire money from compromised online bank accounts to the money mules in amounts of less than US$10,000, indicating that they are fully aware of banking alert limits. The money mules then wire the money on to Eastern Europe.
How can companies protect themselves?
Designed to quietly steal banking information and other sensitive data, the ZeuS botnet can turn itself off to remain undetected. Trend Micro offers the most advanced technology and expertise to immediately eliminate botnet attacks. The Trend Micro™ Smart Protection Network™ provides instant, real-time protection and is the infrastructure behind Trend Micro products. It correlates more than 20 billion emails, Web sites and files a day, using that data to immediately identify and respond to the latest emerging threats.