<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; botnet</title> <atom:link href="http://www.ghacks.net/tag/botnet/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 16:53:42 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>University Of California: 3 Banks Can Stop Majority Of Botnets</title><link>http://www.ghacks.net/2011/07/01/university-of-california-3-banks-can-stop-majority-of-botnets/</link> <comments>http://www.ghacks.net/2011/07/01/university-of-california-3-banks-can-stop-majority-of-botnets/#comments</comments> <pubDate>Fri, 01 Jul 2011 12:05:41 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[spam]]></category> <category><![CDATA[study]]></category> <category><![CDATA[university of california]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47272</guid> <description><![CDATA[I never really understood why it was this difficult to identify the people benefiting from running a botnet. I mean, while it is relatively easy to use chained proxies, middlemen and other means to stay anonymous, it is not as easy to anonymize the flow of money. Eventually, the money will land at the people [...]]]></description> <content:encoded><![CDATA[<p>I never really understood why it was this difficult to identify the people benefiting from running a botnet. I mean, while it is relatively easy to use chained proxies, middlemen and other means to stay anonymous, it is not as easy to anonymize the flow of money. Eventually, the money will land at the people who run the botnet.</p><p>A recent study by the University of California, entitled Click Trajectories: End-to-End Analysis of the Spam Value Chain, comes to a similar conclusion, albeit from a different point of view.</p><blockquote><p>95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks.</p></blockquote><p>According to the university&#8217;s study the most effective approach to taking down botnets is to stop the money flow at the bank level.</p><p>Considering that it is only three banks that &#8220;provide the payment servicing for over 95% of the spam-advertised goods in [the] study&#8221; it is safe to say that payment processing is the biggest bottleneck in botnet operation.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/07/botnet-processing-600x266.png" alt="botnet processing" title="botnet processing" width="600" height="266" class="alignnone size-medium wp-image-47274" /></p><p>The researchers analyzed other possible bottlenecks, domain registrars and hosting companies for instance, but came to the conclusion that this angle was not as effective as the payment processing angle:</p><blockquote><p>For example, while only a small number of individual IP addresses were used to support spam-advertised sites, the supply of hosting resources is vast, with thousands of hosting providers and millions of compromised hosts. The switching cost is also low and new hosts can be provisioned on demand and for low cost.</p></blockquote><blockquote><p>By contrast, the situation with registrars appears more promising. The supply of registrars is fewer (roughly 900 gTLD registrars are accredited by ICANN as of this writing) and there is evidence that not all registrars are equally permissive of spam-based advertising. Moreover, there have also been individual successful efforts to address malicious use of domain names, both by registries (e.g., CNNIC) and when working with individual registrars (e.g., eNom). Unfortunately, these efforts have been slow, ongoing, and fraught with politics since they require global cooperation to be effective (only individual registrars or registries can take these actions). Indeed, in recent work we have empirically evaluated the efficacy of past registrar-level interventions and found that spammers show great agility in working around such actions. 
Ultimately, the low cost of a domain name (many can be had for under $1 in bulk) and ease of switching registrars makes such interventions difficult.</p></blockquote><p>When it comes to payment processing and banks, the researchers concluded:</p><blockquote><p>Finally, it is the banking component of the spam value chain that is both the least studied and, we believe, the most critical. Without an effective mechanism to transfer consumer payments, it would be difficult to finance the rest of the spam ecosystem. Moreover, there are only two networks—Visa and Mastercard—that have the consumer footprint in Western countries to reach spam’s principal customers. While there are thousands of banks, the number who are willing to knowingly process what the industry calls “high-risk” transactions is far smaller. This situation is dramatically reflected in Figure 5, which shows that just three banks provide the payment servicing for over 95% of the spam-advertised goods in our study. More importantly, the replacement cost for new banks is high, both in setup fees and more importantly in time and overhead. Acquiring a legitimate merchant account directly with a bank requires coordination with the bank, with the card association, with a payment processor and typically involves a great deal of due diligence and delay (several days or weeks). Even for so-called third-party accounts (whereby a payment processor acts as middleman and “fronts” for the merchant with both the bank and Visa/Mastercard) we have been unable to locate providers willing to provide operating accounts in less than five days, and such providers have significant account “holdbacks” that they reclaim when there are problems. Thus, unlike the other resources in the spam value chain, we believe payment infrastructure has far fewer alternatives and far higher switching cost.</p></blockquote><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/07/takeover-effectiveness.png" alt="takeover effectiveness" title="takeover effectiveness" width="600" height="245" class="alignnone size-full wp-image-47275" /></p><p>The study, available here as a pdf document, confirms that the most effective way to seriously impact the operation of botnets is at the payment processing level.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/07/01/university-of-california-3-banks-can-stop-majority-of-botnets/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>&#8220;Indestructible&#8221; Botnet Discovered</title><link>http://www.ghacks.net/2011/07/01/indestructible-botnet-discovered/</link> <comments>http://www.ghacks.net/2011/07/01/indestructible-botnet-discovered/#comments</comments> <pubDate>Fri, 01 Jul 2011 08:18:44 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[tdl]]></category> <category><![CDATA[trojan]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47209</guid> <description><![CDATA[Security and operating system companies have been very successful in the last year in taking down major botnets, networks of malware-infected PCs that can act in unison under remote control to perform distributed denial of service (DDOS) attacks and send huge volumes of spam email.  Now a new botnet, named TDL, has been discovered that is very [...]]]></description> <content:encoded><![CDATA[<p>Security and operating system companies have been very successful in the last year in taking down major botnets, networks of malware-infected PCs that can act in unison under remote control to perform distributed denial of service (DDOS) attacks and send huge volumes of spam email.  Now a new botnet, named TDL, has been discovered that is very difficult to detect and shut down.</p><p>Over four and a half million PCs have become infected with the TDL trojan in the last three months.  In a report on the new botnet, security researchers at <a
href="http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot" target="_blank">Kaspersky labs</a> said &#8220;The owners of TDL are essentially trying to create an &#8216;indestructible&#8217; botnet that is protected against attacks, competitors, and anti-virus companies.&#8221;</p><p>TDL installs itself into the Master Boot Record of Windows, where anti-virus programs often fail to look and uses a new encryption method for protecting communication between the infected PC and the operators.  This makes it very difficult to trace the traffic from the PC and locate the people controlling the botnet.</p><p><img
class="alignleft size-full wp-image-47228" src="http://www.ghacks.net/wp-content/uploads/2011/07/computer-virus11.jpg" alt="botnet" width="175" height="176" />In addition, this botnet doesn&#8217;t use direct communication between machines, but instead uses a peer-to-peer system, such as those used in file sharing.  This decentralises the communication, making it even harder to trace.</p><p>In their report the researchers said &#8220;It&#8217;s definitely one of the most sophisticated botnets out there.&#8221;</p><p>The majority of infections so far have been reported in the USA (28%) with India second in the infected list at 7%.  The infection rates are rising sharply though, and there&#8217;s been no reporting yet from Microsoft on whether the enhanced protection and security in Windows 7 will help defend against infection.</p><p>It&#8217;s clear that the best way to fight the TDL trojan so far will be in individual machines, though it is still common for millions of people to leave their computers open to infection by not understanding the risks involved and how they can protect against them.</p><p>There are also still millions of people running Windows XP and the hugely insecure Internet Explorer 6 web browser.  This will aid the distribution and infection rates for TDL.  Finally it is critically important that people have Windows Update activated on their computers.</p><p>The trojan has been distributed via booby-trapped websites.  
It has so far been discovered lurking on porn and pirate movie websites, along with some sites offering storage for photos and video files.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/07/01/indestructible-botnet-discovered/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>Hacking Group LulzSec&#8217;s Activity Over The Weekend</title><link>http://www.ghacks.net/2011/06/06/hacking-group-lulzsecs-activity-over-the-weekend/</link> <comments>http://www.ghacks.net/2011/06/06/hacking-group-lulzsecs-activity-over-the-weekend/#comments</comments> <pubDate>Mon, 06 Jun 2011 07:32:00 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[lulzsec]]></category> <category><![CDATA[nintendo]]></category> <category><![CDATA[sony]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=46095</guid> <description><![CDATA[LulzSec is certainly going to make a name for themselves at the rate they are going. The hacker group claims responsibility for the recent major attacks against Sony and PBS’s websites as we have written about, compromising well over an incredible number of users’ security information and exposing the poor security of both companies. Despite [...]]]></description> <content:encoded><![CDATA[<p>LulzSec is certainly going to make a name for themselves at the rate they are going.  The hacker group claims responsibility for the recent major attacks <a
href="http://www.ghacks.net/2011/06/04/sony-hacked-again/">against Sony</a> and PBS’s websites as we have written about, compromising well over an incredible number of users’ security information and exposing the poor security of both companies.</p><p>Despite having successfully orchestrated a major hack on Sony just a few days ago, they announced Friday that they had successfully infiltrated the Atlanta chapter of Infragard.  For those not in the know, Infragard is an FBI affiliate.  The hackers then uploaded Infragard’s user database to the internet, compromising security for the company and its affiliates.  An associated company’s use of botnets was exposed as well, claims the group, and they are claiming that the documents they exposed also reveal an attempt by someone involved to pay LulzSec not to expose the breach.</p><p>LulzSec actually took complete control of Infragard’s Atlanta Chapter website, defacing it.  One of their main reports was that while there were not many logins (around 180), all of them were affiliated with the FBI in one way or another.</p><p>Ironically, <a
href="http://www.infragard.net/">Infragard</a> is a private-public partnership between the FBI and US businesses.  Their business is “designed to protect IT systems from hacker attacks and other intrusions.”  It would appear they are going to have to rethink their security protocols.</p><p>LulzSec really seems to be driving home the intense need for appropriate security measures to be taken by companies who are holding extremely valuable personal information for clients.  One “weak link” can expose literally thousands of networks to a security breach, as was well demonstrated by their exposure of Karim Hijazi’s indiscretions when it came to his password.  It must be understood that reusing passwords in several different places is frowned upon by both the FBI and Infragard handbooks and, indeed, by any person or organization concerned about security.</p><p>The attack on Infragard exposed Hijazi’s repeated use of his Infragard password in other places, including accounts of his personal business as well as his personal e-mail.  Hacking one system gave them access to all of the major information Hijazi was privy to, compromising not only his own security, but that of the FBI, Infragard, his personal business, all of his clients as well as his personal activities.  Particularly interesting to note is the fact that Hijazi’s personal business, “Unveillance” is a whitehat company that specializes in data breaches and botnets.  LulzSec reported on their website that Karim was contacted personally by them and told all that they had done and that he purportedly offered them money in exchange for eliminating his competitors by illegal hacking means and for their silence.  
Supposedly they even discussed plans for him to give them insider information regarding his botnet information.</p><p>Hijazi issued a public statement shortly thereafter and is quoted here:</p><blockquote><p>Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as &#8220;LulzSec.&#8221; During this two week period, I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies and individuals at risk of massive Distributed Denial of Service (DDoS) attacks.</p><p>In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities.</p></blockquote><p>While this author cannot vouch one way or the other for the truth of Hijazi’s or LulzSec’s claims, she can provide the last response from LulzSec regarding Hijazi’s claims:</p><blockquote><p>Karim compromised his entire company and the personal lives of his colleagues, then attempted to silence us with promises of financial gain and mutual benefits &#8230; [he] used the same password for all of his online accounts and all accounts linked to a company he owns. Then he tried to bargain with hackers so his company wouldn&#8217;t crumble.</p></blockquote><p>Regardless of whose claims are the complete truth, one thing is for certain: LulzSec is not playing around.  
Companies holding vitally sensitive information would do well to make sure their security protocols are truly secure, for their own sakes as well as the sakes of the clients who trust them.</p><p>As a side note, as this article was being written, it has come out that LulzSec has hacked Nintendo as well, though Nintendo claims that no user information has been compromised. We will update this article as more information becomes available.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/06/hacking-group-lulzsecs-activity-over-the-weekend/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Why we Need Technology Transparency Info for Websites</title><link>http://www.ghacks.net/2011/04/04/why-we-need-technology-transparency-info-for-websites/</link> <comments>http://www.ghacks.net/2011/04/04/why-we-need-technology-transparency-info-for-websites/#comments</comments> <pubDate>Mon, 04 Apr 2011 09:43:38 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[server]]></category> <category><![CDATA[sql]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[web]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43438</guid> <description><![CDATA[It&#8217;s been over a decade now that we&#8217;ve had secure socket layer (SSL) encryption technology for making Internet transactions safe. With only a very few exceptions, including a certificate cloning scare a couple of years ago, it&#8217;s worked very well and has enabled millions of people online to perform trillions of online purchases and financial [...]]]></description> <content:encoded><![CDATA[<p>It&#8217;s been over a decade now that we&#8217;ve had secure socket layer (SSL) encryption technology for making Internet transactions safe. With only a very few exceptions, including a certificate cloning scare a couple of years ago, it&#8217;s worked very well and has enabled millions of people online to perform trillions of online purchases and financial transactions.</p><p>Last week however thousands of websites running Microsoft SQL Server 2003 and 2005 were hit by cyber-criminals with an attack designed to circumvent their security. The attack injected code into the servers that meant every visitor thereafter would be greeted by a message saying their computer had been infected by hundreds of viruses.</p><p>This of course wasn&#8217;t true, it was a way to trick people into paying for a downloadable trojan that would <em>clean</em> the virus problem but would really install botnets, keyloggers and more onto your PC. Worse, in paying for this software, the criminals would then have your credit card details&#8230; or more!</p><p>This attack could have compromised 28,000 websites according to some reports and is frightening news, especially for all those of us with personal data held by web companies A, B and C.</p><p>This brings me back to SSL. 
If we want to shop online then for over a decade our web browsers have been able to warn us whether or not the information we send is being encrypted, and if that website is deemed safe for financial transactions or for the exchange of personal data.</p><p>Then we have companies including Microsoft and Google maintaining blacklists of unsafe websites, shared between them and anti-virus companies, to warn us further of malware-ridden websites by turning our browsers red.</p><p>What we don&#8217;t have are warnings about how secure the underlying technology on a website is, and whether we can trust <em>that</em>.</p><p>There&#8217;s no reason why this would be hard to do either, an encrypted file located on the server (probably with the SSL certificate) that could be read by the browser and certificated by a third-party would be all that would be needed, after all this is tried and tested technology. This file would contain information about the hosting on that computer, what operating system version it runs and the versions of what other technologies it is using.</p><p>In the cases outlined above a system such as this would have warned visitors to the websites that the sites they were visiting and trusting their personal information to, were using older technologies that, even when properly patched, could be vulnerable to attack.</p><p>Indeed many people who already know about such things, might choose to steer clear of all servers running Windows in favour of those running Linux and MySQL.</p><p>It truly amazes me that we don&#8217;t already have a system such as this but I&#8217;m even more stunned that so many companies and hosting firms are using technologies on their website that are almost a decade old. 
So come on people, agree a standard by which, within a small margin of error, we can see a traffic light of how secure our personal information will be on a website before we hand it over.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/04/why-we-need-technology-transparency-info-for-websites/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Global Spam Levels in Mysterious Month-on-Month Fall &#8211; Update</title><link>http://www.ghacks.net/2011/01/11/global-spam-levels-in-mysterious-month-on-month-fall-update/</link> <comments>http://www.ghacks.net/2011/01/11/global-spam-levels-in-mysterious-month-on-month-fall-update/#comments</comments> <pubDate>Tue, 11 Jan 2011 08:55:12 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[rustock]]></category> <category><![CDATA[spam]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=38868</guid> <description><![CDATA[Yesterday I wrote here that global spam levels had dropped mysteriously month on month since August 2010 from a high of about a quarter of a trillion messages a day to about 50 billion.  Just to show how quickly everything can change in the world of technology, it all suddenly changed again yesterday. New reports [...]]]></description> <content:encoded><![CDATA[<p>Yesterday I wrote <a
href="http://www.ghacks.net/2011/01/10/global-spam-levels-in-mysterious-month-on-month-fall/#Scene_1" target="_blank">here</a> that global spam levels had dropped mysteriously month on month since August 2010 from a high of about a quarter of a trillion messages a day to about 50 billion.  Just to show how quickly everything can change in the world of technology, it all suddenly changed again yesterday.</p><p>New reports came in shortly after I wrote the article that the Rustock botnet, which has been responsible for as much as 48% of all global spam and which went suddenly and inexplicably silent in December has sprung back into life.</p><p>Overall, the level of spam sent worldwide is still down considerably on previous levels and there is still no apparent reason for this.</p><p>In an interview with the <a
href="http://www.bbc.co.uk/news/technology-12154118" target="_blank">BBC</a>, Alex Cox of NetWitness said &#8220;As best we can tell, they took a holiday. The people running Rustock are running a business &#8211; albeit an illegitimate one &#8211; so maybe they needed time off too.&#8221;  This was the best guess anyone so far has been able to offer.</p><p>Rustock was expected to have sent out 67 billion spam emails yesterday, more than doubling the amount sent worldwide the day before.</p><p>While Rustock has restarted its activities, it is too soon to say, according to security experts, whether spam levels will again reach the volumes we saw back in August.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/01/11/global-spam-levels-in-mysterious-month-on-month-fall-update/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Global Spam Levels in Mysterious Month-on-Month Fall</title><link>http://www.ghacks.net/2011/01/10/global-spam-levels-in-mysterious-month-on-month-fall/</link> <comments>http://www.ghacks.net/2011/01/10/global-spam-levels-in-mysterious-month-on-month-fall/#comments</comments> <pubDate>Mon, 10 Jan 2011 08:43:41 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Spyware]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[spam]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=38833</guid> <description><![CDATA[It&#8217;s been reported that the total volume of global spam email that is being sent has fallen, month-on-month since the beginning of August 2010 and nobody knows why. The fall, which you can see in the graph below, shows a steady decline from almost a quarter of a trillion messages every day to just 50 [...]]]></description> <content:encoded><![CDATA[<p>It&#8217;s been reported that the total volume of global spam email that is being sent has fallen, month-on-month since the beginning of August 2010 and nobody knows why.</p><p>The fall, which you can see in the graph below, shows a steady decline from almost a quarter of a trillion messages every day to just 50 billion now.  The largest drop was seen over the Christmas period when the total volume of spam halved in just a few short days.<br
/> <img
class="aligncenter size-full wp-image-38834" src="http://www.ghacks.net/wp-content/uploads/2011/01/50693301_spam_vol_464.gif" alt="global spam levels" width="464" height="371" /><br
/> Security experts are warning that the lull may not last though they are at a loss to explain why the global spam levels have dropped so far and so regularly in recent months.</p><p>While authorities, especially in the US which generates the most spam worldwide, have had great success in the last year closing illegal operations, these were a drop in the ocean overall.  According to a report by the <a
href="http://www.bbc.co.uk/news/technology-12126880" target="_blank">BBC</a>, botnets are responsible for the majority of spam and the largest of these, Rustock, was at its peak responsible for up to 48% of all global spam.  By December however Rustock was responsible for only 0.5% of global spam.</p><p>Around the same time two other global spam botnets also went quiet.</p><p>While we have seen global drops in spam before, it is uncommon for a drop to last so long.  It will be interesting to see if the levels rise again or if they will continue to drop for the next few months.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/01/10/global-spam-levels-in-mysterious-month-on-month-fall/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Network Security Software Bothunter</title><link>http://www.ghacks.net/2008/12/18/network-security-software-bothunter/</link> <comments>http://www.ghacks.net/2008/12/18/network-security-software-bothunter/#comments</comments> <pubDate>Thu, 18 Dec 2008 07:31:53 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[bothunter]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[computer network]]></category> <category><![CDATA[Computer Security Software]]></category> <category><![CDATA[network scanner]]></category> <category><![CDATA[network security]]></category> <category><![CDATA[network security software]]></category> <category><![CDATA[windows security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=9149</guid> <description><![CDATA[Bot networks are still a huge threat on the Internet. They are usually established with the use of computer worms that exploit old and new security vulnerabilities. A network security software like Bothunter can be helpful in determining if a computer network has been compromised. It does so by analysing the communication in the local [...]]]></description> <content:encoded><![CDATA[<p>Bot networks are still a huge threat on the Internet. They are usually established with the use of computer worms that exploit old and new security vulnerabilities. A network security software like Bothunter can be helpful in determining if a computer network has been compromised. It does so by analysing the communication in the local network.</p><p>The software has been designed to discover communication patterns that are typical for malware infected computers. While Bothunter has been designed as a network security software that can analyze the traffic of the network it can also be used to analyze a single computer or basic home network.</p><p><a
href="http://www.bothunter.net/">Bothunter</a> is supplied as a Linux or Windows version. The Linux version comes as an installation but also in the form of a live CD that can be used from any computer that is capable of booting from CD and compatible with Ubuntu Linux.</p><p><span
id="more-9149"></span><img
src="http://www.ghacks.net/wp-content/uploads/2008/12/network_security_software-500x276.jpg" alt="network security software" title="network security software" width="500" height="276" class="alignnone size-medium wp-image-9150" /></p><p>Bothunter needs some configuration in the beginning. Most home users will only need to enter the local network IP which they can discover this way:</p><blockquote><p>Click the Windows desktop Start Menu, Control Panel, Network Connections.   Find the local area connection that is &#8220;Connected&#8221;. Double click the connected network icon.  Click the Support Tab.  Your IP address will be listed.</p></blockquote><p>Optional data like the IP address of SMTP servers or DNS servers can be entered if they are used in the computer network. Home users usually leave this information blank. The only other information needed is the network adapter that should be used to scan and analyse the computer network.</p><p>Once that is done the network security software will scan the computer network in two minute intervals and display any potential bot infection in the interface.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/12/18/network-security-software-bothunter/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> </channel> </rss>
