IT Security Blog

24 July 2009

How Many Malicious Web Sites are Created Daily?


Do we really know?  Recent research would say that we don't.

In late April two conflicting articles were published. One, posted at IT Brief and apparently supported by AVG, states that 250,000 malicious web sites are created every day; the other, published by Security Pro News, says MessageLabs puts the figure at 3,500 new malicious sites daily.

So, which is it?  The truth, in my opinion, is that we don't really know.  What neither article discusses is the increase in compromises of legitimate sites by trojans like Gumblar.  The number of compromised legitimate sites is also harder to quantify, because there are likely far more of them out there than are currently known.
One thing does appear certain: we have reached the tipping point, with the web overtaking email as the primary threat vector for the distribution of malware.
Posted by smasiello at 10:57 AM | 0 comments
17 December 2008

CAN-SPAM Celebrates 5 Years!


Happy 5th Birthday to the CAN-SPAM Act (The Controlling the Assault of Non-Solicited Pornography and Marketing Act) of 2003!  The CAN-SPAM Act was the brainchild of Senators Burns of Montana and Wyden of Oregon in April 2003 before undergoing some revision and being signed into law by President Bush on December 16th, 2003 (ok, so the real birthday was yesterday).  The CAN-SPAM Act took effect on January 1, 2004.

Although it has become the standard by which ESPs enforce compliance on the part of their customers, the Act has largely been ignored by spammers.  MX Logic has been tracking adoption of the CAN-SPAM Act since its inception, and even at its peak, in May 2004, only about 3% of all spam was in compliance.  Compliance has typically hovered around 0.2-0.3% since 2005.  As a result, many have resorted to calling it the U-CAN-SPAM Act.

If you are not familiar with the CAN-SPAM act it imposes a number of requirements on commercial email:

-- Ensure that the "FROM" line clearly reflects the sender's identity

-- Include subject line text consistent with message content

-- Include the advertiser's valid postal address

-- Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial email from the sender
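A mechanical check of those four requirements against a single message, written here as an added example (not MX Logic's code and not a legal test); the two sample messages are constructed, and the postal-address and subject-consistency rules are heuristics:

```python
import re
from email import message_from_string
from email.utils import parseaddr

STOPWORDS = {"the", "a", "an", "this", "your", "to", "of", "and", "on", "in", "for"}
# Heuristic US-style postal address: number, street, city, state, ZIP.
POSTAL_RE = re.compile(r"\d{1,5} [A-Za-z0-9.' ]+, [A-Za-z .]+, [A-Z]{2} \d{5}")
OPTOUT_RE = re.compile(r"unsubscribe|opt[- ]?out", re.I)

# Constructed sample that satisfies all four checks.
COMPLIANT = """\
From: Acme Widgets <promo@acme.example>
Subject: 20% off widgets this week
List-Unsubscribe: <mailto:unsub@acme.example>

Save 20% on widgets this week at acme.example.
To stop receiving these offers, visit https://acme.example/unsubscribe
Acme Widgets, 123 Main Street, Denver, CO 80202
"""

# Constructed sample: misleading From line, no postal address, no opt-out.
NONCOMPLIANT = """\
From: Your Bank <x7@randomhost.example>
Subject: Account notice

Buy cheap meds now at http://pills.example/
"""


def check_can_spam(raw):
    """Map each requirement to True/False for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    body_lower = body.lower()
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.partition("@")[2].lower()
    subject_words = {w for w in re.findall(r"[a-z0-9%]+", msg.get("Subject", "").lower())
                     if w not in STOPWORDS}
    return {
        # Display name plus an address whose domain is visible in the body.
        "from_identifies_sender": bool(name and "." in domain and domain in body_lower),
        # At least one substantive subject word actually appears in the body.
        "subject_matches_body": any(w in body_lower for w in subject_words),
        "postal_address_present": bool(POSTAL_RE.search(body)),
        "opt_out_present": bool(msg.get("List-Unsubscribe") or OPTOUT_RE.search(body)),
    }


def is_compliant(raw):
    return all(check_can_spam(raw).values())
```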

As part of the CAN-SPAM Act the FTC was also authorized to create a "Do Not Email" registry, much like the existing "Do Not Call" registry for telemarketing.

We blogged back in October about a loophole in the CAN-SPAM Act: because political email is non-commercial in nature, the Act does not prohibit the mass sending of unsolicited political email.  This opinion drew a good deal of comment, both positive and negative, from both sides of the aisle.

So, as we move forward into 2009 and you toast in the New Year, be sure to raise a glass to the CAN-SPAM Act.  Five years of reducing spam to nobody!
Posted by smasiello at 5:17 PM | 1 comment
26 November 2008

The Honeymoon is Over


Apparently you just can't keep a good botnet down.

As expected, the honeymoon we have been on since the November 11th shutdown of McColo is over.  As we discussed in our previous post about the volume declines after the McColo shutdown, the Rustock botnet was able to update some of its infected machines during the roughly 12-hour period in which McColo was brought back online by TeliaSonera, a Swedish ISP.  Rustock has come back, and come back strong, over the past few days, mostly sending out Canadian Pharmacy spam (one of our all-time favorites).

[Figure: traffic graphs for the Srizbi, Mega-D and Rustock botnets around the McColo shutdown]

Above are traffic graphs for the three major botnets affected by the McColo shutdown.  The big drop-offs for Srizbi and Mega-D both occur on November 12 (the day after McColo was taken offline).  Traffic from the Srizbi and Mega-D botnets has been virtually non-existent since the 12th.

The Rustock spike started on November 20, about 5 days after McColo was temporarily brought back online. 

Just to keep us all on our toes, we've even seen some signs of life from the Storm botnet that most of us had written off for dead.  Although it is felt that some of this traffic was coming from poorly configured Barracuda devices, we're still keeping an eye out in the event that there is potential of this botnet coming back.

Despite the resurrection of the Rustock botnet, overall mail volumes are still down about 30-35% from where they were prior to November 11.  Today, FireEye is reporting that the Srizbi botnet is back under the control of its original owners and that new command and control servers have been registered in Russia.  So it stands to reason that Srizbi will not stay dormant much longer before we start to see spam volumes increasing again.  The last two weeks have been a nice holiday before the holiday, but it looks like we are very quickly getting back to business as usual... and that's just the way I like it!
Posted by smasiello at 1:25 PM | 1 comment
17 November 2008

The Day the Botnet Died


Last week we reported the significant decrease in spam volumes as a result of the shutdown of McColo, a hosting provider that was catering to spammers.  I wanted to take a few minutes and lend a bit more color and data to what we originally reported now that we have had a few days to let the real effect soak in.

We continue to see a decline of over 50% in total mail flow (all of it spam).  In fact, that percentage appears to have leveled off at over 60%: a bit lower than the 75% reduction some are reporting, but no matter how you slice it the effect has been more than significant.

Below is a graph outlining hourly mail flow patterns since November 1:
[Graph: hourly mail flow since November 1]

The significant drop-off about two-thirds of the way through the graph correlates directly with the McColo shutdown on 11/11.  According to our stats, that drop-off occurred during the 1pm MST hour on the eleventh.

A couple of botnets in particular appear to have been severely debilitated as a result of the McColo shutdown.  Those are the Srizbi, Rustock, and Mega-D botnets.  Traffic associated with the Mega-D botnet (named such because of its advertisement of male enhancement products) has declined over 95% since 11/11 and Srizbi volume has declined by over 80%.
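One way to locate and size a drop like this in hourly mail counts, and to rank the per-botnet declines, written as an added example rather than MX Logic's own reporting code; the hourly series and the per-botnet figures are constructed:

```python
from statistics import median

# Constructed hourly message counts: roughly 1,000/hour with jitter for 60
# hours, then roughly 350/hour, imitating the shape of the graph above.
HOURLY = [1000 + (i * 37) % 90 for i in range(60)] + [350 + (i * 23) % 40 for i in range(36)]
HOURLY[30] = 200  # a one-hour outage that a sustained-drop detector should ignore


def find_dropoff(counts, window=6, threshold=0.5, baseline_hours=24):
    """Find the first hour at which every count in the next `window` hours is
    below `threshold` times the baseline (median of the first `baseline_hours`).
    Returns (hour_index, fraction_decline) or None if no sustained drop exists."""
    if len(counts) < baseline_hours + window:
        return None
    baseline = median(counts[:baseline_hours])
    for h in range(baseline_hours, len(counts) - window + 1):
        if max(counts[h:h + window]) < threshold * baseline:
            after = median(counts[h:])
            return h, round(1 - after / baseline, 2)
    return None


def per_source_decline(before, after):
    """Percent decline per source (e.g. botnet) between two periods, largest
    first; a source absent from `after` counts as a 100% decline."""
    out = {}
    for src, b in before.items():
        a = after.get(src, 0)
        out[src] = round(100 * (1 - a / b), 1) if b else 0.0
    return dict(sorted(out.items(), key=lambda kv: -kv[1]))
```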

Sophos is reporting that McColo was briefly brought back online this weekend by a Swedish ISP named TeliaSonera.  After receiving many complaints about the matter from security researchers they were taken offline again, but not before the folks responsible for the Rustock botnet were able to release a code update to their bots to point them away from McColo.  It is unclear at this point whether that update was released to a significant base of Rustock infected PCs, but it does breathe new life into a botnet that had briefly been put on life support.  So far today we are not observing any significant effect as a result of the Rustock update. 

Spam percentages have also taken a big hit as a result of the decline in spam volume.  For the past two years we have been reporting spam at about 90% of all email traffic on the internet.  Since the McColo shutdown that figure has occasionally dipped into the low-to-mid 70 percent range, percentages we have not seen since the first quarter of 2006.

Although the short-term effect of the McColo shutdown has been significant, we still do not believe that spam volumes will be affected over the long haul.  Botnets come and go, and malware techniques will continue to evolve.  As Storm declined in volume, botnets like Srizbi, Mega-D, Rustock, Cutwail, and others have been more than ready to pick up the slack.  The punch line to all of this remains the same: the people who can have the most impact in the fight against spam are those providing domain registrar service, DNS service, and ultimately bandwidth to bots and botnet owners.  If bots cannot communicate, they cannot thrive.  The events of the past week have been a perfect example of that.
Posted by smasiello at 11:23 AM | 0 comments
10 April 2008

FBI Releases 2007 Internet Crime Report


Last week the FBI released its Internet Crime Report for 2007, and there are some interesting trends when comparing this report to the past couple of years. 

Total monetary loss as a result of internet crime continues to increase.  Between 2005 and 2007 total loss from cases of fraud went from just over $185M to over $239M.  That's an increase of 30% over two years! 

So, what constituted these losses?
According to the report, Financial Institutions Fraud increased over 400% as a percentage of total complaints received between 2005 and 2007, from 0.5% of complaints to 2.7%.  Computer fraud also substantially increased as a percentage of overall complaints over the same period (1.4% to 5.3%), almost a 300% increase!

That's interesting in and of itself, but how does it translate to real dollars? 

As one might expect (lack of education about the threat, perhaps?), the types of fraud that generated the greatest loss per complaint were actually some of the least prevalent.  In 2005 and 2006, Nigerian Letter Fraud did not even appear in the top 10 list of fraud types, yet it topped the list of loss per complaint at $5,000 and $5,100 respectively.  Compare that to 2007, where it cracked the list at number 10 but accounted for the third-highest loss per complaint at $1,922.  Auction Fraud, the most common fraud complaint in all three years, consistently had one of the lowest loss-per-complaint figures, ranging from $385 (2005) to $602 (2006).  Thanks to the rise of stock pump-and-dump scams, investment fraud topped the 2007 list at $3,547 per complaint!  Interestingly, despite the attention and press these scams have received over the past year and a half, investment scams still did not crack the top 10 complaint percentage list.

How people were contacted in order to be defrauded stayed fairly static between 2006 and 2007, with email leading the charge at just under 74% in both years.  Where the report does show movement, however, is in the increased use of the web and the telephone (vishing) as vectors of communication with victims.  In 2005, the internet and telephone accounted for 16.5% and 4.5% of communication vectors, respectively.  In 2006 and 2007 those numbers were in the low-to-mid 30s for the internet and around 18% for telephone.

So, if you're still with me these obviously are a lot of stats, but what does it all boil down to? 

What this outlines, among other things, is the constantly changing threat landscape and the fact that the least-seen threats are the most dangerous.  As such, it is important not only to educate yourself but to educate your organization about the types of threats that are out there, and to make sure people know what is real and what is not.  So many virus hoaxes, some several years old, still make the rounds on a regular basis that it is easy to see how people get confused about what is viable and what isn't, and why others think internet threats are just the industry crying wolf to get people to keep buying product.  These same threats have also caused a serious drop in consumer confidence in some brands, to the point where many users have developed an aversion to any email or correspondence from them because they have a hard time determining whether a message is a scam.  This loss of confidence has become a serious problem when these brands do send legitimate mail, because their response rates have suffered.

Is there an answer? 

Many solutions have been on the table for quite some time: email authentication technologies like SPF/Sender ID and DomainKeys Identified Mail (DKIM), botnet detection technologies, and brand protection companies that (among other services) monitor for registrations of look-alike domains intended to impersonate common brands in phishing campaigns.  Unfortunately, so much social damage has already been done to these brands, because they are so frequently targeted by phishing and other fraud campaigns, that restoring consumer confidence is an extremely difficult mountain to climb.  I'm not saying that it can't be done, but I am saying that the cyber criminals act much more quickly than some of these technologies can react, and that doesn't appear to be changing anytime soon.
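A minimal form of the look-alike domain monitoring mentioned above, as an added example (not any vendor's product); the brand list, homoglyph table and domain feed are constructed:

```python
import re

BRANDS = {"paypal", "mxlogic", "bankofamerica"}   # protected brand names (constructed)
# Constructed feed of newly registered domains to screen.
NEW_DOMAINS = ["paypa1-secure.example", "rnxlogic-login.example", "bankofarnerica.example",
               "paypol.example", "weather.example", "my-pay-pal.example"]
# Visual substitutions commonly seen in look-alike registrations.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Undo homoglyph tricks and drop separators so 'pay-pa1' compares as 'paypal'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return re.sub(r"[-_]", "", s)


def levenshtein(a, b):
    """Edit distance, for catching single-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain, brands=BRANDS, max_dist=1):
    """Return the brand a domain imitates (embedded or within max_dist edits), else None."""
    label = normalize(domain.split(".")[0])   # leftmost label; the feed uses .example TLDs
    for brand in sorted(brands):
        if brand in label or levenshtein(label, brand) <= max_dist:
            return brand
    return None


def screen(domains):
    """Map each suspicious domain in the feed to the brand it resembles."""
    hits = {}
    for d in domains:
        brand = lookalike_brand(d)
        if brand:
            hits[d] = brand
    return hits
```

Domains the brand owner has registered itself should be removed from the feed before screening, since they will match by construction.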
Posted by smasiello at 11:47 AM | 0 comments
08 November 2007

Congratulations, Italy!

I just wanted to take a moment to offer a dubious congratulations to Italy, which briefly overtook Poland this morning as the #2 spam-sending country in the world (according to our Threat Operations Center stats). The victory was short-lived, however, as Poland has already regained its runner-up spot, still lagging behind the United States. Italy has dropped to third.

Posted by smasiello at 1:51 PM | 0 comments
13 September 2007

Underestimating the Insider Threat

The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks now surpass computer viruses as the most common cause of security incidents within organizations. It also says, however, that the losses incurred are not significant. That insider threats have surpassed viruses in prevalence makes sense to me, but the argument that the damage is minimal does not. Companies have been fighting the virus wars for years now. Granted, insider espionage has been a potential issue for much longer than computer viruses have, but it has generally not received the same level of attention.

It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however, is how easily insiders can obtain potentially damaging company-confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe the reason companies say that losses from the insider threat are not their biggest cost is that they don't know how to estimate the damage.

Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?

I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?", rather "When will you have a security incident?" and are you equipped to respond?

We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.

Do not underestimate the insider threat and the ease with which insiders can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage or deletion already has access to the information they need; they don't have to break in or be sneaky to get it.

Posted by smasiello at 8:49 AM | 1 comment