Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Warezov Botnet Is Back in the Spam Game



 By: Brian Prince
2008-10-16
Article Rating:starstarstarstarstar / 6


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
SecureWorks is reporting that the Warezov botnet is back spewing spam--this time using compromised Hotmail accounts. Whoever is behind the spam campaign has defeated Microsoft Hotmail's CAPTCHA system and is part of a trend security researchers call "reputation hijacking."

Just as the Storm botnet appears to have died down, the Warezov botnet has once again reared its head.

New research from SecureWorks shows the Warezov botnet has begun spamming againbut this time, its tactics have changed. Having apparently defeated CAPTCHA, the bot is using a tool to spew spam via Microsofts Hotmail service.

The activity highlights a disturbing trend among spammers known as "reputation hijacking." In its recent "E-mail Trends Security Report," security vendor Commtouch noted spammers are increasingly capitalizing on the good reputations of established sites and senders to bypass reputation-based e-mail defenses.

It's unclear just how CAPTCHA was defeated in this case, but it is commonly known the system has been beaten by spammers via optical character recognition or human "account farming" operations, Joe Stewart, director of malware research at SecureWorks, wrote in a posting on the company's Web site. 

Resource Library:

The resurgence of spam from Warezov comes after months of inactivity following the January indictment of Alan Ralsky and 10 others on charges of illegal spamming tied to a "pump-and-dump" scheme. According to Stewart, it is unknown whether Warezov was used by Ralsky or if the botnets true operators got nervous after his arrest. Whatever the case, the botnet ceased sending spamuntil recently.

On or about Oct. 7, Warezov began spamming againexcept now, rather than send direct-to-MX spam as before, it has begun abusing Hotmail. While monitoring a bot, SecureWorks observed it had been given a list of Hotmail usernames and passwords that appeared to be automatically generated. Each username was used to send a few e-mails, with an average of five recipients each to defeat any rate-limiting imposed by Hotmail to thwart this type of activity, Stewart wrote in his post.

I think the reason for the trend toward reputation hijacking is that it's getting harder to send spam direct to MX from zombie computers, Stewart said later in an interview with eWEEK. Blacklists like the CBL [Composite Block List] are consistently getting better at flagging bot-infected IPs. The PBL [Policy Block List] is blocking large ranges of networks where dial-up/residential bots are located, even without seeing them send any spam first.

Anyone using Spamhaus' blacklists to block spam is cutting out a lot of the direct-bot spew, making the reputation hijacking of major Webmail providers a good way for spammers to reach sites using IP blacklists, he said.

SecureWorks has also seen a trend toward Webmail reputation hijacking by other malware such as Wopla and Hotlan, Stewart noted in the posting. However, the trend may be short-lived because, unlike SMTP (Simple Mail Transfer Protocol), which is a universal and stable protocol, creating Webmail accounts and sending spam through them requires that the spammer constantly change the botnet code to adapt to protection methods employed by the Webmail service.

While that may sound similar to what spammers have been doing for years, there is a difference, Stewart wrote in the posting. Before, spammers had to adapt their content to defeat filters. Now, they have to adapt to changes in the Webmail system, which requires them to pay for highly skilled programmers and possibly other services to maintain their spamming capacity, he explained.

In light of how spammers are defeating CAPTCHA, the best defense for Webmail providers is a multipronged approach such as limiting how many messages per hour a particular account can send or how fast one IP address can register accounts, Stewart said.

If you are OK with forcing your users to have JavaScript enabled, you can use Pramana's HumanPresent system instead of CAPTCHA, he advised during the interview. Also, standard anti-fraud stuff like checking IPs against proxy blacklists or watching for patterns of suspicious usernames being registered. When the spammers discover they just aren't able to send the volume of mail they expected, they will hopefully give up and target another service. But then it becomes someone else's problem.

 






  Reader Comments: Warezov Botnet is Back in the Spam Game
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}kwȲZz>B`Y0ކ;Yw-XHڒCΟ8_κ[zG9'ɲ RuOEHVuLJ>;{Dj{{?WP|oQrevuV3 Ѩizz]5Uh򩛩p ׭YFშ 'UCЖL1|1ժ1Uԓql͎~e0c-NQ:)֐NU7MZP8&9ˉ]mHB<47(>-_T| m߷Tudžž=a\4>ʯш(@osNȀY'F FC~j 11v 45m *cO^3 a` ~5a ٷ]vT0"N%ߝq8I hlD`qIR#fmSOÑcPWMۅ)J T*a7#uj05Tx%y5F@c[R z!1Iͤ'QO#!_TBbp` V?J1yh OLÃ;ɟ;0˶ȭB¿jxkW:߂CUҏ5_M|Yb>>CNH ?yUoBa}ŗtٮE&.U38cYVn`ELCZԗ5$GJ.wR(rG'[>{oX}5bRf;Y͞ժ͛{\IsNuq!>GA jmkh[#B:}rl i H|$Vj}&* DET*Nq&`0i>& t<_B^,: x[^ICvhqnaE4b™EQrG,i!?[u$uyYf0R.%daJ{3B~34V7獛ke{#kh~l5{ KtHu W: ?N[lxnuH25u=k2 `RR<[d_ݳ&iuF2,do];m`HU-@mܼ̐L\ Yk R(Y3k)ߺN@7lX`@8+YO7|SK3㮚9nZK}0Fp& \ ДAC[ش 1"%_su\—V/(!_.[jJ|*ٛ"K;zL\RRC1Al8{È&Q*뇹(L\֛esJt]E1=wmk\;o һ^*>cq4U`A-! hZT7Qd:o76)B!4)߃&rNtf[ԒLPòÔNG|y; VaN:uNlZ{>:AETi#Ţh. _&h`CZ} L_a#^ui6[W < J!pN=xS9LL@#wCߠh&]I-ۃ!7? ; K`rm;xk #`D9+wCPb,TI=v@ơ@XTںMy `/lz:4L03šF\IQ 12r)%s⣋ 4.g@)AH =m99 Ŋ?H~|#!bxENk@ =Jxvn,BV-KPf%e2iiڪ̈́(V=B`&Qea*0pRx5Vn-`oNR>и79[9bi]^yOg:l`a HC";. : h?v{ g>n~l9:V3+X5g?q}a] {9wtݲ٠0̩aqbh:_Aa!teB`9.{cTϒw*,*-vK-b[r {2 yvv[=nQ6Xj7ZuϙϧܑMú[> %](TuΩHJ&k*HL3jmy6y{2+kM'W̭r1r@ +O)XScX`D~w ~b0m/n)hOaࣇV|\vTg˺z+fYz#U/KX<?ub@,Hohm_xmP2D֑Rkl̅Ӳ=4Pr< x EQ܆8TSc  X῔\Pս )Kӈ0q|9Z/k<-`CaPe|CIKgelxuC69zoŸa[X*gbː 3 sN7,hy^b&s(Ḡ5ߓq bb=Eߝ;\w9:j-aY1Juߖ>Q:ϯM V0 ҇D30`  Fz9_GwLR^)"zjٰT%+*2WDT0pn@Aѹ(٩ 7C4a@.,Wa"'6sхڣ.~?CÜU^bx.$rP#rɑ/)J|re\̠ 3y*(Si>L*}SUrJAa߯YQPZمHB&*dH}tݣkop7Phd/+_ hėX_K3$J1N*wY@o&1 zgxٲֆGydq̤ͬN#|5{L{g9~re%k jMsE9\C5HzF{_ 渌{enR#Bchhwy8J>_uhRQpgOY9޸^:9ez6eVA~Xev7Q* 5 УRv3Gn-K_1da:>Af7pu(*=% k@X-vGfGyXc2(Yק>S'w+eE͗sV6r5 "K8.h!2"_Թ>즿f} PXkbW+ `qUDb9Hő1'S6PFzJGXb!wq#{F Ó!wGO=_:ji[tHky13vfm"XvqW$#V KF*U[YW ִ|E*I3J|{Ķ\,2'?'̅B:!`TRx(xi3R)W.~83Ax' "Bk:c#|My.,9Ɨ^w/)ɡXXD>WZTGe";QP(k\|7\}?؇QWrObP$/IRi٦]2;;ރHCޯb.c率VqL y.{ٗV1ca<=sW^^VrlgJRۀeYj]6:&﮻.RSi\P K1ND1:dKC8^;隷a~hy# qD&~p:wK%9n{͏v)GwD's5AN:ڥz% h!DHv~{ly\3 MFd1SV5!i=52l%zFk--ҽn49`pB|0| ^k%><3`nX Jv񄽔coEw|}k`!fx L\ r'@RPOh[#U)7WK0NwfI`+f+ƭ> $u"SPAO&e|>!I^;"Uc8L ]V)gTDSB'k'q^VⲞP6T$3 Qˣfr5Z!.=[Ur{@شƧ{>wg%λF$ k2kt%85(~B}XyKOw4Ţb'k`UKs ŏE~xo'gxhSZCEV9fuϏU*GGeN-ß,-Ob|/F 9ʼSy`Zu +;Noݓw3k{P̵jRs2fGTmBNj{`ճ|c4GלN(f&x.$o-耝JE(ЪEJrc qmGT!_mʲ'q!z1Fa.p]9Yz$AGzgUv|䌜50@;z鵚kHf0W+Xvi"Pq:`)Y8XhHen({rYpJeOeW FXd1P2Y;pOҤEsȮ滪vKWbRcO>^uI.%~W(TR_hdO(J骇\%(3|Z\|nGˋU@, bX|I{OzkY\xlR+Guk鯙 O O= q4٩yKQ`ldae=}5Zʰwƙ3adrC%F[ewVp. v %FJ ץaMَ)!%OhvpfU0B[y N0+&[qVL<:bC\]2@ 32\ ,,81p]qPa7S RRQ20,>(}eiMx\ \CfAWAg>5flL"MZ36d'X6ெrY̲5rk*KfsWRqLg%vԒs{OIGyܛFZLYhecntlpm_w9+M $Dn3=vC| ڮ-vb2pmP'g( _L R}8(f13`SXH$]dma͒b-0 ܈XmS`Έ\̈́ӆ8lD@uQ+.Ծ _-u (um-D\.8= @n-ޤ>k' Đ.WdGn~l5o.R>6)U銺,W9H/p#ze7G |rM11@x֨ޛzF4 d=-9ɜ?0IĒ~Y~b1$$ 0Z >OBmm[m:{Ig!uw*8Rga Z;1mVcT[Wvv 2fK;6i(&!/^yaI{ErdY׾gL2T۱k,W}8RF55*Aoy6J|F,?tE V.+> 01̃B,T]&ǂ6 9͸uTGHkĘxE[vlMz ԡ*BZJU U@+ĺhzǰ:tl Sga?+fFlz\G `uc~XuĮaVڹ戤q[1yKly -Jr%-ize+SmS-*1;, e.]$?>$}y #9 k &K,µO^I$ HeVX;JW>r Ew;o\-|*[35q C1y%yȎ1;r+}\pYDXuv0ڀy?,TJ ̛kI]*!ELS(сr}TK;XH`n3G9vDqGa/ `y0㚏pj+I\ c FiveQbb w=|.E%"[I{y >XHaYAX6iЩ H5AXL{=g;!h@jmVWۏ l`NqgYM&Yqc[TrLխ9va~Duv7H tN.TK @X(@$=j~RLn%uTE/DQx+nO5 BSr䚪*1pw<|UJ:vs(՜Fwd>hTӑ 3R.;A=~gHLR7. /B XR\7lˣcD['gW gEP5vpך7{zM.7vo^*+hQ_3>}GT’ Ba .~ 'l = RX+A+m=YT61$U]?fC7 -l  \, r8G}8[ڼy} IݺLa?Ð3{5Z"UX\1X@Q>~1&f#&":,s^an6`wrD7F#1CLD:5 K3glEN>8 +&(,p D 3wȥ4͒o Ƀ$RC30CLxp(U T?, ?B5DbKJ0Dmn$>E)3Rb"(. :. $[a89|+S!`=ݳ=KvjlxAQ,Gnb,cA~RL9s)aZ;8GpX9<'1.ycq XOyNtxT+3KotjYbt}314Of@h),f,ꝫ(\1xԕ> |/U&+J1C~x v0Ke? #镤B^Ռϐ;wSOУ.v#Dn`9fj'r޽&ur~lއu^;blė*(; tֽt޺l^].OljΟ϶ ˙ţ, r~Y428SI1B*rKv N‹I Gcqq3{ |=~{D(/Ʋb^@ +=; .!~ѸnztjEVN|vyIpșh75 >r;t)sXmn~(hO!u{vOL-0yX{Qvl)埡sJ5_/?SʻPM)GN/o ͔3(?[_~9O;֗_2V#Sk5Ra|uRo}/S{K)֗~;>vNtN IзЧwRvRIO/?Bǔ (H)#坔r˔LK˔).n~J+h:z/KO_?}HᯏP1G@MZ9M @7)ݤ_|u)rV)Ӕbv/苴erB]Ay>+<_`]k W)t.2_R̭Lϭn#a( moYYϵco9:HA^_BBU$X2x#(9?ļY}摍ChtoD.~GY!s$_&}:#WVvWߕ\(ܢ}:H+ǸX2#s"q6G#n _5AS79|.y|ѥ8cNtK-zF[Gܻğaw1\.m`KA*x` ~iO\b~t^<ܻȬuMWVFj+^᛬_%޷^2@b.4 Oǃf.ţu>T+^<- &\a9n(-@B^@w>tUi[FY.U~×q_e/هV{UCחZi>ܯ*hW=cIJpN!3J0?1H-M ԳpNš8߅ppU_ t5^hB97Á4*8T:2VJb9yO;F"ôiN\]L͗rG2D`Q9#Tx|F:eN۴W ]7T=c yVi8cn{z?"F5~D@ ҫ:&TW1cy7 @3p8c+x;@@f@6b/`{nz5070x@Ofue9?W\Rv.Hcc:HOSM\-sm{rnknܙepMc4~:"d`; Ok&!CU<z_t&1\vbixF2#0 MȮ+fAj#&mX/ٮ='fc(9:L\X? 6T|-5;6LDR }Na0zNZ]?@9DEP޹aEbˎQYɶx jSO=Ģ uKğopm.;kQL/R޺Tm*>% mi%cHPWWݞ햏 o} 8O.dlcπ!XwCQ %7` ]՝gUs^nT ~ r@c]T!nG `cwDl .5.5o^& BTnb[byYf&$w:G-\ԵTx kok3gzkW=Q'alhd%+^FHM`WH؂{wXiW1.Sܟ>C*e;M +Kei$V-E^x4"b yu+e!*O0:.XUTM)C[7m#* XEڤZuQaW؞nbP!ˣŬ"D0Ȯ'eZ:psh{h۟3\THՇl"~h&L{+нT~pFK-^Pa> "@Ԃ#'"e}%IDy)/̀/(83}M. qeA T,ozOX{YB(ϻ}i?J򑺺j`g񳓨E']f+NRqOT|l(>붻X74U햗޿~lHAEeiNђu׍fK]xEgO 6.A|>Ðy6nF_>o ЫJ/ǂI#;ov[1b$- K].QRR۽7:"f/XbOf>%}(|M!VKqq7JjTʱY#|Yq'f¦[hp .bF;f1Բkh