Archive for the ‘Spamhaus’ Category

Waledac Spam Delivery Estimates

Monday, March 9th, 2009

Spam operations are progressing indeed. Dancho Danchev recently posted screenshots giving an insightful look inside an active managed spam service.

So, it may be interesting to catch up by estimating some recent numbers for the ongoing Waledac spam operation. This afternoon’s Waledac spam blasts contained the usual content for this campaign:
1. Discount-offer subject lines with links to ripped coupon-themed pages serving up malicious executables
2. Pharma-related subject lines with links to pharmaceutical sites (screenshots above and below)

Subject lines and message content for category 1 (hyperlinks mangled intentionally):
Subject: “I sent you useful thing”
Message:
You probably wish to save your money, look at this
hxxp:(slashslash)greatcouponclub(dot)com(slash)discounts.php

Subject: “Latest sales news and coupons”
I want to suggest this page to you hxxp:(slashslash)thecoupondiscount(dot)com(slash)sales.php

Subject: “We can go through the crisis with it”
It’ll be interesting for you hxxp:(slashslash)greatcouponclub(dot)com(slash)couponslist.php

Subject: “A good way to save money is to use these coupons”
New list with coupons in your city hxxp:(slashslash)greatsalesgroup(dot)com(slash)salelist.php

Subject: “All my friends have already used it”
I sent you useful listing hxxp:(slashslash)smartsalesgroup(dot)com(slash)couponslist.php

Subject: “I’ve already used these coupons”
Cool! You can save your money hxxp:(slashslash)greatsalestax(dot)com(slash)list.php

Subject lines and content for category 2, the pharma spam:
Subject: Get the most of your life!
Helloween sale hxxp:(slashslash)agreeslick(dot)com

Subject: Stimulate better growth
Make your body real TNT, exploding near girls with passion and desire.
hxxp:(slashslash)bestplaceapts(dot)at

Let’s assume that the botnet currently is 30,000-40,000 hosts, with ~30,000 spambots sending out messages every second. Because of fantastic efforts like Spamhaus, and the fact that various free mail hosting services have tightened up which email senders they accept mail from, let’s assume that each bot can successfully deliver approximately 1.7 messages per second. With 30,000 bots, that comes to 51,000 messages per second, or 3,060,000 spam messages successfully sent every minute (that’s from the bot to the destination SMTP server).
Now let’s estimate that 10% of that mail arrives in the users’ inboxes (due to filters and scanners of all sorts). That’s still 306,000 messages getting to users’ inboxes. And perhaps 1% of that group actually buys something or falls for a malicious link? Would it be overestimating to guess that ~3,000 users visit a malicious couponizer page or a phony online pharmaceutical link from a single minute of Waledac spamming?

What does your math look like?
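To make that math reproducible and easy to re-run with your own assumptions, here is an added Python estimator; it is not from the original post. It carries the post’s chain of figures through exactly, and the scenario grid it sweeps (40,000 bots, 5-20% inbox survival, 0.1-1% victim rate) is my own assumption, not the post’s.

```python
from dataclasses import dataclass
from fractions import Fraction
from itertools import product

@dataclass(frozen=True)
class SpamAssumptions:
    """Inputs to the back-of-the-envelope estimate; every field is an assumption."""
    sending_bots: int                    # bots actively sending at the same time
    delivered_per_bot_per_sec: Fraction  # messages accepted by the destination SMTP server
    inbox_rate: Fraction                 # share that survives filters into an inbox
    victim_rate: Fraction                # share of inbox recipients who click or buy

@dataclass(frozen=True)
class SpamEstimate:
    delivered_per_sec: int
    delivered_per_min: int
    inbox_per_min: int
    victims_per_min: int

def estimate(a: SpamAssumptions) -> SpamEstimate:
    """Carry the post's chain of multiplications through exactly (Fraction avoids float drift)."""
    per_sec = a.sending_bots * a.delivered_per_bot_per_sec
    per_min = per_sec * 60
    inbox = per_min * a.inbox_rate
    victims = inbox * a.victim_rate
    return SpamEstimate(round(per_sec), round(per_min), round(inbox), round(victims))

# The figures used in the post: 30,000 bots, 1.7 msg/s each, 10% reach inboxes, 1% fall for it.
POST_ASSUMPTIONS = SpamAssumptions(30_000, Fraction("1.7"), Fraction(1, 10), Fraction(1, 100))

def scenario_sweep(bots=(30_000, 40_000),
                   inbox_rates=(Fraction(1, 20), Fraction(1, 10), Fraction(1, 5)),
                   victim_rates=(Fraction(1, 1000), Fraction(1, 100)),
                   per_bot=Fraction("1.7")):
    """Re-run the estimate over a grid of assumptions (the ranges are mine, not the post's)."""
    rows = []
    for b, ir, vr in product(bots, inbox_rates, victim_rates):
        e = estimate(SpamAssumptions(b, per_bot, ir, vr))
        rows.append((b, ir, vr, e.victims_per_min))
    return rows

if __name__ == "__main__":
    print(estimate(POST_ASSUMPTIONS))
    for b, ir, vr, victims in scenario_sweep():
        print(f"{b:>6} bots, {float(ir):.0%} inbox, {float(vr):.1%} victims -> {victims:>6} victims/min")
```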

More 2008 FBI Botnet Arrests

Friday, January 4th, 2008

As predicted in an earlier post, the slow cooker has been heating it up. Several years of the FBI’s efforts are resulting in more 2008 arrests related to botnets and cybercrime. Eleven people are indicted in this case, involving spam and a “pump and dump” scheme for thinly traded Chinese penny stocks:

“The charges arose after a three-year investigation – led by agents from the Federal Bureau of Investigation, with assistance from the U.S. Postal Inspection Service and the Internal Revenue Service – revealed a sophisticated and extensive spamming operation that, as alleged in the indictment, largely focused on running a stock “pump and dump” scheme, whereby the defendants sent spam touting thinly traded Chinese penny stocks, drove up their stock price, and reaped profits by selling the stock at artificially inflated prices.”

The fraudulent spam messages were sent from zombies around the world. Keep those bots off of your Windows systems.

Eight of those individuals charged are being sought, including a Peter Severa of Russia. This individual is one of the longest-running spam operators on the internet. You can see a description of this individual on Spamhaus:
“One of the longest operating criminal spam-lords on the internet. Works with many other Eastern Euro and US based botnet spammers.”

Maybe, just maybe, there will be a day when this sort of garbage doesn’t show up in my email:
**********************************************************************************
“Add Enerbrite tech to your Radar
Volume spike today, big news expected this week

Symbol: E-T-G-U
Currently : $ 0.0017

Big News is due out this week and trading volume is off the charts.

People are loading up. Read the latest PR and find out what they know.
You’ll want to get in on ETGU too.

Dont miss this chance to ride a multibagger.

Add ETGU to your Radar and get in MONDAY before the news gets out.

“There is no real excellence in all this world Which can be separated from right living.” David Star Jordan”

**********************************************************************************

High level of activity continues to originate in China

Friday, December 7th, 2007

The folks at spamhaus.org have done a commendable job over the years trying to make the internet a better place for everyone. They provide interesting weekly statistics and information on the world’s worst Spam Kings and sources of spam in general. If you’re a network admin, you’ve heard of these guys.

Over the past year, while malicious servers continue to be set up all over the world, more activity is taking place in China. The servers that were part of the recent Google poisoning that we looked at first were located in China. Many of the redirect pages on other compromised servers link to exploit pages, downloaders and more malware served from China.

Not surprisingly, this week China is the number two source of spam, according to Spamhaus (keep in mind that these numbers do change on their site):

But of their weekly top 10 list of Spam Kings, the top 6 continue to be Russian or Ukrainian. Only two are of Hong Kong or Chinese origin:

Also along those lines, the whole Russian Business Network, or RBN (a huge network well known for its malicious activity over the past few years), was tracked by iDefense as shutting down and moving from St. Petersburg to China and to Central and South American countries like Panama and Belize.

And from what we are seeing at our user base and in our labs, it looks like this trend is one that will continue.

UPDATE (12.13.2007): The Sydney Morning Herald published a fine article (it appears to be from someone at The Guardian) this morning about the RBN network’s activities.