Botnet Detection

Cyber Attacks and Safeguarding the Internet

Stephanie Jordan — Thu, 15 Sep 2011 04:35:00 +0000

Homeland Security Secretary Janet Napolitano recently stated that we might be able to keep our shoes on while going through airport security checkpoints in the near future. It seems there is technology on the way that will allow for that. Technology has been responsible for many wonders that improve our lives or at least make things easier. The promise of the Internet was one such stride. But according to a recent comment by Napolitano, while the U.S. is ‘categorically safer’ since 9/11, cyber-terrorism is now at the top of the security concern list.

In today’s world there is a wide range of online threats to safeguard against — identity theft, fraud, hackers, spam, viruses and spyware all come quickly to mind. But the persistent threats that have been experienced this year by RSA, Lockheed-Martin, Google, Sony and a host of other well-known brands and companies make us wonder just how vulnerable are we?

Some experts are claiming that cyber warfare will replace traditional warfare. All that has transpired recently makes that seem less far-fetched than the general populace might have thought a few years ago.

Did you read the interesting interview conducted by Cisco’s Jason Lackey with ex-Anonymous hacker known as SparkyBlaze? If you have only read excerpts the full reading is illuminating. For me getting a sense of what is “ethical” and what is not to this 20-something-year-old was revealing. He gives advice too, which very much parallels what security companies have been saying for years. If you missed these 14 points, here they are again direct from SparkyBlaze:

Deploy defense-in-depth
Use a strict information security policy
Have regular audits of your security by an outside firm
Use IDS or IPS
Teach your staff about information security
Teach your staff about social engineering
Keep your software and hardware up to date
Watch security sites for news on computer security and learn what the new attacks are
Let your sysadmins go to defcon ;D
Get good sysadmins who understand security
Encrypt your data (something like AES-256)
Use spam filters
Keep an eye on what information you are letting out into the public domain
Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?

If, like me, you sometimes take for granted all we know about security in messaging and computer security in general, the rest of the world is now starting to wake up to it. The topic is becoming of interest to a wide range of lay-people, let alone legislators and government officials. This current trend has elements of mystery, intrigue, conspiracy and drama. Indeed, a colleague recently brought to my attention a detailed Vanity Fair magazine article that makes some of the recent exploits sound like one big spy novel. What’s the old saying? May you live in interesting times. Well, we sure do.

Data security today, and really for some time now, is no longer just a sys admins job. It is not just a “set it and forget it” appliance. Securing an organization is a complex, on-going battle that needs to be waged with regularity, education and solid company policies. And it isn’t cheap, but it is worth it.

Spam Dips to Lowest Level Since 2008

Stephanie Jordan — Thu, 30 Jun 2011 02:48:49 +0000

Messaging experts expend a great deal of time and energy following trends and offering analysis. The latest report from Symantec states that June spam levels are currently at the lowest level since the November 2008 takedown of McColo, a California based ISP which hosted command and control channels for a number of major botnets. Its June 2011 Symantec Intelligence Report, which is the first Symantec report to combine research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report, reveals spam accounted for 72.9 percent of email in June, returning to the same level as in April earlier this year. According to Symantec Intelligence, 76.6 percent of this spam was sent by botnets, compared with 83.1 percent in March.

“Despite the decrease in botnet spam this month, they should still be considered a dangerous force on the Internet,” believes Paul Wood, senior intelligence analyst, Symantec.cloud. “Cybercriminals continue to use botnets to conduct distributed denial of service attacks (DDoS), carry out fraudulent click-thrus on unsuspecting Web sites for financial gain, host illegal Web site content on infected computers, harvest personal data from infected users and install spyware to track victims’ activities online.”

Wood goes on to say that following the March disruption of Rustock, the largest spam-sending botnet, approximately 36.9 billion spam emails were in circulation each day during April. This number rose to 41.7 billion in May, before falling back to 39.2 billion in June. “Spam remains a huge problem and spam levels continue to be unpredictable,” he states.

Other highlights from the report:

Pharmaceutical Spam: In the latest analysis, spam relating to pharmaceutical products accounted for 40 percent of all spam in June 2011, declining from 64.2 percent at the end of 2010. Symantec Intelligence also reports a new spam tactic in use that introduces the “Wiki” name prefix for the promotion of fake pharmaceutical products relating to a new pharmacy brand, WikiPharmacy. The “Subject:” line in these attacks has a lot of randomization contained in the text. The “From:” header is either fake or a hijacked ISP account that gives a personalized appearance to the email.

Adult Spam: Researchers note that spam subject line analysis shows that adult spam continues to flourish.

Phishing: In June, phishing activity decreased by 0.06 percent since May 2011; one in 286.7 emails (0.349 percent) comprised some form of phishing attack. South Africa remains the most targeted geography for phishing emails in June, with 1 in 111.7 emails identified as phishing attacks. In the UK, phishing accounted for 1 in 130.2 emails, in the U.S. 1 in 1,270 and in Canada 1 in 207.7.

E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 300.7 emails (0.333 percent) in June, a decrease of 0.117 percentage points since May 2011.

Web-based Malware Threats: In June, MessageLabs Intelligence identified an average of 5,415 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 70.8percent percent since May 2011.

Endpoint Threats: The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit[1], a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions.

Read the June 2011 Symantec Intelligence Report (PDF) for more findings.

What's the Harm If I Get What I Pay For? End-to-End Analysis of the Spam Value Chain

Stephanie Jordan — Thu, 16 Jun 2011 12:41:28 +0000

Have you ever wondered what would happen if you actually responded to an online offer for an herbal supplement or an enhancement drug? As any active emailer knows, there is a relentless tide of spam out there, and while filters and other techniques keep an amazing amount of spam out of users’ inboxes, spam still manages to seep in, and those dietary supplements, herbal remedies, enhancement drugs and even watch offers show no signs of stopping.

Christian Kreibich from the Berkeley-based International Computer Science Institute and team wondered about those spam offers too; so they researched the complete lifecycle of a spam offer, from receiving the offer, to ordering, to payment, all the way through to product receipt. It is an interesting analysis to be sure. Kreibich presented the findings of the analysis at the Messaging Anti-Abuse Working Group’s (MAAWG) 22nd General Meeting in San Francisco last week.

The spam trail encountered by Kreibich proved to be 95% pharmaceutical, so much of his talk centered around the tracking and ordering of supplements, enhancers, prescription and over-the-counter drugs. During the analysis period, the group attempted 120 purchases, of which 76 authorized and 56 settled resulting in 49 deliveries. The reason the deliveries and the purchase attempts are not closer in number is that some of the programs stopped taking orders from the researchers, even though they would change where deliveries were to be shipped, and used different names.

“It got progressively harder to make purchases,” admits Kreibich. “Generally, you do get deliveries because the merchant needs to maintain a good relationship with the banks.”

Where Is the Harm?

So, does this mean that it’s okay for you to order that herbal supplement offer you keep receiving, but were afraid to because you might not get what you paid for?

“The analogy I would use for spammers actually fulfilling orders is a bit like a window company throwing a coupon wrapped around a brick through a prospective customer’s window,” responds Michael Osterman, analyst and president of Osterman Research, Inc. “Even if the glass company actually shows up on time to replace the glass and their quality is good, the method of marketing their services is still a problem. In the same way, spammers eat up bandwidth and storage on prospective customers’ servers, desktops, etc. in exchange for potentially offering a decent product. Fulfilling an order is good, but the method of gaining the customer in the first place is not.”

Kreibich agrees, saying, “There is tremendous technical collateral damage in this business. Beyond this, I’d add first that the advertising model of spam is completely illegal virtually any where due to the way it’s realized because it’s facilitated by relying on infected machines. Secondly, a substantial part of the products one can order are illegal in the country you order from. For example, many of these shops will sell you prescription drugs, right up to cancer medications, without the need for a prescription.”

Having your computer become part of a botnet that aids in the spewing of spam is a definite danger of doing business with spammers. Spammers are not reputable in the business world, although they are successful, otherwise they would not continue. So what about the money trail?

Payment Infrastructure

In the sleuthing, a key insight comes from this money trail research: just three merchant banks account for 95% of the processing of payments related to spam. The banks were: Azerigazbank in Azerbaijan (Eurasia), St Kitts-Nevis-Anguilla National Bank Limited in the Caribbean, and DnB NORD in the Baltic States. Indeed some feel that this bottleneck might be a place of vulnerability in the spam trail. Would it be possible to halt the payment processing in a kind of financial blacklist?

Perhaps believes Kreibich, but it would have to be through the Western bank. “If the issuing bank refused to settle certain transactions it could have a significant impact.” Kreibich points to online gambling as a possible precedent for such action.

Asked if the product delivered was indeed the product ordered, Kreibich replies, “In general, you do get a delivery. We have done ‘some’ component analysis via mass spectrometry that confirmed the right active ingredients and composition for some ‘herbal supplements.’ But we are in no way saying that people generally get the real drug or right combination of ingredients.”

Still wondering about responding to a spam offer? Spam experts advise against it: “Very often, those who order by spam don’t always get what they order,” warns MAAWG Chairman and Comcast Distinguished Engineer Michael O’Reirdan. “The problem also is that once they have ordered via spam, they also set themselves up as targets for other spam, which might be a vector for malware.”

Learn more about the research by reading Kreibich et al.’s paper: Click Trajectories: End-to-End Analysis of the Spam Value Chain

Parents’ Work Computers Should Be Off Limits to Teens, Reduce Malware Exposure

Stephanie Jordan — Thu, 16 Jun 2011 09:52:37 +0000

As I mentioned last week in the article National Internet Safety (and Security?) Month, MAAWG, and Passwords , June is National Internet Safety Month. This week a study was released that examines the online behavior of U.S. parents and their teenage children; this is relevant not only because the data is interesting, but also in context of the blurring between home and work and possible exposure of systems (or files) that go from one location to the other.

The 2011 Parent-Teen Internet Safety Report was published by GFI Software and looks at online behaviors related to content, communications and malware exposure. While the study is from a security company - the net finding is that in most cases kids AND their parents engage in risky online behavior – given the state of the Internet today, it is not surprising that the conclusion is that this type of behavior puts the parents’ employers at risk.

According to GFI, report highlights include:

65% of parents say a virus has infected at least one of their home computers, and 62% of these have been either “somewhat” or “serious” problems.

90% of parents who have work computers at home say they’ve used them for non-work related purposes and 37% of these say they let their teens use them as well. Meanwhile, 47% of teens say they have been infected by a virus while using a computer at home.

34% of teens say they have created online accounts that their parents do not know about.

Only 28% of parents who have antivirus software say they update their virus definitions daily, and 24% are unsure if they are updating these definitions at all.

36% of parents use Web monitoring or Web filtering software to keep tabs on their teens’ activities online and to block inappropriate content.

Now for a few highlights in light of Internet Safety Month that might be worth sharing as a discussion starter with the family:

15% of all teenage girls surveyed have been bullied online or via text message.

31% of teens admit they have communicated something to someone online that they would not have said face-to-face.

31% of teenage boys admit to visiting a Web site intended for adults, and 53% of all teenagers who have done so say they lied about their age to gain access.

Nearly one-third (29%) of teens have been contacted online by a stranger, and 23% of those say they have responded in some way.

“The Parent-Teen Internet Safety Report is a real eye-opener as to how modern computing introduces families to a host of new dangers that reflect our evolving online lives,” comments Alex Eckelberry, general manager of GFI Software’s Security Business Unit. “It is not surprising to see teenagers engage in risky online behavior – just as they will often engage in risky behavior in the physical world. It is surprising, however, to see that parents are often compounding this problem with highly insecure computing practices like letting their children use their work computers, or being lax in updating their virus definitions. As a result, home Internet use is a source of significant risk not only to families but also to employers.”

The full report and a document with the full survey questionnaire and responses are available from GFI Software.

Web Trends Thus Far for 2011 Include Outdated Plug-ins, Social Media Policy Struggles, Facebook Domination and Botnets

Stephanie Jordan — Wed, 25 May 2011 20:51:17 +0000

Attackers are no longer targeting web and email servers, contends Zscaler, instead they are attacking enterprises from the inside out, by first compromising end-user systems and then leveraging them to gain access to confidential data. The company announced that its Q1 security research report, State of the Web – Q1 2011, is available this week. In the report, the company published the following findings:

·         Outdated Browser Plug-ins a Tempting Target for Attackers: more than 25% of corporate users are running old, insecure versions of popular browser plug-ins — such as Java, QuickTime, and Adobe Reader — creating an easy target for attackers.

·         Facebook Dominates Web 2.0 Traffic: even in corporate environments, Facebook accounts for most Web 2.0 application usage at 52.40% (up from 47.65% in Q4 2010).

·         US and China Have High Malicious Content Concentration: when considering where malicious content originates from as a percentage of overall content, both USA and China have about 2x more malicious traffic than would be expected based on overall traffic volume.

·         Botnet Nation: America hosts the majority of botnet Command and Control (C&C) servers at 42.48% (up from 38.20% in Q4 2010); Germany takes second place at 32.8% (up from 6.46% in Q4 2010).

·         Are Browsers Dying? Non-browser Internet traffic stemming from third-party applications continues to rise, accounting for nearly a quarter of all web traffic.

·         IE6 Continues its Exit: the outdated and insecure browser continues to wane, at only 8.43% of all browser traffic (down from 11.43% in December, 2010); however, it’s still the third most prevalent browser used, behind IE 7 (27.05%) and IE 8 (24.97%).

·         Enterprises Struggle with Social Networking and Policy: 7 in 10 enterprises block at least some web content based on category, with social networking being the most common category blocked. However, enterprises are still struggling to define policies on how social networking can be used in the workplace. A vast majority have no policy in place, and those that do choose to block all access to social networking sites.

·         AV Landscape: more than half of threats identified by Zscaler AV were delivered by web content (HTML, Javascript) as opposed to standalone binary executable files, highlighting the changing threat landscape. And 31.8% of viruses identified are those that attempt to load or redirect the user to malicious content, often on legitimate web sites.

The full report is available through the company’s site.

UN and ITU team up to fight Cybercrime

Melisa LaBancz-Bleasdale — Tue, 24 May 2011 06:38:57 +0000

On May 19, 2011 the ITU , the United Nations agency for information and communications technologies, cemented new global partnerships designed to make cyberspace a safer, more secure place to be for consumers, businesses, and – most crucially – children and youth.

A Memorandum of Understanding (MoU), signed between ITU and the United Nations Office on Drugs and Crime (UNODC) at this year’s WSIS Forum event in Geneva will see the two organizations collaborate in assisting ITU and UN Member States mitigate the risks posed by cybercrime.

The MoU will enable the two bodies to work together to make available the necessary expertise and resources to establish legal measures and legislative frameworks at national level, for the benefit of all interested countries. It is the first time that two organizations within the UN system have formally agreed to cooperate at the global level on cybersecurity.

“This new alliance with UNODC is a major milestone in implementing a coordinated global approach to an increasingly serious global problem. Together, our two agencies will generate powerful synergies that will help all interested countries fight the scourge of cyberthreats and cybercrime and create a safer online environment for all,” said ITU Secretary-General Dr Hamadoun Touré.

In line with its long tradition of public-private partnership, ITU has also signed an MoU with Symantec, provider of security, storage and systems management solutions. ITU will use Symantec’s security intelligence, in the form of its quarterly Internet Security Threat Reports, to increase understanding of and readiness for cybersecurity risks.

By distributing this report – which captures data from across Symantec’s Global Intelligence Network – to interested Member States, ITU aims to help better prepare governments in developing and developed nations alike to respond to the ever-growing risk from malware, cyber attackers and information thieves. This will facilitate awareness raising and knowledge transfer, complementing the work of ITU and strengthening its effectiveness as a global forum for governments and private sector to build confidence and security in the use of ICTs.

Commenting on the partnership, Enrique Salem, President and Chief Executive Officer of Symantec, said: “Over the past year and a half, the researchers that make up Symantec’s Global Intelligence Network have noted a dramatic increase in the number of cyberattacks, as well as the growing sophistication and impact of threats. The partnership between ITU and Symantec will facilitate an increased understanding of cybersecurity risks and how they can be reduced, increasing confidence in new and emerging technologies and facilitating the evolution of the digital world.”

Further reinforcing ITU’s efforts in this area, ITU’s work and relations with IMPACT continue to gain momentum, with over 130 ITU Member States now part of the ITU-IMPACT coalition.

ITU-IMPACT is the first cooperative global venture to make available cybersecurity expertise and resources to enable interested Member States to detect, analyze and respond effectively to cyberthreats. Of particular benefit to developing countries and smaller states without the capacity and resources to develop their own sophisticated cyber response centres, the coalition also benefits technically advanced nations by providing them with a global snapshot of potential and real online threats.

ITU-IMPACT members enjoy:

· Access to the IMPACT Global Response Centre (GRC), the foremost cyberthreat resource centre in the world for global threat information, at no cost.

· Access to the Electronically Secure Collaboration Application Platform for Experts (ESCAPE), allowing experts across different countries to share their knowledge and best practices with regard to cybersecurity, as well as facilitate the mitigation of cyberattacks, at no cost.

· On-site assessments and elaboration of implementation strategies for the establishment of the Computer Incidents Response Teams (CIRTs). To date 24 countries have been assessed, and work is in progress to move to the implementation phase.

· Specialized cybersecurity capacity building programmes to arm Member States and international agencies with relevant knowledge to face and prevent cyberthreats. To date, more than 200 cybersecurity professionals and 50 law enforcement officers have received specialist training. In addition, 155 training scholarships to 29 partner countries globally have been provided.

ITU-IMPACT also offers Managed Security Services to the UN family of agencies.

Newest Messaging Malware Targets Facebook and Twitter

Stephanie Jordan — Fri, 06 May 2011 17:23:57 +0000

With millions of users adopting Facebook and Twitter, it is not unexpected to see cybercriminals moving towards the mediums as a rich source of users to target. This week Fortinet, a network security provider, released its latest Threat Landscape report, which details two new malware variants aimed toward Facebook users.

The malware, which is intended to look as though its coming from Facebook, claims that the users’ Facebook passwords have been reset. An attachment is included that has the “new” password. Clicking on the attachment can lead to immediate infection.

“The Facebook malware variants we examined are botnet loaders, which, upon execution, connect to a command and control server to download and display a document that reveals a bogus password in an effort to look legitimate,” says Derek Manky, senior security strategist at Fortinet. “Afterwards, the botnet continues to run in the background and requests files to download and execute, one by one.”

Manky warns users to always beware of file attachments, never disclose information generated by an unsolicited request, and attempt to confirm identities of those who contact them.

The lesson for this particular malware to pass along: simply try your original Facebook password to see if it has indeed been changed.

Twitter Attacks
Twitter, one of the newest messaging channels, is not immune to malware as proved recently with the Unfollowed Me rogue application spreading virally. According to Graham Cluley of Sophos, thousands of Twitter users have been tricked into clicking on links that promise to reveal how many people have “unfollowed” the user.

Once users agree to authorize a third-party application access to their Twitter accounts, the third-party can tweet messages in a user’s name and send messages to the user’s followers. In this instance it appears the end game is scammers making money on completed surveys.

The lesson to pass along: don’t allow applications access to your account.

Network Forensics—Beyond Evidence to a New Platform that Empowers all Security Tools

Stephanie Jordan — Thu, 21 Apr 2011 09:17:53 +0000

Network Forensics (NF) has matured in recent years to play a critical role in defending against the increasing number of advanced threats. Previously, NF focused on basic network packet capture to gather evidence to prove a security event—useful to lawyers prosecuting or pursuing recompense for corporate or individual damages. Today’s NF is something altogether different, quickly becoming an invaluable asset that any organization can use. It goes beyond raw packet capture to now deliver critical insight to any and every type of network security incident and enable Next Generation Threat Prevention.

Much like a 24/7 surveillance camera, NF records and stores every packet of network traffic, providing a record of any network activity. NF has been a critical tool for skilled analysts at government agencies to capture historical views of their networks in order to determine the scope of damages from cyber threats and network breaches. With a complete record of network traffic, they can see exactly what happened before, during, and after a security incident or attack.

Today’s high-profile network breaches and cyber threats make it clear that many attacks are unpreventable and that the frequency of attacks are growing at a phenomenal rate.

NF may have had limited use in the past, but advancements in capture speed, indexing, classification and reconstruction have made it an easy-to-use solution for anyone charged with securing the network and information assets. The new NF exposes what’s happening on the network in clear visuals we all can recognize and understand, helping security professionals significantly reduce incident response time. Response teams now have real-time views of security incidents and full reconstruction of network artifacts. Raw packet data is instantly transformed into real evidence like a Word document that was delivered as an email attachment complete with a payload of identified malware; or an IM conversation revealed as an exchange that has enabled the propagation of a botnet within the organization. These are invaluable views into the network that security professionals can’t afford to be without. The new NF now means real-time and immediate threat awareness, accelerated time to remediation, prevention of future threats, and keeping persistent threats off the network. As email, IM and social media continue to be the most frequently used vectors for network threats and malware, NF helps to maintain an edge against outside attacks.

NF also provides immediate visibility into insider threats. With complete real-time and historical network capture of everything that happens on the network, detailed evidence is now clearly revealed as the exact documents, applications and data involved if someone consciously or inadvertently compromises network security. This level of situational awareness is important not only to network managers and email and messaging administrators, but also to Human Resources and individual department managers. Evidence now is delivered quickly and in an easily understood form that enables immediate and complete remediation.

Most organizations have invested heavily in security using DLP, IPS/IDS, SIM/SIEM, and other tools. Today’s NF has become a technology that can serve any security tool, making them more intelligent and thus more effective. By providing real-time and historical visibility into any security incident, NF today is a platform for next generation threat prevention.

About Peter Schlampp, Vice President, Marketing and Product Management, Solera Networks

Schlampp brings a keen understanding of the network security and infrastructure industries with more than a decade of product development and marketing expertise in the enterprise, government and education markets.

DOJ Takes Action to Disable Coreflood—Massive International Botnet

Melisa LaBancz-Bleasdale — Thu, 14 Apr 2011 00:17:51 +0000

More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme

WASHINGTON - On April 13, 2011, the Department of Justice (DOJ) and FBI announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet.

The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.

“Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation’s information infrastructure,” said Shawn Henry, Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch. “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure.”

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names. Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the U.S. in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” said U.S. Attorney David B. Fein for the District of Connecticut. “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”

“The actions announced today are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware,” said Assistant Attorney General Lanny A. Breuer of the Criminal Division. “Law enforcement will continue to use innovative and responsible actions in our fight against cyber criminals and at the same time, we urge consumers to ensure they are continually taking prudent measures to guard against harm, including routinely updating anti-virus security protection.”

According to court filings, Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server. A computer infected by Coreflood and subject to remote control is referred to as a “bot,” short for “robot.” According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.

Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.

In the enforcement actions announced today, five C & C servers that remotely controlled hundreds of thousands of infected computers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C & C servers. As authorized by the TRO, the government replaced the illegal C & C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.

What Is Coreflood?

The Coreflood malware on a victim’s computer is programmed to request directions and commands from C & C servers on a routine basis. New versions of the malware are introduced using the C & C servers on a regular basis, in an effort to stay ahead of security software and other virus updates. If the C & C servers do not respond, the existing Coreflood malware continues to run on the victim’s computer, collecting personal and financial information. The TRO authorizes the government to respond to these requests from infected computers in the U.S. with a command that temporarily stops the malware from running on the infected computer. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers. By limiting the defendants ability to control the botnet, computer security providers will be given time to update their virus signatures and malicious software removal tools so that all victims can have a reliable tool available to them that removes the latest version of the malware from an infected computer.

The DOJ and FBI, working with Internet service providers around the country, is committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Identified owners of infected computers will also be told how to “opt out” from the TRO, if for some reason they want to keep Coreflood running on their computers. At no time will law enforcement authorities access any information that may be stored on an infected computer.

What You Can Do

While this enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely. Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware. The best defense against such malware, and botnets in general, is for users to ensure their computers are protected by regularly-updated anti-virus security software.

The DOJ strongly encourages computer users to ensure they are using security software on their computers and that users regularly update their security and routinely scan their computers for viruses. To learn more about what you can do to protect your computer, including how to download and receive updates on security vulnerabilities, the public may go to the: Computer Emergency Readiness Team (CERT) and the Federal Trade Commission (FTC).

The law enforcement actions announced today are the result of an ongoing criminal investigation by the FBI’s New Haven Division, in coordination with the U.S. Marshals Service. Additional assistance was provided by Microsoft, the Internet Systems Consortium and other private industry partners. The matter is being prosecuted by the U.S. Attorney’s Office for the District of Connecticut, led by Assistant U.S. Attorney Edward Chang, and attorneys from the Computer Crime and Intellectual Property Section in the Justice Department’s Criminal Division.

The "State of Application Security Survey" - 88 Percent Spend More on Coffee Than Security

Melisa LaBancz-Bleasdale — Sun, 10 Apr 2011 21:46:17 +0000

Back in February, Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute released the“State of Application Security Survey,” which found that 73 percent of organizations had been hacked at least once in the last 24 months through insecure web applications. The news that web apps are insecure isn’t really shocking, but the percentage of organizations that fell prey to attacks is certainly eyebrow raising. I chose to address this report now, because it appears that companies just haven’t gotten around to determining the best way to handle the influx of insecure web apps exposing their organizations to increasingly sophisticated and damaging attacks.

In one of those, “It’s so awful it’s funny” findings, the survey notes that even though website attacks are the biggest concern for companies, 88 percent of them spend more on coffee than securing their web apps. Don’t get me wrong, I love me some coffee, but I also love me some secure banking and private medical files. I think it would be illuminating for an IT manager to use this data point in a meeting, “Last June we spent 50K on our Colombian roast and 2K our web security products. We’ve been hacked 187 times but our coffee is really, really good.”

The results of the survey reveal respondents’ perceptions and experiences protecting web applications. It underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security in general.

Strangely, (or not?), the report found that 69 percent of organizations rely on network layer firewalls to protect their websites, leaving web applications wide open for attack. Haven’t we all learned that firewalls are like long underwear? They offer some protection but won’t cut it on Mt. Everest. I was mystified to find that organizations still feel this is an adequate defense mechanism.

What wasn’t surprising to me was the finding that 72 percent of organizations test less than 10 percent of their web applications for security holes, some knowing they have been hacked in the past. I don’t actually know of any organization that runs the recommended regular security checks. This frustrates the analysts and security experts but time, resources, and competing priorities usually get in the way of such things as routine maintenance and ensuring the safety of the corporate network. I do think it should be required for all financial institutions, government agencies, medical organizations and any other company that deals with sensitive amounts of customer data—which is pretty much everyone right?

According to 74 percent of respondents, web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily web application firewalls and vulnerability assessment.

“While it is encouraging to see that web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure web applications is like relying upon a cardboard shield for protection in a sword fight—eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.” I agree. It’s probably never a good idea to use a cardboard shield whilst wearing your long underwear to a sword fight.

Mandeep Khera, CMO for Cenzic says it’s a huge red flag that a quarter of respondents could not provide a range for how many web applications they have. He expressed shock that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their web applications, but as I mentioned above, it’s just never really been part of the day-to-day risk mitigation plan (and it should be). It is shocking though that most of these companies have been hacked multiple times through insecure web applications. “If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?” asks Khera.

Other key findings in the study include:

Data protection (62 percent) and compliance (51 percent) were the top reasons for securing web apps. Job protection was also a significant reason cited by 15 percent of respondents.

Despite 51 percent listing compliance as a key driver for web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.

With 41 percent reporting they have over 100 web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.

More than half (53 percent) expect their web hosting provider to secure their web applications.

Of those respondents who own a web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession.

ESET Mail Security for MS Exchange Designed for Enhanced Spam Detection

Melisa LaBancz-Bleasdale — Fri, 01 Apr 2011 00:47:06 +0000

ESET has released their business-ready ESET Mail Security for Microsoft Exchange Server 4.3. The update offers an advanced anti-spam engine with precision score dials, and spam and grey listing logs.

Out of the top twenty corporate endpoint security vendors worldwide, ESET is the fastest growing company in this category according to IDC. ESET Mail Security for Microsoft Exchange Server is built on the NOD32 Antivirus 4 ThreatSense® engine and provides customers with proactive technology for detecting viruses and other malware. In addition to stripping malware from messages, the integrated anti-spam and grey listing features keep unwanted spam from reaching end users.

“We are always focused on continuous improvement and with that mindset we enhanced the anti-spam capabilities and provided tools and logs for easy management,” said Pavel Luka, Chief Technology Officer, ESET. “Messaging security is the first line of defense against malware outbreaks, spam interruptions, and phishing attacks, and ESET Mail Security for Microsoft Exchange Server provides fast and accurate messaging security with minimal overhead for businesses of all sizes.”

ESET Mail Security for Microsoft Exchange Server was designed to offer proactive protection against emerging threats without having to wait hours or days for signature updates. Additionally, the company says the solution has a light system footprint that has minimal impact on mail server performance and is easy to deploy.

New features of ESET Mail Security for Microsoft Exchange Server 4.3 include:

New Anti-spam engine
Anti-spam score dials—Define anti-spam threshold scores at three levels with greater precision for more control.
Advanced setup tree—Redesigned advanced setup tree for more intuitive navigation.
Automatic exclusions—Automatically detects and excludes critical server files for smooth operation.
License merging—Automatically merges two or more licenses with the same customer name for easier license management.
Spam log—Displays sender, recipient, spam score, classification reason and action taken for actionable information.
Grey listing log—Displays grey listed sender, recipient, action taken and shows status until connection denial period ends for actionable information.

The Never-Ending Spam Story

Melisa LaBancz-Bleasdale — Fri, 01 Apr 2011 00:23:56 +0000

It’s fascinating to me that we are still dealing with spam and all of its inherent issues - overflowing inboxes, possible embedded malware, time wasting, etc. We are a world that can invent a smart phone that essentially replaces our laptops, music players, televisions and email, but we can’t make spam go away? I mean spam is “so 1990’s.” It should be yesterday’s problem but it is in fact, a growing one.

Dennis Fisher writes in his March 2011, article for Threatpost that “Since virtually the dawn of the commercial Web and the advent of widespread email use, spam has been a major problem and it has grown to a point that botnets are now spewing trillions of spam messages every month. But, email spam is just one piece of a much larger ecosystem that now is mainly dominated by Web-based spam pushing users to malicious, or at best, worthless, pages.”

The face of our new enemy is Web-based spam, which is different from the basic email spam you’d get in your inbox. All spam is sent to serve one purpose – money. If even the most miniscule percentage of people fall for a spam scam, it can result in making the spammers many thousands of dollars for absolutely no work.

In Fisher’s article, Sasi Parthasarathy of Microsoft’s Bing explains that the motivation is money, either syndication or ad-based,

What’s interesting to me about the newest batch of Web-based spam is the resourcefulness behind it. Instead of launching unique attacks, the spammers are increasingly hacking legitimate sites (see my post on the Japanese Tsunami) and embedding their illnesses within. The hijacked pages will then use redirect links to take the users to a fraudulent site.

Parthasarathy said that even though we’re aware of the techniques spammers use and have developed tools to combat the problems, dealing with the threats in real time is extremely challenging. With valid keywords embedded in fraudulent sites, it’s not hard to slip past search engines’ security features.

According to Fisher, one of the challenges that Bing, Google and other search engine operators face in this work is ensuring that they don’t mistakenly discount legitimate sites with valid content while still weeding out malicious or spammy links and pages.

Fisher explains that in addition to setting up networks of interrelated link farms and spam pages, the spammers also will add content spam to sites. This can take the form of text set in white type on a white background that’s invisible to the user but is seen by a search engine crawler or machine-generated content such as keywords taken from search engine query logs. This content will often make no sense and look like gibberish on a page, but serves as an attraction for the crawler.

Web-based spam is our new frontier and despite my inability to make peace with the huge amounts of it on my Droid each morning, it looks as if it will always be here in some form. As our technology and needs change, so will the spammers’ approach. Right now, it does appear that they are winning.

The RSA-EMC Security Breach: What's Really Going On?

Melisa LaBancz-Bleasdale — Thu, 24 Mar 2011 04:49:53 +0000

One of the first things I do each day is check out what’s going on in the world. I have quite a few sites bookmarked and it’s a little ridiculous but I want my Kim Kardashian gossip served up hot right alongside the latest news on cybersecurity. What’s interesting to me is that many people get their news from a single source. It’s also a little frightening. Although most tech news wouldn’t interest or apply to a large segment of the population, sometimes it does. Such is the case with the RSA/EMC security breach. Ever since the company admitted they had been the target of an Advanced Persistent Threat (APT), in an open letter on their site, I’ve had some sleepless nights. It’s not what we know that’s cause for worry, it’s what we don’t know. What the company isn’t telling their customers. I understand that RSA may not even know the extent of the damage quite yet and thus, Executive Chairman Art Coviello’s open letter is both scary and vague:

“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

I’ve been avidly reading everything I can on the story and the best comment I read was from an IT Director and RSA customer who, to paraphrase what he said, felt that the “immediate steps” offered to him were akin to lifting the hood of the car to make sure the engine was still there. In other words, even Captain Obvious could have given more helpful instructions than RSA did.

While I was ruminating on the possible implications of this breach with a few of my friends, no one knew what the heck I was talking about. I had to back the bus way up and explain who RSA was and how fraudulently using SecurID tokens to infiltrate systems could impact their lives. In a matter of minutes they went from happy-go-latte-drinking friends to ones that were now afraid of the APT monster living under their beds.

There are numerous experts and analysts quoted in all the stories related to the incident. They all reassure us that depending on what was stolen, there are certain other steps that would need to be taken, or certain amounts of social engineering that would need to be done for anything bad to really happen. Well, as no one knows what was stolen, it’s all just theorizing about what does and doesn’t need to be done. Here’s the thing, if anyone is going to launch an APT (successfully) against an organization like RSA, they’re probably pretty sure of what they wanted to do with the information.

While this is merely my opinion, and not that of Messaging News or its editor and fellow journalists, as a crisis management professional there are several telling clues as to how very serious this whole thing truly is:

The very small and almost innocuous box on RSA’s homepage that says, “Urgent Message to SecurID Customers about their Product Security” that you need to click on to launch the open letter. It should be a really big box that is a bit more noticeable and says something like, “Urgent news on the RSA Security Breach.”
The fact that federal authorities are involved. That’s serious. Always.
That RSA isn’t actually telling their customers anything about what was stolen or what to do next. Can you really layer more security on top of something that is supposed to be incredibly secure?

Coviello goes on to say, ”We regret any inconvenience or concern that this attack on RSA may cause for customers, and we strongly urge you to follow the steps we’ve outlined in our SecurCare Online Note. APT threats are becoming a significant challenge for all large corporations, and it’s a topic I have discussed publicly many times. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”

I can re-read this paragraph many times over and every time it astonishes me. They “regret any inconvenience or concern?” If I’m a major bank with millions in customer accounts I’m inconvenienced? I just have no words for that. I am also mystified as to why it matters that Coviello has addressed APTs before. Is he saying, “Remember that really bad stuff I mentioned, well, it happened to us?” Yes, yes it did.

While it’s probably in everyone’s best interest not to panic and trample our fellow passengers, it’s also mildly annoying that a power as large as RSA would seemingly attempt to downplay something this big. Maybe by doing so, their clients won’t give it another thought, however, I am falling behind on celebrity gossip and checking my news way more than I ever did before.

Barracuda Labs Releases 2010 Security Report Alongside New Profile Protector

Melisa LaBancz-Bleasdale — Mon, 07 Mar 2011 18:36:03 +0000

Tis’ the season for security reports! Leading up to the February RSA Conference, many organizations prep and release their 2010 findings. Interestingly, fewer than half find the same trends and/or security flaws. This can be confusing and overwhelming unless you look at the context. The types of attack vectors and trending a vendor finds are almost always directly related to the type of vendor - and that makes sense. An email spam defender is going to write a report focused on email attacks (mostly) and a storage vendor will write about data leaks, loss, and breaches. That said, all of the reports taken together can provide an organization with a good sense of where the priority trouble spots are for them in relation to the way they do business.

Barracuda Networks, provider of content security, data protection and application delivery solutions, recently released the findings from their 2010 Annual Security Report, and it wasn’t surprising to see the dramatic shift from email attacks to targeting the Internet. Barracuda saw email spam drop by half during 2010. That’s huge, but spam itself is not a P1 threat but it’s definitely a P1 annoyance. They also found that search engine malware doubled and the Twitter Crime Rate increased 20 percent, signifying a concentrated focus on the more lucrative social networks and search engines as attack vectors. With the use of social networking tools such as Twitter as part of the modern sales and marketing programs, this is definitely news to pay attention to.

In light of their findings, and a perceived market need, Barracuda designed what they hope is a strong solution to the problem. To help combat social network-driven attacks, Barracuda released Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter.The application analyzes user-generated content posted to profiles and is able to block or remove malicious or suspicious content. This includes malicious URLs, embedded photos and/or videos on Facebook and Twitter pages and news feeds.

“Attackers focus on where they can get the most eyeballs and profit, and today that means social networks and search engines,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “As a community we often point to the need for user education as the missing component; however, the levels of social engineering involved in today’s attacks suggest that we must continue to elevate our technological approaches. The research community must continue to build innovative defenses and the industry must make efforts to increase the deployment rates of those defenses.”

Dr. Judge has a good point. Social engineering is increasingly savvy. Nearly every day I get a chat request from an unknown (and fictional) “friend” that wants to add me to their directory so we can get back in touch. With names like Kelly, Todd and Mike, I do find myself pausing to think about whether I’ve connected to friends with the same names. Unequivocally, I delete the requests. If it truly is my friend, they’ll drop me an email asking why I didn’t accept their invitation.

Searching for Malware

Barracuda conducts periodic studies across Bing, Google, Twitter and Yahoo!, analyzing trending topics on popular search engines in order to understand the scope of the problem and to identify the types of topics used by malware distributors. The most recent study was conducted over 153 days. The analysis reviews more than 157,000 trending topics and nearly 37 million search results. Overall, the research found that attackers have increased the amount of search engine malware as well as expanded targeted efforts beyond Google.

Key highlights from the search result analysis include:

In June 2010, Google was crowned as “King” of malware, turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. As malware spread across the other search engines, the ratios were distributed more evenly by December 2010, with Google producing 38 percent of overall malware; Yahoo! at 30 percent; Bing at 24 percent and Twitter at eight percent.
The amount of malware found daily across the search engines increased 55 percent from 145.7 in June 2010 to 226.3 in December 2010.
One in five search topics lead to malware, while one in 1,000 search results lead to malware.
The top 10 terms used by malware distributors include the name of a Jersey Shore actress, the president, the NFL and credit score.

The Dark Side of Twitter

Barracuda Labs analyzed more than 26 million Twitter accounts in order to measure and analyze account behavior. The analysis enabled researchers to model normal user behavior and identify features that are strong indicators of illegitimate account use.

Key highlights from the Twitter research include:

In general, activity continues to increase on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
The number of True Twitter Users increased to 43 percent, up from only 29 percent in June 2010.
For every 100 Twitter users, 39 have between one and nine followers, while 50 percent of Twitter users have more than 10 followers.
Approximately 79 percent of Twitter users tweet less than once per day.
After decreasing at the end of 2009, the Twitter Crime Rate increased 20 percent from the first half of 2010 to the second half of 2010, going from 1.6 percent to 2 percent.
Attackers are distributing malware and exploiting vulnerabilities to achieve their malicious goals.

You can view the complete report at Barracuda Labs 2010 Annual Security Report .

Profile Protector is available for download at http://profileprotector.com/

We're All Sheriffs in the Land of the Walking Dead: The Botnet Fight

Stephanie Jordan — Mon, 22 Nov 2010 18:36:26 +0000

“Wake up!” Or so one might want to shout at those enterprise network operators and IT managers who consistently act as if their operations were islands unto themselves. These are the mavericks that ignore industry best practices and go their own way, believing their networks immune to zombies or bot infections, and who disregard the lessons learned by their peers.

The sad reality is that we all suffer once zombies or bots find their way onto these susceptible networks or Web sites. The bot-delivered malware that ends up surreptitiously installed on users’ computers is a finely tuned parasite, capable of stealing valuable informational assets such as personal identity records or credit card numbers. The bot then turns the computer into an efficient spam machine, sending abusive email just under the network operator’s radar and often launching highly-targeted phishing expeditions—all without the computer owner’s permission or knowledge. Enterprises and their banking operations are being precisely targeted by malware such as Zeus and SpyEye, which is designed and, is very successful, in compromising banking credentials, thereby gaining access to corporate bank accounts and stealing millions of dollars.

Spam from bot-infected computers clogs the Internet and is often loaded with malicious code aimed at other unsuspecting users. According to metrics aggregated by the Messaging Anti-Abuse Working Group (MAAWG), almost 90 percent of all email traffic on the Internet is abusive. Together with social engineering and compromised Web sites, spam is one of the most important ways to get end-user machines compromised with malware.

Beyond the personal and business setbacks it spawns, abusive messaging also has become a huge budgetary drain. Ferris Research, Inc. estimated that spam cost the U.S. $42 billion in 2009. This is just slightly less than the $40 billion that globalissues.org calculates it would cost to provide universal access to basic social services in all developing countries. Ferris puts the worldwide outlay for spam last year at more than three times this amount, around $130 billion globally.

Given the scope of the problem, no one entity alone can stop bots or the resulting spam they generate. Creating a safe online environment is the responsibility of all of us who have an interest in the free exchange of information. This includes network operators and email providers, industry vendors, corporate networks, small business users, and yes, even end-users. We all have a role to play in protecting the Internet.

Taking a Stand

The first priority for end-users is to learn good computing habits and to understand the dangers inherent in spam. Half of the email users in North America and Western Europe opened or accessed spam last year, according to the 2010 MAAWG Email Security Awareness and Usage Survey. Tens of millions clicked on links or opened attachments that could leave their computers vulnerable to a bot. As long as users continue to interact with spam, and as long as spam remains a profitable commerce model, the cybercriminals will be open for business.

In some respects, battling spam and cybercrime is a never-ending arms race. As soon as the industry identifies a bot or a cleverly devised phishing scheme, the cybercriminals quickly morph the code or change their mode of operation, making the malware more difficult to detect. We have to remember that in the time of open source and Internet standards, the tools available to the good guys are just as easily used by the bad guys too.

Yet, there are definite remedies in sight. From the industry’s perspective, one of the best weapons in this battle is the development of generally accepted procedures and tactics. Industry best practices tackle the thorny issues that require a broad, consensus approach to problem solving. They incorporate the industry’s collective wisdom on avoiding common mistakes and how to provide a better online experience for users. Best practices are guidelines freely offered by the industry to be voluntarily applied within a relevant organization’s strategic and technical framework.

The question any enterprise or business should be asking is not if it should implement anti-abuse best practices. Given the enormous cost and risk associated with spam and bots, the question is why would an organization not make adopting best practices a priority? Many of these practices cost next to nothing to implement, in many cases just requiring simple configuration changes or minor modifications to working practices.

Best Practices Illuminate Industry’s Shared Knowledge

Industry associations like MAAWG bring together representatives from all perspectives to work out solutions to common problems. As a result, the best practices developed through MAAWG tend to be more balanced rather than advancing a specific company’s or business sector’s interests. For example, many of the bulk senders in MAAWG worked closely with our network operator members to understand all sides of the issues when developing the MAAWG best practices for email marketers. Likewise, ISPs talked with abuse desk professionals in developing the best practices for notifying users when they have a bot on their computer and in addressing other issues related to remediation of infected machines, which often are placed in walled gardens.

Best practices also help to clarify the processes and technological strategies proven to be most effective in combating abuse. They often spell out common steps abuse and IT managers can take to better serve end users. MAAWG recently issued the first best practices aimed at providers of Web messaging systems. Among the recommendations were several well-known tactics that might otherwise be undervalued by Web messaging developers, such as auditing user account metrics and requiring registration before users can post or send messages.

The outcome of the effort within organizations like MAAWG to develop best practices is that smaller enterprises or regional operators have access to the broader and more varied experience of larger companies. These larger operations, with access to more resources and higher R&D budgets to invest in anti-abuse strategies, willingly share their knowledge and expertise to help advance the industry.

The only way to take down zombies, bots and spam is through this type of socially responsible action. By working together to protect the Internet and users’ online experience, we all profit. To that end, we have all been deputized in the Internet posse.

—

About Michael O’Reirdan

Michael O’Reirdan is serving his third term as chairman of the Messaging Anti-Abuse Working Group (MAAWG), the industry’s largest global trade association that works against messaging spam, viruses, denial-of-service attacks and other online exploitation. Professionally, O’Reirdan is a Distinguished Engineer at a major ISP in North America with over 18 years of experience in the ISP field and with public facing messaging platforms. He has served on executive advisory boards for several major computer vendors and academic institutions and is active in other industry organizations.