Sunday 5th February 2012

Posts Tagged ‘botnet’

Spam Leaves an Ugly Taste

Wednesday, March 30th, 2011

News that a number of the world’s spammers have taken a recent hit and had their servers brought down is good news, but worse could follow, as the cybercriminals have too much invested to walk away.

One huge botnet was recently reduced to a trickle after one set of anti-spam guardians fought hard to bring it down. The figures are truly staggering: some botnets issue billions of individual spam emails each year, meaning that millions are being sent on a daily basis.

But although these successes are worth a collective round of applause, the sheer size of the spam operations has worrying implications for all to see. Spam started as a mischievous trick played on friends; its innocent beginnings belong to a different time now.

But once the crooks saw the advantage in sending out emails to a somewhat gullible database of email enthusiasts who appeared to park their brains elsewhere when items dropped into their inboxes, the floodgates opened. Some offers weren’t completely fictitious, of course, and no doubt many men have benefited from under-the-counter Viagra, but offers of millions from dead kings, or pictures of curvy tennis stars which actually had dirtier things attached than a picture of a raised skirt, soon alerted most people to the spammers’ armoury.

Now the defences are more sophisticated, and the computer security industry has woken up to the fact that it’s far better to stop the spam reaching its destination in the first place than to rely on someone saying no to an offer of a forty million pound fortune from an African chief.

The various internet platforms and mail servers are now far more effective at stopping spam than they used to be, so there’s almost a desperation in the spammers’ actions now, as though they continually have to increase the volume of spam in order to get the one profitable hit.

But the crooks face a double whammy. Spam filters continually get better and people get more cynical. Therefore the volumes have to keep increasing, meaning that the servers which push through this rubbish become easier to spot and bring down.

It sounds like a win-win situation; unfortunately, it isn’t.

Spammers are not ‘geeks’ sitting in their bedrooms romantically fighting the system to earn a loaf of bread. Nowadays they are geeks sitting in huge offices fighting the system to earn their organised crime bosses far more than a loaf of bread (in fact, millions of loaves).

And organised crime bosses always have an eye on the takings. If profits begin to drop, it won’t be a prosaic shrug and a bringing down of the shutters for a while. Make no mistake, the crime bosses (and some governments) will have invested a fair bit of their ill-gotten gains to set up their spam operations, and walking away from that, and the potential rewards, means that the focus will switch elsewhere.

Spam will maybe last another five years as a profitable, albeit mostly illegal, road to riches. But as it starts to die, the real danger is where the crime bosses will direct their geeks’ attention next.

One battle might go to the computer security industry, but the cyber war is far from over.

Guest article by Neil Camp 


Botnet Threat Misleading?

Friday, March 18th, 2011

Security reports can take many forms, and one from the EU’s network and information security agency, ENISA, questions how botnets are measured and how their impact is assessed.

ENISA stands for European Network and Information Security Agency; it issues many reports and advice documents throughout the year.

ENISA has written two studies about botnets, which were published at a recent workshop in Cologne, Germany. They set out to evaluate the scale of the botnet problem and how effective the current measures for dealing with it are.

Botnets are basically networks of zombie computers, and one of their main uses is sending out millions of spam emails. Spammers rely on huge numbers to make their process work: you send out many thousands of emails and expect one reasonable reply (say an order, or someone submitting personal details). Just that one response out of thousands makes the spammer viable. But to send out millions of emails requires time, energy and many computers.

The advantage of machines that have been compromised (usually by a Trojan which takes control without the user knowing) is that they are effectively anonymous and are not linked to the spammer. They sit there, performing the usual tasks for their owner, yet are also, unbeknown to their owner, performing other tasks for the hacker. And this might include issuing thousands of emails on a daily basis.

Each infected computer (a bot, or zombie) sits within a network of likewise compromised machines (the botnet).

Many local authorities in the UK have discovered that their PCs have been unwittingly enrolled into various botnets exploited by hackers throughout the world.

But ENISA say that the threat of botnets might be overestimated: although millions of machines have indeed been infected, the operator may only be able to employ a fraction of them at any one time for a single task.

Indeed, the number of machines that can actually be used by the hackers is considerably smaller than many reports have suggested. This does not diminish the threat of such networks of zombie computers, but it does put forward a more realistic picture.
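To see why the headline figure and the usable figure differ, here is an added worked example; it is not taken from ENISA’s reports or from this article. It assumes a constructed command-and-control check-in log in which each infection reports a stable bot identifier, and it counts the same log three ways: by source address (what an outside observer sees), by bot, and by how many bots are reachable within any single one-hour window. The log, the identifiers and the window are all assumptions made for the illustration.

```python
"""Added example: the same botnet check-in log counted three ways."""
from datetime import datetime, timedelta

# Constructed command-and-control check-in log (not real data).
# Each line: <date> <time> <bot_id> <source_ip>.  bot_id is assumed to be a
# stable per-infection identifier reported by the malware; the addresses are
# RFC 1918 placeholders.  b1 appears from three addresses over the day (new
# DHCP leases), b3 keeps one address, and b4 and b5 share an address (NAT).
CHECKIN_LOG = """\
2011-03-10 00:05 b1 10.0.0.1
2011-03-10 00:10 b2 10.0.0.2
2011-03-10 00:12 b3 10.0.0.3
2011-03-10 06:00 b1 10.0.0.4
2011-03-10 06:05 b4 10.0.0.9
2011-03-10 06:07 b5 10.0.0.9
2011-03-10 12:00 b1 10.0.0.7
2011-03-10 12:30 b2 10.0.0.8
2011-03-10 18:00 b3 10.0.0.3
"""


def parse_checkins(text):
    """Return (timestamp, bot_id, ip) tuples sorted oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, bot_id, ip = line.split()
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        records.append((stamp, bot_id, ip))
    return sorted(records)


def distinct_ips(records):
    """The 'infected machines' figure an observer gets by counting addresses."""
    return len({ip for _, _, ip in records})


def distinct_bots(records):
    """Machines actually infected, as far as the bot identifier can be trusted."""
    return len({bot for _, bot, _ in records})


def peak_concurrent_bots(records, window=timedelta(hours=1)):
    """Most distinct bots that checked in within any single window of time,
    i.e. the largest force the operator could have tasked at once."""
    peak = 0
    for start, _, _ in records:
        live = {bot for stamp, bot, _ in records if start <= stamp < start + window}
        peak = max(peak, len(live))
    return peak


def size_report(text, window=timedelta(hours=1)):
    """Summarise one log under the three ways of counting."""
    records = parse_checkins(text)
    return {
        "distinct_ips": distinct_ips(records),
        "distinct_bots": distinct_bots(records),
        "peak_concurrent_bots": peak_concurrent_bots(records, window),
    }


if __name__ == "__main__":
    for name, value in size_report(CHECKIN_LOG).items():
        print(f"{name:>21}: {value}")
```

On this constructed log, counting addresses gives seven infected machines, there are in fact five bots, and at most three of them are ever on line together in any one hour. On real data the gaps are far wider, and the bot identifier itself is not reliable either (a reinstalled machine reports a fresh one), which is why every size figure for a botnet deserves the scepticism ENISA recommends.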

Both ENISA reports are available online.

Guest Article by Neil Camp 


Top Malware Threats

Monday, October 18th, 2010

One of the antivirus companies operating in the crowded internet security market, GFI Software, has put together its top ten hit parade of malware nasties for September.

Based on detections reported by its products, GFI produces a monthly report of the most active and virulent malware.

And the company has warned this month that the activity of botnet operators is increasing. Botnets are networks of zombie computers which, unbeknown to their owners and operators, act as vast spam mailers, and spam is one of the usual ways that malicious code is delivered to individual computers.

GFI has found that Trojan attacks and scareware persist.

The top ten for September showed a pattern of aggressive and persistent attacks via Trojan horse programmes:

  1. Trojan.Win32.Generic!BT 23.54%
  2. Trojan-Spy.Win32.Zbot.gen 4.27%
  3. Trojan.Win32.Generic!SB.0 4.06%
  4. Trojan.Win32.Generic.pak!cobra 3.04%
  5. INF.Autorun (v) 2.30%
  6. Worm.Win32.Downad.Gen (v) 1.44%
  7. Trojan.HTML.FakeAlert.e (v) 1.09%
  8. PlaySushi 1.08%
  9. FraudTool.Win32.FakeAV.gen!droppedData (v) 0.91%
  10. Trojan.Win32.Malware.a 0.83%

The biggest culprit, Trojan.Win32.Generic!BT, is a generic detection covering more than 120,000 traces of malicious applications.

In second place is another generic detection, Trojan-Spy.Win32.Zbot.gen, which has many variants and centres on password-stealing techniques. Number three, Trojan.Win32.Generic!SB.0, is also a password-stealing Trojan: such Trojans install keyloggers which monitor and record keystrokes so that hackers can work out usernames and passwords.

Manager of the malware processing team at GFI Labs, Francis Montesino said:
“These detections are evidence of the activities of botnet operators. They use their networks to pump out the spam that’s intended to infect machines.”

Research Centre Manager at GFI, Tom Kelchner said:
“Trojan.HTML.FakeAlert.e (v), which is in the number seven spot, is a detection for malicious Web pages that display false warnings to scare victims into downloading malware – commonly referred to as rogue security products or scareware. We’re seeing a steady flow of new rogues too – one or two per week. Judging by our ThreatNet reports, VIPRE installations are stopping a lot of the rogue downloaders.”

GFI will continue to track these threats in its monthly reports.

Guest Article by Neil Camp 


Who Created Stuxnet Worm?

Saturday, October 9th, 2010

Experts in the antivirus security industry believe the Stuxnet worm must have been coded in collaboration with a nation state.

Stuxnet is a sophisticated piece of malware, and antivirus security experts believe whoever wrote the original code must have had support from a national government agency.

Stuxnet is a worm which seeks out industrial control systems, the specialised computers and networks that run plants in certain industries. Such is its complexity and sophistication that it’s very unlikely one person, sitting in their bedroom, could create such a malware weapon. Most believe that it would have needed the support of a government, firstly to develop it and then to direct it towards the computer network being targeted.

Nor does the code carry the ‘signature’ of an individual coder, which would be a dead giveaway and an indication of where the code was conceived. This lack of clues also suggests a ‘corporate’ effort.

Stuxnet has already been found on computers at Iran’s Bushehr nuclear power station, and some antivirus security observers point to the obvious likely candidate.

All the major antivirus security firms have been monitoring the progress of the Stuxnet worm and believe it to be one of the most refined forms of malware ever released.

Stuxnet is not a botnet in the usual sense. In industry parlance a botnet is a network of zombie computers which do the bidding of the hacker. Individual pieces of malware code infect both networked and stand-alone machines, eventually creating a string of computers that can be manipulated by the cyber criminal.

One of the commonest uses of botnets is to create huge mailers for spam emails, often without the knowledge of the computer owner or user.

But this malware attack, if indeed perpetrated by a government, raises all sorts of tricky moral dilemmas for the antivirus security industry. Much is made of China’s alleged attempts to use viruses to hack into Western computers. If an ‘ally’ of many Western governments is starting to use the same tactic, then a number of people will find themselves answering some difficult questions.

Guest Article by Neil Camp 


Sick Computer Bans

Saturday, October 9th, 2010

Those owning a sick computer should be banned from surfing, says a senior figure at Microsoft. But although the comment from Scott Charney was seen by many as a sensible addition to the debate about internet security, others were quick to wag an ironic finger at the Redmond-based software giant, whose own record on bug-ridden code is far from perfect.

Charney’s suggestion is that the internet security industry should take its lead from the public health sector, which, when it identifies a virus, isolates all those in contact with it until the problem is solved.

The biggest threat out there, according to the experts, is botnets: networks of computers which have been infected by cyber criminals and then made to do their bidding, including sending out millions of spam emails.

Mr Charney wrote in a blog recently:
“Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.

“In the physical world, international, national, and local health organisations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.

“Simply put, we need to improve and maintain the health of consumer devices connected to the internet in order to avoid greater societal risk.”

Botnets can consist of a few hundred PCs, but can also number thousands, or even millions. The machines operate as zombies without the knowledge of the user.

Mr Charney goes on to say that although millions of firewalls and antivirus programmes are being sold and used, many consumer computers remain vulnerable to attack from malware. This leads him to suggest that all computers should have a health certificate before they are allowed to connect to the internet.

He added:
“Although the conditions to be checked may change over time, current experience suggests that such health checks should ensure that software patches are applied, a firewall is installed and configured correctly, an antivirus program with current signatures is running, and the machine is not currently infected with known malware.”

With many countries starting to introduce versions of the health certificate idea, and with some ISPs spotting machines which appear to be sending out vast amounts of spam email and effectively cutting them off, it would appear that users are going to have to wake up to the prospect of more proactive action against infected computers.
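As an added illustration of the kind of check an ISP or network team might run (not something from this article, from Microsoft or from any particular ISP), the following script takes a constructed outbound connection log and flags internal hosts that open SMTP connections to many different mail servers, which is how a spam bot delivering directly behaves, while a normal client that only talks to its provider’s relay is left alone. The log format, the addresses, the relay and the threshold are all assumptions.

```python
"""Added example: spotting hosts that send mail like a spam bot."""
import re
from collections import defaultdict

# Constructed outbound connection log (not real traffic).  One flow per line:
#   <date> <time> <src_ip> -> <dst_ip>:<dst_port>
# Internal hosts use RFC 1918 addresses; external hosts use the RFC 5737
# documentation ranges.  192.168.1.10 sends all its mail through one relay,
# 192.168.1.20 connects straight to eight different mail servers within a few
# seconds, and 192.168.1.30 is just browsing on port 443.
SAMPLE_FLOWS = """\
2011-03-10 09:00:01 192.168.1.10 -> 203.0.113.5:25
2011-03-10 09:03:12 192.168.1.10 -> 203.0.113.5:25
2011-03-10 09:07:45 192.168.1.10 -> 203.0.113.5:25
2011-03-10 09:00:02 192.168.1.20 -> 198.51.100.1:25
2011-03-10 09:00:02 192.168.1.20 -> 198.51.100.2:25
2011-03-10 09:00:03 192.168.1.20 -> 198.51.100.3:25
2011-03-10 09:00:03 192.168.1.20 -> 192.0.2.10:25
2011-03-10 09:00:04 192.168.1.20 -> 192.0.2.11:25
2011-03-10 09:00:04 192.168.1.20 -> 192.0.2.12:25
2011-03-10 09:00:05 192.168.1.20 -> 192.0.2.13:25
2011-03-10 09:00:05 192.168.1.20 -> 192.0.2.14:25
2011-03-10 09:01:00 192.168.1.30 -> 203.0.113.80:443
2011-03-10 09:01:01 192.168.1.30 -> 203.0.113.81:443
2011-03-10 09:01:02 192.168.1.30 -> 203.0.113.82:443
2011-03-10 09:01:03 192.168.1.30 -> 203.0.113.83:443
2011-03-10 09:01:04 192.168.1.30 -> 203.0.113.84:443
2011-03-10 09:01:05 192.168.1.30 -> 203.0.113.85:443
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_flows(text):
    """Return (timestamp, src, dst, port) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append((m["ts"], m["src"], m["dst"], int(m["port"])))
    return flows


def smtp_fanout(flows, smtp_port=25):
    """Map each source to the set of distinct hosts it contacted on the SMTP port."""
    fanout = defaultdict(set)
    for _, src, dst, port in flows:
        if port == smtp_port:
            fanout[src].add(dst)
    return fanout


def flag_spam_sources(flows, max_distinct_mx=5, allowed_relays=()):
    """Return [(src, distinct_destinations)] for sources that talk SMTP to more
    than max_distinct_mx different hosts, busiest first.  Connections to an
    explicitly allowed relay (the provider's own smarthost, an assumed address
    here) are not counted, so a host that only uses its provider's mail server
    is never flagged."""
    flagged = []
    for src, destinations in smtp_fanout(flows).items():
        count = len(destinations - set(allowed_relays))
        if count > max_distinct_mx:
            flagged.append((src, count))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    hits = flag_spam_sources(parse_flows(SAMPLE_FLOWS), allowed_relays=("203.0.113.5",))
    for src, count in hits:
        print(f"{src}: SMTP to {count} distinct hosts, candidate for a port 25 block")
```

A host running a legitimate mail server on the network would trip this check too, so in practice known servers are whitelisted, the fan-out is counted over a time window rather than a whole log, and it is combined with rate and reputation data before anyone is cut off.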

But a number of internet security experts find it somewhat ironic that an employee of Microsoft should be ‘lecturing’ others on the subject of infected computers. It’s a well-known fact that many cyber criminals are able to exploit software such as Microsoft Windows because the original code contains so many bugs. These bugs are effectively holes, or mistakes in the code, which hackers can utilise to attack a computer. Even now Microsoft issues regular monthly updates which are in reality repair ‘patches’ to shore up gaps in its software.

Some reckon that if software companies are going to accuse computer users of running ‘bad’ computers, then they should do more to make their code more robust and less open to exploitation by criminals.

Guest Article by Neil Camp 

The Editor

My name is Alan Potts and I'm the Editor of the Antivirus-BUYability web site and Managing Director of BUYability Limited. You can connect with me or keep up to date with new posts on this blog via the following social media sites:

Facebook LinkedIn Plaxo Twitter StumbleUpon Plurk FriendFeed Digg Technorati Delicious

© BUYability