forkb0mb.org - Malware

'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators

nospam@example.com (TJE) — Thu, 11 Feb 2010 02:12:08 -0500

'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators

Researchers find 'markers' associated with authors of Aurora malware used in attacks against Google, others

The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.

Security experts who have worked on forensics investigations and cleanup of the victim organizations from the attacks that originated out of China say they are also getting closer to identifying the author or authors of the malware used to breach Google and others.

...

He and other forensics firms say they have no direct evidence implicating the Chinese government in the Aurora attacks, but that doesn't mean other investigators or officials have it and just aren't sharing it publicly, Hoglund says. HBGary has found trails left behind in the Aurora code by its creators that are "very specific to the developer who compiled the malware," Hoglund says, and it has Chinese language ties.

HBGary has identified registry keys, IP addresses, suspicious runtime behavior, and other data about the Aurora malware and its origins using the firm's latest analysis tool, he says.

/*
Call me cynical, but it sounds to me like HBG is using this whole 'Aurora' thing to try to sell copies of it's latest product.
*/

Hoglund says HBGary was able to identify "markers" specific to the way the Aurora developer wrote the malware. But he says his firm did not include this in its new report. "This is not in the report because we don't want him to know what we know about his coding," he says. "[It] is algorithmic in nature."

/*
Assuming they did find distinct characteristics about the programmer('s) code, that's like having a partial fingerprint and no database of fingerprints to compare it to. Do they expect to get every person in the world that can write code to submit samples for comparison?
*/

Kevin Mandia, CEO of forensics firm Mandiant, also says his firm's investigators are getting close to exposing the creators of the Operation Aurora malware. "We feel like we know a couple of them in their coding -- we recognize their trademarks ... down to the person."

/*
I also find this hard to believe. In working with people over extended periods of time, a decent programmer can generally figure out which of his coworkers wrote a piece of code based on things such as commonly-used variable names, snippets of syntax, tab-width, 1TBS vs. Allman bracing style and comments. Most or all of this information is lost when the code is compiled and debugging symbols removed.
*/

He says attacks that steal intellectual property typically funnel the goods via IP addresses based in China. But Mandia says he doesn't know if the Chinese government is involved in the recent attacks or other APT attacks, though some trends with these attacks raise questions. "We see patterns that just make us curious. If you're doing merger and acquisition work in China, you're targeted," Mandia says. "We've seen when we respond to client sites [that were attacked] a lot of legal counsel, external counsel, and C-level executives [targeted] in M&A with China."

/*
As usual, I'm going to apply Occam's Razor here and guess that if it walks like a duck, and quacks like a duck, it's probably going to be served with packets of duck sauce. :)
*/

New Russian Botnet Tries to Kill Rival

nospam@example.com (TJE) — Thu, 11 Feb 2010 01:11:52 -0500

New Russian Botnet Tries to Kill Rival

An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.

...

Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules -- U.S. residents with bank accounts -- who then move the cash out of the country.

/*
Most of these "money mules" are people who take "work from home" jobs they find on the internet. From the stories I've read, they'll get an official-looking email from their "boss" stating that money will be wired into their bank account, they keep around 10%, and then are instructed to wire the remainder to another account outside of the country.

First, I find it odd that these criminals aren't swindled by their "employees." I'm surprised more people don't just keep the large sums of money deposited into their accounts.

Second, I have a hard time believing that these "employees" don't find it suspicious that their boss is telling them that large sums of money will be deposited into their account, and that they are then to wire most of it to another account. I'd certainly be questioning their methods and intentions. Any legitimate business that needed to move money around would have their own billing/accounting department to handle all of that; and that my pay, for whatever work performed, would be given to me in whole. I've never had a job where I'd be given 10 times my pay with the understanding that I'm to keep what I'm entitled to and then "give back" the rest.
*/

With its "Kill Zeus" option, Spy Eye is the most aggressive crimeware, however. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks. "This author knows that Zeus has a pretty good market, and he's looking to cut in," he said.

/*
I think this is the genius part of this new botnet. New botnets seem to spring up every couple weeks at most; but this one is intelligent enough to not only gather it's own data (via keyloggers, HTTP POSTs, etc), but to also steal data already captured by a market-leading botnet. Let the others do all of the work collecting the data, and then just swipe the data as they report back to their C&C servers.
*/

Turf wars are nothing new to cybercriminals. Two years ago a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi. And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.

/*
Such behavior is definitely not new. I recall a worm that spread using the same vulnerability as SQL Slammer that would remove Slammer and download/install the patch for the vulnerability they both used to obtain access. Viruses have used similar tactics in the past, as well.
*/

Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. To date, it has not been spotted on many PCs, however.

/*
$500 - $2500 is a small investment considering the enormous potential it could buy you. If you only manage to obtain $250 per stolen bank account, it would only take you 10 compromised accounts to see a return on investment.
*/

'Aurora' Code Circulated for Years on English Sites

nospam@example.com (TJE) — Tue, 26 Jan 2010 15:56:46 -0500

'Aurora' Code Circulated for Years on English Sites

Updated An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-~~speaking~~language books and websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People's Republic of China.

The smoking gun said to tie Chinese-speaking programmers to the Hydraq trojan that penetrated Google's defenses was a cyclic redundancy check routine that used a table of only 16 constants. Security researcher Joe Stewart said the algorithm "seems to be virtually unknown outside of China," a finding he used to conclude that the code behind the attacks dubbed Aurora "originated with someone who is comfortable reading simplified Chinese."

/*
Doubt is now being cast upon the assumption that someone within China was behind the attacks. I still have my suspicions.
*/

In fact, the implementation is common among English-speaking programmers of microcontrollers and other devices where memory is limited. In 2007, hardware designer Michael Karas discussed an almost identical algorithm here. Undated source code published here also bears more than a striking resemblance.

...

"Digging this a little deeper though, the algorithm is a variation of calculating CRC using a nibble (4 bits) instead of a byte," programmer and Reg reader Steve L. wrote in an email. "This is widely used in single-chip computers in the embedded world, as it seems. I'd hardly call this a new algorithm, or [an] obscure one, either."

/*
Gee, where are nearly all microchips/microcontrollers fabricated these days? China.
*/

Two weeks ago, Google said it was the victim of highly sophisticated attacks originating from China that targeted intellectual property and the Gmail accounts of human rights advocates. The company said similar attacks hit 20 other companies in the internet, finance, technology, media and chemical industries. Independent security researchers quickly raised the number of compromised companies to 34.

/*
Targeting the human-rights advocates kind of seals-the-deal in my mind. We've got three major parts of the world where the vast majority of malware originates; eastern Europe, Russia, and China. Let's see, who has the most atrocious human-rights abuses of the three? China.
*/

One of the only other reported links between China and the attacks is that they were launched from at least six internet addresses located in Taiwan, which James Mulvenenon, the director of the Center for Intelligence Research and Analysis at Defense Group, told The Wall Street Journal is a common strategy used by Chinese hackers to mask their origin. But it just as easily could be the strategy of those trying to make the attacks appear to have originated in China.

/*
This is a valid point; it could be someone wishing to make it appear that the Chinese were behind the attack. I'd have to admit, the Chinese hackers and malware authors are generally smart enough to cover their tracks, so for the attacks to originate in a favored part of the world for the Chinese does seem a little short-sighted.
*/

The lack of evidence is important. Google's accusations have already had a dramatic effect on US-China relations. If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?

/*
I would like to see something a little more definitive before saying I'm certain that the Chinese were behind the attacks; but so far, we've got a "smoking gun" (the exploit code contained in the targeted phishing attacks), but have yet to identify any "fingerprints." Applying "Occam's razor," as I'm wont to do, it would appear that someone in China was behind this.

I whole-heartedly support Google on their threat to pull out of China. With Wal-Mart already selling this country out from under us every day, I don't like to see any U.S.-based company doing business with China. Unfortunately, in this situation, it appears that the Chinese citizens will really be the ones that lose.
*/

Law Firm Suing China Hit By Cyber Attack

nospam@example.com (TJE) — Sun, 17 Jan 2010 07:40:59 -0500

Law Firm Suing China Hit By Cyber Attack

Last week, Santa Barbara, Calif.-based CYBERsitter sued the People's Republic of China, the two Chinese software makers, and seven computer manufacturers for distributing Web filtering software known as Green Dam with allegedly stolen code.

This week, the law firm representing the company said that it had been targeted in a cyber attack from China.

In a phone interview, Elliot B. Gipson of Gipson Hoffman & Pancione described what amounts to a spear-phishing attack -- the same technique used against Google in China. "They were e-mails targeted at individuals in our law firm that were made to appears as if they were coming from other individuals at our law firm," he said. "They attempted to get the target to click on a link or attachment."

/*
It looks like China is at it again. When will our government say "enough is enough?"

Given that we've "outsourced" essentially all of our manufacturing jobs to China, India, and Mexico, all we have left to power our economy is our ingenuity; our intellectual property. The Chinese government has made little effort to hide the fact that they are behind these attacks.

I'm really starting to favor a new "Cold War," this time against China. We toppled the Soviet Union without firing a single shot; there's no reason we couldn't do the same to China. With carefully coordinated electronic attacks, we could cripple their booming economy and leave them in ruins without risking one single American life.

For those who have no reason to receive email, or other network traffic, from China and the other "problem children" in APNIC, here is a list of subnets that are managed by APNIC. You may wish to null-route all of them, or fine-tune the list to your needs.

*/

Researchers Identify Command Servers Behind Google Attack

nospam@example.com (TJE) — Thu, 14 Jan 2010 20:29:30 -0500

Researchers Identify Command Servers Behind Google Attack

VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies. The iDefense researchers traced the attack back to its origin and also identified the command-and-control servers that were used to manage the malware.

The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.

/*
Emphasis is my own, but I wanted to ensure that those reading this immediately saw that it was China behind these attacks.
*/

Citing sources in the defense contracting and intelligence consulting community, the iDefense report unambiguously declares that the Chinese government was, in fact, behind the effort. The report also says that the malicious code was deployed in PDF files that were crafted to exploit a vulnerability in Adobe's software.

"The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," the report says.

/*
In other words, these attacks weren't carried out by people who just-so-happened to be Chinese citizens; but were carried out by, or at least encouraged by, the Chinese government.

Later in the article, there's an update stating that it appears the attacks did not use specially crafted PDFs but most likely an unpatched vulnerability in Microsoft Internet Explorer.

I'd bet that there's probably a 0day exploit floating around for every 10 lines of code in IE. It's just pathetic. The single biggest recommendation that I offer all of my friends and family is to not use IE if they value their computer and it's data. I tell them that by using Firefox -- which is not without it's own security issues -- instead of IE, that it's the single most effective action they can take to avoid malware on their systems.
*/

"The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other," the report says. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July."

/*
"six IP addresses apart" is probably within the same /28 or /29.

On my home network, I typically block all subnets handled by APNIC; using either Linux netfilter on the firewall, or regex pattern matching via Squid proxy. This is using a cannon to kill a mosquito, and would definitely not work in the enterprise, but it works fine for my own personal protection. I have no need to visit any sites hosted on APNIC addresses as I cannot read any language other than English.

Unfortunately, my tendency to block wide swaths of IP space would not have protected my home computers from becoming zombies in this attack. It appears that the C&C servers were hosted in the U.S.
*/

Interesting Bit of iptables(8) Hackery

nospam@example.com (TJE) — Thu, 22 May 2008 16:59:13 -0400

/*
A while back, I set up a transparent Squid proxy at my border to limit my exposure to "drive-by downloads." It's a pretty standard setup; Squid running on the gateway/firewall, and iptables configured to route all tcp/80 traffic back into itself on port 3128.

An unfortunate side effect of this is that tcptraceroute breaks. As port 80 is the default port that tcptraceroute uses (as the destination port), you end up with a traceroute that looks something like this:

(root@desktop1) ~# tcptraceroute www.ebay.com Selected device eth0, address 172.25.X.XXX, port 39068 for outgoing packets Tracing the path to www.ebay.com (66.135.200.145) on TCP port 80 (www), 30 hops max 1 hp-core.ebay.com (66.135.200.145) [open] 0.558 ms 0.384 ms 0.315 ms

I can assure you, I'm not 1 hop off from www.ebay.com. Since iptables is mangling the packet at the very first hop, my gateway/firewall, I'm receiving the SYN-ACK from that first hop.

Keep in mind, tcptraceroute will use any destination port you specify, but the default is port 80 since it's usually allowed through most firewalls, and often open.

Given that the default TTL of a Linux-based computer is 64, I can use the TTL match in iptables to selectively capture what tcp/80 traffic goes to the proxy and what does not. Consider the following rule:

iptables -t nat -A PREROUTING -i $IF_INT -p tcp --dport 80 \ -j DNAT --to-destination 172.25.X.XXX:3128

This is the rule that routes all outbound traffic, originating on the internal network, to the Squid proxy. Now if we change that rule to match only packets with a TTL larger than, say, 48, we end up with the following:

iptables -t nat -A PREROUTING -m ttl --ttl-gt 48 -i $IF_INT -p tcp --dport 80 \ -j DNAT --to-destination 172.25.X.XXX:3128

With this rule in place, a tcptraceroute headed for www.ebay.com on tcp/80 looks more like the following:

(root@desktop1) ~# tcptraceroute -f6 www.ebay.com Selected device eth0, address 172.25.X.XXX, port 57684 for outgoing packets Tracing the path to www.ebay.com (66.135.200.145) on TCP port 80 (www), 30 hops max 6 so-1-2-0.gar2.chi1.bbnplanet.net (4.79.74.1) 76.668 ms 23.024 ms 30.840 ms 7 ae-31-55.ebr1.Chicago1.Level3.net (4.68.101.158) 57.014 ms 34.438 ms 36.097 ms 8 ae-68.ebr3.Chicago1.Level3.net (4.69.134.58) 25.716 ms 22.857 ms 32.941 ms 9 ae-3.ebr2.Denver1.Level3.net (4.69.132.61) 84.660 ms 49.091 ms 40.722 ms 10 ae-1-100.ebr1.Denver1.Level3.net (4.69.132.37) 79.996 ms 52.921 ms 52.897 ms 11 ae-3.ebr2.SanJose1.Level3.net (4.69.132.57) 71.323 ms 70.999 ms 71.651 ms 12 ae-82-82.csw3.SanJose1.Level3.net (4.69.134.218) 66.468 ms 70.863 ms 72.099 ms 13 ae-32-89.car2.SanJose1.Level3.net (4.68.18.132) 65.688 ms 62.794 ms 59.597 ms 14 EBAY-INC.car2.SanJose1.Level3.net (166.90.140.134) 60.576 ms 65.507 ms 58.566 ms 15 10.6.1.158 71.070 ms 59.413 ms 59.670 ms 16 10.6.1.146 61.397 ms 88.846 ms 68.280 ms 17 hp-core.ebay.com (66.135.200.145) [open] 84.341 ms 59.523 ms 62.286 ms

Now that looks a little more reasonable. Given that I'm 1 hop off from the gateway/firewall, and Linux uses a default TTL of 64, then all of my packets generated by, say, Firefox, will come into $IF_INT with a TTL of 64. With 64 > 48, the DNAT rule matches, and the request gets routed through the Squid. As tcptraceroute works like any other traceroute tool, only using TCP SYN packets, the first packet will only have a TTL of 1. With 1 < 48, it does not match the DNAT rule, and passes through unchanged. The second packet will have a TTL of 2, with 2 < 48, and so on. As most all destinations on the internet are reachable in 30 hops or less, this guarantees that my browser generated requests are proxied, while my diagnostic requests are passed through unchanged.

You can view/change your default TTL as such:
(root@desktop1) ~# cat /proc/sys/net/ipv4/ip_default_ttl 64

Needless to say, the IP addresses have been changed to protect the innocent. ;)
*/

SRI Malware Threat Center

nospam@example.com (TJE) — Tue, 15 Apr 2008 15:11:17 -0400

SRI Malware Threat Center

Welcome to the Malware Threat Center. The data produced on this site is automatically generated each morning, and summarizes our latest observations of malware activity. We provide you this data as is, and without warranty, for your personal research purposes.

/*
This site is apparently fairly new, but has a lot of really useful information.

They maintain daily-updated lists of several malware related rules and filters such as:
Most Aggressive Malware Attack Source and Filters
Most Effective Malware-Related Snort Signatures (very spiff)
Most Observed Malware-Related DNS Names
Most Aggressively Spreading Malware Binaries
*/

Move Over Storm

nospam@example.com (TJE) — Wed, 09 Apr 2008 03:03:10 -0400

Move Over Storm - There's a Bigger, Stealthier Botnet in Town

Researches have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network.

Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of PCs running anti-virus products are detecting the malware. Just as a con artist might throw off detectives by changing his hair color or other physical characteristics, Kraken's ability to morph its code base has allowed it to evade the majority of malware detectors.

/*
Looks like polymorphism is becoming almost a necessity for malware authors. Great for avoiding AV, IPS, IDS, etc.
*/

In addition, the code inside the executable file that infects a PC has been arranged in a way that makes it hard for malware analysis tools to accurately disassemble the malicious program.

"It raises the question of whether this basically has been authored specifically with anti-virus evasion in mind," Royal added.

/*
Gee, you think? It's fairly pointless to write malware that doesn't try to evade detection.
*/

Kraken's primary activity is sending spam that advertises high-interest loans, male-enhancement techniques, fake designer watches and gambling opportunities. Damballa has observed as many as 500,000 pieces of junk mail being sent from a single zombie.

/*
This should make it a little easier to spot these zombies than they're letting on. If you've got a box on your network that's hammering tcp/25 around the clock, you might have a trojan. Checking your local mail server logs for high-volume users would probably also tip you off.
*/

[Storm] has clearly been eclipsed by Kraken, which on March 25 was observed to have compromised 409,912 unique IP addresses during a 24-hour period. Royal predicted the number will grow to more than 600,000 in the next two weeks.

Royal says he's still trying to figure out how the bot is managing to horn its way on to so many machines, many of which are behind well-fortified networks of some of the world's biggest companies.

"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."

/*
It's finding it's way into so many machines because most users are stupid, fact of life. They click on every object claiming to show them naked pictures of their favorite celebs.

The polymorphism is what's allowing it to slip past AV, IDS, and IPS. The idea started with viruses back in the early 90s; it's been used in shellcode to avoid IDS/IPS detection; and now it's making it's way back to the malware community.
*/

Blocking Malware at the Border

nospam@example.com (TJE) — Fri, 14 Mar 2008 01:50:58 -0400

/*
Blocking Malware at the Border:

I'm about to configure an outbound HTTP filter on my network to block drive-by-malware installs. While most of my systems are not vulnerable to these types of attacks, the extra layer of security is always a good idea.

In an article entitled Botnet malware defense on isc.sans.org, they provide several links to updated lists of malware-hosting domains.

One of the links is to a site called www.malwaredomains.com. Using their updated "domains.txt" list, it's fairly simple to parse into something that Squid will understand.

# wget http://www.malwaredomains.com/files/domains.txt # egrep -v '^$|^#' domains.txt | awk '{print $1}' | sort > sorted.txt

Using the sorted.txt list, you can configure Squid or similar to block access to these domains at layer 7. That way, if DNS changes, such as in a "fast flux network", you will still be protected.
*/

FreeBSD: Virus Scanning

nospam@example.com (TJE) — Sun, 18 Nov 2007 21:41:29 -0500

FreeBSD: Virus Scanning

This article outlines how to setup virus scanning using AMaViS (A Mail Virus Scanner), ClamAV, and Postfix. The actions describe below are particular to a FreeBSD system and are applicable to other operating systems by altering the path to the configuration files, and adjusting for other OS-specific issues.

What? Virus scanning on non-windows? Well, yes. My mail server happens to be running FreeBSD. It also happens to have many clients which are running Windows. Let's just stop the viruses before they get past my mail servers. Thank you. :)

This article is written as a reminder to me for the next time I configure virus scanning with amavisd. It is very high level.

/*
A great article on how to implement a secure anti-virus email gateway. Better to block the virus before it gets to the user's PC, thus saving bandwidth and reducing the reliance on the user to do the right thing.

The majority of email-borne viruses have required some form of user intervention, such as clicking on the attachment. If you value your bandwidth and mail server resources, it's always a good idea to filter as much junk as you can before it reaches the end-user.
*/

Storm Worm Botnet More Powerful than Top Supercomputers

nospam@example.com (TJE) — Fri, 07 Sep 2007 08:53:22 -0400

Storm Worm Botnet More Powerful than Top Supercomputers

The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers.

That's the latest word from security researchers who are tracking the burgeoning network of Microsoft Windows machines that have been compromised by the virulent Storm worm, which has pounded the Internet non-stop for the past three months.

/*
Ahem... "Microsoft Windows machines." I guess that rules out anything on my network as being infected. ;)
*/

"In terms of power, the botnet utterly blows the supercomputers away," said Matt Sergeant, chief anti-spam technologist with MessageLabs, in an interview. "If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it."

Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity.

"We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see," he said, noting he suspects the botnet could be as large as 50 million computers. "That means they can turn on the taps whenever they want to."

/*
If these numbers are more than just FUD by the security industry to sell Anti-Virus and crappy personal firewalls, then this is certainly alarming. A bot-net of 2 million computers can still send a flood of traffic. Let's do the math, shall we?

We'll assume that due to bandwidth limitations, being that most of these "bots" are PCs on broadband connections, we'll say that we've got 256k upstream.

256 kbps * 2,000,000 computers = 512 Gbps of traffic.

If we double that upstream cap to 512kbps, which is not uncommon, our potential traffic is now 1 Terabit per second!

Now if we consider that there could be as many as 50 million computers, with an average upstream of 512 kbps, we end up with a figure like this:

512 kbps * 50,000,000 computers = 25 Terabits per second, or 25,000 Gbps, or 25,000,000 Mbps. Holy NetFlow, Batman!

Another thing worth considering is the raw computing power. I'm thinking something along the lines of the distributed.net project. How secure is your encryption scheme? This would definitely be enough processing power to brute-force even large key-length algorithms. distributed.net used your spare CPU cycles, i.e., when you're not using the computer. Someone with enough disregard to install remote-control software on your PC for financial gain surely won't care if you're busy or not, they'll be busy hammering away at blocks of crypto keys.
*/

Sourcefire Acquires ClamAV

nospam@example.com (TJE) — Wed, 22 Aug 2007 11:04:29 -0400

Sourcefire Acquires ClamAV

Sourcefire, a maker of intrusion detection products, announced on Friday that the company had acquired the intellectual property and copyrights to the open-source antivirus project, ClamAV, from five key developers.

...

"Sourcefire pioneered the business of balancing commercial solutions with open source innovation, and we intend to apply those same Snort sensibilities to the ClamAV project," Roesch said in a statement.

/*
This basically sounds like they're going to ruin ClamAV like they've done with Snort. My guess is that ClamAV will not be available for free, at least not the fully capable version, for much longer. You may end up being able to download and install/run a binary version of ClamAV with half the features missing; or just having to come up with the cash to license it legit.
*/

Some more information in regards to the purchase of ClamAV. I think this guy says it best:

Anybody feels like placing bets on how long it’s going to take SourceFire to pull the same trick with ClamAV signatures they pulled with Snort signatures where you’ll need to “conveniently” license the signatures from SourceFire to have the latest ones to be properly protected :-)

The engine source code will be useless if you don’t have the very latest AV sigs…

Know Your Enemy: Fast-Flux Service Networks

nospam@example.com (TJE) — Mon, 20 Aug 2007 12:29:23 -0400

Know Your Enemy: Fast-Flux Service Networks

/*
This is an excellent, in-depth look at how high-profile scammers and phishers are tricking people into submitting their most private information. This is hosted by the HoneyNet project, so it's certainly worth a read.
*/

Beware: Bogus Better Business Bureau Blast

nospam@example.com (TJE) — Mon, 28 May 2007 14:11:25 -0400

Beware: Bogus Better Business Bureau Blast

Security vendor Websense is reporting the return of a bogus Better Business Bureau e-mail. The attached Word document in this release contains a Trojan that, when opened, attempts to download and install a keylogger which then uploads stolen data from the compromised PC to an IP address located in Malaysia.

Battle of the Botnets

nospam@example.com (TJE) — Tue, 15 May 2007 10:47:44 -0400

Battle of the Botnets

For the average user spam has always been an annoyance. For the average spammer it has always been about making money. For the criminal gangs that have muscled in on this lucrative industry during the last few years it is now about territory and control. Control, that is, of the botnets behind the malware distribution networks that they rent out to the spamming middle men to enable them to ply their trade in relative safety from the crippled arm of the law.

/*
This article is a pretty interesting read on the current use of botnets. I remember the days when exploitation was for knowledge, for the challenge of getting into a system. You bring money into the picture and it loses all it's fun. :(

I have to say, I really agree with "shamgar" on his comments at the bottom of the page.
*/