Despite the News, Your Refrigerator is Not Yet Sending Spam

You may have seen media reports based on research by Proofpoint that hundreds of home devices such as entertainment systems and even a refrigerator had been sending spam. We refer to this collection of networked devices as the Internet of Things (IoT). Originally, the reports didn’t provide any evidence so we were unable to validate the claim. However, additional details have now been made available and we can confirm that your IoT devices, including your refrigerator, are not the source of this recent spam run.

From the information that was publicly provided, we have been able to determine that this specific spam run is being sent by a typical botnet resulting from a Windows computer infection. Symantec receives telemetry from a wide variety of sources including our endpoint security products, spam receiving honeypots, and botnet honeypots that await spam-initiating commands. All of these sources traced the spam to multiple Windows computers, some of which were verified to be infected with W32.Waledac (Kelihos). We have not seen this spam originate from any non-Windows computer systems and do not see any unaccounted volume of spam that may originate from other sources.

Even though the refrigerator was innocent, having IoT devices send spam isn’t impossible. Recently, we uncovered one of the first and most interesting IoT threats, Linux.Darlloz, which infects Linux-based IoT devices such as routers, cameras, and entertainment systems. Beyond its ability to infect IoT devices, what makes Darlloz interesting is that it is involved in a worm war with another threat known as Linux.Aidra. Darlloz checks if a device is infected with Aidra and if found, removes it from the device.

This is the first time we’ve seen worm writers fight an IoT turf war and is reminiscent of the 2004 worm wars. Considering these devices have limited processing power and memory, we’d expect to see similar turf battles in the future.

While malware for IoT devices is still in its infancy, IoT devices are susceptible to a wide range of security concerns. So don’t be surprised if, in the near future, your refrigerator actually does start sending spam. As with any computer system, keep the software on IoT devices up-to-date, place them securely behind a router, and change all default passwords to something more secure.

So, how did others incorrectly come to the conclusion that our refrigerators had gone rogue and started to send spam?

Unfortunately, confirming the make and model of an actual physical device on the Internet isn’t that easy. Many home devices sit behind a home router and use Network Address Translation (NAT). From the view point of an outsider, all the devices behind that router share the same IP address. This makes it difficult to determine whether a device behind the router or the router itself was the original source of the network traffic. Furthermore, if you probe the router for open ports the router may employ port forwarding, exposing one or more devices behind the router. You may have enabled port forwarding on your router to allow remote access to a home device, for example, to access a digital video recorder over the Internet while you're on the road so that you can record a TV show. You could be fooled into not even realizing a router is there and think that the exposed device is the sole device using that IP address.

Refrigerator Spam 1.png

Figure. What you see is not what you have

In this particular case, you have computers infected with malware sitting behind a home router along with a variety of other home devices, like an entertainment system or even a refrigerator. When the infected computer receives a new spam template from the bot controller, the spam will travel through the router and appear from a particular IP address. If you probe that IP address, instead of reaching the infected computer you will reach the router.

In addition, if your refrigerator uses a feature known as port forwarding and someone contacts the IP address on port 80, that traffic is allowed to reach your smart refrigerator. Viewed from outside, all you will see is the refrigerator and you may not even realize there is a router with potentially many other devices behind it, such as an infected computer. This misunderstanding was what led to reports of refrigerators sending spam. The truth is that those refrigerators just happened to be on the same network as an infected computer.

To validate how someone might be misled, we probed the public IP address of a Waledac infected computer. As expected, in many cases we ended up reaching entertainment systems and other home devices that happened to be exposed through the router and were just sharing the same network as a Waledac-infected computer.

So while IoT devices weren’t to blame this time, we expect they probably will be to blame in the future.

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

Canada’s Anti-Spam Legislation (CASL) brings with it new legal violations and penalties, some of which become effective as of July 1, 2014.   The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada will have new enforcement roles with respect to these violations and penalties, in the following areas:

CRTC: spamming, traffic rerouting (altering transmission data without authorization);  malware (installation of “computer programs” without consent)

Competition Bureau: fraud (false and misleading representations online, e.g. websites and addresses)

Office of the Privacy Commissioner: harvesting (using computer system to collect addresses without consent); invasion of privacy (unauthorized access to computer system to collect personal information without consent).

On January 23, 2014, the Competition Bureau announced that it had entered into a memorandum of understanding (MOU) with the Office of the Privacy Commissioner of Canada and the CRTC the regarding the implementation of their mandates under CASL.  The MOU is dated October 22, 2013.

Nature of the MOU

The MOU fleshes out the already detailed CASL provisions on “consultation and disclosure of information” among the agencies, and with foreign states.  The provisions of CASL itself, and the requirements of the MOU, suggest that all concerned are aware that coordination will not be an easy task.  For example, CASL requires the agencies to provide the Minister of Industry with “any reports that he or she requests” on how they are co-ordinating efforts on their mandated areas.  The MOU requires agency officials to meet “at least quarterly” to discuss enforcement activities and any other matters “of mutual interest” relating to CASL.

While the MOU is not intended to be legally binding or enforceable by the courts, it does represent these three agencies’ agreement on how they intend to co-ordinate their responsibilities.  Among other things, that will affect how each agency’s staff will approach their enforcement activities on the ground.


Each agency will notify the others with respect to enforcement activities – including the conduct under investigation and CASL provisions at issue – that ”may potentially affect” the others’ interests under CASL.

Enforcement Cooperation, Coordination and Information Sharing

The agencies will consult with each other, and may share information related to their enforcement activities.  Where those activities potentially overlap, they will “seek to coordinate their efforts”, whether jointly or alongside one another.  The agencies will also coordinate involvement in information requests and arrangements with foreign agencies.  Once the Private Right of Action (PRA) becomes effective as of July 1, 2017, when an agency is informed of a PRA initiated by a third party, that agency will notify the others.

Criminal Law Enforcement by the Commissioner of Competition

The Commissioner of Competition has authority under CASL to pursue enforcement activities under CASL’s criminal provisions.  Under the MOU, the Commissioner is to notify the other agencies where a decision has been made on that front.  That will in turn halt any cooperation and information sharing among the agencies on that enforcement activity.

Competing interests and Confidentiality

The MOU is not intended to override an agency’s obligations under existing laws, including the Access to Information Act.  This extends to sharing information.  Agencies will make “best efforts to share what information they can, consistent with their interests and legal obligations”.  The agencies commit to maintaining confidentiality of information received from another agency “to the fullest extent allowed by law”, and will use that information only for enforcement activities under the MOU – unless the agency that provided the information agrees to the use of the information for other purposes.


The MOU is another indication, in a long line of communications, guidelines, and statements, that the implementation process for CASL will be very new territory, not only for stakeholders, but for the enforcement agencies themselves.

Feds arrest “most hated man on the Internet” in revenge porn hacking case

As the founder of one of the first highly profitable sites to post nude photos of people against their will, 27-year-old Hunter Moore had already been branded the most hated man on the Internet. On Thursday, he was arrested on federal charges claiming that he paid a man to break into the e-mail accounts of hundreds of victims and steal sexually explicit images that later showed up on Moore's notorious site.

According to an indictment filed in federal court in Los Angeles, Moore paid $200 or more per week for images that he knew were obtained by illegally accessing the e-mail accounts. To cover his tracks, he used PayPal accounts that weren't linked to his identity and at one point created new e-mail addresses and deleted data tied to past hack attacks. Moore's arrangement with Charles "Gary" Evens, who is now 25, began at an unknown date and lasted until about May 2, 2012, prosecutors alleged in the 15-count charging document.

According to the indictment:

Read 6 remaining paragraphs | Comments


AT&T Enterprise’s Security Blog Running on Outdated and Insecure Version of WordPress

What we see over and over when it comes to web security is that security providers don’t take basic security measures with their own websites, which doesn’t give much confidence that they will make sure their customer’s security is handled properly and goes a long way to showing why web security is so bad. We can now add AT&T’s Enterprise division to that group. They provide a variety of security services including security consulting, which they could probably use for their own website as their Security Blog is running an outdated version of WordPress:

AT&T Enterprise Security Blog is Running WordPress 3.5.2Keeping software running a website is a basic security measures as it insures that a known vulnerability in the software can be exploited. In AT&T’s case they have failed to update the software in nearly six months and more importantly they failed to update after WordPress 3.6.1 was released in September. WordPress 3.6.1 fixed three security issues including one that could “lead to remote code execution” and users were strongly encouraged to “update your sites immediately”. Considering how easy it is to update WordPress AT&T doesn’t have an excuse for not doing it.