The dirty dozen spam-relaying countries revealed

There’s a zombie invasion going on – and it could have infiltrated your business, your home office, or even the corner of your bedroom.

Of course, it’s not the kind of zombies beloved by the movie theatres but instead the problem of compromised computers being controlled by a remote hacker.

Many members of the public still haven’t understood that spammers don’t use their own PCs to send spam – instead they create botnets of commandeered computers around the globe (also known as “zombies”), which can be used to relay spam, send out malicious links and even launch distributed denial-of-service attacks.

If they did understand the problem, maybe they would put more effort into protecting their computers.


Sophos has today published a new report, revealing the top twelve spam-relaying countries around the world. We call the list the “dirty dozen”, and because virtually all spam is sent from compromised PCs, it’s a pretty good indication of where the botnets have got the tightest hold.

The top twelve spam relaying countries for January – March 2011

1. USA 13.7%
2. India 7.1%
3. Russia 6.6%
4. Brazil 6.4%
5. S Korea 3.8%
6. United Kingdom 3.2%
7= Italy 3.1%
7= France 3.1%
9. Spain 2.8%
10. Germany 2.6%
11. Romania 2.5%
12. Poland 2.3%
Other 42.8%

Although the USA and UK contribution to the global spam problem has decreased in percentage terms, it is essential for organizations not to become complacent. Financially-motivated criminals are controlling compromised zombie computers to not just launch spam campaigns, but also to steal identity and bank account information.

Computer users must be educated about the dangers of clicking on links or attachments in spam mails – and many computers may already be under the control of cybercriminals. Businesses and computer users must take a more proactive approach to spam filtering and IT security in order to avoid adding to this global problem.

In all, we counted spam being sent from an astonishing 229 countries around the world during the first quarter of 2011. So everyone, no matter where they live, should be taking more care of their personal computer’s protection.

For as long as spam continues to make money for the spammers, it will continue to be a global problem. Too many computer users are risking a malware infection that sees their computer recruited into a spam botnet. To combat the spammers, it’s not only essential for computer users to run up-to-date security software, they must also resist the urge to purchase products advertised by spam.

So, don’t add to the statistics, do your bit in the fight against spam and don’t allow your computer to become a zombie.

Keeping your security patches up-to-date, keeping your anti-virus defences in place and applying a good helping of common sense can help prevent your computer from being recruited by the bad guys.

Dotted Decimal URL Obfuscation

Spamming with dotted decimal URLs (a dotted decimal URL uses the four-byte IP address notation, a sequence of four decimal numbers separated by dots, in place of a host name) is one of the most often seen URL-obfuscation techniques employed by spammers. Unfortunately, to the computer an IP address is just a 32-bit binary number, and dotted decimal is only one of many numeral systems in which that number can be expressed. Spammers have exploited this flexibility in interpretation to obfuscate their URLs further: they have started converting their dotted decimal URLs into other numeral systems.

Below are some of the IP address numeral-system obfuscation techniques Symantec has observed spammers using. (All of the samples below are just different numeral representations of the IP address for Symantec.com.)

  • An IP address converted to hexadecimal format. (Hexadecimal is a base-16 numeral system.)
  • An IP address converted to dotted hexadecimal format.
  • An IP address converted to dotted octal format. (Octal is a base-8 numeral system.)
  • A combination of hexadecimal and octal.

Previously, spammers only took advantage of hexadecimal obfuscation in their attacks.

However, over the past few days the number of “hexadecimal and octal” combination-obfuscation attacks has increased drastically.

Fortunately or unfortunately for the average email user, most Web browsers and email applications will translate these numeral encodings into the intended address; furthermore, dotted decimal URLs are often associated with virus attacks. For this reason, end users should, as usual, not click on links to Web sites they are not familiar with.
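As an added example (not code from the Symantec post), here is a Python normaliser that interprets a numeric host the way inet_aton-style parsers and browsers do, so that every encoding listed above (a single 32-bit decimal, hexadecimal, dotted hexadecimal, dotted octal, and mixtures of them) collapses to one dotted-decimal string that a spam filter can compare against a blocklist or flag as obfuscated. The address 192.0.2.10 used in the demo is a constructed documentation address, not Symantec's.

```python
"""Canonicalise obfuscated IPv4 literals found in spam URLs (added example)."""
import re

# One dot-separated component: 0x-prefixed hex, leading-zero octal, or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_part(part: str) -> int:
    """Interpret one component as inet_aton() does: 0x.. is hex,
    a leading 0 is octal, anything else is decimal."""
    if not _PART.match(part):
        raise ValueError(f"not a numeric component: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def ip_literal_to_dotted_decimal(host: str) -> str:
    """Return the canonical dotted-decimal form of a 1- to 4-part numeric host.
    With fewer than four parts the last part supplies all remaining bytes,
    which is why a bare 32-bit number is also a valid address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("an IPv4 literal has at most four components")
    values = [parse_part(p) for p in parts]
    if any(v > 0xFF for v in values[:-1]):
        raise ValueError("a leading component exceeds 255")
    last_width = 4 - (len(values) - 1)  # bytes covered by the last component
    if values[-1] >= 1 << (8 * last_width):
        raise ValueError("last component too large for the remaining bytes")
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_width)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_obfuscated_ip_literal(host: str) -> bool:
    """True when host parses as an IPv4 literal but is not already plain
    dotted decimal, i.e. an encoding a spam filter should treat as suspicious."""
    try:
        return ip_literal_to_dotted_decimal(host) != host
    except ValueError:
        return False  # a host name, or not a valid IPv4 literal at all


if __name__ == "__main__":
    # Constructed samples, all spelling 192.0.2.10 in the encodings described above.
    for sample in ("3221225994", "0xC000020A", "0xC0.0x0.0x2.0xA", "0300.0.02.012", "0xC0.0.02.10"):
        print(f"{sample:>18} -> {ip_literal_to_dotted_decimal(sample)} obfuscated={is_obfuscated_ip_literal(sample)}")
```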

Here are some best practices to help limit the impact of spam attacks.

  • Be selective about the Web sites where you register your email address.
  • When entering personal or financial details online, ensure the Web site has SSL encryption (look for https, a padlock, or a green address bar).
  • Avoid clicking on suspicious links in email or IM messages as these may be links to spoofed Web sites. We suggest typing Web addresses directly into the browser rather than relying upon links within your messages.
  • Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection, visit http://www.symantec.com.
  • Do not open unknown email attachments. These attachments could infect your computer.
  • Do not reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
  • Do not fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window. Do not click or cut and paste from a link in the message.
  • Do not buy products or services from spam messages.
  • Do not open spam messages.
  • Do not forward any virus warnings that you receive through email. These are often hoaxes.

Thanks to Dylan Morss for the contributed content.

Microsoft Patch Tuesday – May 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is a very light month: the vendor is releasing two bulletins covering a total of three vulnerabilities.

One of the issues is rated ‘Critical’ and it affects Windows Internet Name Service (WINS). A remote attacker may be able to exploit this issue to completely compromise a vulnerable computer. The remaining issues are rated ‘Important’ and affect PowerPoint. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the May releases can be found here.

The following is a breakdown of the issues being addressed this month:

1. MS11-035 Vulnerability in WINS Could Allow Remote Code Execution (2524426)

CVE-2011-1248 (BID 47730) Microsoft Windows Internet Name Service (WINS) Failed Response Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.5/10)

A remote code execution vulnerability affects Windows Internet Name Service (WINS) because it fails to sufficiently validate data structures in WINS network packets. An attacker can exploit this issue by sending a specially crafted packet to a vulnerable computer. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the affected service. This may facilitate a complete compromise of the affected computer.

Affects: Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for x64-based Systems SP1

2. MS11-036 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

CVE-2011-1269 (BID 47700) Microsoft PowerPoint (CVE-2011-1269) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects PowerPoint because it does not properly handle memory during certain function calls. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious PowerPoint file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft PowerPoint 2002 SP3, Microsoft PowerPoint 2003 SP3, Microsoft PowerPoint 2007 SP2, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2

CVE-2011-1270 (BID 47699) Microsoft PowerPoint (CVE-2011-1270) Remote Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects PowerPoint due to a memory-handling error. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious PowerPoint file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft PowerPoint 2002 SP3 and Microsoft PowerPoint 2003 SP3

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

TA11-130A: Microsoft Updates for Multiple Vulnerabilities

Original release date: May 10, 2011
Last revised: --
Source: US-CERT

Systems Affected

  • Microsoft Windows
  • Microsoft Office

Overview

There are multiple vulnerabilities in Microsoft Windows and Office. Microsoft has released updates to address these vulnerabilities.


I. Description

The Microsoft Security Bulletin Summary for May 2011 describes multiple vulnerabilities in Microsoft Windows and Office. Microsoft has released updates to address the vulnerabilities.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.


III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).


IV. References



Feedback can be directed to US-CERT.


Produced 2011 by US-CERT, a government organization.


Revision History

May 10, 2011: Initial release