
Bots and botnets


Farelf

Sheesh - seems half of my morning spam either has an infector attachment (according to VIRUSTOTAL) or a URL to an exploit site (according to LinkScanner Online). The spam with exploit links quite closely mimics its non-exploitive cousins in all regards: the link, the body and the (mismatched) "provocative" title. Seems there's quite a recruiting drive going on, using some of the lists I must be on. It's like a time warp. Can't begin to imagine how much of this stuff must be just "bouncing off the windshield", sight unseen.

For the curious, this brief video on the dissection of a bot (no gore, ichor or purulence, I promise) - Botnet Source Code for Overachievers (igotspam.com)

(Note McAfee SiteAdvisor has a red flag on igotspam.com for links to red sites. I don't see any other complaints and no problems were noticed with the specific link above. Just don't blindly trust any external links, on igotspam or anywhere else.)


I am the writer of IGotSpam.com. Can you tell me how I can file a complaint against McAfee? My blog is 100% legit and does not link to or promote scam/spam/phishing sites. I find McAfee, like Norton to be a bloated and system hogging piece of garbage. There are a variety of programs out there that work much better.

Edited by SueWalsh

I am the writer of IGotSpam.com. Can you tell me how I can file a complaint against McAfee? My blog is 100% legit and does not link to or promote scam/spam/phishing sites. I find McAfee, like Norton to be a bloated and system hogging piece of garbage. There are a variety of programs out there that work much better.
Hi Sue - I don't speak for McAfee but I do note their pages invite the owners of reviewed domains to visit and "do something"[2] if there is objection to the ratings (or reviews). If you've not given that a try you might be missing the simplest avenue of redress. They must have some satisfactory way to handle complaints (considering that spammers, business rivals, all sorts of people would otherwise make the contents quite unusable with their 'gaming' of the review process)[1].

From memory (it was just a day ago) the beef was not with your pages as such but with link(s) to specific other site(s) which had supposedly served up malware downloads. I include the plural - the rating was based on linking to one (red) domain which linked to another. I didn't see the first one on casual inspection but the second one was there instead. Following the "bouncing ball", I saw the beef about that one was about a particular (named) download. That's as far as I looked (due diligence satisfied).

Apart from confronting McAfee (I seem to recall they have a SiteAdvisor forum or blog too), I don't know what other extra-legal remedies there might be. The Better Business Bureau, I suppose.

[1] [on edit] I had a look at the SA forums and came across this topic which deals with disputed ratings - http://community.mcafee.com/showthread.php?t=219781 (I had to undergo a particularly obnoxious captcha to get there, can't promise others won't have to do the same to follow). Anyway, there may be something there which might help, though I wouldn't necessarily characterize it as 'satisfactory', looking just at the opening posts. I notice one of our members here is a voluntary moderator in that venue. If he happens by here he may like to add some commentary.

[2] In addition, there is provision to add to the reviews in a special "igotspam.com Web site owner comments" section on the page - http://www.siteadvisor.com/sites/igotspam.com (though that may be the bit domain owners in the above forum were saying never worked - looks like there's some sort of verification process involved).

Bottom line, why should you have to clear your name when it should never have been impugned to start with? Well you shouldn't (from what I can see of the 'causes' of flagging - you will be able to see more, I think), I only mentioned the rating to reassure any SA users who might otherwise be put off from following the link I posted. I stand by the caution against blindly trusting (further) exterior links, no-one can blanket guarantee those, not even their owners on occasion.


My blog is 100% legit and does not link to or promote scam/spam/phishing sites.
Hi, I visited the link and straight away noticed the two following "announcements":

"Guaranteed WINNER
THIS IS NOT A JOKE
You are the 5,222,015,430th visitor to see this lucky banner.
Click here to claim"

"THIS IS NOT A JOKE - CONGRATULATIONS YOU WON!
[yellow exclamation mark icon]
You are the 5,222,015,388th visitor to see this lucky banner.
Click here to claim"

These are certainly misleading and may well be fraudulent. If I receive unsolicited mail with such content I report it as spam and cooperate with Knujon in their efforts to get the site linked to, taken down. In my opinion any site carrying such "announcements" fully deserves a red flag for that reason alone.

The first time I looked, there was also one of those "ads" which feature what looks like a Windows dialogue box jumping about and attracting your attention, complete with the "usual" cross at the top right which the gullible will think is to close the box. Of course it isn't; the whole thing is a fake and anyone clicking on the cross or anywhere else on the object will be led I dread to think where.

I realise a site dedicated to botnet analysis is likely to link to dubious other sites by its nature, and if this is the reason for the red flag it's not really fair, the result of the rather too simple McAfee Site Advisor process. However Sue I really think you should take your undoubtedly interesting material elsewhere. Personally I wouldn't even consider clicking on anything on that site, let alone viewing your video! (Perhaps YouTube would be better?)

Penny


... Seems there's quite a recruiting drive going on, using some of the lists I must be on. It's like a time warp. Can't begin to imagine how much of this stuff must be just "bouncing off the windshield", sight unseen. ...
Botnet master walks free Didn't take him long to get back in the saddle then. NZ$40,000 proceeds. Deja moo - or curiously familiar caca del toro! Talk of him being considered for employment by the Kiwi cops or internet security firms - Freed hacker could work for police. Right, that would be good too.

Talk of him being considered for employment by the Kiwi cops or internet security firms - Freed hacker could work for police. Right, that would be good too.

In the old (Mitnick) days of hacking, people used to automatically suggest this sort of thing, but not so much anymore.

Not that hiring ex-cons as technical consultants is automatically a bad idea -- in school, I worked for a 7-Eleven (convenience store), and these were notorious targets for stickup artists. The company hired an ex-robber to tell them how to make the stores more secure, and he gave them a lot of simple, practical advice (e.g., the perp tape next to the doors, the drop safe, etc.). Of course, this particular guy had already demonstrated his bona fides by getting a degree in criminology while he was in stir.

-- rick


In the old (Mitnick) days of hacking, people used to automatically suggest this sort of thing, but not so much anymore.

Not that hiring ex-cons as technical consultants is automatically a bad idea --

Indeed, but there needs to be some assurance or at least hope that the miscreant has mended hir ways.

In the case of young "what's his face" in NZ the located/admitted proceeds are suspiciously, unbelievably, low and the "I knew it was wrong but didn't think it was criminal" defence is utterly laughable (though apparently not to the 'professionally innocent' administrators of the law); it's the perfect little sociopath speaking. And the timing of a new flurry of celebratory(?) botnet recruiting (remembering the shaky isles are 14-17 hours 'ahead' of you guys) coincident(?) with him walking free.

Well, even botmasters have enemies (since their wares routinely eliminate pre-existing competitor infections) so he *could* have been set up by someone wanting it to seem he was recidivist. But, in the absence of any believable expression of contrition from this kinked Kiwi and, as your criminologist former associate would be well aware, the fact that the greater number of deliberate crimes are the work of prior offenders ... well, it all bodes ill for us denizens of the 'net.

Sun Tzu (The Art of War) supposedly advised keeping your enemies closer than your friends (I don't see that sentiment in the Project Gutenberg translation but it's a good myth and intriguing concept). But clearly that notion is of limited utility (putting it mildly) if the bugger is smarter/more adept than you are.

Never mind, we can take it. We have no option. "Worse things happen at sea," as folks would once say to each other in dubious consolation.
