rsiles writes "When security professionals are dealing with huge amounts of information (and who isn't nowadays?), correlation and filtering is not the easiest path (and sometimes enough) to discern what is going on. The in-depth analysis of security data and logs is a time-consuming exercise, and security visualization (SecViz) extensively helps to focus on the relevant data and reduces the amount of work required to reach to the same conclusions. It is mandatory to add the tools and techniques associated to SecViz to your arsenal, as they are basically taking advantage of the capabilities we have as humans to visualize (and at the same time analyze) data. A clear example is the insider threat and related incidents, where tons of data sources are available. The best sentence (unfortunately it is not an image ;) that describes SecViz comes from the author: 'A picture is worth a thousand log entries.'" Read on for the rest of rsiles's review.

AcidAUS writes "Last week's bust of the largest spam operation in the world has had no measurable impact on global spam volumes. The spam gang, known by authorities and security experts as HerbalKing, was responsible for one-third of all spam, the non-profit antispam research group Spamhaus said." The article speculates that the operators of HerbalKing simply passed on to associates the keys to the automated, 35,000-strong botnet, and the spam flow didn't miss a beat.

smooth wombat writes "An international spam ring with ties to Australia, New Zealand, China, India, and the US is in the process of being shut down. Finances of members in the US are being frozen using the CAN-SPAM Act of 2003 while the FBI is pursuing criminal charges. The group sent spam advertising male enhancement herbs and other items using a botnet estimated at 35,000 computers, and able to send 10 billion emails per day. The Federal Trade Commission monitored the group's finances and found that they had cleared $400,000 in Visa charges in one month alone."

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

rsiles writes "Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots. Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens." Read below for the rest of Raul's review.

An anonymous reader writes "It has been a number of years since the fantasy that hackers will be offered a job by those who they hacked was even a potential reality, but this might still be the case in New Zealand. An 18-year-old hacker responsible for writing a number of applications used by an online group called 'the A-Team' that allowed the creation of a million-plus machine botnet and a range of credit card fraud activities to take place, has walked free from court sans conviction despite pleading guilty. And to top it all off, the NZ police force were interested in talking to the hacker about working for them, and 'several computer programming companies' were also chasing him for his skills."

An anonymous reader writes "As all hardcore Simpsons fans know, Chunkylover53@aol.com was revealed to be Homer Simpsons' email address in one particular episode, registered by one of the shows writers, who would reply to fans as Homer himself. After a flood of messages, 'Homer' signed off — seemingly forever. Well in the last few days, security company Facetime Communications reports that anyone who had Homer on their AIM buddy list would have noticed his sudden reappearance. Unfortunately for all, he appears to have been hacked and pushing malware links which deposit those unlucky enough to run the file into a Turkish Botnet. The message claims the file is a 'web exclusive' episode of the TV show — an interesting way of targeting a specific group of fans who would assume Homers return would only coincide with something special like (say) a TV episode just for them. What I want to know is, is Homer smart enough to run an AV scan?"

talkinsecurity writes "Researchers at IronPort today published a study which claims to have found the 'smoking gun' that links the rapid growth of the Storm botnet to spammers that sell prescription drugs illegally over the Internet. The study shows that more than 80 percent of Storm-generated spam is advertising online pharmacy brands, and further investigation showed that spam templates, credit card processing, product fulfillment and customer support are all being provided by a 'Russian criminal organization' that operates in conjunction with Storm. This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy Websites, which receive a 40 percent commission on sales orders. IronPort went as far as to do pharmacological testing on the products, and found that two-thirds of the drugs contained the wrong dosage of the active ingredient, and the rest were placebos."

Noah Shachtman on Wired.com's Danger Room reports that Monday, the Air Force Research Laboratory at Wright-Patterson AFB introduced a two-year, $11 million effort to put together hardware and software tools for 'Dominant Cyber Offensive Engagement.' 'Of interest are any and all techniques to enable user and/or root level access,' a request for proposals notes, 'to both fixed (PC) or mobile computing platforms ... any and all operating systems, patch levels, applications and hardware.' This isn't just some computer science study, mind you; 'research efforts under this program are expected to result in complete functional capabilities.' The Air Force has already announced their desire to manage an offensive BotNet, comprised of unwitting participatory computers. How long before they slip a root kit on you?

sowjetarschbajazzo writes "Air Force Col. Charles W. Williamson III believes that the United States military should maintain its own botnet, both as a deterrent towards those who would attempt to DDoS government networks, and an offensive weapon to be used against the networks of unfriendly nations, criminal groups, or terrorist organizations. "Some people would fear the possibility of botnet attacks on innocent parties. If the botnet is used in a strictly offensive manner, civilian computers may be attacked, but only if the enemy compels us. The U.S. will perform the same target preparation as for traditional targets and respect the law of armed conflict as Defense Department policy requires by analyzing necessity, proportionality and distinction among military, dual-use or civilian targets. But neither the law of armed conflict nor common sense would allow belligerents to hide behind the skirts of its civilians. If the enemy is using civilian computers in his country so as to cause us harm, then we may attack them." What does Slashdot think of this proposal?"

Esther Schindler writes "CSO has an annotated, zoomable map of real botnet topologies showing the interconnections between the compromised computers and the command-and-control systems that direct them. The map is based on work by security researcher David Voreland; it has interactive controls so you can zoom in and explore botnets' inner workings. Hackers use botnets for spamming, DDoS attacks and identity theft. One recent example is the Storm botnet, which may have comprised 1 million or more zombie systems at its peak. As with any networking challenge, there are good (resilient) designs and some not-so-good ones. In some cases the topology may be indicative of a particular botnet's purpose, or of a herder on the run."

N_burnsy points out an article in Computerworld which "profiles several youthful hackers, some still serving prison time, some free, who have been caught indulging in some fairly serious cybercrime, and looks at their crimes and the lessons they have (or have not yet) learned. Starting with Farid 'Diab10' Essebar, currently a guest of the Moroccan prison system, who wrote and distributed the Mytob, Rbot, and Zotob botnet Trojans. There's Ivan Maksakov, Alexander Petrov, and Denis Stepanov, all guests of the Russian penal system, sentenced to eight years at hard labor for creating a botnet to engage in DDoS (distributed denial-of-service) attacks to blackmail online gambling sites based in the UK, threatening to take the sites down during major sporting events. Then there's Shawn Nematbakhsh who was a little too eager to prove a point about the electronic balloting system that the University of California employed to hold student council elections, by writing a script that cast 800 votes for a fictitious candidate named American Ninja." Not everyone on the list is exactly youthful, and the range of offenses shows how lumpy this area is both to the law and in public perception.

distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on ? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."

Stony Stevenson points out an iTnews Australia story about the decline of the biggest botnet of recent times, excerpting "The Storm botnet decreased to just five percent of its original size during April, but overall web-based malware levels increased by 23.3 percent, new monitoring data reveals. MessageLabs' Intelligence Report for April 2008 said that new malicious software removal tools aimed at removing Storm infections were responsible for the sudden reduction in Storm-infected computers." According to their estimate, Storm-compromised computers are now down to about 100,000 rather than numbers closer to two million.

Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied way from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article.

holy_calamity writes "New Scientist reports on a University of Washington project aiming to marshal swarms of 'good' computers to take on botnets. Their approach — called Phalanx — uses its distributed network to shield a server from DDoS attacks. Instead of that server being accessed directly, all information must pass through the swarm of 'mailbox' computers, which are swapped around randomly and only pass on information to the shielded server when it requests it. Initially the researchers propose using the servers in networks such as Akamai as mailboxes; ultimately they would like to piggyback the good-botnet functionality onto BitTorrent."

An anonymous reader writes "The USENIX LEET workshop held earlier this week in San Francisco offered neat insights into the Storm botnet, including two papers showing the difficulty of accurately measuring the botnet's size, and one on the way it conducts its spamming campaigns (down to the template language used). There was a bunch of other cool work too, so check out the papers."

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"

ancientribe writes "Storm is no longer the world's largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers."