Ezhenito noted some research pointing out the (maybe) surprising bit of research that 6 botnets are responsible for 85 percent of the world's spam. That seems a bit high to me, but the only aspect of spam I am an expert in is *getting* it.

alternative coup writes "eWEEK is running a story on the emergence of an anti-botnet market to fill a perceived need for software to deal with botnet-related malware (Trojans, keyloggers, rootkits, etc.). The article characterizes this as 'another black eye' for the existing anti-virus industry — asking consumers to pay twice for protection from things that anti-malware suites are missing. Venture capital money is flowing to these anti-bot products, an implicit statement that the AV giants are not doing their jobs. 'For companies such as Symantec, which sells the Sana-powered Norton AntiBot and anti-malware subscriptions, it's a nickel-and-dime situation. Symantec officials say Norton AntiBot is for a specialized, technical market segment looking for high-end tools to deal with botnets, but [Andrew Jaquith, an analyst with The Yankee Group] said it's a case of anti-malware companies double-dipping.'"

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

narramissic writes "In a recent ITworld article, Security researcher Brent Huston ponders how it is that versions of SQL worms dating back to 2002 represent nearly 70% of all malicious traffic on the Internet today. 'I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common botnet infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank "sa" passwords and other age-old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive."

coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"

Stony Stevenson writes "The new Mega-D Botnet has overtaken the notorious Storm worm botnet as the largest single source of the world's spam according to security vendor Marshal. This botnet currently accounts for 32 percent of all spam, 11 percent more than the Storm botnet which peaked at 21 percent in September 2007. It started about 4 months ago but has been steadily increasing since then. It is also using news headlines to trick victims into opening the spam, a technique synonymous with the Storm worm."

Brother, Can You Spare a Dime? writes "Ars is reporting that the Ron Paul spam has been traced back to the Reactor botnet. According to the SecureWorks report, which originally identified the spammer, someone calling themselves nenastnyj was behind it and their botnet control server has been shut down. The Ron Paul campaign has previously denied any connection with this spam campaign."

coondoggie passed us another Network World link, this one discussing the FBI's newest offensive against botnets. They're calling it Operation Bot Roast II. Apparently it's already been quite successful, leading to indictments, search warrants, and the uncovering of some '$20 million in economic loss. writes "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets," said FBI Director Robert S. Mueller. "Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users." I can't help but think, though: how many more of these things are out there that this 'sting' didn't touch?

AceCaseOR writes "In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users' PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million."

ancientribe writes "There's a new peer-to-peer based botnet emerging that could blow the notorious Storm away in size and sophistication, according to researchers, and it's a direct result of how Storm has changed the botnet game, with more powerful and wily botnets on the horizon. This article provides a peek at the 'new Storm' and reveals the three biggest botnets in the world (including Storm) — and what makes them tick and what they are after."

eldavojohn writes "How do you identify Botnet traffic on your network? Well, the problem with current commercial technologies is that they generate too many false positives. But a new startup name Nemean Networks hopes to solve all that by building signatures of traffic at many different levels of the network stack. 'Finding the proper sensitivity threshold for NIDS sensors has always been a problem for network and security administrators. Lower the threshold and some attacks get through the signature screening; raise it too high and false positives flourish. Nemean attempts to find the proper balance by gathering traffic sent to a honeynet to build signatures based on weighted data. The numerical weights are entirely subjective and based on the creators' expertise. The data is then clustered and fed through an algorithm to determine threat levels and develop signatures.'"

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. "Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network."

Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."

WhaddayaMeanIHaveToLevelUpTheOldWay writes "A massive denial of service attack has disabled some of the world's largest virtual goods trading sites. The Korea-based sites hit by the attack are responsible for most of the country's estimated $1bn annual trade in virtual gold, weapons and other items for games like World of Warcraft. Local press reports are blaming Chinese botnet controllers for the attacks and claim that this is an extortion attempt. The sites affected have been offline for four days and reportedly handle more than 90 percent of Korea's online item trading — a business now worth more than $3m a day, according to Korean government statistics."

An anonymous reader writes "A reading of the Justice Department's 2008 budget justification to Congress for the FBI indicates the agency is dedicating about 5.5 percent of its field agents to combating cyber crime, the FBI's stated Number Three priority, The Washington Post reports. Take away the agents dedicated to catching child predators online — a program that accounts for the vast majority of the department's prosecutorial victories — and about 3.6 percent of the FBI's agents are dedicated to cyber crime, the report notes. From the story: 'If the FBI's third most-important priority claims just over 3.5 percent of its active agents, how many agents and FBI resources are dedicated to the remaining Top Ten priorities?'"

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."

capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"

We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.