
Terry Zink's Anti-malware Blog

Protecting your mail from the scum of the internet
This picture is so true

The one near the top is completely valid.

 

image

Lorenzo von Matterhorn

I don’t normally comment on things I see on TV… wait a minute, what am I talking about?  I do that all the time.  Anyhow, yesterday I was watching the show “How I Met Your Mother.”  One of the main characters, Barney Stinson, has a scheme that he uses in order to meet members of the opposite sex – he creates and impersonates a fictional character by the name of Lorenzo von Matterhorn.  Here’s how it works: Barney walks into a bar and targets a single, attractive lady.  The catch is that she has to have a fairly advanced phone.  He walks up to her, kind of half-shrugs and says “That’s right, it’s me.”

The woman looks up at him and asks “Should I know you?”

Barney, acting surprised, says “Oh, really?  You mean you don’t recognize me?  That’s a relief!  My name is Lorenzo von Matterhorn.”  There is a bit of byplay, and Barney has to run off for a moment in order to attend to some business.  The girl then takes the opportunity to look up, on the web, the name Lorenzo von Matterhorn (using the Bing search engine, no doubt).  After all, that’s what smart phones are there for, to verify information.

Yet Barney has planned ahead.  He has created several web sites in advance that reference the fictional Lorenzo von Matterhorn.  One is a reference to Lorenzo as a world famous billionaire who has circumnavigated the globe in a hot air balloon, others are web sites to fake news articles about how rich, powerful and famous he is.  In other words, he has engaged in a whole bunch of social engineering and used grey search engine optimization to make himself look like a superstar rich guy, all in an attempt to impress the girl.  When he returns, the girl is very impressed with him.  The plan has worked!

Of course, today, if you search for that name, you’ll get references to How I Met Your Mother.  But Barney has taken a page from the spammer playbook and is using the web to create a false impression of himself, similar to how spammers game Google’s most popular search phrases to get their spammy landing pages to the top of those search results (this is known as black-hat SEO).  Indeed, the techniques the two use are probably not all that different from each other.  One could certainly argue that Barney’s shenanigans are unethical; there is no question at all that black-hat SEO is.

But the point of my post is this – the Internet can be used for both good and evil, even if it is fictional.

 

image

If only she knew who she was talking to

This is another vignette that I am posting while I am out traveling.

The other day, I popped into Half Price Books to pick up a couple of novels by Michael Crichton.  I don’t know if there’s a Half Price Books in your area, but the one in mine is awesome.  I can get all sorts of used books in good condition for less than $5 a piece.  Seriously, that’s fantastic!  It’s completely worth it to me to spend a few dollars on a book I will only ever read once.

Anyhow, I picked up a bunch of books and went to the checkout counter.  As I was paying, the clerk asked me “Would you like to sign up for our mailing list?  We’ll be sending out an offer in a little while and <something, something, something, all of which I forget>.”  I was hesitant.  I don’t like giving out my information and signing up for stuff; I never even sign up for store credit cards even if it gets me 20% off that day.  But this one had an offer that seemed pretty good to me.  Obviously, it couldn’t be that good since I can’t remember what it was.

As I was debating it in my head, the clerk said “We won’t spam you, we’re not evil!”  I looked up at that and tried to conceal a smile.  Oh, if only she knew that I was a program manager for antispam, with over five years of experience, working on a service that protects millions of inboxes and blocks a couple of billion spam messages daily.  Stopping spam is my specialty.

“Oh, I believe you,” I said.  I smirked to myself, thinking “what would I do if I did get spammed?”  Heh, I can think of a couple of things.  And I bet you can, too.

Another story about social engineering

I’m still out traveling, so below is a personal vignette about social engineering.

A couple of weeks ago, I headed off to a murder mystery free-form game.  If you’ve never been to one, it’s a ton of fun.  The basic premise is that everyone plays a role in a wider story arc.  This year’s theme was the American Old West.  There are various and sundry folks like the crooked doctor with a gambling addiction (me), the competing developers of the railroads, the crooked judge, the sheriff, and so forth.  As you start the game, you find out that somebody has been murdered (gasp!).  Your character’s goal in the story is to complete certain assignments, and the over-arching goal is to figure out who the killer is.  It takes about two and a half hours, and you stay in character the entire time.  It’s fun.

But onto my story about social engineering.

Earlier in the day, I was talking to a friend of mine over the phone.  He played a character known as Slick O’Hare.  Part of my character was that I had done some research on Slick and discovered that he was a notorious thug from out west whose real name was Saul Jackson.  Now, part of his character was that he wanted to keep that information a secret from everyone.  So, while we were speaking on the phone, he mentioned that he was playing the character of Slick.  Without really thinking about it, I said “Oh, you’re a thug!”  I knew this from my character sheet but didn’t know that his said to keep it a secret.  I kind of blurted it out when I probably should have kept it to myself.

“What the?  How’d you find that out?  No one is supposed to know that!” he exclaimed.

In that instant, I realized that I may have made a mistake.  I decided that I had to recover quickly by thinking fast.  Now, this friend of mine knows that I am a magician and mentalist, and that I am good at deciphering body language.  I played off that fact.  “You just told me,” I said.  “It was a lucky guess.”

He “realized” that he had been had.  “Oh,” he groaned, “**** you and your lucky guesses!”  He knew just then that I had been fishing around for information and that I had, by chance, figured out an important part of the back story that he was supposed to conceal.  “That’s unfair!”  It is unfair, I suppose, that I use some of my abilities to my advantage.

Later on, while driving both him and another friend to the party, we talked about it again.  He bemoaned the fact that I tricked him into revealing information.  But on the way home, I explained what really went down.  “So, remember earlier when I tricked you into revealing that information about yourself being a thug from back west?”

“Yes?” he responded.

“It turns out,” I explained, “that I already knew that information.  What actually happened is that I tricked you into thinking that I tricked you into telling me.”

“Argh!” he exclaimed, realizing that he had been had a second time.  “I can’t believe you did that… again!”  The fact is that I recovered quickly from my earlier error and used my own reputation to misdirect away from it.  I think that’s pretty clever.  And I socially engineered him into believing that the error was his, not mine.

But, he still trusts me.

Some Microsoft humor

Did you ever wonder what it’s like to work at Microsoft?  Click on the link below to check out a humorous parody of what we all go through every day.

image

Click here to watch the video (offsite).

Some antispam humour

While I am out, I am posting some random stuff from around the web.  From AppleGeeks:

image

A positive (?) story about social engineering

I’m currently on vacation in South America* so I thought I’d pre-write a few stories about how spam/malware relates to real life.

We all know that a big trend in recent years with malware is social engineering.  Social engineering is an attempt to trick the end user into doing something by impersonating someone else or by playing on their emotions.  This is usually a bad thing… but not always.

When someone nefarious gains access to your credentials, they don’t necessarily have to use them right away.  They can sit on them for a while before making use of them.  That adds another dimension to social engineering, because something that you did several months ago (giving up your credentials) can come back to haunt you many weeks or months later.  And then, when it happens, you can’t recall when you might have surrendered them.

But what if social engineering was used for the powers of good?  Let me tell you a story.

Many of my readers will know that I am a magician, and this year my focus has shifted to mentalism.  This branch of magic focuses on predictions, reading thoughts, and creating experiences in the minds of the audience.  Well, this year, I was sitting on a couch preparing to depart from a local establishment.  As I was leaving, I overheard a lady talking to someone else.  She said something like “Give me a call” and then said her phone number.  My brain flipped into action.

I pulled out a pen and notepad and wrote it down (I had memorized it as soon as I heard it).  This might come in handy, I thought to myself.  I started thinking about how I could use it.

And that time came a few months later.  I decided to use it in a magic effect, to test out something new.  I walked up to her and said “Amanda” (not her real name), “I want you to think of a number.  Make it a meaningful number… your phone number.”  Keep in mind that I had never asked her for it, nor had she ever knowingly given it to me.  “Concentrate, now.  Visualize it, floating in front of you,” I said as I waved my hand in front of her as if it were a few inches in front of her eyes such that only she could see it.  I moved in closer, putting my hand on her shoulder while gesturing with my other hand.  “Still seeing it now, I want you to silently recite the numbers in your head.  Echo them one by one, clearly.”  She looked up and to the right, saying the numbers.

I played it up a bit more.  “10 digits,” I said.  She nodded.  I then said the numbers very slowly “1… 2… 3… 4, 5, 6… 7, 8, 9, 0.”  Her eyes went wide and she smiled in disbelief.  I had just performed a miracle.  I smiled in return, thanked her for helping out and proceeded on my way out the door.

Now for some analysis on social engineering:

  • The original leak of information is something that I overheard by accident.  Sometimes people give away information without realizing it.  They enter their username and password in clear text (on a discussion forum, say) and then re-use those credentials elsewhere.  If a hacker breaks into that forum and obtains them, the user has revealed their credentials to an eavesdropper by accident.

  • But it doesn’t stop there.  In fact, it’s just the beginning, because my trick illustrates real social engineering using body language techniques.  The first thing I said was to think of a number, but not just any number – a phone number.  Getting someone to think of something related to them makes it about them.  Once that happens, emotions start to kick in.  When emotions kick in, it becomes more difficult to think logically.

  • I put my hand on her shoulder.  That breaks a psychological barrier of personal space invasion and again triggers an emotional response.  It’s something I do a lot when I perform magic close-up.  The sensation of touch makes it even more personal.

  • At the same time, I waved my hand in front of her, at eye level, and my eyes followed it.  Her eyes did the same.  This wasn’t necessarily designed to do anything; I mention it, however, to illustrate that I was using a psychological technique to control (or more accurately, influence) her gaze.

  • Finally, when I got closer to the end, I leaned forward and moved in closer.  Moving in towards a person is a technique I picked up from Neuro-Linguistic Programming and from general study of body language.  When we lean in to someone, it means we are interested in them, or in what they are saying.  Whether or not she actually was interested in me (or more accurately, in what I was saying and doing), I was using a psychological technique to suggest interest.  It’s not particularly overt, but at the same time it is not subtle.

So you see, I was using a lot of social engineering technique to generate an emotional response because when the number was revealed, I got a positive response.  All I basically did was say “Think of a number”, but I spiced it up.  And when you spice things up and get the person to start thinking more with their emotions, you can get away with a lot more.

But in this case, it made me look pretty suave and sophisticated, if I do say so myself.

image

Traveling for the next little while

I am going to be traveling in Peru for the next little while, but fear not!  I shall still be blogging!

I have written a few posts in advance to entertain you all; they will become publicly visible over the next few days.  Enjoy.

Virus attachments vs email classified as malware

This probably belongs in the “Well, no kidding” category but I thought I would post it anyhow. 

Since near the beginning of this year, I have been tracking how much email our filters classify as malware.  I then took those values, broke them down into a weekly chart and compared it to how many mails we received on a weekly basis that contained virus attachments.  Is there any relationship between the two?  If there is a new malware campaign, is that associated with an increase in spams with links to malware?

It’s hard to measure this because we block so much mail at the network edge (90%).  So, all of the data that I have is for post-edge blocked mail.  Below is a chart of the amount of mail we classify as malware vs how much mail has a virus attachment, on a weekly basis:

image

The result looks meaningful: 31% of the variance in the number of messages with virus attachments is associated with the variance in the number of messages we classify as malware.  In other words, there is a moderate positive correlation between malware spam and viruses (r = 0.55, so r² ≈ 0.31) since March of this year.

The problem is that I had to massage the data.  There were 4 weeks of outliers that skewed the data set.  If you include those, the relationship between the two is weak, and it is negative (r = –0.12):

image

So on the one hand, I feel that removing the outliers produces an outcome that makes sense and fits the expectation.  On the other hand, I feel bad about having to selectively trim the data in order to get the result I was expecting.  A correlation that changes sign depending on whether four weeks are included is fragile, so this result should be treated as suggestive at best.

Where’s rustock?

Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of spam e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat.  It is the largest spamming botnet that sends mail to our servers.

I decided to take a look at where its spamming IPs were located, geographically, for the date of November 12, 2009.  Below is the chart:

image

In a surprising twist and departure from the norm, the United States is very under-represented in the above chart.  South America is strongly over-represented.  The top countries are below:

Rank  Country         Distinct IPs
   1  Brazil                  3274
   2  India                   2687
   3  Colombia                1211
   4  Poland                   899
   5  United States            836
   6  Argentina                760
   7  Czech Republic           745
   8  Romania                  731
   9  Thailand                 630
  10  Israel                   464
  11  Spain                    447
  12  Italy                    440
  13  South Korea              419
  14  South Africa             379
  15  Great Britain            372
  16  Germany                  372
  17  Turkey                   368
  18  Peru                     363
  19  Vietnam                  361
  20  Ukraine                  332

Three of the top six countries are in South America.  Only one is in Asia, and one is in Europe.  This differs significantly from the total spamming IP distribution where the United States has 18% of the total IPs:

image

For this one day, South America’s share has doubled compared to its share of all spamming IPs, the United States’ share is around one third of its usual share, and Asia and Europe are about the same.  For some reason, the United States has proportionally far fewer Rustock-infected hosts sending spam than other countries, while South America has proportionally more.  I’ll take some guesses in my next post as to why this is.
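The comparison above (one botnet’s per-country distinct-IP counts against the distribution for all spam) is worth scripting so it can be re-run for any botnet on any day.  The following is an added example and not the tooling behind the charts in this post: it parses a constructed sender log whose fields (date, IP, country, botnet label) are assumed, counts distinct IPs per country for one botnet and for all spam, folds them into regions using a constructed and deliberately partial country-to-region table, and reports each region’s share together with its over/under-representation ratio.

```python
"""Per-region representation of one botnet's sending IPs against the all-spam baseline.

Added example, not the blog author's tooling.  The log lines and the
country-to-region table are constructed for illustration; a real feed would
carry a GeoIP-derived country per connecting IP and a botnet label assigned
by the filter that classified the message.
"""
from collections import defaultdict

# Constructed log: date, sender IP, ISO country code, botnet label.
# 10.0.0.1 appears twice on purpose: distinct IPs are counted, not messages.
SAMPLE_LOG = """\
2009-11-12 10.0.0.1 BR rustock
2009-11-12 10.0.0.1 BR rustock
2009-11-12 10.0.0.2 BR rustock
2009-11-12 10.0.0.3 AR rustock
2009-11-12 10.0.0.4 US rustock
2009-11-12 10.0.0.5 US cutwail
2009-11-12 10.0.0.6 US cutwail
2009-11-12 10.0.0.7 US bagle
2009-11-12 10.0.0.8 IN rustock
2009-11-12 10.0.0.9 PL cutwail
2009-11-12 10.0.0.10 DE bagle
2009-11-12 10.0.0.11 CO rustock
"""

# Constructed, partial country-to-region table (anything missing lands in "Other").
REGION = {"BR": "South America", "AR": "South America", "CO": "South America",
          "PE": "South America", "US": "North America", "IN": "Asia",
          "PL": "Europe", "DE": "Europe"}


def parse_log(text):
    """Yield (ip, country, botnet) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _date, ip, cc, botnet = parts
        yield ip, cc.upper(), botnet.lower()


def distinct_ips_by_country(records, botnet=None):
    """Count distinct sender IPs per country; botnet=None counts every record."""
    seen = defaultdict(set)
    for ip, cc, label in records:
        if botnet is None or label == botnet:
            seen[cc].add(ip)
    return {cc: len(ips) for cc, ips in seen.items()}


def region_shares(country_counts):
    """Fold per-country counts into each region's share of the total."""
    total = sum(country_counts.values())
    by_region = defaultdict(int)
    for cc, n in country_counts.items():
        by_region[REGION.get(cc, "Other")] += n
    return {region: n / total for region, n in by_region.items()}


def representation(log_text, botnet):
    """Per region: (share among the botnet's IPs, share among all spam IPs, ratio).

    A ratio above 1 means the region is over-represented in this botnet
    relative to spam as a whole; below 1 means under-represented."""
    records = list(parse_log(log_text))
    bot = region_shares(distinct_ips_by_country(records, botnet))
    base = region_shares(distinct_ips_by_country(records))
    return {region: (bot.get(region, 0.0), base[region],
                     bot.get(region, 0.0) / base[region])
            for region in base}


if __name__ == "__main__":
    for region, (b, a, ratio) in sorted(representation(SAMPLE_LOG, "rustock").items()):
        print(f"{region:14s} rustock {b:6.1%}  all spam {a:6.1%}  ratio {ratio:.2f}")
```

On the constructed log South America comes out with a ratio of 1.83 and North America with 0.46, the same shape as the chart above.  Counting distinct IPs rather than messages matters: one chatty bot should not move a country’s share, which is why the duplicated 10.0.0.1 line is counted once.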

FireEye knocks Mega-d offline

From the Register:

A botnet that was once responsible for an estimated third of the world's spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

I decided to check this using our own statistics.  While I don’t know if Mega-D was at one time responsible for 1/3 of all spam (my stats only go back to late July 2009), it certainly isn’t one of the big ones today.  Those slots are reserved for Rustock, Bagle-cb, Cutwail, and sometimes DarkMailer.  However, Mega-d certainly does register (no pun intended) on our radar.  Below are the stats:

image

You can see that Mega-d does have a sawtooth-like sending pattern, but we definitely saw a big drop in spam from that botnet, and it appears to be making a bit of a recovery today (11/13/2009).  Also note that the numbers on the y-axis are not necessarily representative of the full set of spam we see from Mega-d, but the general trend is representative.

The good news in all of this is that yes, a relatively small company can disrupt a major spam operation.  The bad news is that these takedowns tend to be short lived.  Earlier this year, when a Latvian ISP was disconnected due to its abusive practices, it made only a small dent in global spam volumes, and that dent vanished a few days later.  Spam operations are becoming more resilient to disruption.

Are pirated versions of software more susceptible to malware? Updated!

One of the pieces of conventional wisdom that goes through my head is that if you install pirated versions of software, then your computer is more likely to be infected with malware.  It makes sense: in order to take control of a machine, spammers and malware authors offer users cheap software.  Yet this cheap software comes with a heavy price tag – you relinquish control of the machine to the whims and fancy of the spammer or malware writer, who can then use it to send spam, host phishing pages, serve as a fast-flux node, act as a command-and-control server, and so forth.  Furthermore, individuals with pirated software are much less likely to download security updates, so they remain exposed for longer and are therefore more prone to infection.

That’s the theory.  But is it true?

To test this, I compared the data in the Microsoft Security Intelligence Report and the Business Software Alliance Piracy Study.  I used Microsoft’s metric of CCM, Computers Cleaned per thousand executions of the Malicious Software Removal Tool.  I extracted the countries in common between the two reports and ran two correlation studies, one comparing the 1H 2009 CCM to the 2008 piracy rate, and another comparing the 2H 2008 CCM to the 2008 piracy rate.

Below are the top 10 countries for CCM in 1H 2009 and the change from 2H 2008 (green is good and represents a decrease, red is bad and represents an increase):

image

I have removed Serbia and Montenegro as it represented an outlier.  Note that 4 of the top 6 countries (Turkey, Spain, Saudi Arabia and Taiwan) have all had substantial increases in malware infection (and removal) compared to the previous six months.  Below is a table of the rates of piracy for the top ten countries:

image

For interest’s sake, here are the best countries with the lowest rates of piracy:

image

You can see that the US has the lowest rate of piracy which surprises me a little bit given that so much spam comes out of the US.  Next, to determine if there is any relationship between the two of them, I calculated the statistical correlation between the two and plotted a scatter plot.  I did this comparing the 1H 2009 CCM to the rate of 2008 software piracy, and then the 2H 2008 CCM to the rate of 2008 software piracy.  Below are the results:

image

image

In 1H 2009, 0.8% of the variance in the rate of piracy is associated with the CCM, and in 2H 2008, 1.1% of the variance in the rate of piracy is associated with the CCM (r ≈ 0.09 and r ≈ 0.10 respectively).  In other words, there is no statistically significant relationship between the national rate of software piracy and the national rate of malware detection.*

* Update!

But is this really the best way to compare whether or not pirated software is more susceptible to malware?  All I did was take the malware clean rate (CCM) and the country’s software piracy rate and compare them.  But this study does not account for the following:

  1. This calculation mixes pirated software in with legitimate software, lumps the two together, and then compares the combined figure to the CCM.  It cannot differentiate between the two.  It could be that pirated software carries many more malware infections than legitimate software, and that by mixing the two sets of data together the statistical relationship is hidden.  In other words, the two populations could be cancelling each other out.

    What would have to be checked is the CCM for machines running legitimate software versus the CCM for machines running pirated software, both within a country and then across countries.  That would be a much more accurate comparison.

  2. This study of mine does not account for the effect that update frequency has on rates of malware infection.  Does pirated software update less frequently?  Or run fewer instances of the Malicious Software Removal Tool?  If so, then it should have a higher rate of malware infection.  The SIR does have some data points on update frequency.  This should be accounted for in the malware/piracy study, and it is something that I did not include.

Therefore, I am retracting my earlier statement that there is no statistically significant relationship between the rate of software piracy and the rate of malware infection/detection.  My earlier methodology is incomplete, and right now I do not have a complete enough data set to measure this with statistical certainty.  The apparent lack of correlation may itself be an artifact of the methodology.

The experiment I used above, while a good start, does not go far enough and account for enough of the variables that could have an impact on the conclusions.
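Both correlation studies on this page (the weekly malware-vs-virus-attachment counts earlier, and the piracy-vs-CCM comparison here) turn on two questions a practitioner should ask before trusting an r value: how much the number moves when a few points are dropped, and whether a pooled figure hides different relationships inside sub-populations.  The script below is an added example, not the analysis code behind either post.  The weekly counts and the two piracy/CCM groups are constructed so that both effects are easy to see, and the median/MAD outlier rule on the week’s virus-to-malware ratio is one reasonable choice, not the rule the post used.

```python
"""Correlation sanity checks: outlier sensitivity and pooled-vs-stratified r.

Added example, not the blog author's analysis code.  All series below are
constructed: (1) twelve weekly counts where two outlier weeks flip the sign
of the malware/virus correlation, and (2) two piracy/CCM sub-populations
whose pooled correlation is exactly zero although each stratum alone is
perfectly correlated.
"""
import math
from statistics import median


def pearson(xs, ys):
    """Pearson r between two equal-length sequences."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two sequences of equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def t_statistic(r, n):
    """t = r*sqrt((n-2)/(1-r^2)); compare against a t table at n-2 degrees of freedom."""
    if abs(r) >= 1:
        return math.inf
    return r * math.sqrt((n - 2) / (1 - r * r))


def flag_ratio_outliers(xs, ys, threshold=3.5):
    """Indices whose y/x ratio has a modified z-score (median/MAD rule) above threshold."""
    ratios = [y / x for x, y in zip(xs, ys)]
    med = median(ratios)
    mad = median(abs(r - med) for r in ratios)
    if mad == 0:  # degenerate: everything but the median value is an outlier
        return [i for i, r in enumerate(ratios) if r != med]
    return [i for i, r in enumerate(ratios) if 0.6745 * abs(r - med) / mad > threshold]


def correlation_report(xs, ys):
    """r, r^2 and t for the full data and again with ratio outliers removed."""
    flagged = set(flag_ratio_outliers(xs, ys))
    kept = [i for i in range(len(xs)) if i not in flagged]
    cx, cy = [xs[i] for i in kept], [ys[i] for i in kept]
    r_all, r_clean = pearson(xs, ys), pearson(cx, cy)
    return {"n_all": len(xs), "r_all": r_all, "r2_all": r_all ** 2,
            "t_all": t_statistic(r_all, len(xs)), "outliers": sorted(flagged),
            "n_clean": len(cx), "r_clean": r_clean, "r2_clean": r_clean ** 2,
            "t_clean": t_statistic(r_clean, len(cx))}


def pooled_vs_stratified(group_a, group_b):
    """Correlation of the pooled data next to each stratum's own correlation."""
    pooled_x = list(group_a[0]) + list(group_b[0])
    pooled_y = list(group_a[1]) + list(group_b[1])
    return {"pooled": pearson(pooled_x, pooled_y),
            "a": pearson(*group_a), "b": pearson(*group_b)}


# Constructed weekly counts: messages classified as malware (x) vs messages
# carrying a virus attachment (y).  The last two weeks are the outliers.
WEEKLY_MALWARE = [100, 120, 140, 160, 180, 200, 220, 240, 260, 280, 150, 250]
WEEKLY_VIRUS = [52, 58, 72, 79, 92, 98, 112, 118, 132, 138, 900, 5]

# Constructed piracy rate (x, percent) vs CCM (y) for two sub-populations.
PIRATED = ([10, 20, 30, 40], [31, 32, 33, 34])   # r = +1 within this group
LEGIT = ([60, 70, 80, 90], [34, 33, 32, 31])     # r = -1 within this group


if __name__ == "__main__":
    rep = correlation_report(WEEKLY_MALWARE, WEEKLY_VIRUS)
    print(f"all {rep['n_all']} weeks: r={rep['r_all']:+.2f} r2={rep['r2_all']:.2f} t={rep['t_all']:+.2f}")
    print(f"minus weeks {rep['outliers']}: r={rep['r_clean']:+.2f} r2={rep['r2_clean']:.2f} t={rep['t_clean']:+.2f}")
    print("pooled vs stratified:", pooled_vs_stratified(PIRATED, LEGIT))
```

With the constructed data the full twelve-week series gives a negative r, dropping the two flagged weeks gives r above 0.99, and the pooled piracy/CCM data gives r = 0 even though each stratum alone is perfectly correlated, which is exactly the cancellation point 1 above worries about.  The t statistic only means something against a t table at n - 2 degrees of freedom; with n around 10, a fairly large r is needed before anything is significant.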

Countries with the most infected computers

All Spammed Up has a new post up referencing an article that security researchers have issued a report indicating that Spain is the country with the most infected computers, at 44.5%.  The United States is second at 14.4%.  The countries with the least infections are Sweden, The Netherlands and Peru.

The Microsoft Security Intelligence Report, v7, doesn’t measure infection rates quite the same way.  Instead, it has a metric called Computers Cleaned per Mille, or CCM (M for the Latin word for thousand, mille).  This is the number of computers cleaned per thousand executions of the Malicious Software Removal Tool (MSRT).  Below is a heat map of the countries with the most infections (the full-size map is on page 41 of the report):

image


Going from the above, we can see that Spain is definitely one of the hotter countries.  But, it is not the hottest.  Below is a table of the countries with the worst rates of infection:

image 

Spain is clearly one of the worst, but it is actually only number 4, behind Serbia and Montenegro, Turkey and Brazil.  There is no set pattern, but in general, countries in the developed world (at the very least, the G7) are not found among the worst countries for malware infection.  The very interesting thing is that the types of infections differ from country to country.  Microsoft classifies the types of malware it removes, and below is a table of what that looks like across various countries:

image


From the table above, Brazil and Spain are among the worst offenders for malware-infected computers, coming in at 3 and 4 respectively.  Yet the type of malware hitting them is different.  Brazil is plagued by password stealers that target Brazilian banks (led by Win32/Bancos), followed by worms and viruses.  By contrast, Spain is hit hardest by worms, then miscellaneous trojans, and then password stealers at a substantially lower rate than Brazil.

The United States was number 2 in the report that All Spammed Up referenced, but the most common malware affecting systems in the US are miscellaneous trojans, followed by trojan downloaders and droppers and then Adware (the pattern is similar in the United Kingdom).  So, different regions of the world are more prone to certain types of attacks than others. 

If we can make a generalization, it is that the countries with the highest malware infection rates as measured by the MSRT CCM metric are more prone to worms.  The United States is actually about average with regards to infection (8.6 CCM vs an 8.7 global average).  With regards to the countries at the low end, I am currently not seeing any discernible pattern and would have to do a deeper statistical investigation.

Changing the title of this blog

For the very first time since I created this blog back in July of 2006, I am changing its title.  It is no longer “Terry Zink’s Anti-spam Blog”; it is now “Terry Zink’s Anti-malware Blog”.

I have not moved out of spam.  Instead, I have decided to broaden the focus of this blog to include malware as well as spam.  The two are tightly intertwined, and I believe that I need to touch a wider array of the security space to remain relevant.  The only real change you will see is that I will be writing about malware more than I have in the past, and about other security topics in general.  My sphere of interest has expanded from spam to the general security space.

Happy reading.

The Story of Conficker, part 3

Setbacks and Triumphs

The domain registration task became exponentially more challenging on March 4, 2009, with the discovery of Worm:Win32/Conficker.D. Investigators reverse-engineered the new variant and determined that it was programmed to generate 50,000 new domain names a day across 110 TLDs, beginning on April 1, 2009. Though this seemed at first like an impossible hurdle to overcome, CWG members immediately began working to counter the effects of the upcoming change. As security researchers continued to analyze the Conficker.D malware, ICANN staffers began contacting the registries responsible for each of the affected TLDs seeking cooperation in registering or blocking the domains, and the CWG compiled “go packs” of information for Internet service providers and enterprises about the steps they should take to help keep their customers and employees safe.

April 1, 2009, came and went, with the world outside the security community noticing little or no change. By that time, however, ICANN had secured the cooperation of all 110 TLDs used by Conficker, and the global DNS community was active and prepared to deal with the Conficker threat. Rapid, effective collaboration across borders and organizational lines had proven instrumental in containing what has been, and remains, a significant threat to the world’s computers and information.

The CWG Today

The CWG remains in place today, with more than 300 member organizations representing law enforcement, academia, and industry, and remains vigilant against new developments. In cooperation with ICANN and the DNS community, the CWG continues to block or register the 50,000 domain names generated each day by the Conficker algorithms. Each month the group supplies the 110 affected TLD operators with an updated list of generated domain names covering the next several months, so they can begin implementing countermeasures well in advance. Automated mechanisms verify that each domain name has been blocked before it is scheduled to be used and alert the CWG for any that have not, so activity for those domains can be closely monitored. Once in a while, a domain name generated by the algorithm happens to correspond to an existing domain owned by a legitimate party; in such cases, the CWG contacts the legitimate domain owner in advance and offers assistance managing the expected spike in traffic coming from infected computers.

In March, the group underwent a reorganization process to add structure and to segment its work by subject area to work more effectively. The group maintains a Web site at http://www.confickerworkinggroup.org with links to information in multiple languages about Conficker and resources that service providers and end users can use to determine if they are infected, and if so, what to do about it. The fight against Conficker is not over. The five identified variants continue to spread to new computers due to a lack of information or action on the part of some system administrators and end users. Even after Conficker recedes into insignificance, there will likely be other threats of similar magnitude to deal with in the future. As such threats appear, though, collaborative efforts, such as the CWG, can provide the global security community with unequaled tools for mitigation and resolution.
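The pre-registration process described above (generate the algorithm’s domains months ahead, hand the list to the TLD operators, and automatically verify that every name is blocked before its day arrives, treating collisions with legitimately owned domains separately) can be sketched in code.  What follows is an added example and not the CWG’s tooling.  The generator is a hypothetical date-seeded DGA written for illustration and is not Conficker’s algorithm; the TLD list, blocklist and legitimate-domain list are constructed.  The same kind of check applies to the domain-generation fallback the Register piece earlier on this page attributes to Mega-D/Ozdok.

```python
"""Pre-computing a DGA's upcoming domains and auditing that each is already blocked.

Added example, not the Conficker Working Group's tooling.  dga_for_day() is a
hypothetical, date-seeded generator written for illustration; it is NOT
Conficker's algorithm.  The blocklist and legitimate-domain set in build_demo()
are constructed inputs.
"""
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info", "biz"]   # hypothetical; Conficker.D spanned 110 TLDs


def dga_for_day(day, count, seed=b"example-seed", tlds=TLDS):
    """Deterministically derive `count` domains for one calendar day (hypothetical DGA)."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[8] % 5                                # 8 to 12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{tlds[digest[9] % len(tlds)]}")
    return domains


def upcoming_domains(start, days, per_day):
    """Map each day in [start, start + days) to the domains the DGA will try that day."""
    return {start + timedelta(n): dga_for_day(start + timedelta(n), per_day)
            for n in range(days)}


def audit(schedule, blocked, legitimate):
    """Return names not yet blocked (alert) and names colliding with real, owned domains."""
    unblocked, collisions = [], []
    for day, domains in sorted(schedule.items()):
        for d in domains:
            if d in legitimate:
                collisions.append((day, d))   # cannot be blocked; warn the owner of the traffic spike
            elif d not in blocked:
                unblocked.append((day, d))    # still reachable when infected hosts roll over to it
    return {"unblocked": unblocked, "collisions": collisions}


def build_demo():
    """Constructed scenario: three days of four names; two were missed, one is legitimately owned."""
    schedule = upcoming_domains(date(2009, 4, 1), 3, 4)
    flat = [d for ds in schedule.values() for d in ds]
    legitimate = {flat[5]}                                   # pretend a real company owns this one
    blocked = set(flat) - {flat[0], flat[7], flat[5]}        # registries missed two; the owned one can't be blocked
    return schedule, blocked, legitimate


if __name__ == "__main__":
    schedule, blocked, legitimate = build_demo()
    report = audit(schedule, blocked, legitimate)
    for day, d in report["unblocked"]:
        print(f"ALERT {day}: {d} is not blocked")
    for day, d in report["collisions"]:
        print(f"NOTE  {day}: {d} is a legitimate domain; expect a traffic spike")
```

The audit separates the two cases the text distinguishes: a generated name nobody blocked (an alert, since infected machines will reach it when the algorithm rolls over to that day) and a generated name that already belongs to a legitimate party, which cannot be blocked and whose owner is contacted instead.  Because the generator is deterministic in the date, the same list can be regenerated later to confirm what was sent to the registries.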

 

Conficker, Part 1
Conficker, Part 2
Conficker, Part 3
