Article on DDoS Tarpitting

I just wrote up an article about using tarpits to fight off HTTP-based DDoS attacks. Since I myself have been a victim of DDoS, I thought I’d throw out an idea to help those who might find themselves at the mercy of some anonymous attacker.

The full article can be found at:


What’s Behind the BBB Phishing Emails?

We’ve identified two different Better Business Bureau phishing scams circulating over the past few months. One has an attachment which downloads a bunch of other stuff, including the Bandok trojan. The other one links to a website that tries to entice you to download and run an executable – this one is a BHO which sends all of your posts to any site to the phisher’s repository. Not just bank or Paypal or ebay logins – all interactive data sent to every site you visit. Couple this with the fact that the emails are being targeted only at senior management at companies and you have a potentially very damaging scheme.

And it works – we were able to locate one cache of stolen data. In it were over 1000 individuals, almost all of whom were senior management from companies all over, large and small, at VP level and above (yes, even a few CEOs), along with a record of every website they’ve visited, and every field from every form they’ve posted (regardless of SSL encryption).

Read the whole writeup here:


P2P-based Spam Trojan Installs Anti-Virus

Here’s something interesting I came across – the SpamThru trojan uses a peer-to-peer communication system to avoid the network being shut down. This was inevitable I suppose, but there was something else I didn’t expect – it downloads and installs an anti-virus engine (Kaspersky) in order to ensure other malware doesn’t steal precious resources from the spamming operation. (Of course, it skips any files that belong to itself). Although some malware has tried to remove its competitors before, I can’t recall seeing any using this technique. Of course, the malware authors know which AV has the best detection rates, which must be why they chose KAV. :)

My analysis can be found here:


Mocbot’s Spam Motive

Mocbot appears to be almost a non-event, as we predicted. I’m tracking only around 25 infected systems right now in the /8 netblock where I run my honeypot. Still, it takes time for these things to get inside the corporate firewall sometimes, so we may yet see a couple of large organizations hit hard. In the meantime, ever wonder why someone would go through the trouble and risk of releasing malware like this? The answer is simple… money. And it all traces back to spam.

Mocbot reports back to a command-and-control channel to receive further instructions. One of these instructions we’ve witnessed is a command to download a spam proxy trojan known as Ranky. This turns the victim into a spam relay for every kind of spam you can imagine. I’ve detailed how the operation works, and what the spam looks like in a followup to the previous analysis.

The point here is that you never know what other malware may find its way onto a system once something like Mocbot has gotten a foothold. As the guys and gals at SANS like to say, “better to nuke the system from high orbit.”


MS06-040 in Mocbot

So far I’ve picked up two different variants hitting my honeypot. It appears that the Mocbot author simply stripped out the old MS05-039 exploit it was using to spread, and substituted MS06-040.

So the question is, will it be even as impacting as Zotob, released almost exactly one year ago? I don’t think it will. The exploit won’t work on XP SP2. It’s been two years since SP2 was released. If someone is still running an earlier XP/2000 version, they’re probably infested with all kinds of bots and trojans already.

If we look to DShield and see how many existing sources are scanning the net for port 445, we see it has decreased by over half since one year ago, to about 40,000. Compare that to the 8 million hosts estimated to have been infected by Blaster. The era of the massively-impacting Microsoft Networking worm appears to be all but over. Sure, some people are still going to get hit – but it’s hard to have sympathy for them after all the previous lessons and warnings.


BlackWorm network detection

As I write this entry, 692,023 hits are showing on the BlackWorm counter. The spread seems to have tapered off slightly since yesterday, but a significant number of users are still clicking on the attachments.

You may be asking yourself, “What can I do, as a network admin, to ensure my less sophisticated users don’t fall prey to this worm and have important files overwritten on Feb 3?”

Well, first off, if you had your gateway and desktop anti-virus up to date since the 16th of January, you might not have a problem at all. Relatively speaking, it’s not that fast of a spreader, so you may have been able to dodge the bullet. Of course, there is always the chance that one got through. Hopefully you were already outright blocking attachment types of pif, scr, mim, uue, hqx, bhx, b64, and uu, in which case your AV isn’t your only defense.

If your network did get hit, you might notice a few things.

1) Certain users spewing email to the same email addresses over and over
2) Users reporting their AV/security software no longer has a valid license or fails in other ways
3) Users reporting their machines running out of virtual memory after only a few hours uptime
4) Users reporting their mouse/keyboard locking up until rebooted, but CTRL-ALT-DEL still works
5) HTTP requests from users to without a user-agent header
6) Files named WINZIP_TMP.exe popping up on open C shares

I’ve written a couple of Snort signatures to help you find some of the HTTP network traffic of BlackWorm, and you can find them at the SANS or LURHQ pages below.
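As an added illustration of indicator 5) above (this is example code, not the author's Snort signatures), the check below parses raw HTTP requests and flags any well-formed request that carries no User-Agent header. The traffic and the counter host name are constructed; the real host is not given in this entry, so a placeholder domain stands in for it.

```python
from typing import Dict, List, Optional, Tuple

def parse_request(raw: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw HTTP request into (method, target, headers); None if malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip junk or continuation lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return parts[0], parts[1], headers

def missing_user_agent(raw: str) -> bool:
    """True for a well-formed request that carries no User-Agent header at all."""
    parsed = parse_request(raw)
    return parsed is not None and "user-agent" not in parsed[2]

def flag_requests(samples: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, host, target) for every sampled request without a User-Agent."""
    hits: List[Tuple[str, str, str]] = []
    for src, raw in samples:
        if missing_user_agent(raw):
            _, target, headers = parse_request(raw)
            hits.append((src, headers.get("host", "?"), target))
    return hits

# Constructed sample traffic (not real captures). The counter host the worm
# contacts is not named in the entry, so a placeholder domain stands in for it.
SAMPLES = [
    ("10.0.0.5", "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    ("10.0.0.9", "GET /counter.php HTTP/1.1\r\nHost: stats.example.invalid\r\n\r\n"),
    ("10.0.0.12", "GET /x HTTP/1.1\r\nhost: stats.example.invalid\r\n"
                  "user-agent: Foo\r\n\r\n"),  # lowercase header still counts as present
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLES):
        print("request without User-Agent:", hit)
```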

Latest BlackWorm information:


BlackWorm stats

BlackWorm aka BlueWorm aka Nyxem aka Grew aka Kapser aka Blackmal aka Tearec aka MyWife is making some noise this week. It’s just another in a long line of relatively uninteresting VB worms – why are so many people clicking on it? How do we know how many people are actually clicking? BlackWorm logs each infection to a webstats counter. Last time I checked it was over 453,000 users infected. A variant from 2004 made it to 920,000 infections, so clearly plenty of people are still willing to click on whatever attachment they are sent.

The one thing that can stop these worms is user education. That’s certainly a point of contention with many people, who claim that users at a certain level simply can’t be educated. Probably because we’ve taken the wrong approach to user education. Providing information is not education. Education is sticking your bare hand on a hot stove. The problem with viruses is, there are plenty of users sticking their hands on a hot stove, but don’t realize it’s hot – so the education doesn’t occur.

We’ve all heard the anecdotal story about the BOFH network admin who periodically sends his users executable attachments, warns them not to click on it, and then some form of public humiliation/punishment ensues when the user clicks on it anyway. We need to be doing way more of that. For example, instead of blocking executable attachments at the gateway, strip and replace the attachment with one of your own making. Something suitably humiliating. Is anyone doing anything like this already that they’d like to share?
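As an added example (not the author's code) of the strip-and-replace idea, and of the attachment-type blocking from the BlackWorm detection entry above, the filter below parses a raw message, finds attachments whose extension is in that entry's list, and swaps each one for a plain-text note while leaving the rest of the message intact. The sample message is constructed here; the replacement text is a neutral note that you would adapt to your own purposes.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extension list from the BlackWorm entry; .exe is not in it because that
# list did not include it, so extend the set as your own policy requires.
BLOCKED_EXTENSIONS = {"pif", "scr", "mim", "uue", "hqx", "bhx", "b64", "uu"}

def is_blocked(filename: str) -> bool:
    """Match on the final extension, case-insensitively, so 'Photos.PIF' is caught."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS

def neutralize(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw message and swap each blocked attachment for a plain-text note."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    replaced: List[str] = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_blocked(name):
            replaced.append(name)
            note = (f"The attachment '{name}' was removed by the mail gateway "
                    "because its file type is not permitted.")
            part.clear_content()    # drops the payload and all Content-* headers
            part.set_content(note)  # the same MIME slot now holds text/plain
    return msg, replaced

def build_sample() -> bytes:
    """Constructed test message: one blocked attachment and one harmless one."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Photos"
    m.set_content("See attached.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="Photos.PIF")
    m.add_attachment("plain text notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = neutralize(build_sample())
    print("replaced:", removed)
    print(cleaned.as_string())
```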