Bredolab Trojan Botnet Dismantled

After infecting what's estimated to be 30,000,000 computers, the Bredolab Trojan, one of the worst ones ever to see the light of day, has been dismantled.

According to the official press release about dismantling the Bredolab Trojan Botnet from the Dutch authorities,

At the request of the Dutch Public Prosecution Service, Armenian police arrested the probable mastermind behind the criminal Bredolab botnet network at the international airport in Yerevan today.

A piece at The Register about the Bredolab dismantling describes the outcome saying, Infected machines remain pox-ridden but the command system associated with the cybercrime network has been decapitated, following an operation led by hi-tech police in The Netherlands.

That's good news, and clearly, capturing this individual and dismantling Bredolab is a big deal. Both the size and the horrible effects of this trojan make its destruction an especially big deal.

The Register piece goes on to say, Bredolab allow[ed] criminals to capture bank login details and other sensitive information from compromised machines, has infected an estimated 30 million computers worldwide since its emergence in July 2009.

This means if your computer has an infection, you'll need to take action immediately, including:

  1. contact your bank(s)
  2. contact your credit card(s)
  3. run a full antivirus scan of your PC

Once Bredolab was taken apart, the authorities used the botnet to send Bredolab infection notifications to the infected PCs.

One last thought: if you find you've gotten a notification like the one above, you might be well served to contact your financial institutions by phone for the time being so you can be sure your personal and financial information is safe 'til you can be certain you've gotten complete virus removal and your computer is clean.


Scareware Sellers Facing Hefty Charges

We have good news to share today in the fight against scareware, scumware, and malware purveyors.

Robert McMillan of the IDG News Service writes in an article appearing at NetworkWorld about scareware sellers facing charges.

Three men are facing federal fraud charges for allegedly raking in more than US$100 million while running an illegal "scareware" business that tricked victims into installing bogus software.

The backstory on this is that the products offered by Innovative Marketing, a so-called antivirus company, including:

  • WinFixer
  • Antivirus 2008
  • Malware Alarm
  • VirusRemover 2008

were nothing but scams.

Here's how the scam worked:

Innovative Marketing is alleged to have set up phony ad agencies which purchased online ad space from legitimate companies. They'd then have these legitimate companies display ads and pop-ups which, to most folks, looked like genuine error messages and antivirus scans.

We've all seen these ads; unfortunately, a lot of folks took the bait, becoming victims of the scams, and plonking down their hard earned cash to rid themselves of what they believed were genuine threats on their PCs.

The thing is, a lot of people didn't take the bait though, and in fact, the article says, The company's products generated so many consumer complaints that the FTC brought a civil action against Innovative Marketing and Byte Hosting in 2008, effectively putting them out of business.

On Wednesday, May 26th, a Chicago grand jury handed down criminal charges to the company for their actions. Because of that and if they're convicted, the three could face time in prison.

Worth mentioning though is that two of the three involved, the ones that operated Innovative Marketing, both live overseas. (Bjorn Sundin is believed to live in Sweden; Shaileshkumar Jain is believed to live in Ukraine.)

The one U.S. resident, James Reno, the man behind Byte Hosting Internet Services, the company that operated the call centers handling customer calls, was expected to turn himself in for arraignment.

Where does that leave consumers who purchased their products?

As for getting money back, sadly, that seems to be a very slim possibility at this point, even if the Justice Department successfully seizes funds as part of a conviction. As for getting consumers' PCs cleaned up and removing the malware these guys installed, to our knowledge all real antivirus software can quickly and safely rid PCs of it.


Mega-D Spam Botnet Disabled

Score 1 for the good guys!

PCWorld brings news of how security company FireEye brought down the Mega-D Botnet, one of the most notorious spam-spewing botnets to date.

Atif Mushtaq, a FireEye researcher, spent two years working to keep their clients' networks free of the dreaded malware, and in doing so,

"...he learned how its controllers operated it.

"Last June, he began publishing his findings online.

"In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down."

Obviously, taking on something of this scope isn't a small task, and according to the piece at PCWorld, Mushtaq and two colleagues began their efforts by going after the Mega-D command infrastructure in an effort to prevent the botnet from getting--or issuing--further instructions to the PCs that had been infected with their malware.

The story of how these guys took on Mega-D really is pretty incredible. They began by contacting the ISPs that hosted the botnet servers. It's easy for some to blame the ISPs hosting the servers, but the reality is that in large ISPs and datacenters, the datacenters know little about what happens on their servers. How can they?

As far as most datacenter owners are concerned, their customers are good customers, hosting legitimate websites. Setting up a legitimate website--or many--is easy cover for the malware operators: show the datacenter staff the legit sites and then secretly also host your bad stuff at the same place.

It's not rocket science.

So they contacted the ISPs, which Mushtaq's research showed were mostly based in the United States, with one in Turkey and another in Israel.

For unknown reasons the foreign ISPs declined to take down the servers, but those in the U.S. complied.

Given the lack of cooperation from the foreign ISPs, they took another approach and contacted the domain registrars, which agreed to point Mega-D's existing domain names to nowhere.

Given that most registrars remain neutral in things like this, this was quite a win, and it meant,

"By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down."

The last part was getting the rest of the domains that Mega-D had queued to use, which the registrars then pointed to FireEye's servers so the good guys could then assume control of the botnet's last-ditch command-and-control efforts.

According to logs set up on the FireEye servers, they estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
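To show how a sinkhole's logs turn into a bot-population estimate like the one above, here is an added example (not FireEye's code or data): it parses constructed sinkhole log lines and counts distinct bot addresses overall, per day and per domain, skipping malformed lines. The log format and the domain names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sinkhole log lines (hypothetical format and domains, not real data).
# Each line: timestamp, the bot's source IP, the C&C domain it tried to reach.
SAMPLE_LOG = """\
2009-11-04T00:01:12Z 198.51.100.7 cnc-a.example
2009-11-04T00:01:13Z 198.51.100.7 cnc-a.example
2009-11-04T00:02:40Z 203.0.113.9 cnc-b.example
2009-11-04T03:15:01Z 192.0.2.44 cnc-a.example
2009-11-05T01:00:00Z 198.51.100.7 cnc-b.example
2009-11-05T02:30:30Z 192.0.2.45 cnc-c.example
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

def parse_sinkhole_log(text):
    """Yield (day, src_ip, domain) for each well-formed line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def estimate_bots(text):
    """Count distinct bots overall, per day and per sinkholed domain.

    A bot that checks in many times, or reaches several domains, is counted
    once, so the figure is a population estimate rather than a hit count.
    Caveats a practitioner keeps in mind: several bots behind one NAT address
    undercount, and dynamic addresses seen on different days overcount.
    """
    overall = set()
    per_day = defaultdict(set)
    per_domain = defaultdict(set)
    for day, ip, domain in parse_sinkhole_log(text):
        overall.add(ip)
        per_day[day].add(ip)
        per_domain[domain].add(ip)
    return {
        "total_bots": len(overall),
        "bots_per_day": {d: len(s) for d, s in sorted(per_day.items())},
        "bots_per_domain": {d: len(s) for d, s in sorted(per_domain.items())},
    }

if __name__ == "__main__":
    print(estimate_bots(SAMPLE_LOG))
```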

As for what this all means in the big picture, it means a few things:

  1. Botnets aren't impervious to being taken down
  2. Cooperation from ISPs, and ultimately domain registrars, too, can be a critical component in shutting down these botnets
  3. Wresting control from the malware operators is a tough job, and even given their diligent efforts, it was a long, hard task to do
  4. In addition to keeping your PC and your software patched, there's no substitute for having the best antivirus firewall software installed and running, since Internet security suites can prevent many infections in the first place and clean-up your computer if you're already infected.

And, as for what it means to've taken down Mega-D,

"MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had 'consistently been in the top 10 spam bots' for the previous year (find.pcworld.com/64165).

"The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.

"Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says."

All-in-all, it's good news--and a good day--for those of us who hate spam and for those of us who're trying to keep our PCs free of viruses, trojans, worms, and any other malware.


51 Month Prison Sentence for Spammer Ralsky

Few things get the ire of computer folks more than spammers. Even spammers hate getting spam.

What's even worse than spam, though, is when spammers use nefarious techniques, including "zombie" PCs (computers whose security has been compromised by a trojan, worm, or virus so that they do the spammer's bidding, typically without the owner's knowledge), to send the spam.

According to the latest conviction, that's what spam "Godfather" Alan M. Ralsky did though.

Washington Post's Security Focus Blog brings us news of the Spam Godfather's Sentence saying,

"Ralsky, 64, of West Bloomfield, Mich., joined two co-conspirators in earning stiff prison sentences for long careers of blasting junk e-mail.

"Following more than four years in prison, Ralsky will be subject to five years of supervised release and will forfeit $250,000 the government seized from him in December 2007, the Justice Department said."

While it's great news for anyone in PC security when someone like this finally gets caught, it's especially good news when the dragnet also ensnares cohorts, as this one did, naming a total of 10 co-conspirators in the original federal grand jury indictment, including Ralsky and 10 others from China, Canada, Hong Kong and Russia, in a 41-count indictment for wire fraud, mail fraud, money laundering and violations of the CAN-SPAM Act.

The three things that make the way they were spamming (at least the way they were spamming according to Spamhaus.org) especially egregious were:

  1. What they did: Sent spam. Lots and lots and lots. And lots of spam.
     Why it was especially egregious: Does anyone like spam?

  2. What they did: Used "zombie" PCs to send spam.
     Why it was especially egregious:
       1. Computer users had their resources, quite literally, stolen from them.
       2. While you're wondering why your PC has slowed down, Ralsky et al. were using your PC's power and your Internet connection to send spam and make them millions.
          If your drive crashed or your network card or modem died because of the extra use and had to be replaced, it's your expense to do so. It cost the group nothing for your trouble.
       3. Innocent PC users got in "trouble" with their ISPs because their PCs were then the sources of the spam coming from Ralsky's group.
       4. Those same users then had to take steps to remove the viruses and get back in their ISP's good graces.

  3. What they did: Sent stock "pump-and-dump" spams.
     Why it was especially egregious: According to the government, Ralsky was a top promoter of so-called pump-and-dump scams...

"schemes in which fraudsters buy up a bunch of low-priced microcap stock, blast out millions of spam e-mails touting it as a hot buy and then dump their shares as soon as the share price ticks up from all of the spam respondents buying into the scam.

Now, we all should know better than to open spam to begin with, but many people did, and those who bought any of the stocks touted by the group suffered very real financial losses.

It's anyone's guess as to how much.

It's because of groups like these that we all need antispam software and antivirus software to begin with.

We're glad to see yet another spam group get ensnared, making PC security--and the spam in our inboxes--a bit better for us all, and while it took a while, we're glad they finally got their just deserts.


Kaspersky Labs Wins Precedent-Setting Case Against Adware / Spyware

Late June brought a victory--and some delightful news--to those looking to put a little sanity into the adware / spyware front.

It should be no surprise to regular readers that we feel that labeling adware as spyware is a logical thing to do. While many adware purveyors take umbrage at the notion that they're spyware, since many don't report the visitor's activities back to a central server, we don't.

That's splitting hairs as far as I'm concerned.

Any software that records your actions and, no matter how loosely, takes action now or later based upon what your actions are or were, is spying on you--even if it's just serving ads.

What's important about the Kaspersky legal victory is that it deals with the adware/spyware Zango.

In the Kaspersky press release about Zango, Kaspersky Lab Americas President Steve Orenberg says,

"...we feel it's our responsibility to warn a user when we classify an application as malicious, thus giving the user the choice to stop the application or let it run.

"We are thrilled with the outcome of this case because it supports the key message of the information security industry -- consumer protection comes first and that a legal suit cannot force a vendor to classify a potentially malicious program in a certain way."

What Kaspersky was hoping for, and got, was so-called "Good Samaritan immunity."

This means Kaspersky's users can be notified if this software is on their computers via the Kaspersky Antivirus spyware detection mechanism (which we rate highly). At that point it's up to the user to keep or block Zango.

What the court decided, among other things, is that it's your choice.

This is a real victory for anyone--software vendor or consumer--who wants to keep crapware off their computers. Zango isn't a virus to be sure, but it may be spyware, and it's most definitely adware.

If you want Zango, and you're running Kaspersky antivirus software, keep it; if you don't, block it. Seems logical to me.