
Archive for April 10th, 2008


Apr10
by Paul Ferguson (Advanced Threats Researcher)

Via www.antiphishing.org.

The second annual Counter-eCrime Operations Summit (CeCOS II) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year’s meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.

This is an important opportunity for stakeholders to meet, define common goals and to plan the harmonization of resources for the global counter-ecrime effort. If you are an information security professional, law enforcement officer, counter-ecrime technology developer, CISO/Security manager, (military or corporate) intelligence officer, policy analyst, technologist, legislator, legislative researcher, industrial standards author, corporate security manager, private investigator or academic/industrial researcher in ecrime you should attend this summit.

More details available here.

See you there!

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

 

Apr10
by JM Hipolito (Technical Communications)

It looks like the Storm botnet must, once again, defend its title as the “Biggest Zombie Network” against the recently “rediscovered” botnet, Kraken.

The botnet, as Dark Reading originally reported, is composed of over 400,000 infected systems, more than twice the reported size of the Storm botnet, which has been getting (most of) all the press since last year.

Researchers are more concerned, however, about the fact that despite its size, the botnet has been able to evade detection by most anti-malware products.

Kraken reportedly arrives on systems as a file posing as an image (e.g. filename.jpg.exe) but is actually a malicious file that executes when clicked. It copies itself onto the affected system in a different format from the original. This file is later used to infect the system again once the original file has been detected by the user’s anti-malware product.

Much like Storm, spam runs are the top agenda for this botnet, which sends advertisements for high-interest loans and male-enhancement products, among others.

Although “recently discovered”, this botnet, which is detected by Trend Micro as TROJ_SPAMBOT.AF, may not be so new after all. Trend Micro researchers as well as other security researchers who have examined Kraken’s behavior are led to believe that it is probably a variant of the BOBAX malware family.

“In theory, it looks like BOBAX has been re-purposed as a base code for this ‘Kraken’ attack,” Threat Research Analyst Jamz Yaneza said.

It seems that Storm isn’t going down without a fight though with its recent attack, recently reemerging as a fake video codec. But then again, it doesn’t really matter who wins in the battle of botnets — there really are no winners except for the cyber criminals preying on unwitting victims.

 

Apr10
by Jake Soriano (Technical Communications)

With all of the fanfare Senator Barack Obama has been receiving — the race for the U.S. Democratic presidential nomination is becoming ever more close — it was only a matter of time until spammers and cyber criminals began to employ his popularity to leverage their malicious activities.

A new spam run that TrendLabs Content Security has recently come across features spammed email messages that entice readers to click a link, which supposedly has a video of Obama’s confessions regarding his “transsexual affairs.” The links lead to the download of the file Barack_Obama-videostream.v182.exe, which Trend Micro detects as BKDR_AGENT.ABTQ.

The upcoming U.S. elections have been targeted by spammers before.

Senator Hillary Clinton, Obama’s main rival in the Democratic presidential nomination race, also became the subject of spamming activities last February, while another candidate, Congressman Ron Paul, had been featured in 2008 U.S. election spam’s first salvo back in November. The two early spam runs, however, sounded in favor of the presidential hopefuls (despite installing malware onto systems). On the other hand, Barack Obama does not seem to have the spammers’ support in this spam run, which alludes to scandalous affairs in an effort to socially-engineer users to peruse salacious content.

[Image: Obama Spam]

Trend Micro users are already protected from this threat, as TrendLabs Content Security already blocks the emails.

 

Apr10
by Macky Cruz (Technical Communications)

Although it has existed for quite a while, a recent example of “backscatter spam” is depicted below from earlier this month:

In the above example, notice that the quoted text — and the associated attachment — is a portion of the original spammed email message.

Backscatter is a term coined to refer to the intended effect of sending spam using forged sender addresses. Spammers who send email messages with different sender names in the From field are in fact counting on certain types of mail transfer agent (MTA) programs that return the entire text or message to the forged sender (as in Message Sending Failure messages or bounced email notifications) instead of truncating the messages. MTAs that are configured like this inadvertently cause a spam run, because they “send back” messages to users who did not send these messages in the first place.

Similar to malware attacks that reuse old exploits, this recycled technique is just as effective as it was when it first appeared, as long as the conditions that allow it still persist. Mail server administrators should therefore be aware of this to avoid contributing additional volume to the already burgeoning problem of bulk mail.

Trend Micro spam filters are, of course, able to detect backscatter, and effectively deal with it.
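One way a receiving site can separate backscatter from a genuine bounce, shown here as an added example (not code from the original post and not Trend Micro's filter): check whether the message returned inside the bounce carries a Message-ID the site actually sent. The `sent_ids` set of logged outbound Message-IDs and the sample bounce are assumptions constructed for illustration.

```python
import email

# Constructed, abbreviated sample: a bounce that returns a spam message whose
# From address was forged as victim@example.org (all names are placeholders).
SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.net failed: user unknown.
--b1
Content-Type: message/rfc822

From: victim@example.org
To: nobody@example.net
Subject: Cheap loans
Message-ID: <spam-123@bulk.invalid>

Buy now.
--b1--
"""

def is_bounce(msg):
    """Bounces carry a null envelope sender or arrive as multipart/report."""
    return (msg.get("Return-Path", "").strip() == "<>"
            or msg.get_content_type() == "multipart/report")

def returned_message_id(msg):
    """Message-ID of the original message the MTA sent back, if any."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full message returned
            return part.get_payload(0).get("Message-ID")
        if ctype == "text/rfc822-headers":   # headers-only return
            return email.message_from_string(part.get_payload()).get("Message-ID")
    return None

def classify(raw, sent_ids):
    """sent_ids (assumption): Message-IDs this site logged for its own outbound mail."""
    msg = email.message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    mid = returned_message_id(msg)
    if mid is None:
        return "bounce-unverifiable"
    return "legitimate-bounce" if mid.strip() in sent_ids else "backscatter"
```
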

 


© Copyright 2008 Trend Micro Inc. All rights reserved.