The findings were published in Symantec’s MessageLabs Intelligence Report for April, published on Friday. The company used a technique called ‘passive fingerprinting’ to identify the operating system of a spam-sending machine, then calculated the ratio of spam from a given operating system compared with its market share.

Linux systems originated 5.14 percent of spam, compared with 92.65 percent for Microsoft Windows systems. But Linux only has 1.03 percent of the operating system market share, as opposed to 91.58 percent for Windows, according to Symantec. (For the market share figures, Symantec used research from Net Applications.)

“By calculating a ratio of spam from a given operating system compared to the market share, we can get a ‘spam index’, which shows — relative to its market share — the likelihood that a particular computer is sending spam, based on its operating system,” Symantec said in the report.

The resulting calculation gave Linux a “spam index” of 4.99, compared with an index of 1.01 for Windows.

“In the current spam climate, this index shows that relative to its market share, any given Linux machine is five times more likely to be sending spam than any given Windows machine,” the company said.

The figures do not necessarily show that Linux is being disproportionately targeted by spammers, or that it is less secure than Windows, but rather seem to be related to the fact that Linux is disporportionately used to run email relay systems, according to Symantec.

In some cases, the problem seems to be that such relays have been set up without following basic anti-spam precautions, according to Mat Nisbet, a malware data analyst with Symantec.

Nisbet said he investigated the originating IP addresses of a random selection of spam from Linux systems. In most cases, he found the spam came from a machine running an open-source mail transfer agent such as Postfix or Sendmail that had been left open to relaying email from third parties.

“This suggests that one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers and are using open-source software to keep down costs have not realised that leaving port 25 open to the internet also leaves them open to abuse,” Nisbet said in a Friday blog post.

Organisations looking to use Linux as a mail server need to make sure they know how to set it up securely, he added.

“Make sure that the systems are correctly set up to restrict access on port 25 to only authorised users (for example, attached to the local network, or through VPN),” he wrote.

Another factor that could be skewing the statistics is that some ISPs force all their users’ mail to go through their own hosts, which are often run on Linux systems, Nisbet said.

“This means that a lot of botnet traffic which we would normally identify as something else, instead appears to be coming from Linux,” he wrote.

source: www.scmagazineuk.com

This is the first prosecution of a hacker for this type of activity, according to the US Attorney’s Office for the Central District of California. The Federal Bureau of Investigation pursued the case.

Schiefer says he also found Paypal usernames and passwords using malware that could access usernames filed in a secure storage area on the computers. The malware would send that information to Schiefer, who used it to access the accounts.

Schiefer also acknowledged fraudulently earning more than $19,000 from a Dutch internet advertising agency that hired him as a consultant. He was supposed to install the company’s programs on computers after receiving consent from computer owners. Instead, he and his associates installed it on 150,000 computers that were infected with his malware.

Schiefer is scheduled to appear in the US District Court in Los Angeles on November 28 and be arraigned on December 3.

When such PDF files are viewed on vulnerable machines, they start downloading software from servers in Malaysia or Sweden, which are now being cleaned, he said. “There will be more such attacks.”

“We are worried about this case, as PDF attachments are typically not filtered at email gateways.”

A security update for Adobe Reader and Acrobat was made available a few days ago, but many users have not updated the program yet, Hypponen said.

Storm is not really a computer worm. It’s a network of computers that have been infected via malicious email messages, and are centrally controlled via the Overnet P-to-P protocol. Enright said he has developed software that crawls through the Storm network and he thinks that he has a pretty accurate estimate of how big Storm really is.

Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world’s most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time.

Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network.

Since July, it’s been downhill for Storm. That’s when antivirus vendors began stepping up their tracking of Storm variants and got a lot better at identifying and cleaning up infected computers, Enright said.

Then on September 11, Microsoft [added] Storm detection (Microsoft’s name for Storm’s components is Win32/Nuwar) into its Malicious Software Removal tool, which ships with every Windows system. Overnight, Storm infections dropped by another 20 per cent.

Today, Enright said that Storm is about one-tenth of its former size. His most recent data counts 20,000 infected PCs available at any one time, out of a total network of about 160,000 computers. “The size of the network has been falling pretty rapidly and pretty consistently,” he said.

Still, Storm has had a remarkably successful run. It’s called Storm because it first popped up in mid-January in spam emails that offered late-breaking information on powerful storms that had been battering Europe. Users who clicked on the “Full Story.exe” or “Video.exe” attachments that accompanied the spam were infected by malicious software, making them part of the Storm network.

These machines were then used to send out more spam and launch attacks against other computers. The recent MP3 stock spam that was first spotted earlier this week was sent out by the Storm network, Enright said.

Storm was effective because its creators were really good at creating messages that victims would feel compelled to click, Enright said. In its first few days, it managed to infect more than 300,000 computers, making it the worst malware outbreak since 2005. Its creators have since been masters at creating timely messages for their spam and have also had success getting victims to click on fake e-greeting cards.

The Storm network itself is constantly changing, and has used a variety of technologies that have made it an interesting phenomenon to study. In addition to the peer to peer network, it has used rootkit software to disguise its presence on the PC and a server-switching technique called “fast-flux,” which makes the Storm servers harder to find on the network.

It’s also developed some interesting ways of keeping researchers like Enright at bay. “If you’re a researcher and you hit the pages hosting the malware too much… there is an automated process that automatically launches a denial of service [attack] against you,” he said. This attack, which floods the victim’s computer with a deluge of Internet traffic, knocked part of the UC San Diego network offline when it first struck.

Lately Storm has been responsible for a large quantity of “pump and dump” spam, which tries to temporarily boost the price of penny stocks. But one area that does not seem to be of interest to Storm’s creators is identity theft. “Believe it or not, credit card numbers aren’t worth that much money,” Enright said. “It’s much better to make money… via pump and dump.”

Anti-spam outfits reported Storm Worm-driven MP3 spam runs of about 10,000 per hour, accounting for roughly seven to 10 per cent of all unwanted mail in the past 18 hours.

“It was almost expected in the natural order of spam,” Paul Wood, a senior researcher for MessageLabs, said. “They’re just looking for the next big thing, and they’ve probably found it.”

In most cases, the junk mail arrives without text in the body or subject line, and includes an MP3 attachment that employs social engineering to appear like a trusted file. Depending on the message, the file name might be “bspears,” “smashingpumpkins,” “weddingsong” or “coolringtone.”

In actuality, the files contain a recorded 30-second synthetic voice message from a woman who tries to persuade listeners to purchase stock in Exit Only Inc., which does business as Text4Cars.com.

The company, whose customers mostly live in Canada, is a thinly-traded stock that is listed as EXTO on the Pink Sheets. This type of business is commonly used in pump-and-dump scams, where even small volumes can move a stock several percentage points.

Text4Cars.com tries to match car buyers and sellers through text messaging, CEO David Dion said. He said he runs a legitimate company and is not trying to get rich quick off a spam scam.

“Why someone is targeting me, I have no idea,” he said. “I wish they’d leave my company alone.”

PayPal was spoofed in 31,719 emails, while the eBay name was faked in just one fewer email, according to the report from PhishTank, a community-based anti-phishing service.

Barclays Bank came in third, with 6,515 verified phishes spoofing the brand. Bank of America (5,727) and Fifth Third Bank (4,191) rounded out the top five.

The report also revealed that the US hosts the most phishing attacks, tallying about 30 per cent of the total. South Korea and China ranked second and third, respectively.

“Most of the phishes that we get submitted tend to be hosted in the US, even if the domain names end in different country codes,” David Ulevitch, chief executive officer of OpenDNS, which operates PhishTank, said. “The phishing site is typically hosted by a residential cable or DSL company based in America.”

However, PDF spam, which saw a surge in August, dipped last month. Image and e-card spam volumes also fell. Image spam went from 10 percent of total spam in August to seven percent in September.

While PDF, image and e-card spam has gone down in volume, text and HTML-based attacks “are still very much in the wild”, the report noted.

To evade spam catchers, spammers are increasingly using JavaScript to hide URLs from spam filters.

According to Symantec, 400,000 JavaScript-embedded spam messages were observed in a one-week period in September.

Anstis said the attack is largely US-based and is making up about one per cent of all spam collected by Marshal. The company studies roughly 15 million spam messages each day delievered to its 40 honeypot accounts across the world.

The fraudsters place their spam messages in the form field meant for the sender to include a personal note for their friend, Graham Cluley, senior technology consultant for Sophos, said.

The junk messages try to lure recipients to visit either a singles website or a site to retrieve a free copy of “Halo 3″, an Xbox 360 video game, according to Marshal and Sophos.

Cluley said the campaign, which so far has been limited in scope, is unique.

“They’re not using a zombie computer,” he said. “They’re not forging the entire email. In fact, they’re not actually sending the email. YouTube is sending the email. [Spammers] are always looking for new ways to get their messages out.”

The attack could be successful because the spam comes from a normally trusted source, experts said.

“The key purpose of attacking YouTube is to defeat spam filters and to lower the recipient’s guard,” according to Marshal. “The spam comes from a big-name company, from an email address which may already be excluded from spam filtering.”

YouTube, in its help section, actually encourages users who are not receiving shared videos from friends to make sure the “service@youtube.com” address is removed from their spam filters. All shared videos originate from that address.

Still, Cluley said he doubts the assault will result in a cash cow for spammers.

“It’s not a convincing way to sell someone something,” he said. “If you look at the screenshot [of the attack], it’s not a clickable link. You have to type it in manually. I can’t believe that many people who receive it will act on it. Of course, there are always people who will respond to spam campaigns.”

The company has warned email users to be wary of messages carrying YouTube invites which appear to derive from the video-sharing site’s ‘Invite Your Friends’ feature, claiming the compromised servers are sending out spam messages from the service@youtube.com address.

“YouTube users have a facility where they can invite their friends to view videos that they are looking at or have posted. This effectively allows them to email to any address from their YouTube account. This is the functionality that the spammers are exploiting,” said Bradley Anstis, Marshal’s director of product management.

Marshal said the emails have the same appearance as a legitimate YouTube invite, except they include typical spam content and links to spam websites.

“Spammers are doing this to defeat spam filters and to lower the recipient’s guard by making it look as though the messages are coming from a perfectly innocuous email address. YouTube’s own Help Centre suggests that you exclude the service@youtube.com email address from spam filtering. The spammers are keenly aware of this.”

The junk messages claimed to “provide” gift cards for a range of products and services, including History Channel magazine subscriptions and Dominos Pizza, if the recipient completes a survey, the security company said.

The report also shows that text- and HTML-based attacks are on the up – with 100 million emails sent during one attack in September – even though image spam levels have dropped to seven per cent of junk messages sent in the same period.

Overall spam levels increased slightly to an average of 70 per cent of all emails sent last month, compared to 69 per cent in August.

According to Symantec, spammers exploited the interest surrounding the uncertainty in the US housing market in their attacks in September. They used emails containing details about the recent housing slump and interest rate cut, using subject lines such as “Looking to sell your house fast?” and “Equity in your house being used?”, to entice users to disclose personal information.