Monday, December 01, 2008

Spam levels are heading back up after dropping dramatically following the shutdown of Web hosting company McColo. According to Symantec security research, some notorious botnets are back in action.

Spam levels appear to be rising again after a steep decline.

According to researchers at MessageLabs, now part of Symantec, spam volumes have doubled since last week. Spam levels dropped off dramatically with the shutdown of Web hosting company McColo on Nov. 11. Though the firm briefly gained new life the weekend of Nov. 15, it was quickly shut down again, and spam at first remained at relatively low levels.

McColo played host to a number of major botnets, including Rustock and Asprox. According to Matt Sergeant, senior anti-spam technologist at MessageLabs, the lag between the initial decline and the subsequent rise was due to the time it took for the botnet owners to find a new ISP and bandwidth provider.

"The Asprox and Rustock botnets are back with a vengeance after having found new command and control," Sergeant said in an e-mail. "Cutwail never went away and it seems its owners have used the opportunity to increase output. Mega-D is also on the rise again," he said. "Srizbi, having once been responsible for 50 percent of all spam, is now completely defunct. Without this botnet, spam levels won't return to what they had been."

In a blog post, Symantec Security Response noted that in addition to overall spam volumes being up, the percentage of spam messages containing a text/HTML MIME part has jumped to 55 percent of all spam. Since the McColo takedown, that percentage had hovered around 34 percent; prior to the shutdown it was more than 55 percent. The return of the HTML share to its pre-takedown level indicates that a return to normal spam activity could be in the works, according to the blog.

"When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML," the blog post said. "The spam messages were typical 'Canadian Pharmacy' spam messages that were using short HTML messages with a varying set of domains in the URLs. The spam messages were being sent from compromised hosts around the globe."
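The two measurements above, the share of messages carrying a text/HTML MIME part and the spread of link domains inside those HTML parts, are easy to reproduce over a mail sample. The script below is an added example, not Symantec's or MessageLabs' code; the four messages it parses are constructed for illustration (the `.example` domains are placeholders), so the 50 percent it reports is a property of the sample, not the 55 percent figure from the blog post.

```python
"""Measure the share of messages with a text/html MIME part and pull the link
domains out of those HTML parts. Added example; the SAMPLES below are
constructed messages, not captured spam."""
import re
from collections import Counter
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# href values pointing at http(s) URLs inside an HTML body (quotes optional)
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

# Constructed RFC 5322 messages: two with an HTML part, two plain text.
SAMPLES = [
    # 1: multipart/alternative whose HTML part is a short pharmacy-style lure
    "\n".join([
        "From: sender1@example.net",
        "To: victim@example.org",
        "Subject: Your order",
        "MIME-Version: 1.0",
        'Content-Type: multipart/alternative; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Canadian Pharmacy",
        "--b1",
        "Content-Type: text/html; charset=us-ascii",
        "",
        '<html><body><a href="http://rx-shop-one.example/">Canadian Pharmacy</a></body></html>',
        "--b1--",
        "",
    ]),
    # 2: single-part text/html with two links, one reusing the first domain
    "From: sender2@example.net\nTo: victim@example.org\nSubject: Discount\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
    "<a href='https://rx-shop-two.example/go'>x</a> "
    '<a href="http://rx-shop-one.example/?id=7">y</a>\n',
    # 3: plain text, no URL
    "From: sender3@example.net\nTo: victim@example.org\nSubject: hi\n\nhello\n",
    # 4: plain text containing a URL; it is not inside an HTML part so it is
    # not counted as an HTML link domain
    "From: sender4@example.net\nTo: victim@example.org\nSubject: link\n\n"
    "see http://not-html.example/\n",
]


def has_html_part(msg: Message) -> bool:
    """True if any MIME part of the message (including a single-part body) is text/html."""
    return any(part.get_content_type() == "text/html" for part in msg.walk())


def html_link_domains(msg: Message) -> set:
    """Lower-cased hostnames of every http(s) href found in the message's text/html parts."""
    domains = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)  # bytes, transfer-encoding removed
        if payload is None:
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in HREF_RE.findall(body):
            host = urlparse(url).hostname
            if host:
                domains.add(host.lower())
    return domains


def html_share(raw_messages) -> float:
    """Fraction of messages with at least one text/html part (0.0 for empty input)."""
    msgs = [message_from_string(raw) for raw in raw_messages]
    if not msgs:
        return 0.0
    return sum(has_html_part(m) for m in msgs) / len(msgs)


def domain_counts(raw_messages) -> Counter:
    """Number of messages linking to each domain (one count per message per domain)."""
    counts = Counter()
    for raw in raw_messages:
        counts.update(html_link_domains(message_from_string(raw)))
    return counts


if __name__ == "__main__":
    print(f"text/html share: {html_share(SAMPLES):.0%}")
    for domain, n in domain_counts(SAMPLES).most_common():
        print(f"{n:3d}  {domain}")
```

Counting one hit per message per domain, rather than one per link, is what makes the second number useful for the "varying set of domains" pattern the blog post describes: a campaign that rotates landing domains shows up as many domains with low counts each, while a legitimate newsletter shows one domain repeated across the sample.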

From an enterprise security perspective, the threat posed by spam is the same as it always was, Sergeant said.

"Even while levels were down, organizations should have maintained the same levels of vigilance as they had when spam was at its highest," he said. "Organizations should continue to keep spam filters and anti-virus engines updated as always."

posted @ 1:58 PM | Feedback (0)

The 'malware' strike, thought to be from inside Russia, hit combat zone computers and the U.S. Central Command overseeing Iraq and Afghanistan. The attack underscores concerns about computer warfare.

Reporting from Washington -- Senior military leaders took the exceptional step of briefing President Bush this week on a severe and widespread electronic attack on Defense Department computers that may have originated in Russia -- an incursion that posed unusual concern among commanders and raised potential implications for national security.

Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.

Military computers are regularly beset by outside hackers, computer viruses and worms. But defense officials said the most recent attack involved an intrusive piece of malicious software, or "malware," apparently designed specifically to target military networks.

"This one was significant; this one got our attention," said one defense official, speaking on condition of anonymity when discussing internal assessments.

Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary.

Bush was briefed on the threat by Navy Adm. Michael G. Mullen, chairman of the Joint Chiefs of Staff. Mullen also briefed Defense Secretary Robert M. Gates.

Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement. Defense experts may never be able to answer such questions, officials said.

The defense official said the military also had not learned whether the software's designers may have been specifically targeting computers used by troops in Afghanistan and Iraq.

However, suspicions of Russian involvement come at an especially delicate time because of sagging relations between Washington and Moscow and growing tension over U.S. plans to develop a missile defense system in Eastern Europe. The two governments also have traded charges of regional meddling after U.S. support for democratic elections in former Soviet states and recent Russian overtures in Latin America.

U.S. officials have worried in recent years about the possibility of cyber-attacks from other countries, especially China and Russia, whether sponsored by governments of those countries or launched by individual computer experts.

An electronic attack from Russia shut down government computers in Estonia in 2007. And officials believe that a series of electronic attacks were launched against Georgia at the same time that hostilities erupted between Moscow and Tbilisi last summer. Russia has denied official involvement in the Georgia attacks.

The first indication that the Pentagon was dealing with a computer problem came last week, when officials banned the use of external computer flash drives. At the time, officials did not indicate the extent of the attack or the fact that it may have targeted defense systems or posed national security concerns.

The invasive software, known as agent.btz, has circulated among nongovernmental U.S. computers for months. But only recently has it affected the Pentagon's networks. It is not clear whether the version responsible for the cyber-intrusion of classified networks is the same as the one affecting other computer systems.

The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the drives.

Defense officials acknowledged that the worldwide ban on external drives was a drastic move. Flash drives are used constantly in Iraq and Afghanistan, and many officers keep them loaded with crucial information on lanyards around their necks.

Banning their use made sharing information in the war theaters more difficult and reflected the severity of the intrusion and the threat from agent.btz, a second official said.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

In response to the attack, the U.S. Strategic Command, which oversees the military's cyberspace defenses, has raised the security level for its so-called information operations condition, or "INFOCON," initiating enhanced security measures on military networks.

The growing possibility of future electronic conflicts has touched off debates among U.S. defense experts over how to train and utilize American computer warfare specialists. Some have advocated creating offensive capabilities, allowing the U.S. to develop the ability to intrude into the networks of other countries.

But most top leaders believe the U.S. emphasis in cyberspace should be on improving defenses and gathering intelligence, particularly about potential threats.

On Tuesday, Gen. Norton A. Schwartz, Air Force chief of staff, received a specialized briefing about the malware attack. Officers from the Air Force Network Operations Center at Barksdale Air Force Base in Louisiana outlined their efforts to halt the spread of the malware and to protect military computers from further attack.

Schwartz, praising those efforts, said that the attack and the military's response were being closely monitored by senior military leaders.

The offending program has been cleansed from a number of military networks. But officials said they did not believe they had removed every bit of infection from all Defense Department computers.

"There are lots of people working hard to remove the threat and put in preventive measures to protect the grid," said the defense official. "We have taken a number of corrective measures, but I would be overstating it if I said we were through this."

posted @ 10:47 AM | Feedback (0)

Security software built into a stolen laptop computer led police to a Hoisington residence on Tuesday. Authorities not only found the computer, but they also uncovered what appears to be a methamphetamine lab.

Detective Denton Doze at the Great Bend Police Department said the $9,000 computer, along with hand tools and power tools, was stolen during a burglary reported last Friday at the My Town project, 1419 Main Street.

The first time someone went online with the missing laptop, the manufacturer tracked it through the e-mail and notified police. Detective Doze got a search warrant for the residence of Dennis L. Price at 413 Maple Street in Hoisington. The Hoisington Police Department, including Chief Kenton Doze (the Great Bend detective's brother), and the Barton County Sheriff's Office were involved in executing the warrant. Their search began around 11 a.m. Tuesday.

"The computer was on the living room floor," Detective Doze said. During the search for the missing hand tools, suspected drugs were found, and it was Hoisington Police Chief Kenton Doze's turn to get a search warrant.

"We found what we suspected to be methamphetamine," Chief Doze said. Hoisington got a third search warrant when officers found "what looks like the components of a meth lab."

Price was booked into the Barton County Jail on charges of possession of ephedrine, drug manufacturing equipment and marijuana. He is being held in lieu of $300,000 bond.

As of Wednesday evening, the missing tools had not been accounted for.

posted @ 10:45 AM | Feedback (0)

A computer expert has been executed in Iran after he confessed to working for Mossad, the Israeli intelligence service. The case provides a rare insight into the intense espionage activity inside the Islamic republic.

Ali Ashtari, 43, a computer and hi-tech equipment buyer for Iran’s defence industry and nuclear programme, was hanged after admitting he worked for Israel. It is the first known conviction of an alleged Israeli agent in Iran for almost 10 years.

Ashtari was trusted by senior officials to travel overseas to buy the advanced computers and other electronic equipment needed for the regime’s nuclear programme, which is reported to have already produced enough enriched uranium to make an atomic bomb.

Behind their backs he allowed the software he bought to be subtly doctored by Israeli computer engineers before it was imported to Iran. Ashtari confessed: “Mossad’s goal was to sell specialised computer equipment through me to Iranian intelligence organisations.”

According to surveillance experts, this allowed Israel to monitor computer systems bought by Ashtari, and insert bugs that could slow down Tehran’s weapons development or even sabotage it altogether.

Ashtari revealed how he communicated with his Israeli controllers: “I received a laptop with encrypted software for fast e-mail communication,” he said. “They asked me to install bugging devices in the communications equipment I provided to my clients.”

One computer expert said: “Israel’s well-known technological skills can make its enemies’ systems highly transparent.”

The Iranians were determined to make a public example of Ashtari. The head of the counterespionage department of Iran’s intelligence ministry said: “We want to show that a new battle with the enemy’s intelligence services has begun.” Israel has denied that Ashtari was one of its spies.

Ashtari said he was recruited by Mossad agents in Europe while on a business trip. According to his testimony, he was offered expensive medical treatment in Switzerland. He is understood to have spied for Israel for at least three years.

After the execution, the chief prosecutor, Saeed Mortazavi, said Iran had broken another Mossad spy ring, and will seek the death penalty for three suspects held in custody.

“The intelligence war is a crucial part of our efforts to delay Iran’s nuclear programme,” an Israeli defence source said. “I wish our intelligence capabilities were sufficient to set it back, but this is by no means certain.”

posted @ 10:45 AM | Feedback (0)