[Intrusions] New SPAM Technique?
Gadi Evron
ge at egotistical.reprehensible.net
Fri Jun 4 14:33:24 GMT 2004
Carey, Steve T GARRISON wrote:
> Overnight we have seen an increase from 16 IP addresses to around 230 IP
> addresses sending out the same pop-up message.
>
> Any chance that a spammer has a 'new' worm that propagates their pop-up, along
> with a compromise?
>
> Steve

Well, as all we see are more IP addresses, my bet would be that however
these machines were compromised, they _are_ indeed compromised. I don't
think there is another answer.

The spammer(s) got him/herself a brand new drone army! WooHoo!

These past few years we're seeing an increase in malware writing as well
as in sophistication. Organized crime and spammers both understand the
potential of drone armies and are making a move on the field. We are not
dealing with bored kids anymore.

Just a couple of weeks ago a drone army constructed of *nix boxes was
brought to my attention (this still happens at times, although not as
often as prior to 1996, it's mostly Windows boxes nowadays). The
interesting thing was that instead of mostly broadband users, most
compromised machines had "secure" in their hosts, as in domains with a
name the sort of: secureserver.whatever or securedhost.whatever. Secure
hosting providers, and similar.

I moved it along to a CERT/CC contact at the time, but heck, there are
millions of drones out there at any given moment. Some armies cease to
exist due to some good work by a select few, but the point is, more
always show up.

If anything, I expect this trend to grow even further in coming years.

Gadi Evron.

--
Email: ge at linuxbox.org. Work: gadie at cbs.gov.il. Backup: ge at warp.mx.dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email:
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450