Archive for RB

2009 SPAM results

PC World chronicles how analysts at the California-based security company FireEye executed a plan to shut down the Mega-D (or Ozdok) botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. To shut down this threat, Atif Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.

According to the article, the botnet’s command infrastructure was its weak point. The Mega-D bots infesting PCs were directed from command and control (C&C) servers located around the world. The researchers found that if the bots could be separated from their controllers, the undirected bots would sit idle on the PCs, not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of fallback destinations to try if it couldn’t reach its primary command server, so taking down Mega-D would need a carefully coordinated attack.

To coordinate the attack, the FireEye team contacted the Internet service providers (ISPs) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with others in Turkey and Israel. The FireEye team received cooperation from the U.S.-based ISPs but not from the overseas ISPs, and it took down the U.S.-based C&C servers.

Since the ISPs in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted the domain-name registrars holding the records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. This cut off the pool of domain names that the bots would use to reach the overseas Mega-D C&C servers.

As the last step, PC World says that FireEye and the registrars worked to claim the spare domain names that Mega-D’s controllers had listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log attempts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
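The size estimate described above rests on counting distinct machines that check in at the sinkhole. The following is an added example (not FireEye’s code) that parses a constructed sinkhole log of assumed format and reports unique check-in sources overall, per day and per fallback domain, with the NAT/DHCP caveat that makes such a count an estimate:

```python
import re
from collections import defaultdict

# Constructed sinkhole check-in log (not FireEye's data): one line per bot
# attempt to reach a fallback domain that now resolves to the sinkhole.
# Assumed format: <UTC timestamp> <source IP> <domain the bot asked for>
SINKHOLE_LOG = """\
2009-11-06T00:01:12Z 203.0.113.10 fallback-a.example
2009-11-06T00:01:15Z 203.0.113.10 fallback-b.example
2009-11-06T00:02:40Z 198.51.100.7 fallback-a.example
2009-11-06T03:15:01Z 203.0.113.10 fallback-a.example
2009-11-06T09:20:33Z 192.0.2.55 fallback-c.example
2009-11-07T01:00:00Z 198.51.100.7 fallback-a.example
2009-11-07T02:30:11Z 192.0.2.56 fallback-b.example
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<domain>\S+)$"
)

def parse_checkins(log_text):
    """Yield (day, ip, domain) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("day"), m.group("ip"), m.group("domain")

def summarize_sinkhole(log_text):
    """Population estimate from check-ins. Each source IP is counted once
    overall, once per day seen, and once per fallback domain it tried.
    Caveat: NAT hides several bots behind one IP and DHCP churn shows one
    bot as several, so the count is an estimate, not an exact census."""
    all_ips, per_day, per_domain = set(), defaultdict(set), defaultdict(set)
    for day, ip, domain in parse_checkins(log_text):
        all_ips.add(ip)
        per_day[day].add(ip)
        per_domain[domain].add(ip)
    return {
        "unique_bots": len(all_ips),
        "per_day": {d: len(s) for d, s in sorted(per_day.items())},
        "per_domain": {d: len(s) for d, s in sorted(per_domain.items())},
    }

if __name__ == "__main__":
    print(summarize_sinkhole(SINKHOLE_LOG))
```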

MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” for the preceding year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days after FireEye’s operation, Mega-D’s share of Internet spam had fallen to less than 0.1 percent, MessageLabs states.

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. Either way, other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research at SecureWorks, in the PC World article. “The question is, will it have a long-term impact?”

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement. “We’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

rb-

The takedown of Mega-D by FireEye has produced a noted decrease in the level of SPAM I observed. During the 10 months before the Mega-D takedown, the daily average of SPAM messages (DASM) received was 49. After the November 2009 takedown, the DASM rate dropped to 33. A step down into the numbers reveals that the November 2009 DASM was 35 and the December DASM was 29.


The overall DASM trend line for 2009 was down. To keep the trend going down, firms should investigate the Shadowserver ASN & Netblock Alerting & Reporting Service. This free reporting service is designed for organizations that directly own or control network space. The service provides reports detailing detected malicious activity to aid their detection and mitigation programs. Shadowserver has provided this service for over two years and now generates over 4,000 reports nightly. The reporting service monitors and alerts on the following activity:

  • Detected Botnet Command and Control servers
  • Infected systems (drones)
  • DDoS attacks (source and victim)
  • Scans
  • Clickfraud
  • Compromised hosts
  • Proxies
  • Spam relays
  • Malicious software droppers and other related information.

Detected malicious activity on a subscriber’s network is flagged and included in daily summary reports detailing the previous 24 hours of activity. These customized reports are made freely available to the responsible network operators as a subscription service.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

The Internet as a Subway Map

The good folks over at Simply Zesty released this cool map of the inner-web tube thing.

The Internet Super Subway map

rb-

Check out their site and give them a thumbs-up. A good network diagram is always a helpful tool.


Another Tech Loss for Michigan?

Earlier this week Texas-based Tektronix Communications announced it had acquired Arbor Networks, which makes software for network security and management. Arbor Networks employs about 90 people in Ann Arbor and 270 worldwide, according to Xconomy-Boston. Farnam Jahanian, who is chair of computer science and engineering at the University of Michigan, formed Arbor Networks in 2000 with Rob Malan, who was Jahanian’s Ph.D. student at the U-M and is now Arbor’s chief technology officer (he will stay on as CTO).

Arbor Network’s core technology, based on Malan’s and Jahanian’s research, involves software that monitors entire computer networks, from data centers and Internet service providers to broadband customers and mobile interfaces. According to the article, the firm’s products protect its customers against all manner of security threats, most notably, denial-of-service attacks that can shut down big networks and popular websites. Jahanian and Malan’s team raised a Series A venture round in 2000, led by Battery Ventures and Cisco Systems, and then a Series B round in 2002, led by Thomas Weisel Venture Partners. Those two rounds, the only outside funding taken by the company, were worth about $33 million.

Arbor CEO, Colin Doherty, told Xconomy-Boston that Danaher (NYSE: DHR), a Washington D.C.-based technology conglomerate, owns Tektronix Communications. According to Doherty, Arbor will stay “whole and intact as an operating unit under the Danaher brand.” The company will become part of Danaher’s communications and enterprise group which comprises a half-dozen companies, including Tektronix Communications, Fluke Networks, and AirMagnet.

Arbor will give its new parent company deep Internet security knowledge, what Doherty calls a “security beachhead.” Now “they can detect, secure, and mitigate network security. It was a really good fit for them,” he says. Doherty told xconomy.com that with Danaher’s size and influence, “it’s a unique opportunity for us to change our model…and be part of a larger public vehicle.” Financial terms of the deal weren’t disclosed, and the principals at Arbor and Danaher weren’t saying much beyond the platitudes that typically follow such a merger.

For his part, Jahanian, who is exiting the company, calls the Danaher acquisition a natural next step in Arbor’s broader evolution. “It’s another inflection point,” he said in the article, and it will help the firm “expand into a new emerging market.” David Munson, the dean of engineering at the University of Michigan, says in the article that he is “heartened that the acquisition of Arbor Networks calls for Arbor’s research and development activity to remain in Ann Arbor. This is a cornerstone for Ann Arbor’s rapidly developing software and networking industry.”

Doherty did not offer Xconomy.com many specifics on the new firm’s commitment to Michigan, other than the usual corporate platitudes that Arbor will “continue to grow our presence in Ann Arbor and in Chelmsford (MA).” However, even the U-M professor admits Michigan does not cut it for big-time Tech. “We knew we could build a phenomenal R&D team in Ann Arbor,” Jahanian says. “But to recruit the quality of executives [we wanted], we had to be either on the East or West Coast.” The combination of Battery Ventures being in the Boston area, the strong local business talent, and proximity to the East Coast’s big wireless carriers and Internet service providers swung the decision in Boston’s favor, he told Xconomy.com.

rb-

From where I sit, the DHR product lines seem to be a good match for Arbor’s, but it is only a matter of time before the bean-counters in charge at DHR decide that even a “phenomenal R&D team in Ann Arbor” is too expensive and Michigan (and the US) will lose 90 more leading-edge, well-paying jobs. Another example of how tech-unaware Michigan is: Xconomy-Detroit did not cover this; the article came from Boston.

Related articles
  • Arbor Networks Partners With Ingram Micro in Asia Pacific to Help Enterprises Mitigate DDoS Threats to Their Businesses (prweb.com)


Zombie Cookies

If you are a frequent visitor to YouTube, or just stopped by Scribd to check it out once, or have visited any other Flash site, the odds are you have zombie cookies lurking on your computer that you thought were long gone, according to an article at Helium. A lawsuit has been filed against major web properties for installing zombie cookies on computers. The suit alleges that the Quantcast cookies violate eavesdropping, hacking, and fair trade laws, and form a pattern of covert online surveillance. The firms named in the suit include:

  • ABC
  • ESPN
  • HULU
  • MySpace
  • MTV
  • NBC
  • Scribd
  • YouTube
  • Most other sites utilizing Flash

When you visit a website it generally places a cookie on your computer, which you can delete. But when you delete a zombie cookie, it comes back to life in a sense, hence the cool name. The problem was first identified at UC Berkeley. Researchers there noticed that they were deleting cookies, but the cookies kept coming back over and over. No amount of deleting them would kill the nasty little buggers off. After tracking down their location, the only fix that was easily available at that time was deleting the cookies and Adobe Flash Player (ADBE).
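The respawn works because the Flash Player keeps its own storage, the “local shared objects” (.sol files), outside the browser’s cookie jar. The following is an added example, not code from the original post or from Adobe, that lists the .sol files under the Flash Player #SharedObjects directory (well-known default locations are assumed) and flags sites that hold both an HTTP cookie and a Flash object, which is where a deleted cookie can be restored from; make_sample_tree builds a constructed layout so it runs offline:

```python
import os
import sys
import tempfile
from pathlib import Path

def flash_lso_roots():
    """Well-known Flash Player #SharedObjects locations per platform (assumed defaults)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [appdata / "Macromedia" / "Flash Player" / "#SharedObjects"]
    if sys.platform == "darwin":
        return [home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects"]
    return [home / ".macromedia/Flash_Player/#SharedObjects"]

def find_lsos(root):
    """Map site hostname -> sorted .sol paths under <root>/<profile id>/<hostname>/..."""
    found = {}
    root = Path(root)
    if not root.is_dir():
        return found
    for profile in (p for p in root.iterdir() if p.is_dir()):
        for site in (s for s in profile.iterdir() if s.is_dir()):
            sols = sorted(f.relative_to(site).as_posix() for f in site.rglob("*.sol"))
            if sols:
                found.setdefault(site.name, []).extend(sols)
    return found

def respawn_candidates(lso_sites, cookie_domains):
    """Sites holding both an HTTP cookie and an LSO: the LSO is where a deleted
    cookie can be restored from, so these are the ones to clear together."""
    hits = set()
    for site in lso_sites:
        for dom in (d.lstrip(".") for d in cookie_domains):
            if site == dom or site.endswith("." + dom):
                hits.add(site)
    return sorted(hits)

def make_sample_tree():
    """Constructed demo layout in a temp dir (not real Flash data)."""
    root = Path(tempfile.mkdtemp()) / "#SharedObjects"
    for site, rel in [("video.example", "soundData/settings.sol"),
                      ("video.example", "tracker/uid.sol"),
                      ("ads.example", "quant.sol")]:
        path = root / "ABCD1234" / site / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00\xbf")  # placeholder bytes, not a real LSO
    return root
```

On a real machine, call find_lsos on each path from flash_lso_roots() and pass the result together with the browser’s cookie domains to respawn_candidates.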


Wall Street Up Jobs Down


The Economic Policy Institute (EPI) recently pointed out that while Wall Street has already made up all the profits lost in the depression, recession, economic slump, the job market remains stalled. The country’s labor market still has far fewer jobs than it did at the start of the recession in December 2007.

Corporate profits have recovered, but job market still depressed

The chart from EPI shows trends in both corporate profits (both privately and publicly owned) and employment since the start of the recession. The chart indexes both to 100 at the start of the recession so the lines show how far profits and employment have recovered. Although corporate profits suffered in the early part of the recession, they have been steadily growing for more than a year and are now 5.7% greater than they were at the start of the recession.
