Saturday, 15 March 2008

Three dollars a day to solve CAPTCHAs

Source: The Register

There have been suggestions of late that miscreants have found an automated way to solve GMail's CAPTCHA protection during the sign-up process. Brad Taylor, a Google software engineer, claims that it is more likely to be done manually as a paid service. Certain Russian-language documents have been found containing instructions on CAPTCHA-solving, and stating that workers are paid upwards of three dollars per day.

Friday, 14 March 2008

Another mass website compromise

Source: McAfee Avert Labs Blog

McAfee breaks the news of another mass website compromise being used to disseminate malware (similar to this earlier incident), which includes many reputable sites. "More than ten thousand" sites have been maliciously altered to include a Javascript file which triggers a cascade of attempts to install a mixed bag of malware. Frequency X suggests that the compromise vector was a combination of IIS+ASP+SQL.

Tuesday, 11 March 2008 active under new domain

Source: Sunbelt BLOG is a malware gang which sells zombies (compromised hosts). Last year, PC World published an article which claimed that the going rate for compromising a typical Windows-based host was twenty cents. was taken offline in late January this year after suffering a DDoS attack launched by a rival gang which utilised Barracuda anti-spam appliances. The gang is now back under a new domain name, and is currently disseminating malware through 3D screensaver Trojan horses.

Saturday, 1 March 2008

Botnets and their spam output

Source: Marshal TRACE Blog

Marshal has released spam statistics for February 2008, showing a breakdown by source botnet. Of note is the fact that botnet size and spam quantity output are not closely related. Although the Storm botnet is renowned for being quite large, it was responsible for only 2% of spam for the month. Contrast this with the Srizbi botnet, which was responsible for nearly 40%.

On the worth of EV SSL

Source: The Register

The Register has a brief but useful analysis of Extended Verification SSL and its efficacy as an anti-phishing mechanism. Problems with the technology include user ignorance (in relation to the convention of turning the address bar green when verified by EV SSL), and the vulnerability of such verified sites to compromise of various sorts (which EV SSL can not prevent, and which is made more serious by the presence of the trust seal).