The following article was originally published by The Spamhaus Project, October 2018.

Image: Haus Bot saying Exploits Block List increases by 50%

After somewhat of a ‘lull’ in botnet activity over the past year, there has been a significant upswing in the number of listings on the Spamhaus Exploits Block List (XBL). The past few weeks have seen a lift from approximately 10 million to 16 million listings. The obvious question to ask is: why? The Spamhaus Project’s botnet specialist explains:

What is the XBL?

The XBL is Spamhaus’s block list which lists IP addresses that host bots and malware-infected computers.

Why the huge upswing in listings?

Approximately half of this increase is due to a new spambot sending out vast quantities of spam for Chinese porn web sites. We believe that this may be due to proxy software, popular in China, having a security issue. Meanwhile the rest is from the rising number of IP addresses that are being reported as infected with the Avalanche/Gamarue botnet.

For those of you with knowledge of the botnet landscape, you’re probably thinking “But the Avalanche botnet was taken down?” You are indeed correct; however, the machines infected by Avalanche are still out there spreading the infection to new machines. The difference now is that these machines can no longer be controlled by the current set of bad guys. But it’s worth noting that these machines are still insecure and open to abuse by other spammers.

When will these bots die out?

Even if all the botnet gangs were taken down the malware they created would continue to spread without their controller. This is a spectre we’re going to have to live with for a long time. The Conficker bot is still out there, and its control network died years ago!

What about the new spambot?

There’s one last question: what (or who) is responsible for sending the copious quantities of Chinese porn-related spam? To date the research team at the Project don’t have an answer, but we’ll let you know as soon as they find out more.

(The original article can be viewed here.)


High-speed and high-volume: Hailstorm spam is one method cyber criminals are using to overwhelm target organizations’ defenses, but Spamhaus is leading the fight back with threat intelligence delivered at high-speed.

Dynamic Updates from Spamhaus protect by alerting you to hailstorm attacks within seconds of them starting, giving you the unique capability to block this type of spam.

Powerful intelligence delivered at high speed

Hailstorm attacks can be over in a matter of minutes and every second counts.

At the first indication of a hailstorm attack, automatic incremental updates are made available. Instead of downloading a full set of IP and Domain-based threat intelligence periodically, Dynamic Updates allow you to receive data as soon as it is available.

Hailstorm spam attack timeline

Graph of a hailstorm attack

  • Before 0 sec: No info
  • 0 sec: Hailstorm attack starts; traffic spikes to more than 800 emails sent every 10 seconds.
  • 16 sec: Domain used is identified and published to the Zero Reputation Domain list. Dynamic Updates subscribers can start blocking the malicious domain.
  • 28 sec: Domain published to Spamhaus Zen and the Domain Blocklist. Spam rate still running at over 800 emails every 10 seconds.
  • 90 sec: Domain generally accessible for rsync subscribers based on a standard 60 second rsync period. Spam rate starts to drop off.
  • 120 sec: Spam rate drops to negligible.

In three minutes, more than 15,000 spam messages sent – 85% blocked by the Dynamic Updates service at the start of the attack. Indicative real case example – individual attack profiles will vary.

The Dynamic Updates advantage

Image: Table showing how Dynamic Updates compares to DQS

Included is Spamhaus’ Zero Reputation Domain (ZRD) service, designed to stop cyber criminals who use newly registered domains. This is a favoured method for sending hailstorm spam: driving traffic to websites in the hope that users will fall victim before a domain has been analyzed for its reputation.

Legitimate organizations will rarely activate a domain and start using it immediately after registration, so the ZRD automatically adds newly-registered and previously dormant domains to a block list for 24 hours.
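The following is an added example, not Spamhaus code and not a client for the ZRD feed, that applies the same policy locally to the domains a mail gateway sees: a domain is blocked for the first 24 hours after it is first observed, and a domain that has been dormant for a long time is treated as if it were new when it reappears. The 24-hour window is the figure stated above; the 90-day dormancy threshold and the sample observations are assumptions made for the example.

```python
# Added example: a local model of the Zero Reputation Domain (ZRD) policy.
# It does not query Spamhaus; it tracks first-seen times for observed domains
# and returns a verdict. BLOCK_WINDOW is the 24 hours stated on the page;
# DORMANT_AFTER is an assumption for what "previously dormant" means.

from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR
BLOCK_WINDOW = 24 * HOUR          # 24-hour zero-reputation window (from the text)
DORMANT_AFTER = 90 * DAY          # assumption: unseen for 90 days counts as dormant


@dataclass
class DomainRecord:
    first_seen: int      # epoch seconds when the domain (re)entered the window
    last_seen: int       # epoch seconds of the most recent observation


class ZeroReputationTracker:
    def __init__(self, block_window: int = BLOCK_WINDOW, dormant_after: int = DORMANT_AFTER):
        self.block_window = block_window
        self.dormant_after = dormant_after
        self.records: dict[str, DomainRecord] = {}

    @staticmethod
    def normalize(domain: str) -> str:
        """Case-fold and strip a trailing dot so 'Shop.Example.' and 'shop.example' match."""
        return domain.strip().lower().rstrip(".")

    def observe(self, domain: str, now: int) -> tuple[str, str]:
        """Record a sighting of `domain` at epoch time `now`; return (verdict, reason)."""
        domain = self.normalize(domain)
        rec = self.records.get(domain)
        if rec is None:
            # never seen before: treat like a newly registered domain
            self.records[domain] = DomainRecord(first_seen=now, last_seen=now)
            return "block", "new domain: inside zero-reputation window"
        if now - rec.last_seen >= self.dormant_after:
            # a dormant domain waking up gets a fresh window, as the ZRD does
            self.records[domain] = DomainRecord(first_seen=now, last_seen=now)
            return "block", "dormant domain reactivated: window restarted"
        rec.last_seen = now
        if now - rec.first_seen < self.block_window:
            return "block", "inside zero-reputation window"
        return "allow", "domain has aged out of the window"


def run_sample() -> list[tuple[int, str, str]]:
    """Constructed observation log (time in hours, domain) run through the tracker."""
    sample = [
        (0, "new-shop.example"),
        (23, "new-shop.example"),
        (25, "New-Shop.example."),
        (25 + 100 * 24, "new-shop.example"),   # reappears after ~100 days of silence
    ]
    tracker = ZeroReputationTracker()
    return [(hours, dom, tracker.observe(dom, hours * HOUR)[0]) for hours, dom in sample]


if __name__ == "__main__":
    for hours, dom, verdict in run_sample():
        print(f"t={hours:5d}h  {dom:20s} -> {verdict}")
```

A gateway using this alongside the real ZRD would still need the feed for the "newly registered" signal, since local first-seen only tells you the domain is new to you, not new to the world; the local model is useful as a second, independent aging check.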

Configuration

Image: Picture showing how Dynamic Updates is configured

Deploy Dynamic Updates in minutes following these easy steps:

  1. Generate your own authentication certificate (including self-signed)
  2. Submit certificate to Spamhaus via our user portal
  3. Connect! You will be informed via our portal

If you are not already a Spamhaus user, then sign up here and get access to our user portal.

GovWare 2018 in Singapore will see the launch of a new detection tool developed by Deteque, a division of Spamhaus, that uncovers patterns of malicious activity from networks across the world.

Using billions of records from across the internet, the new Passive DNS user tool allows security teams and researchers to investigate connections between suspicious domains and IP addresses in an instant.

Simon Forster, CEO of Spamhaus Technology said: “It’s a powerful tool for security investigators as well as companies wanting to see who might be abusing their brand online.”

Deteque’s Passive DNS is in beta test phase and GovWare 2018 is the first opportunity for a wider public to see the easy to use web portal which draws on data from the global network of contributors to The Spamhaus Project, a trusted third party collating DNS related data in real time.

Our team will be on-site at the UK Pavilion at GovWare to discuss the latest threat trends as they happen including:

• Global trends in spam and email-borne threats. See the threat dashboard at www.spamteq.com

• Botnet trends and activities globally, what impact they have and what security professionals can do to protect their networks. https://www.deteque.com/live-threat-map/

Spamhaus has a 20 year track record of collating IP and Domain based threat intelligence used to protect against spam, email borne threats and prevent connections to malicious domains.

Spamhaus data is used by the majority of the Internet’s ISPs, email service providers, corporations, universities, governments and military networks, protecting three billion mailboxes globally.

Spam makes up 95% of all email traffic, and email is the most common threat vector used to insert malware and gain network access¹. Spamhaus data sets act as a first line of defence in multi-layered security.

¹UK’s National Cyber Security Centre, April 2017

The Spamhaus team are looking forward to being part of VB2018, in Montreal.

Image: VB2018 logo for Montreal conference

The world’s leading IT security experts, from academia and vendors to non-profits and mega corporations, will gather to share their expertise, ideas, research and predictions.

Date: 3-5th October

Venue: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

One of the Spamhaus Project’s leading threat intelligence research experts will be featuring in VB2018’s ‘Small Talks’: The botnet landscape – live threats and steps for mitigation. From botnets to botnet command and controllers, you will discover up-to-date trends in the botnet threat landscape and recommendations for network security managers, data protection practitioners and CISO/CIOs.

Register for VB2018 here


Spamhaus Technology is delighted to be part of GovWare 2018, at Singapore International Cyber Week.

Image: Logos of GovWare 2018 & Singapore International Cyber Week

GovWare is focused on “Forging a Trusted and Open Cyberspace in 2018”. Attendees will have the opportunity to see the latest trends in technology and implementation, and hear real-life stories from users in the marketplace.

DATE: 18 – 20 Sept

VENUE: Suntec Singapore Convention & Exhibition Centre, Singapore

Spamhaus Technology will be showcasing Deteque’s Passive DNS, which is currently in beta testing.  This tool uncovers patterns of malicious activity across global networks and can assist multiple roles within the cyber security industry, including Penetration Testers, Security Researchers and Brand Protection Specialists.

Connect with us and our reseller, Pipeline Security, at the event to discover how you can protect both your email and networks utilising threat intelligence that has been trusted by the industry for more than 20 years.

Register for GovWare 2018 here