
[project Honey Pot] 1 Billion Spammers Served


george


Got an email from our friends at Project Honey Pot. Some interesting facts I'd like to share with you:

from Project Honey Pot Team <[email protected]>
to George
date Tue, Dec 15, 2009 at 22:09
subject [Project Honey Pot] 1 Billion Spammers Served

Dear George:

On Wednesday, December 9, 2009 at 06:20 (GMT), Project Honey Pot achieved a milestone: receiving its 1 billionth spam message.

The billionth message was a United States Internal Revenue Service phishing scam sent to an email address that had been harvested more than two years ago. More than just a single spam email, the billionth message represents the collective work of you and tens of thousands of other web and email administrators like you in more than 170 countries around the world. Together we have built Project Honey Pot into the largest community tracking online fraud and abuse.

To celebrate this milestone, we sifted through five years of data to learn more about spam and the spammers who send it. As a small token of thanks for your help, we wanted to share some of our more interesting preliminary findings. Click the following link for the Full Report:

http://www.projecthoneypot.org/1_billionth...ssage_stats.php

Highlights include:

- Monday is the busiest day of the week for email spam, Saturday is the quietest
- 12:00 (GMT) is the busiest hour of the day for spam, 23:00 (GMT) is the quietest
- Malicious bots have increased at a compound annual growth rate (CAGR) of 378% since Project Honey Pot started
- Over the last five years, you'd have been 9 times more likely to get a phishing message for Chase Bank than Bank of America; however, Facebook is rapidly becoming the most phished organization online
- Finland has some of the best computer security in the world, China some of the worst
- It takes the average spammer 2 and a half weeks from when they first harvest your email address to when they send you your first spam message, but that's twice as fast as they were five years ago
- Every time your email address is harvested from a website, you can expect to receive more than 850 spam messages
- Spammers take holidays too: spam volumes drop nearly 21% on Christmas Day and 32% on New Year's Day
- And much more.....

We have published it under the Creative Commons Attribution license, so don't hesitate to share anything you find interesting. In the end, we couldn't have gathered this data without you.

Thank you for all your help over the last five years. Here's to wishing you happy holidays and a relatively spam-free New Year.

Sincerely,
The Project Honey Pot Team


Got that too ... I've been a member there for 2 years now.

One more thing besides honeypot

Watch out for this Chinese IP address. It's not a false positive.

Security attacks stopped

Total impact: 36

Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.DescriptionMe.0 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/

Impact: 9 | Tags: xss, csrf, id, rfe, lfi

Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20

Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

Variable: REQUEST.DescriptionMe.1 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/

Impact: 9 | Tags: xss, csrf, id, rfe, lfi

Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20

Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

Variable: POST.DescriptionMe.0 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/

Impact: 9 | Tags: xss, csrf, id, rfe, lfi

Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20

Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

Variable: POST.DescriptionMe.1 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/

Impact: 9 | Tags: xss, csrf, id, rfe, lfi

Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20

Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

REMOTE_ADDR: 123.124.209.65

HTTP_X_FORWARDED_FOR:

HTTP_CLIENT_IP:

SCRIPT_FILENAME: /home/xxxxxxx/public_html/xxxxx.com/join.php

QUERY_STRING:

REQUEST_URI: /join.php

QUERY_STRING:

SCRIPT_NAME: /join.php

PHP_SELF: /join.php

... this security attack finding has nothing to do with honeypot.


Another threat coming up.

Source http://blogs.zdnet.com/security/?p=5119&tag=nl.e58

Adobe confirms PDF zero-day attacks. Disable JavaScript now

Posted by Ryan Naraine @ 9:08 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code...

Tags: Adobe Systems Inc., Adobe PDF, JavaScript, Exploit, Zero-day Bug...


Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe’s ever-present PDF Reader/Acrobat software to hijack data from compromised computers.

According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild.

The company has activated its security response process but declined to offer any more details until an investigation is complete.

Unfortunately, the company did not provide any mitigation guidance for customers.

The folks at ShadowServer describe the situation as “very bad.”

We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad.

Here’s what we know so far:

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

There currently is no patch or update available that completely protects against this exploit.

There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.

In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.


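As an added defender-side example (not part of the ZDNet article, the thread, or any Adobe or ShadowServer code), the Python script below shows why the "obfuscated inside a zlib stream" detail matters for detection. It looks for JavaScript-related PDF tokens in the raw bytes of a file, then inflates every Flate-compressed stream and looks again, and it also undoes PDF name escapes such as /J#53 (a legal spelling of /JS that plain-text signatures miss). The sample PDF it scans is constructed inline and carries only a harmless app.alert call; the indicator list (/JavaScript, /JS, /OpenAction, /AA, /Launch) is a small assumed set, not a complete signature.

```python
import re
import zlib

# Constructed sample, not a real malicious file: a minimal PDF-like byte string whose
# JavaScript action dictionary lives only inside a Flate (zlib) compressed stream, so the
# tokens /JavaScript and /JS never appear in the raw bytes. Only /OpenAction is visible.
def build_sample_pdf() -> bytes:
    hidden = b"<< /Type /Action /S /JavaScript /JS (app.alert\\(1\\)) >>"
    packed = zlib.compress(hidden)
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Regex-based stream extraction is enough for the demo; a real parser honours /Length.
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Assumed indicator set: names that commonly introduce script or auto-run behaviour.
INDICATORS = [rb"/JavaScript", rb"/JS", rb"/OpenAction", rb"/AA", rb"/Launch"]

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name escapes (/J#53 -> /JS), a cheap way to dodge plain-text signatures."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> list:
    """Return the decoded body of every stream that is Flate (zlib) compressed."""
    bodies = []
    for m in STREAM_BODY.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (image data, other filters) or corrupt; skipped here
    return bodies

def find_indicators(data: bytes) -> set:
    """Indicator names present in data, after undoing #xx escapes; \\b stops /JS matching /JSPrefs."""
    data = normalize_names(data)
    return {tok.decode() for tok in INDICATORS if re.search(re.escape(tok) + rb"\b", data)}

def scan_pdf(data: bytes) -> dict:
    """Compare what a raw-bytes signature sees with what is visible only after inflation."""
    raw = find_indicators(data)
    inflated = set()
    for body in inflate_streams(data):
        inflated |= find_indicators(body)
    return {"raw": raw, "inflated": inflated, "hidden_only": inflated - raw}

if __name__ == "__main__":
    result = scan_pdf(build_sample_pdf())
    print("raw bytes:        ", sorted(result["raw"]))
    print("inside streams:   ", sorted(result["inflated"]))
    print("hidden from grep: ", sorted(result["hidden_only"]))
```

On the constructed sample a raw-bytes signature sees only /OpenAction; the action dictionary with /JavaScript and /JS is found only after decompression. The same approach generalises to any stream filter you can decode, and to nested object streams (/ObjStm), which a production scanner would walk recursively.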

NOW BACK TO PROJECTHONEYPOT

WHEN YOU OPEN THEIR STAT LINK IT SAYS RIGHT ON THE FIRST PARAGRAPH

On Wednesday, December 9, 2009 at 06:20 (GMT) Project Honey Pot received its billionth email spam message. The message, a picture of which is displayed below, was a United States Internal Revenue Service (IRS) phishing scam. The spam email was sent by a bot running on a compromised machine in India (122.167.68.1). The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester (74.53.249.34) that is responsible for 53,022,293 other spam messages that have been received by Project Honey Pot.

FROM THE SAME HOST AS 74.53 MY SECURITY SCRIPT RANG THE ALARM BELLS. IT SEEMS AS IF THEY SWITCHED FROM HARVESTING AND SPAMMING INTO BREAKING INTO YOUR DB. I wouldn't even know if our developers hadn't integrated a security script recently. Thanks G-D for the security script writer, whose scripts identified the attacks.

Here is some info from the attacks that get automatically reported (I had hundreds of them within half an hour), which is not connected with Project Honey Pot:

Total impact: 36

Affected tags: xss, csrf, id, rfe, sqli, lfi

Variable: REQUEST.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908&jsessionid#=6e307f32aed41b75522c#lastvisit={ts \'2009-12-06 13:01:46\'}#timecreated={ts \'2009-12-06 12:54:46\'}#hitcount=16#cftoken=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908#cfid=3548901#

Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi

Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23

Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

Description: Detects common comment types | Tags: xss, csrf, id | ID: 35

Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: COOKIE.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908&jsessionid#=6e307f32aed41b75522c#lastvisit={ts \'2009-12-06 13:01:46\'}#timecreated={ts \'2009-12-06 12:54:46\'}#hitcount=16#cftoken=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908#cfid=3548901#

Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi

Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23

Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

Description: Detects common comment types | Tags: xss, csrf, id | ID: 35

Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Centrifuge detection data Threshold: 3.49 Ratio: 3.2307692307692

REMOTE_ADDR: 74.53.3.132

HTTP_X_FORWARDED_FOR:

HTTP_CLIENT_IP:

SCRIPT_FILENAME: /home/xxxxxco/public_html/xxxx.com/index.php

QUERY_STRING: bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}

REQUEST_URI: /index.php?bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}

QUERY_STRING: bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}

SCRIPT_NAME: /index.php

PHP_SELF: /index.php

When I reported it to the host, the abuse department said that they will investigate. Now the question is, since they are seemingly cleared from harvesting and spamming, are they into more serious breaches of law, and how can that happen for such a long period of time, even now with continued and altered attacks coming from the same IP ranges? There are millions out there with basic or no protection of their sites and systems. Now one can figure out the damage.

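The two reports pasted in this thread (the one from 123.124.209.65 against join.php in the earlier reply, and the one from 74.53.3.132 above) share one format, so they can be triaged with one parser. The Python below is an added example, not the poster's script and not code from whatever tool produced the reports (the layout resembles a PHPIDS report, but that is an assumption). It parses the total impact, each flagged variable with its rules, and the request environment, then checks that the per-variable impacts add up to the stated total and de-duplicates payloads: in PHP, $_REQUEST merges GET, POST and COOKIE data, so a value flagged under POST.X or COOKIE.X is scored a second time under REQUEST.X, which is why both reports show a total of exactly twice the distinct impact. The sample input is the first report reassembled inline; the four flagged values are identical, as on the page.

```python
import re

# Report from the earlier reply (REMOTE_ADDR 123.124.209.65), reassembled as sample input.
# All four flagged variables carry this same value.
SPAM_VALUE = (r'SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, '
              r'[link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/')

def _flagged(name, value):
    return (f"Variable: {name} | Value: {value}\n"
            "Impact: 9 | Tags: xss, csrf, id, rfe, lfi\n"
            "Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20\n"
            "Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61\n")

SAMPLE_REPORT = (
    "Total impact: 36\nAffected tags: xss, csrf, id, rfe, lfi\n"
    + "".join(_flagged(n, SPAM_VALUE) for n in
              ("REQUEST.DescriptionMe.0", "REQUEST.DescriptionMe.1",
               "POST.DescriptionMe.0", "POST.DescriptionMe.1"))
    + "REMOTE_ADDR: 123.124.209.65\nHTTP_X_FORWARDED_FOR:\nHTTP_CLIENT_IP:\n"
      "SCRIPT_FILENAME: /home/xxxxxxx/public_html/xxxxx.com/join.php\n"
      "QUERY_STRING:\nREQUEST_URI: /join.php\nSCRIPT_NAME: /join.php\n")

def _tags(s):
    return [t.strip() for t in s.split(",") if t.strip()]

def parse_report(text):
    """Parse one report into total impact, flagged variables (with their rules) and request env."""
    report = {"total_impact": 0, "affected_tags": [], "variables": [], "env": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Total impact:"):
            report["total_impact"] = int(line.split(":", 1)[1])
        elif line.startswith("Affected tags:"):
            report["affected_tags"] = _tags(line.split(":", 1)[1])
        elif line.startswith("Variable:"):
            name, _, value = line[len("Variable:"):].partition("| Value:")
            current = {"name": name.strip(), "value": value.strip(),
                       "impact": 0, "tags": [], "rules": []}
            report["variables"].append(current)
        elif line.startswith("Impact:") and current is not None:
            impact, _, tags = line[len("Impact:"):].partition("| Tags:")
            current["impact"] = int(impact)
            current["tags"] = _tags(tags)
        elif line.startswith("Description:") and current is not None:
            desc, _, rest = line[len("Description:"):].partition("| Tags:")
            tags, _, rule_id = rest.partition("| ID:")
            current["rules"].append({"id": int(rule_id), "desc": desc.strip(), "tags": _tags(tags)})
        elif re.match(r"^[A-Z_]+:", line):  # REMOTE_ADDR:, SCRIPT_FILENAME:, ... (may be empty)
            key, _, value = line.partition(":")
            report["env"][key] = value.strip()
    return report

def triage(report):
    """Consistency check plus de-duplication of payloads scored under more than one superglobal."""
    variables = report["variables"]
    distinct = {}  # (field name without the REQUEST/POST/COOKIE prefix, value) -> impact
    for v in variables:
        field = v["name"].split(".", 1)[1] if "." in v["name"] else v["name"]
        distinct.setdefault((field, v["value"]), v["impact"])
    env = report["env"]
    return {
        "impact_consistent": sum(v["impact"] for v in variables) == report["total_impact"],
        "distinct_payloads": len(distinct),
        "distinct_impact": sum(distinct.values()),
        "rule_ids": sorted({r["id"] for v in variables for r in v["rules"]}),
        "source_ip": env.get("REMOTE_ADDR", ""),
        "behind_proxy": bool(env.get("HTTP_X_FORWARDED_FOR") or env.get("HTTP_CLIENT_IP")),
        "target": env.get("REQUEST_URI", ""),
        "sources": sorted({v["name"].split(".", 1)[0] for v in variables}),
    }

if __name__ == "__main__":
    for key, val in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key:18} {val}")
```

Run against the first report this yields a consistent total (4 x 9 = 36) but only two distinct payloads worth 18, both arriving via POST; run against the second report above it likewise collapses REQUEST.CFGLOBALS and COOKIE.CFGLOBALS into one cookie value. Knowing whether the flagged data came in as a form field or as a cookie, and whether the client sat behind a proxy header, is the first thing worth checking before reporting an address to an abuse desk.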
