STE WILLIAMS

SWARMS of ZOMBIES unleashed on innocent bloggers

Hosting providers are reporting a major upsurge in attempts to hack into blogs and content management systems late last week, with WordPress installations bearing the brunt of the hackers’ offensive.

WordPress installations across the world were hit by a brute force botnet attack, featuring attempts to log in to the administrative interface using a combination of popular usernames (eg, “admin” and “user”) and an array of common passwords. Attacks of this type are commonplace; it is the sharp rise in volume late last week to around three times the normal level, rather than anything technically cunning or devious, that has set alarm bells ringing (example here).


The primary target appears to be WordPress installations but Joomla users also reportedly took a bit of a hammering.

A list of sample WordPress usernames and passwords that have featured in the attack, put together by malware monitoring and cleanup company Sucuri, can be found here.

Early suggestions are that hackers are looking to harvest “low-hanging fruit” as quickly as possible in order to gain access to a bank of compromised sites for follow-up malfeasance, which could be anything from hosting malware to publishing phishing pages or running some sort of denial of service attack. “It’s doorknob rattling, but on an industrial and international scale,” notes Paul Ducklin, Sophos’s head of technology for Asia Pacific.

WordPress founder Matt Mullenweg said that the attack illustrates the need to use a distinct username and a hard-to-guess password, common-sense advice that applies to using web services in general, not just for blog administration.

If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
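The point about a 90,000-address botnet is worth making concrete: a throttling plugin that counts failures per source IP never trips when each bot spends one guess and moves on, while a counter across all sources does. The following detector, written for this page as an added example and not code from WordPress, Sucuri or any plugin mentioned above, runs both approaches over a few constructed combined-format web server log lines (RFC 5737 documentation addresses, not real traffic). It relies on one behaviour of wp-login.php: a failed POST re-renders the form with HTTP 200, whereas a successful login answers with a 302 redirect.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined log format (Apache/nginx); only the fields the detectors need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"])


def failed_logins(lines):
    """Yield (ip, timestamp) for each failed login attempt.

    WordPress answers a bad username/password POST to wp-login.php by
    re-rendering the form with HTTP 200; a successful login is a 302 redirect
    to wp-admin. GETs of the form are not attempts and are ignored.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            yield ip, ts


def per_ip_offenders(lines, threshold=5):
    """What a login-throttling plugin does: flag an IP once it alone reaches `threshold` failures."""
    counts = Counter(ip for ip, _ in failed_logins(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def site_wide_alert(lines, window=timedelta(minutes=1), threshold=20):
    """Count failures from *all* source IPs in a sliding window, so a botnet
    that spends one guess per IP is still visible. Returns
    (failures_in_busiest_window, distinct_ips_in_that_window) when the
    threshold is reached, otherwise None."""
    events = sorted(failed_logins(lines), key=lambda e: e[1])
    start, peak, peak_ips = 0, 0, set()
    for end in range(len(events)):
        while events[end][1] - events[start][1] > window:
            start += 1
        if end - start + 1 > peak:
            peak = end - start + 1
            peak_ips = {ip for ip, _ in events[start:end + 1]}
    return (peak, len(peak_ips)) if peak >= threshold else None


# Constructed sample traffic (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2013:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    # the real administrator logs in: 302, not a failure
    '192.0.2.10 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    # 40 botnet members, one guess each over 40 seconds: no single IP looks noisy
    f'203.0.113.{i} - - [12/Apr/2013:10:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "python-requests/1.2"'
    for i in range(1, 41)
] + [
    # one old-fashioned single-source brute forcer, six guesses in six seconds
    f'198.51.100.9 - - [12/Apr/2013:10:02:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "curl/7.29"'
    for i in range(6)
]

if __name__ == "__main__":
    print("per-IP throttling would block:", per_ip_offenders(SAMPLE_LOG))
    print("site-wide sliding window:", site_wide_alert(SAMPLE_LOG))
```

On the sample, per-IP throttling blocks only the single curl source; the 40 bot addresses each stay below any sane per-IP limit. The site-wide window reports 42 failures from 41 distinct addresses in one minute, which is the signal to act on (raise the alert, require a CAPTCHA or second factor on wp-login.php, or front the login page with HTTP auth) rather than chasing individual IPs.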

Olli-Pekka Niemi, vulnerability expert at firewall firm Stonesoft, outlined the range of possible motives behind the attack.

“A concern of this attack is that by compromising WordPress blogs attackers may be able to upload malicious content and embed this into the blog,” Niemi said. “When readers visit the blogs in question they would then be subject to attack, come under compromise and develop into botnets. The attacks against the WordPress blogs seem to be distributed, with automated attacks coming from multiple sources.”

Matt Middleton-Leal, UK and Ireland regional director of corporate security dashboard firm Cyber-Ark, said hacks on corporate blogs might be used as an access point to hack into other (more sensitive) enterprise systems. Weak passwords need to be changed pronto, he argues.

“Common usernames and weak passwords are extremely risky online, however, the dangers are compounded if users re-use the same login credentials for other sites. Once the bad guys have cracked a username and password, it’s extremely common that they’ll attempt to use the same combination for additional sites in the attempt to fraudulently use accounts, or access information such as credit card details or corporate data.

“If WordPress users have been targeted in this attack, they should immediately seek to change their username and password details for their WordPress account, but also for any other accounts for which they use the same credentials,” he added. ®

Bootnote

Denial of service attacks against US banks in January were powered by compromised WordPress sites rather than malware-infected zombie PCs. The upsurge in attempts to hack into WordPress sites last week could be a prelude to something similar.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/wordpress_zombie_offensive/

Under the microscope: The bug that caught PayPal with its pants down

Security researchers have published a more complete rundown of a recently patched SQL injection flaw on PayPal’s website.

The Vulnerability Laboratory research team received a $3,000 reward after discovering a remote SQL injection web vulnerability in the official PayPal GP+ Web Application Service. The critical, remotely exploitable flaw allowed attackers to inject commands through the vulnerable web app into the backend databases, potentially tricking them into coughing up sensitive data in the process.


The researchers reported the vulnerability to the eBay subsidiary in early January. Vulnerability Laboratory produced a proof-of-concept demo to illustrate its concerns when it reported the vulnerability to PayPal. The payment-processing outfit patched the flaw in late January.

There’s no evidence that the flaw was ever abused, which is just as well since its potential impact was grave, as an advisory by Vulnerability Laboratory (extract below) explains:

The vulnerability is located in the analysis all review module with the bound vulnerable page id parameter listing. When a customer is processing a request for the link to, for example, page 7, the server will include the integer value, not encoded or parsed, in the URL path. Attackers can exchange the integer page with their own SQL statements to compromise the application DBMS and all PayPal accounts.

The second problem is that the server is bound to the main site auth, which allows, after a SQL and DBMS compromise via injection, exploitation of the bound PayPal Inc services. Attackers can access all database tables and columns to steal the GP+ database content and disclose information, deface the website, phish accounts or extract database password/username information.

The vulnerability can be exploited without user interaction but with a low privileged application user account to visit the restricted webpage with a non-expired session. Successful exploitation of the vulnerability results in web application context manipulation via DBMS injection, website defacement, hijack of database accounts via DBMS extract, information disclosure of database content, data loss or full DBMS compromise.

Benjamin Kunz Mejri of Vulnerability Laboratory led the research into the flaw. The advisory suggests that the vulnerability could be patched by a “secure parse of the page parameter request when processing to list via GET method” combined with changes to prevent the display of errors. It’s unclear if PayPal followed this approach or identified a different way to nuke the flaw.
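The bug class is simple enough to show side by side. The snippet below is an added example for this page, not Vulnerability Laboratory's proof of concept and not PayPal's code; the schema, table names and rows are constructed, and SQLite stands in for whatever DBMS the GP+ service actually used. The vulnerable listing splices the page number from the URL into the query text, so a UNION appended to the number pulls rows out of an unrelated table. The hardened listing does what the advisory recommends: parse the parameter strictly as an integer, bind it rather than concatenating it, and keep database errors off the response.

```python
import re
import sqlite3


def build_demo_db():
    """In-memory stand-in for a review listing backed by a database.
    Every table and row here is constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE reviews (id INTEGER PRIMARY KEY, page INTEGER, title TEXT, body TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO reviews (page, title, body) VALUES
            (1, 'Review 1',  'on page one'),
            (7, 'Review 13', 'on page seven'),
            (7, 'Review 14', 'on page seven');
        INSERT INTO users (username, password_hash) VALUES
            ('alice', 'hash-of-alice'),
            ('bob',   'hash-of-bob');
    """)
    return conn


def list_reviews_vulnerable(conn, page):
    """The anti-pattern the advisory describes: the page value lifted from the
    URL path is concatenated into the SQL text, so anything that is not a
    bare integer becomes part of the statement."""
    sql = f"SELECT title, body FROM reviews WHERE page = {page} ORDER BY id"
    return conn.execute(sql).fetchall()


# A positive integer of sane length; anything else is not a page number.
PAGE_RE = re.compile(r"[1-9][0-9]{0,5}")


def list_reviews_hardened(conn, page):
    """Validate the parameter to an integer, then bind it; the value can never
    change the shape of the statement. Database errors are not echoed back."""
    if not PAGE_RE.fullmatch(str(page)):
        raise ValueError("page must be a positive integer")
    try:
        return conn.execute(
            "SELECT title, body FROM reviews WHERE page = ? ORDER BY id", (int(page),)
        ).fetchall()
    except sqlite3.Error:
        # log the real error server-side; give the client nothing to learn from
        return []


# What an attacker substitutes for "7" in the path; the trailing "--" comments
# out the remainder of the original statement (ORDER BY id).
INJECTED_PAGE = "7 UNION SELECT username, password_hash FROM users --"


def hardened_rejects(conn, page):
    """True if the hardened listing refuses the value instead of running it."""
    try:
        list_reviews_hardened(conn, page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print("legitimate page 7:", list_reviews_hardened(db, "7"))
    print("vulnerable, injected:", list_reviews_vulnerable(db, INJECTED_PAGE))
    print("hardened rejects injection:", hardened_rejects(db, INJECTED_PAGE))
```

Run against the injected value, the vulnerable function returns the two page-7 reviews plus both rows of the users table, which is exactly the "access all database tables and columns" outcome the advisory warns about. The hardened function never reaches the database for that input. Note that the allow-list check alone is not the fix; binding the parameter is what makes the query safe, and the check just turns a would-be attack into a clean 4xx instead of a stack trace.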

PayPal issued a brief and bland statement confirming that the flaw was “not impacting our website” at the time the payout for the vulnerability became public in late January. PayPal declined El Reg‘s invitation this week to comment on Vulnerability Laboratory’s updated advisory. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/15/paypal_sql_injection/

FAA: ‘No, you CAN’T hijack a plane with an Android app’

Aviation officials have taken a skeptical view of claims that it’s possible to hijack a commercial aircraft using a smartphone, with both the US Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA) issuing statements to the effect that it simply couldn’t happen.

On Wednesday, Spanish security researcher Hugo Teso gave a presentation at the Hack in the Box conference in Amsterdam in which he claimed he had developed an Android app that could allow him to take control of an airplane by feeding misinformation into its in-flight communications systems.


Hardly, said the FAA in a statement to news agencies on Thursday.

“The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer,” the agency wrote, making something of a muddle of the facts.

The statement went on to explain that although Teso may have been able to exploit aviation software running on a simulator, as he described in his presentation, the same approach wouldn’t work on software running on certified flight hardware.

“The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot,” the FAA’s statement explained. “Therefore, a hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed.”

Iowa-based Rockwell Collins is one of the companies that makes the kind of aviation systems that Teso alleged to have pwned in his research, and in a statement obtained by Forbes, it concurred with the FAA’s conclusions.

“Today’s certified avionics systems are designed and built with high levels of redundancy and security,” a company spokesman said. “The research by Hugo Teso involves testing with virtual aircraft in a lab environment, which is not analogous to certified aircraft and systems operating in regulated airspace.”

The EASA chimed in with a statement of its own, saying, “For more than 30 years now, the development of certifiable embedded software has been following strict guidance and best practices that include in particular robustness that is not present on ground-based simulation software.”

Doubtless there will still be some Reg readers thinking, “Ah, but they would say that, wouldn’t they?” So take it from writer and airline pilot Patrick Smith, author of the Ask the Pilot blog, who explains that even if it were possible to override an aircraft’s systems remotely, it probably wouldn’t matter:

The problem is, the FMS … does not directly control an airplane the way people think it does, and the way, with respect to this story, media reports are implying. Neither the FMS nor the autopilot flies the plane. The crew flies the plane through these components. We tell it what to do, when to do it, and how to do it. Whatever data finds its way into the FMS, and regardless of where it’s coming from, it still needs to make sense to the crew. If it doesn’t, we’re not going to allow the plane, or ourselves, to follow it.

Incidentally, Smith has spent much of his writing career debunking scare stories about aircraft and aviation, which he says crop up far too often.

“Commercial aviation is a breeding ground of bad information,” Smith writes in his blog’s About page, “and the extent to which different myths, fallacies, wives’ tales and conspiracy theories have become embedded in the prevailing wisdom is startling.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/13/faa_debunks_android_hijack_claim/

New York cops testing Big Brother crime-data Android app

Watch out, crooks! The New York Police Department is trying out a new weapon in the war on crime – namely, putting its own intelligence in the hands of patrol officers.

As The New York Times reports, the NYPD has issued around 400 specialized Android smartphones to officers as part of a pilot program begun last summer.


The phones – somewhat inaptly named, since they can’t actually make phone calls – give beat cops instant access to a variety of law enforcement databases, arming them with an array of information that you probably thought they had already.

Example? Let’s suppose an officer detains a suspicious character. You’d imagine that the suspect’s past criminal record would be useful information to have, no? Sorry – with the traditional radio-based system, that kind of data just isn’t available.

“Our dispatcher will tell us if they have a warrant or not but it’s a simple yes or no answer,” Officer Tom Donaldson told the NYT. “I don’t know if the guy is wanted for murder or for not paying a parking summons. We rarely know.”

All of that changes with the NYPD’s new smartphone app. For the first time, patrol officers have wireless access to suspects’ criminal histories, mug shots, Department of Motor Vehicles records, and more.

In one case, Officer Donaldson said, an officer was able to call up a memo explaining that a particular suspect was known to police to carry crack cocaine “in his left sock.”

The app can even cross-reference evidence databases – letting officers know whether an individual has been a victim of a crime, for example, or has been in a car accident.

“They can’t tell me a lie because I know everything,” Officer Donaldson said.

And that’s just the information that’s available on one person. When officers enter a street address, a veritable cornucopia of data becomes available.

For a single apartment building, the app will tell officers which residents have criminal records, which have open warrants, which are on parole, which are registered gun owners, and which have been involved in domestic violence calls – all with photos, when available.

It will tell them how many arrests have taken place in the building recently, for which crimes, and on which floors. It will even tell them the locations of any surveillance cameras in the area, whether they are located in the building itself or at a business across the street.

“You can see that in this one 14-story building there are thousands and thousands of records,” Officer Donaldson said.

Officers already had access to some of this information via laptops mounted in their patrol cars. But those devices get their connectivity from New York City’s government-dedicated wireless network, which can be slow and spotty compared to modern, public mobile data networks.

What’s more, the in-car systems can’t cross-reference multiple databases the way the smartphone app does. Officers must log in and query each database separately.

The NYPD isn’t the only police department looking to modernize its information infrastructure. In June 2012, San Francisco Mayor Ed Lee and San Francisco Police Chief Greg Suhr announced a similar project aimed at creating a mobile version of the SFPD’s Crime Data Warehouse, in partnership with HP and app development studio ArcTouch.

But while such systems show great promise for law enforcement, they also bring new worries. Donna Lieberman of the New York Civil Liberties Union told the NYT that she was concerned that the NYPD’s new app might “become a vehicle to round up the usual suspects, to harass people.”

Here at El Reg we had another thought: Just what happens when one of these devices is lost or stolen? Or, what might one cost to buy? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/12/nypd_android_app/

‘You can keep it’

A British animator who used tracking software to trace his stolen laptop to Iran has apologised to its “innocent new owners” after pictures of them were splashed all over the internet.

Dom Del Torto’s Macbook Pro was nicked from his London flat in February and he was able to watch its 3,000 mile odyssey to the Islamic Republic using a program called Hidden App, which beams the laptop’s location back to its owner along with desktop screenshots and pictures from the built-in camera.


In March, he began posting details of the laptop’s journey onto his tumblr account, titled “Dom’s Laptop is in Iran” along with snapshots taken by the laptop’s camera – some of which included pictures of its new owners.

But they have now been in touch with him asking him to take the pictures down from his site, which he has duly done. However, the many other websites and news outlets which published the snaps might not be so forthcoming.

Dom has now taken down all pictures of the new owners, who were shown in a rather squalid-looking flat with no windows, and said they can keep the laptop by way of apology.

In a blog post today, he wrote: “The innocent new owners of my laptop have been in touch and are mortified about the story and are keen to return the laptop.

“Given the huge error of judgment on my part in sharing the story and failing to respect their privacy I have asked them to keep it by means of an apology.”

Dom decided to blog about the travails of his Macbook after police dusted his house for fingerprints and drew a blank. He decided that the only way to get it back was to take vigilante action using Hidden App. But he didn’t realise how popular the story would become.

He added: “I decided to share the data the laptop recovered on this Tumblr blog as an amusing story for my friends to enjoy.

“It seemed to me that a laptop that went missing from London and turned up in Iran was like a space probe landing on a distant planet and beaming back proof of intelligent life.

“As the story circulated, I started to receive messages from concerned individuals warning of privacy concerns and the possible harm and distress the blog may cause the people in the photos.

“I hadn’t really considered any of this, as I hadn’t expected the story to get so much attention. So I hid the identity of the people in the photos.

“Then one of the people in the photos contacted me and asked me to remove the pictures. They were very upset. I could understand why.

He concluded: “The people shown on the blog site are not thieves.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/12/stolen_laptop_iran/

Windows 7 ‘security’ patch knocks out PCs, knackers antivirus tools

Windows 7 users should uninstall a security patch Microsoft issued on Tuesday because some PCs failed to restart after applying the update.

The software giant advised users of Win 7 and Windows Server 2008 R2* to roll-back a patch within MS13-036, a security update that closed two vulnerabilities in the Windows file system kernel-mode driver. Exactly how one nukes the wobbly patch is explained here.


The advice follows complaints that after applying the update computers would either fail to restart or applications would not load. Users who experienced problems were sometimes confronted by “fatal system error” warnings on start up, as illustrated by Sophos here.

In a post on Microsoft’s Security Response blog, Redmond blamed the glitch on conflicts with third-party software:

We are aware that some of our customers may be experiencing difficulties after applying security update 2823324, which we provided in security bulletin MS13-036 on Tuesday, April 9. We’ve determined that the update, when paired with certain third-party software, can cause system errors. As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports, and have since removed it from the download centre.

Contrary to some reports, the system errors do not result in any data loss nor affect all Windows customers. However, all customers should follow the guidance that we have provided in KB2839011 to uninstall security update 2823324 if it is already installed.

The buggy patch causes, among other headaches, Kaspersky Anti-Virus for Windows to display a message claiming its user licence is invalid, implying that the PC is unprotected from malware nasties. Other reports suggest that some machines have been thrown into a continuous reboot cycle: Win 7 PCs in Samba-loving Brazil are apparently hardest hit.

Problems of this type are rare but not unprecedented. Redmond has withdrawn patches before. Microsoft’s security gnomes also deserve credit for quickly determining there was a problem before the vast majority of corporates rolled out the problematic patch.

The dodgy fix, numbered 2823324, addresses a “moderate” privilege elevation flaw. Redmond has removed it from the MS13-036 update, which just leaves security update 2778344, also a privilege elevation fix that is rated as important. ®

* Both OSes are related, code-wise.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/12/ms_buggy_fix_roll_back/

Malware-flinging Winnti crew has been RIPPING OFF gaming firms for YEARS

Security researchers have discovered an active cyber-crime campaign that targets online gaming companies worldwide.

According to Kaspersky Lab, the Winnti crew has been attacking companies in the online gaming industry since 2009, stealing digital certificates signed by legitimate software vendors in addition to intellectual property, including the source code of online game projects.


The whole caper is arguably the best large-scale example of traditional profit-motivated cybercrooks using techniques first developed and refined by state-sponsored cyber-espionage groups. The same techniques have been used by government-sponsored cyberspook attacks against military contractors, IT firms such as Google and Apple, human right activists, smart-grid tech providers, governments and the rest.

Kaspersky researchers first came across Winnti malicious activities in the autumn of 2011, when a malicious Trojan was detected on a large number of end-user computers worldwide. Infected computers were linked by the fact that victims were fans of a popular (unnamed) online game.

Soon afterwards it emerged that the malware used in the attack was spread as part of a regular update from the gaming company’s official server.

After the dust settled, it later emerged that malware was installed on the players’ computers by accident, and the cybercriminals were actually targeting the video game company. Kaspersky Lab researchers were called in to investigate the outbreak.

The Trojan turned out to be a DLL library compiled for a 64-bit Windows environment and signed with a digital certificate. The malware – which gave its controllers backdoor access to and control of the infected machines – was the first of its type to carry a valid digital signature.

And the digital signature involved belonged to another video game vendor – a private company known as KOG, based in South Korea – and not the primary victim of the attack.

Subsequent analysis over many months by Kaspersky Lab’s experts unearthed evidence that the Winnti group had hit more than 30 companies in the video games industry. The majority of victims were located in South East Asia. However, online gaming companies located in Germany, the US, Japan, China, Russia, Brazil, Peru, and Belarus were also hit by the Winnti group.

The group’s main modus operandi involved stealing digital certificates which it then used to sign malware in future attacks against other targets.

These digital certificates appeared to have been used in attacks organised by other hacking groups, presumably located in China, according to Kaspersky Lab researchers.

For example, in an attack against South Korean social networks Cyworld and Nate in 2011 the attackers used a Trojan that was digitally signed using a certificate from YNK Japan, a video game outfit.

Another YNK-signed digital certificate was abused last month in Trojans deployed against Tibetan and Uyghur activists.

The Winnti group turns a dishonest profit by selling stolen certificates to other groups and looting in-game currencies and selling them for real money. This activity was facilitated by the use of “stolen source code from online game servers to search for vulnerabilities inside games to augment and accelerate the manipulation of in-game currency and its accumulation without suspicion”. The crooks even used stolen source code to run versions of the games from their own pirated servers, according to Kaspersky Lab.

The Winnti group remains active and Kaspersky Lab’s investigation is ongoing. Experts from the Russian security firm are working with the IT security community, online gaming industry and certificate authorities to identify additional infected servers. Meanwhile stolen digital certificates are being identified and revoked. In addition, Kaspersky Lab has added detection for strains of Trojans and rootkits associated with the Winnti crew’s villainy in its security software.

Kaspersky Lab’s blog post explaining its investigation into the Winnti crew can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/11/video_game_cyberespionage/

Check Point bakes anti-malware tech into firewall bricks

Check Point is baking in cyber-espionage defences to its enterprise firewall and gateway security products with the incorporation of sandbox-style technology.

“Threat emulation” software blades for Check Point firewalls will be available later in Q2 2013 and will add to other threat prevention layers, such as anti-virus and anti-bot technology launched last year. All of these technologies were developed in-house.


The latest strains of malware are designed to “switch off” if they detect that they are running in a virtual machine, as a means to thwart security analysis. Tomer Teller, a security strategist at Check Point, said that the emulator technology it’s developing is much harder to detect than a virtual machine.

The threat emulation technology carries out both static and dynamic analysis to figure out if a file is changing registry settings, altering other files or attempting to connect with blacklisted servers, among other things, before deciding if it ought to be blocked and quarantined.

Prior to putting the technology into its security appliances, Check Point has set up a microsite where files can be uploaded for emulating and checking.

Corporate defenders might appear to be hopelessly outfoxed by the latest generation of cyber-attacks, featuring custom malware and spear-phishing. However, Teller was bullish that IT vendors such as Check Point were coming up with technology capable of “detecting and mitigating” advanced malware attacks.

Even if the initial infection occurs, it might be possible to isolate compromised systems, prevent an attacker accessing corporate resources or extracting sensitive information.

“If you can break one of the layers of an attack then the whole attack fails,” Teller told El Reg.

Check Point also owns the Zone Labs line of personal firewall and security suite products but Gabi Reish, head of product, said the only safe assumption in corporate security was to assume that an end-point might be compromised and to design corporate defences appropriately. The anti-bot blade incorporated in Check Point’s gateways is designed to block malware-infected zombies from phoning home.

The forthcoming threat emulation and existing anti-bot and anti-virus blades fit in with the “razor-and-blade” model introduced by Check Point in 2009. The Israeli firm’s security appliances and gateways are the “razors”, while the “blades” are the software that customers buy and use to deliver different types of network protection. For example, the App Control Blade controls social media apps, while the Mobile Access Blade secures employees’ smartphones and tablets.

Check Point is pushing this technology and approach down to SMEs with the launch of its new 1100 Appliances. The kit, designed for branch and remote offices with up to 100 users, offers 1.5 Gbps of max firewall throughput and 220 Mbps of max VPN throughput.

Check Point is also offering the Software Blade Architecture on low-end kit for the first time. 1100 Appliances, launched at Check Point’s (CPX) user conference in Barcelona earlier this week, start at $599.

Multi-layered protection options include: Firewall, VPN, IPS (intrusion prevention system), application control, mobile access, Data Loss Prevention, anti-bot, identity awareness, URL filtering, anti-spam and anti-virus.

All but standard components cost extra but customers benefit from flexibility while Check Point resellers gain a better opportunity to sell extra add-ons. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/12/check_point_threat_emulation/

AVG: That World of Warcraft hack? RIDDLED with malware

A new cross-platform security product that covers desktops, smartphones and tablets is likely to be a key area of development for desktop freebie virus-scanner firm AVG during 2013.

AVG is best known for its free anti-virus scanner for Windows PCs, but over the years it has broadened its range to include more functional PC security software suites for consumers as well as paid-for and freebie security products for smartphones.


Separately, AVG released research on Thursday which found that 90 per cent of game hacks are infected with malware. World of Warcraft, League of Legends, Runescape, World of Tanks and Minecraft gamers are targeted by cybercrooks pushing malware posing as game hacks, such as easy access to advanced in-game weaponry and other premium items. It warned punters: “Next time you are sick of grinding on Azeroth and thought about downloading gold hacks to save time or if you’ve been tempted to download the latest title from a torrent or file sharing site to save money, think again.”

Free Windows Phone ‘Family Safety’ scanner

The canny AV firm now appears to be following its users from PC onto mobile. AVG launched a Family Safety mobile application for Microsoft Windows Phone 8 devices on Thursday. The application uses data from AVG’s Linkscanner technology to block blacklisted websites. By using URL filters the suite prevents access to inappropriate content, such as pages featuring violence, drugs or pornography.

The software – aimed at protecting children while they surf the web – was released through the Windows Phone marketplace and comes at no charge – in common with security products from AVG previously only available for Apple devices and Windows Phone 7.5.

John Giametteo, chief operating officer at AVG, said that mobile has become the biggest growth driver for the firm. AVG had 26 million active users on mobile by the end of 2012 out of a total user base of 146 million active users. Giametteo said AVG wanted to give customers a “common user experience” across PC, tablet and smartphone.

One way to deliver this might be through a cross-platform product that offers a mix-and-match approach, so that users would be able to select AVG for Android and PC, or the equivalent product for Apple Mac and iPhone, all through the same portal and myAVG account.

The idea, an extension of existing offers to AVG users to try its latest mobile security products, is still in the early stages of development – and thus subject to change or cancellation. What isn’t in doubt is AVG’s interest in offering products that defend against the growing wave of Android malware.

Giametteo said that as an open-source platform Android was “particularly susceptible” to malware, while arguing that privacy concerns and safe web browsing were an issue for any smartphone use. Hence AVG’s decision to develop mobile security products for iPhones and Windows Phone 8.

Even Android users, who are on the frontline of mobile malfeasance, are often unaware about mobile security and privacy threats, according to Giametteo. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/12/avg_unified_security/

Rotten spam causing more infections than ever – study

Anti-spam tools have evolved to a degree where many of us hardly see much spam anymore. But when we do, the threat posed by those messages is greater than it has ever been, according to a new report from independent security firm AV-Test.

The report, entitled “Spam – More Dangerous than Ever Before,” was based on an 18-month study conducted between August 2011 and February 2013, in which AV-Test harvested and analyzed some 550,000 spam emails.


As in the past, the vast majority of those messages contained fraudulent offers for counterfeit products, such as bogus pharmaceuticals. Being ripped off is the main risk there, not to mention phishing.

But around 2.5 per cent of the spam being sent today serves a different, darker purpose, the report claims – namely, spreading malware.

Certain types of spam emails are especially dangerous. Of the 30,000 spam messages AV-Test analyzed that contained attachments, over 10,000 of them – nearly a third – were infected with malware.

The file formats used to deliver the payloads were mostly the usual suspects. ZIP attachments and executable formats such as EXE and PIF were almost always infected, as were 80 per cent of HTML documents sent as attachments. PDF and image attachments were occasionally found to contain exploits, too.

Less prevalent, but much harder to spot, were messages containing links to websites that spread malware. Only around 1 per cent of the spam that included URLs contained such links, but such messages are often indistinguishable from those containing more benign links.

But not all spam is created equal. In particular, country of origin matters when determining whether a message is likely to contain malware.

As with other studies, AV-Test found that the majority of all spam sent originates in the United States, including spam messages containing attachments. But only 15 per cent of spam attachments sent from the US were actually malware, compared to 30 per cent globally.

On the other hand, spam attachments sent from India were infected 78 per cent of the time, while runner-up Vietnam sent attachments that were infected 77 per cent of the time.

Predictably, nearly all of the spam analyzed was sent by PCs that were remotely controlled by botnets. What may be surprising, however, is that some 25 per cent of these spambots only operated Monday through Friday.

According to AV-Test, that indicates they were located in offices, where PCs were switched off over the weekend – “even in Germany!” the German firm breathlessly reports, though it hastens to add that Teutonic spam was less likely to contain malware.

So what’s to be done about all this? The usual cautions apply. Incoming email should be filtered for spam, and PCs should have good antivirus software installed to prevent infection by Trojans and rootkits, should an infected message happen to get through.

In addition, the AV-Test report notes that the German government and an association of local businesses have created a website containing links to tools that can help users check whether their PCs belong to a botnet. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/11/spam_more_dangerous_than_ever/