"Ed," a retired spammer, built a considerable fortune sending e-mails that promoted pills, porn and casinos. At the peak of his power, Ed says he pulled in US$10,000 to $15,000 a week, storing the money in $20 bills in stacks of boxes.

It was a life of greed and excess, one that preyed especially on vulnerable people hoping to score drugs or win money gambling on the Internet. From when he was expelled from high school at 17 until he quit his spam career at 22, Ed -- who does not reveal his full name but sometimes goes by SpammerX -- was part of an electronic underworld profiting from the Internet via spam.

"Yes, I know I'm going to hell," said Ed, who spoke in London on Wednesday at an event hosted by IronPort Systems Inc., a security vendor now owned by Cisco Systems Inc. "I'm actually a really nice guy. Trust me."

A quick-witted and affable guy who wears an earring and casual clothes, there was a time when Ed wasn't so nice. He sent spam to recovering gambling addicts enticing them to gambling Web sites. He used e-mail addresses of people known to have bought antianxiety medication or antidepressants and targeted them with pharmaceutical spam.

In short, Ed said he was "basically what people hate about the Internet."

He spent 10 hours a day, seven days a week studying how to send spam and avoid filtering technologies in security software designed to weed out garbage e-mail. Most spam filters are effective 99 percent of the time; he aimed for that remaining window, using tricks such as including slightly different images in his spam, which can fool filters into thinking the e-mail is legitimate.

"The better I got at spam, the more money I made," Ed said.

He would start a spam run by finding an online merchant who wanted to sell a product. Then he'd acquire a list of e-mail addresses -- another commodity that has spawned its own market in the world of spam. He'd also set up a domain name, included as a link in a spam message, that, if clicked, would redirect the recipient to the merchant's Web site, enabling Ed to get credit for the referral.

The spam would then be sent from a network of hacker-controlled computers, called botnets. Those machines are often consumer PCs infected with malicious software that a hacker can control. Ed would "rent" time on those computers from another group of hackers that specialized in creating botnets.

If one of the spam recipients bought something, Ed would get a percentage of the sale. For pharmaceuticals the commission was around 50 percent, he said.

Response rates to spam tend to be a fraction of 1 percent. But Ed said he once got a 30 percent response rate for a campaign. The product? A niche type of adult entertainment: photos of fully clothed women popping balloons.

To track the money, merchants set up a "referral sales page" where spammers can see how much they make from a spam run. Ed would log in frequently, watching the money increase. He was paid into electronic payment transfer accounts, such as e-gold or PayPal, or into his debit card account, which he could cash out in $20 bills.

That became problematic when the cash became voluminous. He says he made $480,000 his last year of spamming. But the lifestyle of being a spammer was taking a toll. In essence, he had no life.

It's hard to go into a bar and explain your job to a woman by saying "I advertise penis enlargement pills online," Ed said. "It doesn't go down very well."

He rationalized his actions by saying spamming is not like robbing someone, although the lurid impact of spam was clear. Some nine million Americans have some dependence on prescription drugs, Ed said, and he noticed that the same people were buying different drugs each month. "These were addicts," he said.

Additionally, "the product is always counterfeit to some degree. If you're lucky, sometimes it's a diluted version of the real thing," he said. Viagra is cut with amphetamines, and homemade pills are common from sketchy labs in countries such as China, India and Fiji, Ed said.

So Ed got out of the business. He's written a book, "Inside the Spam Cartel: Trade Secrets from the Dark Side," which he said has had some take-up in law enforcement circles eager to learn more about the spam business, which he projects will only get worse.

As broadband speeds increase, spammers will increasingly look to market goods by making VOIP (voice over Internet Protocol) calls or sending out videos, Ed said. The ultimate unsolvable problem is users, who continue to buy products marketed by spam, making the industry possible.

"I think in 10 years we'll still get spam," Ed said. "Be prepared to be bombarded."

http://www.pcworld.com/article/id,134721-page,1/article.html

Hackers Use Brazilian Tragedy to Push Malware

Spam exploiting the deadly airplane crash in Sao Paulo lures readers to a malicious Web site.

Gregg Keizer, Computerworld

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved

http://www.pcworld.com/article/id,134751-page,1/article.html

If Las Vegas is a place to expose all, then that notion worked for the security experts who spent two days here at the Black Hat Conference laying bare the security weaknesses of everything from VOIP, to rootkits, and cell phones.

For the roughly 3,700 attendees who packed the conference held at Caesar's Palace, it was a walk on the wild side as some security practitioners shed their reserve and gloried in the naked truth that the computer systems in use today are pretty much just putty in the hands of a good hacker. At one session, speaker Nick Barbour, senior consultant at security services firm Mandiant, went so far as to educate his audience on how to write better malware.

"Being able to find more clever malware that can evade forensics will "make my job more interesting," said Barbour, who gave a presentation titled "Stealth Secrets of the Malware Ninjashe." Barbour went on to describe in detail techniques for Live System Anti-Forensics, Windows hook injection mechanisms, Library Injections and more that he assured his listeners could take evasive malware to a new level. "This talk is mostly about evil."

Much in keeping with the theme of Black Hat, where honesty is not the best policy but the only policy, iSec Partners security experts Himanshu Dwivedi and Zane Lackey took the stage to deliver the bad news: VOIP systems based on H.323 and the Inter Asterisk eXchange (IAX) protocols can be fairly easily compromised and brought down.

"There are a lot of known problems with SIP," said Dwivedi, principal partner at iSec, referring to the VOIP Session Initiation Protocol. "But we are here to say H.323 and IAX are just as bad."

In case anyone doubts their revelations about how weak authentication and authorization design in H.323 and IAX can let attackers compromise VOIP systems and launch denial-of-service (DoS) attacks, they have made available exploit tools on the iSec Partners Web site to prove their claims.

Returning to Black Hat to take up the theme of virtualization rootkits, Joanna Rutkowska, the noted expert who brought the topic to worldwide attention last year with her virtualization rootkit malware called "Blue Pill," acknowledged that researchers are getting closer to detecting her creation. At the end of her technical presentation, she announced she was posting Blue Pill --and its nested hypervisor variant New Blue Pill -- for general download.

That evoked some concern at Symantec, which had been begging her to share a Blue Pill sample prior to the conference because Symantec, Matasano Security and Root Labs are teaming on a project to detect virtualization malware, and the only virtualized malware they had tested was on something they already had in hand, Vitriol, created by researcher Dino Dai Zovi.

"We think it's actually quite dangerous to release code like that to the public," said Oliver Friedrichs, director of Symantec's Security Response division, about the release of Blue Pill. While the stealthy Blue Pill is intended for research purposes only, Symantec anticipates it could quickly become a new attack vector. He said there were no plans to release Vitriol, a similar type of virtualization rootkit.

Hacker techniques for DoS and botnet attacks are making their way into social conflicts, such as the cyber attacks that occurred earlier this year against Estonia, a small nation of 1.3 million people with a well-developed Internet-based e-commerce and Web infrastructure.

Estonia saw its banking and government Web sites electronically fired on in late April and May. The electronic DoS attacks, coupled with what one investigator says was a custom-built botnet designed to disrupt Estonian home and business networks, came as tensions between Russian nationalists and Estonians spilled over into street riots in the nation's capital.

"I tried to understand both sides," said Gadi Evron, the well-known botnet hunter who works for Beyond Security and also the Israeli Computer Emergency Response Team (CERT), who says he was invited by the Estonian CERT to help with defense and analyzing the aftermath of the event, which some are calling the "first Internet war."

Evron, who said during his Black Hat presentation that he wouldn't use that term but it was a cyber-conflict, said the current analysis done with Estonian officials indicates the first wave of DoS attacks against specific Web sites may have been triggered by the "Russian blogosphere" where angry Russian speakers urged use of attack tools to Ping Web sites. "They provided a tool for the entire population to use," Evron said.

The second phase of the attacks a few weeks later saw something more sinister. "One attack was launched by specifically crafted bots," Evron said. "The attack target was hard-coded into the source."

These hard-coded bots, designed to attack specific Estonia Web sites, were dropped onto home computers in Estonia, basically making Estonian home computers the source of attacks on their own country's infrastructure. In the aftermath, analysts are now trying to figure out whether the attack was simply energetic hacktivists, or something even darker, like a coordinated attack by the Moscow Kremlin, something the Russian government has fiercely denied.

"Who is behind the attacks" Evron said, answering with some wry humor, "The KGB. But that doesn't exist anymore."

While the old Soviet Union's KGB secret security service technically no longer exists, it's hard to forget its style. "OK, the KGB no longer exists," Evron said. "I can't tell if it was something random from the blogosphere or a planned attack." But he added: "I find it hard to believe it was a mere epidemic."

Several signs point to a well-organized plan with attack events commencing at virtually the same time. "The Russian-language blogosphere was updated periodically with new attack instructions," he noted. "It was adjusting and responding to the defensive actions of Estonia."

Evron noted that this style of Internet-based information battles are likely to be part and parcel of future conflicts, where adversaries turn the citizens' computers and networks against them.

Not all the news was bad at Black Hat.

For instance, at least we can take comfort in the fact that cell-phone and smartphone viruses still constitute a minute proportion of the hundreds of thousands of overall computer viruses, with only 373 distinct phone-based specimens to worry about so far.

That's according to Mikko Hypponen, chief research officer at F-Secure, whose Black Hat presentation vividly demonstrated how some of those phone viruses can attack phones via Bluetooth wireless and other means.

Most phone-based viruses are targeting Symbian platform phones today, said Hypponen, though he guessed that would shift more toward Windows Mobile and the iPhone. Cell-phone virus writers today largely just remain malicious pranksters who write malware to disrupt phone use, he pointed out.

So far there's little indication that these virus writers are turning into the kind of money-loving types who write malware for PCs today mainly to make a buck. Nor has the type of malware hitting PCs these days, such as rootkits or viruses that replicate over e-mail, yet been seen, "and we haven't seen anything that we couldn't clean and get out of a phone," Hypponen concluded.