Saturday, October 27, 2007

Gozi Trojan Antispam String

I posted to my work blog a little ditty about detecting the Gozi stuff circulating now, after noticing that only one variation of the PDF was hitting a more general detection mechanism, over and over again. This is further proof, at least to me, that the run-of-the-mill mass attacker still doesn't give a whit about evasion -- they're after people with no security mechanisms in place, so having merely okay security is usually enough to cut out the malicious background noise.

The hypothetical (and sometimes real) "dedicated" or "focused" attacker is another story entirely, of course. But the people behind Gozi aren't in that category, and they won't be until an overwhelming fraction of everyone has some kind of inspection (antispam, IPS, filtering proxy, network AV, etc) in place.


Thursday, October 18, 2007

Storm Bandwidth Resale

CNET is running a surprisingly insightful article about the current state of the global malware/spam delivery system known as the Storm Worm Botnet. I don't want to spoil the ending or anything, but the Storm network is really pretty advanced. If you haven't read Shockwave Rider by now, you probably ought to in order to appreciate what the global network is going to look like when Storm and its descendant applications control everything.
