Spamming Trojan "Proxy Guzu" 251

A user writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (ie disguised as something else so you'll run it.) It then sends an email to a Hotmail email account reporting the IP address of the infected machine and port it's running on. The spammer then merely transmits spam to the infected machine which in turn forwards it on. There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."
  • Uhh (Score:4, Insightful)

    by cscx ( 541332 ) on Sunday April 27, 2003 @11:12AM (#5819477) Homepage
    Hotmail disables said account. Case closed...?
    • Re:Uhh (Score:4, Insightful)

      by fidget42 ( 538823 ) on Sunday April 27, 2003 @11:14AM (#5819484)
      After the spammer harvests IP addresses of newly opened relays. Case is still open...
      • by cscx ( 541332 )
        Assume they're a limited number of users. If they have a virus scanner it will be rounded up in the next batch of scans, hopefully.
        • "Assume they're a limited number of users. If they have a virus scanner it will be rounded up in the next batch of scans, hopefully."

          Assume some of those billions of dollars of homeland security money is actually being spent at the FBI, instead of squandered on kickbacks, the spammers will hopefully be rounded up in the next bunch of scans and executed.

          When the direct marketing industry resorts to cracking computers, these people need to be taken out of contact with the internet. If only the FBI spent as
    • Re:Uhh (Score:2, Interesting)

      by Anonymous Coward
      If I were going to design this, I would make it look up freshly posted email addresses on some public forum that I had cleverly and anonymously posted, rather than some single fixed address. That way when the first one gets closed, I could post another. Or some other scheme along those lines.

      • Re:Uhh (Score:2, Funny)

        by Anonymous Coward
        Err, I'd have it post to somebody else's slashdot journal.
    • Re:Uhh (Score:5, Insightful)

      by sinergy ( 88242 ) on Sunday April 27, 2003 @11:20AM (#5819516) Homepage
      The virus writer would have been smarter to send notices to IRC, or multiple email addresses. Or use broadcasts a la the SQL worm.

      More clever thought behind things like these would make them much more devastating.
      • Re:Uhh (Score:5, Funny)

        by pohl ( 872 ) on Sunday April 27, 2003 @11:43AM (#5819637) Homepage
        Somewhere in the world, a virus author adds a couple of bullet points to his TODO file.
        • Other Methods (Score:5, Interesting)

          by NetGyver ( 201322 ) on Sunday April 27, 2003 @03:47PM (#5820687) Journal
          I've had a weird instance with email going out my mail client (Outlook, but I switched to Mozilla Mail now) without knowing it. Here's the story:

          1. Just opened up Outlook and looked in the "sent" folder to re-read an email I sent to a friend.

          2. I find 4-5 emails that were mailed to addresses I never heard of, with the messages saying something to the effect of: "please remove me from your mailing list." (The messages were all identical to each other).

          3. This has only happened twice, and then stopped.
          I haven't found any more suspicious sent email in my "sent" folder.

          FYI: This is a personal computer, no one else uses it but me.

          Now, I don't send a lot of email, and when I do I know who I sent it to. I also know not to write emails back to spammers even with a "remove from list" message enclosed, because it just sends the spammers the signal that my email account exists and is active, which results in even more spam. (so I've heard at least)

          Any idea what caused this?

          I've also heard that the main reasons one gets an email trojan is by clicking on a link in a email, or downloading/running an email attachment.

          I also know about "drive-by downloading" that happens while visiting websites. The next thing you know you got spyware coming out the ass because of this. (and of course certain programs sneakily install them as well.)

          My second question is, could it be possible for a website to install this trojan on your computer without you knowing it? I mean, they do it with spyware, I don't see why they couldn't do this with email trojans as well.
      • Re:Uhh (Score:3, Insightful)

        by Guppy06 ( 410832 )
        "The virus writer would have been smarter to send notices to IRC, or multiple email addresses. Or use broadcasts a la the SQL worm."

        If the spammer had two braincells to rub together to figure that one out, would they be in the spam business to begin with?
        • Re:Uhh (Score:5, Insightful)

          by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Sunday April 27, 2003 @01:56PM (#5820232) Homepage
          If the spammer had two braincells to rub together to figure that one out, would they be in the spam business to begin with?
          Possibly. Spammers do seem to make money, don't they? And there are many intelligent people out there who like money. Smart people do morally wrong things to make money just like dumb people do.

          The way to stop spam is to remove the profit motive. PEOPLE NEED TO STOP BUYING STUFF THAT THEY GET SPAMMED ABOUT! Once they stop, people will stop paying spammers to advertise their wares, and the spammers will then stop spamming.

          Yes, most spammers do seem pretty stupid. But if it makes money, and it's not illegal, many people, even smart people, have no problems with doing it even if it's morally reprehensible.

          • PEOPLE NEED TO STOP BUYING STUFF THAT THEY GET SPAMMED ABOUT!

            Correct. That is the reason I have cancelled all Amex accounts in my household, do not buy anymore from play.com, etc. But IMO what I have done is an exemption, not the rule. After all there are still people who believe in Nigerian SCAMs out there ;-)

          • >>If the spammer had two braincells to rub together to figure that one out, would they be in the spam business to begin with?

            Possibly. Spammers do seem to make money, don't they?

            Unclear. People participate enthusiastically in pyramid schemes that will never make money, even if the participants don't realize it. I would guess that at least some spammers make money. But I would also guess that a lot of spammers are people with free or very-low-cost internet access and lots of free time (e.g., unive

            • Re:Uhh (Score:4, Interesting)

              by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Sunday April 27, 2003 @05:00PM (#5821025) Homepage
              Unclear. People participate enthusiastically in pyramid schemes that will never make money, even if the participants don't realize it. I would guess that at least some spammers make money.
              Remember a few years back when Rodona Garst [freewebsites.com]'s (a notorious spammer) computer was broken into? ICQ logs and such were taken from her computer, and they were very interesting reading -- and she seemed to make pretty good money spamming, and even had a team of people spamming for her.

              I suspect that it's pretty easy to make money spamming if you've got half a brain and some programming experience. You could write your own simple address-collection and spam-blasting programs in under a day, and then all you need is to find some customers -- and apparently they're out there.

              If you're clueless and you spend a few hundred on somebody's CD of email addresses, and a few more hundred on a CD of spam software and don't know anything more about your computer than how to click on things, then you're right -- you're just going to make other spammers rich and not yourself -- and it's obvious that spammers are perfectly happy to prey upon other would-be spammers.

              There's definitely a lot of `spam MLM' (MLM = Multi Level Marketing) going on -- but unlike your traditional MLM, there is money to be made outside of the MLM. Kind of like Amway -- yes, it's a MLM but they do sell a real product.

              • Re:Uhh (Score:3, Insightful)

                by jafuser ( 112236 )
                This is a good page. I especially learned a lot from reading the ICQ Chat Logs [freewebsites.com].

                Sometimes I wonder if the companies who finally benefit from the spam even know just how scummy their sources are. If you read this chat log [freewebsites.com], you will see a guy, Jeff, is gathering leads for mortgage loans from a "very professional company".

                In situations like this, I wonder how effective it would be to subvert the spam network by using decoy identities to make contact with these companies and hold them liable for their source
    • Mind you, this is only the first step. Just wait for the unholy alliance between spammers and virus writers. You remember how bad Nimda was? It's not going to be hard to make these things that report the IP via irc/http/email. Hell, you could even set up a listener and just see who makes bad pop3 connections. This is gonna get really ugly. And just think.. these are gonna be zombies we know are being used. Zombies that spread at the speed of spam. Zombies that may be hijacked to do more than spam.
    • Why not have Hotmail just disable all Outlook-sent e-mails. That way Microsoft doesn't have to worry about getting spammed through their servers by those virus-prone MS Outlook applications. With Microsoft backing up blocking Outlook-sent email it could help change the direction of e-mail clients to the more efficient and virus-free ones.
      • What incentive would Microsoft have to block e-mails coming from their own e-mail program?!?!

        Your proposed solution would be like making Microsoft Office stop working with Microsoft Windows... hardly good for business!
  • Virus...? (Score:3, Insightful)

    by MrNemesis ( 587188 ) on Sunday April 27, 2003 @11:14AM (#5819485) Homepage Journal
    Are there any AV vendors out there with fixes for this yet? I didn't see any in the article.
    • Re:Virus...? (Score:2, Informative)

      by Anonymous Coward
      well here's [mcafeeasap.com] at least one that seems to have sorted it
  • by Anonymous Coward on Sunday April 27, 2003 @11:19AM (#5819511)
    I am shocked! They seemed like such good upstanding members of society.
  • by greyrax ( 544575 ) on Sunday April 27, 2003 @11:19AM (#5819512)
    Great. First we have the trojan that downloads kiddie porn [slashdot.org] (has anyone else ever heard of this one?) and now this.

    Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?

    I'm not talking about some of the (innovative) kludges that people have come up with for SMTP, I'm talking about a bare-metal rebuild of the entire system. Sure it will be a pain, but when you move to a new place, you have to give your friends the new phone number and address -- giving a new e-mail address (on the new e-mail system) won't be all that bad will it?
    • by 42forty-two42 ( 532340 ) <bdonlan AT gmail DOT com> on Sunday April 27, 2003 @11:49AM (#5819664) Homepage Journal
      Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?

      There is - it's called PGP. SMTP is only intended to transport mail, not to authenticate it. It's the client's job to determine if it should be accepted.
    • Sure it will be a pain, but when you move to a new place, you have to give your friends the new phone number and address -- giving a new e-mail address (on the new e-mail system) won't be all that bad will it?

      Hell no, it's easier. I will just set up a script to send thousands of emails with my new address to everyone. I might even include a few pointers on male enhancement products at the same time so I don't clog up the system with a second mail.
    • by dasunt ( 249686 ) on Sunday April 27, 2003 @12:36PM (#5819887)

      SMTP is broken? Maybe, but lets look at this logic.

      1. An email attachment pretends to be something it isn't, people click on it.
      2. The email attachment opens up a relay, sends email back to a hotmail account.
      3. Spammer uses email account to spam other email accounts.

      Now lets look at this with $SMTP+1 (With spiffy authentication).

      1. An email attachment arrives from a trusted source/new source. People click on it.
      2. The email attachment opens up a backdoor, sends email back to hotmail.
      3. Spammer uses email software on that machine to spam other machines. Since we have email authentication now, the other users either get "from a trusted source" (if they already knew the person) or "from a new source (Key matches Joe Outlook Idiot)".

      Yep, that sure fixed the problem.

      • Now lets look at this with $SMTP+1 (With spiffy authentication).

        Spammer uses email software on that machine to spam other machines. Since we have email authentication now, the other users either get "from a trusted source" (if they already knew the person) or "from a new source (Key matches Joe Outlook Idiot)".


        One of the key things to fix if you redo SMTP is fakemail. In other words, you'll not be able to send email unless you a) either have a real domain that you can send email from (like with MX server
    • Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?

      SMTP is not broken and does not need to be fixed. For example, this virus would never succeed on my windows system. First, my IP address, 10.0.0.11, would not be of much use to the spammer. (And if you know anything about networks, you know why, and why I can post it and not worry.)

      Second, in between my windows machine and the rest of the internet I have a firewall.

      • SMTP is not broken and does not need to be fixed. For example, this virus would never succeed on my windows system. First, my IP address, 10.0.0.11, would not be of much use to the spammer. (And if you know anything about networks, you know why, and why I can post it and not worry.)

        Second, in between my windows machine and the rest of the internet I have a firewall. THAT'S what really renders the virus moot. Nobody connects to any machine I have from the outside, period, ever. (Now of course there's ways t
        • by satch89450 ( 186046 ) on Sunday April 27, 2003 @02:56PM (#5820496) Homepage
          Secondly, you can have the best firewall in the world, but if a trusted host behind it is compromised then it's "game over". The attacker doesn't have to connect to your machine through your firewall. The compromised machine can connect out and initiate a backchannel - literally punching a hole through the firewall. This would normally be to an IRC server, but could be anywhere really, using any protocol allowed out by the firewall.

          You are right, the spam-virus can try to initiate a connection to something on the other side. Of course, I don't forward smtp traffic, so a spam virus would find little happiness running on any of my computers, because it will find itself in a little jail -- and the discussion was a spamming SMTP zombie.

          No host behind my firewall is "trusted". One of the beauties of my firewall implementation is that perimeter protection is both ways: protect my computers from bad-boy Internet packets, and protect the Internet from any nastiness that might creep into my computer.

          That's the power provided by IPTABLES under Linux. I can filter traffic independently in both directions, using the stateful capabilities of IPTABLES, so that my sieve can handle in-bound SMTP separately from out-bound SMTP, passing one and blocking the other. And I do, because I can.

          (N.B.: that's not to take anything away from firewall products for Windows, Macintosh, BeOS, and other systems that implement stateful filtering. There are $50 software packages that afford the same protection, if you elect to use it. The problem, of course, is that a computer virus may be able to "sneak around" a same-system firewall implementation. That's why I like separate firewall computers, and firewall appliances such as the SonicWall. A virus would have to work very hard indeed then to get past the protection.)

          In short, my firewall does protect other machines on the Internet from a stupid user opening a virus on a local machine.

      • First, my IP address, 10.0.0.11, would not be of much use to the spammer

        The executable might report your inside IP address, but the routable source IP would be visible within the headers the smtp server it connects to prepends to the message. Knowing this wouldn't get them thru your firewall, but they'd be one step closer.
    • The trojan relies on the "added features" of certain SMTP clients to install itself. So it seems the problem isn't with SMTP itself so much as any e-mail client that does anything more than display text messages.

      Turn off HTML, turn off references to external files, turn off scripting, and don't click on suspicious-looking files. Much easier than trying to redefine SMTP if you ask me...
    • Great. First we have the trojan that

      downloads kiddie porn [slashdot.org] (has anyone else ever heard of this one?)

      I suspect that we weren't given the whole story.

      What seems much more likely is that some trojan was installed on this person's computer that allowed an attacker to take control -- nothing more (and there's a lot of such trojans out there.) Then the attacker took control and put the porn onto the computer, perhaps so it could be distributed, or perhaps just to see if he could get this guy in trouble,

      • Hell. It's possible that the `trojan' installed merely pulls images off of Usenet and saves them to the hard disk for the attacker to collect later, and it just happened that somebody had posted some kiddie porn to Usenet so this program captured it -- so there's six thousand `normal porn' images, and three `kiddie porn' images on the disk. Who knows?

        That could quite possibly be the case. The more porn volume on your HDD, the more chances you could have 2-3+ `kiddie porn' pictures on your system as wel
  • by RT Alec ( 608475 ) * <{moc.elkcuhc.todhsals} {ta} {cela}> on Sunday April 27, 2003 @11:19AM (#5819513) Homepage Journal

    If you are running a network, it behooves you to filter outgoing port 25. SMTP is a lousy protocol, and there is no successor to replace it (anytime soon).

    E-mail server admins: Please lock down your servers! Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25. It's not that tough, and it's your job. Do it.

    There, no excuses.
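Added example, not the poster's own setup and not from the thread: a small shell script for a Linux gateway that does what this post and satch89450's earlier description of two-way iptables filtering both call for. Only one authorised relay may speak SMTP to the outside; every other LAN host's port-25 attempt is logged and rejected, and an awk pass over those log lines shows which inside machines were trying to send mail directly (the symptom an infected proxy host would produce). The interface names eth0/eth1, the 192.168.1.0/24 addresses, the relay address 192.168.1.10 and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: SMTP egress filtering on a Linux gateway with iptables.
# Assumptions (hypothetical): LAN side is eth1 (192.168.1.0/24), WAN side
# is eth0, and the only host allowed to send mail out is 192.168.1.10.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
MAIL_RELAY="${MAIL_RELAY:-192.168.1.10}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them

apply_smtp_egress_rules() {
    # The designated relay may open SMTP connections to the Internet.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -s "$MAIL_RELAY" -j ACCEPT
    # Every other LAN host: log the connection attempt (rate limited so a
    # busy zombie cannot flood the log), then reject it with a TCP reset so
    # the client fails fast instead of hanging on a dropped packet.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 --syn \
        -m limit --limit 10/min -j LOG --log-prefix "SMTP-EGRESS-BLOCK "
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Constructed sample of the kernel log lines the LOG rule above would emit
# (plus one unrelated line to show it is ignored).
SAMPLE_LOG='Apr 27 11:12:01 gw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=4122 DPT=25 SYN
Apr 27 11:12:03 gw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=4123 DPT=25 SYN
Apr 27 11:12:09 gw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=203.0.113.77 PROTO=TCP SPT=1188 DPT=25 SYN
Apr 27 11:13:00 gw kernel: OTHER-LOG IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=203.0.113.77 PROTO=TCP SPT=1189 DPT=80 SYN'

# Summarise which LAN hosts tried to send mail directly and to how many
# distinct destinations each one reached out. Output: "host count", most
# active first. A desktop with many distinct SMTP destinations is the one
# to pull off the network and scan.
suspect_smtp_senders() {
    printf '%s\n' "$1" | awk '
        /SMTP-EGRESS-BLOCK/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && !seen[src, dst]++) count[src]++
        }
        END { for (h in count) print h, count[h] }' | sort -k2,2nr -k1,1
}

# Typical use on the gateway (needs root):
#   sh thisfile.sh && apply_smtp_egress_rules
#   suspect_smtp_senders "$(grep SMTP-EGRESS-BLOCK /var/log/kern.log)"
```

The ACCEPT for the relay has to come before the REJECT, and the relay itself should still require authentication for submission; the gateway rule only guarantees that a compromised desktop cannot bypass it.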

    • Why would it matter whether users submit their email on the standard SMTP port?

      I can see why you'd want to block port 25 outgoing on your firewall so no one can bypass your SMTP server, but configuring your SMTP server to accept mail on port 8025 or something... what's the point?
    • The sad part is that the number of servers just went from low millions to hundreds of millions, and your suggestion will not help out on the huge number of servers that will be coming down the pipeline.
      BTW, I would love to find a stat that shows which systems (hardware, OS, server) are allowing the bulk to occur. I routinely check where my spam comes from and I routinely find Exchange as the entry point (not always). I would much rather focus on getting the bulk done as opposed to simply shutting down everyt
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Sunday April 27, 2003 @11:46AM (#5819647)
      Comment removed based on user account deletion
      • My suggestion is to leave port 25 open, but only to allow incoming mail from other SMTP servers-- and only for your local users (by definition, it will not relay mail). So how does a user relay mail (i.e. initial mail submission)? The responsible admin of the user's SMTP server has set up SMTP + AUTH + SSL on that server (or perhaps a different server altogether-- an even better idea). Now this user can send mail (i.e. relay mail, or use the server for initial mail submission-- different terms for the same

    • The major innovation that sets the Internet apart from other networks is that it is a peer to peer network! Every IP is equally important, and everyone is client and server.

      NAT and proxy-only access are already threatening that. Don't give up the non-centralized nature advantage of IP or the future looks bleak!

      Sending email through my ISPs relay has several important disadvantages. First and foremost, I cannot see whether the mail was already delivered to the recipient's SMTP server or whether it still
      • Sending email through my ISPs relay has several important disadvantages. First and foremost, I cannot see whether the mail was already delivered to the recipient's SMTP server or whether it still is rotting in my ISP's queue. Also, my ISP might have a disk crash and lose my mail in his queue.

        You also have no idea how big a queue your ISP's third party relay or if someone has just uploaded some spam to that relay. Even if an ISP restricts their relay to the IPs of their customers this isn't much good unles
  • Why not (Score:2, Interesting)

    by shades66 ( 571498 )
    find out the hotmail address and send it loads of dummy IP addresses...
    • Actually, if it's a single Hotmail address they're using, it should be easy to simply get MS to shut the address OFF! Then all their work is for nothing!

      But like a previous reply said, reporting to the FBI might also be a good idea.
  • by acehole ( 174372 ) on Sunday April 27, 2003 @11:24AM (#5819534) Homepage
    Desperation is when they start selling the penis enlargers door to door.

    Seriously, has anyone actually *seen* one?

  • by Saint Aardvark ( 159009 ) * on Sunday April 27, 2003 @11:24AM (#5819535) Homepage Journal
    I think I might have seen something like this. In my previous life as helpdesk/abuse guy at a small ISP, I was in charge of locking accounts for spamming. (Fortunately, it never happened very often.) So one day I get this complaint from SpamCop about a dialup customer of ours -- typical pr0n spam. Check the logs, find the account and lock it -- nothing that unusual, except for what happened next: the customer called in.

    See, almost any time we've had people spam before, it's been someone who has signed up for an unlimited dialup account, then goes and spams right away before they get cut off. It got to the point where I was able to guess that someone was going to do this when I was taking down their details for an account; this happened with someone signing up for this guy [google.ca], and I locked the account before it was even active. This person, like every other spammer I'd dealt with, never called back: they knew exactly what they were doing, and what I would tell them. But this customer did.

    Furthermore, she was extremely convincing when she told me she knew nothing about spam. To all appearances she was nearly clueless about computers (no offense to her -- I'm sure I couldn't do her job), could not believe her computer had done anything wrong, and was offended by the spam her computer had sent when she saw the complaint from SpamCop. She didn't argue that it wasn't really spam, or say that she didn't know that it was wrong, or that everyone had opted in, or that it was just an experiment, or anything: she didn't know what she had done, and was confused and astounded when I told her. I ended up letting her back on, against my better judgement, with a warning that if it happened again I'd close her account and that would be that. We changed her password just to be sure that no one else was using her account; unfortunately, the modem she'd dialed in on didn't have caller ID, but she swore blind that no one else knew her password or used her computer.

    So a month goes by and I get another complaint from SpamCop -- and it turns out to be the same customer. "Teach me to be nice," I thought, and locked her account. Caller-ID was recorded this time, and it was her number. I told the guy at the branch office where she lived that I'd locked this customer's account -- he had dealt with her the last time -- and he gave her a call. Again, he was convinced that she couldn't be spamming, and he convinced me that we should at least look at her computer. We brought it in to the branch office for a look.

    Unfortunately, neither one of us really knew what to do beyond the obvious. It was running Windows 98, no updates; the guy at the office knew Windows, and I know Unix, but neither one of us had experience with this sort of thing. I did a portscan and found one port open (1234), but the banner said "Express Search"; eventually found this link, which didn't seem to offer much. Meanwhile, the guy in the office ran Trend Micro's HouseCall and Panda's online virus scanner, and didn't find much of interest.

    He ended up reinstalling Windows on her computer, adding a firewall, doing all the updates, and letting her back on; we didn't know what else to do. We kept looking around for some mention of a virus or trojan with an SMTP engine (beyond something like Klez, I mean), but couldn't really find anything -- just lots of "This is weird, anyone seen anything like this?".

    Sorry to be so vague on the details, but like I said, I really don't know Windows and I'm really not a security guy. But I'm still fairly sure that either she was a wonderful actress, or some 133t haX0r had rooted her box to send spam. Needless to say, this is going to wreak havoc with anyone who has to be the abuse guy -- "Innocent victim of a virus or spammer scum? Hm..."

    ObRant: Fucking goddamned spammers anyway. Fuckwads.

    • Sorry, express search link here:

      http://archives.neohapsis.com/archives/bugtraq/1999-q4/0317.html [neohapsis.com]

      And I meant to mention that the first incident was at the beginning of March this year, and the second at the beginning of April.

    • by Caveman Og ( 653107 ) on Sunday April 27, 2003 @03:56PM (#5820739) Homepage Journal
      Well, since I'm not only an abuse guy in a previous life, but also a present and future abuse guy (for big networks, even), I can give some further insight into this sort of thing.

      1234 seems appallingly close to one of the ports sub-7 uses (1243). I would suspect some sort of back-door root-shell, and BEHOLD (through the power of Google):

      http://www.itsecurity.com/asktecs/jun1901.htm
      http://www.iss.net/security_center/advice/Exploits/Ports/1234/default.htm

      There are MANY trojans which use this port. "Ultors Trojan", is perhaps best known. There's also "SubSevenJavaclient". Nasty, nasty.

      UDP traffic on port 1234 is indicative of "Infoseek Search Agent", which is the legit use for this port. The trojans do not produce UDP traffic.

      Check out http://www.neohapsis.com/neolabs/neo-ports/

      I would think that your experience predates the current round of spammer-specific trojans. This is, however, only the tip of the iceberg. Spammers are now creating entire zombie IP address allocations from abandoned or otherwise unused network space. A spammer with his own ASN and spammer-controlled BGP can create ENDLESS havoc.

      Zombies on the Register of Known Spam Operations:

      http://www.spamhaus.org/rokso/search.lasso?evidencefile=2493

      Below are the lists of DIRECT ASNs owned or pirated by spammers, including many of the zombie netblocks:

      APNIC zombies
      http://spamhaus.org/sbl/listings.lasso?isp=apnic

      ARIN zombies and spammer allocations
      http://spamhaus.org/sbl/listings.lasso?isp=arin

      RIPE zombies and spammer allocations
      http://spamhaus.org/sbl/listings.lasso?isp=ripe

      --Og
  • by sogoodsofarsowhat ( 662830 ) on Sunday April 27, 2003 @11:26AM (#5819540)
    (sees scenes from commercial of guy getting on plane to go visit telemarketer in person) to a brutal beat down :) (one must also be careful of the submit button early on a sunday morning ... doh)
  • Untraceable? (Score:5, Informative)

    by Old Uncle Bill ( 574524 ) on Sunday April 27, 2003 @11:26AM (#5819544) Journal
    "It's untraceable. I hate to put that in print, but it's the truth."

    So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.
    • No -- you'll just find the next proxy down the chain. And unless *they*'re running logging, that's no help

      rOD.
    • Re:Untraceable? (Score:4, Informative)

      by Mike1024 ( 184871 ) on Sunday April 27, 2003 @01:32PM (#5820130)
      Hey,

      So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source?

      They could put a proxy function in. The spammer contacts one computer, and that computer contacts another. Thus the second computer couldn't locate the spammer, but any e-mail messages would only have the second computer's IP address.

      If they were really crafty, they could have a web-like feature. Each infected system could scrape web pages for, say, 15 e-mail addresses (Could use IE's cache), and port scan computers for 5 different computers with the virus. The spammer injects one message into the network, and the infected computer forwards it to all 5 on the list, which forward it to all the systems on its list, and so on. One day later, the network switches to 'send' mode, and each node sends out the message to its 15 e-mail addresses.

      A sort of Gnutella network + Code red port scanning + web page scraper + mail program virus.

      Of course, such a program would get zapped by port blockers and virus scanners pretty fast.

      Just my $0.02,

      Michael
  • by WegianWarrior ( 649800 ) on Sunday April 27, 2003 @11:29AM (#5819565) Journal

    ...beats a pound of medication (or something like that - I'm not too good at English proverbs).

    Don't run attachments from mails if you don't trust the sender. Do get a firewall that lets you block both ways (ZoneAlarm [zonelabs.com] from ZoneLabs [zonelabs.com] is my free favorite). The result? You won't get caught by this trojan, and if you should break the first rule of thumb, the second won't turn your PC into a spam-factory.

    • Don't run attachments from mails if you don't trust the sender...



      And don't run strange attachments from emails if you DO trust the sender. After all, unless you're both using gpg (I've got only one person I talk with that does), the email address could be faked. Then there are the trojans...

    • There's trojans out there now that disable anti-virus protection, and disable/reconfigure zone alarm to let themselves in and out.

      Cheap, mass-market software firewalls will not protect you.

      Only common sense and not opening mails/attachments and downloading files from untrusted sources will.

      Unfortunately, far too many users are lacking in the common sense part.
  • Seriously, your honor, it wasn't me - it was the virus [slashdot.org]!
  • by Crashmarik ( 635988 ) on Sunday April 27, 2003 @11:47AM (#5819650)
    Every Spam is selling something. Someone is paying to have it sent out. Don't trace the spammers. Hit the advertisers. Subpoena for who they are paying to send out the stuff, and then go after them criminally.

    The people that actually have their capital tied up in penis and breast enlargers sure as heck don't want it seized.
  • hardware firewall? (Score:4, Interesting)

    by AssFace ( 118098 ) <stenz77.gmail@com> on Sunday April 27, 2003 @11:53AM (#5819675) Homepage Journal
    I have a Netgear router/firewall sitting in between my home computers and my cable modem connection.

    I personally always use Pine to check e-mail, but my fiancee uses Outlook (Express I think). She is of the type (as is my mom and 90% of the people I've ever worked with) that no matter how many times I tell her not to open random attachments - she still does.

    So were she to get this thing in her computer - in this case, the firewall that blocks all incoming attempts would block it (doesn't do much to stop her computer from transmitting out though if I don't know what port it is doing it on).

    On a side note, I don't have a huge problem with Windows - I have it on this laptop that I'm typing on and it is fine for me. But one of my biggest pet peeves with it is that it comes as a default setting to have no file extensions show up on files.
    So if I sent you an attachment that was called "CuteBunnies.jpg.exe" - the last ".exe" part wouldn't show up - and people don't tend to notice the .jpg extension (and as an exe you can set it up to have the default Windows jpg icon as its logo). People then click on it and... the rest should be obvious.
    This happened at a company I used to work at and it was annoying as hell to keep seeing the viruses spreading.
    • by Lumpish Scholar ( 17107 ) on Sunday April 27, 2003 @12:15PM (#5819775) Homepage Journal
      ... were she to get this thing in her computer - in this case, the firewall that blocks all incoming attempts would block it (doesn't do much to stop her computer from transmitting out though if I don't know what port it is doing it on).
      This is exactly the kind of problem a hardware firewall can't help with.

      Her computer will be connecting out via port 25, whether she's trying to send a message, or the virus is. (This is why firewalls need to be part of a layered defense; once a hostile agent is inside the firewall, you're in trouble.)

      A software firewall, on the other hand, hooks into the OS, and can tell which programs are acting as IP clients and servers. You're not blocking ports or addresses; you're blocking programs, which is what you want. Even that's not perfect. If your e-mail client or web browser runs a rogue script, the software firewall won't be able to distinguish between good and bad requests.

      Having said all that, run don't walk to Zone Labs [zonelabs.com] and download ZoneAlarm. The free version may do all you need.
      • What you say about having a software firewall is correct.

        However, I think the point the original poster was trying to make is that, with a hardware firewall, the spammer's software won't be able to connect (incoming) to his wife's machine to tell it to forward spam messages. Sure, outgoing port 25 is open from his network, so they can send emails on the way out, but if nothing incoming is routed to her machine, the relay is effectively closed.

        I'm not saying that it's a perfect solution (software firewall
  • by www.sorehands.com ( 142825 ) on Sunday April 27, 2003 @11:55AM (#5819688) Homepage
    Say it ain't so!

    Spamming is illegal per se in most states. Using deception in the headers is illegal in the entire USA and many places in the world. Using open proxies is also illegal (in most cases).

  • Lots of this (Score:2, Interesting)

    by ManuelKelly ( 446655 )
    I have received a lot of spam that appears to be generated from this source. I traced back the source, and it is usually running a MS Windows proxy server.

    Several of the sites that produce these servers have warnings that they have received notification about trojan installs of their software. I suppose it could be other software mimicking the signatures, but that would be a lot of effort I would not think the spammer would want to go through if it can be done with off-the-net software.

    FWIW a lot of the spa
  • No, actually.. (Score:3, Insightful)

    by Lord Bitman ( 95493 ) on Sunday April 27, 2003 @12:05PM (#5819723)
    This is more to say "Not everyone who gets blocked deserves it"
    Prove me wrong.
  • by Anonymous Coward
    Is AnalogX Proxy [analogx.com], which is quite popular [google.com] with spammers.

    As for the not traceable, well I wouldn't count that out. What if someone really knew what was happening, decided to download, and isolate the program with the intent of finding them?

    Yes I know they could use anon proxies, but then there is the chance that the anon proxy is not an anon proxy. I wouldn't be surprised if, just like honeypots, fake anon proxies start popping up with the intent of catching their real IP.

    Only problem I see is that the spamme
  • by Animats ( 122034 ) on Sunday April 27, 2003 @12:31PM (#5819862) Homepage
    The "girslwhocry" spammer I mentioned yesterday [slashdot.org] makes heavy use of proxy servers. The spams come from a large number of different IP addresses. Some of the IP addresses from which they send spam are running Telnet proxy servers which answer ordinary Telnet requests. Others, though, are DSL ports from all over the world. Here are some typical "received" lines:
    • Received: from cpe-203-51-210-143.qld.bigpond.net.au ([203.51.210.143] helo=downside.com)
    • Received: from dsl-200-78-25-58.prodigy.net.mx ([200.78.25.58] helo=downside.com)
    • Received: from kawij-aw-5452.mxs.adsl.euronet.nl ([212.129.212.82] helo=downside.com)
    • Received: from 80-24-219-243.uc.nombres.ttd.es ([80.24.219.243] helo=downside.com)
    • Received: from abn134-41.interaktif.net.tr ([195.174.134.41] helo=downside.com)
    • Received: from wd-c-68dd.mxs.adsl.euronet.nl ([62.234.136.221] helo=downside.com)
    • Received: from host-148-244-79-22.block.alestra.net.mx (HELO downside.com) (148.244.79.22)
    • Received: from elog-lab.ret.forthnet.gr (HELO downside.com) (193.92.145.218)

    Those are all from a sequential block of spam bounces that we received. Look at the locations: Spain, Greece, the Netherlands, Malaysia, Turkey. That has to be some kind of distributed attack.

    They're using our name. I operate Downside [downside.com], a respected financial information site, and own "Downside" as a registered US trademark. I want to find out who's behind this. They're making us look bad. I get hate mail, because this spammer is advertising "extreme rape" sites.

    Insights on how they're doing this would be appreciated. If this spammer can be clearly tied to felony computer intrusions, that would give me something solid to give my attorney.
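As an added example (not from the post, and not Downside's own tooling), a small Python parser for the two Received: header shapes quoted above that flags hops where the HELO claim names a domain the connecting host's reverse-DNS entry does not belong to. The sample header lines, ISP hostnames and IP addresses are constructed (RFC 5737 documentation ranges), and the list of dynamic-pool tokens is a heuristic assumption.

```python
import re
from typing import Dict, List, Optional

# The two Received: shapes quoted in the post: Exim-style "([ip] helo=...)" and
# qmail-style "(HELO ...) (ip)". These regexes are my own, not from the post.
RECEIVED_FORMS = [
    re.compile(r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[\d.]+)\]\s+helo=(?P<helo>\S+)\)"),
    re.compile(r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>\S+)\)\s+\((?P<ip>[\d.]+)\)"),
]

# Heuristic assumption: tokens common in reverse-DNS names of consumer DSL/cable pools.
DYNAMIC_HINTS = ("dsl", "adsl", "cpe", "dyn", "dhcp", "cable", "block")

# Constructed sample hops (RFC 5737 addresses, made-up ISP names), modelled on the
# lines in the post: residential hosts all announcing themselves as downside.com.
SAMPLE_HOPS = [
    "Received: from dsl-203-0-113-10.example-isp.net ([203.0.113.10] helo=downside.com)",
    "Received: from host-198-51-100-7.cpe.example-cable.org (HELO downside.com) (198.51.100.7)",
    "Received: from mail.downside.com ([192.0.2.25] helo=mail.downside.com)",
]


def parse_received(line: str) -> Optional[Dict[str, str]]:
    """Return rdns/ip/helo from one Received: line, or None if the shape is unknown."""
    body = line.split(":", 1)[1].strip() if line.lower().startswith("received:") else line
    for form in RECEIVED_FORMS:
        m = form.search(body)
        if m:
            return m.groupdict()
    return None


def registrable(name: str) -> str:
    """Crude organisational domain: the last two labels (enough for this heuristic)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def classify(line: str) -> Dict[str, object]:
    """Flag a hop whose HELO names a domain its reverse-DNS entry does not belong to."""
    rec = parse_received(line)
    if rec is None:
        return {"parsed": False}
    rdns, helo = rec["rdns"].lower(), rec["helo"].lower()
    helo_mismatch = registrable(rdns) != registrable(helo)
    looks_dynamic = any(tok in rdns for tok in DYNAMIC_HINTS)
    return {"parsed": True, "ip": rec["ip"], "rdns": rdns, "helo": helo,
            "helo_mismatch": helo_mismatch, "looks_dynamic": looks_dynamic,
            "suspect_relay": helo_mismatch and looks_dynamic}


def suspect_ips(lines: List[str]) -> List[str]:
    """IPs of hops that look like compromised residential relays; legitimate hops pass."""
    return [str(c["ip"]) for c in map(classify, lines) if c.get("suspect_relay")]
```

Run against a folder of bounces, the flagged IPs are the ones worth reporting to the owning ISPs; a hop whose HELO and reverse DNS agree (the third sample) is left alone.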

  • or other Outlook-like unix mail programs
  • Try connecting to 192.168.1.102:25 and see how far that gets you.
  • by Nogami_Saeko ( 466595 ) on Sunday April 27, 2003 @02:54PM (#5820487)
    Would it be possible to set an ISP's router to automatically re-direct any TCP packet with a port-25 destination through a SpamAssassin-type filter to check it before it continues its journey?

    Basically having a router that intercepts anything going out to port 25 from any port and pre-check it before allowing it to continue on?

    N.
  • Untraceable (Score:2, Informative)

    by httptech ( 5553 )
    "It's untraceable. I hate to put that in print, but it's the truth."

    If the spammer uses the proxy/trojan installed by Sobig.a which listens on port 1180 (socks) and 1182 (http), it's very traceable. You need only the password to the proxy management station (it's "zaq123") and you can watch the traffic or shut it down altogether.

    See this analysis of Sobig and Spam [lurhq.com] for more details.

    Of course, this MBIWYL (may be illegal where you live)

  • This IS traceable (Score:2, Insightful)

    by Anonymous Coward
    1. The spammers are doing this because they get paid to do it.
    2. Someone is paying them; paying them to advertise a product and contact the payer (somehow) to sell a product.
    3. The person paying them knows who they paid to email this crap.
    4. If the email was sent via this trojan, just follow the trail from the email sent to the payer and, from there, to the spammer.

    Even if the spammer claims that someone else (riiiight) must have sent the trojans on their way, he got paid for it and should be levied with f
