Spamming Trojan "Proxy Guzu"
squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (i.e. disguised as something else so you'll run it.) It then sends an email to a Hotmail email account reporting the IP address of the infected machine and port it's running on. The spammer then merely transmits spam to the infected machine which in turn forwards it on. There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."
Hotmail disables said account. Case closed...?
Are there any AV vendors out there with fixes for this yet? I didn't see any in the article.
I am shocked! They seemed like such good upstanding members of society.
Great. First we have the trojan that downloads kiddie porn (has anyone else ever heard of this one?) and now this.
Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?
I'm not talking about some of the (innovative) kludges that people have come up with for SMTP, I'm talking about a bare-metal rebuild of the entire system. Sure it will be a pain, but when you move to a new place, you have to give your friends the new phone number and address -- giving a new e-mail address (on the new e-mail system) won't be all that bad will it?
If you are running a network, it behooves you to filter outgoing port 25. SMTP is a lousy protocol, and there is no successor to replace it (anytime soon).
E-mail server admins: Please lock down your servers! Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25. It's not that tough, and it's your job. Do it.
There, no excuses.
find out the hotmail address and send it loads of dummy IP addresses...
---- There are 10 types of people in the world. Those that understand binary and those that don't
The virus writers write a virus that installs linux. My linux system doesn't get viruses or spam. Emerge the power!
Desperation is when they start selling the penis enlargers door to door.
Seriously, has anyone actually *seen* one?
Be you Admins? nay, we are but lusers!
See, almost any time we've had people spam before, it's been someone who has signed up for an unlimited dialup account, then goes and spams right away before they get cut off. It got to the point where I was able to guess that someone was going to do this when I was taking down their details for an account; this happened with someone signing up for this guy, and I locked the account before it was even active. This person, like every other spammer I'd dealt with, never called back: they knew exactly what they were doing, and what I would tell them. But this customer did.
Furthermore, she was extremely convincing when she told me she knew nothing about spam. To all appearances she was nearly clueless about computers (no offense to her -- I'm sure I couldn't do her job), could not believe her computer had done anything wrong, and was offended by the spam her computer had sent when she saw the complaint from SpamCop. She didn't argue that it wasn't really spam, or say that she didn't know that it was wrong, or that everyone had opted in, or that it was just an experiment, or anything: she didn't know what she had done, and was confused and astounded when I told her. I ended up letting her back on, against my better judgement, with a warning that if it happened again I'd close her account and that would be that. We changed her password just to be sure that no one else was using her account; unfortunately, the modem she'd dialed in on didn't have caller ID, but she swore blind that no one else knew her password or used her computer.
So a month goes by and I get another complaint from SpamCop -- and it turns out to be the same customer. "Teach me to be nice," I thought, and locked her account. Caller-ID was recorded this time, and it was her number. I told the guy at the branch office where she lived that I'd locked this customer's account -- he had dealt with her the last time -- and he gave her a call. Again, he was convinced that she couldn't be spamming, and he convinced me that we should at least look at her computer. We brought it in to the branch office for a look.
Unfortunately, neither one of us really knew what to do beyond the obvious. It was running Windows 98, no updates; the guy at the office knew Windows, and I know Unix, but neither one of us had experience with this sort of thing. I did a portscan and found one port open (1234), but the banner said "Express Search"; eventually found this link, which didn't seem to offer much. Meanwhile, the guy in the office ran Trend Micro's HouseCall and Panda's online virus scanner, and didn't find much of interest.
He ended up reinstalling Windows on her computer, adding a firewall, doing all the updates, and letting her back on; we didn't know what else to do. We kept looking around for some mention of a virus or trojan with an SMTP engine (beyond something like Klez, I mean), but couldn't really find anything -- just lots of "This is weird, anyone seen anything like this?".
Sorry to be so vague on the details, but like I said, I really don't know Windows and I'm really not a security guy. But I'm still fairly sure that either she was a wonderful actress, or some 133t haX0r had rooted her box to send spam. Needless to say, this is going to wreak havoc with anyone who has to be the abuse guy -- "Innocent victim of a virus or spammer scum? Hm..."
ObRant: Fucking goddamned spammers anyway. Fuckwads.
Carousel is a lie!
(sees scenes from commercial of guy getting on plane to go visit telemarketer in person) to a brutal beat down :)
(one must also be careful of the submit button early on a sunday morning ... doh)
I love the sound of burning women and screaming rubber....
"It's untraceable. I hate to put that in print, but it's the truth."
So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.
Yes, I am an agent of Satan, but my duties are largely ceremonial.
We were to say an entire nation was to *move* to a new place.
There's nothing to say though, that a few people can't set up a secure protocol and start using it. If it catches on, then there you go.
But things like that are gradual.
...beats a pound of medication (or something like that - I'm not too good at English proverbs).
Don't run attachments from mails if you don't trust the sender. Do get a firewall that lets you block both ways (ZoneAlarm from ZoneLabs is my free favorite). The result? You won't get caught by this trojan, and if you should break the first rule of thumb, the second won't turn your PC into a spam-factory.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
"...has the scoop..."
Um, no, there wasn't any info in the article that was of any use. It would be nice to know a bit more detail, or at least the article could have pointed some links at a technical site with more info. The Slashdot intro paragraph had just about as much detail as the entire article.
Doesn't have to be logical.
Just confusing.
in Visual Basic, too, like most trojans seem to be. It's a very easy thing to make... that's not even counting that there is an abundance of source code for trojans and smtp examples. After all, it's 15 year olds that use trojans, 16 year olds that make them, and 22 year olds that make viruses.
.VBS script is easy. (After all, trojans just open up a winsock connection and scripts can be based on previous scripts, either.) They think it's something hard when it's something lame.
Then funny thing is, after every mass-media-hyped outbreak, people are always surprised when computer experts say in an interview how making a basic trojan or
Okay I will have to end this rant without getting to the point, due to an incident. As I paused to help someone, they saw the "it's 15 year olds that use trojans," line and probably misunderstood as they were leaving. Geez.
Fine, I'll finish the point: If you are unemployed, get cracking on trojans! Windows trojans! Employers will love to see that you are smart enough to make one. JUST KIDDING! Although, probably true.....
Cover your eyes and click this link!
I can arrange a rep to pop around and give you a personal demonstration :p
...if the trojan started sending out copies of itself, probably giving the spammer an exponential amount of IPs.
Seriously, your honor, it wasn't me - it was the virus!
It looks like they have "the scoop", but really they just cut and paste the original Security Focus article two days after the fact. Why don't they bother mentioning that? Do they have a partnership? Am I supposed to just know?
If you are running a network, it behooves you to filter outgoing port 25.
Why? So that I can't test to see if the spam I received came from an open relay? So that I am forced to answer confidential e-mail from client A through client Y's SMTP server when I am at client's Y's site?
I agree that port 25 should be, by default, locked down on residential dial-up accounts (which spammers use as throwaway accounts), but don't lock it down everywhere. It breaks too many things.
Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25.
At the HELO/EHLO, an SMTP server doesn't know if the mail coming into it is "an initial mail submission" or just a message destined for an address served by that user.
If you set up an SMTP server on a non-standard port, then no one's mail gets there. AOL is not going to talk to your server on port 20025.
What happens when lots of mail servers are available on non-standard ports? Suddenly your port 25 block does not work any longer. Then the spammers will look for open relays on non-standard ports. You know that there will be a lot of them because there will be the "security through obscurity" crowd who believes that, because their SMTP server is running on port 31172, they can safely leave it open.
You're headed in the right direction, but leave port 25 alone. My SMTP server is configured to require identification and authentication to send e-mail outside of my domain. All mail servers should be configured that way. This crap of allowing anyone to send e-mail without a username and password is ridiculous.
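As an added example that is not from the thread or any poster: a small Python model of how a Postfix-style restriction list decides whether to relay, which is the mechanism behind "require authentication but leave port 25 alone". Postfix's reject_unauth_destination settles the relay question at RCPT TO rather than at HELO: mail for a domain the server is MX for is accepted from anyone, mail for any other domain only from mynetworks or a SASL-authenticated client. The domains, networks and client addresses below are made up, and the evaluator is a model of the restriction semantics, not Postfix code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed local policy (constructed for this example).
MY_DOMAINS = {"example.net"}                  # domains this host is the MX for
MY_NETWORKS = [ip_network("192.0.2.0/24")]    # LAN clients allowed to relay


@dataclass
class Rcpt:
    client_ip: str
    sasl_authenticated: bool
    rcpt_domain: str


def evaluate(restrictions, r):
    """Walk a Postfix-style smtpd_recipient_restrictions list.

    Each entry either returns a verdict or says nothing and passes to the
    next one; the first verdict wins, and an exhausted list means permit.
    """
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip_address(r.client_ip) in net for net in MY_NETWORKS):
                return "permit"
        elif name == "permit_sasl_authenticated":
            if r.sasl_authenticated:
                return "permit"
        elif name == "reject_unauth_destination":
            # The relay check: only mail for our own domains gets past here.
            if r.rcpt_domain.lower() not in MY_DOMAINS:
                return "reject"
        elif name == "permit":
            return "permit"
        elif name == "reject":
            return "reject"
        else:
            raise ValueError(f"unknown restriction: {name}")
    return "permit"


# Weak: an open relay. Anyone may send to any destination.
OPEN_RELAY = ["permit"]
# Hardened: LAN and authenticated users may relay; strangers may only
# deliver mail addressed to our own domains, still on port 25.
HARDENED = ["permit_mynetworks", "permit_sasl_authenticated",
            "reject_unauth_destination"]


def decisions(restrictions):
    """Run three representative RCPT TO attempts against a restriction list."""
    cases = {
        "stranger_to_us": Rcpt("203.0.113.9", False, "example.net"),
        "stranger_relay": Rcpt("203.0.113.9", False, "victim.example"),
        "roaming_user":   Rcpt("198.51.100.4", True, "victim.example"),
    }
    return {k: evaluate(restrictions, v) for k, v in cases.items()}


if __name__ == "__main__":
    for label, rules in (("open relay", OPEN_RELAY), ("hardened", HARDENED)):
        print(label, decisions(rules))
```

The ordering matters: put `reject_unauth_destination` before the permits and your own roaming users get bounced; leave it out and you are the open relay the spammers are scanning for.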
Every Spam is selling something. Someone is paying to have it sent out. Don't trace the spammers. Hit the advertisers. Subpoena for who they are paying to send out the stuff, and then go after them criminally.
The people that actually have their capital tied up in penis and breast enlargers, sure as heck don't want it seized.
This is more to say "Not everyone who gets blocked deserves it"
Prove me wrong.
-- 'The' Lord and Master Bitman On High, Master Of All
Next up: Distributed Spamming
www.lashen.com
...if the trojan started sending itself out, giving an exponential supply of infected machines.
hotmail accounts only have 2-3 megs of storage and they get canned every month. The spammer is gonna get a lot of mail... and have his account overflow. hmm one could even see that as him being spammed....
Is AnalogX Proxy, which is quite popular with spammers.
As for the not traceable, well I wouldn't count that out. What if someone really knew what was happening, decided to download, and isolate the program with the intent of finding them?
Yes I know they could use anon proxies, but then there is the chance that the anon proxy is not an anon proxy. I wouldn't be surprised if just like honeypots fake anon proxies start popping up with the intent of catching their real ip.
Only problem I see is that the spammers are willing to take the risk and also start using chains of proxies. But wouldn't doing that make things too slow?
Run by someone who will gladly have his server forward any message you send.
There are 2 kinds of people in this world: Those who write in decimal and those who don't
And what they're doing is illegal and opens them up for prosecution. Hello, FBI? Come take my computer away as evidence for months/years/eternity while you conduct an investigation into this trojan email spam thingy. What? Illegal porn and warez on my computer? Suspicious letters in My Documents? Hey, why are you arresting me?!?
Easy way to do this is with VMware. Setup a firewall on your test computer which logs all IP traffic going in or out. Then install VMware on it. Setup a virtual machine and install Windows on it. Set the virtual machine's file system so that changes are lost when it is powered off. Start it up and launch the virus inside the virtual machine. All network traffic from the virtual machine will be in your firewall's logs. SMTP (and IRC too, btw) is plain text. Just look for an unfamiliar hotmail address.
This works well for tracking down IRC trojans too.
Ok, so it isn't hacking but it gets the job done.
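An added example, mine rather than the poster's: once the sandbox traffic is in a log, this Python script picks the beacon out of plaintext SMTP sessions. It splits the capture into sessions, reads MAIL FROM / RCPT TO and the DATA body, and flags any session that mails a free-webmail drop box a body containing an IP address and a port, which is what the submission says the trojan does. The capture, addresses and ports are constructed; the set of drop-box domains is an assumption.

```python
import re
from typing import Dict, List, Optional

# Assumption: webmail domains a beacon would report to (extend as needed).
DROPBOX_DOMAINS = {"hotmail.com"}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]+)>", re.I)
REPLY_RE = re.compile(r"^\d{3}[ -]")   # SMTP server reply lines (3-digit code)
IPPORT_RE = re.compile(rf"({IPV4})\D{{1,10}}(\d{{2,5}})")

# Constructed capture: two sessions as a sniffer on the sandbox host might log
# them, client and server lines interleaved. Nothing here is from a real infection.
SAMPLE_CAPTURE = """\
220 mx.example.net ESMTP
HELO sandbox-pc
250 mx.example.net
MAIL FROM:<owner@isp.example>
250 OK
RCPT TO:<dropbox123@hotmail.com>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: online
IP: 203.0.113.45 PORT: 6588
.
250 OK queued
QUIT
221 Bye
220 mx.example.net ESMTP
HELO sandbox-pc
MAIL FROM:<owner@isp.example>
RCPT TO:<friend@example.org>
DATA
Subject: hi
see you tomorrow
.
QUIT
"""


def split_sessions(capture: str) -> List[List[str]]:
    """One session per QUIT. Server replies are dropped so only client data
    remains (a body line that itself starts with three digits would be lost)."""
    sessions, current = [], []
    for line in capture.splitlines():
        if REPLY_RE.match(line):
            continue
        current.append(line)
        if line.strip().upper() == "QUIT":
            sessions.append(current)
            current = []
    if current:
        sessions.append(current)
    return sessions


def parse_session(lines: List[str]) -> Dict[str, object]:
    """Pull sender, recipients and the DATA body out of one client session."""
    sender: Optional[str] = None
    rcpts: List[str] = []
    body: List[str] = []
    in_data = False
    for line in lines:
        if in_data:
            if line.strip() == ".":
                in_data = False
            else:
                body.append(line)
            continue
        m = ADDR_RE.match(line)
        if m:
            if m.group(1).upper() == "MAIL FROM":
                sender = m.group(2).lower()
            else:
                rcpts.append(m.group(2).lower())
        elif line.strip().upper() == "DATA":
            in_data = True
    return {"from": sender, "rcpts": rcpts, "body": "\n".join(body)}


def find_beacons(capture: str) -> List[Dict[str, object]]:
    """Sessions that mail a drop-box domain a body carrying an IP:port pair."""
    findings = []
    for s in map(parse_session, split_sessions(capture)):
        dropbox = [r for r in s["rcpts"] if r.rsplit("@", 1)[-1] in DROPBOX_DOMAINS]
        m = IPPORT_RE.search(s["body"])
        if dropbox and m:
            findings.append({"rcpt": dropbox[0],
                             "reported_ip": m.group(1),
                             "reported_port": int(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CAPTURE):
        print(f)
```

The second session (ordinary mail to a friend) is parsed but not flagged, which is the point: the test is the pairing of a drop-box recipient with a self-reported listening port, not webmail traffic on its own.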
Those are all from a sequential block of spam bounces that we received. Look at the locations: Spain, Greece, the Netherlands, Malaysia, Turkey. That has to be some kind of distributed attack.
They're using our name. I operate Downside, a respected financial information site, and own "Downside" as a registered US trademark. I want to find out who's behind this. They're making us look bad. I get hate mail, because this spammer is advertising "extreme rape" sites.
Insights on how they're doing this would be appreciated. If this spammer can be clearly tied to felony computer intrusions, that would give me something solid to give my attorney.
That's why they call them trojan horses. The recipient is told that the program will enable access to unlimited free prawns or a faster internet connection or some other crap along those lines.
or other Outlook like unix mail programs
I just wish there was a way to get them to stop trying to sell me those damn Iraqi playing cards.
Maybe everyone is anti-spam. Probably even.
The "anti-spam crowd" are those that firmly believe that email is for their personal communications only. Any commercial use violates the terms of how the Internet was created and that is exclusively for the benefit of the user community. After all, the US taxpayers (and Al Gore) created it - it should be free of all commercial interests.
So, if a company sends an email newsletter they are spamming. If it has an advertisement in it, it is evil spam and must be stopped.
The recipient is told that the program will enable access to unlimited free prawns
How extremely shelfish of them..
*ducks*
... might be something that can be used to catch the spammer. Set up a box on some dialup disguised as a compromised box and study the behavior of the spammer and then track down the slimebag.
The major innovation that sets the Internet apart from other networks is that it is a peer to peer network! Every IP is equally important, and everyone is client and server.
;-)
NAT and proxy-only access are already threatening that. Don't give up the non-centralized nature advantage of IP or the future looks bleak!
Sending email through my ISPs relay has several important disadvantages. First and foremost, I cannot see whether the mail was already delivered to the recipient's SMTP server or whether it still is rotting in my ISP's queue. Also, my ISP might have a disk crash and lose my mail in his queue. This danger is completely eliminated if I send my emails directly. And why wouldn't I? It is faster and my ISP has less cost to burden and consequently less money to charge me.
In the grand tradition of Slashdot, also consider the "free speech" aspects of this
I'm running t3h Lunix! Suck on dat, bizn0tch35!!!!
The slashdot editors' 'puters have almost all been infected. A source who agreed to comment on the grounds of anonymity said: "yeah, they got Taco a while ago, but now Timothy and a few others are competing for most Dupes posted to the front page..." He went on to say: "Taco has really been hurt by this. He has admitted in private he can't tell the difference between news and news that was already reported [on his site]."
This has been confirmed by another source: "yeah, they got Taco a while ago, but now Timothy and a few others are competing for most Dupes posted to the front page..." He went on to say: Taco has really been hurt by this. He has admitted in private he can't tell the difference between news and news that was already reported [on his site].
For proof, please reference these links: Catching up with Wine,World of Ends Public Draft, TarProxy Creates Tar Pit... For Spammers , Toms Hardware Reviews 65 CPU's, Past & Present , Linux on the iPod , Why VHS Was Better Than Betamax , Environmental Impact of the Ubiquitous Microchip , Toner Cartridges new DMCA victim , Ogg Vorbis in Quicktime 6.0.2 , Sony, Matsushita Back Linux For Consumer Goods , When Personalization Runs Amuck , Spam King Lives Large off Others' E-Mail Troubles , Ogg Vorbis For Hardware Makers , When Spun Really Fast, CDs Explode.
Or just check this site: SlashDupes.com
Or just check the home page of www.slashdot.org at any given moment, and there is a 63% chance you will see a dupe in the active stories, and a 79% chance there will be a dupe in the current and older stuff links.
Taco could not be reached for comment, apparently having made a 'run for the border'
Silly Rabbit: tricks are for kids.
Linux Online didn't look very hard. Their big problem is with "Casino of the Sun", which is operated by Grafix Softech in San Juan, Puerto Rico. They're a real company with real assets, run by Tej Kohli and Juan Bonilla. They're even hiring sysadmins.
Is it the writing of viruses or sending the spam that is illegal and opens them up for prosecution? Either way writing a virus that says 'Hey the writer has some link with that web page over there!!!!!' does not sound like an act of desperation more like stupidity
<conspiracy>
Unless the virus was written by one of the more rabid Anti-Spam types as a method of harassing an 'innocent' spammer/dodgy webpage
</conspiracy>
Why don't you have your attorney sue the proprietors of the 'extreme rape' sites, as well as parties unknown who act as their mass-mailing advertisers?
Then, you can force the site admins to turn over their records during discovery, find out who exactly the spammers are, and go after them directly as well.
ABW
All employees must wash hands before seeking equitable relief.
Try connecting to 192.168.1.102:25 and see how far that gets you.
Would it be possible to set an ISP's router to automatically re-direct any TCP packet with a port-25 destination through a spamassasin-type filter to check it before it continues its journey?
Basically having a router that intercepts anything going out to port 25 from any port and pre-check it before allowing it to continue on?
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
If the spammer uses the proxy/trojan installed by Sobig.a which listens on port 1180 (socks) and 1182 (http), it's very traceable. You need only the password to the proxy management station (it's "zaq123") and you can watch the traffic or shut it down altogether.
See this analysis of Sobig and Spam for more details.
Of course, this MBIWYL (may be illegal where you live)
I've had a weird instance with email going out my mail client (Outlook, but I switched to Mozilla Mail now) without knowing it. Here's the story:
1. Just opened up outlook and looked in the "sent" folder to re-read an email i sent to a friend.
2. I find 4-5 emails that were mailed to addresses I never heard of, with the messages saying something to the effect of: "please remove me from your mailing list." (The messages were all identical to each other).
3. This has only happened twice, and then stopped.
I haven't found any more suspicious sent email in my "sent" folder.
FYI: This is a personal computer, no one else uses it but me.
Now, i don't send a lot of email, and when I do I know who i sent it to. I also know not to write emails back to spammers even with a "remove from list" message enclosed, because it just sends the spammers the signal that my email account exists and is active, which results in even more spam. (so i've heard at least)
Any idea what caused this?
I've also heard that the main reasons one gets an email trojan is by clicking on a link in a email, or downloading/running an email attachment.
I also know about "drive-by downloading" that happens while visiting websites. The next thing you know you got spyware coming out the ass because of this. (and of course certain programs sneakily install them as well.)
My second question is, could it be possible for a website to install this trojan on your computer without you knowing it? I mean, they do it with spyware, I don't see why they couldn't do this with email trojans as well.
A Penny for my thoughts? Here's my two cents. I got ripped off!
1. The spammers are doing this because they get paid to do it.
2. Someone is paying them; paying them to advertise a product and contact the payer (somehow) to sell a product.
3. The person paying them knows who they paid to email this crap.
4. If the email was sent via this trojan, just follow the trail from the email sent to the payer and, from there, to the spammer.
Even if the spammer claims that someone else (riiiight) must have sent the trojans on their way, he got paid for it and should be levied with fines equal to (or greater than) the payment. A few cases of this should stop the use of this trojan.
Actually, given that spammers would not be doing this unless they made money, why aren't the people who pay for spam to be delivered being held responsible for spam? They do it with drugs and prostitution.
Sending email through my ISPs relay has several important disadvantages. First and foremost, I cannot see whether the mail was already delivered to the recipient's SMTP server or whether it still is rotting in my ISP's queue. Also, my ISP might have a disk crash and lose my mail in his queue.
You also have no idea how big a queue your ISP's third party relay has, or if someone has just uploaded some spam to that relay. Even if an ISP restricts their relay to the IPs of their customers this isn't much good unless they only allow access after verifying the identity of every customer
This danger is completely eliminated if I send my emails directly. And why wouldn't I? It is faster and my ISP has less cost to burden and consequently less money to charge me.
The only situation where using a third party relay does help is sending the same email to lots of people... The really interesting thing is that the SMTP spec doesn't require any support for third party relays.
Now lets look at this with $SMTP+1 (With spiffy authentication).
Spammer uses email software on that machine to spam other machines. Since we have email authentication now, the other users either get "from a trusted source" (if they already knew the person) or "from a new source (Key matches Joe Outlook Idiot)".
One of the key things to fix if you redo SMTP is fakemail. In other words, you'll not be able to send email unless you a) either have a real domain that you can send email from (like with MX server etc.), or b) use the JoeOutlookIdiot@hisisp.com account. In the first case you'll know who the company is since they use their own domain, in the second case you'll know exactly who was hacked and can take countermeasures. Unlike now, where most of the SPAM I get is from an invalid address, and the company will likely claim not knowing about the spammer.
Your idea of a "trusted source" won't work. It's simply not feasible for me to hold a whitelist (or blacklist) of all the spammers out there. You need to stop relaying and fakemail.
Kjella
Live today, because you never know what tomorrow brings
http://www.martiansoftware.com/tarproxy/
Every day I get a spam with a poorly worded subject line (with offensive words intentionally misspelled) and a single URL in the body. Since mozilla was having a hard time identifying these messages as spam, I eventually began looking at the IP addresses of these messages and found that they were all different and didn't seem to relate to one another at all. At this point I realized that there was some kind of distributed spam attack going on and I was the recipient. Just for the heck of it, here are some of the URL's that it is advertising:
u s.lewdmother.biz . stopspy.infot tp://heevavam.lewdmother.biz/o ral-moms.biz/t p://qeimeileig.incestuals.com/
http://coorourav.homethrill.biz
http://veemeem
http://xaboasot.incestuals.com/
http://loufagaw.scaredgirls.com
http://peehuqov
http://zeagiseit.incestuals.com/
h
http://xoohouc.imm
http://toobabat.homethrill.biz
ht
So there are some repeats in there. Man I'd love to see the person sending me this crap thrown in jail for 12 months to ponder their wretched existence.
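An added example, not from the poster: a Python check that does the look-at-the-IPs step systematically. For each message it reads the client IP recorded by the receiving MX in the top Received header (the only hop you can trust, since everything below it can be written by the relay), pulls the advertised hostnames out of the body, and groups origin IPs by advertised domain. One domain advertised from many unrelated addresses is the distributed pattern described above. The MX name, messages, addresses and domains are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumption: our own MX, which wrote the top Received header.
OUR_MX = "mx.example.net"

RECEIVED_RE = re.compile(
    r"^Received: from \S+ \(.*?\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]\)\s+by\s+(?P<by>\S+)",
    re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed messages: three relays in different networks, one campaign.
# The second Received line in each is whatever the relay chose to write.
SAMPLE_MESSAGES = [
    """Received: from dsl-45.isp.example (dsl-45.isp.example [203.0.113.45])
    by mx.example.net (Postfix) with SMTP id 1A2B3C
    for <me@example.net>; Tue, 10 Jun 2003 02:14:11 +0000
Received: from relay.forged.example [10.0.0.1] by dsl-45.isp.example
From: nobody@nowhere.example
Subject: chekc this out

http://abcdef.spamvertised.example/
""",
    """Received: from cable-20.other.example (unknown [198.51.100.20])
    by mx.example.net (Postfix) with SMTP id 4D5E6F
    for <me@example.net>; Tue, 10 Jun 2003 03:01:40 +0000
From: someone@else.example
Subject: chekc this out

http://qwerty.spamvertised.example/
""",
    """Received: from ppp-77.third.example (ppp-77.third.example [192.0.2.77])
    by mx.example.net (Postfix) with SMTP id 7G8H9I
    for <me@example.net>; Tue, 10 Jun 2003 04:22:09 +0000
From: bob@example.org
Subject: hi

http://zxcvbn.spamvertised.example/ and http://www.example.org/
""",
]


def unfold(headers: str) -> List[str]:
    """Join RFC 822 continuation lines so each header is one string."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def origin_ip(raw: str) -> Optional[str]:
    """IP of the client that handed the message to OUR_MX, or None."""
    headers, _, _ = raw.partition("\n\n")
    for h in unfold(headers):
        m = RECEIVED_RE.match(h)
        if m and m["by"].lower() == OUR_MX:
            return m["ip"]
    return None


def registrable(host: str) -> str:
    """Crude last-two-labels domain; good enough to collapse random subdomains."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(messages: List[str]) -> Dict[str, List[str]]:
    """Map each advertised domain to the sorted set of origin IPs that pushed it."""
    by_domain = defaultdict(set)
    for raw in messages:
        ip = origin_ip(raw)
        if ip is None:
            continue
        _, _, body = raw.partition("\n\n")
        for host in URL_RE.findall(body):
            by_domain[registrable(host)].add(ip)
    return {d: sorted(ips) for d, ips in by_domain.items()}


def distributed(report: Dict[str, List[str]], threshold: int = 3) -> List[str]:
    """Domains pushed from at least `threshold` distinct origin addresses."""
    return sorted(d for d, ips in report.items() if len(ips) >= threshold)


if __name__ == "__main__":
    rep = analyze(SAMPLE_MESSAGES)
    print(rep)
    print("distributed:", distributed(rep))
```

The random-looking hostnames in the thread's list are why the grouping is by registrable domain rather than by full hostname; the subdomain changes per message, the paying domain does not.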
Ever sign up ever "opt-in", "permission-based" marketer or "submission-based" marketing junk, garbage?
I didn't think so.
I'm attempting to set up a feedback loop with "opt-in" by signing each "opt-in" marketer with other "opt-in" marketers.
I'm also trying to P.O. their access points by signing them up to their customers "opt-in" list.
"profitabill.com" is currently refusing connections from some IP addresses, but it's not down.
Ahem, what's new about this? Since day one, there's almost always been an illegal component to most spammer's activities, the most obvious of which has been the hijacking of third party mail relays.
Another nasty trick spammers are now using involves the exploitation of form mailing scripts on web servers. If you see references in web server logs to files such as "formmail.*", these are spammers probing for vulnerable versions of the Matt's Script Archive form mailing script that could be repurposed to overload the headers and effectively turn your web site into a spamming machine.
While spam continues to become an ever-increasing problem, the solution, in my opinion, has always been the same: vigorously prosecute the criminal aspects of the spammer's activities which include breaking into computers, networks, and exploiting third-party relays. The sad truth is that there are laws already on the books criminalizing the activity of 99% of spammers, but the various governments consistently refuse to enforce these laws. We don't need more anti-spam legislation; we don't need more elaborate filtering. We need people to rally the government to crack down on the spammers by enforcing laws already on the books, and not put a requirement of a certain amount of monetary (or publicity) damage before they'll decide to take action against someone who has broken the law.
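An added example, not from the poster: a Python scan over Apache combined-format access-log lines that picks out the FormMail probes described above, counts them per source address and, more usefully, separates probes your server answered with a 2xx from the 404s. A 404 is a scanner finding nothing; a 200 on a formmail POST means the script is installed and its version needs checking. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from typing import Dict

# Apache "combined"/"common" log line: client, identd, user, [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
# Any path component named formmail, whatever the extension or case, with or
# without a query string.
PROBE_RE = re.compile(r"/formmail(?:\.[a-z0-9]+)?(?:\?|$)", re.I)

# Constructed sample: one scanner walking the usual names, one ordinary visitor
# whose site actually has a formmail.php installed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2003:02:14:11 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 291
203.0.113.7 - - [10/Jun/2003:02:14:12 +0000] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 291
203.0.113.7 - - [10/Jun/2003:02:14:13 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.20 - - [10/Jun/2003:02:20:00 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.20 - - [10/Jun/2003:02:20:05 +0000] "GET /contact/formmail.php?recipient=x@y.example HTTP/1.1" 200 880
"""


def scan_log(text: str) -> Dict[str, Dict[str, object]]:
    """Per source IP: number of formmail probes, how many got a 2xx, and
    which script paths were tried (query strings stripped)."""
    report = defaultdict(lambda: {"probes": 0, "answered": 0, "paths": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue
        entry = report[m["ip"]]
        entry["probes"] += 1
        entry["paths"].add(m["path"].split("?", 1)[0])
        if m["status"].startswith("2"):
            entry["answered"] += 1   # the script exists and responded: audit it
    return {ip: {**e, "paths": sorted(e["paths"])} for ip, e in report.items()}


def answered_paths(report: Dict[str, Dict[str, object]]) -> list:
    """Script paths that returned 2xx to at least one probe, i.e. the ones to audit."""
    return sorted({p for e in report.values() if e["answered"] for p in e["paths"]})


if __name__ == "__main__":
    rep = scan_log(SAMPLE_LOG)
    for ip, e in rep.items():
        print(ip, e)
    print("check these:", answered_paths(rep))
```

Note that `answered_paths` is deliberately coarse: it lists every path a 2xx-answering source touched, including the 404s from the same scanner, so the output is a to-audit list rather than proof of exploitation.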
There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens.
Maybe I'm being overly cynical, but I think the reason spammers are doing this is only because it's more profitable than not doing it. I mean, they're using other people's bandwidth, and bandwidth is really the only variable cost associated with spamming. Whether or not they're desperate is an independent and unrelated issue.
I'm all for research and cool uses of computers...
but when we know who's doing it, where they can be reached, and who's employing them...the next step isn't "more research", its "legal action".
The parent is very useful information
But where will I get my penis and breast enlargement supplements?!
Spammers scrape e-mails from posts. Post emails with billions of bogus email addresses. Then the valid email addresses will be sparse. Spammers will waste time sending to bogus addresses.
For the past week, I've been swamped with junk mail. I can't say for sure, but I wouldn't be surprised if it's coming from machines infected by a spam relaying trojan. Many other Demon Internet users are receiving similar junk. The even more annoying part is that the mail is being sent to random user names @myhostname.demon.co.uk, so I'm getting dozens of copies of each message. As I'm on dial-up at the moment, this is a major problem.
Many - but not all - of the messages are originating from AT&T broadband users. A few days ago, I received a message from another AT&T machine, with a 200kb executable attached, pretending to be a security patch sent directly from Microsoft.
Could this be the trojan sending out copies of itself, to create new relays? Maybe not, but I wouldn't be overly surprised.
On the bright side, every scan I get closes one more proxy as I report them all to their ISPs, universities, small companies, etc.
Has anyone else noticed that Texas has surpassed China lately as the number one SSH and FormMail scanning origin? Is that because Texas is the most infected? Or home to the most cracker wanna-bes?
A VERY significant percentage of my spam (90% plus) actually comes from legit addresses from various "opt-in" companies. Like Azoogle.
Having a fake return address means that you can't verify the existence of the destination address.
I do domain-based blocking on 4-5 different header fields. It's pretty effective, but I average 4-5 new spammer domains per week. Once a new one crops up, I'll see many messages from the same domain until I block it.
retrorocket.o not found, launch anyway?
For the past five days I have been dealing with my local ISP to resolve connection issues. My DSL using static IP's had been working great for six months. They tried everything to resolve the issues and recommended I use a packet sniffer to determine why I was having so much traffic. It would appear that my machine was sending out massive amounts of spam. If I removed services and dll files and rebooted they would return. If I killed the spool task in XP it would reboot the machine.
These problems did not appear to be stemming from Outlook but rather some sort of service on my machine. I am also positive I didn't click any applications from any emails as I am very wary of this type of activity. I also have Cloudmark and it is very good at removing unwanted emails.
I can only imagine they got into my machine because I was not current on my XP updates and I had my firewall setup on its lowest setting for AIM. In the process of trying to eliminate the problem I ended up corrupting my XP install and have reverted to 2k.
I just wanted to share my experience with everyone as these folks are very malicious and a warning to all to update your OS.