Spamming Trojan "Proxy Guzu"
squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (ie disguised as something else so you'll run it.) It then sends an email to a Hotmail email account reporting the IP address of the infected machine and port it's running on. The spammer then merely transmits spam to the infected machine which in turn forwards it on. There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."
If you are running a network, it behooves you to filter outgoing port 25. SMTP is a lousy protocol, and there is no successor to replace it (anytime soon).
E-mail server admins: Please lock down your servers! Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25. It's not that tough, and it's your job. Do it.
There, no excuses.
"It's untraceable. I hate to put that in print, but it's the truth."
So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.
Yes, I am an agent of Satan, but my duties are largely ceremonial.
...beats a pound of medication (or something like that - I'm not too good at English proverbs).
Don't run attachments from mails if you don't trust the sender. Do get a firewall that lets you block both ways (ZoneAlarm from ZoneLabs is my free favorite). The result? You won't get caught by this trojan, and if you should break the first rule of thumb, the second won't turn your PC into a spam-factory.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
well here's at least one that seems to have sorted it
http://archives.neohapsis.com/archives/bugtraq/1999-q4/0317.html
And I meant to mention that the first incident was at the beginning of March this year, and the second at the beginning of April.
Carousel is a lie!
It's AnalogX Proxy, which is quite popular with spammers.
As for the not traceable, well I wouldn't count that out. What if someone really knew what was happening, decided to download, and isolate the program with the intent of finding them?
Yes I know they could use anon proxies, but then there is the chance that the anon proxy is not an anon proxy. I wouldn't be surprised if, just like honeypots, fake anon proxies start popping up with the intent of catching their real IP.
Only problem I see is that the spammers are willing to take the risk and also start using chains of proxies. But wouldn't doing that make things too slow?
That's why they call them trojan horses. The recipient is told that the program will enable access to unlimited free prawns or a faster internet connection or some other crap along those lines.
They do mention it. At the top, where it says "By Kevin Poulsen, SecurityFocus", and at the bottom with "© [SecurityFocus logo]" as a link to www.securityfocus.com. Clearly you did read it, so how did you manage to miss that?
I've been swashdotted -- Elmer Fudd
SMTP is not broken and does not need to be fixed. For example, this virus would never succeed on my windows system. First, my IP address, 10.0.0.11, would not be of much use to the spammer. (And if you know anything about networks, you know why, and why I can post it and not worry.)
Second, in between my windows machine and the rest of the internet I have a firewall. THAT'S what really renders the virus moot. Nobody connects to any machine I have from the outside, period, ever. (Now of course there's ways to defeat a firewall, but that's also a much more difficult task.)
I'm sorry, but you're so unbelievably wrong here, it's difficult to know where to begin...
Firstly, it doesn't matter what your machine's IP is on your local network; 10.x.x.x, 192.168.x.x or anything else. If your machine can reach the net, then (obviously) so can a piece of software running on your machine (ie, a virus).
Secondly, you can have the best firewall in the world, but if a trusted host behind it is compromised then it's "game over". The attacker doesn't have to connect to your machine through your firewall. The compromised machine can connect out and initiate a backchannel - literally punching a hole through the firewall. This would normally be to an IRC server, but could be anywhere really, using any protocol allowed out by the firewall.
So, to sum up: a firewall and local network are not going to protect a machine from a stupid user opening a virus on the machine.
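A defender's complement to the point above about a compromised host connecting out: an added example, not from any commenter, that scans Linux netfilter LOG lines from a gateway and reports internal hosts opening port-25 connections to many distinct outside hosts. The log lines, prefix, interface names and addresses are all constructed; 192.168.1.25 is the assumed mail server.

```shell
#!/bin/sh
# Added example, not from the thread. Scans netfilter LOG lines for internal
# hosts that open connections to port 25 on many distinct outside hosts: a
# workstation doing that is relaying spam, not reading mail.
# Constructed sample log; 192.168.1.25 is the (assumed) mail server and
# 192.168.1.37 the infected workstation. The OUTBOUND: prefix is assumed.
SAMPLE_LOG='Apr  3 10:01:02 gw kernel: OUTBOUND: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3311 DPT=25 SYN
Apr  3 10:01:03 gw kernel: OUTBOUND: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.20 PROTO=TCP SPT=3312 DPT=25 SYN
Apr  3 10:01:03 gw kernel: OUTBOUND: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP SPT=1044 DPT=587 SYN
Apr  3 10:01:04 gw kernel: OUTBOUND: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3313 DPT=25 SYN
Apr  3 10:01:05 gw kernel: OUTBOUND: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=25 SYN
Apr  3 10:01:06 gw kernel: OUTBOUND: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.77 PROTO=TCP SPT=3314 DPT=25 SYN'

# zombie_report MIN_DESTS: reads log lines on stdin and prints
# "src attempts=N distinct_dst=M" for every source that reached port 25
# on at least MIN_DESTS different destinations (default 3). A real mail
# server legitimately talks to many hosts, so whitelist it before alerting.
zombie_report() {
    awk -v min="${1:-3}" '
    {
        src = ""; dst = ""; smtp = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src = substr($i, 5)
            else if ($i ~ /^DST=/)   dst = substr($i, 5)
            else if ($i == "DPT=25") smtp = 1
        }
        if (!smtp || src == "" || dst == "") next
        attempts[src]++
        if (!seen[src, dst]++) dests[src]++
    }
    END {
        for (s in dests)
            if (dests[s] >= min)
                printf "%s attempts=%d distinct_dst=%d\n", s, attempts[s], dests[s]
    }'
}

printf '%s\n' "$SAMPLE_LOG" | zombie_report 3
```

The same function works on a live gateway with `grep OUTBOUND: /var/log/kern.log | zombie_report 5`, the threshold being tuned to the site.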
Code, Hardware, stuff like that.
The executable might report your inside IP address, but the routable source IP would be visible within the headers the SMTP server it connects to prepends to the message. Knowing this wouldn't get them through your firewall, but they'd be one step closer.
You are right, the spam-virus can try to initiate a connection to something on the other side. Of course, I don't forward smtp traffic, so a spam virus would find little happiness running on any of my computers, because it will find itself in a little jail -- and the discussion was a spamming SMTP zombie.
No host behind my firewall is "trusted". One of the beauties of my firewall implementation is that perimeter protection is both ways: protect my computers from bad-boy Internet packets, and protect the Internet from any nastiness that might creep into my computer.
That's the power provided by IPTABLES under Linux. I can filter traffic independently in both directions, using the stateful capabilities of IPTABLES, so that my sieve can handle in-bound SMTP separately from out-bound SMTP, passing one and blocking the other. And I do, because I can.
(N.B.: that's not to take anything away from firewall products for Windows, Macintosh, BeOS, and other systems that implement stateful filtering. There are $50 software packages that afford the same protection, if you elect to use it. The problem, of course, is that a computer virus may be able to "sneak around" a same-system firewall implementation. That's why I like separate firewall computers, and firewall appliances such as the SonicWall. A virus would have to work very hard indeed then to get past the protection.)
In short, my firewall does protect other machines on the Internet from a stupid user opening a virus on a local machine.
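The egress filtering this post and the earlier "filter outgoing port 25, submission on another port" post describe, as an added example that is not any commenter's own ruleset: iptables rules for a Linux gateway that let only the site's mail server reach port 25 while workstations submit mail on port 587. LAN_IF, LAN_NET and MAIL_SERVER are placeholder values, and IPT defaults to echoing the commands rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Egress rules for a Linux gateway: only
# the site's mail server may speak to the world on port 25; workstations
# submit mail to that server on port 587, where SMTP AUTH is required.
# LAN_IF, LAN_NET and MAIL_SERVER are placeholders. IPT defaults to
# "echo iptables" so the function prints the rules instead of applying them;
# run with IPT=iptables (as root) to install them for real.
IPT=${IPT:-"echo iptables"}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
MAIL_SERVER=${MAIL_SERVER:-192.168.1.25}

egress_smtp_rules() {
    $IPT -N SMTP_EGRESS 2>/dev/null || true
    $IPT -F SMTP_EGRESS
    # The mail server is the only host allowed to open connections to port 25.
    $IPT -A SMTP_EGRESS -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    # Workstations may submit mail to the local server on the submission port.
    $IPT -A SMTP_EGRESS -s "$LAN_NET" -d "$MAIL_SERVER" -p tcp --dport 587 -j ACCEPT
    # Any other LAN host talking to port 25 is a spam zombie, not a user:
    # log it (rate-limited) and reset the connection.
    $IPT -A SMTP_EGRESS -s "$LAN_NET" -p tcp --dport 25 \
        -m limit --limit 5/min -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
    $IPT -A SMTP_EGRESS -s "$LAN_NET" -p tcp --dport 25 -j REJECT --reject-with tcp-reset
    # Send new outbound SMTP/submission connections from the LAN through the
    # chain; established flows are handled by the usual stateful rule.
    $IPT -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports 25,587 \
        -m conntrack --ctstate NEW -j SMTP_EGRESS
}

egress_smtp_rules
```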
If the spammer uses the proxy/trojan installed by Sobig.a which listens on port 1180 (socks) and 1182 (http), it's very traceable. You need only the password to the proxy management station (it's "zaq123") and you can watch the traffic or shut it down altogether.
See this analysis of Sobig and Spam for more details.
Of course, this MBIWYL (may be illegal where you live)
Well, since I'm not only an abuse guy in a previous life, but also a present and future abuse guy (for big networks, even), I can give some further insight into this sort of thing.
http://www.iss.net/security_center/advice/Exploits/Ports/1234/default.htm
1234 seems appallingly close to one of the ports sub-7 uses (1243). I would suspect some sort of back-door root-shell, and BEHOLD (through the power of Google):
http://www.itsecurity.com/asktecs/jun1901.htm
There are MANY trojans which use this port. "Ultors Trojan", is perhaps best known. There's also "SubSevenJavaclient". Nasty, nasty.
UDP traffic on port 1234 is indicative of "Infoseek Search Agent", which is the legit use for this port. The trojans do not produce UDP traffic.
Check out http://www.neohapsis.com/neolabs/neo-ports/
I would think that your experience predates the current round of spammer-specific trojans. This is, however, only the tip of the iceberg. Spammers are now creating entire zombie IP address allocations from abandoned or otherwise unused network space. A spammer with his own ASN and spammer-controlled BGP can create ENDLESS havoc.
Zombies on the Register of Known Spam Operations:
http://www.spamhaus.org/rokso/search.lasso?evidencefile=2493
Below are the lists of DIRECT ASNs owned or pirated by spammers, including many of the zombie netblocks:
APNIC zombies
http://spamhaus.org/sbl/listings.lasso?isp=apnic
ARIN zombies and spammer allocations
http://spamhaus.org/sbl/listings.lasso?isp=arin
RIPE zombies and spammer allocations
http://spamhaus.org/sbl/listings.lasso?isp=ripe
--Og
They rarely spam directly from dialups because it's slow.
Untrue -- and I run the domain anti-spam.org, so I know a bit about the problem. By using the BCC mechanism, they are able to find an open relay, send the message once and BCC a hundred or more recipients. The open relay SMTP server then sends a copy of the message to each BCC recipient. Thus, the spammers get bandwidth multiplication.
It's a very good reason to block email from dynamic DSL and cable modem IPs.
Now you're grasping at straws.
http://www.martiansoftware.com/tarproxy/