Slashdot Mirror


Spamming Trojan "Proxy Guzu"

squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (i.e. disguised as something else so you'll run it). It then sends an email to a Hotmail email account reporting the IP address of the infected machine and the port it's running on. The spammer then merely transmits spam to the infected machine, which in turn forwards it on. There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."

8 of 236 comments

  1. Filter egress port 25!! by RT Alec · Score: 4, Informative

    If you are running a network, it behooves you to filter outgoing port 25. SMTP is a lousy protocol, and there is no successor to replace it (anytime soon).

    E-mail server admins: Please lock down your servers! Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25. It's not that tough, and it's your job. Do it.

    There, no excuses.

  2. Untraceable? by Old Uncle Bill · Score: 5, Informative

    "It's untraceable. I hate to put that in print, but it's the truth."

    So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.

    --
    Yes, I am an agent of Satan, but my duties are largely ceremonial.

    1. Re:Untraceable? by Mike1024 · Score: 3, Informative

      Hey,

      So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source?

      They could put a proxy function in. The spammer contacts one computer, and that computer contacts another. Thus the second computer couldn't locate the spammer, but any e-mail messages would only have the second computer's IP address.

      If they were really crafty, they could have a web-like feature. Each infected system could scrape web pages for, say, 15 e-mail addresses (could use IE's cache), and port scan computers for 5 different computers with the virus. The spammer injects one message into the network, and the infected computer forwards it to all 5 on the list, which forward it to all the systems on its list, and so on. One day later, the network switches to 'send' mode, and each node sends out the message to its 15 e-mail addresses.

      A sort of Gnutella network + Code red port scanning + web page scraper + mail program virus.

      Of course, such a program would get zapped by port blockers and virus scanners pretty fast.

      Just my $0.02,

      Michael

      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion

  3. Re:I think I've seen something like this... by Saint Aardvark · Score: 3, Informative

    Sorry, express search link here:

    http://archives.neohapsis.com/archives/bugtraq/1999-q4/0317.html

    And I meant to mention that the first incident was at the beginning of March this year, and the second at the beginning of April.

  4. Re:OE Question. by Meowing · · Score: 3, Informative

    That's why they call them trojan horses. The recipient is told that the program will enable access to unlimited free prawns or a faster internet connection or some other crap along those lines.

  5. Re:Proxies & broken e-mail by satch89450 · Score: 3, Informative

    Secondly, you can have the best firewall in the world, but if a trusted host behind it is compromised then it's "game over". The attacker doesn't have to connect to your machine through your firewall. The compromised machine can connect out and initiate a backchannel - literally punching a hole through the firewall. This would normally be to an IRC server, but could be anywhere really, using any protocol allowed out by the firewall.

    You are right, the spam-virus can try to initiate a connection to something on the other side. Of course, I don't forward smtp traffic, so a spam virus would find little happiness running on any of my computers, because it will find itself in a little jail -- and the discussion was a spamming SMTP zombie.

    No host behind my firewall is "trusted". One of the beauties of my firewall implementation is that perimeter protection is both ways: protect my computers from bad-boy Internet packets, and protect the Internet from any nastiness that might creep into my computer.

    That's the power provided by IPTABLES under Linux. I can filter traffic independently in both directions, using the stateful capabilities of IPTABLES, so that my sieve can handle in-bound SMTP separately from out-bound SMTP, passing one and blocking the other. And I do, because I can.

    (N.B.: that's not to take anything away from firewall products for Windows, Macintosh, BeOS, and other systems that implement stateful filtering. There are $50 software packages that afford the same protection, if you elect to use it. The problem, of course, is that a computer virus may be able to "sneak around" a same-system firewall implementation. That's why I like separate firewall computers, and firewall appliances such as the SonicWall. A virus would have to work very hard indeed then to get past the protection.)

    In short, my firewall does protect other machines on the Internet from a stupid user opening a virus on a local machine.
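The egress filtering that comments 1 and 5 call for, as an added example that is not part of the thread: a small POSIX shell script for a Linux iptables gateway that forwards TCP/25 only from one authorized mail host, logs and rejects every other outbound SMTP attempt from the LAN, and then mines the resulting kernel log lines for the internal hosts that tried. The interface names, the 192.0.2.0/24 addresses, the log prefix and the sample log lines are all assumptions constructed for the example; the iptables options used (conntrack, limit, LOG, REJECT) are standard ones.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): egress filtering of TCP/25 on a
# Linux iptables gateway, plus a log scraper to find hosts that tripped it.
# Assumed (hypothetical) topology: LAN on eth1, Internet on eth0, and a single
# authorized outbound mail server at 192.0.2.10. Everything else on the LAN
# must submit mail to that host (or to a remote submission port, not 25).

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
MAILHOST="${MAILHOST:-192.0.2.10}"

# Emit the rule set as text so it can be reviewed before being applied.
# Inbound SMTP to the mail host and outbound SMTP from it are handled as
# separate rules, so one can be allowed while the other is blocked.
smtp_rules() {
    cat <<EOF
iptables -N SMTP_EGRESS
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $MAILHOST --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j SMTP_EGRESS
iptables -A SMTP_EGRESS -s $MAILHOST -j ACCEPT
iptables -A SMTP_EGRESS -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
EOF
}

# Apply the rules (needs root; assumes FORWARD policy is already DROP).
apply_smtp_rules() {
    smtp_rules | sh -e
}

# Read kernel log lines on stdin and print "count host" for every LAN source
# that was rejected, busiest first. A workstation near the top of this list
# that is not a mail server is the kind of infected proxy the article describes.
blocked_sources() {
    grep 'SMTP-EGRESS-BLOCK:' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Constructed sample log lines in the format the LOG target writes to syslog.
SAMPLE_LOG=$(cat <<'EOF'
Jan  5 10:01:02 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=3201 DPT=25 SYN
Jan  5 10:01:03 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=203.0.113.9 LEN=48 PROTO=TCP SPT=3202 DPT=25 SYN
Jan  5 10:02:11 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.0.2.88 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=4410 DPT=25 SYN
Jan  5 10:02:12 gw kernel: OTHER-RULE: IN=eth1 OUT=eth0 SRC=192.0.2.88 DST=198.51.100.20 LEN=60 PROTO=UDP SPT=5000 DPT=53
EOF
)

# Usage: review the rules, then run the scraper over the constructed log.
smtp_rules
printf '%s\n' "$SAMPLE_LOG" | blocked_sources
```

Run as a normal user the script only prints the rules and the per-host counts; `apply_smtp_rules` is what a root shell would call after the rule text has been read through. Pointing `blocked_sources` at the real kernel log (for example `grep SMTP-EGRESS-BLOCK /var/log/kern.log | blocked_sources`) gives the same report for live traffic.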

  6. Re:I think I've seen something like this... by Caveman Og · Score: 5, Informative

    Well, since I'm not only an abuse guy in a previous life, but also a present and future abuse guy (for big networks, even), I can give some further insight into this sort of thing.

    1234 seems appallingly close to one of the ports sub-7 uses (1243). I would suspect some sort of back-door root-shell, and BEHOLD (through the power of Google):

    http://www.itsecurity.com/asktecs/jun1901.htm
    http://www.iss.net/security_center/advice/Exploits/Ports/1234/default.htm

    There are MANY trojans which use this port. "Ultors Trojan", is perhaps best known. There's also "SubSevenJavaclient". Nasty, nasty.

    UDP traffic on port 1234 is indicative of "Infoseek Search Agent", which is the legit use for this port. The trojans do not produce UDP traffic.

    Check out http://www.neohapsis.com/neolabs/neo-ports/

    I would think that your experience predates the current round of spammer-specific trojans. This is, however, only the tip of the iceberg. Spammers are now creating entire zombie IP address allocations from abandoned or otherwise unused network space. A spammer with his own ASN and spammer-controlled BGP can create ENDLESS havoc.

    Zombies on the Register of Known Spam Operations:

    http://www.spamhaus.org/rokso/search.lasso?evidencefile=2493

    Below are the lists of DIRECT ASNs owned or pirated by spammers, including many of the zombie netblocks:

    APNIC zombies
    http://spamhaus.org/sbl/listings.lasso?isp=apnic

    ARIN zombies and spammer allocations
    http://spamhaus.org/sbl/listings.lasso?isp=arin

    RIPE zombies and spammer allocations
    http://spamhaus.org/sbl/listings.lasso?isp=ripe

    --Og

  7. Re:No, don't limit the Internet! by fmaxwell · Score: 3, Informative

    They rarely spam directly from dialups because it's slow.

    Untrue -- and I run the domain anti-spam.org, so I know a bit about the problem. By using the BCC mechanism, they are able to find an open relay, send the message once and BCC a hundred or more recipients. The open relay SMTP server then sends a copy of the message to each BCC recipient. Thus, the spammers get bandwidth multiplication.

    It's a very good reason to block email from dynamic DSL and cable modem IPs.

    Now you're grasping at straws.