Slashdot Mirror


Spamming Trojan "Proxy Guzu"

squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (i.e. disguised as something else so you'll run it). It then sends an email to a Hotmail email account reporting the IP address of the infected machine and the port it's running on. The spammer then merely transmits spam to the infected machine, which in turn forwards it on. There's a bright side to all this: spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."

2 of 236 comments

  1. Untraceable? by Old Uncle Bill · Score: 5, Informative

    "It's untraceable. I hate to put that in print, but it's the truth."

    So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.

    --
    Yes, I am an agent of Satan, but my duties are largely ceremonial.
  2. Re:I think I've seen something like this... by Caveman Og · Score: 5, Informative

    Well, since I'm not only an abuse guy in a previous life, but also a present and future abuse guy (for big networks, even), I can give some further insight into this sort of thing.

    1234 seems appallingly close to one of the ports sub-7 uses (1243). I would suspect some sort of back-door root-shell, and BEHOLD (through the power of Google):

    http://www.itsecurity.com/asktecs/jun1901.htm
    http://www.iss.net/security_center/advice/Exploits/Ports/1234/default.htm

    There are MANY trojans which use this port. "Ultors Trojan", is perhaps best known. There's also "SubSevenJavaclient". Nasty, nasty.

    UDP traffic on port 1234 is indicative of "Infoseek Search Agent", which is the legit use for this port. The trojans do not produce UDP traffic.

    Check out http://www.neohapsis.com/neolabs/neo-ports/

    I would think that your experience predates the current round of spammer-specific trojans. This is, however, only the tip of the iceberg. Spammers are now creating entire zombie IP address allocations from abandoned or otherwise unused network space. A spammer with his own ASN and spammer-controlled BGP can create ENDLESS havoc.

    Zombies on the Register of Known Spam Operations:

    http://www.spamhaus.org/rokso/search.lasso?evidencefile=2493

    Below are the lists of DIRECT ASNs owned or pirated by spammers, including many of the zombie netblocks:

    APNIC zombies
    http://spamhaus.org/sbl/listings.lasso?isp=apnic

    ARIN zombies and spammer allocations
    http://spamhaus.org/sbl/listings.lasso?isp=arin

    RIPE zombies and spammer allocations
    http://spamhaus.org/sbl/listings.lasso?isp=ripe

    --Og
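Both comments above make a detection point that is easy to put into working code: Old Uncle Bill's observation that a sniffer on the relaying machine sees where the spam is coming from, and Og's point that TCP on port 1234 is the trojan signature while UDP on 1234 is legitimate Infoseek traffic. The script below is an added example written for this thread; it is not code from The Register story, from either commenter, or from any analysis of "Proxy Guzu" itself. It assumes a simple flow-log line format and an internal address range that are both constructed here, and it treats an external TCP connection to port 1234 followed by a burst of outbound SMTP sessions from the same host as the relay pattern the story describes, reporting the inbound peer as the likely controller.

```python
"""Flag hosts behaving like a spam-relay proxy from connection records.

Added example for this thread, not code from the story or the commenters.
Heuristics taken from the discussion:
  * an inbound TCP connection from outside to port 1234 is suspect; UDP on
    1234 is the legitimate Infoseek Search Agent traffic and is ignored;
  * if the same host then opens outbound SMTP (port 25) sessions to many
    distinct mail servers inside a short window, it is relaying, and the
    inbound peer is the "source" a sniffer on that box would reveal.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


INTERNAL = ip_network("192.0.2.0/24")   # constructed: RFC 5737 documentation range
SUSPECT_PORT = 1234
SMTP_PORT = 25
WINDOW = 300          # seconds after the inbound hit to look for SMTP fan-out
MIN_SMTP_PEERS = 5    # distinct mail servers contacted inside the window


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'ts proto src:sport > dst:dport'."""
    ts, proto, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(int(ts), proto.lower(), s_ip, int(s_port), d_ip, int(d_port))


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def find_relays(flows):
    """Return {internal_host: {"controller": ip, "smtp_peers": n}} for hosts
    matching the inbound-1234 then SMTP-fan-out pattern."""
    flows = sorted(flows, key=lambda f: f.ts)
    inbound = [f for f in flows
               if f.proto == "tcp" and f.dport == SUSPECT_PORT
               and is_internal(f.dst) and not is_internal(f.src)]
    findings = {}
    for hit in inbound:
        # Distinct SMTP destinations the suspect host contacted after the hit.
        peers = {f.dst for f in flows
                 if f.proto == "tcp" and f.dport == SMTP_PORT
                 and f.src == hit.dst
                 and hit.ts <= f.ts <= hit.ts + WINDOW}
        if len(peers) >= MIN_SMTP_PEERS:
            findings[hit.dst] = {"controller": hit.src, "smtp_peers": len(peers)}
    return findings


def analyze(log_text: str):
    """Parse a block of constructed log lines and run the relay check."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    return find_relays(flows)


# Constructed sample: one UDP/1234 exchange (benign), one host that accepts a
# TCP/1234 connection and then fans out to five mail servers (relay), and one
# host sending a single ordinary mail (benign).
SAMPLE_LOG = """\
1000 udp 192.0.2.10:1234 > 203.0.113.5:1234
1005 udp 203.0.113.5:1234 > 192.0.2.10:1234
1010 tcp 198.51.100.7:40211 > 192.0.2.20:1234
1015 tcp 192.0.2.20:3001 > 203.0.113.10:25
1016 tcp 192.0.2.20:3002 > 203.0.113.11:25
1017 tcp 192.0.2.20:3003 > 203.0.113.12:25
1018 tcp 192.0.2.20:3004 > 203.0.113.13:25
1019 tcp 192.0.2.20:3005 > 203.0.113.14:25
1020 tcp 192.0.2.20:3006 > 203.0.113.10:25
1100 tcp 192.0.2.30:3007 > 203.0.113.20:25
"""

if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        print(f"{host}: relay suspected, controller {info['controller']}, "
              f"{info['smtp_peers']} SMTP peers")
```

Only the host that took the inbound TCP/1234 connection and then fanned out to five mail servers is reported, with the external peer that connected to it named as the controller; the UDP exchange on 1234 and the single outbound mail are left alone. The thresholds and the window are assumptions for the sample and would be tuned against a real network's normal mail volume.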