Slashdot Mirror


Spamming Trojan "Proxy Guzu"

squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam-sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (i.e. disguised as something else so you'll run it). It then sends an email to a Hotmail email account reporting the IP address of the infected machine and the port it's running on. The spammer then merely transmits spam to the infected machine, which in turn forwards it on. There's a bright side to all this: spammers are doing this because they're desperate, with fewer and fewer spam-friendly havens. And what they're doing is illegal and opens them up for prosecution."
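The story describes a workstation that, once infected, starts sending mail on a spammer's behalf. The following is an added example (not code from the Slashdot story or from The Register) of one cheap network-side check a defender can run: an internal host that is not one of the site's mail relays and suddenly opens TCP/25 connections to many distinct destinations. The flow records, the addresses and the record layout (`timestamp src dst dport bytes`) are all constructed for the example and are not any real exporter's format.

```python
"""Spot internal hosts that have started originating SMTP (TCP/25) traffic.

Constructed example: a spam proxy turns an ordinary workstation into a mail
sender, so a host outside the known mail-relay set that talks port 25 to many
distinct destinations deserves a look. Flow layout and addresses are assumed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The site's legitimate outbound mail relays (constructed addresses).
KNOWN_MAIL_SERVERS = {"10.0.0.25"}
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample flow log: "timestamp src dst dport bytes".
# 10.0.0.25 is the real relay; 10.0.0.117 behaves like an infected workstation.
SAMPLE_FLOWS = """\
1056000001 10.0.0.25 198.51.100.10 25 4120
1056000002 10.0.0.25 203.0.113.5 25 3980
1056000003 10.0.0.117 198.51.100.10 25 2210
1056000004 10.0.0.117 203.0.113.5 25 2205
1056000005 10.0.0.117 192.0.2.44 25 2198
1056000006 10.0.0.117 192.0.2.45 25 2203
1056000007 10.0.0.117 198.51.100.77 25 2211
1056000008 10.0.0.117 203.0.113.90 25 2207
1056000009 10.0.0.42 203.0.113.5 25 1500
1056000010 10.0.0.42 93.184.216.34 443 5120
1056000011 10.0.0.117 64.4.11.42 25 900
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport bytes' lines; skip blank or malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            flows.append({"ts": int(ts), "src": src, "dst": dst,
                          "dport": int(dport), "bytes": int(nbytes)})
        except ValueError:
            continue  # garbage line, ignore rather than abort the whole run
    return flows


def find_smtp_senders(flows, min_destinations=5):
    """Return {src: stats} for internal hosts that are not known mail servers
    and whose port-25 flows reach at least min_destinations distinct hosts."""
    dsts = defaultdict(set)
    conns = defaultdict(int)
    for f in flows:
        if f["dport"] != 25 or f["src"] in KNOWN_MAIL_SERVERS:
            continue
        if ip_address(f["src"]) not in INTERNAL:
            continue  # only flows originated inside the network matter here
        dsts[f["src"]].add(f["dst"])
        conns[f["src"]] += 1
    return {src: {"connections": conns[src], "distinct_destinations": len(d)}
            for src, d in dsts.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for host, stats in find_smtp_senders(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {stats['connections']} SMTP connections to "
              f"{stats['distinct_destinations']} distinct hosts")
```

The distinct-destination count matters more than the raw connection count: a user's mail client talks to one server repeatedly, whereas a proxy relaying spam fans out to many receiving MXs. Tune `min_destinations` to the site; the threshold here is an arbitrary constructed value.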

22 of 236 comments

  1. Uhh by cscx · Score: 3, Insightful

    Hotmail disables said account. Case closed...?

    1. Re:Uhh by fidget42 · Score: 4, Insightful

      After the spammer harvests IP addresses of newly opened relays. Case is still open...

      --
      The dogcow says "Moof!"
    2. Re:Uhh by sinergy · Score: 5, Insightful

      The virus writer would have been smarter to send notices to IRC, or multiple email addresses. Or use broadcasts a la the SQL worm.

      More clever thought behind things like these would make them much more devastating.

      --
      ...
    3. Re:Uhh by Guppy06 · Score: 2, Insightful

      "The virus writer would have been smarter to send notices to IRC, or multiple email addresses. Or use broadcasts a la the SQL worm."

      If the spammer had two braincells to rub together to figure that one out, would they be in the spam business to begin with?

    4. Re:Uhh by dougmc · Score: 4, Insightful

      "If the spammer had two braincells to rub together to figure that one out, would they be in the spam business to begin with?"
      Possibly. Spammers do seem to make money, don't they? And there are many intelligent people out there who like money. Smart people do morally wrong things to make money just like dumb people do.

      The way to stop spam is to remove the profit motive. PEOPLE NEED TO STOP BUYING STUFF THAT THEY GET SPAMMED ABOUT! Once they stop, people will stop paying spammers to advertise their wares, and the spammers will then stop spamming.

      Yes, most spammers do seem pretty stupid. But if it makes money, and it's not illegal, many people, even smart people, have no problems with doing it even if it's morally reprehensible.

    5. Re:Uhh by jafuser · Score: 2, Insightful

      This is a good page. I especially learned a lot from reading the ICQ Chat Logs.

      Sometimes I wonder if the companies who finally benefit from the spam even know just how scummy their sources are. If you read this chat log, you will see a guy, Jeff, is gathering leads for mortgage loans from a "very professional company".

      In situations like this, I wonder how effective it would be to subvert the spam network by using decoy identities to make contact with these companies and hold them liable for their sources so that the people responsible for setting up the chain of communication to the spammers will be fired.

      --
      Please consider making an automatic monthly recurring donation to the EFF
  2. Virus...? by MrNemesis · Score: 3, Insightful

    Are there any AV vendors out there with fixes for this yet? I didn't see any in the article.

    --
    Moderation Total: -1 Troll, +3 Goat
  3. Proxies & broken e-mail by greyrax · Score: 5, Insightful

    Great. First we have the trojan that downloads kiddie porn (has anyone else ever heard of this one?) and now this.

    Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?

    I'm not talking about some of the (innovative) kludges that people have come up with for SMTP, I'm talking about a bare-metal rebuild of the entire system. Sure it will be a pain, but when you move to a new place, you have to give your friends the new phone number and address -- giving a new e-mail address (on the new e-mail system) won't be all that bad will it?

    1. Re:Proxies & broken e-mail by 42forty-two42 · Score: 3, Insightful

      "Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?"

      There is - it's called PGP. SMTP is only intended to transport mail, not to authenticate it. It's the client's job to determine if it should be accepted.
    2. Re:Proxies & broken e-mail by dasunt · Score: 4, Insightful

      SMTP is broken? Maybe, but let's look at this logic.

      1. An email attachment pretends to be something it isn't, people click on it.
      2. The email attachment opens up a relay, sends email back to a Hotmail account.
      3. Spammer uses email account to spam other email accounts.

      Now let's look at this with $SMTP+1 (with spiffy authentication).

      1. An email attachment arrives from a trusted source/new source. People click on it.
      2. The email attachment opens up a backdoor, sends email back to hotmail.
      3. Spammer uses email software on that machine to spam other machines. Since we have email authentication now, the other users either get "from a trusted source" (if they already knew the person) or "from a new source (Key matches Joe Outlook Idiot)".

      Yep, that sure fixed the problem.

  4. Re:Filter egress port 25!! by Webmonger · Score: 2, Insightful

    Why would it matter whether users submit their email on the standard SMTP port?

    I can see why you'd want to block port 25 outgoing on your firewall so no one can bypass your SMTP server, but configuring your SMTP server to accept mail on port 8025 or something... what's the point?

  5. I don't get The Register by Anonymous Coward · Score: 1, Insightful

    It looks like they have "the scoop", but really they just cut and paste the original Security Focus article two days after the fact. Why don't they bother mentioning that? Do they have a partnership? Am I supposed to just know?

  6. No, don't limit the Internet! by fmaxwell · Score: 4, Insightful

    If you are running a network, it behooves you to filter outgoing port 25.

    Why? So that I can't test to see if the spam I received came from an open relay? So that I am forced to answer confidential e-mail from client A through client Y's SMTP server when I am at client Y's site?

    I agree that port 25 should be, by default, locked down on residential dial-up accounts (which spammers use as throwaway accounts), but don't lock it down everywhere. It breaks too many things.

    Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25.

    At the HELO/EHLO, an SMTP server doesn't know if the mail coming into it is "an initial mail submission" or just a message destined for an address served by that user.

    If you set up an SMTP server on a non-standard port, then no one's mail gets there. AOL is not going to talk to your server on port 20025.

    What happens when lots of mail servers are available on non-standard ports? Suddenly your port 25 block does not work any longer. Then the spammers will look for open relays on non-standard ports. You know that there will be a lot of them because there will be the "security through obscurity" crowd who believes that, because their SMTP server is running on port 31172, they can safely leave it open.

    You're headed in the right direction, but leave port 25 alone. My SMTP server is configured to require identification and authentication to send e-mail outside of my domain. All mail servers should be configured that way. This crap of allowing anyone to send e-mail without a username and password is ridiculous.

    1. Re:No, don't limit the Internet! by RT+Alec · Score: 2, Insightful

      My suggestion is to leave port 25 open, but only to allow incoming mail from other SMTP servers-- and only for your local users (by definition, it will not relay mail). So how does a user relay mail (i.e. initial mail submission)? The responsible admin of the user's SMTP server has set up SMTP + AUTH + SSL on that server (or perhaps a different server altogether-- an even better idea). Now this user can send mail (i.e. relay mail, or use the server for initial mail submission-- different terms for the same thing in this case). However, other people (unauthorized people) cannot. Spammers may port scan to their heart's content, but will still be unable to relay any spam.

      My server is port scanned all the time. Many have found my port 465 open, and many have found that it is running an SMTP server with SSL. However, they don't have a user name and password, and thus their attempt to spam is blocked.
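fmaxwell's and RT+Alec's comments above describe the same split: port 25 accepts mail only for local users and never relays, while a separate submission port (465 with SSL, or 587) relays only after the client has authenticated. The following is an added example (not RT+Alec's or fmaxwell's server configuration, and not any real MTA's code) that models that policy as a small scripted SMTP responder, so the decision for each `RCPT TO` can be seen for both listeners. The hostname, domain, user name and password are constructed for the example.

```python
"""Relay policy of a mail server with two listeners (constructed example).

Port 25:      accept RCPT TO only for local domains; anything else -> 554.
Port 465/587: relay anywhere, but only after a successful AUTH; else -> 530.
"""
import base64
import hmac

LOCAL_DOMAINS = {"example.test"}
# Constructed credentials for the example only.
USERS = {"alec": "correct-horse-battery-staple"}


def plain_credential(user, password, authzid=""):
    """Encode a SASL PLAIN credential: authzid NUL authcid NUL password, base64."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


def _address_domain(arg):
    """'TO:<user@host>' -> 'host' (tolerates missing angle brackets/spaces)."""
    addr = arg.split(":", 1)[1].strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower()


class SmtpListener:
    def __init__(self, port, local_domains=LOCAL_DOMAINS, users=USERS):
        self.port = port
        self.submission = port in (465, 587)   # authenticated submission ports
        self.local_domains = {d.lower() for d in local_domains}
        self.users = users

    def _check_plain(self, b64):
        try:
            _authzid, user, pw = base64.b64decode(b64, validate=True).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return False                      # malformed credential, treat as bad
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected, pw)

    def run_session(self, client_lines):
        """Feed client commands in order; return the server reply for each."""
        authed = False
        replies = []
        for line in client_lines:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                replies.append("250-mail.example.test\r\n250 AUTH PLAIN"
                               if self.submission else "250 mail.example.test")
            elif verb == "AUTH":
                if not self.submission:
                    replies.append("502 5.5.1 AUTH not offered on port 25")
                    continue
                mech, _, cred = arg.partition(" ")
                if mech.upper() == "PLAIN" and self._check_plain(cred):
                    authed = True
                    replies.append("235 2.7.0 Authentication successful")
                else:
                    replies.append("535 5.7.8 Authentication credentials invalid")
            elif verb == "MAIL":
                replies.append("250 2.1.0 Ok")
            elif verb == "RCPT":
                domain = _address_domain(arg)
                if domain in self.local_domains:
                    replies.append("250 2.1.5 Ok")      # inbound mail for our own users
                elif self.submission and authed:
                    replies.append("250 2.1.5 Ok")      # relay for an authenticated user
                elif self.submission:
                    replies.append("530 5.7.0 Authentication required")
                else:
                    replies.append("554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                replies.append("221 2.0.0 Bye")
            else:
                replies.append("500 5.5.2 Command not recognized")
        return replies


if __name__ == "__main__":
    # A port scanner that finds 465 open still cannot relay without credentials.
    for reply in SmtpListener(465).run_session(
            ["EHLO scanner", "MAIL FROM:<x@bulk.test>", "RCPT TO:<victim@elsewhere.test>"]):
        print(reply)
```

Two points the model makes visible: the local-domain branch comes first, so port 25 still delivers inbound mail for your own users, and the authenticated flag is per session, so a failed `AUTH` leaves the relay door closed for the rest of that connection. In a real deployment the submission listener should only offer `AUTH PLAIN` after TLS is established, since PLAIN carries the password in base64, not encrypted.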

  7. Untraceable Really ?? by Crashmarik · Score: 5, Insightful

    Every Spam is selling something. Someone is paying to have it sent out. Don't trace the spammers. Hit the advertisers. Subpoena for who they are paying to send out the stuff, and then go after them criminally.

    The people that actually have their capital tied up in penis and breast enlargers sure as heck don't want it seized.

    1. Re:Untraceable Really ?? by isomeme · Score: 4, Insightful

      I suspect that in many cases there is no real product (or even 'real' company) behind the sleazier spams. The whole thing is a trick to get your money, and probably your CC number for further fun and games. After all, most people will be too embarrassed to complain to the cops that their penis enlargement pills never arrived.

      --
      When all you have is a hammer, everything looks like a skull.
  8. No, actually.. by Lord+Bitman · Score: 2, Insightful

    This is more to say "Not everyone who gets blocked deserves it"
    Prove me wrong.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  9. Re:Activists vs. anti-spam crowd by etrnl · Score: 3, Insightful

    No. The antispam crowd believes that it boils down to consent. It is fine for companies to send me newsletters... only if I have given them the permission to do so. If I have not given them permission, then it's UCE.

    There is a difference between CE and UCE, and only the latter is bad.

    Don't mix Stallman's ideas about commercial interests with the antispam crowd. None of us are as rabid as he is.

    --etrnl

  10. Have your attorney attack indirectly by ArsSineArtificio · Score: 4, Insightful

    Why don't you have your attorney sue the proprietors of the 'extreme rape' sites, as well as parties unknown who act as their mass-mailing advertisers?

    Then, you can force the site admins to turn over their records during discovery, find out who exactly the spammers are, and go after them directly as well.

    ABW

    --
    All employees must wash hands before seeking equitable relief.
  11. Re:Why not by Anonymous Coward · Score: 1, Insightful

    192.168.*
    10.1.*
    127.0.0.1

    I imagine these folks are probably too stupid to filter it...

  12. How about outgoing spam filtering? by Nogami_Saeko · Score: 2, Insightful

    Would it be possible to set an ISP's router to automatically re-direct any TCP packet with a port-25 destination through a SpamAssassin-type filter to check it before it continues its journey?

    Basically having a router that intercepts anything going out to port 25 from any port and pre-check it before allowing it to continue on?

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  13. This IS traceable by Anonymous Coward · Score: 2, Insightful

    1. The spammers are doing this because they get paid to do it.
    2. Someone is paying them; paying them to advertise a product and contact the payer (somehow) to sell a product.
    3. The person paying them knows who they paid to email this crap.
    4. If the email was sent via this trojan, just follow the trail from the email sent to the payer and, from there, to the spammer.

    Even if the spammer claims that someone else (riiiight) must have sent the trojans on their way, he got paid for it and should be levied with fines equal to (or greater than) the payment. A few cases of this should stop the use of this trojan.

    Actually, given that spammers would not be doing this unless they made money, why aren't the people who pay for spam to be delivered being held responsible for spam? They do it with drugs and prostitution.