Slashdot Mirror
Spamming Trojan "Proxy Guzu"
squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (ie disguised as something else so you'll run it.) It then sends an email to a Hotmail email account reporting the IP address of the infected machine and port it's running on. The spammer then merely transmits spam to the infected machine which in turn forwards it on. There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."
If I were going to design this, I would make it look up freshly posted email addresses on some public forum that I had cleverly and anonymously posted, rather than some single fixed address. That way when the first one gets closed, I could post another. Or some other scheme along those lines.
find out the hotmail address and send it loads of dummy IP addresses...
---- There are 10 types of people in the world. Those that understand binary and those that don't
See, almost any time we've had people spam before, it's been someone who has signed up for an unlimited dialup account, then goes and spams right away before they get cut off. It got to the point where I was able to guess that someone was going to do this when I was taking down their details for an account; this happened with someone signing up for this guy, and I locked the account before it was even active. This person, like every other spammer I'd dealt with, never called back: they knew exactly what they were doing, and what I would tell them. But this customer did.
Furthermore, she was extremely convincing when she told me she knew nothing about spam. To all appearances she was nearly clueless about computers (no offense to her -- I'm sure I couldn't do her job), could not believe her computer had done anything wrong, and was offended by the spam her computer had sent when she saw the complaint from SpamCop. She didn't argue that it wasn't really spam, or say that she didn't know that it was wrong, or that everyone had opted in, or that it was just an experiment, or anything: she didn't know what she had done, and was confused and astounded when I told her. I ended up letting her back on, against my better judgement, with a warning that if it happened again I'd close her account and that would be that. We changed her password just to be sure that no one else was using her account; unfortunately, the modem she'd dialed in on didn't have caller ID, but she swore blind that no one else knew her password or used her computer.
So a month goes by and I get another complaint from SpamCop -- and it turns out to be the same customer. "Teach me to be nice," I thought, and locked her account. Caller-ID was recorded this time, and it was her number. I told the guy at the branch office where she lived that I'd locked this customer's account -- he had dealt with her the last time -- and he gave her a call. Again, he was convinced that she couldn't be spamming, and he convinced me that we should at least look at her computer. We brought it in to the branch office for a look.
Unfortunately, neither one of us really knew what to do beyond the obvious. It was running Windows 98, no updates; the guy at the office knew Windows, and I know Unix, but neither one of us had experience with this sort of thing. I did a portscan and found one port open (1234), but it the banner said "Express Search"; eventually found this link, which didn't seem to offer much. Meanwhile, the guy in the office ran Trend Micro's HouseCall and Panda's online virus scanner, and didn't find much of interest.
He ended up reinstalling Windows on her computer, adding a firewall, doing all the updates, and letting her back on; we didn't know what else to do. We kept looking around for some mention of a virus or trojan with an SMTP engine (beyond something like Klez, I mean), but couldn't really find anything -- just lots of "This is weird, anyone seen anything like this?".
Sorry to be so vague on the details, but like I said, I really don't know Windows and I'm really not a security guy. But I'm still fairly sure that either she was a wonderful actress, or some 133t haX0r had rooted her box to send spam. Needless to say, this is going to wreak havoc with anyone who has to be the abuse guy -- "Innocent victim of a virus or spammer scum? Hm..."
ObRant: Fucking goddamned spammers anyway. Fuckwads.
Carousel is a lie!
Wait a second... you assume that the lusers that use Outlook, are running a virrusscanner and on top of that keep it up to date?
Boy, are you living in a happy world!
Those are all from a sequential block of spam bounces that we received. Look at the locations: Spain, Greece, the Netherlands, Maylasia, Turkey. That has to be some kind of distributed attack.
They're using our name. I operate Downside, a respected financial information site, and own "Downside" as a registered US trademark. I want to find out who's behind this. They're making us look bad. I get hate mail, because this spammer is advertising "extreme rape" sites.
Insights on how they're doing this would be appreciated. If this spammer can be clearly tied to felony computer intrusions, that would give me something solid to give my attorney.
SMTP is not broken and does not need to be fixed. For example, this virus would never succeed on my windows system. First, my IP address, 10.0.0.11, would not be of much use to the spammer. (And if you know anything about networks, you know why, and why I can post it and not worry.)
Second, in between my windows machine and the rest of the internet I have a firewall. THAT'S what really renders the virus moot. Nobody connects to any machine I have from the outside, period, ever. (Now of course there's ways to defeat a firewall, but that's also a much more difficult task.)
SMTP is not the issue. Naked machines on the 'net and crappy mail readers are. If a virus can take control of your machine, what authentication process can you devise that the virus can't duplicate now that it has control of the very same program you use to send email in the first place?
Even typing a password with every single email you send wouldn't work, because all a virus has to do is pop up a fake password box once, record what you type, and it can send all the authenticated email it wants. PGP and cookies don't help either, becuase that virus still has control of your machine. It can run your email program directly and just send mouse clicks to drive your email program. (Yes, this is done all the time for automated testing of windows programs.)
Basically, what's really needed is to put some or all of these SOBs in jail. And technical measures like SECURITY are the ticket, not just SMTP. This must be automatic for home users--ISPs must get involved as well as MS (and desktop Linux) to ensure that home users are adequately protected. And Outlook should just plain be made illegal. Period. Scrub that POS off the hard drive and forget it.
Sorry if I went off too much there. Laters.
I've had a weird instance with email going out my mail client (Outlook, but I switched to Mozilla Mail now) without knowing it. Here's the story:
1. Just opened up outlook and looked in the "sent" folder to re-read an email i sent to a friend.
2. I find 4-5 emails that were mailed to addresses I never heard of, with the messages saying something to the effect of: "please remove me from your mailing list." (The messages were all identical to each other).
3. This has only happened twice, and then stopped.
I haven't found any more suspicious sent email in my "sent" folder.
FYI: This is a personal computer, no one else uses it but me.
Now, i don't send alot of email, and when I do I know who i sent it to. I also know not to write emails back to spammers even with a "remove from list" message enclosed, because it just sends the spammers the signal that my email account exists and is active, which results in even more spam. (so i've heard at least)
Any idea what caused this?
I've also heard that the main reasons one gets an email trojan is by clicking on a link in a email, or downloading/running an email attachment.
I also know about "drive-by downloading" that happens while visiting websites. The next thing you know you got spyware coming out the ass because of this. (and of course certian programs sneakily install them as well.)
My second question is, could it be possible for a website to install this trojan on your computer without you knowing it? I mean, they do it with spyware, I don't see why they couldn't do this with email trojans as well.
A Penny for my thoughts? Here's my two cents. I got ripped off!
I suspect that it's pretty easy to make money spamming if you've got half a brain and some programming experience. You could write your own simple address-collection and spam-blasting programs in under a day, and then all you need is to find some customers -- and apparantly they're out there.
If you're clueless and you spend a few hundred on somebody's CD of email addresses, and a few more hundred on a CD of spam software and don't know anything more about your computer than how to click on things, then you're right -- you're just going to make other spammers rich and not yourself -- and it's obvious that spammers are perfectly happy to prey upon other would-be spammers.
There's definately a lot of `spam MLM' (MLM = Multi Level Marketing) going on -- but unlike your traditional MLM, there is money to be made outside of the MLM. Kind of like Amway -- yes, it's a MLM but they do sell a real product.