Slashdot Mirror
Spamming Trojan "Proxy Guzu"
squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (ie disguised as something else so you'll run it.) It then sends an email to a Hotmail email account reporting the IP address of the infected machine and port it's running on. The spammer then merely transmits spam to the infected machine which in turn forwards it on. There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."
Hotmail disables said account. Case closed...?
Are there any AV vendors out there with fixes for this yet? I didn't see any in the article.
Moderation Total: -1 Troll, +3 Goat
I am shocked! They seemed like such good upstanding members of society.
Great. First we have the trojan that downloads kiddie porn (has anyone else ever heard of this one?) and now this.
Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?
I'm not talking about some of the (innovative) kludges that people have come up with for SMTP, I'm talking about a bare-metal rebuild of the entire system. Sure it will be a pain, but when you move to a new place, you have to give your friends the new phone number and address -- giving a new e-mail address (on the new e-mail system) won't be all that bad will it?
If you are running a network, it behooves you to filter outgoing port 25. SMTP is a lousy protocol, and there is no successor to replace it (anytime soon).
E-mail server admins: Please lock down your servers! Only allow initial mail submission by authorized and authenticated clients, and only allow such subissions on a port other than 25. It's not that tough, and it's your job. Do it.
There, no excuses.
find out the hotmail address and send it loads of dummy IP addresses...
---- There are 10 types of people in the world. Those that understand binary and those that don't
Desperation is when they start selling the penis enlargers door to door.
Seriously, has anyone actually *seen* one?
Be you Admins? nay, we are but lusers!
See, almost any time we've had people spam before, it's been someone who has signed up for an unlimited dialup account, then goes and spams right away before they get cut off. It got to the point where I was able to guess that someone was going to do this when I was taking down their details for an account; this happened with someone signing up for this guy, and I locked the account before it was even active. This person, like every other spammer I'd dealt with, never called back: they knew exactly what they were doing, and what I would tell them. But this customer did.
Furthermore, she was extremely convincing when she told me she knew nothing about spam. To all appearances she was nearly clueless about computers (no offense to her -- I'm sure I couldn't do her job), could not believe her computer had done anything wrong, and was offended by the spam her computer had sent when she saw the complaint from SpamCop. She didn't argue that it wasn't really spam, or say that she didn't know that it was wrong, or that everyone had opted in, or that it was just an experiment, or anything: she didn't know what she had done, and was confused and astounded when I told her. I ended up letting her back on, against my better judgement, with a warning that if it happened again I'd close her account and that would be that. We changed her password just to be sure that no one else was using her account; unfortunately, the modem she'd dialed in on didn't have caller ID, but she swore blind that no one else knew her password or used her computer.
So a month goes by and I get another complaint from SpamCop -- and it turns out to be the same customer. "Teach me to be nice," I thought, and locked her account. Caller-ID was recorded this time, and it was her number. I told the guy at the branch office where she lived that I'd locked this customer's account -- he had dealt with her the last time -- and he gave her a call. Again, he was convinced that she couldn't be spamming, and he convinced me that we should at least look at her computer. We brought it in to the branch office for a look.
Unfortunately, neither one of us really knew what to do beyond the obvious. It was running Windows 98, no updates; the guy at the office knew Windows, and I know Unix, but neither one of us had experience with this sort of thing. I did a portscan and found one port open (1234), but it the banner said "Express Search"; eventually found this link, which didn't seem to offer much. Meanwhile, the guy in the office ran Trend Micro's HouseCall and Panda's online virus scanner, and didn't find much of interest.
He ended up reinstalling Windows on her computer, adding a firewall, doing all the updates, and letting her back on; we didn't know what else to do. We kept looking around for some mention of a virus or trojan with an SMTP engine (beyond something like Klez, I mean), but couldn't really find anything -- just lots of "This is weird, anyone seen anything like this?".
Sorry to be so vague on the details, but like I said, I really don't know Windows and I'm really not a security guy. But I'm still fairly sure that either she was a wonderful actress, or some 133t haX0r had rooted her box to send spam. Needless to say, this is going to wreak havoc with anyone who has to be the abuse guy -- "Innocent victim of a virus or spammer scum? Hm..."
ObRant: Fucking goddamned spammers anyway. Fuckwads.
Carousel is a lie!
(sees seens from commercial of guy getting on plane to go visit telemarketer in person) to a brutal beat down :)
(one must also be careful of the submit button early on a sunday morning ... doh)
. I love the sound of burning women and screaming rubber....
"It's untraceable. I hate to put that in print, but it's the truth."
So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.
Yes, I am an agent of Satan, but my duties are largely ceremonial.
...beats a pound of medication (or something like that - I'm not to good at english proverbs).
Don't run attachments from mails if you don't trust the sender. Do get a firewall that lets you block both ways (ZoneAlarm from ZoneLabs is my free favorite).The result? You won't get caught by this trojan, and if you should break the first rule of thumb, the second won't turn your PC into a spam-factory.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
If you are running a network, it behooves you to filter outgoing port 25.
Why? So that I can't test to see if the spam I received came from an open relay? So that I am forced to answer confidential e-mail from client A through client Y's SMTP server when I am at client's Y's site?
I agree that port 25 should be, by default, locked down on residential dial-up accounts (which spammers use as throwaway accounts), but don't lock it down everywhere. It breaks too many things.
Only allow initial mail submission by authorized and authenticated clients, and only allow such subissions on a port other than 25.
At the HELO/EHLO, an SMTP server doesn't know if the mail coming into it is "an initial mail submission" or just a message destined for an address served by that user.
If you set up an SMTP server on a non-standard port, then no one's mail gets there. AOL is not going to talk to your server on port 20025.
What happens when lots of mail servers are available on non-standard ports? Suddenly your port 25 block does not work any longer. Then the spammers will look for open relays on non-standard ports. You know that there will be a lot of them because there will be the "security through obscurity" crowd who believes that, because their SMTP server is running on port 31172, they can safely leave it open.
You're headed in the right direction, but leave port 25 alone. My SMTP server is configured to require identification and authentication to send e-mail outside of my domain. All mail servers should be configured that way. This crap of allowing anyone to send e-mail without a username and password is ridiculous.
Every Spam is selling something. Someone is paying to have it sent out. Don't trace the spammers. Hit the advertisers. Subpoena for who they are paying to send out the stuff, and then go after them criminally.
The people that actually have their capitol tied up in penis and breast enlargers, sure as heck don't want it seized.
This is more to say "Not everyone who gets blocked deserves it"
Prove me wrong.
-- 'The' Lord and Master Bitman On High, Master Of All
Is AnalogX Proxy, which is quite popular with spammers.
As for the not traceable, well I wouldn't count that out. What if someone really knew what was happening, deiced to download, and isolate the program with the intent of finding them?
Yes I know they could use anon proxys, but then there is the chance that the anon proxy is not an anon proxy. I wouldn't be surprised if just like honeypots fake anon proxys start popping up with the intent of catching their real ip.
Only problem I see is that the spammers are willing to take the risk and also start using chains of proxys. But wouldn't doning that make things too slow?
Those are all from a sequential block of spam bounces that we received. Look at the locations: Spain, Greece, the Netherlands, Maylasia, Turkey. That has to be some kind of distributed attack.
They're using our name. I operate Downside, a respected financial information site, and own "Downside" as a registered US trademark. I want to find out who's behind this. They're making us look bad. I get hate mail, because this spammer is advertising "extreme rape" sites.
Insights on how they're doing this would be appreciated. If this spammer can be clearly tied to felony computer intrusions, that would give me something solid to give my attorney.
That's why they call them trojan horses. The recipient is told that the program will enable access to unlimited free prawns or a faster internet connection or some other crap along those lines.
or other Oulook like unix mail programs
They do mention it. At the top, where it says "By Kevin Poulsen, SecurityFocus", and at the bottom with "© [SecurityFocus logo]" as a link to www.securityfocus.com. Clearly you did read it, so how did you manage to miss that?
No. The antispam crowd believes that it boils down to consent. It is fine for companies to send me newsletters... only if I have given them the permission to do so. If I have not given them permission, then it's UCE.
There is a difference between CE and UCE, and only the latter is bad.
Don't mix Stallman's ideas about commercial interests with the antispam crowd. None of us are as rabid as he is.
--etrnl
Why don't you have your attorney sue the proprietors of the 'extreme rape' sites, as well as parties unknown who act as their mass-mailing advertisers?
Then, you can force the site admins to turn over their records during discovery, find out who exactly the spammers are, and go after them directly as well.
ABW
All employees must wash hands before seeking equitable relief.
Would it be possible to set an ISP's router to automatically re-direct any TCP packet with a port-25 destination through a spamassasin-type filter to check it before it continues it's journey?
Basically having a router that intercepts anything going out to port 25 from any port and pre-check it before allowing it to continue on?
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
If the spammer uses the proxy/trojan installed by Sobig.a which listens on port 1180 (socks) and 1182 (http), it's very traceable. You need only the password to the proxy management station (it's "zaq123") and you can watch the traffic or shut it down altogether.
See this analysis of Sobig and Spam for more details.
Of course, this MBIWYL (may be illegal where you live)
I've had a weird instance with email going out my mail client (Outlook, but I switched to Mozilla Mail now) without knowing it. Here's the story:
1. Just opened up outlook and looked in the "sent" folder to re-read an email i sent to a friend.
2. I find 4-5 emails that were mailed to addresses I never heard of, with the messages saying something to the effect of: "please remove me from your mailing list." (The messages were all identical to each other).
3. This has only happened twice, and then stopped.
I haven't found any more suspicious sent email in my "sent" folder.
FYI: This is a personal computer, no one else uses it but me.
Now, i don't send alot of email, and when I do I know who i sent it to. I also know not to write emails back to spammers even with a "remove from list" message enclosed, because it just sends the spammers the signal that my email account exists and is active, which results in even more spam. (so i've heard at least)
Any idea what caused this?
I've also heard that the main reasons one gets an email trojan is by clicking on a link in a email, or downloading/running an email attachment.
I also know about "drive-by downloading" that happens while visiting websites. The next thing you know you got spyware coming out the ass because of this. (and of course certian programs sneakily install them as well.)
My second question is, could it be possible for a website to install this trojan on your computer without you knowing it? I mean, they do it with spyware, I don't see why they couldn't do this with email trojans as well.
A Penny for my thoughts? Here's my two cents. I got ripped off!
1. The spammers are doing this because they get paid to do it.
2. Someone is paying them; paying them to advertise a product and contact the payer (somehow) to sell a product.
3. The person paying them knows who they paid to email this crap.
4. If the email was sent via this trojan, just follow the trail from the email sent to the payer and, from there, to the spammer.
Even if the spammer claims that someone else (riiiight) must have sent the trojans on their way, he got paid for it and should be levied with fines equal to (or greater than) the payment. A few cases of this should stop the use of this trojan.
Actually, given that spammers would not be doing this unless they made money, why aren't the people who pay for spam to be delivered being held responsible for spam? They do it with drugs and prostitution.