Slashdot Mirror


Spamming Trojan "Proxy Guzu"

squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (ie disguised as something else so you'll run it.) It then sends an email to a Hotmail email account reporting the IP address of the infected machine and port it's running on. The spammer then merely transmits spam to the infected machine which in turn forwards it on. There's a bright side to all this: Spammers are doing this because they're desperate, with fewer and fewer spam friendly havens. And what they're doing is illegal and opens them up for prosecution."

18 of 236 comments

  1. Re:Uhh by fidget42 · · Score: 4, Insightful

    After the spammer harvests IP addresses of newly opened relays. Case is still open...

    --
    The dogcow says "Moof!"
  2. Proxies & broken e-mail by greyrax · · Score: 5, Insightful

    Great. First we have the trojan that downloads kiddie porn (has anyone else ever heard of this one?) and now this.

    Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?

    I'm not talking about some of the (innovative) kludges that people have come up with for SMTP, I'm talking about a bare-metal rebuild of the entire system. Sure it will be a pain, but when you move to a new place, you have to give your friends the new phone number and address -- giving a new e-mail address (on the new e-mail system) won't be all that bad will it?

    1. Re:Proxies & broken e-mail by dasunt · · Score: 4, Insightful

      SMTP is broken? Maybe, but let's look at this logic.

      1. An email attachment pretends to be something it isn't, people click on it.
      2. The email attachment opens up a relay, sends email back to a Hotmail account.
      3. Spammer uses email account to spam other email accounts.

      Now let's look at this with $SMTP+1 (With spiffy authentication).

      1. An email attachment arrives from a trusted source/new source. People click on it.
      2. The email attachment opens up a backdoor, sends email back to hotmail.
      3. Spammer uses email software on that machine to spam other machines. Since we have email authentication now, the other users either get "from a trusted source" (if they already knew the person) or "from a new source (Key matches Joe Outlook Idiot)".

      Yep, that sure fixed the problem.

  3. Filter egress port 25!! by RT+Alec · · Score: 4, Informative

    If you are running a network, it behooves you to filter outgoing port 25. SMTP is a lousy protocol, and there is no successor to replace it (anytime soon).

    E-mail server admins: Please lock down your servers! Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25. It's not that tough, and it's your job. Do it.

    There, no excuses.

  4. Re:Uhh by sinergy · · Score: 5, Insightful

    The virus writer would have been smarter to send notices to IRC, or multiple email addresses. Or use broadcasts a la the SQL worm.

    More clever thought behind things like these would make them much more devastating.

    --
    ...
  5. This isn't desperation... by acehole · · Score: 5, Funny

    Desperation is when they start selling the penis enlargers door to door.

    Seriously, has anyone actually *seen* one?

    --
    Be you Admins? nay, we are but lusers!
    1. Re:This isn't desperation... by tigress · · Score: 4, Funny

      Oh, they come in pills now. My boyfriend tried them out for a month and he gained an amazing eight inches to his penis. Unfortunately, he also gained two cupsizes, lost 60 pounds and started receiving NBC and FOX.

  6. I think I've seen something like this... by Saint+Aardvark · · Score: 5, Interesting

    I think I might have seen something like this. In my previous life as helpdesk/abuse guy at a small ISP, I was in charge of locking accounts for spamming. (Fortunately, it never happened very often.) So one day I get this complaint from SpamCop about a dialup customer of ours -- typical pr0n spam. Check the logs, find the account and lock it -- nothing that unusual, except for what happened next: the customer called in.

    See, almost any time we've had people spam before, it's been someone who has signed up for an unlimited dialup account, then goes and spams right away before they get cut off. It got to the point where I was able to guess that someone was going to do this when I was taking down their details for an account; this happened with someone signing up for this guy, and I locked the account before it was even active. This person, like every other spammer I'd dealt with, never called back: they knew exactly what they were doing, and what I would tell them. But this customer did.

    Furthermore, she was extremely convincing when she told me she knew nothing about spam. To all appearances she was nearly clueless about computers (no offense to her -- I'm sure I couldn't do her job), could not believe her computer had done anything wrong, and was offended by the spam her computer had sent when she saw the complaint from SpamCop. She didn't argue that it wasn't really spam, or say that she didn't know that it was wrong, or that everyone had opted in, or that it was just an experiment, or anything: she didn't know what she had done, and was confused and astounded when I told her. I ended up letting her back on, against my better judgement, with a warning that if it happened again I'd close her account and that would be that. We changed her password just to be sure that no one else was using her account; unfortunately, the modem she'd dialed in on didn't have caller ID, but she swore blind that no one else knew her password or used her computer.

    So a month goes by and I get another complaint from SpamCop -- and it turns out to be the same customer. "Teach me to be nice," I thought, and locked her account. Caller-ID was recorded this time, and it was her number. I told the guy at the branch office where she lived that I'd locked this customer's account -- he had dealt with her the last time -- and he gave her a call. Again, he was convinced that she couldn't be spamming, and he convinced me that we should at least look at her computer. We brought it in to the branch office for a look.

    Unfortunately, neither one of us really knew what to do beyond the obvious. It was running Windows 98, no updates; the guy at the office knew Windows, and I know Unix, but neither one of us had experience with this sort of thing. I did a portscan and found one port open (1234), but the banner said "Express Search"; eventually found this link, which didn't seem to offer much. Meanwhile, the guy in the office ran Trend Micro's HouseCall and Panda's online virus scanner, and didn't find much of interest.

    He ended up reinstalling Windows on her computer, adding a firewall, doing all the updates, and letting her back on; we didn't know what else to do. We kept looking around for some mention of a virus or trojan with an SMTP engine (beyond something like Klez, I mean), but couldn't really find anything -- just lots of "This is weird, anyone seen anything like this?".

    Sorry to be so vague on the details, but like I said, I really don't know Windows and I'm really not a security guy. But I'm still fairly sure that either she was a wonderful actress, or some 133t haX0r had rooted her box to send spam. Needless to say, this is going to wreak havoc with anyone who has to be the abuse guy -- "Innocent victim of a virus or spammer scum? Hm..."

    ObRant: Fucking goddamned spammers anyway. Fuckwads.

    1. Re:I think I've seen something like this... by Caveman+Og · · Score: 5, Informative

      Well, since I'm not only an abuse guy in a previous life, but also a present and future abuse guy (for big networks, even), I can give some further insight into this sort of thing.

      1234 seems appallingly close to one of the ports sub-7 uses (1243). I would suspect some sort of back-door root-shell, and BEHOLD (through the power of Google):

      http://www.itsecurity.com/asktecs/jun1901.htm
      http://www.iss.net/security_center/advice/Exploits/Ports/1234/default.htm

      There are MANY trojans which use this port. "Ultors Trojan", is perhaps best known. There's also "SubSevenJavaclient". Nasty, nasty.

      UDP traffic on port 1234 is indicative of "Infoseek Search Agent", which is the legit use for this port. The trojans do not produce UDP traffic.

      Check out http://www.neohapsis.com/neolabs/neo-ports/

      I would think that your experience predates the current round of spammer-specific trojans. This is, however, only the tip of the iceberg. Spammers are now creating entire zombie IP address allocations from abandoned or otherwise unused network space. A spammer with his own ASN and spammer-controlled BGP can create ENDLESS havoc.

      Zombies on the Register of Known Spam Operations:

      http://www.spamhaus.org/rokso/search.lasso?evidencefile=2493

      Below are the lists of DIRECT ASNs owned or pirated by spammers, including many of the zombie netblocks:

      APNIC zombies
      http://spamhaus.org/sbl/listings.lasso?isp=apnic

      ARIN zombies and spammer allocations
      http://spamhaus.org/sbl/listings.lasso?isp=arin

      RIPE zombies and spammer allocations
      http://spamhaus.org/sbl/listings.lasso?isp=ripe

      --Og

  7. Untraceable? by Old+Uncle+Bill · · Score: 5, Informative

    "It's untraceable. I hate to put that in print, but it's the truth."

    So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.

    --
    Yes, I am an agent of Satan, but my duties are largely ceremonial.
  8. Re:Uhh by pohl · · Score: 5, Funny

    Somewhere in the world, a virus author adds a couple of bullet points to his TODO file.

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  9. No, don't limit the Internet! by fmaxwell · · Score: 4, Insightful

    If you are running a network, it behooves you to filter outgoing port 25.

    Why? So that I can't test to see if the spam I received came from an open relay? So that I am forced to answer confidential e-mail from client A through client Y's SMTP server when I am at client's Y's site?

    I agree that port 25 should be, by default, locked down on residential dial-up accounts (which spammers use as throwaway accounts), but don't lock it down everywhere. It breaks too many things.

    Only allow initial mail submission by authorized and authenticated clients, and only allow such submissions on a port other than 25.

    At the HELO/EHLO, an SMTP server doesn't know if the mail coming into it is "an initial mail submission" or just a message destined for an address served by that user.

    If you set up an SMTP server on a non-standard port, then no one's mail gets there. AOL is not going to talk to your server on port 20025.

    What happens when lots of mail servers are available on non-standard ports? Suddenly your port 25 block does not work any longer. Then the spammers will look for open relays on non-standard ports. You know that there will be a lot of them because there will be the "security through obscurity" crowd who believes that, because their SMTP server is running on port 31172, they can safely leave it open.

    You're headed in the right direction, but leave port 25 alone. My SMTP server is configured to require identification and authentication to send e-mail outside of my domain. All mail servers should be configured that way. This crap of allowing anyone to send e-mail without a username and password is ridiculous.
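
    The relay policy described in this comment and in comment 3 (accept inbound delivery for local domains from anyone, relay outbound only after AUTH, refuse unauthenticated MAIL outright on a separate submission port), written out as an added example. This is hypothetical code, not any real MTA's implementation or anything posted in the thread; LOCAL_DOMAINS, the port numbers' roles and the scripted client sessions are assumptions constructed for the illustration.

```python
"""MAIL FROM / RCPT TO policy for an MTA that relays only for authenticated clients.

Added example (not from the original page): LOCAL_DOMAINS, the listener roles
and the scripted sessions below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

LOCAL_DOMAINS = {"example.org"}      # domains this server is the final hop for (assumed)
MX_PORT, SUBMISSION_PORT = 25, 587   # inbound/relay listener vs. client submission listener

Reply = Tuple[int, str]


@dataclass
class Session:
    """State the server keeps per connection; a successful AUTH sets authenticated_user."""
    port: int
    peer_ip: str
    authenticated_user: Optional[str] = None
    mail_from: Optional[str] = None
    recipients: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    addr = address.strip().strip("<>")
    if "@" not in addr:
        raise ValueError(address)
    return addr.rsplit("@", 1)[1].lower()


def mail_from_policy(session: Session, sender: str) -> Reply:
    """On 587 an unauthenticated MAIL is refused up front. On 25 the server cannot
    yet tell inbound delivery from a submission (the HELO/EHLO point above), so
    MAIL is accepted and the real decision is deferred to each RCPT."""
    if session.port == SUBMISSION_PORT and session.authenticated_user is None:
        return 530, "Authentication required"
    return 250, "Ok"


def rcpt_policy(session: Session, rcpt: str) -> Reply:
    """Hardened relay control, evaluated per recipient."""
    try:
        dom = domain_of(rcpt)
    except ValueError:
        return 501, "Syntax error in recipient address"
    if dom in LOCAL_DOMAINS:                    # inbound: anyone may deliver to our users
        return 250, "Ok"
    if session.authenticated_user is not None:  # outbound: only for clients we know
        return 250, "Ok"
    return 554, "Relay access denied"


def open_relay_rcpt_policy(session: Session, rcpt: str) -> Reply:
    """The misconfiguration the story is about: relay for anybody."""
    return 250, "Ok"


def run_session(session: Session, script: List[Tuple[str, str]],
                policy: Callable[[Session, str], Reply] = rcpt_policy) -> List[int]:
    """Drive a scripted client through MAIL/RCPT and return the reply codes in order."""
    codes = []
    for verb, arg in script:
        if verb == "MAIL":
            code, _ = mail_from_policy(session, arg)
            if code == 250:
                session.mail_from = arg
        elif verb == "RCPT":
            if session.mail_from is None:
                code = 503                      # bad sequence: RCPT before an accepted MAIL
            else:
                code, _ = policy(session, arg)
                if code == 250:
                    session.recipients.append(arg)
        else:
            raise ValueError(f"unsupported verb {verb!r}")
        codes.append(code)
    return codes


# Scripted sessions (constructed): a stranger delivering inbound mail, the same
# stranger trying to relay through us, and clients on the submission port.
INBOUND = [("MAIL", "<friend@example.net>"), ("RCPT", "<bob@example.org>")]
RELAY_ATTEMPT = [("MAIL", "<spammer@example.net>"), ("RCPT", "<victim@example.com>")]

if __name__ == "__main__":
    print("inbound, port 25:        ", run_session(Session(MX_PORT, "198.51.100.7"), INBOUND))
    print("relay, port 25, hardened:", run_session(Session(MX_PORT, "198.51.100.7"), RELAY_ATTEMPT))
    print("relay, port 25, open:    ", run_session(Session(MX_PORT, "198.51.100.7"), RELAY_ATTEMPT, open_relay_rcpt_policy))
    print("relay, port 587, no AUTH:", run_session(Session(SUBMISSION_PORT, "203.0.113.5"), RELAY_ATTEMPT))
    print("relay, port 587, AUTHed: ", run_session(Session(SUBMISSION_PORT, "203.0.113.5", "alice"), RELAY_ATTEMPT))
```

    The same RELAY_ATTEMPT script gets 554 from the hardened policy and 250 from the open-relay one; that single difference is what the trojaned machines in the story supply to the spammer. Port 25 stays reachable for inbound delivery, which is why the per-recipient check, not a port block, carries the relay decision there.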

  10. Untraceable Really ?? by Crashmarik · · Score: 5, Insightful

    Every Spam is selling something. Someone is paying to have it sent out. Don't trace the spammers. Hit the advertisers. Subpoena for who they are paying to send out the stuff, and then go after them criminally.

    The people that actually have their capital tied up in penis and breast enlargers, sure as heck don't want it seized.

    1. Re:Untraceable Really ?? by isomeme · · Score: 4, Insightful

      I suspect that in many cases there is no real product (or even 'real' company) behind the sleazier spams. The whole thing is a trick to get your money, and probably your CC number for further fun and games. After all, most people will be too embarrassed to complain to the cops that their penis enlargement pills never arrived.

      --
      When all you have is a hammer, everything looks like a skull.
  11. This spammer uses proxies by Animats · · Score: 5, Interesting

    The "girslwhocry" spammer I mentioned yesterday makes heavy use of proxy servers. The spams come from a large number of different IP addresses. Some of the IP addresses from which they send spam are running Telnet proxy servers which answer ordinary Telnet requests. Others, though, are DSL ports from all over the world. Here are some typical "received" lines:
    • Received: from cpe-203-51-210-143.qld.bigpond.net.au ([203.51.210.143] helo=downside.com)
    • Received: from dsl-200-78-25-58.prodigy.net.mx ([200.78.25.58] helo=downside.com)
    • Received: from kawij-aw-5452.mxs.adsl.euronet.nl ([212.129.212.82] helo=downside.com)
    • Received: from 80-24-219-243.uc.nombres.ttd.es ([80.24.219.243] helo=downside.com)
    • Received: from abn134-41.interaktif.net.tr ([195.174.134.41] helo=downside.com)
    • Received: from wd-c-68dd.mxs.adsl.euronet.nl ([62.234.136.221] helo=downside.com)
    • Received: from host-148-244-79-22.block.alestra.net.mx (HELO downside.com) (148.244.79.22)
    • Received: from elog-lab.ret.forthnet.gr (HELO downside.com) (193.92.145.218)

    Those are all from a sequential block of spam bounces that we received. Look at the locations: Spain, Greece, the Netherlands, Malaysia, Turkey. That has to be some kind of distributed attack.

    They're using our name. I operate Downside, a respected financial information site, and own "Downside" as a registered US trademark. I want to find out who's behind this. They're making us look bad. I get hate mail, because this spammer is advertising "extreme rape" sites.

    Insights on how they're doing this would be appreciated. If this spammer can be clearly tied to felony computer intrusions, that would give me something solid to give my attorney.
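
    One way to start on the question asked above: triage the quoted Received: lines automatically. The connecting IP and the reverse DNS are recorded by the receiving MTA and cannot be chosen by the client, while the helo= name is whatever the client claimed; a host whose rDNS belongs to one organisation announcing itself as another, from a consumer access pool, is the signature of an abused proxy or relay. This is an added example, not code from the post or from any tool it mentions; the two regexes, the org_domain() heuristic and the access-pool keyword list are assumptions, and the ninth sample line (a legitimate hop using a TEST-NET address) is constructed as a control.

```python
"""Triage of Received: trace headers for forged HELO names and access-pool origins.

Added example (not from the original page). Regexes, org_domain() and POOL_HINTS
are heuristics assumed for this illustration; the last sample line is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Two trace-header syntaxes appear in the quoted bounces: Exim's
#   from <rdns> ([<ip>] helo=<name>)
# and qmail's
#   from <rdns> (HELO <name>) (<ip>)
EXIM_RE = re.compile(r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[\d.]+)\]\s+helo=(?P<helo>[^\s)]+)\)")
QMAIL_RE = re.compile(r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^\s)]+)\)\s+\((?P<ip>[\d.]+)\)")

# Crude "organisational domain": last two labels, or three under ccTLDs that use
# a com/net/org-style second level (net.au, net.mx, net.tr ...). Assumption.
SECOND_LEVEL = {"com", "net", "org", "co", "ac", "gov", "edu"}
# Substrings typical of consumer access-pool reverse DNS. Assumption.
POOL_HINTS = ("dsl", "cpe", "dial", "dyn", "ppp", "pool", "cable")


def org_domain(hostname: str) -> str:
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Hop:
    rdns: str   # reverse DNS of the connecting host, looked up by the receiving MTA
    ip: str     # the connecting address: the one thing the client cannot forge
    helo: str   # whatever the client said in HELO/EHLO: trivially forgeable

    @property
    def helo_mismatch(self) -> bool:
        """Client claims a name from a different organisation than its own rDNS."""
        return org_domain(self.helo) != org_domain(self.rdns)

    @property
    def dynamic_looking(self) -> bool:
        """rDNS embeds the IP or carries access-pool wording: not where a real MX lives."""
        octets = self.ip.split(".")
        name = self.rdns.lower()
        if ("-".join(octets) in name or ".".join(octets) in name
                or "-".join(octets[2:]) in name):
            return True
        return any(hint in name for hint in POOL_HINTS)


def parse_received(line: str) -> Optional[Hop]:
    """Pull (rdns, ip, helo) out of one Received: line; None if the syntax is unknown."""
    body = line.split(":", 1)[1] if line.lower().startswith("received:") else line
    for rx in (EXIM_RE, QMAIL_RE):
        m = rx.search(body)
        if m:
            return Hop(m.group("rdns"), m.group("ip"), m.group("helo"))
    return None


def triage(lines: List[str]) -> List[Hop]:
    """Parse every line we understand, preserving order; unparseable lines are skipped."""
    return [h for h in (parse_received(l) for l in lines) if h is not None]


# The eight lines quoted in the post, plus one constructed legitimate hop (TEST-NET IP).
SAMPLE_RECEIVED = [
    "Received: from cpe-203-51-210-143.qld.bigpond.net.au ([203.51.210.143] helo=downside.com)",
    "Received: from dsl-200-78-25-58.prodigy.net.mx ([200.78.25.58] helo=downside.com)",
    "Received: from kawij-aw-5452.mxs.adsl.euronet.nl ([212.129.212.82] helo=downside.com)",
    "Received: from 80-24-219-243.uc.nombres.ttd.es ([80.24.219.243] helo=downside.com)",
    "Received: from abn134-41.interaktif.net.tr ([195.174.134.41] helo=downside.com)",
    "Received: from wd-c-68dd.mxs.adsl.euronet.nl ([62.234.136.221] helo=downside.com)",
    "Received: from host-148-244-79-22.block.alestra.net.mx (HELO downside.com) (148.244.79.22)",
    "Received: from elog-lab.ret.forthnet.gr (HELO downside.com) (193.92.145.218)",
    "Received: from mail.downside.com ([192.0.2.10] helo=mail.downside.com)",   # constructed control
]

if __name__ == "__main__":
    for h in triage(SAMPLE_RECEIVED):
        flags = [f for f, on in (("HELO-FORGED", h.helo_mismatch),
                                 ("ACCESS-POOL", h.dynamic_looking)) if on]
        print(f"{h.ip:16} {h.rdns:46} helo={h.helo:18} {' '.join(flags) or 'ok'}")
```

    All eight quoted hops flag HELO-FORGED, and all but the forthnet.gr host also look like access-pool addresses, which matches the post's split between DSL ports and hosts running proxy servers. The flagged IPs and timestamps are what an abuse desk or an attorney can act on; the helo= name is worthless as evidence of origin, and the one recipient-side artefact worth keeping is the full bounce with its complete header chain.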

  12. Re:Uhh by dougmc · · Score: 4, Insightful

    If the spammer had two braincells to rub together to figure that one out, would they be in the spam business to begin with?

    Possibly. Spammers do seem to make money, don't they? And there are many intelligent people out there who like money. Smart people do morally wrong things to make money just like dumb people do.

    The way to stop spam is to remove the profit motive. PEOPLE NEED TO STOP BUYING STUFF THAT THEY GET SPAMMED ABOUT! Once they stop, people will stop paying spammers to advertise their wares, and the spammers will then stop spamming.

    Yes, most spammers do seem pretty stupid. But if it makes money, and it's not illegal, many people, even smart people, have no problems with doing it even if it's morally reprehensible.

  13. Have your attorney attack indirectly by ArsSineArtificio · · Score: 4, Insightful

    Why don't you have your attorney sue the proprietors of the 'extreme rape' sites, as well as parties unknown who act as their mass-mailing advertisers?

    Then, you can force the site admins to turn over their records during discovery, find out who exactly the spammers are, and go after them directly as well.

    ABW

    --
    All employees must wash hands before seeking equitable relief.
  14. Other Methods by NetGyver · · Score: 4, Interesting

    I've had a weird instance with email going out my mail client (Outlook, but I switched to Mozilla Mail now) without knowing it. Here's the story:

    1. Just opened up Outlook and looked in the "sent" folder to re-read an email I sent to a friend.

    2. I find 4-5 emails that were mailed to addresses I never heard of, with the messages saying something to the effect of: "please remove me from your mailing list." (The messages were all identical to each other).

    3. This has only happened twice, and then stopped.
    I haven't found any more suspicious sent email in my "sent" folder.

    FYI: This is a personal computer, no one else uses it but me.

    Now, I don't send a lot of email, and when I do I know who I sent it to. I also know not to write emails back to spammers even with a "remove from list" message enclosed, because it just sends the spammers the signal that my email account exists and is active, which results in even more spam. (so I've heard at least)

    Any idea what caused this?

    I've also heard that the main reasons one gets an email trojan is by clicking on a link in a email, or downloading/running an email attachment.

    I also know about "drive-by downloading" that happens while visiting websites. The next thing you know you got spyware coming out the ass because of this. (and of course certain programs sneakily install them as well.)

    My second question is, could it be possible for a website to install this trojan on your computer without you knowing it? I mean, they do it with spyware, I don't see why they couldn't do this with email trojans as well.

    --
    A Penny for my thoughts? Here's my two cents. I got ripped off!