Slashdot Mirror


Spamming Trojan "Proxy Guzu"

squiggleslash writes "El Reg has the scoop on a trojan that actually turns your machine into a spam sending proxy. Called "Proxy Guzu", the proxy arrives in your mailbox in the usual "Outlook virus" way (i.e. disguised as something else so you'll run it). It then sends an email to a Hotmail email account reporting the IP address of the infected machine and the port it's running on. The spammer then merely transmits spam to the infected machine, which in turn forwards it on. There's a bright side to all this: spammers are doing this because they're desperate, with fewer and fewer spam-friendly havens. And what they're doing is illegal and opens them up for prosecution."

9 of 236 comments

  1. Proxies & broken e-mail by greyrax · · Score: 5, Insightful

    Great. First we have the trojan that downloads kiddie porn (has anyone else ever heard of this one?) and now this.

    Let's face it: SMTP is broken and it needs to be fixed. There has to be some way of authenticating senders and attachments to messages?

    I'm not talking about some of the (innovative) kludges that people have come up with for SMTP, I'm talking about a bare-metal rebuild of the entire system. Sure it will be a pain, but when you move to a new place, you have to give your friends the new phone number and address -- giving a new e-mail address (on the new e-mail system) won't be all that bad will it?

  2. Re:Uhh by sinergy · · Score: 5, Insightful

    The virus writer would have been smarter to send notices to IRC, or multiple email addresses. Or use broadcasts a la the SQL worm.

    More clever thought behind things like these would make them much more devastating.

    --
    ...
  3. This isn't desperation... by acehole · · Score: 5, Funny

    Desperation is when they start selling the penis enlargers door to door.

    Seriously, has anyone actually *seen* one?

    --
    Be you Admins? nay, we are but lusers!
  4. I think I've seen something like this... by Saint+Aardvark · · Score: 5, Interesting
    I think I might have seen something like this. In my previous life as helpdesk/abuse guy at a small ISP, I was in charge of locking accounts for spamming. (Fortunately, it never happened very often.) So one day I get this complaint from SpamCop about a dialup customer of ours -- typical pr0n spam. Check the logs, find the account and lock it -- nothing that unusual, except for what happened next: the customer called in.

    See, almost any time we've had people spam before, it's been someone who has signed up for an unlimited dialup account, then goes and spams right away before they get cut off. It got to the point where I was able to guess that someone was going to do this when I was taking down their details for an account; this happened with someone signing up for this guy, and I locked the account before it was even active. This person, like every other spammer I'd dealt with, never called back: they knew exactly what they were doing, and what I would tell them. But this customer did.

    Furthermore, she was extremely convincing when she told me she knew nothing about spam. To all appearances she was nearly clueless about computers (no offense to her -- I'm sure I couldn't do her job), could not believe her computer had done anything wrong, and was offended by the spam her computer had sent when she saw the complaint from SpamCop. She didn't argue that it wasn't really spam, or say that she didn't know that it was wrong, or that everyone had opted in, or that it was just an experiment, or anything: she didn't know what she had done, and was confused and astounded when I told her. I ended up letting her back on, against my better judgement, with a warning that if it happened again I'd close her account and that would be that. We changed her password just to be sure that no one else was using her account; unfortunately, the modem she'd dialed in on didn't have caller ID, but she swore blind that no one else knew her password or used her computer.

    So a month goes by and I get another complaint from SpamCop -- and it turns out to be the same customer. "Teach me to be nice," I thought, and locked her account. Caller-ID was recorded this time, and it was her number. I told the guy at the branch office where she lived that I'd locked this customer's account -- he had dealt with her the last time -- and he gave her a call. Again, he was convinced that she couldn't be spamming, and he convinced me that we should at least look at her computer. We brought it in to the branch office for a look.

    Unfortunately, neither one of us really knew what to do beyond the obvious. It was running Windows 98, no updates; the guy at the office knew Windows, and I know Unix, but neither one of us had experience with this sort of thing. I did a portscan and found one port open (1234), but the banner said "Express Search"; eventually found this link, which didn't seem to offer much. Meanwhile, the guy in the office ran Trend Micro's HouseCall and Panda's online virus scanner, and didn't find much of interest.

    He ended up reinstalling Windows on her computer, adding a firewall, doing all the updates, and letting her back on; we didn't know what else to do. We kept looking around for some mention of a virus or trojan with an SMTP engine (beyond something like Klez, I mean), but couldn't really find anything -- just lots of "This is weird, anyone seen anything like this?".

    Sorry to be so vague on the details, but like I said, I really don't know Windows and I'm really not a security guy. But I'm still fairly sure that either she was a wonderful actress, or some 133t haX0r had rooted her box to send spam. Needless to say, this is going to wreak havoc with anyone who has to be the abuse guy -- "Innocent victim of a virus or spammer scum? Hm..."

    ObRant: Fucking goddamned spammers anyway. Fuckwads.

    1. Re:I think I've seen something like this... by Caveman+Og · · Score: 5, Informative

      Well, since I'm not only an abuse guy in a previous life, but also a present and future abuse guy (for big networks, even), I can give some further insight into this sort of thing.

      1234 seems appallingly close to one of the ports sub-7 uses (1243). I would suspect some sort of back-door root-shell, and BEHOLD (through the power of Google):

      http://www.itsecurity.com/asktecs/jun1901.htm
      http://www.iss.net/security_center/advice/Exploits/Ports/1234/default.htm

      There are MANY trojans which use this port. "Ultors Trojan", is perhaps best known. There's also "SubSevenJavaclient". Nasty, nasty.

      UDP traffic on port 1234 is indicative of "Infoseek Search Agent", which is the legit use for this port. The trojans do not produce UDP traffic.

      Check out http://www.neohapsis.com/neolabs/neo-ports/

      I would think that your experience predates the current round of spammer-specific trojans. This is, however, only the tip of the iceberg. Spammers are now creating entire zombie IP address allocations from abandoned or otherwise unused network space. A spammer with his own ASN and spammer-controlled BGP can create ENDLESS havoc.

      Zombies on the Register of Known Spam Operations:

      http://www.spamhaus.org/rokso/search.lasso?evidencefile=2493

      Below are the lists of DIRECT ASNs owned or pirated by spammers, including many of the zombie netblocks:

      APNIC zombies
      http://spamhaus.org/sbl/listings.lasso?isp=apnic

      ARIN zombies and spammer allocations
      http://spamhaus.org/sbl/listings.lasso?isp=arin

      RIPE zombies and spammer allocations
      http://spamhaus.org/sbl/listings.lasso?isp=ripe

      --Og

  5. Untraceable? by Old+Uncle+Bill · · Score: 5, Informative

    "It's untraceable. I hate to put that in print, but it's the truth."

    So, if I'm running a sniffer while they are sending email through my PC I won't be able to find the source? I musta missed something in IP 101.

    --
    Yes, I am an agent of Satan, but my duties are largely ceremonial.
  6. Re:Uhh by pohl · · Score: 5, Funny

    Somewhere in the world, a virus author adds a couple of bullet points to his TODO file.

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  7. Untraceable Really ?? by Crashmarik · · Score: 5, Insightful

    Every Spam is selling something. Someone is paying to have it sent out. Don't trace the spammers. Hit the advertisers. Subpoena for who they are paying to send out the stuff, and then go after them criminally.

    The people that actually have their capital tied up in penis and breast enlargers sure as heck don't want it seized.

  8. This spammer uses proxies by Animats · · Score: 5, Interesting
    The "girslwhocry" spammer I mentioned yesterday makes heavy use of proxy servers. The spams come from a large number of different IP addresses. Some of the IP addresses from which they send spam are running Telnet proxy servers which answer ordinary Telnet requests. Others, though, are DSL ports from all over the world. Here are some typical "received" lines:
    • Received: from cpe-203-51-210-143.qld.bigpond.net.au ([203.51.210.143] helo=downside.com)
    • Received: from dsl-200-78-25-58.prodigy.net.mx ([200.78.25.58] helo=downside.com)
    • Received: from kawij-aw-5452.mxs.adsl.euronet.nl ([212.129.212.82] helo=downside.com)
    • Received: from 80-24-219-243.uc.nombres.ttd.es ([80.24.219.243] helo=downside.com)
    • Received: from abn134-41.interaktif.net.tr ([195.174.134.41] helo=downside.com)
    • Received: from wd-c-68dd.mxs.adsl.euronet.nl ([62.234.136.221] helo=downside.com)
    • Received: from host-148-244-79-22.block.alestra.net.mx (HELO downside.com) (148.244.79.22)
    • Received: from elog-lab.ret.forthnet.gr (HELO downside.com) (193.92.145.218)

    Those are all from a sequential block of spam bounces that we received. Look at the locations: Spain, Greece, the Netherlands, Malaysia, Turkey. That has to be some kind of distributed attack.

    They're using our name. I operate Downside, a respected financial information site, and own "Downside" as a registered US trademark. I want to find out who's behind this. They're making us look bad. I get hate mail, because this spammer is advertising "extreme rape" sites.

    Insights on how they're doing this would be appreciated. If this spammer can be clearly tied to felony computer intrusions, that would give me something solid to give my attorney.
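One way an abuse desk can triage bounces like the ones quoted in the post above is to parse the Received lines and flag hops whose HELO name does not belong to the connecting host's reverse DNS (here every hop claims helo=downside.com from an unrelated DSL or cable host). This is an added example, not code from the poster or from Downside; the two header shapes it parses are the ones quoted above, the sample lines are constructed, and the "looks like a consumer dynamic host" test is a hypothetical heuristic, not a standard.

```python
import re
from dataclasses import dataclass

# Constructed sample lines: the two Received-header shapes quoted in the post
# ("([ip] helo=name)" and "(HELO name) (ip)"), plus one invented legitimate hop.
SAMPLE_RECEIVED = [
    "Received: from cpe-203-51-210-143.qld.bigpond.net.au ([203.51.210.143] helo=downside.com)",
    "Received: from host-148-244-79-22.block.alestra.net.mx (HELO downside.com) (148.244.79.22)",
    "Received: from mail.downside.com ([192.0.2.10] helo=downside.com)",  # constructed, plausible
]

# Header formats as they appear in the quoted bounces (Exim-style and qmail-style).
EXIM_RE = re.compile(r"^Received: from (\S+) \(\[([\d.]+)\] helo=([^\s)]+)\)")
QMAIL_RE = re.compile(r"^Received: from (\S+) \(HELO ([^\s)]+)\) \(([\d.]+)\)")

# Hypothetical heuristic: rDNS tokens typical of dial-up/DSL/cable pools.
DYNAMIC_HINTS = ("dsl", "cpe-", "dialup", "dyn", "pool", "cable")
OCTETS_RE = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")

@dataclass
class Hop:
    rdns: str   # hostname the receiving MTA resolved for the peer
    ip: str     # peer address as recorded by the receiving MTA
    helo: str   # name the peer announced in HELO/EHLO

def parse_received(line):
    """Return a Hop for the two quoted header shapes, or None if neither matches."""
    m = EXIM_RE.match(line)
    if m:
        return Hop(rdns=m.group(1), ip=m.group(2), helo=m.group(3))
    m = QMAIL_RE.match(line)
    if m:
        return Hop(rdns=m.group(1), ip=m.group(3), helo=m.group(2))
    return None

def helo_mismatch(hop):
    """True when the HELO name is neither the rDNS host nor one of its parent domains."""
    helo, rdns = hop.helo.lower().rstrip("."), hop.rdns.lower().rstrip(".")
    return not (rdns == helo or rdns.endswith("." + helo))

def looks_dynamic(rdns):
    """Heuristic: pool-style names or embedded IP octets suggest an end-user host, not an MTA."""
    name = rdns.lower()
    return any(h in name for h in DYNAMIC_HINTS) or OCTETS_RE.search(name) is not None

def flag_forged(lines):
    """Hops worth an abuse report: HELO forged and source looks like an end-user machine."""
    hops = [h for h in map(parse_received, lines) if h]
    return [(h.ip, h.rdns, h.helo) for h in hops if helo_mismatch(h) and looks_dynamic(h.rdns)]
```
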