Slashdot Mirror


NYT Reports Porn Spam Hijacking Network

twitter writes "This NYT story describes how thousands of PCs have been used as porn spambots and reverse proxy servers, and mentions that they could be used for kiddie porn. Finally, though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables."


  1. Another link by UnknowingFool · · Score: 4, Informative

    Try this link

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  2. reg free partner link by rkz · · Score: 2, Informative
  3. Obligatory no reg text by figleaf · · Score: 1, Informative

    Hackers Hijack PC's for Sex Sites
    By JOHN SCHWARTZ

    More than a thousand unsuspecting Internet users around the world have recently had their computers hijacked by hackers, who computer security experts say are using them for pornographic Web sites.

    The hijacked computers, which are chosen by the hackers apparently because they have high-speed connections to the Internet, are secretly loaded with software that makes them send explicit Web pages advertising pornographic sites and offer to sign visitors up as customers.

    Unless the owner of the hijacked computer is technologically sophisticated, the activity is likely to go unnoticed. The program, which only briefly downloads the pornographic material to the usurped computer, is invisible to the computer's owner. It apparently does not harm the computer or disturb its operation.

    The hackers operating the ring direct traffic to each hijacked computer in their network for a few minutes at a time, quickly rotating through a large number. Some are also used to send spam e-mail messages to boost traffic to the sites.

    "Here people are sort of involved in the porno business and don't even know it," said Richard M. Smith, an independent computer researcher who first noticed the problem earlier this month. Mr. Smith said he thought the ring could be traced to Russian senders of spam, or unwanted commercial e-mail.

    By hiding behind a ring of machines, the senders can cloak their identity while helping to solve one of the biggest problems for purveyors of pornography and spam: getting shut down by Internet service providers who receive complaints about the raunchy material.

    The web of front machines hides the identity of the true server computer so "there's no individual computer to shut down," Mr. Smith said. "We're dealing with somebody here who is very clever."

    By monitoring Web traffic to the porn advertisements, Mr. Smith has counted more than a thousand machines that have been affected.

    The creators of the ring, whose identities are unknown, are collecting money from the pornographic sites for signing up customers, the security experts say. Many companies play this role in Internet commerce, getting referral fees for driving customers to sites with which they have no other connection.

    The ring system could also be used by the hackers to skim off the credit card numbers of the people signing up, said Joe Stewart, senior intrusion analyst with Lurhq, a computer security company based in Myrtle Beach, S.C.

    The current version of the ring is not completely anonymous, since the hijacked machines download the pornographic ads from a single Web server. According to the computer investigators, that machine apparently is owned by Everyones Internet, a large independent Internet service company in Houston that also offers Web hosting services to a large number of companies. Jeff Lowenberg, the company's vice president of operations, said that he was not aware of any illegal activity on one of his company's computers but said that he would investigate.

    Mr. Stewart said the ring was most likely a work in progress, and that flaws, like being tied to a single server, would be eliminated over time.

    He said the ring was troubling not just because of what it is being used for now but also because of what it might be used for next.

    "This system is especially worrisome because they have an end-to-end anonymous system for spamming and running scams," he said. "It's not a far stretch to say that people who are running kiddie porn sites could say, 'Hey, this is something we could use.'"

    The computer ring is the latest in an evolution of attacks that allow creators of spam and illicit computer schemes to use other people's computers as accomplices. For several years, senders of spam have relied upon a vestigial element of the Internet mail infrastructure known as "open relay" to use Internet servers as conduits for their spam.

    As network administrato

    1. Re:Obligatory no reg text by Anonymous Coward · · Score: 1, Informative

      I wish it was that easy. The fact of the matter is that they keep requiring me to provide them with a name (and all kinds of other information) over and over. I tried "subscribing", but the subscription seems to be truly non-portable, and it's really disruptive to browsing to have to click through it all the time. Thanks for posting the article.

  4. Re:Heh by ryanoo · · Score: 4, Informative
    people might start to understand what a monoculture of poor quality software enables.

    Whatever. That won't happen anytime soon.

    Just as an example, we brought a remote user's laptop into the shop the other day to update it and found over 250 infected files. Even though we provide the option every time he logs in to update the virus identities, they hadn't been updated in over a year.

    To many people, a computer is like a screwdriver. They could care less about it, they just want to pick it up, make it work, and toss it aside when they are done with it. It's unfortunate, yes, but that's just the way it is.

  5. Article Text by Anonymous Coward · · Score: 1, Informative

    More than a thousand unsuspecting Internet users around the world have recently had their computers hijacked by hackers, who computer security experts say are using them for pornographic Web sites.

    The hijacked computers, which are chosen by the hackers apparently because they have high-speed connections to the Internet, are secretly loaded with software that makes them send explicit Web pages advertising pornographic sites and offer to sign visitors up as customers.

    Unless the owner of the hijacked computer is technologically sophisticated, the activity is likely to go unnoticed. The program, which only briefly downloads the pornographic material to the usurped computer, is invisible to the computer's owner. It apparently does not harm the computer or disturb its operation.

    The hackers operating the ring direct traffic to each hijacked computer in their network for a few minutes at a time, quickly rotating through a large number. Some are also used to send spam e-mail messages to boost traffic to the sites.

    "Here people are sort of involved in the porno business and don't even know it," said Richard M. Smith, an independent computer researcher who first noticed the problem earlier this month. Mr. Smith said he thought the ring could be traced to Russian senders of spam, or unwanted commercial e-mail.

    By hiding behind a ring of machines, the senders can cloak their identity while helping to solve one of the biggest problems for purveyors of pornography and spam: getting shut down by Internet service providers who receive complaints about the raunchy material.

    The web of front machines hides the identity of the true server computer so "there's no individual computer to shut down," Mr. Smith said. "We're dealing with somebody here who is very clever."

    By monitoring Web traffic to the porn advertisements, Mr. Smith has counted more than a thousand machines that have been affected.

    The creators of the ring, whose identities are unknown, are collecting money from the pornographic sites for signing up customers, the security experts say. Many companies play this role in Internet commerce, getting referral fees for driving customers to sites with which they have no other connection.

    The ring system could also be used by the hackers to skim off the credit card numbers of the people signing up, said Joe Stewart, senior intrusion analyst with Lurhq, a computer security company based in Myrtle Beach, S.C.

    The current version of the ring is not completely anonymous, since the hijacked machines download the pornographic ads from a single Web server. According to the computer investigators, that machine apparently is owned by Everyones Internet, a large independent Internet service company in Houston that also offers Web hosting services to a large number of companies. Jeff Lowenberg, the company's vice president of operations, said that he was not aware of any illegal activity on one of his company's computers but said that he would investigate.

    Mr. Stewart said the ring was most likely a work in progress, and that flaws, like being tied to a single server, would be eliminated over time.

    He said the ring was troubling not just because of what it is being used for now but also because of what it might be used for next.

    "This system is especially worrisome because they have an end-to-end anonymous system for spamming and running scams," he said. "It's not a far stretch to say that people who are running kiddie porn sites could say, 'Hey, this is something we could use.'"

    The computer ring is the latest in an evolution of attacks that allow creators of spam and illicit computer schemes to use other people's computers as accomplices. For several years, senders of spam have relied upon a vestigial element of the Internet mail infrastructure known as "open relay" to use Internet servers as conduits for their spam.

    As network administrators have gradually shut down the open relay networks, spam senders have used viruses t

  6. Re:distributed webserver by dapuk · · Score: 1, Informative

    This isn't a distributed webserver. It simply acts as a proxy server with a hardcoded destination host/port.

  7. Technical details by httptech · · Score: 4, Informative

    There is a technical writeup here:
    http://www.lurhq.com/migmaf.html
    Mirror: http://www.joestewart.org/migmaf.html

  8. Re:Convenient Excuse by gillbates · · Score: 3, Informative

    Interesting thing is, though, that it occurred in the UK, not the US. In the US, he would have been guilty because the child porn statutes are strict-liability offenses, meaning that possession of child porn, even if unintentional, is still a crime.

    Yeah, it's a messed up law, but it's not the first one...

    --
    The society for a thought-free internet welcomes you.
  9. Average users can help control SPAM by bigberk · · Score: 4, Informative

    The article makes a good point about unwitting hosts participating in world-wide spamming. A host that is insecure can become compromised by an automated worm or malicious attacker and then configured to relay junk mail.

    As a system administrator this worries me. Typically we use blocklists for netblocks that are known to be sources of spam. But when a random internet host is compromised and used as a mail relay, this slips past our blocklists (for a while).

    The moral of the story is that computer security and spam fighting go together. Though average users don't get the point, it is every internet user's responsibility to keep their host secure both for their own good, and to be a good neighbour.

  10. Re:Flamebait by molarmass192 · · Score: 2, Informative

    They probably use MS to generate their forecasts.

    Nope, the NOAA is smarter than that, they use Linux

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  11. Re:NYT registration site stories should be filtere by Anonymous Coward · · Score: 1, Informative

    Simply click the link. When the NYT site asks you to register, replace the 'www' in the url window with 'archive'. The site will error out and drop you into the front page.

    Thank you, drive through...

  12. Trojaned machines: webservers and nameservers by Anonymous Coward · · Score: 1, Informative

    It was about ten months ago that I first saw trojaned/hacked machines used as the webservers for the "extrarape.com" porn spam domain. No one will host the nameservers used to access trojaned machines, so alerting the hosts for the nameservers took it down. About a month ago he came back. Alerting the hosts of the nameservers worked again.

    One only needs one working nameserver in the root servers to send victims on to the trojaned machines which serve as the webservers. Abuse desks are busy. Hey! Suppose we can find a registrar who will enter the IP addresses of a new set of four trojaned machines every day! Of course, one needs a registrar who, when informed of this, declares it to be perfectly legitimate since they are not hosting the porn site.

    He came back about two weeks ago running both the websites and nameservers off trojaned machines.

    Lots of info on it in news.admin.net-abuse.email and some in alt.spam.

    I wish I could give the hostname/domain name which is working today. Check the nameservers *listed in the root servers* for seductionissimple.com and seduceherfast.com. Then get a reverse lookup on the IP address of the nameservers. I get two ShawCable, a RoadRunner, a cable.rogers.com, a client.mchsi.com, a client2.attbi.com, a bellsouth.net and one with no rDNS which is in Korea. The nameservers listed in the root servers were all different yesterday. Now who changes the IP address of his four nameservers every day?

    Unfortunately, the hostnames, www.seductionissimple.com and seduceherfast.com do not resolve at the moment (yesterday they did, to different IP addresses every minute or so, all on trojaned machines - many of them on AOL). Has the publicity gotten to him? Is he having problems? You can check what registrar was willing to submit the IP addresses of trojaned machines after having been informed of what is going on.

    But, there are trojaned machines out there being used as nameservers and webservers by spammers. For this spammer, the webserver was tiny (a page or so) and sent you off to somewhere else to signup for whatever.
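
The check the poster describes (look up the nameservers listed in the root servers for the domain, reverse-resolve their IPs, and notice that all four change every day and land in consumer cable pools) can be turned into a small scoring routine. This is an added example, not the poster's code; it works on constructed daily snapshots of NS records plus their reverse names and does no live DNS queries, and the residential-suffix list and sample hostnames are made up for the example.

```javascript
// Added example (not from the post above): flags a domain whose authoritative
// nameservers show the pattern the poster describes, i.e. NS IPs that change
// from day to day and resolve back to consumer broadband hosts. Input is
// constructed snapshots of the NS records and the reverse lookup of each NS
// IP; nothing here talks to real DNS.

// Reverse-DNS suffixes of consumer cable/DSL pools. Constructed from the names
// the post mentions; a real deployment would maintain its own list.
const RESIDENTIAL_RDNS_SUFFIXES = [
  'shawcable.net', 'rr.com', 'cable.rogers.com', 'client.mchsi.com',
  'client2.attbi.com', 'bellsouth.net',
];

// A nameserver with no reverse record, or one in a consumer pool, counts as
// "residential" for scoring purposes.
function looksResidential(rdns) {
  if (!rdns) return true;
  const host = rdns.toLowerCase();
  return RESIDENTIAL_RDNS_SUFFIXES.some((s) => host === s || host.endsWith('.' + s));
}

// Fraction of a day's NS IPs that were NOT listed the day before, pooled over
// all consecutive snapshots. 1.0 means a complete daily rotation.
function nsIpChurn(snapshots) {
  let fresh = 0, total = 0;
  for (let i = 1; i < snapshots.length; i++) {
    const yesterday = new Set(snapshots[i - 1].ns.map((n) => n.ip));
    for (const n of snapshots[i].ns) {
      total += 1;
      if (!yesterday.has(n.ip)) fresh += 1;
    }
  }
  return total === 0 ? 0 : fresh / total;
}

// snapshots: [{ day: 'YYYY-MM-DD', ns: [{ ip, rdns }, ...] }, ...], oldest first.
// Returns a verdict plus the evidence behind it, suitable for an abuse report.
function assessNameservers(domain, snapshots) {
  const churn = nsIpChurn(snapshots);
  const all = snapshots.flatMap((s) => s.ns);
  const residential = all.filter((n) => looksResidential(n.rdns)).length;
  const residentialShare = all.length === 0 ? 0 : residential / all.length;
  const reasons = [];
  if (churn >= 0.75) reasons.push('ns-ip-churn=' + churn.toFixed(2));
  if (residentialShare >= 0.5) reasons.push('residential-ns=' + residentialShare.toFixed(2));
  // Both signals together separate a ring of hijacked hosts from, say, a
  // legitimate provider that renumbers its nameservers once.
  return { domain, churn, residentialShare, suspicious: reasons.length === 2, reasons };
}

// Constructed sample data: documentation IP ranges and made-up reverse names.
const FLUX_SNAPSHOTS = [
  { day: '2003-07-10', ns: [
    { ip: '192.0.2.11', rdns: 'S0106aaaa.cg.shawcable.net' },
    { ip: '192.0.2.12', rdns: 'cpe-24-0-0-1.nyc.res.rr.com' },
    { ip: '192.0.2.13', rdns: 'CPE00001.cpe.net.cable.rogers.com' },
    { ip: '192.0.2.14', rdns: null },
  ] },
  { day: '2003-07-11', ns: [
    { ip: '198.51.100.21', rdns: '12-34-56-78.client.mchsi.com' },
    { ip: '198.51.100.22', rdns: 'h000000.ne.client2.attbi.com' },
    { ip: '198.51.100.23', rdns: 'adsl-1-2-3-4.mia.bellsouth.net' },
    { ip: '198.51.100.24', rdns: 'S0106bbbb.vc.shawcable.net' },
  ] },
];
const STABLE_SNAPSHOTS = [
  { day: '2003-07-10', ns: [
    { ip: '203.0.113.53', rdns: 'ns1.hosting-provider.example' },
    { ip: '203.0.113.54', rdns: 'ns2.hosting-provider.example' },
  ] },
  { day: '2003-07-11', ns: [
    { ip: '203.0.113.53', rdns: 'ns1.hosting-provider.example' },
    { ip: '203.0.113.54', rdns: 'ns2.hosting-provider.example' },
  ] },
];
```

The `reasons` array is the part worth keeping: it is the evidence an abuse desk or registrar can verify independently with their own lookups.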

  13. Re:Heh by fubar1971 · · Score: 2, Informative

    ......but these days, computer users should have some basic training on "what attachments are likely to contain pictures from grandma - and what aren't!". Otherwise they might end up hosting some illegal warez server in their own house - without their knowledge...

    Training is a good idea, but unfortunately it doesn't always work. I have a l-user here at work that has been trained on how to use email securely. Then every day, I get phone calls about pr0n email that she has received. She takes great delight in explicitly describing the contents of the message, and then pretending to be offended. Then I get the "Why don't you do something about this" statement. I do have filters on the email server, but unfortunately they only pick up about 85% of the spam. The other 15% get sent to the users and then opened. Luckily I have AV pushed to everyone and configured it so that it can not be turned off or messed with, and everyone gets updated nightly. Just based on the AV logs, I can tell you exactly which l-users do not apply the security training.

  14. Personal Firewall products don't help idiots by zapp · · Score: 2, Informative

    I worked tech support for an ISP for several years a while ago, and when products like ZoneAlarm started making their way around it was no help.

    Even other tech support people came to me every time a port was scanned, or anything showed up on it. Then those tech support people recommended it to their callers, and the problem got worse.

    Of course, 99.9999% of these scans/hits/etc. were not attacks and were just routine net traffic. The personal firewalls just build paranoia of something they don't understand.

    --
    no comment
  15. It's not always the end user who is at fault.... by greymond · · Score: 3, Informative

    One of the sites I created a while back was a mod site for NwN. I had it hosted by a company called XO Communications since I didn't have a fast connection at my house. After getting a little notice from the NwN community I of course started getting spam - however, I also started getting these weird emails from people saying they would sue me for sending them spam. I didn't know what was going on until I got 15 bounced emails from yahoo saying my messages were undeliverable. I hadn't sent the message and I had no idea who the recipients were. I contacted XO and they told me "Yeah this happens occasionally, there really isn't anything you can do, but we have proof that it's not from you so don't worry about getting sued."

    Well, I didn't appreciate that response, so I changed hosts. I tried icestorm and I tried globalhost; it would be fine for a while, then it would start again - the more traffic I got, the more of a pain in the ass it became to explain to people that I was sorry for something I wasn't doing.

    In the end I just stopped caring. Unless I ever get a fast enough connection at home to host the site myself, it looks like this is something that will just happen. And as an end-user I have no control over the security of the website since it is my hosting company's responsibility to lock their shit down. And everyone I've tried seems to have the same response: "well, it's easy to fake where email comes from, sorry, you're shit out of luck in having people confuse you with assholes".

  16. Computer Usage vs Driving to Work by _xeno_ · · Score: 2, Informative
    I like the "computer as car" analogy, because they are both relatively new technologies and both required a lot of changes to society to fully integrate them. They both have similar requirements...

    I want to drive my car to work, you're right. I shouldn't need to know every single component and how it works. I don't need to know the tire pressure. I don't need to understand what the gas gauge is for or what the speedometer indicates. I ignore the little blinking red lights, too.

    Oh - wait - no, I don't. A car requires a lot of upkeep if you want it to work properly, just like a computer does. I have to change my oil every three months (patch the OS), fill up my car with gas every week or so (update AV software), and need to get it inspected every year (reinstall Windows :)). I also need to watch for any error lights lighting up on my dash and need to take action based on them. (Answering AV software alerts?) If it breaks down, I take the car into the mechanic. He knows far more about cars than I do and can fix it properly and safely.

    Why should a computer be treated any differently from a car? Because people have been told that computers are "smart" and are only slowly beginning to learn the horrible truth - they aren't. Computers are dumb. They do what they're told, even if it's harmful, even if it wasn't what was meant (Do What I Mean!). They require constant checkups to ensure that "what they are told" is as close to "what they are supposed to do" as possible.

    Computers require upkeep, just like cars. Just like cars, doing the upkeep prevents your doing what you actually want to do - and just like cars, regularly maintaining your computer helps to ensure smooth operation.

    --
    You are in a maze of twisty little relative jumps, all alike.
  17. Re:There are significant differences... by Anonymous Coward · · Score: 2, Informative

    The problem is, you can't use "RunAs" to run Explorer (for file maintenance), or to change some settings (e.g. network connection settings). And I personally had quite a bit of trouble with bluescreens when I tried to change hardware settings as a non-Administrator user via RunAs (on 2000).

    However, you are right that for many things, RunAs does the job of sudo. But it's not a complete replacement.

  18. Re:There are significant differences... by Wrexen · · Score: 3, Informative

    cannot speak for later versions of Windows since I stopped using them, but I never saw a version of windows that does not force you to completely log off and back on to access privileged functions, encouraging people to run with privileges on all the time, because they cannot just enter the password for privileged activities. Su does not exist, nor does sudo.

    That may have gotten modded up as interesting, but it's just plain wrong. All modern versions of Windows have the "Run As..." command whereby you can start a process as if you were logged in as any other given user. This includes doing things like starting a Control Panel applet or CD Burning program as Administrator or running an installation program as a Power User.

    To do this, just shift-right-click on the shortcut, or use "runas" on the command-line.

  19. Re:There are significant differences... by expro · · Score: 3, Informative

    I clearly stated that I was not up on the latest windows versions. Another poster in the thread has said he was never able to get this sort of thing to work for him.

    When OSX or Mandrake install, they provide GUI support for this sort of thing, and install configuration icons, etc. by default that way, so they can easily be accessed by non-privileged users via su or sudo. If Windows XP and Windows 2000 also have GUI support and discourage the user from running as root by default, then I stand corrected. But if it is too difficult for a novice to use in a default installation, then it hardly qualifies.

    My neighbor tells me that when he installs XP, it makes them root by default, demonstrating that it is apparently not practical to do security right on that box. Relative novices, on the other hand, use Mandrake's non-privileged defaults easily, supplying the privileged password when performing a GUI management function.

    A way to do it without a GUI is no way at all for most users, especially if XP is still commonly installed to log in the default user as root, unlike OSX and Mandrake.

  20. Re:It's not always the end user who is at fault... by PhxBlue · · Score: 4, Informative

    Is the problem just one of your e-mail being harvested off the webpage(s)? If so, try this:

    <script language="JavaScript">

    function writeAddress(name, domain, msg) {
    document.write('<a href="mailto:' + name + '@' + domain + '">');
    document.write(msg);
    document.writeln('</a>');
    }

    </script>

    Blah blah blah

    <script language="JavaScript">
    writeAddress('mymail', 'nospam.com', 'E-mail me!');
    </script>

    Now you've produced a document which displays links to e-mail addresses, without specifying any easily-harvested e-mail addresses in the source of the document.

    --
    !#@%*)anks for hanging up the phone, dear.
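
The writeAddress trick above keeps a complete address out of the page source, which is exactly what a scraper that only greps raw HTML looks for. The following is an added example, not code from the post: it rebuilds the same page markup as a string so it can be checked outside a browser, and runs two constructed "harvesters" over it to show what the trick does and does not hide. The address, label and regex are made up for the example.

```javascript
// Added example, not from the post above: the post's writeAddress trick made
// testable outside a browser, beside two constructed "harvesters" that show
// what the trick does and does not defend against.

// Pattern a naive source-scanning harvester might use (constructed for this example).
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Page built the way the post suggests: the address is only assembled when the
// script runs, so the raw HTML never contains "name@domain" as one token.
function obfuscatedPage(name, domain, label) {
  return [
    '<script>',
    'function writeAddress(n, d, m) {',
    "  document.write('<a href=\"mailto:' + n + '@' + d + '\">');",
    '  document.write(m);',
    "  document.writeln('</a>');",
    '}',
    '</script>',
    '<p>Blah blah blah</p>',
    '<script>writeAddress(' + JSON.stringify(name) + ', ' +
      JSON.stringify(domain) + ', ' + JSON.stringify(label) + ');</script>',
  ].join('\n');
}

// The unobfuscated equivalent, for comparison.
function plainPage(name, domain, label) {
  return '<p><a href="mailto:' + name + '@' + domain + '">' + label + '</a></p>';
}

// Harvester 1: scans the raw HTML only. Returns the addresses it finds.
function staticHarvest(html) {
  return html.match(ADDRESS_RE) || [];
}

// Harvester 2: also runs the page's inline scripts against a stand-in
// `document` that records everything they write, then scans that output too.
// This is the case the trick does not cover.
function executingHarvest(html) {
  const written = [];
  const fakeDocument = {
    write: (s) => written.push(String(s)),
    writeln: (s) => written.push(String(s) + '\n'),
  };
  const scriptBodies = [];
  const scriptRe = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = scriptRe.exec(html)) !== null) scriptBodies.push(m[1]);
  // Inline scripts share one global scope in a browser, so run them as one body.
  new Function('document', scriptBodies.join('\n'))(fakeDocument);
  return staticHarvest(html + '\n' + written.join(''));
}
```

Against a scraper that only reads page source the address stays hidden; against one that executes the script it does not, so treat this as a nuisance measure rather than a control.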
  21. Not just the luzers, it's the ISPs. by Tackhead · · Score: 3, Informative
    > Of course sendmail's old open relays, wide open proxy servers on linux boxes, owned linux DNS servers which play redirection games and so on don't contribute to spam. No siree, because they're on linux, and everyone knows linux has no problems what so ever.

    Fair enough.

    But the real problem from the spam point of view is the negligence of consumer broadband ISPs.

    Dialup pools block outbound port 25. Why can't attbi.com, comcast.com, and rr.com get their acts together too?

    At present, 12.0.0.0/8, 66.0.0.0/8 (fuggit, I'm lazy!) and 24.0.0.0/8 produce nothing but spam, and I block 'em wholesale.

    You wanna run an MTA? Fine - smarthost. The 90% of Windoze luzers with SoBig.* and 9% of 0wn3d Linux boxen don't belong on the 'net, and IMO the ISPs where these boxen reside are criminally negligent in not blocking outbound port 25 traffic to anything other than the ISP's outbound mail server.

    1. Re:Not just the luzers, it's the ISPs. by mackstann · · Score: 2, Informative

      Get a different ISP, I suppose.

  22. It's Microsoft's fault by Anonymous Coward · · Score: 1, Informative

    Ease of use, Remote administration, blah blah blah.

    If Microsoft focused on shipping their product so that a base install was somewhat hardened as opposed to lighting up every service under the sun, having hidden shares enabled, etc., so the system is WIDE open, maybe things wouldn't be this bad.

    Sure, no OS is completely secure. And certainly what's secure today may not be tomorrow, but at some point Microsoft needs to change its policy regarding this.

    But, I am happy that Dell is taking the initiative to ship systems with a hardened OS.
    Kudos to DELL!