P2P Spam?
Sgt York writes "In a NYT article (republished in the Houston Chronicle, no subscription required) experts at CERT, F-secure, Trusecure, and the Hall of Justice (see article) think that SoBig.F is a spam scheme in the making. They say that SoBig.F is the 6th variant in an ongoing experiment with the possible goal of setting up a distributed spam network, to be rented out to the highest bidder. If that is their goal, they are well on their way. Another disturbing note in the article is that "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks."
So someone's business plan is to admit to writing/distributing the worm and then rent out the affected boxes?
I must be missing something because it seems to me that such a business would be immediately sued into oblivion.
They who would give up an essential liberty for temporary security, deserve neither liberty nor security
We need to have serious penalties for hackers, crackers, and script kiddies. Jail time should be mandatory. We also need a better email protocol which would make it difficult to fake headers.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
It's not the spammers!
It's probably someone out to eventually make every computer a 'trusted computer'
The last thing spammers want to do is lose their ability to spam. If this virus is really intended to help spammers, then it will be in short order that we will all be ordered to use a trusted computer platform (cough *Microsoft* cough) and that will pretty much be the end of any sort of freedoms that the net enjoyed in its early and its glory years.
Would like to hear some discussion thanks!
Sigs are dangerous coy things
I don't think many businesses would want to be associated with a virus spam scheme. Even if most people wouldn't know it came from spam, the truth would come out eventually, and that company would be investigated, and then whoever wrote the virus would be found (and jailed). This would be a horrible plan for any business.
So I'm not sure I buy that explanation.
if(!cool) exit(-1);
... that Sobig.F expires on September 10th, and the next one will probably come out on September 11th.
libertarianswag.com
I would have assumed that this was a six degrees attack on sensitive structures, given the back doors. Flood the network with viruses, and some moron will eventually lead you to the computer you've been actually targeting.
meh
I have been noticing a lot of my hosting customers are being restricted to using only their ISP's SMTP server to send e-mail. They will not be able to connect to their colocated/hosted e-mail servers to send e-mail. I believe this is to prevent SOBIG and other types of worms from sending out e-mail, but this is making my job quite hard. I have to configure webmail for all these customers who would rather use Outlook.
Spam is becoming such a huge business that they need to resort to crime to grow. The stretches of Spam have become so extensive and intrusive that they can't even legally think of anything else. My suggestion, like millions of annoyed consumers, would be to just stop spamming. It is a waste of resources both for the spammer and the spamm-e (what the hell, that doesn't look like a word). Furthermore, all the evidence I can gather suggests that it is entirely ineffective.
So why resort to a series of viruses that rip through international networks? Then again, why climb Mt. Everest? Because it was there.
(Note: Obviously the reaches of SoBig and spam in general reach well outside the United States and in all likelihood, originated elsewhere. Don't think that I am some egocentric American who thinks that the U.S.A. is the only place on Earth. I was just using it as a frame of reference because it is what I am most familiar with.)
The New Root Council, kickin' ass sinc
execution is pisspoor. reference the previous article about viruses/worms being good for us. massive attacks like melissa/iloveyou/sobig/whatever the latest one is gives us another chance to educate our users and friends about not doing things like opening PIFs and EXEs, even from people you know. plus it gets the vulnerability plugged (theoretically anyway).
creating a network THIS way is counterproductive.
turn up the jukebox and tell me a lie
This protocol allows anonymous delivery of data within your networks. I predict death of feasibility within 1-2 years. No amount of legislation or threat of legal action can stop the flow from a vast supply of potential "dumb" drones.
Welcome to the Internet, 2003.
Next up, authenticated delivery, whitelisting, and the death of the mail server as we know it.
Nah, just what I needed. After spending days patching all those Windows PCs from my friends, family and even coworkers I feel kind of tired. I love to come home to my Slackware-Box where everything is just the way I left it and wonder why, oh why, they won't listen to my words? I mean, I told them I would hold their hands while switching. I can't see how someone with a modem connection can honestly stick with something that makes him download hundreds of MB from http.windowsupdate.com (sorry, I meant http://windowsupdate.microsoft.com, say it one more time and I will scream! ;-).
Can't wait til they fire up their distributed Spam-Network, that will show them. Wonder who will be left to hold their hands? Muahaha!!
Sorry for being offtopic but I had to say it.
Cu,
Lispy
Spam merchants and virus/worm writers are collaborating and will collaborate, and build networks that make spam filters entirely useless.
Of course Sobig is about spam. Why else does some mysterious but well-financed entity want to control half the desktops of the world?
How about this spam technique, which I predict will occur in 6-9 months' time:
Tampering with real emails, inserting the spam message mixed with the real email.
Does that scare anyone? It makes a mockery of current technology for fighting spam.
Ceci n'est pas une signature
we had a dink here who would spam Quake and Q3:A servers. He'd join a game, get killed and then just "talk" for an hour. He might have even been a bot. I don't know.
Boobies never hurt anyone. - Sherry Glaser.
Maybe it's just that the virus writer is actually starting to follow the kinds of ideas that geeks often toss out. "Oh yeah, if I was making a virus I'd have it..."
Granted, it still exploits the most obvious problem in computing: the people who use Outlook in its "Automatically Run Attachments" mode, but it would be foolish to ignore the largest and most potentially devastating venue.
Once the guy figures out exactly the heuristic to hit the most targets in the shortest amount of time, he can put a real payload in it, like a file encrypter for .doc files, or something similarly nasty. And he'll only share the key if we put deposit money in a Swiss bank account! ... hey, that's not a bad idea.
skye
Wonderful, I have gotten 5237 of these things and counting as I type this. If the next one is any better than this version I can expect to see greater volumes of this crap and that is not really a pleasing thought for a Mac user. Yeah, this time we are suffering too.
Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
once the blacklist people start cutting off EVERY ISP in the world because of spam messages SOBIG would defeat itself because no one would be getting mail.
That's exactly the point of SoBig.
It's practically impossible to stop, except in 2 cases:
a) Everyone (or at least 95-97%) would not use Outlook anymore...
b) All holes (of the same nature as Sobig uses) are closed in Outlook...
Can't really make up my mind about which is more unlikely to happen....I'm not holding my breath for either to happen though.
I don't know about you but ever since SOBIG has come into the picture, my mail box has been full of antivirus alerts from companies who supposedly got infected mails from my mail ID. Looking at the smtp headers of the infected messages attached in the response, I can see that the mails were never sent from my computer or from any person I know (I don't know anyone in Russia for once), but still somehow someone got my address and used it to spread the virus. Which makes me believe that somehow someone who knows me got infected by the virus and the whole address book was sent to someone somehow.
What's under yellowstone?
Quite a few national ISPs already do port 25 filtering so that customers connected to their network can only use their relays. What's needed on top of that is outbound spam filtering and virus filtering. It doesn't stop at the ISP level, though. If Joe Customer gets a copy of Sobig.f in his inbox, opens it, and starts spamming everyone in his address book, but is blocked due to the diligent efforts of his ISP, it doesn't stop him from taking his laptop to work and passing it along to all his friends at his office and thus hosing their Microsoft Exchange server with no outbound filtering. I have no idea what the authors' motives are and I won't try and guess them until they've made their first move. Unless, of course, the first move has already been made. Let's not forget the incredible insecurity of the internet at large due to the presence of so many unpatched systems. At the very least this virus is yet another example of the grossly underestimated flaws in one of the world's vital communication systems.
Greg Poirier -- Magic Fairy Bunny Princesses, Inc.
Would it be possible that the creators of SoBig took a page from the DirecTV playbook and are slowly building up a software program on each infected computer?
From http://slashdot.org/article.pl?sid=01/01/25/13432 we get:
Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern. While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, yet alone send these batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained useless pieces of computer code that were then required to be present on the card in order to receive the transmission. The hacking community accommodated this in their software, applying these updates in their hacking software. Not until the final batch of updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon.
"Last Sunday night, at 8:30 pm est, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally
Could it be that SoBig is doing the same thing? With each new infection a bit of the code is added to the master?
Cheers,
-- RLJ
Well, I don't know about p2p spam this way, but I do know the RIAA spams me on Kazaa...
Half (okay, exaggeration) the songs I download are clips for their anti-piracy campaign, which I could care less about. I equate this to spam for penis-enlargement pills. I don't need either of them.
Sobig always makes me think of the film Independence Day. You know how the aliens positioned their ships at strategic points around the globe and then waited for the countdown to strike simultaneously?
It makes Sobig seem more 'sinister' when I think of it in these terms. Sure it's annoying, sure it's a drain on time and resources, but what's going to happen when all the ships are in position and the countdown hits zero?
5, 4, 3...
Seems to me that the company's protocols are all out of whack; there should be certain steps a person has to go through to determine if the attachment is valid. Use special extensions, or name the files in a particular way that is unique to your company so that you know what files are valid, and what aren't.
What is slashdot?
better yet, take the next part of the virus payload and base64 it, then fetch it from the google cache. it's unlikely that google would get taken out from the volume of the traffic, but they might purge the documents from the cache when the next variant is reverse engineered.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Nah, HTTP doesn't initiate the connections, the clients do, so presumably, those clients want those webpages to be displayed (pop-ups aside).
SMTP on the other hand initiates the connection to send you the data, no matter if you wanted it or not.
I'd be all for an SMTP registry, but at that point it would make more sense just to make a new RFC for SMTPv2 or similar. If it ever came down to a registry there are a few things that are needed.
#1: Free or close to free for a home user. I have a mail server on my home machine that is for outgoing messages only; I've had times where my ISP's mail server has failed to deliver the messages so I use my own. My mail server isn't listening on any address other than 127.0.0.1, so there is no way someone is going to be relaying through it.
#2: A way to verify that registration data is valid. How many times will Mickey Mouse and Donald Duck register an e-mail server just to spam for a few hours?
#3: Reliability. How does the site stay up against a DDoS? Even the root DNS servers are vulnerable to that.
The more I think of it the more I think an SMTPv2 is needed as opposed to dicking around with SMTP to get it more secure. It's the cutover that will be a bitch.
Do you Gentoo!?
Sobig scans the address book, cached webpages, text files on the harddrive, etc., for email addresses. Has it occurred to anyone that the rapid reproduction and spreading may just be a side effect of a spammer trying to gather the largest email list on earth? Imagine what they could do with a list that size? Even people who are careful with their personal email addresses could lose them to the spammer by their parents getting infected.
Now, add this on top of how the sobig already spoofs emails and you get other people doing your spam for you... and it's NEARLY untraceable back to you.**
-Ab
** I know they can be traced, at least to the last computer, but getting back to the source is tough cause people tend to delete the original virused email. I know I traced several attacks and helped notify the host companies/universities and got them cleaned up, but after my 7th track, I got fed up and gave up, adjusted my MTA to block all mails with the .scr and .pif extensions and curled in a fetal position under my desk and took a nap.
Nothing fails quite like prayer.
Hmm.. how about a spam virus as a business "hit"? Even though the business will deny it, what could they do? They'd still be dragged through the dirt. If it has an effect either way, don't be surprised if it is used...
Kjella
Live today, because you never know what tomorrow brings
Politically-motivated makes more sense. The current version expires on September 10, so a reasonable assumption is that the big attack comes on September 11.
. . . and let Homeland Security take care of them.
I mean, dang, wouldn't it be satisfying to think of the wankers behind this stuck in a cell down in Guantanamo?
And just think: The hour of exercise they'd get each day would probably be more than they're getting now!
IMHO, the only way for SMTP to be replaced by something secure & authenticated (a la whitelists) is if the current system goes belly up in the most insane, painful and costly way imaginable. I wish it wasn't so, but reasoning, debate and research have proven useless to convince the powers that be that something needs to be done. MASSIVE, huge, unstoppable spamming is a way that will cost billions without doing any physical harm. If that doesn't trigger change, nothing will.
When will I end this grieving ? When will my future begin ?
It's logical for spamware writers to turn to viruses, but not necessarily to propagate spam, but as a way to cull addresses and acceptable headers for spams to those addresses. This will enable them to penetrate whitelists, and even Bayesian filters which use headers as fodder for analysis.
My personal email address, which I reveal to almost no one, has now been spread across the world because it was in the address book of someone who opened SoBig.
How about a multi-layer checking system?
1. Do a reverse DNS lookup on the connecting IP and verify in PARANOIA_MODE (a la TCP Wrappers).
2. Attempt to relay through any new servers that haven't already been registered.
3. Require TLS/SSL (this is for everyone's benefit of privacy).
If the connecting server fails those tests, firewall them off. If they pass, register the connecting server IP as an approved sender for, oh, 30 days. That should provide increased security and protection without getting into some kind of registration system. Let the system manage itself.
Intelligent Life on Earth
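One way to prototype the three-step gate from the post above, as an added example that is not code from the post or from any real MTA: the reverse/forward DNS answers, the open-relay probe result and the clock are injected callables, so it runs offline on constructed sample data (the 192.0.2.x addresses and example.net/example.org names are placeholders, and the "PARANOID"-style check follows the TCP Wrappers idea of requiring the PTR name to resolve back to the connecting IP).

```python
import time
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample DNS view (documentation range 192.0.2.0/24; not real hosts).
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "mail.example.net",   # PTR and forward record agree
    "192.0.2.20": "mail.example.net",   # PTR names a host whose A record points elsewhere
    "192.0.2.30": None,                 # no reverse DNS at all
    "192.0.2.40": "relay.example.org",  # consistent rDNS, but relays mail for anyone
}
SAMPLE_A: Dict[str, List[str]] = {"mail.example.net": ["192.0.2.10"],
                                  "relay.example.org": ["192.0.2.40"]}
SAMPLE_OPEN_RELAYS: Set[str] = {"192.0.2.40"}   # constructed probe results

APPROVAL_TTL = 30 * 24 * 3600          # the post's "oh, 30 days"


def paranoid_rdns_ok(ip: str, reverse: Callable[[str], Optional[str]],
                     forward: Callable[[str], Iterable[str]]) -> bool:
    """Step 1: the PTR name must exist and must resolve back to the connecting IP."""
    name = reverse(ip)
    return bool(name) and ip in set(forward(name))


class SenderGate:
    """Admission control for connecting SMTP peers: rDNS, relay probe, TLS, then a 30-day cache."""

    def __init__(self, reverse, forward, relay_probe, now=time.time):
        self.reverse, self.forward = reverse, forward
        self.relay_probe = relay_probe   # True if the peer accepts mail for third parties
        self.now = now                   # injectable clock so expiry can be tested offline
        self.approved: Dict[str, float] = {}   # ip -> expiry timestamp
        self.blocked: Set[str] = set()         # the post's "firewall them off"

    def evaluate(self, ip: str, tls_offered: bool) -> str:
        if ip in self.blocked:
            return "reject"
        if self.approved.get(ip, 0.0) > self.now():
            return "accept"              # registered within the last 30 days: skip the checks
        self.approved.pop(ip, None)      # expired entry: run the full checks again
        if not paranoid_rdns_ok(ip, self.reverse, self.forward):
            return self._block(ip)       # step 1: forged or missing reverse DNS
        if self.relay_probe(ip):
            return self._block(ip)       # step 2: an open relay is not a trusted sender
        if not tls_offered:
            return self._block(ip)       # step 3: STARTTLS required
        self.approved[ip] = self.now() + APPROVAL_TTL
        return "accept"

    def _block(self, ip: str) -> str:
        self.blocked.add(ip)
        return "reject"


def make_sample_gate(clock: Callable[[], float] = time.time) -> SenderGate:
    """Gate wired to the constructed sample DNS and relay data above."""
    return SenderGate(SAMPLE_PTR.get, lambda name: SAMPLE_A.get(name, []),
                      lambda ip: ip in SAMPLE_OPEN_RELAYS, now=clock)
```

Only 192.0.2.10 passes all three layers; a peer whose approval has expired is re-checked from scratch, so a sender that drops TLS after 30 days is blocked.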
This is certainly what the article is hinting at, but I'm not sure it's feasible... the army of zombies has to get its orders from somewhere. It might not be just one central machine, but if the spammer wants to control his army, they have to either accept some form of communication from him, or they have to contact him. Either way, it should trace back to a small # of computers.
SoBig.F had central servers where the machines were supposed to go to get a payload. The list was decrypted and 19 out of 20 servers were taken offline before Sobig hit them. The machines were apparently hacked beforehand and set up to distribute a program of some sort when a certain time hit and when they received an 8-bit ID string that SoBig contained.
If I were a spammer here's what I would do. First, I would set up a few servers, like the creator of Sobig.F apparently did. The first worm would only contain the IP of the first server, and the instant the worm is received it checks that server (and would continue to check it or one of the other servers at regular intervals). From the server it gets a spam message, and the IP of another one of the hacked servers. Email is sent, both spam and those containing Sobig, with the new server address. The same thing happens again with the people who get the new emails, and the chain continues.
Here's what's in it for the spammer: they can change the spam being sent merely by uploading a different copy to the hacked servers, and a constantly changing network of hacked computers can be used to distribute the spam to the virii simply by adding new servers to the system and telling the old servers to send out the new addresses. Unless all the servers can be shut down before the new servers' IP addresses are delivered to them, the chain will continue to propagate.
I probably missed something important that makes this "plan" impossible, but I do think something like it could work.