P2P Spam?

Sgt York writes "In a NYT article (republished in the Houston Chronicle, no subscription required) experts at CERT, F-secure, Trusecure, and the Hall of Justice (see article) think that SoBig.F is a spam scheme in the making. They say that SoBig.F is the 6th variant in an ongoing experiment with the possible goal of setting up a distributed spam network, to be rented out to the highest bidder. If that is their goal, they are well on their way. Another disturbing note in the article is that "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks. "

huh?

[captain_craptacular]

So someones business plan is to admit to writing/distributing the worm and then rent out the affected boxes?

I must be missing something because it seems to me that such a business would be immediately sues into oblivion.

Bad plan

[connsmythe96]

I don't think many businesses would want to be associated with a virus spam scheme. Even if most people wouldn't know it came from spam, the truth would come out eventually, and that company would be investigated, and then whoever wrote the virus would be found (and jailed). This would be a horrible plan for any business.

So I'm not sure I buy that explanation.

It is probably no coincidence, then...

[bc90021]

... that Sobig.F expires on September 10th, and the next one will probably come out on September 11th.

6 degrees attack

[bigattichouse]

I would have assumed that this was a six degrees attack on sensitive structures, given the back doors. Flood the network with viruses, and some moron will eventually lead you to the computer you've been actually targetting.

This is why ISPs are changing their SMTP rules?

[phaetonic]

I have been noticing a lot of my hosting customers are being restricted to using only their ISPs SMTP server to send e-mail. They will not be able to connect to their colocated/hosted e-mail servers to send e-mail. I believe this is to prevent SOBIG and other types of works from sending out e-mail, but this is making my job quiet hard. I have to configure webmail for all these customers who would rather use Outlook.

Illegal Business Practices

[Kenterlogic]

Spam is becoming such a huge business that they need to resort to crime to grow. The stretches of Spam have become so extensive and intrusive that they can't even legally think of anything else. My suggestion, like millions of annoyed consumers, would be to just stop spamming. It is a waste of resources both for the spammer and the spamm-e (what the hell, that doesn't look like a word). Furthermore, all the evidence I can gather suggests that it is entirely ineffective.

So why resort to a series of virusus that rip through international networks? Then again, why climb Mt. Everest? Because it was there.

(Note: Obviously the reaches of SoBig and spam in general reach well outside the United States and in all likelyhood, originated elsewhere. Don't think that I am som egocentric American who thinks that the U.S.A. is the only place on Earth. I was just using it as a frame of reference because it is what I am most familiar with.)

SMTP IS DYING/DEAD

This protocol allows anonymous delivery of data within your networks. I predict death of feasibility within 1-2 years. No amount of legislation or threat of legal action can stop the flow from a vast supply of potential "dumb" drones.

Welcome to the Internet, 2003.

Next up, authenticated delivery, whitelisting, and the death of the mail server as we know it.

I've said this before and I'll repeat myself...

[heironymouscoward]

Spam merchants and virus/worm writers are collaborating and will collaborate, and build networks that make spam filters entirely useless.

Of course Sobig is about spam. Why else does some mysterious but well-financed entity want to control half the desktops of the world?

How about this spam technique, which I predict will occur in 6-9 months' time:

Tampering with real emails, inserting the spam message mixed with the real email.

Does that scare anyone? It makes a mockery of current technology for fighting spam.

Re:ICQ spam

[RatBastard]

we had a dink here who would spam Quake and Q3:A servers. He'd join a game, get killed and then just "talk" for an hour. He might have even been a bot. I don't know.

Smarter Virus Writers

[skyknytnowhere]

Maybe its just that the virus writer is actually starting to follow the kinds of ideas that geeks often toss out. "Oh yeah, if I was making a virus I'd have it..."

Granted, it still exploits the most obvious problem in computing: the people who use Outlook in its "Automatically Run Attachments" mode, but it would be foolish to ignore the largest and most potentially devastating venue.

Once the guy figures out exactly the heuristic to hit the most targets in the shortest amount of time, he can put a real payload in it, like a file encrypter for .doc files, or something similarly nasty. And he'll only share the key if we put deposit money in a Swiss bank account! ... hey, that's not a bad idea.

skye

Could be just be a way to harness email addresses

[abhikhurana]

I dont know about you but ever since SOBIG has come into picture, my mail box has been full of antivirus alerts from companies whosupposedly got infected mails from my mail ID. Looking at the smtp headers of the infected messages attached in the response, I can see that the mails were never sent from my computer or from any person I know (I dont know any one in Russia for once), but still somehow someone got my address and used it to spread the virus. Which makes me believe that somehow someone who knows me got infected by the virus and the whole address hook was sent to someone somehow.

Checkmate

[Andy+Smith]

Sobig always makes me think of the film Independence Day. You know how the aliens positioned their ships at strategic points around the globe and then waited for the countdown to strike simultaneously?

It makes Sobig seem more 'sinister' when I think of it in these terms. Sure it's annoying, sure it's a drain on time and resources, but what's going to happen when all the ships are in position and the countdown hits zero?

5, 4, 3...

Re:Truly P2P if SOBIG.G contains the spam message

[Binestar]

Nah, HTTP doesn't initiate the connections, the clients do, so presumably, those clients want that webpages to be displayed (pop-up's aside).

SMTP on the otherhand initiates the connection to send you the data, no matter if you wanted it or not.

I'd be all for an SMTP registry, but at that point it would make more sense just to make a new RFC for SMTPv2 or similar. If it ever came down to a registry there are a few things that are needed.

#1: Free or close to free for a home user. I have a mail server on my home machine that is for outgoing messages only, I've had times where my ISP's mail server has failed to deliver the messages so I use my own. my mail server isn't listening on any port other than 127.0.0.1, so there is no way someone is going to be relaying through it.

#2: A way to verify that registration data is valid. How many times will micky mouse and Donald Duck register an e-mail server just to spam for a few hours?

#3: Reliability. How does the site stay up against a DDOS? Even the root DNS servers are vulnerable to that.

The more I think of it the more I think an SMTPv2 is needed as opposed to dicking around with SMTP to get it more secure. It's the cutover that will be a bitch.

what about the email lists?

[Abm0raz]

Sobig scans the address book, cached webpages, text files on the harddrive, etc., for email addresses. Has it occurred to anyone that the rapid reproduction and spreading may just be a side effect of a spammer trying to gather the largest email list on earth? Imagine what they could do with a list that size? Even people who are careful with their personal email addresses could lose them to the spammer by their parents getting infected.

Now, add this on top of how the sobig already spoofs emails and you get other people doing your spam for you ... and it's NEARLY untraceable back to you.**

-Ab

** I know they can be traced, at least to the last computer, but getting back to the source is tough cause people tend to delete the original virrused email. I know I traced several attacks and helped notify the host companies/universities and got them cleaned up, but after my 7th track, I got fed up and gave up, adjusted my MTA to block all mails with the .scr and .pif extensions and curled in a fetal position under my deskand took a nap.

Re:Truly P2P if SOBIG.G contains the spam message

[Kjella]

Hmm.. how about a spam virus as a business "hit"? Even though the business will deny it, what could they do? They'd still be dragged through the dirt. If it has an effect either way, don't be surprised if it is used...

Kjella

If there's a motive, it's political

[Animats]

It can't be a business venture, even a spam-based one. It's too high-profile a criminal enterprise. If the people behind it try to collect money, they'll be hunted down and arrested, or worse.

Politically-motivated makes more sense. The current version expires on September 10, so a reasonable assumption is that the big attack comes on September 11.

I hope this is true ! (no troll!)

[selderrr]

IMHO, the only way for SMTP to be replaced by something secure & authenticated (a la whitelists) is if the current system goes belly up in the most insane, painful and costly way imaginable. I wish it wasn't so, but reasoning, debate and research have proven useless to convince the powers that be that something needs to be done. MASSIVE, huge spamming, unstoppable is a way that will costs billions without doing any physical harm. If that doesnt trigger change, nothing will.