Slashdot Mirror

← Back to Stories (view on slashdot.org)

P2P Spam?

Posted by CmdrTaco on from the bend-over-and-take-it dept.

Sgt York writes "In a NYT article (republished in the Houston Chronicle, no subscription required) experts at CERT, F-secure, Trusecure, and the Hall of Justice (see article) think that SoBig.F is a spam scheme in the making. They say that SoBig.F is the 6th variant in an ongoing experiment with the possible goal of setting up a distributed spam network, to be rented out to the highest bidder. If that is their goal, they are well on their way. Another disturbing note in the article is that "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks. "

27 of 340 comments (clear)

  1. Truly P2P if SOBIG.G contains the spam message by JohnGrahamCumming · · Score: 4, Insightful

    I think the superheroes involved in the SOBIG fight miss the entire point.
    The authors are probably testing the feasibility of sending out a virus (which
    given the number of copies I receive) will happily be opened by people and
    then simultaneously sending out spam messages to the same group of people.

    There's no need for the SOBIG authors to control the machines after SOBIG has
    been executed. They just need to include the spam message in the virus
    itself.

    That would make it truly P2P spam. Unsuspecting user X who opens SOBIG would
    transmit the mechansim for sending more spam and his portion of the spam
    deluge. Of course there could be a downside to all this, once the blacklist
    people start cutting off EVERY ISP in the world because of spam messages SOBIG
    would defeat itself because no one would be getting mail.

    John.

    1. Re:Truly P2P if SOBIG.G contains the spam message by Brad+Mace · · Score: 5, Insightful

      They'd need some big balls to associate their company name with a virus. Once the identity of the people unleashing viruses AND sending tons of spam in known, they won't exist for long. For that reason alone I'd say it's much more likely they'd be setting up a distributed spamming network.

    2. Re:Truly P2P if SOBIG.G contains the spam message by RatBastard · · Score: 4, Insightful

      But teh spam message is not for the person who's computer is infected. It's for every email recipient that that computer user knows. The P2P spam network created in this way would be HUGE and unblockable. Who is going to block every subnet on earth? Not gonna happen. The best we can hope for is that ISPs get smart and start blocking SMTP ports on all ip addresses not registered as SMTP servers.

      This could turn into a VERY ugly mess.

      --
      Boobies never hurt anyone. - Sherry Glaser.
    3. Re:Truly P2P if SOBIG.G contains the spam message by IM6100 · · Score: 5, Insightful

      That's interesting. A formal registry of SMTP servers.

      Will we soon be formally registering all people running an HTTPD in the same fashion?

      --
      A Good Intro to NetBS
    4. Re:Truly P2P if SOBIG.G contains the spam message by jrumney · · Score: 5, Funny

      That could be a PAINFUL 10 years if they continue to sell their PENIS ENLARGEMENT PILLS while they're inside!

    5. Re:Truly P2P if SOBIG.G contains the spam message by Kjella · · Score: 4, Interesting

      Hmm.. how about a spam virus as a business "hit"? Even though the business will deny it, what could they do? They'd still be dragged through the dirt. If it has an effect either way, don't be surprised if it is used...

      Kjella

      --
      Live today, because you never know what tomorrow brings
  2. huh? by captain_craptacular · · Score: 5, Interesting

    So someones business plan is to admit to writing/distributing the worm and then rent out the affected boxes?

    I must be missing something because it seems to me that such a business would be immediately sues into oblivion.

    --
    They who would give up an essential liberty for temporary security, deserve neither liberty nor security
    1. Re:huh? by wmaker · · Score: 4, Insightful

      No one actually knows how he/she got the list though. The person wrote the virus, gains the list, and sells it. No questions asked about HOW he got the e-mail addresses.

      --

      What is slashdot?
    2. Re:huh? by GrenDel+Fuego · · Score: 4, Informative

      This virus has it's own built in SMTP engine. I believe the thought is that it's going to be used as a worldwide network of open relays rather than collecting the e-mail addresses from the infected machines.

      Although hey, free e-mail addresses.

  3. So the highest bidder get's to spam? by iplayfast · · Score: 5, Insightful

    OK, so some company decides to buy. Wouldn't they now be liable for unauthorized use of the computers. Why would a company take the risk? I think this is a red herring, and that it's just another way for worm/virus writers to justify themselves to the world (and themselves).

  4. I can say one thing for sure... by bopo · · Score: 4, Funny
    Blockquoth the article:
    "You can liken this guy to Lex Luthor and we're all supermen," said Russ Cooper, a security expert at Trusecure in Herndon, Va. "Luckily we've been able to get the kryptonite from around our necks each time so far."
    I certainly know a lot more about this guy's sex life than I did five minutes ago.

    "Now, liken me to Sinestro and you're the Green Lantern..." *shiver*

    --
    "Understand you're having a little Jimmy Page trouble."
  5. ICQ spam by Wiseazz · · Score: 4, Funny

    Back when I used ICQ, I used to like getting spammed:

    HotSxzzGrl says: Can we talk?

    Or something like that. It's been awhile. God I miss her, though.

    --
    My sig sucks.
  6. It is probably no coincidence, then... by bc90021 · · Score: 4, Interesting

    ... that Sobig.F expires on September 10th, and the next one will probably come out on September 11th.

    --
    libertarianswag.com
  7. 6 degrees attack by bigattichouse · · Score: 5, Interesting

    I would have assumed that this was a six degrees attack on sensitive structures, given the back doors. Flood the network with viruses, and some moron will eventually lead you to the computer you've been actually targetting.

    --
    meh
  8. A Bad Thing? by sethadam1 · · Score: 4, Insightful

    If the entire internet were absolutely smashed with spam, at leats one good thing might emerge - the will to actually combat it realistically!

    With all the techno-dweebs on this site and all the fasntastic opinions about whitelists and blacklists and graylists and modifying SMTP and replacing SMTP and handshakes and authentication and a million other solutions, perhaps someone, somewhere, will finally being to make a dent in actually dealing with the spam problem.

  9. SMTP IS DYING/DEAD by Anonymous Coward · · Score: 4, Interesting

    This protocol allows anonymous delivery of data within your networks. I predict death of feasibility within 1-2 years. No amount of legislation or threat of legal action can stop the flow from a vast supply of potential "dumb" drones.

    Welcome to the Internet, 2003.

    Next up, authenticated delivery, whitelisting, and the death of the mail server as we know it.

  10. I've said this before and I'll repeat myself... by heironymouscoward · · Score: 4, Interesting

    Spam merchants and virus/worm writers are collaborating and will collaborate, and build networks that make spam filters entirely useless.

    Of course Sobig is about spam. Why else does some mysterious but well-financed entity want to control half the desktops of the world?

    How about this spam technique, which I predict will occur in 6-9 months' time:

    Tampering with real emails, inserting the spam message mixed with the real email.

    Does that scare anyone? It makes a mockery of current technology for fighting spam.

    --
    Ceci n'est pas une signature
  11. Smarter Virus Writers by skyknytnowhere · · Score: 4, Interesting

    Maybe its just that the virus writer is actually starting to follow the kinds of ideas that geeks often toss out. "Oh yeah, if I was making a virus I'd have it..."

    Granted, it still exploits the most obvious problem in computing: the people who use Outlook in its "Automatically Run Attachments" mode, but it would be foolish to ignore the largest and most potentially devastating venue.

    Once the guy figures out exactly the heuristic to hit the most targets in the shortest amount of time, he can put a real payload in it, like a file encrypter for .doc files, or something similarly nasty. And he'll only share the key if we put deposit money in a Swiss bank account! ... hey, that's not a bad idea.

    skye

  12. Fixed hosts don't work, but... by RobertB-DC · · Score: 5, Insightful

    I suspect that the 20 hardcoded download sites in the current variant are a proof-of-concept, not a future strategy. Every time a virus is exposed that tries to download from some fixed location, I've wondered why virus writers would even try such a thing, when it's obvious that white hats will reverse-engineer their code?

    What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

    For even better effect, use a moderately common word or phrase that Google couldn't remove from its index without causing big problems.

    On the non-technical side... I was struck by the post in a previous SoBig discussion that noted that this variant expires on 9/10, and if the F-Secure expert is right, that's not a good sign:

    "I think the motivation is clear. It's money," said Mikko Hypponen, director of anti-virus research at F-Secure, an antivirus firm based in Finland that is decoding the illicit program. "Behind Sobig we have a group of hackers who have a budget and money."

    If there's a budget and money, then there's organization, and I'm concerned about the organizations that might see 9/11 as a good day to launch a distributed attack.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Fixed hosts don't work, but... by Simon+Brooke · · Score: 5, Insightful
      What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123 [google.com]", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

      OK, let's see how you would do it...

      The payload of the original virus would be a encrypted peer-to-peer daemon somewhat like Freenet, except that it would only allow uploads signed with a particular digital signature. The client would of course have to include the public key of that signature, but not the private key.

      Once infected a machine would open a listening port and attempt to connect to machines chosen randomly but with a bias to its local class C (as with CodeRed). Once contact has been established the machines would exchange IPs so that each could recontact the other. Each machine would continue to probe for peers until it had found a certain number - say twenty - and then it would remain quiescent, just listening. Periodically (say weekly) it would handshake again with its known peers, and if any failed to handshake twice successively it would seek others until it had again reached quota.

      Once the virus was widespread the author would send a signed file to one infected machine. The name of the file would be a unique string (for simplicity of exposition say a serial number, although any systematically unique string would do) so the first file the virus author injected might be 0001, the next 0002 and so on. The machine would accept the file as genuine because it could decrypt it with its local copy of the public key, and would pass it on unchanged to all the other infected nodes it knew about. If a machine had already received 0001 and was offered 0001 by a peer it would refuse it to save time and network congestion - not to be nice to other users, but because if the thing blocked up network bandwidth completely, it wouldn't be able to do it's own dirty work.

      The signed files could contain

      1. a list of targets and a date/time. When the action date/time in the file was reached, the virus would mount a DDoS attack on the hosts listed in that file for twenty four hours and then delete the file.
      2. the URL of a file to load and then spam out in the same way the virus itself originally spread. Because this file doesn't have to be put up before the virus is launched it could be put up on any defaced site anywhere and need not be tracable back to the author.
      3. a hotfix patch to the virus itself, which would immediately be installed and run.

      This would be incredibly difficult to defend against because

      • in DDoS mode the hosts to be attacked wouldn't be known until the attack file began to propagate - and it could propagate very, very fast indeed, since the peer-to-peer network has connected itself in advance.
      • It would be impossible to introduce 'white' payloads into the network because only the author would have the necessary private key.
      • Because of the upgrade facility, as defences against the virus became available the author could inject into the network 'hot fixes' which would work around these defences.
      • Because the author could inject new signed files into any infected node, it would be very difficult to track down where they were being injected.

      Furthermore, the network could be used to launch several sequential attacks, which would not even need to have been planned at the time the virus was written. The author could, in effect, sell use of a flexible, massively distributed mass-UCE/DDoS attack engine to the highest bidder...

      Hang on, hang on... just wait until I get a patent on that idea!

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
  13. sobig.M kills blacklists? by glsunder · · Score: 4, Insightful

    What if the goal (or effect, either way) was to get things to the point where nearly everything was blacklisted for spam? The virus wouldn't have to send real spam, just fake spam in a way that would cause the person's ISP to be put on the blacklists. Once that happened, people would shut off the spam blocking software, and spam would reign supreme.

  14. Holy Crap by stratjakt · · Score: 4, Insightful

    They could be hunting spam relays. They could be looking to anonymously bounce kiddy porn. They could be looking for thousands of boxes to keep their warez .torrent files alive and kicking.

    Hey, I just thought of that. That'd rock, be much easier and more effective than hunting for pubs. You even have one of your drones host the tracker in the first place.

    Anyways, who cares. Patch your machines and shut up. We're seeing as many sobig stories as we are SCO, and it really isnt that big of a deal.

    --
    I don't need no instructions to know how to rock!!!!
  15. One way to stop the spread of viruses by harley_frog · · Score: 5, Funny

    Don't touch the keyboard.

    --
    It's all fun and games until someone loses the key to the handcuffs.
  16. SoBIG.G Release Proposal by GillBates0 · · Score: 4, Funny

    Stream : SoBIG.main
    Revision : 6.0
    Code to be released : Pending Approval
    Target Release Date : Sept 9, 2003
    Proposed fixes :
    1. Enhance subject line generator.
    (Incorporate statistics from /. poll)
    2. Enhance performance.
    3. Incorporate "increase penis length" email.
    4. Fix critical product change requests
    5. Add string confirming soBIG refers to
    average penis size of development team.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  17. Re:Eventually by forkboy · · Score: 4, Insightful

    THe other possible scenario is that prosecutors will start going after the company that advertised via the spam. I'd like that solution, I've been saying that should be going on for years...spammers will go away if people are now afraid to use that method of marketing for fear of hefty fines.

    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
  18. what about the email lists? by Abm0raz · · Score: 4, Interesting

    Sobig scans the address book, cached webpages, text files on the harddrive, etc., for email addresses. Has it occurred to anyone that the rapid reproduction and spreading may just be a side effect of a spammer trying to gather the largest email list on earth? Imagine what they could do with a list that size? Even people who are careful with their personal email addresses could lose them to the spammer by their parents getting infected.

    Now, add this on top of how the sobig already spoofs emails and you get other people doing your spam for you ... and it's NEARLY untraceable back to you.**

    -Ab

    ** I know they can be traced, at least to the last computer, but getting back to the source is tough cause people tend to delete the original virrused email. I know I traced several attacks and helped notify the host companies/universities and got them cleaned up, but after my 7th track, I got fed up and gave up, adjusted my MTA to block all mails with the .scr and .pif extensions and curled in a fetal position under my deskand took a nap.

    --
    Nothing fails quite like prayer.
  19. I hope this is true ! (no troll!) by selderrr · · Score: 4, Interesting

    IMHO, the only way for SMTP to be replaced by something secure & authenticated (a la whitelists) is if the current system goes belly up in the most insane, painful and costly way imaginable. I wish it wasn't so, but reasoning, debate and research have proven useless to convince the powers that be that something needs to be done. MASSIVE, huge spamming, unstoppable is a way that will costs billions without doing any physical harm. If that doesnt trigger change, nothing will.

    --
    When will I end this grieving ? When will my future begin ?