P2P Spam?

Sgt York writes "In a NYT article (republished in the Houston Chronicle, no subscription required) experts at CERT, F-secure, Trusecure, and the Hall of Justice (see article) think that SoBig.F is a spam scheme in the making. They say that SoBig.F is the 6th variant in an ongoing experiment with the possible goal of setting up a distributed spam network, to be rented out to the highest bidder. If that is their goal, they are well on their way. Another disturbing note in the article is that "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks. "

huh?

[captain_craptacular]

So someones business plan is to admit to writing/distributing the worm and then rent out the affected boxes?

I must be missing something because it seems to me that such a business would be immediately sues into oblivion.

So the highest bidder get's to spam?

[iplayfast]

OK, so some company decides to buy. Wouldn't they now be liable for unauthorized use of the computers. Why would a company take the risk? I think this is a red herring, and that it's just another way for worm/virus writers to justify themselves to the world (and themselves).

Re:Truly P2P if SOBIG.G contains the spam message

[Brad+Mace]

They'd need some big balls to associate their company name with a virus. Once the identity of the people unleashing viruses AND sending tons of spam in known, they won't exist for long. For that reason alone I'd say it's much more likely they'd be setting up a distributed spamming network.

6 degrees attack

[bigattichouse]

I would have assumed that this was a six degrees attack on sensitive structures, given the back doors. Flood the network with viruses, and some moron will eventually lead you to the computer you've been actually targetting.

Fixed hosts don't work, but...

[RobertB-DC]

I suspect that the 20 hardcoded download sites in the current variant are a proof-of-concept, not a future strategy. Every time a virus is exposed that tries to download from some fixed location, I've wondered why virus writers would even try such a thing, when it's obvious that white hats will reverse-engineer their code?

What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

For even better effect, use a moderately common word or phrase that Google couldn't remove from its index without causing big problems.

On the non-technical side... I was struck by the post in a previous SoBig discussion that noted that this variant expires on 9/10, and if the F-Secure expert is right, that's not a good sign:

"I think the motivation is clear. It's money," said Mikko Hypponen, director of anti-virus research at F-Secure, an antivirus firm based in Finland that is decoding the illicit program. "Behind Sobig we have a group of hackers who have a budget and money."

If there's a budget and money, then there's organization, and I'm concerned about the organizations that might see 9/11 as a good day to launch a distributed attack.

Re:Fixed hosts don't work, but...

[Simon+Brooke]

What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123 [google.com]", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

OK, let's see how you would do it...

The payload of the original virus would be a encrypted peer-to-peer daemon somewhat like Freenet, except that it would only allow uploads signed with a particular digital signature. The client would of course have to include the public key of that signature, but not the private key.

Once infected a machine would open a listening port and attempt to connect to machines chosen randomly but with a bias to its local class C (as with CodeRed). Once contact has been established the machines would exchange IPs so that each could recontact the other. Each machine would continue to probe for peers until it had found a certain number - say twenty - and then it would remain quiescent, just listening. Periodically (say weekly) it would handshake again with its known peers, and if any failed to handshake twice successively it would seek others until it had again reached quota.

Once the virus was widespread the author would send a signed file to one infected machine. The name of the file would be a unique string (for simplicity of exposition say a serial number, although any systematically unique string would do) so the first file the virus author injected might be 0001, the next 0002 and so on. The machine would accept the file as genuine because it could decrypt it with its local copy of the public key, and would pass it on unchanged to all the other infected nodes it knew about. If a machine had already received 0001 and was offered 0001 by a peer it would refuse it to save time and network congestion - not to be nice to other users, but because if the thing blocked up network bandwidth completely, it wouldn't be able to do it's own dirty work.

The signed files could contain

1. a list of targets and a date/time. When the action date/time in the file was reached, the virus would mount a DDoS attack on the hosts listed in that file for twenty four hours and then delete the file.
2. the URL of a file to load and then spam out in the same way the virus itself originally spread. Because this file doesn't have to be put up before the virus is launched it could be put up on any defaced site anywhere and need not be tracable back to the author.
3. a hotfix patch to the virus itself, which would immediately be installed and run.

This would be incredibly difficult to defend against because

• in DDoS mode the hosts to be attacked wouldn't be known until the attack file began to propagate - and it could propagate very, very fast indeed, since the peer-to-peer network has connected itself in advance.
• It would be impossible to introduce 'white' payloads into the network because only the author would have the necessary private key.
• Because of the upgrade facility, as defences against the virus became available the author could inject into the network 'hot fixes' which would work around these defences.
• Because the author could inject new signed files into any infected node, it would be very difficult to track down where they were being injected.

Furthermore, the network could be used to launch several sequential attacks, which would not even need to have been planned at the time the virus was written. The author could, in effect, sell use of a flexible, massively distributed mass-UCE/DDoS attack engine to the highest bidder...

Hang on, hang on... just wait until I get a patent on that idea!

Re:Truly P2P if SOBIG.G contains the spam message

[IM6100]

That's interesting. A formal registry of SMTP servers.

Will we soon be formally registering all people running an HTTPD in the same fashion?

One way to stop the spread of viruses

[harley_frog]

Don't touch the keyboard.

Re:Truly P2P if SOBIG.G contains the spam message

[jrumney]

That could be a PAINFUL 10 years if they continue to sell their PENIS ENLARGEMENT PILLS while they're inside!