Slashdot Mirror


Sobig Worm Attacking RBL Lists?

Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"

12 of 260 comments

  1. DDoS by lbruno · · Score: 2, Interesting

    Everyone on the various anti-spam mailing lists and newsgroups was thinking that these worms were creating a network of spam proxies.

    Maybe they were creating a network of DDoS zombies.

  2. Where's the hard evidence? by bersl2 · · Score: 3, Interesting

    Has anybody done a disassembly of Sobig? How is it even distributed, as a binary or as a script? I don't think we should attribute Sobig to the spammers just yet.

    OTOH, I have no friggin' idea what I'm talking about...

    1. Re:Where's the hard evidence? by GoneGaryT · · Score: 5, Interesting
      There have been a number of comments on this topic on a closed list for academic sites here in the UK and the analyses point to Sobig DDoS attacks, specifically against spamhaus.org in these cases. Sobig-F was a very well written piece of binary code, encrypted and compressed to 76k AFAIR, and a description of its functionality shows this. In particular, the possibility that it could act as a portal for Trojan downloads reinforces the claim.

      I was trapping infected workstations by monitoring perimeter firewall logs for DNS calls to the root servers, as this is a feature of its activity. Pity I didn't have time to find out what it wanted to resolve, because that could have been interesting.

  3. Re:And how could they win? by The_DOD_player · · Score: 3, Interesting

    This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

    If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.

    To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone lose.

    There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows lose.

  4. Do they go after the companies that use spammers by ziaz · · Score: 3, Interesting

    I'm guessing this has already been said, but... Instead of focusing on just the spammers themselves, why not target the companies or individuals that from time to time benefit from the spam. I'm assuming there must be some way to track those people receiving money for viagra, enlargements, etc.

  5. Wrong! by fmaxwell · · Score: 3, Interesting

    There is at least one gaping hole in your argument, namely that blacklists are also suppressing free speech. You Suck.

    That's an idiotic statement. Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.

    Suppose your ISP started blocking all e-mail from ISP X after reading a New York Times article that ISP X hosts spammers. Would you accuse the New York Times of suppressing free speech? If not, then why would you accuse a blacklist provider of suppressing free speech? Because it's easier to search their database than to search the NY Times archives?

    You need to take a class in Constitutional law.

  6. Re:More Harm Than Help by Skapare · · Score: 2, Interesting

    Oh it's you again. You're still pissed off because your ISP harbors spammers and you think that you're not somehow supporting that by helping your ISP stay in business.

    As to your statement about Bayesian filtering ... there are many negative effects. First, it works on the basis of content. What makes mail be spam is not what the content is; it's that the senders are using bulk methods to send to people who didn't want it. I do get some mailings that I have opted in to, which if they were sent to people that don't want them, would be spam to them. Bayesian filtering doesn't work on the basis of what spam really is. Secondly, to even use Bayesian filtering, it becomes necessary to let the spam arrive, using up network and server resources as it comes in. Then the Bayesian filtering has to be run which uses up even more server resources. And finally, if it is considered spam and rejected, then a bounce message has to be queued (taking up disk space), and delivery of it has to be attempted (which for most because it is from real spammers, cannot be delivered, and takes space and delivery attempts for several days). So I will never use Bayesian filtering because it is simply all wrong.

    --
    now we need to go OSS in diesel cars

  7. We figured it out this summer by bigberk · · Score: 5, Interesting

    Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.

    You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.

    The series of Windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (Swen) have very efficient SMTP engines built-in; these are not amateur projects.

    Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. Swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.

    Expect an all-out spam war to break out in 2004.

  8. Proposal for a DDOS-immune RBL by Pig+Hogger · · Score: 3, Interesting
    The idea is to provide a distributed RBL, using only proven recipes and technology.

    The list is a re-implementation of a DNS-based RBL, so to allow current MTAs to access it without modification.

    The RBL servers are distributed, PRIVATE AND SECRET, in order to avoid being DDOSed. The servers are ordinary BIND, whose zone file is updated by a process to be implemented.

    Those willing to use the RBL service have to run their own DNS server - they are free, however, to allow other trusted people to use their services; only they are going to be affected by an eventual DDOS, but not other users of the DRBL.

    The RBL information is distributed via USENET. USENET has proven its ability to survive all sorts of attacks in the past. It has survived the church of scientology, therefore it will survive chickenboners. Its distributed nature makes it quite invulnerable to the kind of DDOS attacks that currently affect centralized DNS RBLs.

    The list maintainer posts PGP-signed updates to USENET via a network of trusted volunteers who do it from dynamic IP addresses of disposable dialup accounts. For safety, the IP addresses are changed immediately following the posting of updates, in order to avoid being DDOSed.

    Authentication against spoofing and flood attempts is provided by the PGP signature.

    The RBL users then scan USENET for the updates, which, once authenticated, are used to update the zone files on their private and secret DNS servers.
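    As an added example (not code from the post above or from any real DRBL project), here is a Python sketch of the subscriber side of that proposal: authenticate a posted update, parse its list/delist lines, apply them to an in-memory zone, and render the reversed-octet A records that an ordinary BIND server would serve to unmodified MTAs. Assumptions: an HMAC over a shared key stands in for the PGP signature check so the demo runs offline, and the "+ip" / "-ip" line format of the posting is invented here.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared secret standing in for the maintainer's PGP key
# (assumption: a real DRBL would verify a detached PGP signature instead).
MAINTAINER_KEY = b"constructed-demo-key"
LISTED = "127.0.0.2"  # conventional DNSBL "this address is listed" answer

def sign_update(body, key=MAINTAINER_KEY):
    # Maintainer side: sign the update text before it is posted to USENET.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_update(body, signature, key=MAINTAINER_KEY):
    # Subscriber side: constant-time comparison of the posted signature.
    return hmac.compare_digest(sign_update(body, key), signature)

def parse_update(body):
    # Assumed format: '+a.b.c.d' lists, '-a.b.c.d' delists, '#' is a comment.
    update = {"add": [], "remove": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "+-":
            raise ValueError(f"malformed update line: {raw!r}")
        ip = str(ipaddress.IPv4Address(line[1:]))  # rejects garbage addresses
        update["add" if line[0] == "+" else "remove"].append(ip)
    return update

def reverse_octets(ip):
    # 192.0.2.10 -> 10.2.0.192, the label order an MTA looks up under the zone.
    return ".".join(reversed(ip.split(".")))

def process_posting(zone, body, signature):
    # Apply one USENET posting; forged or tampered postings are discarded.
    if not verify_update(body, signature):
        raise ValueError("signature check failed; discarding posting")
    update = parse_update(body)
    for ip in update["remove"]:
        zone.pop(ip, None)
    for ip in update["add"]:
        zone[ip] = LISTED
    return zone

def render_zone(zone, origin):
    # Emit BIND zone records for the subscriber's private DNS server.
    lines = [f"$ORIGIN {origin}."]
    for ip in sorted(zone, key=ipaddress.IPv4Address):
        lines.append(f"{reverse_octets(ip)} IN A {zone[ip]}")
    return "\n".join(lines) + "\n"
```

    A tampered posting fails `verify_update` before any address is parsed, so the flood and spoofing cases the post mentions never reach the zone file.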

  9. Who owns the First Amendment? by fm6 · · Score: 2, Interesting
    Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.
    It's not quite that simple. It's true that the first amendment mainly serves to keep the government from suppressing speech. But private entities have a certain responsibility to tolerate free speech as well, and the courts have always recognized this. If you own a large shopping mall, you can't arbitrarily restrict what people say and do there. If it's large and diverse enough to be considered a "public forum" you may just have to put up with people collecting signatures or passing out leaflets, as long as they don't interfere with the operation of the mall. Or not, depending on how broadly your state courts interpret the first amendment. But in any case, you're wrong to assume that private property rights always trump free speech rights.

    But never mind all that, just suppose that we do allow owners of networks and servers absolute control of what passes over their wires. Is that something you really want? Sure, it gives them the power to shut down spam. But it also gives them the power to control what web sites their users can access. Or what their users can put on their own web sites. Now, if hardware is owned by a private company and all its users are employees who are supposed to be using the internet to do their jobs, I suppose you have to grant that company a large measure of control. But if we're talking about public ISPs, then we're talking about something very scary. These ISPs, if they coordinated their efforts, and were allowed to totally control whatever passes over their wires, could do something that governments have repeatedly tried and failed to do: censor the internet.

    A few years ago, there was a site called blackdeath.org that offended certain parties with its anti-Christian rants. Who demanded that their ISP pull the plug. When the ISP declined, they went to the ISP's backbone provider. Which happened to be owned by a major media company. Now, media companies are not fans of censorship, but they like offending people even less -- they might complain to the FCC, or worse, stop watching TV. So the backbone provider told the ISP to pull the plug on blackdeath.org, or else they'd lose their own internet service, and be forced out of business. Naturally they complied. Blackdeath.org went dark, briefly came back with a low-bandwidth provider, then finally disappeared forever.

    This really scared me at the time, since the internet backbone had been consolidated into just a few big companies, most of them with the same censorship-prone connections as the Time Warner backbone. Since then, the backbone situation has gotten a little more competitive. But with the trend to consolidate more and more communications into fewer and fewer companies, I wouldn't get too sanguine. And I'd look for solutions to the spam problem that emphasize individual, not central, control over network traffic.

    1. Re:Who owns the First Amendment? by fmaxwell · · Score: 2, Interesting

      Thank you for your very reasoned and intelligent reply.

      I believe that the shopping mall analogy falls down in one key respect: There is no direct cost to the shopping mall if I hand out leaflets. To make it a truly analogous situation, I would have to distribute the leaflets at some cost to the mall. For example, I would need to occupy enough space that they would need to expand the mall (analogy to additional servers needed for spam processing), I would have to draw enough traffic that they would need to increase the size of their entrances and exits (analogy to bandwidth), and I would need to cause them to need to increase the size of their parking lot (analogy to disk storage). Then the analogy works. The key to this is that I have a right to express myself, but I don't have a right to make you pay for it.

      But never mind all that, just suppose that we do allow owners of networks and servers absolute control of what passes over their wires. Is that something you really want?

      In one sense, yes. A network owner has a right to limit unwanted, unrequested, and harmful traffic. An ISP has a right to block port 135 to stop the spread of a worm. They have the right to refuse e-mail from a spammer who wishes to flood their network with messages. They have a right to block port 80 incoming to keep their residential users from running web servers. What I don't think that they have a right to do is purposely block requested content -- and I don't think that they want to do that, either.

      These ISPs, if they coordinated their efforts, and were allowed to totally control whatever passes over their wires, could do something that governments have repeatedly tried and failed to do: censor the internet.

      But the free market will stop them from doing that. If AOL, Earthlink, and MSN all entered into a censorship pact, then other ISPs would capitalize on offering the "Internet uncensored." There is also the ever-present threat of being considered publishers rather than common carriers. If an ISP were to exercise editorial control over the content that traversed their network, they would quickly find themselves in the legal role of publisher, complete with all of the pitfalls and dangers that entails.

      This really scared me at the time, since the internet backbone had been consolidated into just a few big companies, most of them with the same censorship-prone connections as the Time Warner backbone. Since then, the backbone situation has gotten a little more competitive. But with the trend to consolidate more and more communications into fewer and fewer companies, I wouldn't get too sanguine.

      I agree with your concerns and what they point out is how important it is for the federal government to actively assure that the marketplace remains competitive, that we don't get a "Clear Channel" or "AOL Time Warner" controlling vast swaths of the marketplace.

    2. Re:Who owns the First Amendment? by fm6 · · Score: 2, Interesting
      believe that the shopping mall analogy falls down in one key respect: There is no direct cost to the shopping mall if I hand out leaflets.
      Few shopping mall owners would agree with you. But that's neither here nor there. If property rights trump leafletting rights, then mall owners don't have to have a good reason for forbidding leafletting. Or any reason.
      But the free market will stop them from doing that. If AOL, Earthlink, and MSN all entered into a censorship pact, then other ISPs would capitalize on offering the "Internet uncensored."
      Yes, that's a reasonable safeguard as long as there's lots of competition. And I don't mean ISP competition, because ISPs just retail bandwidth that they buy from backbone wholesalers. If you're reduced to 3 or 4 backbone providers (which was the situation 5 years ago), that's a real threat. Nowadays less so.

      Which I suppose supports your basic argument: that the free market has a healthy ability to create alternate avenues of communication. Which would seem to make serious internet censorship more and more difficult. But by the same token, it also makes spam harder and harder to control. In the end "free speech", whether it's "we hold these truths to be self-evident" or "i'm a nigerian banker with money to give away", seems not so much a right as a law of nature.