Slashdot Mirror


Sobig Worm Attacking RBL Lists?

Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"

7 of 260 comments

  1. Where's the hard evidence? by bersl2 · · Score: 3, Interesting

    Has anybody done a disassembly of Sobig? How is it even distributed, as a binary or as a script? I don't think we should attribute Sobig to the spammers just yet.

    OTOH, I have no friggin' idea what I'm talking about...

    1. Re:Where's the hard evidence? by GoneGaryT · · Score: 5, Interesting
      There have been a number of comments on this topic on a closed list for academic sites here in the UK and the analyses point to Sobig DDoS attacks, specifically against spamhaus.org in these cases. Sobig-F was a very well written piece of binary code, encrypted and compressed to 76k AFAIR, and a description of its functionality shows this. In particular, the possibility that it could act as a portal for Trojan downloads reinforces the claim.

      I was trapping infected workstations by monitoring perimeter firewall logs for DNS calls to the root servers, as this is a feature of its activity. Pity I didn't have time to find out what it wanted to resolve, because that could have been interesting.
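Added example, not part of the thread or any poster's code: one way to run the check described in the comment above, flagging internal hosts that send DNS queries straight to root servers instead of going through the site resolver. The log layout, the internal addresses and the resolver allowlist are constructed assumptions; the root server addresses are a partial list.

```python
import re
from collections import Counter

# IPv4 addresses of some root name servers; load the full set from the
# current root hints file in a real deployment.
ROOT_SERVERS = {
    "198.41.0.4",    # a.root-servers.net
    "192.33.4.12",   # c.root-servers.net
    "192.5.5.241",   # f.root-servers.net
    "193.0.14.129",  # k.root-servers.net
    "202.12.27.33",  # m.root-servers.net
}
# Assumption: the site's own recursive resolver, which legitimately queries the roots.
SANCTIONED_RESOLVERS = {"10.0.0.53"}

# Constructed firewall log lines in an iptables-like layout (not real traffic).
SAMPLE_LOG = """\
Sep 25 10:01:02 fw kernel: OUT=eth0 SRC=10.0.0.53 DST=198.41.0.4 PROTO=UDP SPT=32768 DPT=53
Sep 25 10:01:05 fw kernel: OUT=eth0 SRC=10.0.4.17 DST=192.33.4.12 PROTO=UDP SPT=1045 DPT=53
Sep 25 10:01:05 fw kernel: OUT=eth0 SRC=10.0.4.17 DST=193.0.14.129 PROTO=UDP SPT=1046 DPT=53
Sep 25 10:01:06 fw kernel: OUT=eth0 SRC=10.0.4.17 DST=202.12.27.33 PROTO=UDP SPT=1047 DPT=53
Sep 25 10:01:09 fw kernel: OUT=eth0 SRC=10.0.9.30 DST=192.5.5.241 PROTO=TCP SPT=2210 DPT=80
Sep 25 10:01:11 fw kernel: OUT=eth0 SRC=10.0.8.22 DST=198.41.0.4 PROTO=UDP SPT=1200 DPT=53
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?:UDP|TCP) .*?DPT=(?P<dpt>\d+)"
)


def hosts_querying_roots(log_text, min_hits=2):
    """Count direct DNS queries to root servers per unsanctioned internal host."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "53":
            continue  # unparsable line, or traffic that is not DNS
        if m["dst"] in ROOT_SERVERS and m["src"] not in SANCTIONED_RESOLVERS:
            hits[m["src"]] += 1
    # The threshold filters out one-off lookups from misconfigured clients.
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, n in hosts_querying_roots(SAMPLE_LOG).items():
        print(f"{src}: {n} direct root-server DNS queries")
```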

  2. Re:And how could they win? by The_DOD_player · · Score: 3, Interesting

    This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

    If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.

    To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone loses.

    There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows loses.

  3. Do they go after the companies that use spammers by ziaz · · Score: 3, Interesting

    I'm guessing this has already been said, but... Instead of focusing on just the spammers themselves, why not target the companies or individuals that from time to time benefit from the spam? I'm assuming there must be some way to track those people receiving money for Viagra, enlargements, etc.

  4. Wrong! by fmaxwell · · Score: 3, Interesting

    There is at least one gaping hole in your argument, namely that blacklists are also suppressing free speech. You Suck.

    That's an idiotic statement. Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.

    Suppose your ISP started blocking all e-mail from ISP X after reading a New York Times article that ISP X hosts spammers. Would you accuse the New York Times of suppressing free speech? If not, then why would you accuse a blacklist provider of suppressing free speech? Because it's easier to search their database than to search the NY Times archives?

    You need to take a class in Constitutional law.

  5. We figured it out this summer by bigberk · · Score: 5, Interesting

    Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.

    You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.

    The series of Windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (Swen) have very efficient SMTP engines built-in; these are not amateur projects.

    Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. Swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.

    Expect an all-out spam war to break out in 2004.

  6. Proposal for a DDOS-immune RBL by Pig+Hogger · · Score: 3, Interesting
    The idea is to provide a distributed RBL, using only proven recipes and technology.

    The list is a re-implementation of a DNS-based RBL, so as to allow current MTAs to access it without modification.

    The RBL servers are distributed, PRIVATE AND SECRET, in order to avoid being DDOSed. The servers are ordinary BIND, whose zone file is updated by a process to be implemented.

    Those willing to use the RBL service have to run their own DNS server - they are free, however, to allow other trusted people to use their services; only they are going to be affected by an eventual DDOS, but not other users of the DRBL.

    The RBL information is distributed via USENET. USENET has proven its ability to survive all sorts of attacks in the past. It has survived the church of scientology, therefore it will survive chickenboners. Its distributed nature makes it quite invulnerable to the kind of DDOS attacks that currently affect centralized DNS RBLs.

    The list maintainer posts PGP-signed updates to USENET via a network of trusted volunteers who do it from dynamic IP addresses of disposable dialup accounts. For safety, the IP addresses are changed immediately following the posting of updates, in order to avoid being DDOSed.

    Authentication against spoofing and flood attempts is provided by the PGP signature.

    The RBL users then scan USENET for the updates, which, once authenticated, are used to update the zone files on their private and secret DNS servers.
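
Added example, not the poster's code: the receiving side of the proposal above, which authenticates an update before parsing it and then renders DNSBL zone records (reversed octets answering 127.0.0.2). The update line format and all names are hypothetical, and an HMAC over a constructed key stands in for the PGP signature check so the block runs with the standard library only. The serial check goes beyond the proposal: a valid signature alone does not stop an old signed update from being reposted.

```python
import hashlib
import hmac
import ipaddress

DEMO_KEY = b"constructed-demo-key"  # stand-in for the list maintainer's signing key


def demo_sign(payload: bytes) -> str:
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).hexdigest()


def demo_verify(payload: bytes, sig: str) -> bool:
    # Stand-in for verifying a detached PGP signature on the posting.
    return hmac.compare_digest(demo_sign(payload), sig)


def apply_update(payload, sig, listed, last_serial, verify=demo_verify):
    """Return (new_listed, new_serial); raise ValueError if the update is rejected."""
    if not verify(payload, sig):           # authenticate before parsing anything
        raise ValueError("bad signature")
    lines = payload.decode("ascii").splitlines()
    key, _, value = lines[0].partition(": ")
    if key != "Serial":
        raise ValueError("missing serial")
    serial = int(value)
    if serial <= last_serial:              # reject reposted or out-of-order updates
        raise ValueError("stale or replayed update")
    new = set(listed)                      # work on a copy: all-or-nothing apply
    for line in lines[1:]:
        op, addr = line.split()
        ip = ipaddress.IPv4Address(addr)   # rejects malformed addresses
        if op == "+":
            new.add(ip)
        elif op == "-":
            new.discard(ip)
        else:
            raise ValueError(f"unknown operation {op!r}")
    return new, serial


def zone_records(listed):
    """Render DNSBL records: reversed octets, answering with 127.0.0.2."""
    return [".".join(reversed(str(ip).split("."))) + " IN A 127.0.0.2"
            for ip in sorted(listed)]


# Constructed updates in the hypothetical line format (documentation addresses).
UPDATE_1 = b"Serial: 2003092501\n+ 192.0.2.10\n+ 198.51.100.7\n"
UPDATE_2 = b"Serial: 2003092502\n- 192.0.2.10\n+ 203.0.113.5\n"
```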