Spammers Using Hacked Machines as Decoys

avi33 writes "This Wired story shows a disturbing alliance between hackers [sic] and spammers. Interestingly, they blame part of the alliance on market forces, leading some skilled engineers to the dark side for profit's sake. A Polish firm claims to have control of 450,000 Trojaned systems that it uses to mask the IP addresses of its hosted sites. In other words, you could host your Viagra-peddling site with a company that has a stringent no-spam policy, but a DNS lookup will point to a home user's compromised machine. Not quite bulletproof, but certainly ups the ante in the spam war."

Firewall

[JohnGrahamCumming]

Of course if broadband ISPs were to implementing a simple inbound firewall
for every user then they'd eliminate most of these problems overnight:
trojaned machines would be unreachable, worms like CodeRed that scan for
vulnerabilities would be halted.

The few users of broadband who actually need to run an Internet visible
server would then have to contact their ISP for a port to be opened, but
that seems like a small price to pay for cutting off 1000s of machines that
have been hacked.

Naturally, this would cause file steal^H^H^H^Hharing applications to stop
working.

John.

Re:Firewall

[Frostalicious]

an Internet visible server would then have to contact their ISP for a port to be opened

Considering the quality of customer service at my ISP, I'd better hurry up and request an open port for my Duke Nukem Forever server to be up in time.

Re:Firewall

[loknor]

Yes and it is worth the jump backwards in technology to help OS manufacturers continue to pedal sub par product and services that are the real cause of the problem. Attacking a problem at somewhere other than its source has always been such a great way to deal with challenges like this.

Re:Firewall

[fractalus]

This actually would block quite a few things.

1. Personal web servers. Given the quality of most of these sites, probably not a great loss.

2. Game servers. No more running a CounterStrike servers for your buddies.

3. IM file transfers (AIM, ICQ). These require open ports.

4. VoIP, unless that VoIP implementation routes connections through a third computer.

The problem is, when you advocate blocking inbound connections, you force the bulk of the net to only be passive consumers of prepackaged content, rather than equal participants in the net. Blocking specific ports for specific reasons (like outbound port 25, although that has problems too) is one thing, but just deciding everything should be blocked but "approved" stuff means a lot of apps are dead in their tracks... stuff that isn't web/mail.

Re:Firewall

[Shamashmuddamiq]

I'm all for ISPs performing automatic blocking as long as the user has the option of opening all ports. I wish ISPs would charge, say, an extra $5/month for users that want no port blocking. I just bought a house and am moving into a neighborhood that has no DSL. That means that (1) if I get cable, I can't run my services (here in Indianapolis, all the cable companies do port blocking), and (2) if I get satellite, it's really expensive and I can't play the RTS games I always enjoyed. I LIKE running my low-traffic mail, http, and ssh servers. I LIKE being able to do nerdy stuff like accessing my computer from the remote world without having to do all kinds of port redirecting. I don't care what measures the ISP takes to make sure I'm not spamming my neighbors, just as long as they don't take away my basic capabilities. If they want to do relay tests on my machine once a day or limit my outgoing SMTP traffic, then fine. But I'd like to buy an *INTERNET CONNECTION*, and I like to do more than use my connection to look at advertisments.

Re:Firewall

[JohnGrahamCumming]

I never said just "approved" applications. I just said that the default should be everything is off. If you need a port open then it's a service request with the ISP.

That would be a bad idea, but just because someone can't *by default* start running a web server on their machine accessible from the Internet does not make them into "passive consumers". If they want to they can, they just ask the ISP.

A close family member's Windows 2000 box was 0wn3d within days of getting broadband even though they never need any "server" capabilities on the net. Which would have cost the ISP more... dealing with his complaint or dealing with others' requests to open certain ports?

John.

Re:Firewall

[WindBourne]

Oh, you must be on comcast.

Re:Firewall

[nsxfreddy]

Usually when a machine is trojaned, it communicates with the trojan creator actively, meaning it connects to an IRC channel, sends an email, somehow communicates on it's own. Most trojans would not be affected by an inbound firewall block since they would still be able to connect to the controller.

It would not be that difficult to modify a trojan that gets it's commands through an IRC channel to send a spam through that same channel.

Re:Firewall

[NickFortune]

I have broadband and a good solid firewall. I use a deny-by-defualt iptables script on my gateway box and and a second layer filtering outbound connections on my desktop machine. I have neither need nor desire for my ISP to provide a firewall. If they start closing my ports for me, then I get myself a new ISP.

How easy do you suppose it's going to be to get ISPs to open one of those ports? If it's too hard, written confirmation and three days notice perhaps, then its no good if I want to, say, open a port of ssh for a few days.

On the other hand, if it's too easy then it's going to be easy for some hacker to social engineer himself access to port X, should he or she so desire.

Lastly, if ISPs get to thinking that ports are some sort resource that they control, then its only a matter of time before they start charging for them. If I wanted to subscribe to one of those browser only services then that's what I would have done.

I'd have no problem with a ISP based firewall that I had administrative control over. It should be easy enough to design a web-based interface, similar to the webmail pages you see everywhere. Allow me to configure firewall rules at the ISP and I'll use that as well as my own setup. But the minute they start dictating what I can do with which, or messing around with my settings, I look for a new provider.

But I'll not willingly be locked in a cage. Not for my own protection, nor for anyone else's.

Re:Firewall

[Dr.+Manhattan]

Hell, a lot of ISPs can't even be bothered to do outbound filtering to drop packets with spoofed source addresses. If they did that, it would make DOS attacks vastly more difficult. But try getting anyone to care... until they get DOSd.

Re:Firewall

[Suidae]

Most cable companies will be happy to sell you a 'commercial' account too, they'll turn off the port blocking.

Its not any faster, the customer service still sucks, and you don't get any more IP's, but you do get to pay three times as much.

Re:Firewall

[4of12]

not always that easy to find the real "root of the evil"

I have to smile when I think of how true that is. All of the onus of responsibility for computer viri and worms these days is conveniently placed on the writer and dispatcher of the virus or worm. And, yes, they should be held responsible for their primary role.

Fewer people take the time to think that such viri and worms would be fewer and farther between if the underlying OS were designed and implemented better.

Fewer still concede that they have some personal responsibility to apply patches and updates in a timely manner, or that they have to take the time to understand how to harden their systems.

But it's a whole lot more convenient and comfortable to place blame onto the "hacker" than to think that we all have a hand in the creating environment where exploits flourish. Despite how comfortable we feel about placing blame in a simple-minded way, it doesn't seem to have been an effective framework for a policy for improving the situation. At least, not if the past 5 years are any guide, it hasn't.

It's consistent, though. Along with an incorrect view of the problem will come an incorrect solution. TCPA will be foisted upon us in the name of curing "The" problem of "hackers", just as the "Patriot" Act has cured us of the problem of "terrorists."

Re:Firewall

[LWATCDR]

I have issues with paying for someone to not do something. Why do I have to pay for an unlisted phone number I should get a rebate. Why should I pay for my ISP to not block my ports because the vast majority of people can not set up there own firewall. Naw they should pay me for not having to provide me with a firewall.

nailing the bastards

[tarzan353]

It's not that hard to take down a spammer who causes you problems beyond just sending you unwanted email... I had one friend who had a spammer run a couple hundred thousand emails thru his system (a bug had made it into an open relay). It took one stern call to the ISP hosting the advertised websites to get his hosting and DNS cut off at the knees.

This is more than just sending off a single email to a scantly watched abuse email.. This means getting hold of a real person and explaining, realistisay, what sort of legal liabilities they might be open to if they continue to support the spammer's actions. (Hacking laws, aiding and abetting, Trademark infringement and vicarious liability) often fit in there.

If more people would do this, life would get a lot harder for spammers.

Re:nailing the bastards

[avi33]

Right, the point of the article is that this makes it almost impossible to determine which ISP to contact (without ordering a bottle of Viagra and tracing the money trail.)

Am I missing something here

[zymano]

Just sue the owner of the company that they're advertising.

Make some $$$.

Re:Am I missing something here

[jqh1]

My site/service got mentioned in a spam "newsletter" once without my knowledge or consent. I was promptly strung up on spamcop as a business that had advertised in spam -- and my site/service is a spam *fighting* service to begin with!

The point here is there's so much spam with so many variations on the base set of presumed facts, that hair-trigger lawsuits will cause many friendly-fire victims. I doubt the spammer I mentioned above meant to cause me any harm by mentioning me in his "newsletter", but I doubt it would be too hard to find a situation where it's done on purpose -- i *have* been "joe jobbed" several times (used as the reply address on spam) and that gets pretty nasty, too, and presents a similar situation where spammers falsely implicate others. Add in swift and sure legal consequences, and it would be much worse. Even assuming the courts have the ability to determine a false positive defendant when they see one, just think of the expense of doing that.

interesting methodology

[fractalus]

It sounds like they run DNS which "load-balances" requests to the spamvertised sites through zombies set up as open proxies. Since the zombies are scattered throughout all IPs, it makes blocking them hard.

Of course the scumbags know their weak spot is the DNS. Blocking particular domains is easy, and changing the authoritative DNS for a zone takes a while (done that too often). It steps up the spam blacklisting to now require not just refusing mail, but also refusing to talk to certain DNS servers that are known to operate this way. They can move around, but it's harder; I'm not sure if this is better or worse than the current situation.

Damn spammers.

Re:interesting methodology

[fractalus]

I've watched the spam to my inbox go from a few messages a day at the beginning of this year to over 300 a day now. Doubling every ten weeks is a statistic I can believe.

It's clear spammers have no regard for the law. One need only look at their track record: abusing open relays to defray the cost of sending mail, forging headers to divert attention away from themselves, advertising illegal products, businesses, or outright scams, exploiting vulnerabilities in computers to turn victims into zombies for more spamming.

Educating users is futile... I can't even got most of my friends to stop forwarding the latest chain message. I barely saved one of my friends from falling for a credit card phishing scheme, and she's pretty experienced compared to most.

The only thing that is going to work is to go after the people running spamvertised sites. But that's going to cause problems by creating a new kind of "Joe Job"... hire a spammer to spam for your competitor's product; the wrath of the anti-spam crowd then goes straight to your competitor.

Damn spammers.

Guess Who's To Blame

[the_mad_poster]

most of them home computers running Windows with high-speed connections.

WHY wasn't ICF turned on by default in XP Home? WHY aren't there pamphlets included with new computers about keeping AV up to date and not opening unknown e-mail attachments? WHY are so many ports in Windows open by default on Home installations? WHY is Microsoft still clinging to the broken "identify executables by extension" mechanism?

We include pamphlets about how not to hurt yourself while you're using your pretty new Gateway PC, but we can't even drop in a fucking 2 page paper about keeping A/V up to date and the danger of executable attachments? Not only that, Microsoft runs on almost all of the Home PCs out there but almost nobody (sorry geeks, we're all still nobodies when we're not on Slashdot) demands any accountability or quality or security from Microsoft?

Fuck it... I'm going to become a goddamn mime.

Re:Guess Who's To Blame

By including the pamphlet in the box, Gateway is then possibly opened to suits because of the hard link between Gateway and updating AV software.

Also, it can become a support nightmare, as Gateway like most vendors don't support 3rd party software for free.

Even then, troubleshooting or offering any advice to a customer becomes very subjective, and by offering advice on certain products that are not shipped with their systems, Gateway further opens its doors to possible legal action.

I remember once at Gateway about 10 years ago when there was pressure comming down because a customer had a virus on a driver disk. Even though it was obvious that the disk was infected by the persons machine, many internal changes were implemented to protect the company from litigation. Believe me, the last thing that they would want is another repeat of MOD001AAUS.

Re:Guess Who's To Blame

[mosha]

> WHY wasn't ICF turned on by default in XP Home?

This is very good question. ICF is going to be turned on by default in XP - see this CNET article for more details on how Microsoft is doubling its efforts on security.

Re:Guess Who's To Blame

[Animaether]

WHY is Microsoft still clinging to the broken "identify executables by extension" mechanism?

For the same reason that Adobe Photoshop will tell you that a .jpg file is broken if it's actually a Targa file with a JPEG extension ?
It's easy, and it is generally trustworthy.

Your gripe should be with mis-identifying the extension, not with looking at the extension per se.

E.g. anna_kournikova.jpg.exe
Nothing wrong with that, except that you get to see ".jpg", rather than ".exe" - a stupid flaw by whoever wrote that piece of code, but the identifying of an executable by the .exe extension is by no way wrong.

In fact, I would be more worried about something the other way around.
Imagine you get anna_kournikova.jpg, which is actually an executable ?
Right now your OS will simply fail to load the .jpg, and rightly so.
If your OS were to recognize it as an executable and have no inhibitions from running it as such, then you're really screwed.

And just to plug Irfanview over Photoshop (at least in this respect, I know they are not comparable) : Irfanview will tell you that a picture is of a particular filetype with a wrong extension, and even pop up a dialog asking you if it should just rename the file for you. Excellent stuff.

Re:Guess Who's To Blame

[sporty]

The problem isnt' windows. The problem are broken machines on a network. MS released a patch and it never got populated as much as it should. MS doesn't edcuate users on turnning on/off certain things.

But you know what? For every reason these things should be turned off, it's turned on.

And does finger pointing solve anything? No. Did pointing fingers get most everyone to stop using telnet vs ssh? Did it stop people from sending sensitive data over non-ssl connections? No. Did it stop people from running daemons as root? No.

It was proof of concept and people learning. All finger pointing does is make you seem like a colosal jerk. Either propose a solution, help someone out, or become your goddamn mime.

Re:Guess Who's To Blame

[Kphrak]

WHY wasn't ICF turned on by default in XP Home? WHY are so many ports in Windows open by default on Home installations?

AIM. MSNM. ICQ.

Kazaa. Grokster. Morpheus.

Counterstrike. Unreal. Quake.

Personal web servers. Blog software. Update software. File shares.

That's WHY. Much as I hate MS software, don't blame them for saying "the customer is always right." People want to turn their computers into servers (aka traps for every conceivable virus and trojan in existence). They're going to be extremely pissed off if their Aunt Tillie can't see their photos of the new puppy by downloading from their "ZeroSoft NetSharer" webserver, which happened to come packaged with their new ink-jet printer.

Incidentally, I have some personal experience with this thing. A month ago, one of the guys I do freelance work for said his file shares were not working. I looked and found that he had the error "Incorrect function" on those drives. Three hours later, I found out that there was a firewall sitting in memory, autoinstalled by some HP update (no icon, and named like an NT process, of course). That was blocking port 445 and preventing him from connecting to the SMB server. Should have suspected it in the beginning, but who can infer anything from an error message like that?

That cost him $180 in consulting fees, and he'll probably never use a firewall again. To add to his pain, his box had been NATed, so the firewall was almost completely redundant in this case.

Re:So much spam it sucks.

[Trigun]

Spammers are winning.

I hate to say it, but they are. They're winning because they play dirty, and we can't stoop down to their level. After two weeks of battling an unusual torrent of spam, I'm ready to torture one of the bastards in a week-long live-webcast to serve as a warning to everyone else. It's time to sink below their level, so we can punch them in the nuts without throwing out our backs!

Does port blocking mean it's not "Internet"

[DoofusOfDeath]

Forgive my ignorance of the relevant RFCs, but if a service provider doesn't let all valid (according to the RFCs) packets get to your box, are they actually providing "Internet" access?

I.e., isn't it a different protocol at that point?

Now we know how Skynet evolved...

[naztafari]

it started as a network of hi-jacked zombie machines...

And its original purpose was more nefarious than destroying the human race: shoving SPAM down people's throats!

Illegal for Spammers and their clients?

[WatertonMan]

The only reason to Spam is to sell a product. But surely if some seller advertises this way, utilizing hacked systems, they are in serious violation of law. Why don't the feds simply go after the clients of spammers. If that happened enough you'd think that the spammers wouldn't be able to make money and would simply stop spamming!

It's only a matter of time...

[Have+Blue]

...Before computer use (at least on the Internet) requires a license. I realize that has some very large drawbacks, but at the rate we're going one day the benefits really will outweigh the drawbacks. Do we have to wait until network traffic is 90% spam and viruses? 99%? 100%? A computer can do more damage to the network than a car can do to a highway, and we license driving. Maybe we'll wait until poor network performance starts to kill people by interfering with hospitals and emergency services.

Geography 101

[Greedo]

Uh ... Poland is a country of the former Soviet Union? I don't think so.

Maybe an eastern block country. Maybe a Soviet satellite state. But hardly on the same level as Belarus or the *-stan countries (Turkmenistan, Kazakhstan, Uzbekistan, etc.).

No need for a SPAM law then

[jmv]

If that's the way spammers operate, there's no need for new spam laws, no? What they're doing (unauthorized access to a machine) is already a criminal offense. Why not prosecute on that?

Protection on a home level

[ducomputergeek]

I know that we have a NAT firewall on the Wi-fi router in my appartment and then I use Apple's IP firewall on my ibook along with several *iux based security tools and Zone Alarm on my PC and I rarely see any messaged on the PC pop-up about attempted port scan.

When I lived on the dorms, it was a different story. There were an average of 4000 attempt portscans on my machine a day.

Its almost gotten to the point of without turning to viglantism on the internet and launching counter DDos attacks on the spammers themsleves, especially those outside of countries that don't enforce or don't attempt to enfore any type of Spam laws. Most spammers now operate outside of western countries, so what's the cure?

Filtering helps, tools like Spamassassin has brought my total spams from like 80 a day to less than 10.

I for one, as much as I hate them, wouldn't mind to see a few class action lawsuits against spammers. How much longer until the pipes bust with junk and turn the Internet into a near useless medium.

I know several of my clients now call me instead of email as they say that they "Have to wade through 30 junk messages for one valid message". I have rules set up to where my customer's and family email go to seperate folders, and that helps even more, but something needs to be done.

As much as I hate to bitch and not offer any answers, I am afraid that I am stumped. I fear that any attempts to write new protocals, espically by the likes of M$, Yahoo, HP, and other major players, with result in the closing of networks, (i.e. this message was not authenticated by a pallidum enabled server, therefore it will be rejected. Please trade your Mac in for a PC with Win XP^2 for $1000) and cause a leap backwards. At the same time, while people here can say the OSS community will develop an "open" solution, the very fact that its open means that the very people we try to stop will be able to circumvent anything the community develops. Not to say this won't happen with closed-source technology, but then companies like M$ can possible use DMCA against the spammers that reverse engineer such technology.

In any case, spammers are winning and we all are losing.

Spammers == Criminals

[str8]

Here is yet another example of how spammers have no regard for laws and where their activity is blatantly criminal. It also illustrates why spam laws will be ineffective.

It is about time for Law enforcement to find them (follow the money, duh!) and prosecute them. If they are hiding someplace that has no effective rule of law, find them and then knee-cap them. Maybe then they will appreciate law-and-order a bit more.

Psst. Hey buddy, can you spare a .sig?

Re:So much spam it sucks.

[letxa2000]

Spammers are winning.

They are only winning to those that don't do anything to help themselves.

The Verisign SiteFinder was a bad thing, obviously, but I laughed at the reaction "It's breaking my spam filter." What kind of archaeic, obsolete spam filter were these people using?

Likewise, that spammers are using trojaned systems is bad, of course. Any system compromise is bad. But this is just normal virus and hacking. It doesn't make it any harder to get rid of your spam.

I've said it once and I'll say it again, Bayesian filers is the solution. It works today and it depends on no-one but yourself to start using it. Since I started using it in May, I've received 20,596 spams--of those I've seen 89 of them. I.e., only 0.43%. It comes out to one spam every other day, though that's deceptive since probably half of those that got by were cases of a single spam sent 5 times in rapid-fire mode and they all happened to get through at once--the same spam 6 hours later would've been filtered. In reality, I'd guess I see one spam per week. In a perefect world I wouldn't see any, but that's good enough for me in this imperfect world.

Now, some will say "But that doesn't solve the bandwidth problem." In the short-term, no, it doesn't. But in the short-term it doesn't waste my time which is my single largest expense when it comes to spam. And, in the long-term, if more people started using Bayesian the response rate on spam would continue to plummet making it less and less useful to spam in the first place.

But those that are being bothered by spam on a daily basis simply aren't using the tools and technology that are available to them, and have been for over a year.

Good place for a honeypot

[russotto]

If what they're doing is redirecting to random compromised machines which in turn go to the real site, one method for combatting them is to set up a honeypot of easily-compromised machines and wait for one or more of them to get infected by these loser's trojans. Then firewall logs (or analysis of the trojan) will reveal the real addresses being relayed.

How can we get a list of these IP addresses?

[El]

Shouldn't we be monitoring spam anyway, building a list of source IPs, and notifying the ISPs responsible for those IPs to pass along a message to their customers to either a) stop sending spam or b) fix the holes in their machines, or c) they will be cut off from the 'net...

Listed in DNS

[wowbagger]

OK, so these cracked machines are listed in the bad guy's DNS servers.

1. ISPs can start preventing their DNS servers from talking to the bad guys DNS servers. Thus, all spammer domains will fail to resolve.
2. We now have a list of trojan'ed machines. Just do DNS queries, find out the ISPs involved, and have them go after the infected machines.
3. Alternatively, go after the infected machines directly - ram a worm down their throats that cleans the machine up, or at least formats the hard disk to knock it offline.
4. Hack the trojan - harvest the addresses of the spammers' web sites from the data feed.

I cant belive that even slashdotters cant get it..

[Microsofts+slave]

ITS CRACKERS! Hackers are just normal computer enthusiats like me and you. Crackers are the malicious ones. http://www.catb.org/~esr/writings/hacker-history/h acker-history-3.html

Re:So much spam it sucks.

[eriko]

I've said it once and I'll say it again, Bayesian filers is the solution.

No, it's not. Filtering is merely automating "just hit delete." It still gets sent, it still travels the wires to your box, it still hits your spool.

The core argument against spam is that it shoves the costs of advertising onto the recipents. That's why we said that "just hitting delete" wasn't an acceptable answer.

Now, you're singing "Just use Baysian to delete for you." Same spam on the wire, same hit on the spool, same copy to /dev/null -- and worse, now you're spinning extra cycles to scan the mail.

Just hit delete means you kill 1000 this month -- and 10000 a year later. I'm tired of paying for bandwidth that spammers use. I'm tired of throwing cycles at SpamAssassin to trap the spam.

Filtering is not an answer. Filtering is a bandage -- and it's one that's soaking through.