Slashdot Mirror


Spammers Using Hacked Machines as Decoys

avi33 writes "This Wired story shows a disturbing alliance between hackers [sic] and spammers. Interestingly, they blame part of the alliance on market forces, leading some skilled engineers to the dark side for profit's sake. A Polish firm claims to have control of 450,000 Trojaned systems that it uses to mask the IP addresses of its hosted sites. In other words, you could host your Viagra-peddling site with a company that has a stringent no-spam policy, but a DNS lookup will point to a home user's compromised machine. Not quite bulletproof, but certainly ups the ante in the spam war."

19 of 413 comments

  1. Firewall by JohnGrahamCumming · Score: 3, Interesting

    Of course if broadband ISPs were to implement a simple inbound firewall
    for every user then they'd eliminate most of these problems overnight:
    trojaned machines would be unreachable, worms like CodeRed that scan for
    vulnerabilities would be halted.

    The few users of broadband who actually need to run an Internet visible
    server would then have to contact their ISP for a port to be opened, but
    that seems like a small price to pay for cutting off 1000s of machines that
    have been hacked.

    Naturally, this would cause file steal^H^H^H^Hharing applications to stop
    working.

    John.

    1. Re:Firewall by Frostalicious · Score: 4, Funny

      an Internet visible server would then have to contact their ISP for a port to be opened

      Considering the quality of customer service at my ISP, I'd better hurry up and request an open port for my Duke Nukem Forever server to be up in time.

    2. Re:Firewall by loknor · Score: 5, Informative

      Yes, and it is worth the jump backwards in technology to help OS manufacturers continue to peddle sub-par products and services that are the real cause of the problem. Attacking a problem at somewhere other than its source has always been such a great way to deal with challenges like this.

      --
      me karma am bad

    3. Re:Firewall by fractalus · Score: 4, Insightful

      This actually would block quite a few things.

      1. Personal web servers. Given the quality of most of these sites, probably not a great loss.

      2. Game servers. No more running a CounterStrike server for your buddies.

      3. IM file transfers (AIM, ICQ). These require open ports.

      4. VoIP, unless that VoIP implementation routes connections through a third computer.

      The problem is, when you advocate blocking inbound connections, you force the bulk of the net to only be passive consumers of prepackaged content, rather than equal participants in the net. Blocking specific ports for specific reasons (like outbound port 25, although that has problems too) is one thing, but just deciding everything should be blocked but "approved" stuff means a lot of apps are dead in their tracks... stuff that isn't web/mail.

      --
      People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.

    4. Re:Firewall by Shamashmuddamiq · Score: 4, Insightful

      I'm all for ISPs performing automatic blocking as long as the user has the option of opening all ports. I wish ISPs would charge, say, an extra $5/month for users that want no port blocking. I just bought a house and am moving into a neighborhood that has no DSL. That means that (1) if I get cable, I can't run my services (here in Indianapolis, all the cable companies do port blocking), and (2) if I get satellite, it's really expensive and I can't play the RTS games I always enjoyed. I LIKE running my low-traffic mail, http, and ssh servers. I LIKE being able to do nerdy stuff like accessing my computer from the remote world without having to do all kinds of port redirecting. I don't care what measures the ISP takes to make sure I'm not spamming my neighbors, just as long as they don't take away my basic capabilities. If they want to do relay tests on my machine once a day or limit my outgoing SMTP traffic, then fine. But I'd like to buy an *INTERNET CONNECTION*, and I like to do more than use my connection to look at advertisements.

      --
      ...just my 2 gil.

    5. Re:Firewall by nsxfreddy · Score: 3, Informative

      Usually when a machine is trojaned, it communicates with the trojan creator actively, meaning it connects to an IRC channel, sends an email, somehow communicates on its own. Most trojans would not be affected by an inbound firewall block since they would still be able to connect to the controller.

      It would not be that difficult to modify a trojan that gets its commands through an IRC channel to send a spam through that same channel.

    6. Re:Firewall by NickFortune · Score: 4, Insightful

      I have broadband and a good solid firewall. I use a deny-by-default iptables script on my gateway box and a second layer filtering outbound connections on my desktop machine. I have neither need nor desire for my ISP to provide a firewall. If they start closing my ports for me, then I get myself a new ISP.

      How easy do you suppose it's going to be to get ISPs to open one of those ports? If it's too hard, written confirmation and three days notice perhaps, then it's no good if I want to, say, open a port for ssh for a few days.

      On the other hand, if it's too easy then it's going to be easy for some hacker to social engineer himself access to port X, should he or she so desire.

      Lastly, if ISPs get to thinking that ports are some sort of resource that they control, then it's only a matter of time before they start charging for them. If I wanted to subscribe to one of those browser only services then that's what I would have done.

      I'd have no problem with an ISP-based firewall that I had administrative control over. It should be easy enough to design a web-based interface, similar to the webmail pages you see everywhere. Allow me to configure firewall rules at the ISP and I'll use that as well as my own setup. But the minute they start dictating what I can do with which, or messing around with my settings, I look for a new provider.

      But I'll not willingly be locked in a cage. Not for my own protection, nor for anyone else's.

      --
      Don't let THEM immanentize the Eschaton!

    7. Re:Firewall by Dr. Manhattan · Score: 4, Insightful

      Hell, a lot of ISPs can't even be bothered to do outbound filtering to drop packets with spoofed source addresses. If they did that, it would make DoS attacks vastly more difficult. But try getting anyone to care... until they get DoSed.

      --
      PHEM - party like it's 1997-2003!

    8. Re:Firewall by Suidae · Score: 4, Funny

      Most cable companies will be happy to sell you a 'commercial' account too; they'll turn off the port blocking.

      It's not any faster, the customer service still sucks, and you don't get any more IPs, but you do get to pay three times as much.

    9. Re:Firewall by 4of12 · Score: 3, Interesting

      not always that easy to find the real "root of the evil"

      I have to smile when I think of how true that is. All of the onus of responsibility for computer viri and worms these days is conveniently placed on the writer and dispatcher of the virus or worm. And, yes, they should be held responsible for their primary role.

      Fewer people take the time to think that such viri and worms would be fewer and farther between if the underlying OS were designed and implemented better.

      Fewer still concede that they have some personal responsibility to apply patches and updates in a timely manner, or that they have to take the time to understand how to harden their systems.

      But it's a whole lot more convenient and comfortable to place blame onto the "hacker" than to think that we all have a hand in creating the environment where exploits flourish. Despite how comfortable we feel about placing blame in a simple-minded way, it doesn't seem to have been an effective framework for a policy for improving the situation. At least, not if the past 5 years are any guide, it hasn't.

      It's consistent, though. Along with an incorrect view of the problem will come an incorrect solution. TCPA will be foisted upon us in the name of curing "The" problem of "hackers", just as the "Patriot" Act has cured us of the problem of "terrorists."

      --
      "Provided by the management for your protection."

  2. interesting methodology by fractalus · Score: 5, Insightful

    It sounds like they run DNS which "load-balances" requests to the spamvertised sites through zombies set up as open proxies. Since the zombies are scattered throughout all IPs, it makes blocking them hard.

    Of course the scumbags know their weak spot is the DNS. Blocking particular domains is easy, and changing the authoritative DNS for a zone takes a while (done that too often). It steps up the spam blacklisting to now require not just refusing mail, but also refusing to talk to certain DNS servers that are known to operate this way. They can move around, but it's harder; I'm not sure if this is better or worse than the current situation.

    Damn spammers.

    --
    People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.

    1. Re:interesting methodology by fractalus · Score: 4, Informative

      I've watched the spam to my inbox go from a few messages a day at the beginning of this year to over 300 a day now. Doubling every ten weeks is a statistic I can believe.

      It's clear spammers have no regard for the law. One need only look at their track record: abusing open relays to defray the cost of sending mail, forging headers to divert attention away from themselves, advertising illegal products, businesses, or outright scams, exploiting vulnerabilities in computers to turn victims into zombies for more spamming.

      Educating users is futile... I can't even get most of my friends to stop forwarding the latest chain message. I barely saved one of my friends from falling for a credit card phishing scheme, and she's pretty experienced compared to most.

      The only thing that is going to work is to go after the people running spamvertised sites. But that's going to cause problems by creating a new kind of "Joe Job"... hire a spammer to spam for your competitor's product; the wrath of the anti-spam crowd then goes straight to your competitor.

      Damn spammers.

      --
      People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.

  3. Guess Who's To Blame by the_mad_poster · Score: 4, Insightful

    most of them home computers running Windows with high-speed connections.

    WHY wasn't ICF turned on by default in XP Home? WHY aren't there pamphlets included with new computers about keeping AV up to date and not opening unknown e-mail attachments? WHY are so many ports in Windows open by default on Home installations? WHY is Microsoft still clinging to the broken "identify executables by extension" mechanism?

    We include pamphlets about how not to hurt yourself while you're using your pretty new Gateway PC, but we can't even drop in a fucking 2 page paper about keeping A/V up to date and the danger of executable attachments? Not only that, Microsoft runs on almost all of the Home PCs out there but almost nobody (sorry geeks, we're all still nobodies when we're not on Slashdot) demands any accountability or quality or security from Microsoft?

    Fuck it... I'm going to become a goddamn mime.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!

  4. Re:Am I missing something here by jqh1 · Score: 3, Informative

    My site/service got mentioned in a spam "newsletter" once without my knowledge or consent. I was promptly strung up on spamcop as a business that had advertised in spam -- and my site/service is a spam *fighting* service to begin with!

    The point here is there's so much spam with so many variations on the base set of presumed facts, that hair-trigger lawsuits will cause many friendly-fire victims. I doubt the spammer I mentioned above meant to cause me any harm by mentioning me in his "newsletter", but I doubt it would be too hard to find a situation where it's done on purpose -- I *have* been "joe jobbed" several times (used as the reply address on spam) and that gets pretty nasty, too, and presents a similar situation where spammers falsely implicate others. Add in swift and sure legal consequences, and it would be much worse. Even assuming the courts have the ability to determine a false positive defendant when they see one, just think of the expense of doing that.

    --
    who's moderating the meta-moderators?

  5. Re:So much spam it sucks. by Trigun · Score: 5, Insightful

    Spammers are winning.

    I hate to say it, but they are. They're winning because they play dirty, and we can't stoop down to their level. After two weeks of battling an unusual torrent of spam, I'm ready to torture one of the bastards in a week-long live-webcast to serve as a warning to everyone else. It's time to sink below their level, so we can punch them in the nuts without throwing out our backs!

  6. It's only a matter of time... by Have Blue · Score: 3, Interesting

    ...Before computer use (at least on the Internet) requires a license. I realize that has some very large drawbacks, but at the rate we're going one day the benefits really will outweigh the drawbacks. Do we have to wait until network traffic is 90% spam and viruses? 99%? 100%? A computer can do more damage to the network than a car can do to a highway, and we license driving. Maybe we'll wait until poor network performance starts to kill people by interfering with hospitals and emergency services.

  7. Good place for a honeypot by russotto · Score: 4, Insightful

    If what they're doing is redirecting to random compromised machines which in turn go to the real site, one method for combating them is to set up a honeypot of easily-compromised machines and wait for one or more of them to get infected by these losers' trojans. Then firewall logs (or analysis of the trojan) will reveal the real addresses being relayed.

  8. How can we get a list of these IP addresses? by El · Score: 4, Insightful

    Shouldn't we be monitoring spam anyway, building a list of source IPs, and notifying the ISPs responsible for those IPs to pass along a message to their customers to either a) stop sending spam or b) fix the holes in their machines, or c) they will be cut off from the 'net...

    --
    "Freedom means freedom for everybody" -- Dick Cheney

  9. Listed in DNS by wowbagger · Score: 3, Insightful

    OK, so these cracked machines are listed in the bad guys' DNS servers.

    1. ISPs can start preventing their DNS servers from talking to the bad guys DNS servers. Thus, all spammer domains will fail to resolve.
    2. We now have a list of trojan'ed machines. Just do DNS queries, find out the ISPs involved, and have them go after the infected machines.
    3. Alternatively, go after the infected machines directly - ram a worm down their throats that cleans the machine up, or at least formats the hard disk to knock it offline.
    4. Hack the trojan - harvest the addresses of the spammers' web sites from the data feed.
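
As an added illustration from the resolver operator's side (not from the article or any commenter here): a small heuristic that scores repeated lookups of a suspect name by how widely its A records scatter across networks and how fast they rotate, which is what fractalus's "load-balancing through zombies" and wowbagger's points 1 and 2 look like in practice. The sample answers, the 10/8 addresses and the thresholds are all constructed.

```python
from collections import Counter
from ipaddress import IPv4Address

# Constructed observations: successive lookups of one name as (TTL seconds,
# A records). Addresses are made up (10/8, non-routable) so prefixes differ.
CONSTRUCTED_OBSERVATIONS = {
    "spamvertised.example": [
        (300, ["10.17.4.9", "10.88.200.3", "10.131.7.77"]),
        (300, ["10.17.4.9", "10.55.61.2", "10.200.9.14"]),
        (300, ["10.3.140.66", "10.88.200.3", "10.77.1.250"]),
        (300, ["10.102.8.5", "10.9.33.190", "10.160.42.1"]),
    ],
    "hosted.example": [
        (3600, ["10.20.1.10", "10.20.1.11"]),
        (3600, ["10.20.1.11", "10.20.1.10"]),
        (3600, ["10.20.1.10", "10.20.1.11"]),
    ],
}

def summarize(observations):
    """Collapse repeated lookups of one name into dispersion metrics."""
    seen = Counter()
    ttls = []
    for ttl, answers in observations:
        ttls.append(ttl)
        seen.update(IPv4Address(a) for a in answers)
    # Distinct /16s approximates "how many different networks": a pool of
    # infected home machines spans many ISPs, a normally hosted site does not.
    prefixes = {addr.packed[:2] for addr in seen}
    return {
        "distinct_addrs": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(ttls),
        # churn: share of addresses that showed up in only one answer set
        "churn": sum(1 for n in seen.values() if n == 1) / len(seen),
    }

def looks_zombie_fronted(summary, min_prefixes=4, max_ttl=900, min_churn=0.5):
    """Illustrative thresholds (assumptions, not taken from the article)."""
    return (summary["distinct_prefixes"] >= min_prefixes
            and summary["min_ttl"] <= max_ttl
            and summary["churn"] >= min_churn)

def classify_all(observations=CONSTRUCTED_OBSERVATIONS):
    """Verdict per name; for flagged names the distinct addresses are the
    list an abuse desk would pass to the owning ISPs rather than block."""
    return {name: looks_zombie_fronted(summarize(obs))
            for name, obs in observations.items()}
```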