Prosecuting Spamming Crackers?

lnixon asks: "As a recent Slashdot article mentioned, the latest trend in spamming is to use cracked Windows machines for sending spam and hosting spamvertised web sites, 'spacking', as Wired terms it. A couple of weeks ago, I started tracking one of these cracker rings down, carefully documenting the trail as I went.Mostly through luck, I actually found the originating server. This information should seriously put a crimp in their activities...if only I could get the law interested. I have tried to get the attention of CERT, of FBI and of my local police authorities, but nobody seems to be interested. Now, what should I do? Organize a posse?"

Post it on the wed

[Resnikov]

Post it on the web and let the public take the law in to thier own hands

What's the street address?

[crotherm]

If it is near me I can scrounge up a few buddies with the promise of beer afterwards and make the spacker an offer he cannot refuse.

Re:What's the street address?

[You're+All+Wrong]

I don't know if it's regional slang, but where I'm from
"spacker" means "spastic".

So - you wanna confine these spackers to wheelchairs?

YAW

Re:What's the street address?

[crotherm]

I got spacker from the article where the author said that Wired used the term "Spacking" to refer to spamming hackers.

Although confining these folks to a wheel chair is not a bad idea.

Post a URL on /.

[dnotj]

That would:

1. get their attention
2. be the end of their spam operation (for a while)
3. ???
4. profit

So, whats the url/IP of this/these clowns...

...as I prepare the morality guage for /.

Re:Post a URL on /.

[Acidic_Diarrhea]

You failed to click on the link that said documentation didn't you? Go there and you can see all the information this guy has been able to gather.

Here's how to get law enforcement's attention

[El]

You're mistake was referring to them as "spammers" instead of "terrorists". Isn't anybody who cracks a system now official considered a "digital terrorist"?

Re:Here's how to get law enforcement's attention

[m0rph3us0]

Too true, write something like: Cyber Terrorists have gained control of a large number of machines that could be used to attack critical infrastructure and are cracking machines via use of email and web browsers. Then let the news media know.

Re:Here's how to get law enforcement's attention

[the+Man+in+Black]

Modded funny, but you've got a reasonable point there. Call up your local FBI office with reports of "an unknown organization that has illegally compromised computer systems for the purposes of anonymously sending subversive and possibly terrorist communications." Try to get transferred to an Electronic Crimes Unit, if your FBI office has one. Toss them the IP and detail how you tracked it down. Trust me, they'll unleash the dogs of war.

Hell, crying "terrorism" is working for everything else nowadays, why not get something positive done with it?

Re:Here's how to get law enforcement's attention

[mellon]

This is a funny idea, but filing a false report of a crime is itself a crime. So you really don't want to play this game. However, I agree that using the term "spammer" is a bad idea - you can just call it "for the purposes of distributing fraudulent messages," or some other accurate statement that doesn't mention the word "spammer."

However, getting law enforcement to take you seriously on something like this might be a real challenge anwyay - they don't know you from Jack, and so why should they trust you?

I don't mean you're not trustworthy - I'm just pointing out that there's no trust relationship there, and you're putting yourself forth as an investigator, not a crime victim. It will be very hard for you to get them to think of you as legitimate.

Re:Here's how to get law enforcement's attention

for the purposes of distributing fraudulent messages,

How about "For the purposes of coordinating internet-based assaults." That sounds vague yet accurate.

mmm, prosciuto, spam, and crackers

You guys are making me hungry!

Alert the media

[splattertrousers]

Give the information to your local newspapers and TV news programs. The spotlight might spur the authorities into action, and the reporters will love you because you saved them from doing any pesky work for themselves.

Re:Alert the media

[glassesmonkey]

Give the information to your local newspapers and TV news programs. . . and the reporters will love you because you saved them from doing any pesky work for themselves.

Coming up after the break, weather and the world series, but first let's go out to Field Reporter Trisha Takinowa with this report on a man and him crusade... Trisha..

Thanks Don. We are here to interview a man who used nmap and DNS records to trace down a serial.. um, emailer. Please tell us how you did it, knowing that the community is a little safer tonight and forever in your debt. The hard part of tracking these criminals down is now over, and all that is left is to praise you and love you for all that you have done for us. Please leave no details out, tell us about every IP, URL, exe, port, traceroute and DNS entry.

Re:Alert the media

Not to mention that the local media are probably incapable of following such a trail. They not only get a story, they get to look smart, too.

Posse?

[Atzanteol]

One slashdot posse, coming up!

I'll get the pitchforks, you get the caffeine...

MS Piracy

[m0rph3us0]

You said their servers are distributing the MS Proxy Server. Why not let MS know about this, I'm sure they'd fire off a memo to the hosting companies letting them know that the sites are hosting pirated software.

Easy solution

Hack the source web site and turn it into an Al Quaida home page. The terrorist reports will flood in and the spammers will be shut down. That is, until tomorrow when they start up again from somewhere else.

This is why Anti-Spam laws are meaningless

[rudy_wayne]

"...if only I could get the law interested. I have tried to get the attention of CERT, of FBI and of my local police authorities, but nobody seems to be interested."

You can pass all the laws you want, but what good are they if nobody wants to actually ENFORCE them?

Spamming Crackers

[greenhide]

Yuh, it's always them Midwest crackers spamming my Inbox.

jeez

spamming crackers?

why is it always a race issue on this site?

Post the information to slashdot

[complete+loony]

Im sure there are enough vigilanties hanging around here to finish the job for you....

But seriously folks, if you can discover and take down the master host hiding behind all these proxies, you have a much better chance of taking them down.

Another idea, subvert their own network, let a machine or two get into their network of proxies so you can track their future activities.

This kind of computer fraud (yes fraud, there are pretending to be something they're not) needs to be taken much more seriously by the authorities.

Lemme see.. you want me to click where?

[glassesmonkey]

So I got out my Internet Explorer (cause that's what the article says the website needed) and clicked on all those websites mentioned in the article, but nothing loaded... The page was just blank. Oh, my firewall did ask me something about something called DNS, so I clicked 'OK'.. Could someone please email me what was on the site that I was supposed to look at? He said it might be pron ;)

Thanks in advanced.

Re:I got the first post!

If you're willing to compromise on the "living" detail, I know where you can get some sweet lovin... just wear your raincoat.

posse

[Suppafly]

Now, what should I do? Organize a posse?"

Why not? Worked for Andre the Giant.

Congresscritters

[linuxwrangler]

Contact the congresscritters for your local district. They certainly know that any effort to fight spam will look good come re-election and they have the power to "make a couple calls".

Re:Congresscritters

RTFA. He's in Sweden.

that actually sounds good

[TwistedGreen]

Mmmm... spam and crackers...

ObHomerism

[Dr.+Photo]

Mmmm... Spam and crackers.... :)

Now, what should I do? Organize a posse?"

[jefeweiss]

That would be great. I always wanted a posse. If you get one together you should make them all wear MC Hammer pants. .... And everytime you say something a bunch of them should go "Word!" Then you could give them shout outs and stuff.

Post to Bugtraq

[abulafia]

A lot of folks who might know some folks watch the list. Plus, your analysis is the best one I've seen so far on what's going on - this is of interest to others doing security, if nothing else.

Re:Post to Bugtraq

[PerlGuru]

Well this might be better suited for the incidents list, but yes securityfocus probably has the list this should go to. I actually considered posting a message my self to the incidents list as I haven't seen this discussed there.

State attorney generals and the FTC

[Speequinox]

These sorts of cases can be prosecuted by the attorney general of any state in which part of the criminal activity takes place. For example, if any part of the crime took place in New York, even if it's only that some New York residents received the spam, then you would contact the Internet Bureau of the New York State Attorney General. They have a complaint form you can use, or you could call them up. They'll know what you're talking about. If you follow that link, you'll see press releases about spammers they have successfully brought to justice.

The FTC also has some jurisdiction over this.

I'm not a lawyer, but the lawyers at those places will be happy to but your investigational talent to use. Keep up the good work!

Re:State attorney generals and the FTC

Have you ever actually tried to get a state attorney general's office to prosecute a spammer?

I have. I don't know about other states, but Washington State's AGO is pretty much worthless about enforcing their own laws. You can hand them a spammer with thousands of prosecutable spams on a silver platter, and they will do nothing but send you a letter encouraging you to sue them yourself.

Put it on Paper

[Detritus]

Write up a report, print it out and mail it to the appropriate agencies.

Bureaucrats hate paper trails. It's very easy to blow off a phone call. A written report has to be handled more carefully.

Pre-emptive Strike

[Markus+Registrada]

The only way to deal with these distributed attacks is pre-emptively: any host that is susceptible to attack by a spammer must be attacked first by an anti-spammer. The most effective way would be via worms, but that does not suffice. Spammers also enter via booby-trapped web pages and e-mail viruses, so anti-spammers must use those vectors as well. Anti-spammers have to attack first, because otherwise the spammers will plug up the holes behind them, making it progressively harder to root them out after they have installed their own malware.

It is tempting to think that simply closing off the known holes in the target machines should suffice. That's just wishful thinking. There will always be other ways for the spammers to enter, not yet discovered. The only way to keep the spammers out of those hosts is to wipe them clean. Eventually the owners will either leave them disconnected from the internet, or wiped, or will install something secure. Until then, they need to be wiped as many times as needed to get the message across.

This level of conflict was inevitable once the spammers encountered enough interference in their old methods. Now there's no going back. We need to ensure, positively, that any host that is connected to the net really is secure enough not to be hijacked by the spammers, and there's only one way to do that.

The only practical problem with this method is that the spammers have a vector available that anti-spammers don't. Spammers can put their viruses in their own spam, and booby-trap their own web pages referenced by their spam, but anti-spammers can't use those vectors without themselves spamming. Fortunately there are so many holes in the target systems that it will be some time before that difference actually protects the target hosts.

Investigate the bejeebers out of them.

[jonadab]

You'll want to get a whole team of volunteers in on this. Make sure it's
clear, the goal is to investigate, to obtain information. No threats are
to be made, and no physical harm-inducing action to be taken. Just a big
fat trainload of investigation. Spamming itself, though highly objectionable
socially, is not per se illegal, but given the stigma attached to it, there's
an excellent chance that spammers, *especially* ones that also use cracking
techniques, may have the kind of morals that may lead them to view other
illegal actions as "only illegal if you get caught", which could mean that
by investigating you can turn up some real dirt. Can't hurt to check.

An important secondary goal is to make sure, without telling them, that they
KNOW that they are being investigated, but not by whom. So, spare nothing
when it comes to forms of investigation that they'll notice. If you can find
out where they work, phone up their employer and start asking questions.
Don't do anything illegal, but whatever you can do legally, do it. The
going-through-the-garbage trick is fairly well-known now, having been used in
the movies, so if you can determine that it's legal in the jurisdiction in
question, do it -- repeatedly if possible. You want them to *see* their
trash being pilfered by somebody other than trashmen, but not have any way
to track who it was (so, don't let them see your license plates or anything).
The reason you don't want them to know who it was, is because it's scarrier
for them that way. Yeah, taking their garbage may be legal, but even if
you'll win that court case, they'll feel better just by being able to *do*
something about you. Plus, if they know who you are, they'll know also who
you *aren't*, namely, various types of people by whom it would be scary to
be investigated, such as the police, FBI, tv newspeople, professional
investigators, or whatever. You don't want them to be able to rule out
those possibilities. Even if they strongly suspect it's just anti-spam
activists clowning around, you want doubts in the back of their minds.

Basically, there are two things you want to accomplish. First, if they've
done anything illegal, you want to know and, if possible, be able to document
it. Second, and at least as important, you want them so worried about being
investigated that they're up nights, stressed out, irritable, crabby and, in
short, miserable. Bonus points if you can get their families worried about
it too. This will all be most effective if, rather than warning them that
you will investigate them, you let them figure it out on their own. That way
they wonder what *else* is going on. You cannot make any threats that will
scare them as much as what their own immaginations will come up with when
they realise they are being investigated. So don't make threats. If they've
done anything illegal, you want them wondering if the FBI might be involved.
If they haven't, you want them wondering who on earth would be investigating
them and why, and whether possibly a major news network is doing a story on
them for primetime the next time a slow news day rolls around, or some
equally life-disrupting thing. You don't want to hint at anything specific,
of course, because vagueness is scarier. You want them stressed out,
enumerating unpleasant possibilities in their minds, biting their nails,
taking heartburn medications and headache pills.

Ultimately, your goal is for them to decide to get out of spamming. Unless
your investigation turns up anything you can interest the authorities in.
In that case, of course, by all means do that.

How are we doing so far? lets see...

[complete+loony]

nslookup: - drugstorepharmacy.biz, down
- bubra.biz, down
- vhost01.768men.info, down
- hosthype.com, down
- ucp6.biz, 127.0.0.1 huh?

Looks like posting to slashdot gets results.

The IE exploit exe file should be posted to all the anti-virus companies, at least then some windoze lusers will be protected. Leif has left it on his website here.

Re:How are we doing so far? lets see...

[lnixon]

Actually, bubra.biz seem to be doing fine;

$ ./bubrawatch.py -v
ns1.bubra.biz is 81.203.73.17 (81-203-73-17.user.ono.com)
ns2.bubra.biz is 80.138.221.95 (p508ADD5F.dip.t-dialin.net)
ns3.bubra.biz is 80.11.243.45 (AMarseille-102-1-2-45.w80-11.abo.wanadoo.fr)
ns4.bubra.biz is 80.46.141.109 (dsl-80-46-141-109.access.uk.tiscali.com)
ns5.bubra.biz is 82.65.110.228 (lns-p19-16-82-65-110-228.adsl.proxad.net)
$

bubra.biz just handles the nameserver stuff, not web hosting.

Lots of hardcoded information in there

[Zocalo]

This does not seem a very resiliant spam net to me; a lot of the binaries you have examined seem to contain hardcoded values of hosts in the domains "768men.info", "bubra.biz" and "ucp6.biz". You even imply a hardcoded IP address (66.227.96.168) currently being hosted by FDCServers.net. One angle of attack might be to talk to the registrars and ISPs responsible for those domains and try and get them delisted under any AUP they might have. If you can get the domains delisted, then the entire spam net falls apart and the operator will have to start over. Clearly there is criminal behaviour going on here so you have some leverage, albeit not much, to try and convince them to take this course of action.

As to the law enforcement agencies, spam is simply not a serious crime in their eyes, especially given the amount of effort they need to effect a successful prosecution. Sure, the network is being used for spam now, but a simple change to the .exe being hosted by FDCServers (or whatever hosting company the spammer is using at the time) could change that into *anything*. Make sure that you make that clear. Give them a list of any compromised IPs you have identified and suggest that they see if any of those IPs have also been used to launch DoS attacks, etc (likely, given the lack of patching). If you can establish a link to a high profile case then that might be sufficient to kick start an investigation.

Good hunting!

Re:This is why Anti-Spam laws are meaningless- NOT

[schon]

what good are they if nobody wants to actually ENFORCE them?

Well, if you'd been paying attention, you'd notice that the anti-spam laws in most states make it a civil penalty, not a criminal one. So enforcement would be up to the victim.

And (again, if you'd been paying attention, you'd also realize) these spammers are cracking machines - so the submitter is not trying to get them prosecuted under anti-spam laws, but under computer crime laws.

Crack the crackers...

If they hijacked these machines, why can't you hijack them and patch??

Only way to get law enforcement to help...

[macdaddy]

...short of being a corporation that makes millions each year, is to get the media involved. The best thing in the world to make law enforcement do something is bad PR. I know a couple reporters at a few large newspaper that might run a story about it. Let me know if you want me to put you in touch.

Use the Back Door ( Using leverage (media, etc.))

[Stephen+Samuel]

Somebody else pointed out that your problem is that the authorities don't know you from a hole in the ground, so they have a hard time trusting what you've got to say.

Read what I have below, but I think that your best bet is to go to the local university and find a Computing Science professor who's willing to listen to what you have to say. Once you can get the backing of someone like that and their willingness to walk into a meeting with you, then you should be able to go to almost anybody and get their ears perked.

Most University professors are used to having random people (students mostly) coming to to talk to them. Take advantage of this, but remember that you've probably only got a few minutes to get their attention.
Even if they can't help you directly, they can probably point you to someone who can.
____________

Chances are, however, that you do know somebody who can get you an inside track. People like that include would include friends who know high ranking public officials, media people politicians, etc.

Ask around.. see who can get you an appointment of interest. Once you have contacts lined up, your next step is to figure out, for each person of interest, where you can generate a common interest... Your end goal is to get a fire lit under an appropriate police investigator.

A journalist, for example, is going to want a story. On thing you'll need to do here is get their agreement to embargo the story until the hacker's been nailed, or it's clear that some publicity is needed to get some action. My worry here is that once the story breaks, the spammer is likely to destroy lots of evidence.

Politicians, of course, want fame and glory. Knowing that you've got a journalist on the line will help get their attention. The story that will make them look good is "Representative Muck-a-Muck, having been contacted by a constituent, got the appropriate authorities involved and active". Once the story actually breaks, then they can claim to have been on top of it almost from day one.

Police officers are generally overwhelmed. More than anything, they just want to get their assigned jobs done and get home by midnight. There are two ways to approach this (depending on what end of the totem pole they're on).

On the lower end, you're probably looking for someone who knows enough about computers to vette your evidence and verify that it's legitimate. You may have to go through a few officers to get to someone who can understand your evidence well enough to explain it to someone who can get action.
. Remember... they hate spam too. If you can get this spammer 5 years in jail, this will probably set back spamming volume by a year or two as the rest of the spamming community drops these hacking tools for fear of Mr. Bendover.

On the upper end of the totem pole, You're probably best to go in with the backing of a journalist or a computing science professor. Journalists will put the fear of the pen to them. Professors will give you an air of serious credibility.
Let it be known just how much time you've but into the investigation so far, and how mudh more you're willing to put in. Also let them know that your primary interest is putting this b*stard behind bars, and you'd prefer to see the investigation complete before this breaks in the press than afterwards (mostly because it will result in more usable evidence).

Shoot the Hostage?

[ezraekman]

The only way to keep the spammers out of those hosts is to wipe them clean. Eventually the owners will either leave them disconnected from the internet, or wiped, or will install something secure. Until then, they need to be wiped as many times as needed to get the message across.

Let me make sure I'm understanding you correctly. We should illegally hack into innocent users machines to "teach them a lesson" in security... repeatedly, until they either disable their network connection or disable their vulnerabilities? Isn't that like shooting the hostage?

To make a more accurate, real-world example, that would be like walking down the street, shooting at anything that moves, in an attempt to make sure that no one walks outside without adequate protection from... well, people like you. After all, we'll have no terrorists taking hostages if we kill all of the potential hostages, right?

I hope no one depends on you for network security or sysadmin support.

Re:Shoot the Hostage?

[Markus+Registrada]

...we'll have no terrorists taking hostages if we kill all of the potential hostages

I don't recall suggesting to kill anybody. Anyhow, every vulnerable host, sooner or later, will be hijacked by a spammer, or worse. The owners typically neither know nor particularly care if their machines have been hijacked that way, so long as it doesn't interfere too much with their own surfing, e-mailing, or file-sharing. Their ISPs, if they are responsible, do care, but can do little.

There's a legal term for operating a vulnerable host on the 'net: it's an "attractive nuisance". In the absence of possible legal measures, removing such nuisances is the obligation of responsible citizens. Anybody operating a secure host will be unaffected, other than to welcome each incremental decrease in spam.

Nobody has an inherent right to keep a loaded cannon pointed at the town square where anybody might walk up and fire it. Responsible townsmen will pour concrete into any such cannon they find before, not after, the local hooligans come around to fire it. As it is, the local hooligans are firing them again and again, and the owners are generally doing nothing to stop it.

And no, I'm not a sysadmin, but lots of sysadmins agree with me, although they (as I) doubt they could participate in such an action themselves.

Re:Shoot the Hostage?

[ezraekman]

I wasn't trying to insinuate that you advocated killing people; I was making an analogy. The point I was trying to make was that your method for solving the problem is to punish the theoretically innocent and uninformed, rather than teaching them. Perhaps there should be a method for informing them instead, such as tracking their IP (which is legal), and letting their ISP know of the problem, who then contacts the user/subscriber.

There are many "attractive nuisances" in this world, but an unsecured machine, mail server, etc. is not a loaded cannon in the middle of town. It is more like a hardware store. It is intended to be used as a tool. Yes, some people have the knowledge and inclination to turn those tools into weapons, but that doesn't mean that we should clean out the store's inventory the day the owner only locks the handle, but forgets to lock the deadbolt. Doing that will (hopefully) land the thief in jail. There are better ways to teach, and locking all the locks on the door won't necessarily stop a determined enough cracker with the right tools and training.

If you want to ensure that this doesn't happen, advocate information distribution. But what you're advocating (hacking the machines of vulnerable users) is illegal, and is the wrong way to teach this lesson, IMHO. You're right; the ISPs can do little. But that little is enough if the affected person is responsible. If not, I'm sorry, but there's nothing more you can (or should) do, than inform them. I know that it sucks... but people do stupid and dangerous things all the time. As much as you want to, you cannot force people to live the kind of lives that you want them to. To do more will only inflame the decision, and can quite possibly cause more problems than already exist.

Re:Shoot the Hostage?

[Markus+Registrada]

You miss the point. There is no longer any such thing as "innocent and uninformed". Plugging an insecure host into the wide-open internet is, now, itself a hostile act. Your gentle information distribution has already been demonstrated a near-total failure. (Certainly my parents would have no idea what to make of your advice, and would necessarily ignore it.) Insecure hosts are not just vulnerable to misuse themselves, they are weapons for the misuse of all hosts, secure and otherwise.

I don't expect anyone to live the kind of life I want. I do expect the machines they own not to attack mine. If they do not do what is necessary, then it is not only the right, but the responsibility of others to make their machines stop. You like analogies: every vulnerable host is a rabid dog. Surely you will not argue that shooting a rabid dog that is attacking you is somehow immoral? How about a rabid dog that is has not yet begun attacking you and your children, but certainly will -- but you (or they) might not be armed when it does?

The only choices available are (1) to have an internet in which some hosts are able to operate normally (the secure ones) and (2) one in which none can. If no hosts can operate normally, because the insecure hosts have made it impossible, how is failing to take down the insecure hosts doing their owners any favors? The internet they would like to be connected to doesn't exist, because it's being destroyed by them and their like. No one is prevented from setting up a secure host -- that option is open to all. The only effective encouragement possible is for that option to be the only one that actually works for any length of time.