Prosecuting Spamming Crackers?
lnixon asks: "As a recent Slashdot article mentioned, the latest trend in spamming is to use cracked Windows machines for sending spam and hosting spamvertised web sites, 'spacking', as Wired terms it. A couple of weeks ago, I started tracking one of these cracker rings down, carefully documenting the trail as I went. Mostly through luck, I actually found the originating server. This information should seriously put a crimp in their activities...if only I could get the law interested. I have tried to get the attention of CERT, of FBI and of my local police authorities, but nobody seems to be interested. Now, what should I do? Organize a posse?"
Your mistake was referring to them as "spammers" instead of "terrorists". Isn't anybody who cracks a system now officially considered a "digital terrorist"?
"Freedom means freedom for everybody" -- Dick Cheney
Give the information to your local newspapers and TV news programs. The spotlight might spur the authorities into action, and the reporters will love you because you saved them from doing any pesky work for themselves.
One slashdot posse, coming up!
I'll get the pitchforks, you get the caffeine...
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
You failed to click on the link that said documentation, didn't you? Go there and you can see all the information this guy has been able to gather.
I hate liberals. If you are a liberal, do not reply.
You said their servers are distributing the MS Proxy Server. Why not let MS know about this? I'm sure they'd fire off a memo to the hosting companies letting them know that the sites are hosting pirated software.
So I got out my Internet Explorer (cause that's what the article says the website needed) and clicked on all those websites mentioned in the article, but nothing loaded... The page was just blank. Oh, my firewall did ask me something about something called DNS, so I clicked 'OK'.. Could someone please email me what was on the site that I was supposed to look at? He said it might be pron ;)
Thanks in advance.
Contact the congresscritters for your local district. They certainly know that any effort to fight spam will look good come re-election and they have the power to "make a couple calls".
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
Bureaucrats hate paper trails. It's very easy to blow off a phone call. A written report has to be handled more carefully.
Mea navis aericumbens anguillis abundat
It is tempting to think that simply closing off the known holes in the target machines should suffice. That's just wishful thinking. There will always be other ways for the spammers to enter, not yet discovered. The only way to keep the spammers out of those hosts is to wipe them clean. Eventually the owners will either leave them disconnected from the internet, or wiped, or will install something secure. Until then, they need to be wiped as many times as needed to get the message across.
This level of conflict was inevitable once the spammers encountered enough interference in their old methods. Now there's no going back. We need to ensure, positively, that any host that is connected to the net really is secure enough not to be hijacked by the spammers, and there's only one way to do that.
The only practical problem with this method is that the spammers have a vector available that anti-spammers don't. Spammers can put their viruses in their own spam, and booby-trap their own web pages referenced by their spam, but anti-spammers can't use those vectors without themselves spamming. Fortunately there are so many holes in the target systems that it will be some time before that difference actually protects the target hosts.
As to the law enforcement agencies, spam is simply not a serious crime in their eyes, especially given the amount of effort they need to effect a successful prosecution. Sure, the network is being used for spam now, but a simple change to the .exe being hosted by FDCServers (or whatever hosting company the spammer is using at the time) could change that into *anything*. Make sure that you make that clear. Give them a list of any compromised IPs you have identified and suggest that they see if any of those IPs have also been used to launch DoS attacks, etc (likely, given the lack of patching). If you can establish a link to a high profile case then that might be sufficient to kick start an investigation.
Good hunting!
UNIX? They're not even circumcised! Savages!
...short of being a corporation that makes millions each year, is to get the media involved. The best thing in the world to make law enforcement do something is bad PR. I know a couple reporters at a few large newspapers that might run a story about it. Let me know if you want me to put you in touch.
I don't recall suggesting to kill anybody. Anyhow, every vulnerable host, sooner or later, will be hijacked by a spammer, or worse. The owners typically neither know nor particularly care if their machines have been hijacked that way, so long as it doesn't interfere too much with their own surfing, e-mailing, or file-sharing. Their ISPs, if they are responsible, do care, but can do little.
There's a legal term for operating a vulnerable host on the 'net: it's an "attractive nuisance". In the absence of possible legal measures, removing such nuisances is the obligation of responsible citizens. Anybody operating a secure host will be unaffected, other than to welcome each incremental decrease in spam.
Nobody has an inherent right to keep a loaded cannon pointed at the town square where anybody might walk up and fire it. Responsible townsmen will pour concrete into any such cannon they find before, not after, the local hooligans come around to fire it. As it is, the local hooligans are firing them again and again, and the owners are generally doing nothing to stop it.
And no, I'm not a sysadmin, but lots of sysadmins agree with me, although they (as I) doubt they could participate in such an action themselves.
I don't expect anyone to live the kind of life I want. I do expect the machines they own not to attack mine. If they do not do what is necessary, then it is not only the right, but the responsibility of others to make their machines stop. You like analogies: every vulnerable host is a rabid dog. Surely you will not argue that shooting a rabid dog that is attacking you is somehow immoral? How about a rabid dog that has not yet begun attacking you and your children, but certainly will -- but you (or they) might not be armed when it does?
The only choices available are (1) to have an internet in which some hosts are able to operate normally (the secure ones) and (2) one in which none can. If no hosts can operate normally, because the insecure hosts have made it impossible, how is failing to take down the insecure hosts doing their owners any favors? The internet they would like to be connected to doesn't exist, because it's being destroyed by them and their like. No one is prevented from setting up a secure host -- that option is open to all. The only effective encouragement possible is for that option to be the only one that actually works for any length of time.