Slashdot Mirror

← Back to Stories (view on slashdot.org)

Heise Online Reveals Trojan / Spam Connection

Posted by timothy on from the how-to-make-friends-and-influence-people dept.

yourruinreverse writes "Virus distributors have been caught red-handed selling IP addresses of trojan-infected machines by editors of the German IT magazine c't. Several individuals appear to have been arrested already after c't, revealing one of the virus writer's nationality as British, passed on the information to Scotland Yard. Check out the German article first, then its translation on Groklaw and maybe also same translation posted in the English section of the Heise website (in order of appearance)."

11 of 150 comments (clear)

  1. So, I suppose the next question is... by Xystance · · Score: 5, Interesting

    When will they post a website that has an engine that will allow us to submit IP addresses / MAC addresses to find out whether they are infected? I have the entire IP table of where I work... knowing what machines have been compromised through trojans would be helpful... Either way... Go Heise!

    1. Re:So, I suppose the next question is... by ogre57 · · Score: 2, Interesting

      nessus needs a server (nessusd) running on the machine that is being checked.

      Um, no, nessud runs on the machine that is doing the checking. Machine being checked doesn't need to be running anything special, just up and accessible.

      Re g*parent, seems a public site like that would be a great thing, for the spammers. User enters an IP to scan, say 1 in 1000 with a vuln they report as "none found", then use. Now, a non-public web interface equivalent to the nessus client program, for use on an internal-only server, for eg SOHO use .. hmm. I see potential problems, but might not be such a bad idea at that.

  2. Also with Linux Root Kit by rqqrtnb · · Score: 4, Interesting

    Hello!

    This article does not surprise at all. Thus I already read some months ago in the net of a root kit for Linux, which on the stricken computer installs itself and camouflages and then a special SMTP server starts, which from the outside refers always 1000 email addresses in the way of Client server communication and sends then the Spam. In the connection it sent back even still the Resultcodes to the server.

    In the case it was more difficult to pursue the author back because on the one hand the servers were located in several states and on the other hand the companies, to which the IPs/Domains belonged again mail box or dummy firms was.

    The problem is that here regular servers were stricken, which did not have dial up IP and thus also not over RBLs are recognized.

    Which one from it learns is probably clear: Safety updates bring in, mail content scaning (spamassassin), and feel safe never.

    Unfortunately did not know I meant articles any longer to find, otherwise I would have quoted him :(

  3. Excellent work by tiger99 · · Score: 5, Interesting
    It is about time that something like this happened, and I hope the courts deal with them severely.

    It would be very useful if the police forces had well-publicised points of contact for reporting computer and internet crime. At the moment, the local police station is unlikely to know anything at all, unless you are lucky to meet one of the few policemen who is really into computers, likely as a hobby. The expertise seems mainly to be in Scotland Yard, the department there could do with more funding, more staff, and more publicity, such as a simple means to contact them by email or web. My systems get beseiged by attacks from a handful of IP addresses, and if there was a central point for reporting all these easily, it would not be hard to spot the patterns and take appropriate action. For example, a warning letter from the police might be sufficient to get open mail relays closed, and cable modem users who have been trojaned might pay heed and take proper precautions. This could be largely automated, only where the parties concerned were deliberately committing criminal acts, or who failed to react to a warning, would the full powers of the Computer Misuse Act need to be applied.

    Not so long ago there was an idiot on the NTL cable network who was causing continual problems to others because his machine was running continually and had been trojaned, and was being used by hackers elsewhere. Something like that, after a few independent reports, should automatically trigger a "cease and desist" letter, together with some good advice on cleaning up the problem.

    It seems to me that it should be quite simple to gather and collate information from the public, which with the ISP's logs would enable the causes of problems to be located and dealt with. I for one don't mind my ISP's files being available automatically to a law-enforcement robot, I rather would get a warning letter or email if something was amiss.

    Of course the way to deal with the most recent round of severe problems is to simply ban Outlook. I wonder if the Convicted Monopolist could gain another conviction for deliberately producing software which facilitates contravening the Computer Misuse Act? BTW it would help if other countries enacted similar legislation instead of being misled by fascists like the RIAA into stupidly focussing on those who might want to play a DVD on their Linux computer, for example. In the UK, the CMA has real teeth, sadly it does not get exercised as often as it should, because it provides a means to outlaw certain vile practices. For example, if an installer deliberately cripples another application (we all know some that do, and most come from the Redmond area), that is a criminal offence, and rightly so, yet I have not seen any prosecutions. The wording of the Act would suggest that if installing Windoze as the second OS blows away the ability of Linux/BSD/OS-2 (or whatever) to boot, then an offence is committed. The only defence seems to be that it was done in ignorance. Can you imagine Bill standing in the dock in the Old Bailey, pathetically whining that he was not guilty, he was only ignorant? Justice would be admirably served by that admission.

  4. Re:The future of law enforcement? by null_session · · Score: 2, Interesting

    Will this continue to be a pattern in the future? I sure hope so

    I don't know that I wouild count on that. There are lots of CS students with lots of time on their hands. Some trade music files, some write virii, and some track down the people doing the first two (and ocassionally someone writes an OS). Anyone with adiquate knowlege and time can do any of the above, their choice is up to them.

    What choice will you make?

    --
    Politics, Culture, Food?
  5. And the network operaters still do nothing by cluge · · Score: 5, Interesting

    This is no suprise for people involved in the anti-spam community. It has been discussed for some time in NANAE. What is REALLY sad is that some networks really don't seem to care, or don't have the time to police against this sort of thing. When I was Joe Jobbed by one of these spam gangs, using infected machines for webservers, I reported it to RR and comcast security. They were hosting their site all-oem.biz on several obviously compromised machines AND using my e-mail address in advertisements about their company. What did I get for my trouble? E-mail after e-mail that said - "To the best of our knowledge, the incident that was the basis of your complaint was neither posted by an individual using the Road Runner (Or Comcast) system, nor is it in any way related to the Road Runner (or Comcast) system or content maintained by Road Runner." What was funny is that if you did a dig on the domain being advertised it ALWAYS contained a road runner cable modem account.

    Lets try it again for a test shall we?
    # host www.all-oem.biz
    www.all-oem.biz is an alias for all-oem.biz.
    all-oem.biz has address 217.81.243.206
    all-oem.biz has address 24.98.35.54
    all-oem.biz has address 212.83.89.135
    all-oem.biz has address 213.33.0.67
    all-oem.biz has address 24.6.6.196

    And again, what do we have, 2 comcast cable modems working away trying to sell software that APPEARS to be pirated, and is advertised via spam with false headers.

    Lets check the DNS shall we, the dns servers for the domain are listed as follows

    Name Server:NS1.MOROZREG.BIZ
    Name Server:NS2.MOROZREG.BIZ
    Name Server:NS3.MOROZREG.BIZ
    Name Server:NS4.MOROZREG.BIZ
    Name Server:NS5.MOROZREG.BIZ

    Each of these name servers is also hosted on compromised machines, mostly broadband connections. Don't take my word for it, haul out nmap and take a look for yourself. The IP's for these name servers change pretty often. At this time no road runner accounts are showing up. I give it an hour before we get a few more.

    In short this is nothing new, and no one should be shocked. Spammers have shown themselves to be an unscrupulous lot. What IS good is that this is starting to get some press. Perhaps this will put pressure on providers to police their networks better. Otherwise more drastic action may be required to be taken by other networks to simply protect themselves.

    AngryPeopleRule

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  6. Re:Theo article by tiger99 · · Score: 3, Interesting
    Probably true, but most of it would be stopped if people stopped being stupid and got rid of Outlook, as well as taking all the other appropriate precautions. Theives take advantage of open doors, and Sir Bill has left so many openings..... Especially with new viruses, where it is going to take at best hours, more likely days, to get the countermeasures in place, the simple removal of Outlook and its malignant Express mutant gives far more benefit in terms of cost and time than any other single action. Yes, you do still need a stealth-mode firewall, even better a hardware firewall, and one or more virus scanners, but close the biggest hole first!

    I saw a book in the shop the other day called "Writing Secure Code" or something similar. When I saw the publisher, I did not even bother to pick it up for a look, as the company concerned (Guess who?) has a solidly demonstrated long-term track record of gross incompetence in that area.

  7. Re:The future of law enforcement? by Vlad_the_Inhaler · · Score: 5, Interesting

    I did not read the article online, but assume it is the same as was in the copy of C't which I read this morning.

    This is not really 'vigilante justice', especially in the racist sense which some ACs below saw there. It was someone who was affected (if only when cleaning up someone else's computer) and took the trouble to see what the trojan could do and where it came from. He then went to the only organisation he could think of (C't) which was technically able to understand the problem and had the legal knowledge necessary.

    Interesting was that companies like Symantec had also done the analytical work on the trojan(s) (and had posted the results) but had no interest in treating this problem at source (the ISS team). They make their money protecting computers from threats and not attacking those threats at source.

    What is going to happen to ISS now?

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  8. Re:The future of law enforcement? by Vlad_the_Inhaler · · Score: 1, Interesting

    C't reported the people to the police who arrested them. No-one got strung up. What is 'anti-democratic' about putting an 'unpopular minority' (trojan authors) at the mercy of the police? What the hell has this got to do with gay marriage?

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  9. Re:AMerican Media by ScrewMaster · · Score: 4, Interesting

    Yes. More to the point, a number of foreign sources simply report events, which is how I want it. I'll form my own opinions in any event, but at least I don't have to filter out someone else's first. The U.S. media has way too much political and economic influence to really be trusted to report anything reliably anymore. I was talking to someone a few years ago who was in school to be a journalist, and she was told that it is the journalist's job to mold public opinion. Can you believe that? Not to report the facts honestly and completely, with one's own opinions delivered separately and clearly marked as such, but to tell the rest of us what to think. I guess the term "free press" now means that they are free to say anything they want and package it as "news."

    --
    The higher the technology, the sharper that two-edged sword.
  10. Illegal IP addresses? by sglines · · Score: 4, Interesting

    Selling infected IP addresses may be immoral but what is illegal about it?

    I run snort on a bunch of systems and have some very large lists of infected IP addresses. I suspect many others do too. Every time snort burps up a new IP address I inform the ISP that "owns" the IP address. The reality is that no one cares. I have been "hit" by 68.162.91.238 over 20 times in the last month by different viruses.

    These lists are easy to come by and even easier to generate. If someone is dumb enough to pay good money for a list of infected computers - let me know. I wonder what the going rate is.

    If these machines get abused enough maybe, just maybe they'll get fixed.