Slashdot Mirror
Heise Online Reveals Trojan / Spam Connection
yourruinreverse writes "Virus distributors have been caught red-handed selling IP addresses of trojan-infected machines by editors of the German IT magazine c't. Several individuals appear to have been arrested already after c't, revealing one of the virus writer's nationality as British, passed on the information to Scotland Yard. Check out the German article first, then its translation on Groklaw and maybe also same translation posted in the English section of the Heise website (in order of appearance)."
GNAA (sung to the tune to Y.M.C.A. by the Village People)
... you'll find it at the G-N-A-A.
... you'll find it at the G-N-A-A.
Black man, there's no need to feel bad.
I said, black man, c'mon don't be so drab.
Don't let those bloggers ruin your day.
There are still pla-ces to be gay.
Black man, there's this place you should see.
I said, black man, fire up IRC.
There's this channel, that I'm sure you will like.
Every-thing is gonna be all-right.
It's fun to hang with the G-N-A-A!
It's fun to hang with the G-N-A-A!
You can go as you please,
Feel your hair in the breeze,
Crapflood Live Journal with ease!
It's fun to hang with the G-N-A-A!
It's fun to hang with the G-N-A-A!
You can write a good troll,
For the next Slashdot poll,
You can jerk off to goatse's hole!
Black man, why be here all alone?
I said, black man, you can get yourself boned.
I said, black man, you can get on teh spoke,
With thou-sands of gay nigger blokes.
Black man, are you down with this funk?
I said, black man, why you touching your junk?
Just go there, go to #gnaa
And apply for membership today!
It's fun to hang with the G-N-A-A!
It's fun to hang with the G-N-A-A!
You can go as you please,
Feel your hair in the breeze,
Crapflood Live Journal with ease!
G-N-A-A
Black man, there's no need to feel bad.
I said, black man, c'mon don't be so drab.
G-N-A-A
Black man, are you down with this funk? I said, black man, why you touching your junk?
Phil Blasthen, who posts under the user name "AmerikanWay," apparently has strong opinions regarding the United States' current role in world affairs.
"It's all about the oil," states Mr. Blasthen. "Once Shrub is done raping the Iraqi people for all they're worth, he and his Halliburton cronies will come in and finish them them off by claiming what resources they have for the good ol' U.S. of A. What else would you expect from a country that dropped not one but two nuclear bombs upon a largely civilian population?"
Added Mr. Blasthen, "I only hope that once the undoubtedly farcical 'trial' of Saddam Hussein is at its end we'll punish the real dictator in this whole illegal act of war: Dubya."
Though the unpopular sentiment was a shock to many at first glance, many more found themselves in agreement after careful, solemn consideration. Eventually, moderators thought Mr. Blasthen's statements worthy of reward and rated the insightful comment at +5, ensuring a viewing by every reader of the article.
One reader, however, was displeased by the attention received by Mr. Blasthen. "Why was this crap modded as insightful?" inquired long-time reader "jwitney." "And what the hell does any of it have to do with the new Linux drivers for the Logitech Rumblepad?" Moderators took swift action in labeling his response as flamebait and subsequently rating it at -1.
Those readers who chose to view the signatures appended to posted comments discovered a link from Mr. Blasthen's comment to the Green Party homepage along with the particularly poignant statement, "Won't it be time to actually elect a leader in 2004?"
I hope they send them to a British pound-me-in-the-ass prison!
Congratulations trolls for attacking the previous article! The thread has been flooded with ASCII cows! We will strike again tomorrow!
To find out more about the Neo Trolling Group, visit them now!
Don't worry, the American media won't ever mention
this. They've already been bought out.
"With the help of c't, a student of computer science has tracked down the authors of a computer virus. The editorial staff were able to establish contact with the virus distributors and buy IP addresses of infected machines. Because one of the virus distributors has been located in Great Britain, c't has passed on all information to Scotland Yard. By now, individuals in several countries have been arrested."
The Slashdot heading leaves out that it was a College Student who did this primarily. Will this continue to be a pattern in the future? I sure hope so, as law enforcement is typically behind the times, and overworked as it is. This way, order is still maintained without vigilante justice, since those in the know involved proper law enforcment.
libertarianswag.com
Back in 2000 Theo predicted that this would be problem... why I took so long to happen god knows....
When will they post a website that has an engine that will allow us to submit IP addresses / MAC addresses to find out whether they are infected? I have the entire IP table of where I work... knowing what machines have been compromised through trojans would be helpful... Either way... Go Heise!
From the description of the virus. It seems like the author was just asking to get caught.
That said, It doesn't seem like this trojan would of been a major security problem.
Contacting him through IRC, personally sending commands to infected computers. All of this can be traced.
Rob "CmdrTaco" Malda
Heise Online reveals Catholicism / Pope connection!
Keep Smiling!
Erick
http://www.busyweather.com/
OK, we all knew it, but maybe this will be enough incentive for the major news outlets to pick the story up. In an ideal world people would see this story, realize that much of the spam they get can be blamed on viruses and patch their systems.
Too bad we don't live in a perfect world.
I thought that people have been saying that open relays (which, effectively a machine with a RAT on it is) were not to blame for spam these days.
So, if you're paying for IP addresses then that's probably not entirely accurate. Unless you're just trying to bring the advertisement directly to the person's screen. I'd believe that.
What's the difference between a black man and a pizza?
A pizza can feed a family of four.
So did these guys have IP addresses hanging from their necks like bling blings?
From excellent karma to terible karma with a single +5 funny post...
Hello!
:(
This article does not surprise at all. Thus I already read some months ago in the net of a root kit for Linux, which on the stricken computer installs itself and camouflages and then a special SMTP server starts, which from the outside refers always 1000 email addresses in the way of Client server communication and sends then the Spam. In the connection it sent back even still the Resultcodes to the server.
In the case it was more difficult to pursue the author back because on the one hand the servers were located in several states and on the other hand the companies, to which the IPs/Domains belonged again mail box or dummy firms was.
The problem is that here regular servers were stricken, which did not have dial up IP and thus also not over RBLs are recognized.
Which one from it learns is probably clear: Safety updates bring in, mail content scaning (spamassassin), and feel safe never.
Unfortunately did not know I meant articles any longer to find, otherwise I would have quoted him
First problem: Spammers abuse the system and find the compromised targets and set out to abuse them before the well meaning sysadmin has so much as raised a finger.
...i'm sorry to say it, but goddamn, an example needs to be made of these fools.
plain and simple: virus writing will get you in deep shit.
Ummmm...yeah, but you attacked a story about Stargate SG-1.
So, all fucking BOTH people who cared about that show and read the story were mildly inconvenienced. Great job.
Next time, how about you target a story that somebody MIGHT ACTUALLY FUCKING READ. Like maybe one of the stories about Indians stealing our jobs that every fucking unemployed dirty hippy slashbot reads. Then you might actually have some kind of effect.
Jackass.
If so, its his/her job to do that ( actually to prevent it in the first place ) .. not yours.
---- Booth was a patriot ----
I think we've hit the point where three outlawed industries are now joining forces to support each other. P2P file sharing is an application consumers want but just isn't legal. Therefore, the writers of P2P applications just can't use legal means to collect money for it, they have to get paid under the table. Spyware and virus writers have the same goal, find any way possible to get their software onto your computer so they can get it to do their bidding. To them, how they get their payload isn't important How do they get paid? Well, who most needs distributed computing resorces with scattered IP addresses and bandwidth? Spammers. So, they'll gladly pay the creators of bot nets for their services, in a way no ethical buyer ever word. So there you have it, the connection between P2P and spam...
Maybe he is the admin? o.0
I try to be nice I really do. But when moderators mod a post offtopic when it wasn't really gets me steamed. What do I have to do? put Microsoft Sux0rs after every sentence? would that make you happy? huh?
Note: To all the meta moderators - if you come across this post you know what to do with it.
A few weeks ago I noticed a HUGE spike in the number of trojan scans against my firewall. I found that the scans were coming from pretty much everywhere (world-wide), and seem to start up almost as quickly as I connect to the net. I have been wondering what was behind such a spike in trojan scan activity; I guess this is my answer.
Fortunately, there are no known trojans on my system, the firewall and the virus checker are doing their jobs.
Be excellent to each other. And... PARTY ON, DUDES!
It would be very useful if the police forces had well-publicised points of contact for reporting computer and internet crime. At the moment, the local police station is unlikely to know anything at all, unless you are lucky to meet one of the few policemen who is really into computers, likely as a hobby. The expertise seems mainly to be in Scotland Yard, the department there could do with more funding, more staff, and more publicity, such as a simple means to contact them by email or web. My systems get beseiged by attacks from a handful of IP addresses, and if there was a central point for reporting all these easily, it would not be hard to spot the patterns and take appropriate action. For example, a warning letter from the police might be sufficient to get open mail relays closed, and cable modem users who have been trojaned might pay heed and take proper precautions. This could be largely automated, only where the parties concerned were deliberately committing criminal acts, or who failed to react to a warning, would the full powers of the Computer Misuse Act need to be applied.
Not so long ago there was an idiot on the NTL cable network who was causing continual problems to others because his machine was running continually and had been trojaned, and was being used by hackers elsewhere. Something like that, after a few independent reports, should automatically trigger a "cease and desist" letter, together with some good advice on cleaning up the problem.
It seems to me that it should be quite simple to gather and collate information from the public, which with the ISP's logs would enable the causes of problems to be located and dealt with. I for one don't mind my ISP's files being available automatically to a law-enforcement robot, I rather would get a warning letter or email if something was amiss.
Of course the way to deal with the most recent round of severe problems is to simply ban Outlook. I wonder if the Convicted Monopolist could gain another conviction for deliberately producing software which facilitates contravening the Computer Misuse Act? BTW it would help if other countries enacted similar legislation instead of being misled by fascists like the RIAA into stupidly focussing on those who might want to play a DVD on their Linux computer, for example. In the UK, the CMA has real teeth, sadly it does not get exercised as often as it should, because it provides a means to outlaw certain vile practices. For example, if an installer deliberately cripples another application (we all know some that do, and most come from the Redmond area), that is a criminal offence, and rightly so, yet I have not seen any prosecutions. The wording of the Act would suggest that if installing Windoze as the second OS blows away the ability of Linux/BSD/OS-2 (or whatever) to boot, then an offence is committed. The only defence seems to be that it was done in ignorance. Can you imagine Bill standing in the dock in the Old Bailey, pathetically whining that he was not guilty, he was only ignorant? Justice would be admirably served by that admission.
If hes the admin, he shouldnt have to ask those questions, and have a much better handle of what his network is doing...
---- Booth was a patriot ----
Yes this is truly excellence in posting. Hello GNAA!
Help stamp out slashdot trolls--send $1 to GNAA PO Box 69 Key West, FL 32269-069
The machines infected with the trojans can be used as spam relays.. sure - but at the same time theyre also a gold mine for fraud, just think about all the data stored on the hard drives available for download - financial data, all kinds of private documents.. this worries me more than spam. I think data theft will become a hotter topic in the near future.
This is no suprise for people involved in the anti-spam community. It has been discussed for some time in NANAE. What is REALLY sad is that some networks really don't seem to care, or don't have the time to police against this sort of thing. When I was Joe Jobbed by one of these spam gangs, using infected machines for webservers, I reported it to RR and comcast security. They were hosting their site all-oem.biz on several obviously compromised machines AND using my e-mail address in advertisements about their company. What did I get for my trouble? E-mail after e-mail that said - "To the best of our knowledge, the incident that was the basis of your complaint was neither posted by an individual using the Road Runner (Or Comcast) system, nor is it in any way related to the Road Runner (or Comcast) system or content maintained by Road Runner." What was funny is that if you did a dig on the domain being advertised it ALWAYS contained a road runner cable modem account.
Lets try it again for a test shall we?
# host www.all-oem.biz
www.all-oem.biz is an alias for all-oem.biz.
all-oem.biz has address 217.81.243.206
all-oem.biz has address 24.98.35.54
all-oem.biz has address 212.83.89.135
all-oem.biz has address 213.33.0.67
all-oem.biz has address 24.6.6.196
And again, what do we have, 2 comcast cable modems working away trying to sell software that APPEARS to be pirated, and is advertised via spam with false headers.
Lets check the DNS shall we, the dns servers for the domain are listed as follows
Name Server:NS1.MOROZREG.BIZ
Name Server:NS2.MOROZREG.BIZ
Name Server:NS3.MOROZREG.BIZ
Name Server:NS4.MOROZREG.BIZ
Name Server:NS5.MOROZREG.BIZ
Each of these name servers is also hosted on compromised machines, mostly broadband connections. Don't take my word for it, haul out nmap and take a look for yourself. The IP's for these name servers change pretty often. At this time no road runner accounts are showing up. I give it an hour before we get a few more.
In short this is nothing new, and no one should be shocked. Spammers have shown themselves to be an unscrupulous lot. What IS good is that this is starting to get some press. Perhaps this will put pressure on providers to police their networks better. Otherwise more drastic action may be required to be taken by other networks to simply protect themselves.
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
I guess it has to do with ratings. It's unfortunate that editing the content of the news increases viewership. You see I, a US citizen, want to see ALL of the news, but unfortunately, our corporate news outlets censor a lot of what's going on to boost ratings! That's why I read foreign news sources as much as I can.
There is no spoon or sig.
The version I've always heard is that hundreds of years ago the only way to be educated was a private tutor. When they were introduced, "public schools" (schools where pupils' parents pay fees) were called that to differentiate between private tuition and a public school.
;-)
The terminology is a bit unfortunate, now that private tuition doesn't happen and state schools are more public than "public schools", but that's how the English language works
Schools entirely paid for by taxes are "state schools" (as in "separation of Church and State", not as in "Washington state").
There's a good side to this - spammers pay for addresses, meaning their costs go up. I guess you can get a fairly good list of infected machines, for free, just by tracking nanas. Just to show you how commercialized the internet has become :)
I'm supposed to RTFA 3 times?
1: You're lucky if one out of every 3 read it once.
2: Is this supposed to be a cascading Slashdotting? Next time just submit the story 3 times with a different link each time.
an d th3 striking
Microsoft has $250,000 set aside for a bounty on MyDoom authors and so did SCO. What are the chances this CS student will get some small amount for turning these guys in?
This doesn't surprise me in the least. While it sickens me, I don't find this to be that startling. I, for one, have always thought the people who write malware are scum. They may try to justify their actions with lame claims of: 'Oh, i only did it to show how weak the system is', or 'I am only trying to learn more about the internal workings of the O/S'. But, let's face it, they are little more than little creeps with serious social behavioural problems. They know what they are doing is wrong, yest can find any manner of reason to justify their behaviour. In the end, they are criminals, scum, and a**es. That some are now selling harvestedd ip addresses to spammers should come as no surprise at all. I just wish I knew a way to punish them that would not only satisfy the gravity of their offence, but would also serve as a good deterrent. A pox on all of them.
when it comes to security, allow slashdot users show just how dumb and naive they are. silly hackers, slashdot is for dumb linux users. It takes a retarded german site, whose authors hang on efnet 24 hours a day, to tell u this? they prob heard about it in fucking #darknet.
how do i delete my account? oh yea you cannt prob. Hence we 700,000 accounts here and 75% of the people never came back. fuck this place.
pizza's don't make racist jokes.
This space is intentionally staring blankly at you
Not all true public schools are boarding, and a few state schools are. Therefore to be correct, the parent should have said "In Britain, this happens in boarding schools, not the prisons".
To make life even more complicated, the UK has a prison (Ford Open Prison) which is where all the fraudsters and bent accountants go. It is supposed to provide one of the best (unofficial) MBAs you can get.
Panurge has posted for the last time. Thanks for the positive moderations.
The Trojan broke and the spammers were born.
Selling infected IP addresses may be immoral but what is illegal about it?
I run snort on a bunch of systems and have some very large lists of infected IP addresses. I suspect many others do too. Every time snort burps up a new IP address I inform the ISP that "owns" the IP address. The reality is that no one cares. I have been "hit" by 68.162.91.238 over 20 times in the last month by different viruses.
These lists are easy to come by and even easier to generate. If someone is dumb enough to pay good money for a list of infected computers - let me know. I wonder what the going rate is.
If these machines get abused enough maybe, just maybe they'll get fixed.
In related news Norman Bates may not be the best person to teach a course in hospitality.
"+5, righteous bloodlust"?