Infected Windows PCs Now Source Of 80% Of Spam

twitter writes "The Register is reporting a study by Sandvine.com that blames Microsoft Zombies for 80% of all spam. The study goes on to claim that 90% filtering is not effective given the unprecedented volume and that sophisticated trojans are able to drop spam directly on end user's computers despite current efforts. Just another cost of supporting Microsoft, I suppose."

So instead of investing all this time and money

[foidulus]

in filter research, maybe we should be spending it on educating users in basic protections....or converting the unwashed masses. I like the 2nd one better :P
Please note the sarcasm in the "unwashed masses" comment before modding me as a troll :P

training

[millahtime]

Schools need to start teaching security. Just the idea and what you do. Kids will go home and teach thier parents. And slowly more people will become educated. How else can you educate the masses?

Unprecedented rates of infection

[div_2n]

I can't speak for all geeks out there (we are usually on the front line), but I have seen so many computers running Windows XP out there just getting raped by adware/spyware/worms/trojans lately. One of the primary culprits? Internet Explorer.

The reason I believe it is Internet Explorer is that I have seen a machine that is behind 2 different firewalls (one of which is a very well configured PIX) get molested. It wasn't used for e-mail, no P2P programs for downloading and nothing else was used except the browser. I am SURE some people were browsing dodgy websites on that machine. So far, it is the only PC on that IP segment that has been infected so it wasn't from another machine.

Anyone else see this out there?

Re:Unprecedented rates of infection

[thogard]

I had a NT4 box get owned from inside our test network. It appears that a users home box got owned and when he VPNed internal machine, a virus rode along for the ride and then started scanning iternal machines and found the NT sitting duck on the test network. The NT box then procedded to try to open some odd connections so I let it. It then downloaded something that would open up a smart proxy and then it tried to send out something in the order of a billion messages which my free bsd firewall/cluestick box accepted and most of them were addressed to AOL.

So what we have here is someone writing a virus that can get into a recent windows box that then looks for remote control connections and knows how to exploit them. Then it installs a different program that can scan and install a spam proxy on machines that can access the net and only machines that have net access.

That was about a year ago. MS came out with the pach many months after the box had been owned. After that, I've got a new rule, no pc can talk to anything else except the samba server by defautl. No PC has any access to the net except through squid. I don't set up default gateways now either. Default PC installs can't even ping anything but the samba/squid box. Too bad SAP Business one is forcing me to break some of this for some clients. Maybe they will port it to solaris like they said they would.

Oh, our new dev machines are made by apple.

Re:Will only get worse

[mobiux]

I guess I have to disagree with you on this one.
Most people are using the OS that thier computer shipped with, whatever HP or Compaq or Dell put on there.

The people who are using a pirated copy, more that likely know enough about computers to actually keep a computer clean.

It's the other home users out there, joe blow, who gets his cable modem, his new PC and leaves it on all the time. That's the guy they are refering to in the article. Not someone involved enough to actually track down a pirated copy of XP, get a serial that works, and spend the time upgrading.

Re:An Idea

[BiggerIsBetter]

Seems like a good idea at first look, but it's not. Here's why: lots of small businesses run their systems on static IPs which ISPs allocate within their dynamic residential netblocks. Without *very* thorough checking it's a bad idea... but who cares right, I mean, you'll just be blocking some small time companies... nobody who matters, right?

I can't send email to *anyone* at AOL now, despite running an OpenBSD firewalled Linux server for our business. It's doesn't even bounce, just disappears into the void. There are *no* Windows worms or spam coming out of my network, but some ass at AOL decided to block the whole ADSL subnet anyway. Nice way to break the Internet guys. And THANKS AOL for replying to my question about it - NOT! The arrogance of IT geeks and uninformed management strikes again. How about thinking a little harder about it, and implementing reverse host checks based on sender address, or rate limiting with temporary blocking - a real email server can cope with that just fine. There's lots of alternatives other than just shutting yourself off from a chunk of the Internet.

On behalf of all responsible MS admins....

[Atrax]

... I apologise for the percentage of MS users who are beyond help, and for the admins who allow them to be so.

We keep our corporate networks nice and clean, we stomp on infections fast, we try to educate our users, we run filters and firewalls, we put in place policies and we try our damndest to prevent this stuff.

But if those users go home to an infected PC, then we've failed. failed badly. We don't get paid to keep home machines clean, but how much harder would it be to really educate our users? really?

What can we do? Well, we can impress on our users, as I'm trying to do, that thay can suffer real, genuine harm if they don't practice safe computing.

I have this idea. A user doesn't give a crap if they're not harmed directly by a virus. OK, they have a spamming trojan on their machine, do they notice? no, they don't.

So I make sure I tell my users that there are viruses out there which can log their keystrokes and, by inference, steal their credit card number or online banking details or any other personal information.

That makes them wake up. Once there's a chance they might be directly affected in ways other than a slightly slowed down machine, then they start to take notice.

I'd urge every other techie on a windows network to inform your users in the same way. make sure they know that viruses aren't just something that affects other people. then they'll wake up, and everyone else will be better off. really.

Sounds low to me

[alhaz]

For the next two weeks until i start a non-crappy job at a linux based company, I still work graveyards at one of the larger aggregate dialup resellers in the US (no, my email address, whois records, etc, are not indicative) and this means i mainly handle abuse complaints.

We get the occasional hit & run spammer who signs up for one of the $9.95/mo services with a prepaid credit card (so we can't effectively fine them) and then spams the heck out of the connection until we cut them off, but 99% of spammer complaints (that aren't due to spamcop being fooled by well crafted headers from brazil, or confused by unpublished relay hosts in our spam filtering cluster) are traced to users who have been with us for some time, who have never given us any trouble, and who have called customer service frequently for fairly basic help with simple internet setup tasks -- usually an account shared by a family with several children, or used by an old lady who just wants to look at pictures of the grandkids on the intarweb gadget. Pretty unlikely spammers.

The accounting department doesn't like it, would prefer to shoot first with a $100 fine and let customers beg for forgiveness later, but i argue constantly that we should give them at least one chance to disinfect their computer. We go ahead and fine 'em if they don't fix their issue within a few days, though, and then accounting makes them prove they are disinfected before giving them their money back.

It's poor customer service, ultimately, but wtf is an isp to do? If we just pestered them with email they'd assume we didn't really mean it, and would never fix their systems.

Re:Is this suprising?

[EvilTwinSkippy]

They don't. They will simply lop port 25, and force you to use their smtp servers, or lack thereof. While they are at it, meter you $0.10 a letter. And 50 years from now we will be asking why email costs so damn much.

It's not 80% _OF_ spam

[jokkebk]

As far as I can figure from the statement in the article:

"After comparing those data points with the total volume of legitimate messages passing through the service provider's mail system, we are able to arrive at our percentage of 80 per cent", ..it seems to me that the article should say 80% of the service provider's mail traffic was generated by zombies. This is completely different from the statement made in the topic.

It's like you'd go to a bar and observe that 80% of women leave with drunken idiots, and thus proclaim that drunken idiots are able to hit 80% of women.

There may be some causality and statistical significance, but it definitely isn't as clear as the article suggests.

Re:Symptom of the (near) mono-culture

[larien]

The users often are the problem; give a user 10 steps to perform to possibly view some naughty pictures of a celebrity and chances are, a significant proportion of them will do so and infect their computer in the process. Heck, some of them would probably run it as root/admin if you asked them to...

Re:Step One: Follow the money.

[Michael+Hunt]

Speaking from experience, I can tell you that it's not as easy as it seems...

Various jurisdiction's spam laws vary, but at least in .au where I'm located, the Spam Act 2003 only provides for civil penalty provisions against the spammers (in essence, the .au government will sue you for violating the spam act in civil court.)

Even though the evidential burden in a civil case is much less (balance of probabilities/preponderance of the evidence) than in a criminal case (beyond reasonable doubt,) it still proves difficult to tie a spam purporting to advertise, for example, penis pills, to a purveyor of penis pills.

Penis pill guy sends his spam through a few thousand of 'fresh proxies' (spam guy terminology for freshly rooted or virused machines garnered from crackers or vx people), penis spam ends up in inbox with penis pill guy's contact details.

So far so good, but there's no causal link between A and B of any forensic value whatsofuckingever. Correlation is not causation.

I'd be more inclined to see a system which plugs into the MTA somewhere between RCPT TO and DATA, which performs a basic open proxy scan on the originating MTA (similar to what many EFnet servers are doing ATM,) and if the originating MTA fails the test, mail is refused (preferably with a '550 5.1.1 no such user' error as this may help get you off certain lists) and the originating IP is added to some form of distributed blacklist for X hours (i'd suggest 48... long enough to allow ample time for the machine's owner to find out that they have a virus or spam problem and fix it, not really long enough to cause a major problem.)

I'm actually working on building such a system at the moment... Details will be posted to my website when I have some half decent code that runs (instead of making postfix' smtpd dump core.)

Re:That does it!

[phazethru]

There's only so much you can really do with "being smart with your email address"

My point is that you do what you can by...
1) Not giving out real email address in forms
2) Not posting un-obfuscated email address to the web
3) Securely running your OS

But if I follow point 4...
4) Don't give your friends your email address

Then really why do I have an email addy in the first place?

Most of my spam I get are actually those annoying bounce-back messages you get from anti-virus filters. "The email you sent had the virus W32.Blaster" etc etc. The problem is that I run a solely Linux household, so it's probably coming from a virus on someone else's computer.

And for my 2c, Thunderbird's spam filter isn't half bad, if you don't mind the spam hitting your box prior to filtering.

Pikes would stop the sapm

[msobkow]

I've had spam show up at new accounts that were only registered, never used. I've even had spam arrive at an email account that was sent before I even created the account!

Then theare are the moron spammers who send out group addressed emails (the ones with 20-30 variants on spelling anything at all like your name.)

Anti-spam on the client is not the solution.

Sticking there severed heads on pikes outside ISPs would be far more effective and satisfying.

Or the traffic problem could be justifiably claimed as a result of poor engineering by Microsoft, and make Bill & co. responsible for the resulting expenses.

Or we could just make ISP's responsible for disconnecting any customer who has an infected machine connected. When the machine is cleaned, then they could reconnect, not before.

No, I don't care about people who can't afford to take care of their machine, buy hardware firewalls, virus scanners, etc. I don't care that people driving rust buckets can't afford better cars, either -- get the hazard off the public byways!

Re:Once again, I'll have to disagree with this.

[TheLink]

"In order for Linux to have the same infection rate as Windows, Linux would have to have the same (or similar) flaws. "

If 80% of the users had Red Hat 9 installed, they'd be sending out 80% or more of the spam. RH9's sshd is exploitable out of the box. Heck many distros CDs come with exploitable sshds and often sshd is the service that gets started by default.

The same people who don't patch their windows machines won't patch their linux machines.

In some stupid hacking contest half a year back, there were silly people who picked RH as their O/S, didn't know how to secure it and kept getting rooted. Either they didn't patch sshd or didn't patch OpenSSL.

The spammers won't really care whether there are 100 vulns or 1 vuln in one machine. All they care is how many vulnerable machines there are.

Heck, from my webserver logs I see that at least some spammers are trying to get apache's mod_proxy to send email. They are succeeding for some configs.

Here's a victim:
http://forums.devshed.com/archive/t-99035
Here's another incident
http://cert.uni-stuttgart.de/archive/bug traq/2003/ 07/msg00277.html

Re:That does it!

[DrDebug]

>>But if I follow point 4...
>>4) Don't give your friends your email address

Here is a semi-interesting tangent.

I gave my wife and one son (both computer illiterates) each an e-mail address.

My wife gave her e-mail address to her sister, but my wife would not write any email (she prefers Long Distance phone calls.... argh!). However her sister emails her things, include some of those stupid 'pass this on to a friend' emails. Still, my wife doesn't even read her own email. After about a month, I found her email address on one of these bulk 'pass it on' messages. Since that time, spammers have inundated her mailbox.

In the meantime, my son has never sent an email, nor has he given out his email address to anyone. As an experiment, I wanted to see if the spammers would find him. So far, they haven't.

So you are right-- if you don't want spam, don't give out your email address.

Starting a class action against Microsoft

[Animats]

There are law firms that handle class actions for negligence. That firm has already won against Microsoft in another case. They're currently sueing AOL, AT&T, Nextel, and Lucent over various consumer-related claims. So they clearly handle cases like this.

So if you're a victim of Microsoft's negligence in making systems that can easily be converted to attack zombies, click here to contact that law firm. The most effective victims would be those who run Linux, because they're not subject to Microsoft's EULA. For them, it's a pure negligence issue. A Linux-based ISP or hosting service would be the poster child for such an action. They're being hammered on, they didn't sign any Microsoft EULA, and they're clearly suffering sizable damages due to Microsoft's negligence.

It's time for this to become a major legal issue.

Re:You don't have to open anythign to get a virus

[Nosf3ratu]

Same thing with Blaster...if you didn't install the patches from a CD, as soon as you got online, you would get infected. Perhaps the situation is better now, but that's how it was last Fall.
I had the misfortune of working as a technician (I know, it's idiotic -- some of us have bills to pay) at Best Buy during that time, and we had to patch every single new machine that was sold off the floor.
Of course, we charged a $25 fee for this service.
And, of course, people bitched that it was a scam, but, hey, we didn't write the virus. And we sure as hell didn't make Windows insecure by default.
Sure enough, people that refused to pay the extra $25 came back a week later, crying that they were infected.
We did some testing (nothing scientific, I assure you) and the fastest we saw a machine get infected was within thirty seconds of being on a dial-up network.
So claiming that Windows is insecure has nothing to do with the stupidity of its users (although that factor does play a role).

You think it's coincidental that Microsoft released a patch CD for free last October? (Which, btw, was FAR TOO LATE to do jack shit about intercepting Blaster's wrath.)