How Hackers Identify Their Targets
narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays. Huston's research also revealed that 'they were doing much more server analysis' than he had expected and that they take a multi-step approach: 'They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam.'"
1) Look for SSID "Linksys"
2) Connect
3) ????
4) Profit!
The Microsoft Windows logo is a dead giveaway. It screams "Bite Me!"
I thought they build bot-nets and largely hit as many people as they can.
This article suggests that hackers are primarily spammers, when there are many tactics; the largest involves malicious code on a webpage or bot-nets distributing worms via instant messengers.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
The title of the story says how hackers identify their targets, but the story is about spammers. They are different.
...for getting into the minds of spammers is a couple rounds of semi-jacketed .357 hollow-points.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Don't forget the rising trend of using DVR players as a way to spread spam, as mentioned in an earlier Slashdot article.
-Mike
This is the type of negative image that hackers need to stop. I had a long conversation with someone on the differences between hackers and crackers and I can understand the confusion, but spammers and hackers, this is taking it a bit too far.
Utinam me logica falsa tuam philosophiam totam suffodiant.
If the reason spammers go through this procedure is because they're so afraid of being tracked, how does this do them any good? If they find an RFC-compliant honeypot server, it's still a honeypot server and they're still being tracked...
Much Madness is divinest Sense --
To a discerning Eye --
Much Sense -- the starkest Madness
it wouldn't take more than a few dead spammers to teach 'em all a lesson.
1) identify
2) [...] (bang!)
3) peace!
I'm a hacker. I choose my target by seeing some new device or system that does something at least kinda cool. Then I say "I bet I can make it do something else cool." Then I do it.
They're talking about "crackers", "phishers", scammers and criminals. They're not trying to make a system do anything cool, except when it damages or robs a person. Just making a system do something unexpectedly cool is irrelevant unless it takes something from a person, not the system.
--
make install -not war
Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays.
But he says that only because his company released software related to it.
The remainder of the world knows better. The vast majority of SPAM does not arrive via open relays, but via compromised Windows machines. His second method.
Zonk dude/chick, not sure. About 2 out of every 3 of your stories are misinformed, not important, or just FUD. I admire the 1 of 3 stories you post but damn, lay off the POST button till you get your stuff straight. Spammer = hacker... sometimes yes, but in this community hacker > spammer. That's like calling PeeWee Herman a stud for what he did back in the day.
Thanks but no thanks for this one.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
One possible solution to at least domestic-originated spam from open relays is to create a small government-contracted group of server administrators. Their sole job would be to identify open relays and provide short-term aid to organizations with such open relays. Many of the smaller, vulnerable servers likely do not have a full-time administrator, or even a part-time one, for that matter.
While I don't doubt the writer's observation that "continuous scans for open mail systems are ongoing in most IP blocks," his claim that this is the method that generates the bulk of spam is wrong. As someone who gets about 200 spams a day over three domains, and successfully blocks over 99% of it without using any techniques that can create false positives, I can tell you that well over 90% of spam comes from "servers" on IP addresses allocated for dial-up, dsl, cable or the like. In other words, either spammers running their own server software on an ISP account, or, more likely, botnets.
I'd say that they were looking for 3 things:
#1. Testing that it isn't someone's zombie.
#2. Making sure that it's compliant enough to get through other people's anti-spam tests.
#3. Testing the response (like nmap's ability to identify the OS) to identify the actual server instead of relying upon what it claims it is.
If they were worried about avoiding honeypots, they wouldn't be continually scanning ranges containing addresses that they had previously rejected because they were honeypots.
And for me, the majority of the spam comes from zombies. Open relays are easily tested and rejected at smtp time. There's no reason to accept email from an open relay unless you're running amazon.com or ebay.com or some such.
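The comment above classifies spam sources by the kind of address they come from (dial-up, DSL, cable pools versus real mail servers). As an added example, not from the thread or the article, the script below does that classification over a few constructed log lines: a range lookup against a made-up dynamic-address list (a published PBL-style DNSBL would be used in practice) first, then a reverse-DNS naming heuristic as a weaker second signal. The ranges, hostnames and log lines are all constructed and use reserved documentation prefixes.

```python
"""Classify SMTP client sources by address allocation type.

Added example, not from the thread or the article. Constructed data:
DYNAMIC_RANGES stands in for a published dynamic/residential address list
(a PBL-style DNSBL in practice), and the log lines are made up using
reserved documentation prefixes.
"""
import ipaddress
import re
from collections import Counter

# Constructed: blocks treated as dial-up / DSL / cable pools.
DYNAMIC_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]

# Reverse-DNS labels that often mark consumer pools, plus the dotted/dashed
# IP-in-hostname pattern many ISPs use. Heuristic only, applied second.
_DYN_HOST = re.compile(r"(dsl|cable|dyn|pool|dhcp|ppp)|(\d{1,3}[-.]){3}\d{1,3}", re.I)

# Extracts "host[ip]" from a constructed "connect from" log line.
_CONNECT = re.compile(r"connect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")


def classify_client(host, ip):
    """Return 'dynamic-range', 'dynamic-rdns' or 'static' for one SMTP client.

    The range lookup runs first because a list hit is a firm signal; the
    rDNS heuristic is weaker and only applies when rDNS actually resolved.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DYNAMIC_RANGES):
        return "dynamic-range"
    if host != "unknown" and _DYN_HOST.search(host):
        return "dynamic-rdns"
    return "static"


def summarise(log_lines):
    """Tally connection sources by class.

    Returns (Counter of classes, list of (ip, class) in log order); lines
    without a parseable 'connect from' clause are skipped.
    """
    seen = []
    for line in log_lines:
        m = _CONNECT.search(line)
        if not m:
            continue
        seen.append((m.group("ip"), classify_client(m.group("host"), m.group("ip"))))
    return Counter(cls for _, cls in seen), seen


# Constructed log lines (not real mail logs).
LOG = [
    "Jan  1 00:00:01 mx smtpd[101]: connect from unknown[203.0.113.45]",
    "Jan  1 00:00:02 mx smtpd[102]: connect from 198-51-100-20.dsl.isp.invalid[198.51.100.20]",
    "Jan  1 00:00:03 mx smtpd[103]: connect from mail.partner.invalid[192.0.2.25]",
    "Jan  1 00:00:04 mx smtpd[104]: connect from unknown[192.0.2.99]",
    "Jan  1 00:00:05 mx smtpd[105]: connect from pool-198-51-100-130.cable.isp.invalid[198.51.100.130]",
]

if __name__ == "__main__":
    counts, rows = summarise(LOG)
    for ip, cls in rows:
        print(f"{ip:18} {cls}")
    dyn = counts["dynamic-range"] + counts["dynamic-rdns"]
    print(f"dynamic sources: {dyn}/{len(rows)}")
```

The order of the two checks matters: a list hit is treated as authoritative, while the hostname heuristic is only consulted when reverse DNS resolved, so a host with no rDNS on a non-listed address stays "static" rather than being guessed at.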
Tell me the name of a single MTA admin who couldn't have told him all of this and more. Really, there are 16 year olds in the security field with more expertise than this guy. Would you buy computer security services from someone this clueless?
Gah.
asl?
A bit too far?-- It is only another example of NewSpeak, which is now a juggernaut jeopardizing everything from Advertising (Belly Fat is Not Your Fault) to Politics (We fight them there so we don't have to fight them here); the list of misleading euphemisms grows as our collective mental quotient declines...
Conflating spammers and hackers because they both use computers is like saying that crooks and cops are dangerous people because they carry guns. Bad example. You get the idea.
I was under the impression that infected Windows machines just randomly scanned blocks of IPs looking for more services/machines to exploit.
Well, that's what my <insert service here> logs tell me anyways.
Registered Linux user #421033
WTF is this 'hackers' business about? Seriously, what kind of an asshole is this Zonk guy to equate spammers and hackers? He makes himself sound like a damn n00b. Dumbass.
Dude, give it up! "Hackers" now means someone doing something malicious to computers. You can say it means whatever you'd like, but that's not what the word means in common usage. That's how language works. I can tell people that I drove my banana to work today, but "banana" doesn't mean "car" just because I say so, any more than "hacker" means benign computer geek because you and a handful of "hackers" says so. I suggest you move on with your life, and pick a new word for the good guys.
"(Score:-1, Funny)"
Do we have a new rating for bad humour?
--- Hindsight is 20/20, but walking backwards is not the answer.
With that comment, I would guess that your IQ has dropped 50 points. Have you gone and joined the GOP?
abuse.net will test your mail server for you. It tries many ways of relaying and displays a report that you can print out and show your boss how secure your server is :-)
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
ooo
These days it's a lot different - crackers are using malware to turn PCs into zombies, and renting them to spammers or phishers, as well as using them for DDOS. The junk-selling spammers using open relays may be using products written by hackers, but the spamware is being a bit more clever about it. The small-time spammers aren't mostly hackers themselves, just customers; the big operations on Spamhaus's ROKSO Top Spammers list are hiring talent, as are the mafia phishers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
A few years ago, a couple of Russian-immigrant spammers in New Jersey were found murdered. General opinion was that they were running a pump&dump stock scam, and some of their "customers" got upset about losing money. There've been a few others since then.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm doing anti-spam research, and although this sort of thing isn't my direct interest, I have dabbled enough to have implemented my own SMTP honeypot from scratch. My experience in doing so, and in tracking spam generally, is rather different from this article.
In the first instance, I'm surprised that botnets aren't listed as the #1 distribution vector for spam. Any computer criminal worth his salt uses a botnet these days. The really hard-core phishers not only distribute their spam that way, but reverse-proxy their websites through the botnet.
Open relays, on the other hand, seem to be relatively small beans in terms of actual spam distribution. Sure, I got a lot of hostile traffic on my SMTP honeypot, but it was a lot of sound and fury signifying nothing. Nearly all the relay-exploiting activity originated in Korea and sent non-English (presumably Korean) spam.
As for their testing of RFC-compliance -- what a joke! Most of the relay-testers I encountered couldn't even get SMTP syntax right: I had to adjust my parser to allow extra whitespace and other brain damage. What they test for is delivery. As far as I can tell, they don't give a damn about anything else but whether the mail passes through your system and into their test account (typically a free webmail account, like Yahoo!). I found that when I manually forwarded a test message out of my honeypot to the test address, I would get a flurry of mail representing an actual spam run (not just a relay test message). It gives one a certain smug satisfaction to know that you've just null-routed an entire spam run -- the first couple of times, at least. After that you realise that it's about as significant as taking a piss in the Pacific, and stop wasting your time.
The article says of the web-form distribution vector that "the spammer community maintains a database or list of vulnerable forms". I think their database is called "Google", or something like that. I get constant attempts at compromise on my phpBB forum, and I think that works the same way. Why maintain a database when you can just plug an identifying phrase into a search engine?
I should mention that the spam experience can vary distinctly from person to person, so my different experience doesn't necessarily indicate sloppy research on the part of this reporter. The article gives me the impression that this is his first foray into spam research, however.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
Except - maybe - the level that spammers take to test the MTA for RFC compliance. But then, after all, is that worth an article and a mention on /. ?
Here we still get plenty of spam from webmail and stuff. Here I couldn't confirm the 90% 'all open relay' thingy. As long as 'open relay' indicates a proper box, meant and setup as SMTPd and relaying. Personally, I don't call an owned clickety-click box an open relay. Call Redmond.
Unless things have changed in the few months since I stopped admining a mail server, most DO NOT do any verification that the email was actually sent. At one point last year our server was experiencing serious slowdowns because some spammer was trying to send thousands of phishing emails, all of which were rejected with the standard "550 We do not relay". We just ended up adding their botnet's IPs to our firewall reject list.
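Several comments above describe the same defensive mechanics from different angles: relaying is rejected at SMTP time with "550 We do not relay", the relay probes that hit a honeypot send sloppy SMTP syntax and only care whether a message reaches their test account, and a mail server need not accept relay traffic at all unless it is genuinely a large sender. As an added example, not code from the thread, the article, or any real MTA, the script below applies a minimal no-relay policy to a constructed probe transcript: a parser tolerant of stray whitespace and brackets, a recipient check (local domain or trusted network, otherwise 550), and a count of rejected relay attempts that a honeypot or log monitor could report. LOCAL_DOMAINS, TRUSTED_NETS and the PROBE transcript are assumptions made for the example.

```python
"""Minimal no-relay SMTP policy over a tolerant command parser.

Added example, not from the thread. LOCAL_DOMAINS, TRUSTED_NETS and the
PROBE transcript are constructed for illustration.
"""
import ipaddress
import re

LOCAL_DOMAINS = {"example.org"}                        # assumed: domains this MTA accepts mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: hosts allowed to relay outbound

# Relay probes often send "mail   from : < a@b >"; accept stray whitespace
# around the verb, the colon and the angle brackets rather than choking.
_ADDR_CMD = re.compile(r"^\s*(MAIL|RCPT)\s+(FROM|TO)\s*:\s*<?\s*([^<>\s]*)\s*>?\s*$", re.I)


def parse_command(line):
    """Return (verb, argument) for one SMTP command line, or None if empty."""
    m = _ADDR_CMD.match(line)
    if m:
        return m.group(1).upper() + " " + m.group(2).upper(), m.group(3)
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    return parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def address_domain(addr):
    """Domain part of an address, lower-cased; '' when there is none."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def relay_decision(client_ip, recipient):
    """SMTP reply for one RCPT TO under the no-relay policy.

    Mail for a local domain is accepted from anyone; mail for a remote domain
    is accepted only from a trusted network; everything else is refused at
    SMTP time, before any message body is taken.
    """
    if address_domain(recipient) in LOCAL_DOMAINS:
        return "250 OK"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "250 OK"
    return "550 We do not relay"


def run_session(client_ip, lines):
    """Feed a client's command lines through the policy.

    Returns (list of replies, number of rejected relay attempts); the count
    is the figure a honeypot or log monitor would report per client.
    """
    replies, rejected = [], 0
    for line in lines:
        cmd = parse_command(line)
        if cmd is None:
            replies.append("500 Syntax error")
            continue
        verb, arg = cmd
        if verb == "RCPT TO":
            reply = relay_decision(client_ip, arg)
            if reply.startswith("550"):
                rejected += 1
            replies.append(reply)
        elif verb == "DATA":
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb in ("HELO", "EHLO", "MAIL FROM", "QUIT", "RSET"):
            replies.append("250 OK")
        else:
            replies.append("502 Command not implemented")
    return replies, rejected


# Constructed relay-probe transcript with the sloppy spacing probes tend to use.
PROBE = [
    "HELO  relaytest",
    "mail   from :  < probe@throwaway.invalid >",
    "RCPT TO:<test-account@webmail.invalid>",  # remote recipient from an untrusted host: refused
    "RCPT TO: <postmaster@example.org>",       # local recipient: accepted
    "QUIT",
]

if __name__ == "__main__":
    replies, rejected = run_session("203.0.113.7", PROBE)
    for line, reply in zip(PROBE, replies):
        print(f"C: {line!r:45} S: {reply}")
    print("relay attempts rejected:", rejected)
```

The decision is made at RCPT TO, so the relay test never gets as far as DATA and nothing is queued; the tolerant parser is there so that malformed probes are classified and refused rather than dropped with a syntax error that tells the prober nothing useful and the defender even less.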
A hacker's attack on any digital system goes through various stages. The list below defines the outline of a generic hacker attack:
1) Inventory of the targets. Hackers identify the possible attack targets inside a network system.
2) Assess the vulnerability. Once they identify the targets, hackers will attempt to determine if the company has any vulnerability.
3) Estimate exploits against the vulnerability. Finding a vulnerability does not mean a hacker can execute an attack. The person must create an exploit that can take advantage of the vulnerability.
4) Establish who can attack the target. The hacker determines the company players that can either use another person or be used themselves to execute the attack.
Execute attack. A hacker breaks into the system.
5) Cover electronic tracks. Some criminals erase all traces of their presence in order to delay forensics or make forensics more complex.
Whoah!!!... this is a way huge gap!... Hackers do not congregate with spammers and spammers do not congregate with hackers... Spammers use the vulnerability of the MTA, which does not recognize the sender, even a fake ONE. The MTA only authenticates the recipients... So, which one poses more threat to DIGITAL SYSTEMS?... HACKER OR SPAMMER???....
My personal opinion, based on research that I have done: thinking like a successful hacker is not much different from thinking like a good developer. The most successful hackers follow a specific methodology that they have developed over time. They apply patience and carefully document every step of their work, much like developers. The hacker's objective is to compromise the intended target or application. The hacker begins with little or no information about the target; however, by the end of the analysis, the attacker will have constructed a detailed roadmap that will allow them to compromise the target. This can only be achieved through careful analysis and a methodical approach to investigating the soon-to-be-victim. The hacker's systematic method generally: perform a footprint analysis, enumerate information, obtain access through user manipulation, escalate privileges, gather additional passwords and secrets, install backdoors, and also leverage the compromised system.
1. Find temporary authorized and valid accounts with ISPs
2. Send spam through compromise hosts
3. Broaden using web forms
4. Spread through open relays
I don't really get it. Why does the article talk about spam when the title is about hackers? Aren't hackers and spammers two different things? Or am I the one who's got it wrong?
According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent increase over that recorded in the first half of 2005.
Crackers now target home users for cash. Consumers at home are now the main target of malicious hackers intent on enriching themselves. Vulnerabilities happen in desktop applications. Crackers are using a variety of methods to evade detection and remain on infected systems for longer. The most popular attack targets are client-side applications such as web browsers and email clients. For example, when crackers spread spam, the most common method that spammers use is via open relays. The hackers scan the server and then send a message to a non-reusable target address. Then after all this is complete they can easily spread the spam broadly.
According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. These bot-networks can be used not only to spread malicious code, but to send spam or phishing messages, download adware and spyware, launch denial of service attacks, or harvest confidential user information. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent increase over that recorded in the first half of 2005. Crackers now target home users for cash. Consumers at home are now the main target of malicious hackers intent on inspiring themselves. Vulnerabilities happen in desktop applications. Crackers are using a range of methods to evade detection and remain on infected systems for a longer period. The most popular attack targets are client-side applications such as web browsers and email clients. For example, when crackers spread spam, the most common method that spammers use is via open relays. The hackers scan the server and then send a message to a non-reusable target address. Then after all this is complete they can easily spread the spam broadly. For those users who did not update their PC randomly using anti-virus or anti-adware and spyware, the risks of being detected are increased.
Here are some URLs for preventing crack attempts:
http://www.gabrielvilla.com/blog/
http://mobileoffice.about.com/od/mobilesecurity/a
http://3d2f.com/programs/15-673-anti-hack-downloa