Deconstructing a Pump-and-Dump Spam Botnet
Behind the Front writes "eWeek has teamed up with Joe Stewart, a senior security researcher at SecureWorks in Atlanta, to show the inner workings of a massive botnet that is responsible for the recent surge of 'pump and dump' spam. It's a detailed picture of how these sleazy operations work and why they're so hard to shut down. Sobering numbers: 70,000 infected machines capable of pumping out a billion messages a day, virtually all of them for penis enlargement and stock scams. Excellent graphics, too, including one chart that shows that Windows XP Service Pack 2 is hosting nearly half the attacked machines."
If more ISPs did egress filtering of email this sort of thing would be harder to do.
Get pregnant, then that little piece of spam will have to provide child support for 18 years.
In Soviet Russia, dots slash you!
Did we call or DID WE CALL IT?!?
ESNX up $3.13 from open of trading...
then they would use the massive botnets of 0wned machines for something else, that probably also wouldn't be conducive to the health and general well-being of the internet...
my password really is 'stinkypants'
The charts would be a lot more interesting if they had them compared to market share. Then you've got to consider that people are more likely to target the biggest market share. I mean, how many virus writers are targeting FDOS?
I'm sorry, but the terms "Penis Enlargement" and "Excellent Graphics" were situated a bit too close together in that summary for my liking.
Is it just my observation, or are there way too many stupid people in the world?
OSX and Linux are not listed in the percentages of infected machines. This is an outrage. It's time we demand that these trojan and virus writers include alternative Operating systems in their designs.
Proof that Microsoft is exerting their monopoly strength to exclude other operating systems.
That's crazy... that's like going after P2P admins for users sharing illegal content. It would never fly.
It is time to rebuild the email protocol. It needs to be redesigned to cope with modern systems and security needs. The pain of the transition would be worth it. It is just too easy to spoof header info now.
Perused the article to know how to find out if my computer is infected or not but couldn't find anything. This is such important news for Windows users; at least tell something about how to verify if a particular Windows machine is having this problem.
And implemented greylisting on it. Cut out almost 100% of the spam I have been receiving (was up to 50 emails a day; now I think only one has gone through since I installed postgrey on my mail server 1.5 months ago!). Unfortunately, this is easy to get around, so it should only be a matter of time till that is worked around and becomes useless in the spam fight. By that time, hopefully another anti-spam method comes up...
I guess many of those from "unknown" are actually German, since Germany's largest ISP cannot get its head out of its arse and finally change hostnames to something.DE.. instead it is .net all the time for most Germans. This also always causes great disconcert when you have to explain logs to a customer and the damn script does not base location on IP but on host..
From the graphs, it's obvious that Linux, BSD, and MacOS lumped together are only 0.05 percent of the desktop market!!
Seeing the complexity of a botnet like this is scary. The people responsible for this kind of thing are intelligent, always evolving and don't care about any of the repercussions of their actions. It seems that any proposed solution we can come up with to combat spam will just be worked around shortly after it is implemented.
From the article: "the Trojan comes with its own anti-virus scanner--a pirated copy of Kaspersky's security software--that removes competing malware files from the hijacked machine"
I never would have thought of something like this. Trojans fighting for territory... crazy.
The software uses proxy servers to avoid blacklisting bot IP addresses, harvests email addresses from the infected machines and randomly changes images used in image-based spam to throw off anti-spam technologies. The people behind this are clever. How can we compete effectively?
Well of course Windows is going to be in the majority of affected machines... There is a dramatically higher number of people in the world using Windows than any other OS, so... wouldn't it make sense?
/.'s tendency to point out everything that appears to be wrong with Windows... but come on, isn't it a little much to explicitly point it out in this case?
As a proud user of Kubuntu, I can relate to
Which leads me to wonder about the folks who actually believe that those penis enlargement pills work.
And as far as the "pump and dump" spam goes, are there folks who believe those spams? Or are they of the mindset of the "greater sucker"? Meaning, if I buy this stock now, after this spam circulates, there will be others who buy this shit stock and push up the price allowing me to make money.
Yeah, I know the guy who originates the "buy" recommendation is hoping for everyone to buy the stock, but what makes some of the recipients think they'll make out?
If I were running an ISP, I'd have common ports such as IM, file-transfer/ftp/torrent, ssh, 80/443, irc, and many others allowed and all other ports blocked or restricted to certain destinations by default.
I'd have a web-page for my customers so they can click things such as:
Outgoing Email:
[x] web based [turn on port 80/443]
[x] through remote-login [turn on remote-login ports]
[x] through us [turn on mail ports, restrict to our servers]
[ ] through another server: ______ (specify list of outgoing mail servers)
[ ] through any server
+-- [x] check here to turn this off after 7 days (recommended)
x's show defaults.
Checking the last two would bring up the relevant sections of the AUP/TOS as a reminder of the strict "no spamming" and "we will suspend outgoing mail and charge you cleanup fees if your machine is taken over" clauses.
But when, if ever, will anyone shut down the MS machine? Never is when. MS is far too invested into large corporations and government institutions to ever have anyone, never mind MS, say all Windows products must be updated or dumped. It's just not going to happen. If you owe the bank $1000 dollars, you are in trouble if you're late on the payments; if you owe the bank $10,000,000,000 dollars and you're late, the bank is in trouble.
Right now, the latter is more the case. If MS had to upgrade or recall all XP products, it would cause a large harm to the economy, not just MS's bottom line. Think of what would have to be spent on the upgrades or change outs?
Too many people have invested in MS products to just shut it down, and just like England won't wake up one morning and start driving on the right side of the road, MS products will remain in service. (I'm not trying to imply that the left side is the incorrect one, just illustrating the size of the problem)
Reports like this do seem to show MS in a very bad light, but how it gets fixed will be even more interesting. When government types want to show they are doing something about spam, will they do anything to make MS responsible, or make MS fix it? Probably not, so the real answer to spam, or answers, is to implement measures that do not rely on the end user, or the end user's OS to fix it.
IMO, this means that ISPs are going to have to sandbox segments of their networks to throttle spam, and that cost will be passed on to consumers, or possibly will be borne by the ISP for bragging rights about having less spam than any other ISP, in much the same way that the Bell companies used to do advertising about what they are spending to improve services for consumers.
This also leaves me with a suspicion about the marketing team for Vista? How better to fix XP SP2 than to upgrade to Vista?
According to their chart, 99.95% of the systems on the botnet run Windows in some form. Unless all other desktop operating systems only have .05% combined market share, maybe there is a correlation between the security of Windows and the botnet problem.
This is the basic problem with any single antispam measure, or really any single computer security measure.
1. Someone comes up with a defense mechanism that works well.
2. It works so well that more people use it.
3. It becomes popular enough for the bad guys to beat, so they do.
4. The defense becomes useless, forcing someone to come up with a new defense.
5. Goto 1.
Fortunately, I should have significantly more money to invest shortly, as soon as I get a rather large sum from a new online friend and business associate and new friend, Mr. Emmanuel Obi from Africa, of all places.
Blue Security had a good thing going with their "Blue Frog" software. At one time there was an open source version being developed. Anyone know the status?
It's like going after Boeing because someone put some tape over the port that allows outside air to get at the gauge that measures air pressure and estimates elevation on a 757.
You can point your finger all you want at the maintenance worker who didn't read the warnings in GIANT PRINT - but Boeing was still sued and paid.
Boeing was not being irresponsible. I do not think the same can be said of Microsoft because many of the security problems have been pointed out CONSTANTLY since before 1995.
I wonder tho how they ... know which os the bots are running?
... wine ...
... it would stop many script-kiddies from trying to automatic crack your machines, if they can't find which OS you're running ...
... in their OS detection ... on Windows and *Nix systems?
I mean I use nmap and other portscanners myself, but the OS detection
is just a sane guess and far from perfect.
I also wonder what the 0.05 % of other OSes are, because I do think
this malware is written on the win32 API, so I rather guess these were inconclusive
OS fingerprinting and/or *Nix systems running a virtual machine or
if this is possible (i'm not trying to troll here)
And if this is possible i do want to know what kind of measures the users of these non conclusive
Os fingerprinting scans used because
Anyone has some tips about this in particular
How do i fool commonly used portscanners etc
I hope I'm not being Chicken Little, but there's much worse that botherds could do with their botnets than just sending stock scam and penis pill spam. I'm wondering if the only solution won't be for major governments to take major action (perhaps under the guise of national security), and I'm not sure this would be a bad thing. What if it were made a (minor) crime to operate a computer that's vulnerable to being a botnet node? The only question would be, who would pay for the cleanup: the vulnerable machine owners, Microsoft, or taxpayers?
getting. A few weeks back I read an article that stated that some crackers had managed to get into the accounts of some of TD Waterhouse's investment clients. Since most of these accounts were retirement accounts liquidating them and stealing all the assets would have been difficult, required a lot of paperwork, and ran a much higher risk of getting caught. So instead what the attackers did was liquidate all the assets of the victims and then used those assets to buy a bunch of pump and dump stocks(high demand low supply=much higher prices). Pumped the value of the stock up significantly then as the name suggests, dumped it.
As much as I think they are scum for doing so, you have to admit that was pretty creative....
Do these pump and dump scams even work? If so, by what kind of margins?
This network of some 73,000 machines has to rank as one of, if not the, leading supercomputer in the world. Why aren't they ranked in the Top500 list?
From the impressive slideshow
a) That spam trojans are out there and running rampant on infected machines
b) That a country named 'Unknown' is second only to the US when it comes to the Top 20 spam locales
c) that there haven't been a lot of respondents to the penis-enlargement emails, hence the widespread marketing campaign
Since most infected computers on this botnet are XP SP2 and likely have Windows Firewall enabled on them... How hard can it be for MS to code up a patch to the firewall code that detects outgoing connections to TCP port 25 (SMTP) and throws a warning on the screen? Send the patch out over Windows Update. Your average Hotmail/Yahoo/Gmail user won't ever notice. People who use Outlook Express or some other SMTP-sending client may have to click a "yes, I'm actually sending e-mail" button when they send e-mail and suffer half a second of annoyance, and that's just assuming you alarm on every outgoing SMTP connection. There are probably better ways to do it. Something like this would completely wreck SpamThru's functionality, wouldn't it? Just a thought.
I recently helped an elderly neighbor secure her computer (I was paid for this service, and I make sure I do get paid every time I get called over for help) by installing some good firewall and anti-virus programs (as well as setting up Firefox and Thunderbird for their primary browsers). When I ran a virus scan on her computer (I installed AVG, as her McAfee subscription had expired), I found several viruses and malware programs on there, all of which I removed, which came with games she downloaded (stuff like mahjong and solitaire). I regret not writing down what viruses she had gotten infected with, so I could find out what she did.
I did the same thing on my grandmother's computer as well (when she was alive), and odds are there are a lot of seniors who are online and engage in a lot of bad habits that we know are bad - including running IE with minimal protections, opening strange attachments, and so forth. This is not a new problem, and, frankly, a problem that only education (or getting 75% of seniors to switch to Mac OS or Linux) can fix.
Except greylisting+dnsblocking, for which there is no defense.
If everyone greylisted, spamming operations would slow down to a crawl. If they go full speed, then the only sites which will accept their spam (or better, to escape detection, temporarily reject it after DATA) are spamtraps, which means the rest of the world becomes instantly unavailable because of dnsblocking.
If they have to slow down.. well, we win.
It's just beautiful.
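The greylisting behaviour this comment and the earlier postgrey comment describe (defer the first delivery attempt, accept a retry after a delay, whitelist the triplet afterwards), as an added simulation that is not code from the thread; the Greylist class, its timers, and all addresses and timings are constructed:

```python
"""Greylisting simulation (added example, constructed data).

A greylisting MTA answers the first delivery attempt for an unseen
(client_ip, envelope_from, envelope_to) triplet with a temporary failure
(SMTP 451) and accepts a retry that arrives after a minimum delay.
Standards-following MTAs queue the message and retry later; most spam
bots fire once per address and never come back.
"""
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300            # seconds a triplet must wait before acceptance
    retry_window: int = 4 * 3600    # deferred triplets are forgotten after this
    known_ttl: int = 35 * 86400     # accepted triplets stay whitelisted this long
    pending: dict = field(default_factory=dict)   # triplet -> first_seen
    known: dict = field(default_factory=dict)     # triplet -> last_seen

    def check(self, now, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply the server would give at time `now` (seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        last = self.known.get(key)
        if last is not None and now - last < self.known_ttl:
            self.known[key] = now           # refresh the whitelist entry
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now         # new (or stale) triplet: defer it
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                 # retried too soon; real MTAs back off longer
        del self.pending[key]               # retry after the delay: accept and remember
        self.known[key] = now
        return ACCEPT


def simulate():
    """Run a legitimate MTA and a one-shot bot against the same greylist.

    Returns the number of accepted deliveries per sender kind.
    """
    gl = Greylist()
    replies = {"legit": [], "bot": []}
    # Legitimate MTA: first attempt deferred, retry after 15 min, later mail flows freely
    for t in (0, 900, 86400):
        replies["legit"].append(gl.check(t, "192.0.2.10", "alice@example.org", "bob@example.net"))
    # Bot: a fresh spoofed sender per message, plus a retry only 10 s later
    for i in range(5):
        t = 1000 + 2 * i
        sender = f"user{i}@spoofed.example"
        replies["bot"].append(gl.check(t, "198.51.100.77", sender, "bob@example.net"))
        replies["bot"].append(gl.check(t + 10, "198.51.100.77", sender, "bob@example.net"))
    return {kind: sum(1 for r in rs if r == ACCEPT) for kind, rs in replies.items()}


if __name__ == "__main__":
    print(simulate())
```

The delay and window values are the usual postgrey-style defaults only by assumption; the mechanism (and its weakness, a bot that learns to retry) is what the comment is arguing about.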
You'd be surprised the lengths people go to to send legitimate emails. A company I worked for had a rate limit of x per 30 seconds and xx per 10 min period; even the legit customers phoned for advice on how to get around it.
If it were possible to take short positions on these stocks, and people would short rather than buy the stocks that are pumped, then the financial incentive for the pump and dumpers would go away, as would the spam.
... then you probably are.
Steps:
1) Get rid of XP. If you're going to run Windows, then run Server 2003. Try to get your company to pay for it if you can.
2) Don't disable the "MSIE Enhanced Security Configuration", whatever you do.
3) Use Firefox or Opera, never use IE, unless absolutely necessary (Windows Update)
4) Always run as a limited user. Never as a user with Administrator access. Right-click on installers and say "Run as... The Following User: Administrator" to install them.
5) Get yourself all of the SysInternals tools you can get your hands on. This can help you monitor file, registry and process access to look for unexpected behavior. Always check online to see if something is "normal" though before taking action, you don't want to kill your system accidentally.
5a) Software that requires administrator privileges to run is probably not worth using anyway. You can special case essential software by using "Run as..." or by giving your user permissions on key files that it can't access. Use RegMon and FileMon in SysInternals to determine what the application is trying to access and give your user (or the Users group) the appropriate permissions on those files/registry keys.
6) Don't use software you haven't heard of. Free software is usually okay if it's open source, or you can independently verify its reputation as safe and without adware or malware. Most $30 and below shareware you find through quick google searches is garbage and usually a malware vector, don't buy it.
7) Don't use Outlook to open mail. Never open unexpected attachments. Always turn off HTML email support and use plain text viewing instead.
8) Get a virus scanner. Don't use the home versions of McAfee or Symantec, they're garbage. The Norton PC suites are garbage too. Personally I use Symantec Corporate. You should try AVG, BitDefender, or F-Prot. The free versions are decent.
9) Install and periodically run SpyBot Search and Destroy.
10) Don't bother with a 3rd party firewall. Use the built-in Windows firewall, or an external device. Learn how to properly use them.
11) Investigate Windows OneCare offerings. I haven't used them, but I hear they are okay. It's a service though, so pony up the cash.
This is what you have to do to protect yourself in Windows. It's no wonder people have issues.
Too bad it died...
I don't see why the government doesn't go after companies using spam as a selling technique. They still have to receive money somehow and that can be traced. If the G would shut a few down and lock a few people up for a decade then there would be a lot less spamming going on.
"Thats crazy... that's like going after P2P admins for users sharing illegal content. It would never fly."
It's not like that at all, but that's due to a distinction that's apparently too fine for some people.
Take a look at your favorite torrent tracker. Unless it's legaltorrents or something of its ilk, you know they set it up to capitalize on the huge demand for pirated material (and to make ad money off same), you know most of the traffic is pirated material, and you know that the admin knows this. Running a tracker with the belief that you will simply be able to tell the authorities that you're "not responsible for your users" might make perfect sense to a 14-year-old, but they're often unaware of a crucible in the legal profession known as "the laugh test." If it has the proper locomotion, vocalizations, and behavior, smart people don't need to be told that it's a duck.
Now, it might be funny and all to say that yes, Microsoft really does sell XP primarily for the purpose of running botnets and sending spam, but again, you, I, and everybody else know that it's simply not true. Again, the laugh test prevails.
Email? (In which case why don't more ISPs run good email virus scanners? Is there a free (as in beer) email virus scanner out there for those email server admins who can't afford to buy one? Or are there reasons other than cost as to why email server admins and ISPs and such aren't routinely scanning email as a matter of course?)
Exploits in the OS? (Why aren't ISPs blocking ports like MS-RPC and MS file sharing (things that shouldn't be going out over the internet anyway), for example?)
Is there something the SEC can do? (Perhaps finding the people who buy the stock, pay the spammers to send the spams, sit back and watch whilst their stock becomes a lot more valuable and then proceed to sell it all. IANAL or a stockbroker, but I don't think you can buy/own stock without at least some way to tell who you are.)
It is time to rebuild the email protocol.
We may have to settle for working on a fix. The industry isn't going to replace such an entrenched protocol easily, even if that may be the best solution.
A large part of the problem is lack of a good, entrenched e-mail authentication standard. The IETF's DomainKeys Identified Mail is working on fixing this, but that will take a while. DKIM is pretty much the standardization of Yahoo's DomainKeys protocol.
My guess, is that we will have to wait at least a year before DKIM comes out with any type of RFC document. At least some of the big players including Yahoo and Google will support this protocol right off the bat. Hence it should have a good chance at solving the current lack of any email authentication.
Of course we know the spammers will adapt as well...
It did identify the trojan, but gave no info on how to check for the trojan or get rid of it.
The article mentions certain databases that were hacked to discover identities of potential victims to mail the pump & dump spew, but which databases were cracked? I think the owners of these databases are legally obligated to inform the folks whose data was acquired. Why are these databases not identified? Why have I not been contacted by any of these database owners? Since I am a recipient of the spew (700 to 1000 per day), I have to assume my data was among that which was cracked. I'd like to know who gave away my data....
All in all this article is no more than a rehash of old info on botnets. Give me some hard data I can use to to help me protect myself!!!!
Why would you say the Windows OS is clearly the problem? The trojan *only* runs on Windows, so one would expect that all of the clients are Windows.
Have you found a trojan in the wild that runs on anything but Windows? That would be like finding a species of oxygen that degrades gold. Quick dump all your gold, in my pocket please, it's all going to rust next year!
Oh yeah, I've heard about a ssh trojan that does dictionary attacks for weak passwords. That one has been stopped in its tracks by distributions requiring a little effort to get openssh-server.
Assumptions:
1. People who are least tech savvy are the most likely to get "pwned".
2. People who are the least savvy are most likely to click on everything.
3. People who are upset about not having the ability to send pictures of their little dog Toto to all their contacts at once are most likely to scream and yell when you exercise the "charge you cleanup fees if your machine is taken over" clause.
4. People on average are computer security morons, that's why IT people exist.
11:23 press enter
11:24 close ISP and hide from litigation.
Proposed solution:
"New Premium Front Line Security."
In order to provide you, the customer, with the best, safest and most secure Internet Experience (TM Al Gore), we here at (Fill_in_the_Blank - ISP) are now offering a Premium Service. For a small* monthly fee, our automated system will analyze your outbound web traffic and apply our special metrics. If your computer appears to have been compromised we will send someone to your business or home immediately** to fix it! We will also provide*** a Hardware Firewall and Wireless Router that one of our representatives will set up for you. With the Wireless Router you will be given an Installation CD**** to run on any Computer you would like to add to your home wireless network! Finally the representative will set up a complete security solution for your computer.***** Identity Theft Insurance is also available!
* - Small = large. Fee pays for rental of a router amortized over 6 months.
** - Immediately = When available and where able for a fee to be determined by whomever when the time comes.
*** - Provide = Rent for a profit with substantial deposit.
**** - Burned directly from Windows.
***** - I.e. sell you a complete Norton Suite as part of a multi user license and collect the proceeds with monthly payments as part of your ISP bill, maybe Spybot Search & Destroy
Now you make money from security and people have some one to call when things break. They will be happy to pay the money, (in general) because now you are protecting them from the horrors of the internet.
As an additional note, Netcraft "toolbar" is one of the most advanced/reliable anti-phishing solution around. The data is closed unlike phishtank but they have the technology in hand to find out what is the most abused OS/Scripting. It may take 5 minutes with their expertise.
;)
Why wouldn't they release? Well, my post you replied to has an "overrated" punishment/moderation; it could be the reason.
Hackers and Spammers no longer support Windows 95. It's too hard to write worms, bots, and viri that are backward compatible.
There's a lot of humor potential in going to a site laced with ads and a list of 30 sponsors to read about spam.
Are you saying that it's impossible to do? That if granny was running Linux she couldn't click on a link and run a shell script that downloads the rootkit du jour and installs it? You've got to be very, very naive to think that Linux prevents trojans. Just because you don't have root, doesn't mean it can't extract itself to... let's say /var/tmp, put itself into your .profile, .xinitrc, etc and attach as a proxy to >1024
Just to pacify you there have been a number over the years. Heck let me create a super simple one for you right now (no error checking, trying to hide itself, etc). All I have to do is get granny to download it and run it (which most grannies seem to do these days). She probably has never seen xeyes before, but she won't realize that the next time she logs into X all of her email will be gone.
#!/bin/sh
xeyes 2>/dev/null &
echo "rm -rf $HOME/.mozilla" >> ~/.xinitrc
echo "rm -rf $HOME/.mozilla" >> ~/.xsession
So, let's look at what we have here: The vast majority of SPAM is aimed at small-cocked poor men who aren't too bright.
SPAM exists because it works.
People who respond to SPAM aren't too bright: they're replying to SPAM. This is confirmed by several people I know who are dimwits, who have replied to SPAM to "get a great deal". You know the type: they get great stereo speaker deals from the backs of moving vans.
The majority of SPAM has penis-enlargement and stock-scams as their subject matter.
So we need to educate the small-cocked men of the world, help them get decent jobs, and SPAM will be eradicated!
Why would the brokerage firm care if someone threw their money away?
Call it a tax on the financially irresponsible.
I just love it when things work out like this... both on the article page and on this very page that I'm typing on now there is a full color ad for Windows Server 2003 and the London Stock Exchange. Making the world's computing systems more reliable one trojan infested botnet at a time...
Did it pass? As long as (and my guess is many of these hacked machines fall into this category) machines can be installed and the default user has (1) admin rights and (2) no password and (3) is already grossly behind security related updates that (4) aren't automatically downloading and installing (this setting is recommended) said updates, you don't think they have *some* responsibility for the overall number of zombie machines out there?
I'm not suggesting they did any of this on purpose, they want to build a functioning box home idiots ^H^H^H^H^H users can use, but that in itself has helped create the world where 80% of all internet traffic is spam being sent by such botnets.
I'm no rocket surgeon, but you're really thinking outside the grindstone with your cliché selection. I'll get off of my soap horse now.
No broker will allow you to short a pink sheet stock, which the overwhelming majority of pump and dump spam deals with.
The problem isn't "Windows is insecure", the problem is that people are given a general-purpose computing instrument and they want a web & email appliance.
If you change their computer into a web & email appliance and prevent programs from being run that are not specifically installed by someone that knows what they are doing, the problem goes away. But that isn't where we are today. Everyone has general purpose computing instruments and nobody has a web TV box.
Most of this stuff is not installed because of security exposures that allow stealth installations through holes in email readers and web browsers. It is installed the same way the user would install any other "desired" program. The user just doesn't know they don't want it. They have been manipulated into believing they need whatever this is and without more knowledge and understanding they are going to install the bot.
Solution? Give people appliances not general-purpose computers. Programmers need computers, people need entertainment appliances.
Are you saying that it's impossible to do?
No, just that it's more difficult to do, more limited in scope and much easier to identify and repair. These things don't exist in the Unix world, which includes plenty of grandmothers on Mac OS X. There's a reason for that and it's not some silly market share issue.
All I have to do is get granny to download it and run it [a silly script that hoses user files]
Like I said, hard to do, limited in scope and unable to create a botnet. I'd like to see you get granny to pull up a browser or prompt, change your silly script to executable and then actually run it. Right.... Other, more insidious problems you might think of are limited in ability to spread by differences between distributions. Repair is trivial. Replacing binaries always brings improvement and is never difficult. All my family's important personal files are backed up to separate machines periodically with no effort on their part, so it will take a dedicated attack by someone who knows what they are doing to cause me real grief. Some very rational coding choices and the ability to share those decisions and work make the free software world a much better place for users. The best part about it all is how cheap and easy it is.
This can be contrasted to the Winblows world where content and executable code are mixed, your browser and email client run both without asking you and the OS has services you can't turn off that listen to the network when they should not. A billion dollar "security" industry has not been able to cover all of these holes.
Securities manipulation is a very serious crime, and these scammers will spend a long time in jail if they get caught.
"The vast majority of SPAM is aimed at small-cocked poor men who aren't too bright."
I like to walk around the office whistling "Smil'n Bob's" theme song.
The whole issue isn't about being able to do what you want with your bandwidth. It's about other people using your bandwidth against your wishes. They should block port 25 for everyone, and if you want to run your own mail server, you call them up and tell them, and they unblock the port for you. Surely you wouldn't mind a 5-minute one-time phone call if you actually want to run a server.
I don't see how blocking this is such a problem. If a machine suddenly starts pumping out email, the ISP cuts its net connection and phones the owner and asks about it. If the owner doesn't know about it, refuse them access until their machine is fixed, since after all it is the *owner's* responsibility to keep their computer clean.
Now, what am I overlooking? Why is that apparently so hard?
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Because the asshats who are hosting these viruses, because they click every shiny link they see, have the money.
But what you're discussing is quite a bit different than the original poster's suggestion, is it not?
In the original post, he was proposing criminalizing the operation of an infected PC. In your case, you're talking more about some sort of "public PC health policy". (E.g., I can't be arrested and criminally charged because I got sick with the measles. BUT, the health dept. can offer vaccinations against it, and in co-operation with such places as school systems, it can be demanded that a child receives one before being allowed in school.)
Exactly what the computer equivalent might be is probably still unclear. But one example I could envision might be "Homeland Security" developing guidelines on firewall requirements that they recommend all Internet users follow. Then, commercial ISPs could mandate that you use a hardware firewall/router that meets these minimum requirements, or be subject to account termination. (Presumably, they could issue an appropriate unit with all new accounts, and run automated processes that do some sort of "challenge/response" query at random, to see if the units are still in place?) I know in my own community, Charter Cable is very bad about this - since their standard install only includes a cable modem with no firewall or even NAT capabilities in it. Sure, they provide an "installation CD" with some half-baked anti-spyware/virus type software on it and tell you to use the Windows firewall on your PC. But in my opinion, that's ineffective. It slows down older computers so people uninstall it. Some people just neglect to install it when they realize their net connection works fine without it. Others purposely skip it in favor of their own pet programs, which may or may not turn out to be good choices.
The reason pump and dump scams do not work is because the initiators of the scam will have bought early at the low price, THIS IS RECORDED by stockbrokers, and REFLECTS NEW DEMAND for a stock. They then send out these emails hoping to increase demand, and thus the price. Now, someone with some brains Understands That These Stocks are PUMP AND DUMP. They then get short options on the stock.
surprise! the stock goes up for a while and crashes.
remember kids, the stock market transmits all known information near instantaneously through price. the price change is immediate, because participating in the stock market causes these changes.
the SEC can also easily learn who is pumping and dumping by analyzing buying patterns.
Those guys shouldn't be that hard to find with enough law enforcement effort. Get a credit card from a cooperating bank. Put a trace on it. Buy some Viagra from a spam. Watch where the money goes, which is probably some bank in a high-crime country. Visit the bank and talk to them. Threaten to have their ability to process credit cards cut off. Pry the actual payee out of them. Discover that it's another intermediary and start over.
This is what we pay the FBI for. This is why the FBI has field offices outside the US. This is why the Financial Crimes Information Network exists.
The FBI's Internet-related criminal enforcement unit has gotten soft. They sit up in Baltimore and send out child pornography, then go after the people they've entrapped. The process is even mostly automated now. That's an easy way to get their stats up, and fits the Bush administration's "regulate sex, not business" mindset, but doesn't solve crimes that have victims. Something to push on after Jan. 20, when the Democrats take Congress and can start asking hard questions of the executive branch.
What a Kernel Klink analysis. Gawd - some people think because they are logical that most people are. Sorry folks. P&D can work really well. Check HAO.V (CDN) and MENV.PK (USA?) Check the news releases.
Check who runs the show. Check the insider trading. Check their daily production. Check their market cap.
Oh. How little you know.
Simple. Many ISPs don't pull the plug.
You should really get a class action lawsuit going against every home builder that has ever existed. There are MASSIVE security flaws in my house. There are "windows" that require nothing but a small rock to break through, and they don't even lock themselves or make it aware to me that they are unlocked when I am not home! My door locks can often be picked off with nothing but a credit card, but even if I install the upgrade (a deadbolt), the door can be broken through! What's worse, is that even if I install bullet proof windows and a steel door which are reasonably secure, the house is made of wood! Wood has been known to be easily cut through and set on fire for thousands of years! This is just absolutely scandalous, someone needs to think of the children and call a politician, these flaws have been known for centuries.
I understand that we should make secure software, and not fixing known critical bugs is irresponsible, but I do not understand why we place all the blame on the software companies, when there are people knowingly breaking the law out there causing all of these problems. If there were masked men constantly roving your neighborhood checking to see that your doors and windows were closed and locked, I don't think you would be calling the manufacturers, you would be grabbing your gun.
Isn't it about time Microsoft was held accountable for its part in this mess? And I don't mean getting all its XP users to upgrade to Vista, I mean doing something to solve the problem now. Surely a massive publicity campaign together with some patches would do a huge amount of good here?
-= This is a self-referential sig =-
Speaking of being pedantic I realized after I hit submit that I spelled it wrong. Whoops!
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
If an ISP detects an inordinate amount of traffic that is clearly spam related, then the ISP should dump that customer off their network until they get it cleaned up. Call the customer. Or email. Give them a chance to explain (it's always possible that the traffic is legit, even though it might not be "ordinary", and that should be OK). If the answer is "I have no idea why so much traffic is being sent from my machine on port 3456... and what's a port?" then kick them off the network. Tell them to go get a virus checker and get their system cleaned up and they'll re-enable them in a couple of days. If the traffic persists when they get back on, then dump 'em off for a week.
The problem is that to an ISP, you're just a $50 check every month. I guess they figure it's better for business to have a bunch of zombies on their network than it is to be without the monthly check from those customers.
Seriously, if the only way to get people to act with some level of responsibility is to kick them off the network, then so be it.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
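The "machine suddenly starts pumping out email" check that several comments above want ISPs to run, as an added example (not code from any poster): it flags a customer IP that opens outbound port-25 connections to many distinct mail hosts inside a short window, which is how a freshly infected zombie doing direct-to-MX delivery differs from a home user sending a few messages. The flow-record format, the thresholds and all addresses are constructed assumptions.

```python
"""Egress SMTP burst detection over constructed flow records."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse one assumed 'ts src=... dst=... dport=...' record into a dict."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    rec["dport"] = int(rec["dport"])
    return rec


def smtp_bursts(lines, window=timedelta(seconds=60), max_distinct=20):
    """Return {src: peak number of distinct port-25 destinations seen in
    any sliding window} for sources whose peak exceeds max_distinct.
    Non-SMTP traffic is ignored so web browsing never trips the rule."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec["dport"] == 25:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak > max_distinct:
            flagged[src] = peak
    return flagged


def constructed_flows():
    """Constructed sample traffic (not real data): one ordinary customer
    and one zombie, both behind the same assumed ISP."""
    base = datetime(2006, 11, 15, 10, 0, 0)
    lines = []
    # Ordinary customer: five messages to two relays over ten minutes.
    for i in range(5):
        ts = base + timedelta(minutes=2 * i)
        dst = "198.51.100.25" if i % 2 else "203.0.113.10"
        lines.append(f"{ts.isoformat()} src=10.1.2.3 dst={dst} dport=25")
    # Zombie: direct-to-MX delivery to 40 distinct hosts in 40 seconds.
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.1.2.99 dst=192.0.2.{i + 1} dport=25")
    # Unrelated web traffic from the zombie must not count toward SMTP.
    lines.append(f"{base.isoformat()} src=10.1.2.99 dst=192.0.2.200 dport=80")
    return lines


if __name__ == "__main__":
    for src, peak in smtp_bursts(constructed_flows()).items():
        print(f"{src}: {peak} distinct SMTP destinations in one window;"
              " suspend outbound 25 and phone the customer")
```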
An insane amount of money is getting pumped into this technology, and there is NO lacking of programming talent out there being exploited by these scummy spammers.
As long as companies are outsourcing their work to India and Russia, there are going to be a shitload of unemployed talented programmers the Russian Mafia can tap on, and combined with Russian programmers, makes for an unlimited supply of talent being tapped.
I know that if I were offered a job that didn't require me to travel, and it pays me enough money to get out of serious debt, I would probably jump at an opportunity to make $50,000 for writing a clever trojan. Wouldn't you? If you were about to lose your house and American Dream, and everything you worked for in the last 20 years after you got laid off because of outsourcing. An offer of an immediate cash outlay of $50,000 is a bit hard to turn down.
How sure are you? And how many people are we talking about?
I've seen plenty of those encrypted zipfile viruses, too, but I always assumed that most if not all of them were first-wave attacks, not manual propagations.
>If these bots have control over 'the most secure Windows yet', then that is worthy of note.
It's a program. The user downloads it and runs it. It opens ports and talks over them, a user-level activity.
Even OpenBSD would allow this to happen. It wouldn't happen in reality because the kind of people who run OpenBSD aren't going to run Trojans and may even have systrace policies.
Nothing short of capability-based OSes or Trusted Computing lockdown to approved software is going to stop this kind of thing. It's exploiting humans, and trying to protect the computer from its owner is an area where angels fear to tread.
Greylisting is no longer completely effective.
Congratulations; you are now a finalist in our "Understatement of the Month" contest.
The Penny Stock botnet very definitely gets past greylisting. It's available as an opt-in service here at my job; I recommend it as the first step these days in addressing user Spam complaints. I get a list of what hit the greylist filter once per day; I can deal with that. We also have a secondary central Spam filter (SpamAssassin?) using some standard definitions, updated weekly, that can catch most of the rest. I have mine set so that anything that gets more than 8 points is moved to my Spam folder.
Around early October, I noticed that I was getting sizable amounts of Spam again. So, I started reading headers. Most of the crap coming through was random text excerpts (a mix of Gutenberg and various web-accessible mail archives), one to three word subject lines, GIF inserts with penny stock pushes, and at most 2 points from the central spam detector. Within a week, I was getting user complaints -- and since I try to keep my users both scared and happy, this was a bad sign. So, I pushed the question to the mail list for local support people, asking if anyone else had noticed, and come up with a solution. I then walked away from my desk to help someone; big mistake. I had a dozen "Yes, No clue, HELP!!!" responses in twice as many minutes — and most of the IT crowd doesn't check their Email very regularly.
After sending out a request to limit further responses to helpful suggestions, and sorting through the responses that came in by the end of the day, I didn't have squat. One guy thought Thunderbird's spam filter helped, another swore it didn't. One guy suggested The Fuzzy OCR Plug-in be added to SpamAssassin (which I forwarded to the relevant IT Powers). Another guy suggested a commercial hardware product might be needed; ditto. One guy had resorted to a whitelist (that I was luckily on).
My final solution was to check my email archives for gif attachments, whitelist those who had sent them, and move anything else with a .gif included to a new category of spam-folder. I get an average of ten messages per day, and check that folder once per week. I've had one false positive since (dumb HTML stationery user), and warned the sender that I expected my new practice to become more widespread.
The problem is, these bad guys are NOT stupid; they're learning, and adapting. Switching from GIF to JPG attachments is the next obvious step. The botnets are growing in sophistication, although not yet to Warhol-worm grade. And the only measures I can think of are at best grey-hat hacker; some are just plain old-west style black hat.
//Information does not want to be free; it wants to breed.
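The whitelist-plus-GIF rule the poster above settled on, as an added example written against Python's standard email library (not the poster's own code): any message carrying a GIF part from a sender who has never legitimately sent one goes to a separate review folder instead of the inbox. The whitelist, the sender addresses and the sample messages are all constructed here; it also catches the mislabelled case where the part is not typed image/gif but the filename ends in .gif.

```python
"""Image-spam triage: GIF attachments from unknown senders go to review."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed whitelist: senders whose archived mail legitimately
# carried GIF attachments (the poster built this from old mail).
KNOWN_GIF_SENDERS = {"design@example.org"}


def has_gif(msg):
    """True if any MIME part is a GIF, judged by declared content type or
    by attachment filename, since image spam often mislabels the part."""
    for part in msg.walk():
        if part.get_content_type() == "image/gif":
            return True
        name = part.get_filename() or ""
        if name.lower().endswith(".gif"):
            return True
    return False


def triage(raw, whitelist=KNOWN_GIF_SENDERS):
    """Return the folder for one raw RFC 822 message: 'inbox' or 'gif-review'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if has_gif(msg) and sender not in whitelist:
        return "gif-review"
    return "inbox"


def build_message(sender, subject, body, attachment=None):
    """Construct a sample message; attachment=(filename, data, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        fname, data, maintype, subtype = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=fname)
    return msg.as_bytes()


GIF_STUB = b"GIF89a" + b"\x00" * 10  # constructed placeholder, not a real image

# Constructed samples mirroring the comment: a penny-stock push with a GIF
# and random-text body, a legitimate GIF from a known sender, plain text,
# and a GIF hidden behind a generic content type.
SAMPLES = {
    "stock_push": build_message("Random Name <zombie@example.net>", "hot",
                                "It was the best of times, it was the worst of times",
                                ("stock.gif", GIF_STUB, "image", "gif")),
    "newsletter": build_message("design@example.org", "New logo",
                                "See attached", ("logo.gif", GIF_STUB, "image", "gif")),
    "plain": build_message("friend@example.com", "lunch?", "noon"),
    "mislabeled": build_message("other@example.net", "re:",
                                "quote", ("pump.GIF", GIF_STUB, "application", "octet-stream")),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {triage(raw)}")
```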
Look at NOD32 as well. In the underpublicized lab tests of detection rates, it was one of a very few to detect all viruses in the sample. Somewhat awkward user interface.
I'd quibble with point 10: something like Zone Alarm is theoretically unsound but nonetheless useful. Use at least a cheap DNetLinkGearSys NAT router regardless.
Point 9 is good but inadequate. No spyware scanner has a really high detection rate. Use two.
#6 is the most important in the 2006 threat landscape.
(b) append a request for contact info (name, actually address) to said spams
(c) have Evil Henchmen(tm) go door to door shooting people stupid enough to respond to the spams
(d) once the market is destroyed, spam will cease to be a problem
Just like crack, whores, smokes, and booze, as long as there are buyers, there'll be people willing to provide the "product."
-b.
...that you can do all this with XP but you're going to have to be very diligent with anything that tries to use IE with OLE (which is a lot of stuff). You've also got a few more steps for locking down things.
Some people have access to Server 2003, and they just don't know it. They should investigate it because it is a good workstation OS and more secure by default.
Finally, you'll luck out that a good portion of malware is thrown by Server 2003 because certain assumptions about XP aren't true... permissions of certain registry keys, offset in a DLL of an exploit -- sometimes they check the OS version, don't see 5.0 or 5.1, and give up! (with the introduction of Vista being NT 6, not so much anymore).
*shrugs*
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Sure, and I'll make another $200,000 on the backside of the deal selling software to delete the trojan after its usefulness has expired. Pump out more malware and then make money selling protection software. The perfect waterfront racket.
Spybot is the only scanner I trust. AdAware has been known to de-list software that they get paid a lot of money to ignore (I'm looking at you AOL). Are there any others that can't be bought, that detect a decent set of malware, and don't hose up your system?
...If you don't mind me saying, an amateur botnetter can manage that....Anyone who is 'talented' and knows what they are doing can easily manage 200k.
I mean, it's not like the spam that we get in our home mail boxes. That mail is traceable, and nobody cares about it. It is a waste of resources, and it is not illegal. It gets word out to advertise, and that is a money-making product in itself. This is how money moves through our market. Get used to it, because it's not going to change.
The best method to avoid it is to not give your email address to anyone except your friends and family. If you get a spam message, then highlight it, and press the delete key on the keyboard. How is that hard?
If they are overseas, hire the Israelis. They'll track the fuckers down and take 'em out. Once you pump a bag of bullets into the first few dozen, spam will go away.
RS
Shoes for Industry. Shoes for the Dead.
Things like this can have an effect just as "brand awareness". If you're a daytrader, and you get a bunch of emails about stock WTVR, later that day when you look around the stocks, WTVR will pop out from the rest as you recognize it, and you're more likely to trade in it that you would otherwise have been.
A small effect, but send out a few billion mails, and it will add up.
So there doesn't even have to be a single person who actually believes the spam for it to have an effect.
What service are you paying for? While you may think you are paying for the right to transmit bits-and-bytes at a certain speed, you are really paying for whatever is in your contract.
BTW, most consumer ISPs aren't common carriers in the sense that telephone companies are. Most of them prohibit you from doing things which are harmful to others even if those things are not strictly-speaking illegal. For example, many of them won't let you run servers of any kind. Most block outgoing port 25. Now, ISPs providing business-grade service such as T1 or higher, may be a different story.
Personally, I'm waiting for some small-town monopoly telephone company that wants "net neutrality" to pass to make an example by blocking access to a political website then having a customer sue it just to make headlines. In order for this "test" to work the telco would have to insist that all DSL providers using its wires enforce the same policy. Of course it would all be arranged in advance for the telco to "consent" to not enforce this policy while the case proceeded in court.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy
Is a 70,000 node cluster capable of real-time brute-force decryption of monitored AES256/Rijndael streams?
I do not fail; I succeed at finding out what does not work.
Excellent point.
Unfortunately, I don't see any good solution to the pump-and-dump scams -- that's a much more complicated money trail. But we CAN stop the penis-enlargement spam by finding a way to stop the companies PAYING the spammers.
You mentioned Blue Security, which was seriously starting to make a difference (but had a huge Achilles heel in their business model...).
If enough dedicated developers are willing to help out on the slowly withering Okopipi project (founded to develop a decentralized version of Blue Security's system), it could quickly become a serious player in actually STOPPING spam, not just filtering it better for techies (which does *nothing* to discourage actual spammers).
The principle is the same as Blue Security used -- for every spam delivered to an Okopipi user (and reported as spam into the local Okopipi client), the advertised website gets a single generic opt-out request submitted automatically via the same client, generally submitting this request into the spamvertizers' order forms, as that's often the only functional feedback mechanism they have (text something like "an unsolicited email advertising this product was sent to an Okopipi user: please visit okopipi.org for details on cleaning your lists").
There are obviously technical hurdles to surmount, and security issues to tackle, but a lot of design work addressing these is complete... right now the main issue is the project needs more smart, experienced programmers who can finalize designs, trash nonessential features, and get coding.
I'm personally trying to fire things up again, but there's no way I could do this kind of project solo.
Why can't we organise a class action against Microsoft? It is their shitty code that is responsible for most of this... their shitty code and really poorly thought out security measures.
Then we should go after some of the large ISP who hide their brains in the sand (shit anyone) and pretend they do not know certain customer's machines are spewing night and day.
Flamebait? When Lee Jordan said it he was greeted with nods and scattered applause...
ResidntGeek
I don't mean the source as the botnet, but the source as the people who paid to use these services.
For the pump and dump scams in stocks at least, it is highly likely that the majority shareholder (probably the company itself) is behind this.
There has been no need to redesign the phone to "cope with modern systems and security needs" just because con artists are using it. Every scam has a beneficiary; find where the money goes and who benefits, and you've found the source. Penis enlargement scams will sell pills or something from a physical address, penny stock scams will have company addresses on file with the stock exchange, pyramid scams will have a list of addresses the money should be sent to. THESE PEOPLE CAN BE FOUND! They are committing the crime of fraud. Why aren't they being arrested?
You should really get a class action lawsuit going against every home builder that has ever existed.
BULLSHIT.
Stinking dungheaps and firetraps are condemned. Microsoft Windows should be, too, for spreading viruses and spam like wildfire. Windows bots are pumping ONE BILLION + spam mails a day, and you think it's not a sign of a flawed OS?
These spams are causing damage to organizations and individuals that do not just use email, but rely on it. And the virus distribution engine is not spam-thru, it's Windows XP SP2. That's a FACT.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
i find it odd that there are so many small penises out there looking for larger penises for the penis enlargement scams to be so profitable.
it kinda renews my self confidence.
penis
What about using OCR to flag these pictures as bad?
The government should not regulate either sex OR business!
Libertas in infinitum
So instead what the attackers did was liquidate all the assets of the victims and then used those assets to buy a bunch of pump and dump stocks (high demand, low supply = much higher prices).
Posted A/C, since everyone else who knew was told to keep their damn mouths shut. Nobody said anything to me about it, but that was probably because no-one realized I had heard six individual pieces from six different people. (Which may mean I don't have all of the details, or perfectly accurate ones.)
A week or two back the FBI came to the company I work at to seize a compromised machine — and the luser (who had insisted on handling their own Admin).
At 8AM the CIO received orders from the FBI to sequester a particular machine, pending warrants due to be faxed by noon and hand-delivered by 1PM. The IT guy in that area was told by the CIO to go to the machine, disconnect WITHOUT SHUTDOWN and IN ORDER the power, network, keyboard, mouse, and any other connecting cables, deliver the CPU to his office for sequestration while Legal was notified, and to refer any questions from the user to him. Apparently the FBI had traced this machine as being the one that had performed the actual unauthorized account transaction.
The only thing that kept the stupid <ethnic> luser from being hauled off in cuffs the instant the FBI arrived was Legal's realization that there was data on the machine protected by federal law, and not specifically covered by the warrant. Several hours of negotiations ensued (probably including a teleconference with the warrant issuing judge), which gave the FBI enough time to collectively realize the user was not a plausible suspect (IE: dumb as a sack of hammers), and that the machine had almost certainly been hacked over the network. The user was not hauled off after all, but was told to contact the FBI before any out-of-town travel. The FBI tech made an image of the disk, courteously provided a copy of that image to our own Incident Team, tamper-sealed all the ports and openings on the machine, then wrapped it in crime scene tape. It's STILL locked in the CIO's office closet, not to be touched until the FBI gets back to him with an all-clear.
Forensics from our I-Team indicated the machine was utterly p0wn3d. Keyloggers, a proxy server, a pirated AV to take out other intruders, crypto software, and at least two different C&C bots. The luser is currently using a loaner laptop with Deep-Freeze; despite this, they must have it checked at least weekly by the local I-Team for any sign of tampering. I understand there will be a first-ever administrative hearing to discuss whether central IT will revoke all his network access, due to violation of various signed IT agreements and (mainly) criminal stupidity... which will effectively fire the poor dumb luser.
Anyway, my point: bot nets aren't being just used for the spamming part of the operation. They're being used for ordering the illegal wire transfers from other people's hacked accounts.
Warn your users: if their machine is not secured, they may lose it to an evidence locker, and have lawyers' bills cutting into their budget for the replacement.
You might be surprised. How "compatible" with the platform is the browser? If it happily hands things like "browser help objects" to the system underneath you are hosed. If you have Macromedia flash and Windows Media working with Firefox, then Firefox is handing your system content mixed with executable code.
Because Linux has no browser plugins. Ever.
By summer it was all gone...now shesmovedon. --