Researchers Hijack Storm Worm To Track Profits

An anonymous reader points out a story in the Washington Post, which begins: "A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study on the economics of spam. Over a period of about a month in the Spring of 2008, researchers at the University of California, San Diego and UC Berkeley sought to measure the conversion rate of spam by quietly infiltrating the Storm worm botnet, a vast collection of compromised computers once responsible for sending an estimated 20 percent of all spam." The academic paper (PDF) is also available. We've previously discussed another group of researchers who were able to infiltrate the botnet for a different purpose.

Double standards?

How come they don't track down the IP addresses of infected computers and inform the users their computer is compromised? It seems these researchers also are getting a kick out of the botnet at the cost of the victims.

Re:Double standards?

[Seth+Kriticos]

That is a bit harsh, but the basic idea is not that wrong. Users don't care about security because it is a bigger inconviniance than the not doing it. The botnets are quiet and Joe Sixpack can't relate insecure OS / config with spam (don't cares).

Maybe someone should introduce some inconviniance for spam infected bandwitch usage (i.e. charge money for the potnet traffic)? If people have to pay for compromized systems, then maybe they will get up their ass*s. Just a thought.

And yes, I know, the idea must be elaborated and gives a whole set of new issues.. Just ment as starting point for a discussion.

Re:Double standards?

[wvmarle]

It sure is a point that back in the day, the end user was really inconvenienced by viruses. Internet didn't exist yet for end-users, and software was transfered by floppy or over BBSes. Spamming hadn't been invented.

The first virus I encountered was relatively benign: displaying fake cursors on your screen, something like that. Irritating enough to realise you're infected and figure out what's wrong and doing something about it.

At the time many viruses were also designed to wipe/corrupt data - something that keeps you on the edge. That risk is much more direct, and much more costly that a slightly slower computer that tries to send out a lot of e-mail.

Nowadays I do have to admit being less concerned about these viruses, except where it comes to keyloggers and so. That want to steal your banking data. However considering the profilation of fishing (recently I get dozens of mails for "update your Google AdWords payment information") even that seems to be a low risk issue.

Besides I'm not using Windows... OS/X and Linux only... and I know not to click on links in spam, and browsing with non-IE browsers blocks 99.9% of the drive-by downloads but not all: I have got some requests for where to save a .exe file to; automatic download function. At least not hidden.

Re:Double standards?

[mixmatch]

Maybe we should popularize free, safe sites like youporn, porntube, and xtube and this can all go away?

Spam protection

[Andr+T.]

I don't have any data to back this up, but it seems to me that people are migrating from small provider companies to big internet provider companies - and their e-mail is going together. And it also seems to me that all those big companies have good e-mail filters (or they're getting one that will be good in a small period of time). If that's true, spam will face a dead end pretty soon.

Even if you stay with a small provider company with your personal e-mail, there are many good solutions to avoid spam. I used Popfile for a long time and it worked pretty well.

Either way, if people will go to their spam box and click that viagra ad, it will be their problem. It doesn't affect me anymore.

the vigilante approach

[v1]

I realize this will either be wildly popular with you or you'll hate it, but what I'd like to see someone do is infiltrate the botnet somehow (either by vulnerability or crack their key or whatever) and send a command to the herd to zero the boot sector and shut down their host. (the zombies, not the herder's machines)

Nothing enough to cause data loss, but enough to force the naive owners to take their machines to someone to get them fixed/cleaned up. I'm tired of being a victim of computer neglect en masse.

Not saying there's just one botnet out there, so I'd be greatly entertained to see them fall one by one. Should make a nice spectacle. Wouldn't it be entertaining to get up tomorrow and read front page stories all over the place the likes of which we got with Code Red, that a sizeable chunk of zombies just dropped off the grid and there were long lines at the PC repair shops this morning? Stories of entire businesses being brought to a halt because 95% of the machines in their office were owned? Sorry, but "serves them right", and thank you have a nice day while I go check my mail and see 80% fewer medications for sale.

Re:the vigilante approach

[mdmkolbe]

No need to zero the boot sector, just pop-up a window that says "you have been infected by the Storm worm" every two minutes. The machine is still functional so it is easier to fix, but recovery is easier and less likely to result in data loss.

(This all is based on the assumption that doing so would be ethical which I don't think it is, but thought experiments don't hurt.)

Re:the vigilante approach

[kvezach]

How about turning the machines on them? As far as I understood from the scientific paper, the proxy hosts are contacted by the botmasters (through servers run on bulletproof hosting). Thus it would seem pretty easy to just substitute the send spam command (when the workers ask) with a "DDoS this target" command, where the target is the botmaster server you got the original spam command from. The stronger the botnet, the harder it falls, and while bulletproof hosting servers may scoff at threats of police action, they sure won't like being DDoSed up the wazoo.

Re:the vigilante approach

[russotto]

I realize this will either be wildly popular with you or you'll hate it, but what I'd like to see someone do is infiltrate the botnet somehow (either by vulnerability or crack their key or whatever) and send a command to the herd to zero the boot sector and shut down their host. (the zombies, not the herder's machines)

All that will do is get law enforcement after the vigilantes. Law enforcement is much more concerned with effective competition than they are with ordinary lawbreakers, so they won't stop botnet-building spammers but they will come down hard on vigilantes.

So, don't do that. Instead of shutting down the machines, take them over. And take precautions against anyone taking them back. Set up Bittorrent seeds for pirated films on them, if you like, and watch the MPAA go after the zombie owners. If you just look like another criminal, you probably won't get much attention from law enforcement.

(disclaimer: the above is a hypothetical scenario. Actually trying to pull it off may result in arrest, hospital time, or death depending on who gets to you first).

And the answer is . . .

A single response in 12 million emails ? So someone orders $50 of 'GetHard' or whatever.

Then introduce micropayments on all emails. $50/12,000,000 or about 0.5 millicents an email. No normal operation would suffer, and spammers can't make a profit. Job done.

Re:HMM...

[zappepcs]

Actually, I'd rather they be made to pick up a piece of litter for every spam email they sent, or some other such public service that equates piece for piece to the amount of spam they have sent.

Repaint a house for someone = 100 spam messages
Clean up a city block of litter = 100 spam messages

Well you get the point. Force them to wear bright yellow spandex jumpsuits with the spam logo on it until they have fully atoned.

Whatever the punishment, it should be public, and only mildly degrading.

Something that lets us all remember what they did, and what it costs in reparations.