Microsoft Engineer Discovers Android Spam Botnet, Google Denies Claim
An anonymous reader writes "Microsoft engineer Terry Zink has discovered Android devices are being used to send spam. He has identified an international Android botnet and outlined the details on his MSDN blog. A closer look at the e-mails' header information shows all the messages come from compromised Yahoo accounts. Furthermore, they are also stamped with the 'Sent from Yahoo! Mail on Android' signature. Google has denied the allegations. 'The evidence does not support the Android botnet claim,' a Google spokesperson said in a statement. 'Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using.'"
Would it kill you to link to MSDN - where the blog entry actually resides? I get the anti-MS sentiment (although jeez, quit living in the 90s), but making readers jump to ZDNet first (or sending them back to /.) is just being passive aggressive.
And he doesn't realise that any program on any computer on the internet could pretend to be on Android? I don't know much about mail, but I would guess the "'Sent from Yahoo! Mail on Android' signature" would have been set by the client.
Is there any reason that Google's explanation isn't legit? Seems like a perfectly good explanation to me. Anti-spam techniques have become pretty abstract these days. I could easily see a hidden rule that prioritizes traffic sent with a properly formatted signature matching their flagship mobile OS (until said rule gets discovered).
What? Spam lying?!?
I am shocked. SHOCKED, I tell you!
I am anarch of all I survey.
This seems like a much easier way to send spam... Most users will be using the stock mail app so just install, ask for the world in privileges (most users just click yes to anything), then send spam in the background using the user's account.
If you are smart, you avoid sending any spam to that user's contacts and intercept any replies that contain the spam text as a quoted string. That would make it far less likely for the victim to notice anytime soon.
Even if the spam isn't coming from Android phones right now, I'm sure someone will do it eventually.
Natural != (nontoxic || beneficial)
Anyway, a botnet uses a standard mail client to send its payload? Even thinking that is a bad signal about them.
There is a follow-up blog post where Zink backtracks a bit and admits the headers could be forged.
"In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices."
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx
...givez them to meh...
-- sent from my orbiting HQ, beeeyatches!
In other news...spammers lie. More egg on MS face. No wonder Windows gets so many viruses etc.
If anyone knows how to get down and dirty with Google, it will be Microsoft.
Nothing ruins the experience like a few crapware downloads.
Or to disprove the claim if we can look at the mail headers. Especially if we have multiple samples.
The claim, on its face, is plausible. However if you're a spammer, you want to send out as many emails as quickly as you can. Sending emails via a wireless device (either WiFi or cellular) seems like wasted effort when there are so many cable/dsl/fiber connected PCs (running whatever OS, but usually Windows) out there that can send many more spam emails in the same amount of time -- Usually without alerting non-technical users who don't review their router/firewall logs often, if ever.
All that said, I suppose it's possible. It just seems a little strange that this should come out of Microsoft -- especially since there are many very technical people out there who are rolling their own Android -- you'd think they'd have found it first.
No, no, you're not thinking; you're just being logical. --Niels Bohr
Seems legit.
Well, either "doesn't realise" or "has a vested interest leading him to first fail to mention and, after that, downplay the possibility". Which is more likely is left as an exercise to the reader.
That carries as much weight for me as Steve BLAMMER stating that he's going to &^%&$!! bury Google.
Noise with no real content. Next.
And if so, does it match the generation scheme used by Android?
If it's a repeating "Message-ID: " as the blog suggests then it's likely forged.
Are you a skilled Android, iOS, OSX, or Linux malware author, and enjoy damp north-west coastal weather? Well, get out of your parent's basement and apply now to work in a large office with other similarly minded psychotic co-workers. The borg collective needs you, in order to stop its sliding market share! (After all, you can only get so far with frivolous lawsuits.)
I see emails from compromised accounts. The one thing that appears to be common is that it is always from Yahoo accounts. After one of my friends had her Yahoo account compromised, I thoroughly scanned her PC -- nothing showed up. I scanned the hard drive while connected to a known clean PC, so it wasn't just well hidden malware.
I am beginning to wonder if there is a vulnerability in Yahoo's security that is being used to compromise accounts.
The real "Libtards" are the Libertarians!
We wouldn't let the facts interfere with our theory, would we?
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Also, it bears noting that Google typically doesn't deny those stories.
Also, it bears noting that the allegation comes from a direct competitor to the Android phone.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
For roughly the last week I've been using the string from the summary as essentially perfect proof that a message delivery attempt to my server is spam. The fact that Yahoo delivers almost no legitimate mail eases my worries. How the messages are actually originating is irrelevant to me, but bloody Hell there are a lot of 'em.
Every three or four weeks the spammers seem to come up with a new template for the Yahoo spam they send and this is just the latest (actually, there seem to be a couple of huge spam operations running through Yahoo, not counting all the 419 scammers).
Yahoo doesn't accept abuse complaints, and 10,000 Yahoo accounts are openly advertised as costing $137. It's hard to see how this is not a very serious problem that Yahoo should feel obligated to address.
Here's roughly what a representative spam from this campaign looks like, slightly edited with mangled HTML so that Slashdot would display it:
Return-Path: .androidMobile@web140206.mail.bf1.yahoo.com>
Received: from nm23-vm1.bullet.mail.bf1.yahoo.com (98.139.213.141) by
myserver for spamvictim@mydomain>;
Sun, 1 Jul 2012 12:55:08 -0700
Received: from [98.139.212.145] by nm23.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
Received: from [98.139.212.199] by tm2.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
Received: from [127.0.0.1] by omp1008.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 31585.24743.bm@omp1008.mail.bf1.yahoo.com
Received: (qmail 53658 invoked by uid 60001); 1 Jul 2012 19:41:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1341171715; bh=XCjzxBAl+aG8gtCEWjueAIJtqJl1qzpQf/Pvh1rDXMQ=; h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=nilcBrxhBDZ0vkail/UfvoWOspyAWtrnB4QklyD6KWshJdxlXlynsFBMeRaBWQICEtqEITG+SmghLsJStFOWR+eb39JXx1a5tl6LV/CQc9yIIrdmdR8qsdY3bwaqXYp+OfxsePQCZ0C+AoeJDlmIk0m51VIB1io7Kk9P7iudDok=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
b=cHirUEK+wuN6DGQSrgiWi6qqyGJFrSO9BVJaVwv664oJ+u1RLo95cHPuIDPutn5hMoTiBFi3zmvjmprGCAVlP3EQDzWDQD6dG6tUO02acOYLJJ3WM9MKCqUKAb/nCAKaQ8xh/bzU1/zC/nQP9WZRidccQUSNChY6+bAhx3tol3E=;
Received: from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP; Sun, 01 Jul 2012 12:41:55 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: ##########.#####
Date: Sun, 1 Jul 2012 12:41:55 -0700 (PDT)
From: Desiree Chinnici DesireeChinnicifo64@yahoo.com>
Subject: FWD: 300% Gain!
To: "noncale@simon.com" noncale@simon.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--nottherealboundarymarker=:blargh--"
--nottherealboundarymarker=:blargh--
Content-Type: text/plain; charset=us-ascii
Please Enable Images to View this Important Newsletter!
img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/a>
Sent from Yahoo! Mail on Android
--nottherealboundarymarker=:blargh--
Content-Type: text/html; charset=us-ascii
table cellspacing="0" cellpadding="0" border="0">tr>td valign="top" style="font: inherit;">p>/p>
p>Please Enable Images to View this Important Newsletter!
br> /td>/tr>
img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/a>br>br>br>/p>
p>Sent from Yahoo! Mail on Android/p>
--nottherealboundarymarker=:blargh--
I noticed this same oddity a few days ago while investigating a wave of spam that was hitting the inboxes of our corporate email users. We use SpamAssassin at our network edge with fairly aggressive rules and a Bayes database, so the fact that people were receiving 5-10 spam messages apiece in their inbox was very unusual.
The amazing thing that everyone seems to be missing, including the so called security experts, is that all the spam messages have correct DKIM signatures!
Unless the spammers compromised Yahoo's current DKIM private signing key (unlikely) or cracked a 1024-bit RSA private key in less than the lifetime of a Yahoo DKIM key (highly unlikely), then this is absolute proof that the mail is authorized and transmitted by Yahoo. It eliminates all argument about whether or not the headers are forged. The entire purpose of DKIM is to provide a cryptographically secure method of verifying the validity of the headers in an email message.
This fact strongly supports the theory of the Microsoft engineer.
The only realistic alternative is that Yahoo is facing a very serious breach of highly sensitive servers on their network (again, unlikely).
Of course, the proof is in the pudding, so here are the actual headers of a sample spam message. I redacted certain hostnames and removed some headers that were added by our internal email servers to protect the anonymity of our organization.
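To make concrete what a valid DKIM signature does and does not prove, here is an added example (not code from any poster) that parses the DKIM-Signature tag list from the sample message quoted earlier in this thread and reproduces the relaxed body-hash computation from RFC 6376. The h= list and the body hash (which covers the "Sent from Yahoo! Mail on Android" line) bind what Yahoo's signer saw; they say nothing about which device produced it. The b= value is left out because checking it needs the selector's public key from DNS, and the sample body was edited by the poster, so its bh= will not match any body you reconstruct.

```python
import base64
import hashlib
import re

# DKIM-Signature value copied from the sample message in this thread
# (folding whitespace removed; the b= tag is omitted on purpose, see above).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; "
    "t=1341171715; bh=XCjzxBAl+aG8gtCEWjueAIJtqJl1qzpQf/Pvh1rDXMQ=; "
    "h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type"
)


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # values may be folded
    return tags


def signed_header_names(value: str) -> list:
    """Header fields whose values the signature covers (the h= tag).

    A name listed once binds the bottom-most instance of that header, so the
    single 'Received' here is the 'via HTTP' line below the signature in the
    sample, not the later hops added by the receiving servers.
    """
    return [h.strip() for h in parse_dkim_tags(value)["h"].split(":") if h.strip()]


def signature_covers(value: str, header: str) -> bool:
    """True if a header of this name is protected by the signature."""
    return header.lower() in (h.lower() for h in signed_header_names(value))


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 section 3.4.4: collapse runs of WSP, strip trailing WSP,
    drop trailing empty lines, and end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str) -> str:
    """The bh= value a relaxed/relaxed rsa-sha256 signer computes for this body."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")
```

Because the tagline sits inside the signed body, any change to it changes bh=, which is why the signature proves Yahoo transmitted that exact text but not that an Android client wrote it.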
"The only realistic alternative is that Yahoo is facing a very serious breach of highly sensitive servers on their network (again, unlikely)." - yes, we all know how well protected things like Yahoo and Facebook are. I can't imagine they've ever been compromised :-)
Captcha: cycled : if you see this word as "turned power off and on" rather than "rode a bike", you've been in the industry too long.
Also, it bears noting that Google typically doesn't deny those stories.
They did on this one. It's even in the summary.
I signed up for them and suddenly my spam box exploded with bogus job ads. Fucking assholes.
"We're not the only ones with problems.... look, look over there at those guys, they have problems too! Look at the problems they have! Bad Bad problems! Why would anyone buy their stuff, ours is so much better and stuff" It's a grade 7 deception, to keep people from looking at your bloody nose, you try to give another kid a bloody nose, then get everyone to look at their bloody nose. The truth is: microsoft has problems, and Android doesn't. Android is eating microsoft's lunch. Everyone loves Android. Windows phone 7 or whatever is unknown (I had to look it up to describe it, I hope I guessed the current whatever). Even Apple has to go to court to try and slow Android adoption. They can't compete in the marketplace.
It is a much more plausible explanation that there is an Android botnet out there that is sending the spam.
If Yahoo's DKIM private key had been compromised they would have already removed it and replaced it with a newly generated one. This issue has been going on for over a week, and I know Yahoo knows about it because I emailed their security vulnerability response team about it (as I'm sure tons of other people did too).
A direct competitor that is already using patent extortion to force android handset makers to pay royalties.
This doesn't start off sounding fishy at all: "a Microsoft researcher". No, MS has nothing to gain by making Android look bad. And then this gem: "Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, BUT THIS COULD NOT BE PROVEN." Wait, what, it hasn't been proven to come from Android phones? REALLY? And then we learn even if it is happening it's people in the third world SIDE LOADING PIRATED APPS. So as usual it's not an Android security flaw but a bunch of morons who may or may not have installed a supposed malware which came as a payload on side-loaded pirated software. LOL. And now Google and other security researchers are saying no, it didn't come from the phones, so I guess my hunch was right: MS up to their old tricks again.
The really sad part is how far Microsoft has fallen. They can't even do FUD well anymore.
I'm not interested in programming myself, but I've always pondered the possibility of blocking certain android permissions with an app.
There is an app called permission denied that will allow you to do this, but it doesn't do so gracefully. When a targeted app does something to utilize the permissions it already assumes the OS has given it, it will typically crash when it can't execute that function due to lack of a try/catch, because the developer normally wouldn't expect to need one there.
So instead of outright denying the permission, why not spoof the data that it is requesting? For example, create a bogus contact list, and when the app requests that information, it is redirected to the bogus list. When it tries to send an SMS, just let it think that the SMS was sent even though it wasn't. Also something that might be a little bit more extreme, and should probably be off by default, would be to deny apps the ability to reach IP addresses unless that address exists in the DNS cache (from what I understand, most fraudsters just use IP addresses and not DNS.)
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
You have obviously worked with them, unlike the grandparent.
How is that more plausible? It's technically possible that there is an Android botnet, but the fact is that doing so would be significantly more expensive than the more traditional options. Cell phones tend to have weak processors, unreliable data connection and low caps. What's more you'd have to get people to install the app and you'd probably find it somewhere in the Market.
Yes, there have been malware found in the Market, but without that it's unlikely to be a true allegation.
MS should understand and tolerate it. After all they always claimed that DOS/Windows wasn't more insecure than other OS but was simply targeted more often because they had the largest installed base.
Smug bastards and now apparently truly blithering idiots I say.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
This is one blog poster in a giant corporation. I doubt his blog is representative of any view MS would officially espouse, so let's lay off the anti-MS for a second. While this guy has clearly identified common behavior of obvious computer automated activity, it was a bit premature to announce an Android botnet discovery. But MS has a great track record in dealing with botnets and if there is merit to his claims I'm sure they'll sort it out.
Getting sick of this prejudice over truth here on SD. It gets worse and worse...
1. First: the example "by CO1EHSMHS003.bigfish.com (10.243.66.13) with Microsoft SMTP Server id 14.1.225.23; Sat, 30 Jun 2012 23:22:47 +0000" points to a "Host 0.66.243.10.in-addr.arpa. not found: 3(NXDOMAIN)".
2. Second: the example "Received: from [redacted]" ?!?! "via HTTP" doesn't point to a particular email sender source.
3. Third: no two different messages must ever have the same Message-ID. The message identifier (msg-id) itself MUST be a globally unique identifier for a message, not a platform or device.
4. Fourth: can you extrapolate, saying that there is a problem with other devices, if I give you the following spam examples that are plaguing me?
Message IDs : 1341366079.63455.yext-apple-iphone @ web29706.mail.ird.yahoo.com
and 1341466977.2241.yext-apple-iphone @ web114207.mail.gq1.yahoo.com
Conclusion: Please harden your "Microsoft SMTP Server" software. Don't post the Exchange-Lab forgery as an Android problem. Anyone is able to insert any message mention like "Sent from BlaBla" in the email body. "Finding the same message id on the email and an old guacamole recipe can be used as evidence that a message was forged."
See: http://www.forensicswiki.org/wiki/Using_message_id_headers_to_determine_if_an_email_has_been_forged
and RFC 822 - STANDARD FOR THE FORMAT OF ARPA INTERNET TEXT MESSAGES: http://tools.ietf.org/html/rfc822#section-4.6.1
Android is Linux, so it can't get any virii or malware. So, it looks as if Google is indeed correct in their theory that it must be Windows-based virii which are just faking an Android signature.
The realistic alternative is that someone's registering a whole bunch of Yahoo! e-mail addresses and pretending to be running an Android device in order to spam with them. Someone in the comments of the original Microsoft blog entry reckons that the e-mail addresses used all have the same format (FirstnameLastname + 2 digits @ yahoo.com) which would be a pretty clear sign they're not just existing accounts that are compromised, and if there was an Android botnet there's no reason why it should reveal it's running on Android to Yahoo and all the security researchers trying to find and eliminate it.
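The Message-ID checks in the numbered post above and the templated-address observation in this one can be turned into a small triage script. The following is an added example, not code from any poster: it runs over a constructed batch of (From, Message-ID) pairs, reuses the two iPhone-style Message-IDs quoted above (with the spaces around '@' removed, which I assume were inserted by Slashdot), and flags reused IDs, device names embedded in IDs, and FirstnameLastname + two-digit sender addresses. Every hit is an indicator for a human to look at, not proof of origin.

```python
import re
from collections import Counter

# Constructed sample batch. The androidMobile IDs and the sender names are made
# up for the example; the two yext-apple-iphone IDs are the ones quoted above.
SAMPLE_MESSAGES = [
    ("JaneDoe42@yahoo.com", "<1341171715.12345.androidMobile@web140206.mail.bf1.yahoo.com>"),
    ("JohnSmith17@yahoo.com", "<1341171715.12345.androidMobile@web140206.mail.bf1.yahoo.com>"),
    ("alice.b@example.org", "<1341366079.63455.yext-apple-iphone@web29706.mail.ird.yahoo.com>"),
    ("MariaGarcia42@yahoo.com", "<1341466977.2241.yext-apple-iphone@web114207.mail.gq1.yahoo.com>"),
    ("bob@example.net", "<20120701194155.GA4242@mail.example.net>"),
]

MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")  # msg-id = "<" id-left "@" id-right ">"
DEVICE_TOKEN_RE = re.compile(r"android|iphone|ipad|blackberry", re.IGNORECASE)
TEMPLATED_FROM_RE = re.compile(r"^[A-Z][a-z]+[A-Z][a-z]+\d{2}@yahoo\.com$")


def message_id_indicators(messages):
    """Return, per message, a list of header oddities worth a second look.

    A sender can set every one of these fields, which is exactly why neither a
    Message-ID nor a 'Sent from' tagline can identify the originating device.
    """
    counts = Counter(mid for _, mid in messages)
    report = []
    for sender, mid in messages:
        reasons = []
        if not MSGID_RE.match(mid):
            reasons.append("malformed Message-ID")
        if counts[mid] > 1:
            # RFC 822 section 4.6.1: the msg-id must be globally unique.
            reasons.append("Message-ID reused across messages")
        local_part = mid[1:].split("@", 1)[0]
        if DEVICE_TOKEN_RE.search(local_part):
            reasons.append("device name embedded in Message-ID")
        if TEMPLATED_FROM_RE.match(sender):
            reasons.append("templated sender address (FirstnameLastname + 2 digits)")
        report.append((sender, reasons))
    return report


def suspicious_senders(messages):
    """Senders with at least one indicator, for manual review."""
    return [sender for sender, reasons in message_id_indicators(messages) if reasons]
```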
Internet-connected fridges used to send spam.
And these stories indeed seem to increase.
It is only pure coincidence that a new tablet called surface is going to see daylight in the near future.
It is also pure coincidence that a new OS called Windows 8 is going to be used on this "surface"
And it is completely coincidence that both products are targeting the same market as Android and the devices using Android.
And it is absolutely completely radically pure coincidence that someone tightly associated with the company that is bringing the named device and OS to the market is making these claims and so increasing the number of stories.
Sure.....
There's no way that an Android botnet exists. Google's "Don't Be Evil" edict ensures that will never occur....
Am I the only one who automatically deletes any message that contains 'sent from' anywhere in the doc?
I'm an iPhone user, but if people can't not send me advertising via their signature, I can't be bothered to read it.
On iPhone your only option is ...well you don't get to see the rights the app needs
You actually have this totally reversed.
On an iPhone app, you are asked for rights to access protected resources ONLY at the time the app tries to use them, not in some laundry list before you ever run the app and know what it needs.
Currently the address book is not a protected resource but it is in iOS6, and then it will feature the same sensible security measure of asking for permission at time of first access as opposed to the Android "users just allow anything" model.
"There is more worth loving than we have strength to love." - Brian Jay Stanley