Free Republic
Rise of the Spam Zombies
SecurityFocus.com ^ | 2003/04/25 | Kevin Poulsen

Posted on 04/27/2003 10:59:28 AM PDT by TechJunkYard



NEWS

< http://www.securityfocus.com/news/4217 >


 


Rise of the Spam Zombies

By Kevin Poulsen, SecurityFocus

Apr 25 2003 4:45PM

Pressed by increasingly effective anti-spam efforts, senders of unsolicited commercial e-mail are resorting to outright criminality in their efforts to conceal the source of their ill-sent missives, using Trojan horses to turn the computers of innocent netizens into secret spam zombies.


"This is the newest delivery mechanism," says Margie Arbon, director of operations of anti-spam group MAPS. "I've been looking for it for a year, and in the last couple of months people have actually found Trojans that are doing it... They're carrying their own SMTP engines. Failing that, they install open proxy software."


One of those programs popped up last week. Named "Proxy-Guzu," when executed by an unwitting user the Trojan listens on a randomly-chosen port and uses its own built-in mail client to dash off a message to a Hotmail account, putting the port number and victim's IP address in the subject line. The spammer takes it from there, routing as much e-mail as he or she likes through the captured computer, knowing that any efforts to trace the source of the spam will end at the victim's Internet address.


Trojan horses generally rely on their wielder's ability to trick innocent people into executing them. Proxy-Guzu, naturally, arrives as spam -- in one sighting the program was offered as a naughty peek at an online webcam.


One early victim of the malware, posting to an anti-virus message board, says he detected it only when his desktop firewall program alerted him to large quantities of outgoing e-mail messages sent to unfamiliar addresses, with subject lines like "Don't tell your parents about this!" and "your bill."


'Untraceable'
Spammers are borrowing the trick from the method electronic vandals use to create computer armies capable of launching distributed denial of service (DDoS) attacks against webservers. What may have been the first Trojan horse custom-tailored for spammers emerged last November: called "Jeem," it grants the perpetrator full access to a victim computer, but also includes a built-in SMTP server to facilitate e-mail laundering.


Arbon says the spam world's plunge into adolescent hacking techniques is a result of spammers enjoying fewer and fewer online havens from which to operate. "With the filters and the lists and heurists and all the mechanisms out there people are using, I think the people that are trying to find a way to get the mail delivered are resorting to alternative tactics," she says. "It's untraceable. I hate to put that in print, but it's the truth."


Of course, it also puts the spammers squarely on the wrong side of the law. "As a general rule it's legal to send someone an e-mail even if they don't want it," says Mark Rasch, a former Justice Department computer crime attorney. "But once you break into their computer and get their computer to send e-mail to someone else, then you're violating federal and state computer crime laws."


 


Copyright © 1999-2003 SecurityFocus


TOPICS: Technical
KEYWORDS: spam
Something new for you Windows users to watch out for. Oh, and keep those anti-virus programs up-to-date.
1 posted on 04/27/2003 10:59:28 AM PDT by TechJunkYard
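
The behaviour the article describes (a Trojan listening on a high port, then large quantities of outgoing mail to unfamiliar addresses, which is how the early victim noticed it) can be looked for in firewall connection logs. The following is an added example, not part of the original article or thread; the log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORT = 25
WINDOW = timedelta(minutes=10)
MAX_MAIL_SERVERS = 5  # assumed threshold: a desktop normally uses one or two relays

def parse(line):
    # Assumed log format: "<ISO time> <IN|OUT> <src ip> <dst ip> <dst port>"
    ts, direction, src, dst, port = line.split()
    return datetime.fromisoformat(ts), direction, src, dst, int(port)

def find_spam_zombies(lines, allowed_relays=()):
    """Return {internal host: reasons} for hosts that look like mail relays."""
    smtp = defaultdict(list)    # host -> [(time, remote mail server)]
    inbound = defaultdict(set)  # host -> high ports reached from outside
    for line in lines:
        ts, direction, src, dst, port = parse(line)
        if direction == "OUT" and port == SMTP_PORT and dst not in allowed_relays:
            smtp[src].append((ts, dst))
        elif direction == "IN" and port >= 1024:
            inbound[dst].add(port)
    findings = {}
    for host, events in smtp.items():
        events.sort()
        worst, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted events
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            worst = max(worst, len({d for _, d in events[start:end + 1]}))
        if worst > MAX_MAIL_SERVERS:
            reasons = [f"direct SMTP to {worst} servers within {WINDOW}"]
            if inbound.get(host):
                reasons.append(f"inbound on high ports {sorted(inbound[host])}")
            findings[host] = reasons
    return findings

def sample_log():
    """Constructed log: 192.168.1.20 relays mail, 192.168.1.10 behaves normally."""
    base = datetime(2003, 4, 25, 16, 0, 0)
    lines = ["2003-04-25T15:59:00 IN 198.51.100.7 192.168.1.20 4321"]
    for i in range(12):  # burst to many different mail servers
        t = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{t} OUT 192.168.1.20 203.0.113.{i + 1} 25")
    for i in range(3):   # ordinary mail through a single ISP relay
        t = (base + timedelta(minutes=3 * i)).isoformat()
        lines.append(f"{t} OUT 192.168.1.10 192.0.2.25 25")
    return lines

if __name__ == "__main__": print(find_spam_zombies(sample_log()))
```

Passing the ISP's relay addresses as `allowed_relays` keeps normal mail clients out of the count entirely.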

To: TechJunkYard
Or buy a router. Better than a software shield. Then, you can have a network if you have more than one comp.
2 posted on 04/27/2003 11:03:51 AM PDT by ovrtaxt (I thought I was wrong once, but I was mistaken.)

To: TechJunkYard
BIG bump to the top!
3 posted on 04/27/2003 11:04:44 AM PDT by EggsAckley ( Midnight at the Oasis)

To: TechJunkYard
Of course it is traceable. There is no benefit to spam unless someone is making money. The spam is there to get traffic to someone who is selling something -- they are responsible.
4 posted on 04/27/2003 11:09:13 AM PDT by Born to Conserve

To: TechJunkYard
This happened to me. Several weeks ago, while I stepped away from the computer, thinking I was protected by ZoneAlarm, I discovered that I had been sending out spam for something called lendingtree.com. I only learned of it because about 50 of the emails were bounced back to me as being undeliverable. I have no idea how many were sent from my computer. You can visit the website of Gibson Research and get free software to clean up your computer and get rid of all the junkware.
5 posted on 04/27/2003 11:10:12 AM PDT by PatrickHenry (Felix, qui potuit rerum cognoscere causas.)

To: ovrtaxt
"Or buy a router. . . "

You need both software and a firewall. You can get the Linksys models that are not wireless for cheap on ebay. Everyone likes the wireless and is selling their old wired ones.
6 posted on 04/27/2003 11:12:23 AM PDT by Born to Conserve

To: Born to Conserve
You are correct, in that the email will usually contain a hyperlink to the website of the spammer where they're selling a product or service. The owner of that website can be determined by searching the internet's whois database. Unfortunately, the most unscrupulous spammers usually register their sites via either a P.O. Box or an invalid mailing address, sometimes also using a pseudonym. Makes it a lot tougher to serve legal papers on them.

If you determine that whois contact data is invalid for a particular domain, you can report it to ICANN (Whois data problem report), who will then notify the registrar, who is supposed to contact the registrant and request corrections. How often the registrars actually take action I can't say for certain, but I have submitted problem reports to ICANN and heard back from the registrars that they were taking action against domains for failing to provide accurate contact data.

7 posted on 04/27/2003 11:48:27 AM PDT by jpthomas

To: Born to Conserve; ovrtaxt
The router box would probably be fine. As long as it's set up to NOT forward any ports back to the "victim" PC with the trojan listening to a specific port, there's no way the spammer could call it back.
8 posted on 04/27/2003 12:03:34 PM PDT by TechJunkYard (via Tammy)

To: TechJunkYard
It's all Al Gore's fault. He invented the internet.


9 posted on 04/27/2003 1:04:13 PM PDT by Paleo Conservative

To: Paleo Conservative
Actually, "gore" and zombies sorta go together.. ;-)
10 posted on 04/27/2003 2:46:22 PM PDT by TechJunkYard (via Nancy)

To: TechJunkYard
Yeah--I've got an old Pentium 120MHz box configured as a Linux router in front of my network. Every port but 1 is shut down, and that one is well guarded in other ways. Nothing gets in that wasn't invited in.
11 posted on 04/27/2003 3:55:24 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
