Free Republic

Rise of the Spam Zombies
SecurityFocus | Apr 25 2003 4:45PM | Kevin Poulsen

Posted on 04/29/2003 1:28:28 PM PDT by LynnHam

Pressed by increasingly effective anti-spam efforts, senders of unsolicited commercial e-mail are resorting to outright criminality in their efforts to conceal the source of their ill-sent missives, using Trojan horses to turn the computers of innocent netizens into secret spam zombies.

"This is the newest delivery mechanism," says Margie Arbon, director of operations of anti-spam group MAPS. "I've been looking for it for a year, and in the last couple of months people have actually found Trojans that are doing it... They're carrying their own SMTP engines. Failing that, they install open proxy software."

One of those programs popped up last week. Named "Proxy-Guzu," when executed by an unwitting user the Trojan listens on a randomly-chosen port and uses its own built-in mail client to dash off a message to a Hotmail account, putting the port number and victim's IP address in the subject line. The spammer takes it from there, routing as much e-mail as he or she likes through the captured computer, knowing that any efforts to trace the source of the spam will end at the victim's Internet address.

Trojan horses generally rely on their wielder's ability to trick innocent people into executing them. Proxy-Guzu, naturally, arrives as spam -- in one sighting the program was offered as a naughty peek at an online webcam.

One early victim of the malware, posting to an anti-virus message board, says he detected it only when his desktop firewall program alerted him to large quantities of outgoing e-mail messages sent to unfamiliar addresses, with subject lines like "Don't tell your parents about this!" and "your bill."

'Untraceable'

Spammers are borrowing the trick from the method electronic vandals use to create computer armies capable of launching distributed denial of service (DDoS) attacks against webservers. What may have been the first Trojan horse custom-tailored for spammers emerged last November: called "Jeem," it grants the perpetrator full access to a victim computer, but also includes a built-in SMTP server to facilitate e-mail laundering.

Arbon says the spam world's plunge into adolescent hacking techniques is a result of spammers enjoying fewer and fewer online havens from which to operate. "With the filters and the lists and heuristics and all the mechanisms out there people are using, I think the people that are trying to find a way to get the mail delivered are resorting to alternative tactics," she says. "It's untraceable. I hate to put that in print, but it's the truth."

Of course, it also puts the spammers squarely on the wrong side of the law. "As a general rule it's legal to send someone an e-mail even if they don't want it," says Mark Rasch, a former Justice Department computer crime attorney. "But once you break into their computer and get their computer to send e-mail to someone else, then you're violating federal and state computer crime laws."


TOPICS: Crime/Corruption; Front Page News; Technical
KEYWORDS: crime; spam; trojanhorses; virus
This got passed out at work ... Thought I should post it since it is really a bad one!
1 posted on 04/29/2003 1:28:28 PM PDT by LynnHam
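
The victim quoted in the article caught the Trojan only because his firewall flagged large quantities of outgoing mail to unfamiliar addresses; the same signal can be pulled from firewall logs. The following is an added example, not part of the article or this thread: the log format, IP addresses, relay address, window and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical firewall log format:
# timestamp, action, source ip:port -> destination ip:port
SAMPLE_LOG = """\
2003-04-28T10:00:01 ALLOW 192.168.1.10:1033 -> 192.168.1.2:25
2003-04-28T10:00:05 ALLOW 192.168.1.23:1045 -> 203.0.113.5:25
2003-04-28T10:00:06 ALLOW 192.168.1.23:1046 -> 203.0.113.9:25
2003-04-28T10:00:07 ALLOW 192.168.1.23:1047 -> 198.51.100.7:25
2003-04-28T10:00:09 ALLOW 192.168.1.23:1048 -> 198.51.100.44:25
2003-04-28T10:00:12 ALLOW 192.168.1.23:1049 -> 203.0.113.80:25
2003-04-28T10:01:00 ALLOW 192.168.1.31:1100 -> 198.51.100.7:25
2003-04-28T10:20:00 ALLOW 192.168.1.31:1101 -> 203.0.113.5:25
2003-04-28T10:02:00 ALLOW 192.168.1.10:1034 -> 203.0.113.80:80
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ALLOW (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def smtp_fanout(log_text, relay, window=timedelta(minutes=5), threshold=4):
    """Return {source_ip: n} for sources that opened direct SMTP (port 25)
    connections, bypassing the approved relay, to n >= threshold distinct
    destinations inside any single time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "25" or m["dst"] == relay:
            continue  # unparsed line, non-SMTP traffic, or mail via the relay
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(smtp_fanout(SAMPLE_LOG, relay="192.168.1.2"))
```

A workstation that normally hands mail to one relay has no reason to contact many mail servers directly, so a small threshold is usually enough; blocking outbound port 25 from everything except the relay removes the channel entirely.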

To: LynnHam
Rule of thumb - give your home e-mail address to NO ONE.
2 posted on 04/29/2003 2:20:34 PM PDT by FierceDraka ("I am not a number - I am a FREE MAN!")

To: FierceDraka
Rule of thumb - give your home e-mail address to NO ONE.

Another rule: Never open an attachment, unless it's from a trusted source.

"I am not a number - I am a FREE MAN!"

Be seeing you. ;-)

3 posted on 04/29/2003 2:57:41 PM PDT by DaveCooper

To: LynnHam
Tar and Feather them...
4 posted on 04/29/2003 2:58:56 PM PDT by observer5

To: LynnHam
One thing I don't understand: how do spammers make money targeting spams to people who take great pains not to receive them?

I can understand in a few cases, like "Buy our new improved spam-blocking software and you won't have to put up with this junk anymore", efforts to reach those who would otherwise be hard-to-spam could possibly net customers, but otherwise?

It seems to me there's something driving spam besides the profit motive, since the 'market' is so thoroughly glutted and I don't think there's much money there other than in sales of spam-related (pro- or anti-) services.

What's really going on?

5 posted on 04/29/2003 3:34:45 PM PDT by supercat (TAG--you're it!)

Comment #6 Removed by Moderator

To: LynnHam
The solution to SPAM is to start class action lawsuits against the beneficiaries of the spam advertising. The spammers themselves may not be locatable, but someone is PAYING them to advertise their websites and products. Since the idea is to attract sales of known products and services or website hits on known locations, those who benefit from spam should be liable for the havoc their AGENTS create.

My time is worth $50 per hour. I find that I am devoting at least 1 hour per week to screening and deleting spam because no spam filter is 100% effective. This means that spam costs me $2,600 per year of my time. I should be able to add additional costs for wear and tear on my computer, some portion of my internet bill for downloading useless garbage, and punitive damages. I think that $5,000 per user would be a good figure.

Are there any creative Class Action Tort lawyers out there interested in making tons of money?
7 posted on 04/29/2003 5:29:26 PM PDT by Swordmaker (Tagline Extermination Services, franchises available, small investment, big profit)

To: LynnHam
It's also known as spyware. It is often contained in music pirating software such as Morpheus and Kazaa and others. I was getting barraged by pop ups on my machine. Some of them had a logo for "Gator" software. Upon checking out my machine I found two directories, one called CMEII and the other called GME. They were located in the \program files\common files directories. I ran the Task Manager (hit ctl alt del) and found two programs working on my computer, GME.exe and CMEII. I disabled both programs and deleted the directories. I was unable to delete them until I cancelled the programs. Beware, spyware could be running on your computer.
8 posted on 04/29/2003 5:40:31 PM PDT by appeal2

To: FierceDraka
Rule of thumb - give your home e-mail address to NO ONE.

Hm, this would work.

...but then that means you'd never use it. ;-)

9 posted on 04/29/2003 5:44:30 PM PDT by k2blader (Reason is our soul's left hand, Faith her right. - John Donne)

To: k2blader
A friend of mine sent me an email titled "From Suzy and Jacky". I knew her as Suzanne and her hubby as Jacques, not as "Suzy and Jacky", and I deleted the email, thinking it was porno. We got a good laugh out of it.

I delete at least one shady message a day. I don't know why I get them, I never visited a porn site.

10 posted on 04/29/2003 6:55:32 PM PDT by Ciexyz

To: LynnHam; Mitchell
Can someone explain this to me.
I have an e-mail account under a pseudonym
(hotmail)
which I use only to communicate with two people
(both family members).
I never have sent e-mail to anyone else from it.
Yet I get far more spam on it
than on any other account,
up to 100 a day.
I have other hotmail accounts
which I use much more frequently
yet they receive less spam.
Can anyone explain?
11 posted on 04/29/2003 7:01:00 PM PDT by Allan

To: Ciexyz
I delete at least one shady message a day. I don't know why I get them, I never visited a porn site.

I empathize.

Not sure how the creeps got my address but recently I've been receiving around 10 spams a week. Just a couple months ago I had been receiving virtually none.

My suspicion is some virus/worm/trojan got into one of my friends' email address books...

12 posted on 04/29/2003 7:13:59 PM PDT by k2blader (Reason is our soul's left hand, Faith her right. - John Donne)

To: appeal2
Tried a new freeware named Spybot. Used with Ad-Aware your drive should be pretty sterilized. Zone Alarm is indispensable. PC-cillin lifetime support came with an Asus motherboard (best deal ever in retrospect).
No such thing as too paranoid.
13 posted on 04/29/2003 8:11:30 PM PDT by NewRomeTacitus (They get me when I remove the foil for showers.)

To: Allan
They send to ("every legal combination of email address characters")@hotmail.com
14 posted on 04/29/2003 8:15:57 PM PDT by Poohbah (Crush your enemies, see them driven before you, and hear the lamentations of their women!)

To: Poohbah
Mathematically impossible.
15 posted on 04/29/2003 8:48:16 PM PDT by Allan

To: LynnHam
I'm wondering why they go to the trouble. Does anybody really respond to spam? Not anyone I know.

How much of a response is necessary to make this sort of thing profitable? Are they looking for the one big sucker? With the Nigerian banking scam I could believe this, but how does this work for

Could it be that the spammers are incompetent as well as annoying? Or suckers themselves (become a spammer and make BIG BUCKS)?
16 posted on 04/29/2003 9:13:01 PM PDT by Salman

To: Allan
This has been widely remarked on. Spammers sometimes send out mail addressed to (every name on a giant list)@somewhere.com. The giant list presumably consists of usernames that have been found to be valid at other ISPs.

Some people have also speculated that one or more individuals with administrative access at hotmail have sold address lists. Or that hackers have broken into hotmail and obtained address lists in that fashion.

17 posted on 04/29/2003 9:43:25 PM PDT by Mitchell

To: Allan
How so?

It's a finite set of characters.

Hell, I have an alphanumeric hotmail address that is not tied to my name, address, or anything else--and it gets spammed regularly.
18 posted on 04/30/2003 4:59:08 AM PDT by Poohbah (Crush your enemies, see them driven before you, and hear the lamentations of their women!)

To: Poohbah
"How so?

It's a finite set of characters."

Let's imagine a very short address: 9 characters.
Assume 30 ASCII characters.
Assume one-millionth of a second required
to send one e-mail to one possible address.

The operation would require 227 days.

Raise that to 12 characters, and the operation would require 2 billion years.

19 posted on 04/30/2003 12:35:07 PM PDT by Allan

To: NewRomeTacitus
"Tried a new freeware named Spybot."

Spybot also rid my computer of freescratchandwin, gator, etc.
20 posted on 04/30/2003 12:49:55 PM PDT by maggief



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson