Spammer readme

2005-07-01

Brian McWilliams

Independent writer, USA
Editor: Helen Martin

Abstract

Brian McWilliams explains why, despite the recent outbreak of Sober.Q, which showered the Internet with neo-Nazi propaganda emails, he disagrees with the notion that virus writers and spammers are in cahoots.


Introduction

The recent outbreak of the Sober.Q worm, which showered the Internet with neo-Nazi propaganda emails, is likely to reinforce the notion that virus writers and spammers are deeply in cahoots.

Many anti-virus and anti-spam providers, with the help of the computer press and even the mainstream media, have been warning that mercenary VX'ers are collaborating with spammers and are bent on turning unprotected PCs into unwitting accomplices in spamming. I helped perpetuate this notion in chapter ten of my book Spam Kings [1], where I discussed the rise of spam zombies and the SoBig worm.

But the real message of Sober.Q, contained in a small text file dropped by the worm, is quite different. The file, spammer.readme.txt, included hyperlinks to a May 2005 press release issued by a Californian email management firm. The press release warned that computers infected by Sober.S were 'being transformed into spambots'.

Beneath the links, the author of Sober.Q had written (in German), 'I am still not a spammer! But perhaps I should become one.'

The Californian company's press release was pure FUD (fear, uncertainty, and doubt), and it took a malware writer to say it like it is.

No evidence

The fact is, there is no evidence that systems compromised by earlier versions of Sober have joined the legions of machines known as spam zombies. Aside from the author's own blasts of political 'spam' (and I use that term loosely), I have seen no proof that Sober-infected systems have joined the 'botnets' being used as proxies by commercial spam operations.

I would even go so far as to say that, in the wake of the big outbreaks of SoBig in 2003 [2] and Bagle in 2004, virus authors have discovered that there isn't much of a market for worm-infested spam zombies. Just look at Netsky, the biggest worm of 2004 [3], which has remained atop the Virus Bulletin prevalence table so far for 2005. Netsky and its variants employ numerous techniques for spreading. But ultimately the worm is all about propagation; it installs no backdoors or other code that could enable the author to access the victim computers remotely at a later date.

To be sure, a number of recent self-replicating malicious programs have installed remote-access code or proxy software. For example, Zafi [4, 5] opens port 8181. MyDoom [6, 7] listens on ports in the range 3127 to 3198. Bagle installed a backdoor on port 2745. But none of these worms has made a serious run for the top of the prevalence charts.

Hence, I have a hard time concluding, as did Joe St Sauver, the author of an otherwise stellar article about zombies [8], that 'the prime focus of many recent viruses is the conversion of end user hosts into spam zombies.'

Spammer heaven

There's no doubt that a spammer's idea of heaven includes plentiful and freely available proxy computers. Routing spam through proxies helps junk emailers conceal their identity and makes them a tougher target for blacklisting. Almost all of the most popular spamware programs are designed to import lists of proxy computers - either in the form of a text file or a URL. By some estimates, up to 80 per cent of all spam currently emanates from proxies.

Gone are the days when spammers scanned the Internet manually for misconfigured SOCKS and other proxies on well-known ports such as 1080 and 3128. Spamware companies like Send-Safe still sell proxy scanners, but using them is a laborious process. Most impatient spammers (aren't they all?) simply visit one of the many websites, searchable via Google, that offer lists of open proxies.

However, anyone who's been in the spam business for any significant length of time has learned to bite the bullet and buy proxies from one of the many underground purveyors. Visit any 'bulk email' message board or Internet relay chat (IRC) channel for spammers, and you'll often see people selling proxies (or 'peas', as they're called).

Typically, proxies are rented by the week, with prices ranging widely. I've seen ads for 4,000 peas for as little as $50 per week, but proxies advertised as 'fast' or 'not beat up' can go for $600 per thousand per week.

Zombies from zombies

It is tempting to assume that all these proxies are the work of money-grubbing worm and virus writers in the employ of spam kings. Conversely, some have voiced suspicions that SoBig was created by Send-Safe, in order to generate a ready pool of spam proxies. (Ruslan Ibragimov, owner of Russia-based Send-Safe, told me that a document published anonymously in 2004 wrongly accused him and his company of authoring SoBig.)

Talk to anyone who monitors botnets closely, and they'll tell you that spam zombies are usually created by other spam zombies, not by viruses or worms.

'It's a really nasty situation to watch,' says Andrew Kirch, one of the operators of the anti-spam Abusive Hosts Blocking List [9]. He has been known to sit in private IRC channels, gawking as newly compromised drones connect to the channel by the hundreds or thousands per day. Soon, the drones respond to orders to begin attacking other hosts, and report back to the channel any successful system compromises.

Zombie code - programs like rbot, sdbot, and phatbot - may capitalize on backdoors opened by worms. But Kirch says the botnet Trojans are much more effective at scanning and compromising new hosts. 'Worms such as MyDoom and others are pretty limited in functionality, despite all the hype about the open ports they leave behind,' said Kirch.

To test this assertion, I posed a hypothetical question to a handful of white-hat hacker acquaintances. 'If you were tasked with turning lots of Windows PCs into spam zombies ASAP,' I inquired, 'what method of attack would you choose?'

To my surprise, none of the security experts said they would release an email worm along the lines of SoBig or Bagle. Instead, they almost universally favoured using a browser exploit embedded in a web page.

'Stupid, impatient, greedy hackers use viruses and direct-spammed Trojans,' said Joe Stewart, security researcher with LURHQ, who authored a fascinating treatise on SoBig and spam [10]. 'Smarter, more long-term-thinking hackers use drive-by downloads,' he opined.

One good-guy hacker disagreed, saying the ideal method for building a spam zombie network would be to act like a zombie: scan the Internet and exploit (or 'own') any system found with Windows vulnerabilities. 'If you want stealth and have the patience, you will scan and own,' said Steve Manzuik, a security product manager with eEye Digital Security.

Indeed, stealth seems to be a key issue in assembling a large botnet that can be rented out to spammers. Dmitri Alperovitch, security researcher with CipherTrust, reminded me of the 'Warhol worm' discussions of a few years ago. 'If the goal is to get the [largest] number of machines in the fastest amount of time, the choice would definitely be an automated worm that is exploiting some particular popular vulnerability,' said Alperovitch.

But unlike some virus writers, the goal of botnet operators isn't to make headlines on CNN or CNET. According to Alperovitch, 'The more noise you create with it, the more likely you are to attract attention from both law enforcement and also volunteers and security companies.' That's why Alperovitch says a browser exploit is currently the best way to assemble a zombie army.

Experienced spammers know it's pointless to try to help themselves to some free proxies by scanning for zombies. Botnet operators configure their zombies to listen on random, high-numbered ports (the Mitglieder Trojan, for example, creates proxies that listen on ports such as 35555 and 39999) and to 'phone home' to the zombie master. According to Stewart, botnet operators also take great pains to secure their zombies against takeover by others.
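The backdoor and proxy ports named above (Zafi on 8181, MyDoom on 3127 to 3198, Bagle on 2745, Mitglieder on 35555 and 39999) are the kind of indicator a network defender can check firewall logs against. The following Python script is an added example, not code from the article or from any of the products it mentions; it parses a constructed firewall log format (the `ACCEPT`/`DROP` line layout and all addresses are made up for the example) and reports internal hosts that accepted inbound connections on one of those ports. Dropped connections are excluded by default, since a blocked probe to port 2745 only tells you that someone is scanning for old backdoors, which, as the text notes, is exactly what a well-run botnet does not expose.

```python
"""Flag internal hosts that accepted inbound connections on worm backdoor/proxy ports.

Added example: the port indicators come from the article; the log format and
addresses are constructed for illustration and do not represent real traffic.
"""
import re
from collections import defaultdict

# (indicator name, low port, high port) -- inclusive ranges taken from the article.
BACKDOOR_PORTS = [
    ("Zafi backdoor", 8181, 8181),
    ("MyDoom backdoor", 3127, 3198),
    ("Bagle backdoor", 2745, 2745),
    ("Mitglieder proxy", 35555, 35555),
    ("Mitglieder proxy", 39999, 39999),
]

# Constructed sample firewall log (documentation addresses; not real traffic).
SAMPLE_LOG = """\
2005-06-30T10:00:01 ACCEPT 203.0.113.7:51234 -> 192.0.2.10:3127
2005-06-30T10:00:05 ACCEPT 203.0.113.7:51240 -> 192.0.2.10:3150
2005-06-30T10:01:12 ACCEPT 198.51.100.3:40001 -> 192.0.2.11:80
2005-06-30T10:02:30 ACCEPT 198.51.100.9:44444 -> 192.0.2.12:35555
2005-06-30T10:03:02 DROP 203.0.113.7:51300 -> 192.0.2.13:2745
2005-06-30T10:04:40 ACCEPT 198.51.100.3:40100 -> 192.0.2.11:443
"""

# Assumed line layout: "<timestamp> <ACCEPT|DROP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify_port(port):
    """Return the indicator name for a destination port, or None if it is not listed."""
    for name, low, high in BACKDOOR_PORTS:
        if low <= port <= high:
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_backdoor_hits(log_text, accepted_only=True):
    """Map each destination host to the sorted (port, indicator) pairs it was hit on.

    With accepted_only=True only ACCEPT lines count, i.e. the host really was
    reachable on the port; DROP lines are scanning noise and are ignored.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if accepted_only and rec["action"] != "ACCEPT":
            continue
        name = classify_port(rec["dport"])
        if name:
            hits[rec["dst"]].add((rec["dport"], name))
    return {host: sorted(pairs) for host, pairs in hits.items()}


if __name__ == "__main__":
    for host, pairs in sorted(find_backdoor_hits(SAMPLE_LOG).items()):
        for port, name in pairs:
            print(f"{host} accepted inbound on {port} ({name})")
```

Run as a script it lists 192.0.2.10 (two MyDoom-range ports) and 192.0.2.12 (Mitglieder proxy port); the dropped probe to 192.0.2.13:2745 only appears if `accepted_only=False` is passed. Any real deployment would substitute the parser for the site's actual firewall or NetFlow format.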

Scum of the earth

Of course, it's certainly possible that new, less widely spreading worms designed to create spam proxies will appear, even if none of the most prevalent current email worms appear to have this goal in mind.

Then again, changes underway in the behaviour of botnets suggest that mercenary worm-writers will instead turn their focus to propagating spyware. Stewart reports that botnet operators are moving away from renting their zombies out as spam proxies, and instead are using the compromised machines to install adware and quietly rack up big commissions.

I don't claim to know what motivates virus writers in general or the author of Sober.Q in particular. But I think his little readme file was illuminating. Even a neo-Nazi malware creator apparently thinks spammers are the scum of the earth.

Bibliography

[1] Brian McWilliams, Spam Kings, O'Reilly, 2004, ISBN 0-596-00732-9.

[2] Peter Ferrie, 'Sobig, sobigger, sobiggest', Virus Bulletin, October 2003, p.5.

[3] Mircea Ciubotariu, 'Netsky: conflict starter?', Virus Bulletin, May 2004, p.4.

[4] Gabor Szappanos and Tibor Marticsek, 'Patriot games', Virus Bulletin, July 2004, p.6.

[5] Gabor Szappanos, 'More patriot games', Virus Bulletin, August 2004, p.9.

[6] Gabor Szappanos, 'We're all doomed', Virus Bulletin, March 2004, p.9.

[7] Gabor Szappanos, 'Doomquest: life after Mydoom', Virus Bulletin, April 2004, p.8.

[8] Joe St Sauver, 'Spam zombies and inbound flows to compromised customer systems', MAAWG General Meeting, March 2005, http://darkwing.uoregon.edu/~joe/zombies.pdf.

[9] Abusive Hosts Blocking List, http://www.ahbl.org/.

[10] Joe Stewart, 'Sobig.a and the spam you received today', http://www.lurhq.com/sobig.html.
