Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Aggressive Botnet Activities Behind Spam Increase

Posted by kdawson on Tue Nov 07, 2006 02:08 PM
from the spam-i-am dept.
Spam Security
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signatures detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."
+ -
story

Related Stories

[+] What's With All This Spam? 212 comments
coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.
[+] 25 Percent of All Computers in a Botnet? 408 comments
Beckham's_Ponytail writes to mention an Ars Technica article, with some disturbing news out of the World Economic Forum in Davos, Switzerland. Vint Cerf, one of the 'fathers of the internet', has stated that the number of botnets online is larger than believed. So large, in fact, that he estimates that at this point one in four computers is infected with botnet software. We've discussed the rise of botnets numerous times here on Slashot, but the image of 150 million infected computers is more than a little bit sobering. With the extremely lucrative activities that can be done with botnets (such as password ripping, spamming, DDoSing), as well as reports of organized crime adopting 'cyber-terrorism' as a new line of income, is it likely that law enforcement will ever be able to curb this particular bane?
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Aggressive Botnet Activities Behind Spam Increase 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Someone's making a lot of money from this (Score:5, Interesting)

    by ShaunC (203807) * on Tuesday November 07 2006, @02:10PM (#16755147) Homepage
    I think the Securities and Exchange Commission may turn out to be the most appropriate investigative body for SpamThru and its controllers.

    Like many others, SpamThru first showed up on my radar a few weeks ago when a massive pump-and-dump stock spam [shaunc.com] campaign flooded the inboxes of just about everyone who uses email. They're still at it today, now pumping for ticker EGLY. There's no doubt in my mind that it's the same group of folks responsible for the initial run. All of these spam runs are coming solely through botnets, and the messages - and patterns of messages - share some obvious characteristics.

    SpamThru and the recent barrage of stock scams are inextricably linked, I have no doubt about it. If and when the SEC investigates suspicious trading activity surrounding some of these stocks, they're likely to discover a trail that leads them straight to the folks responsible for SpamThru.
    • It makes me wonder if the Stock Markets of the world have a plan to deal with this kind of nearly untraceable pump-and-dumping? Will it be illegal to invest in whatever spammed stock you see in your inbox, and dump it before other suckers invest in it based on spams?

      • Re:Someone's making a lot of money from this (Score:4, Insightful)

        by a_nonamiss (743253) on Tuesday November 07 2006, @02:31PM (#16755485)
        IANASB, but by the time you read the spam email, it's probably already too late. These people buy stocks before they blast out the spam, and sell them to the suckers that think they are going to get in early and dump later. Now, if you were really clever, you could probably figure a way to make money shorting them, but that would be unethical as well, not to mention very risky.

    • enforcement@sec.gov (Score:5, Informative)

      by RT Alec (608475) <alec@nOspAm.slashdot.chuckle.com> on Tuesday November 07 2006, @02:17PM (#16755257) Homepage Journal

      Forward the message to mailto:enforcement@sec.gov [mailto]. Use Thunderbird or another mail client that does not strip or mangle the original headers (like Outlook does).

      The SEC will devote significant resources investigating and often prosecuting the people who are behind these scams.

      • Re:enforcement@sec.gov (Score:5, Informative)

        by XSforMe (446716) on Tuesday November 07 2006, @02:30PM (#16755475)
        If you are using outlook, you can use OLSpamCop to rescue the headers and report to pretty much anyone any spam (including enforcement@sec.gov). It is a free download available here: http://www.olspamcop.org/doc.shtml#install [olspamcop.org]

        But I seriously doubt the SEC will be interested in origin of the SPAM. More likely they will do an audit on the fraudulent symbol. It usually is much more effective than tracing the origin of the spam, and it is more likely asses will get busted and the criminals (the people who proffit from the poor schmucks buying the stock) will get sent to jail.

        Nevertheless, if you want to report and spam, use spamcop so we can mitigate the damage done from the source before it pumps more shit onto the net.

        • Re: (Score:3, Interesting)

          by RT Alec (608475)

          I am not familiar with OLSpamCop, as I do not use Outlook. I am familiar with SpamCop, and how they need the detail in the headers to be intact, so I would guess that this is a workable solution.

          If we take the profit out of spam, we will see less spam. To date, pump and dump spam bombs work, so the scammers continue to hire spammers to flood our inboxes. Without getting caught, the risk to scammer and spammer is zero. With the SEC pursuing the scammers, the scam becomes less profitable due to the increase

      • LOL! A government entity giving a fuck about something? That'll be the day.
        • LOL! A government entity giving a fuck about something? That'll be the day.

          I understand the sentiment... but, isn't it usually our complaint that they poke thumbs into too many pies that would be better left to market forces?

          Remember, market forces (and 'tit for tat' in general) have a tough time dealing with sophisticated frauds, especially when the perpetrators remain anonymous. Force and fraud are the very reason why we need a government.

      • Use Thunderbird or another mail client that does not strip or mangle the original headers (like Outlook does).

        It looks like your Thunderbird is configured to forward emails as attachments, but that is not the default setting, if I rememebr correctly.

        In Thunderbird, others may have to go to "Message" -> "Forward As" -> "Attachment".

        In Outlook 2003, I didn't find how to forward as attachment. You have to copy the headers from the properties window, and paste them in your forwarded message. Far too compl

        • Tools, Options, Preferences (tab), E-mail Options, change "When forwarding a message" to "Attach original message."

          Note that I haven't actually checked to see if that really does attach the entire message, but it sure looks like it did. (Clicking Forward created a new email with the message attached, and opening the attachment I was able to get the full headers via the View, Options ("Options?" WTF?) menu item.

        • Re: (Score:3, Informative)

          by secolactico (519805)
          In Outlook 2003, I didn't find how to forward as attachment. You have to copy the headers from the properties window, and paste them in your forwarded message. Far too complicated to explain over the phone to someone who doesn't have a clue

          Compose a new message, then drag the message you want to forward from the Inbox (or whatever folder) into the new message windows. That's it.

          If you want to see the headers of a message, open it and select "View" and "Options".

          I wish outlook had a "view source" like that

      • Don't blame the victim! (Score:5, Insightful)

        by NotQuiteReal (608241) on Tuesday November 07 2006, @02:44PM (#16755761) Journal
        Personally I think the SEC should forcably de-list or begin the de-listing process of any stock that shows up in a SPAM campaign like this.

        Um, and do you also think scantilly clad women deserve to get raped?

        A pump and dump scheme simply selects a stock with the right combination of price and volume that they think they can manipulate.

        Take the EGLY.OB example (heh, it's up 6% right now). It is a low priced (under a dollar) stock, so lots of shares are cheap. It has sufficient volume (100K shares/day) to be useful. If it is too thinly traded you can't accumulate shares on the cheap. If the volume is too high, the market will keep the dumpers shares low.

        So, the spammers are doing a buy-low, "advertise" (pump it up), sell-high (dump) campaign. The particular stock selected was probably just a result of a screen for the desired trading properties.

        The company whose stock is manipulated (most likely) had nothing to do with it.

        • Take the EGLY.OB example (heh, it's up 6% right now).

          ... So what you're saying is ...

          THIS ST()CK is READY TO POP!!!
          EGLY.OB IS ABOUT TO BLOW YOUR MINDS!
          WATCH OUT HERE IT COMES!
          DONT BE LEFT OUT!

      • Re:Someone's making a lot of money from this (Score:5, Funny)

        by isometrick (817436) on Tuesday November 07 2006, @02:46PM (#16755817)
        Hmmm...

        Hot Stocks-Investor ALERT!!!
        SYMBOL: MSFT
        Timing is everything!
        Profits of 300-400 % EXPECTED
        TRADING SYMBOL: MSFT
        Opening Price: $28.93
        10 Day Target: $66.66
      • You can't tax Windows users unless you start clamping down on all the open relays and misconfigured email servers. SMTP is broken, and patchwork solutions like SPF are only helping a small amount. There are servers with no reverse DNS, no MX records, all sorts of invalid configurations. As an admin running several mail servers I have to choose between enforcing all the RFC's (and rejecting email from hundreds of legitimate but broken servers) or leaving the door open and being swamped by spam (which is then trapped by processor intensive sieve, filters, etc). If I turn up the security too high my users start complaining about rejected email from clueless organizations that are running perfectly good Linux/Mac/Windows mail server boxes that are not set up correctly.

        IMHO it ultimately comes down to fixing SMTP.

        John

        • Re:It's not the bots...it's the protocol (Score:4, Insightful)

          by cr0sh (43134) on Tuesday November 07 2006, @04:17PM (#16757463) Homepage
          IMHO it ultimately comes down to fixing SMTP.


          You are absolutely correct - the real question is, will we fix it (meaning us geeks and maintainers of the internet to develop and implement a new and more secure mail protocol and roll it out internetwork-wide, and fast), or will we wait for the government to fix it (whatever that means in an international arena, of course)?

          One choice leads furtherance of the core values of an open, but secure, internet. The other may lead to a broken design, corruption, and a failing system that does nothing to help curb the problem, and may make it worse. I leave it to you (and the future) to decide which falls where...

      • Spammers, ad-ware writers, and other scum have made many, many people's online experience a nightmare. While most people try to defend themselves by installing spam filters, spyware detectors, anti-virus programs and other software, spammers continue to come up with yet even more insideous ways around these defenses with impunity. We have even asked the government to help us, and what does Uncle Sam do? He passes a law that is most favorable to spammers. The law is called the CANNSPAM act. CANNS

  • Hold On Here (Score:5, Funny)

    by eldavojohn (898314) * <my/.username@@@gmail.com> on Tuesday November 07 2006, @02:12PM (#16755161) Homepage Journal
    Now, I know what you're going to say, you're going to say this is a dupe of last week's story, Bot Nets Behind Recent Spam Surge [slashdot.org], but it's not. You see, this is Aggressive Botnet Activities Behind Spam Incease. And it's no longer recent--it's a week old.

    So you can call this a dupe, but as you can see, this has clearly changed status from recent to aggressive. Or maybe like code orange to code red, DHS style.

    But please, feel free to karma whore the comments from the old discussion into this one. Seriously, anyone get any new information on this? We've got a named virus but is there anything else new?

    • How about, "Non-geeks beginning to be aware botnets behind spam increase" ?

      • This would require /. to be able to post from the future.

        The FAR future.

        How do you know a trojan threat is over? The "mundane" media covers it.
    • Not only that, but one story was about bots being behind and increase in spam, while the other is about bots being behind an incease in spam. Totally different topics.
  • I recommend "Duh" for this article.

  • I don't know who.. (Score:3, Insightful)

    by xENoLocO (773565) * on Tuesday November 07 2006, @02:12PM (#16755169) Homepage
    ...is getting only 75% spam.

    Mine is more like 1 real email for every 200 spam messages...
    • Without filtering I would be in trouble.
      it I get maybe 5% spam? not too much.
      Every on-line contact has a unique e-mail address, i.e. slashdot.com.1@networkboy.net, once that is on too many spam lists I re-visit the address. If I still need that contact I update the profile and add a new address: slashdot.com.2@networkboy.net, and :blackhole: the old one.
      Naturally if I no longer need the contact (was for a one-time download and such), then off to :blackhole: it goes. Works awesome!
      All the addresses forwar

      • Re: (Score:3, Insightful)

        by Scutter (18425)
        Unfortunately, you may not receive the spam, but it's still sent. It's still consuming network resources in the form of bandwidth and CPU time required to filter it. Right now, my company is filtering around 20,000 messages per day, and we're fairly small, with only around 75 mailboxes.

        • Re: (Score:3, Interesting)

          by garcia (6573)
          I *never* received spam (not even to SpamAssassin). Then, within the last 8 days I have seen it go through the fucking roof. Not only is SpamAssassin ignoring these e-mails (they are registering 1.0 and 2.0) but many of them seem like worthless spam to me.

          If you're going to spam me at least try to sell me something.

          The best is that I'm getting the exact same spams, within seconds, on several mailboxes on different domains at once (work, GMail, and home).

          I can't ban their IP ranges fast enough and when I d
          • ... when I do I end up blocking stuff like my wife's work IPs.
            You're sleeping on the couch tonight!

          • Re: (Score:3, Interesting)

            by CodeBuster (516420)
            If you're going to spam me at least try to sell me something.

            The worthless messages are an attempt to poison your spam filters by using many common business, home, and lifestyle related keywords (whether or not these messages are actually effective at confusing the Bayesian filters is an open question). The pitch for "Vla6|2a" and that can't lose stock market "opportunity" will be in a follow on message. It is sort of like in football where there is a lead blocker and fake handoffs to confuse the defens
        • Well, I've got only a dozen or so mailboxes, and I routinely get 20,000 spams every day. SpamAssassin catches the bulk of them, but 20-50 get through each day and have to be manually sifted.

          I'd love to describe my ideal spammer punishment, but it's NSFW.
    • ...is getting only 75% spam.

      Depends. On personal accounts I don't, but on generic emails like info@ and sales@ I get flooded. Keep in mind I've never used these emails to send people emails or register for forums or lists. The simply exist for automation for other things. Spam messages that don't match those automations don't come through.

      I should more than likely change them to something like sales-something123@ but the need isn't really there.
  • And human error behind typo "incease"!

  • dupe checking (Score:3, Insightful)

    by minus_273 (174041) <aaaaa@SPAM.yahoo.cTEAom minus caffeine> on Tuesday November 07 2006, @02:19PM (#16755287) Journal
    sites like freerepublic avoid dupes like this by having a rule that the subject of the article be used for the posting. Then, checking for a dupe is just a matter of a search for the exact same subject. Its simple and works a lot better.
    • Actually, there are protections in place, but Aggressive Botnet Activities are Behind this Dupe Increase. You just can't fight numbers!
  • What i don't get is why spam is still an issue in this day and age of the internet.

    The reason behind spam is simple : it works.

    i mean.... it just goddamn works... why otherwise would company pay hundreds of thousands to defend themselves legally and invest in various ways to get to our inbox ?

    There are stupid people out there buying from those guys, or whatever product they are advertising.

    If you cut the money income, you cut the spam...

    instead of spending $$$ and time trying to prevent spam from arriving i

    • You ... you ... you COMMUNIST! (Score:5, Insightful)

      by Opportunist (166417) on Tuesday November 07 2006, @02:39PM (#16755649)
      You mean educate people so they don't fall for scams? So they think for themselves? So they know that offers that are too good to be true can't be true?

      Are you nuts? Are you aware that this would mean to the market? People able and willing to compare prices before buying, people having used cars inspected before buying them, people informing themselves about the appliances they buy and who don't blindly believe the ads.

      Do you know just how many jobs hang on the fact that 99% of the people around are suckers, incapable of sorting out their own life?

    • Re: (Score:3, Insightful)

      by rduke15 (721841)
      instead of spending $$$ and time trying to prevent spam from arriving in our inbox we should spend that money and time educating the crowd

      I see you don't know much about that part of "the crowd" who falls for the spammers/phishers/etc. tricks.

      Even if you could educate them all, new suckers are born every day.

      The sad thing about it is that among them, there are even nice and clever people, who just have the particularity to be ignorant and naive in front of a computer...
    • You're trying to hold back the ocean with a broom on this one. Spam works only because the margins are so small. The emails are essentially free because they're using somebody else's computer to do the work. So it takes only a trivial response rate to make it worth their trouble to annoy every single person on the planet. (Well, at least the 20% or so of them with net access.)

      It is astonishing that anybody with an IQ high enough to operate a computer would buy v1@.gra, but the fact is the bell curve goes w
      • I keep bringing this up, time and time again.
        It's not the people trying to sell the crap that are the real issue, its the middle-men who sell the dream of "internet marketing".
        Moreover, I blame those "Work at Home, make Million$" ads you in magazines and on TV; these are essentially proxies for Internet marketing and the people who do well in those jobs turn to botnets and other illegitimate means. Meanwhile the parent marketing company can distances themselves from them, calling them "consultants" when peo
  • Everyone's aware of the excessive spamming on myspace. Hell, I almost think the powers at be at myspace are getting a kickback with the incredible abuse.

    But just yesterday I got a 419 email(but with French context, instead of Nigerian) on my Youtube messaging system. He/she even wrote back, regardless of the fact I posted a comment on the account saying "best 419 scammer ever!", that everyone can see.

    I'll be expecting facebook spam sometime soon. Er, maybe not.

  • Not so much regular spam, but 419 (Score:3, Interesting)

    by dr_dank (472072) on Tuesday November 07 2006, @02:33PM (#16755517) Homepage Journal
    Personally, I haven't seen an influx of the viagra/mortgage spam as much as I've seen a sharp increase in the number of 419 scam emails of varying degrees. One of them is an account that used to get spam only very rarely. I theorize that someone else on the email service fell for the scams and word got around that there are plenty of mugus ripe for the plucking if you spam this domain.

    Has anyone else seen a rise in the amount of this type of spam?
      • The email address I originally mentioned is also used for my Monster.com account and gets its own share of scammers: MLM/Amway/Quixtar, Primerica (where they misleadingly identify themselves as Citigroup Financial Services), and check wire scammers.

        The latter poses as a legit job doing payment processings where checks come in with the understanding that they are deposited, a percentage skimmed as a commission, and the remainder wired back to your "employers". Never mind that the checks are either bogus an

  • Time to pull the plug (Score:4, Insightful)

    by JohnnyGTO (102952) on Tuesday November 07 2006, @02:36PM (#16755573) Homepage
    Its time we force ISPs to pull the plug on infected client machines or block entire ISPs. There is no valid argument to support end users who refuse to clean up their machines. The argument that either they are not responsible for the infection or are unable to clean their own machines is crap. If end users don't know how to maintain their equipment then perhaps they should be off the net.

    Look at a car as an example. If I refuse to do or pay for routine maintenance it will begin to create more and more pollution and use more and more fuel. Is it the manufactures job to fix it, no, is it the road builders job, no, is it the jerks that sold me crappy fuel, only if I can catch them. So when I fail smog tests I need to either quit using the car or pay to fix it. Might not be the best analogy.
  • I've been seeing over 80% SPAM in the last couple months. And that is just what is being blocked (spamassassin). The actual number is a little higher. Sad, really.

    -matthew

  • OT: why is everything a trap today? (Score:3, Informative)

    by Mateo_LeFou (859634) on Tuesday November 07 2006, @02:51PM (#16755917) Homepage
    Is there a joke I'm not in on?

    • Re: (Score:3, Informative)

      by necro2607 (771790)
      This page [x-entertainment.com] explains the "it's a trap" inside joke well enough, although I don't know what the deal is behind tagging comments with itsatrap today in particular.
  • [Note, this post is referring to the tags that can be found amongst others, on this article, so this is a general-issue post not an offtopic one. Thank you.]

    It's getting annoying that every article without any relevance gets tagged with "itsatrap". The "fud" tag is grossly overused aswell, but at least it can be perceived as mostly applicable. I'm suggesting, to conform with slashdot grammar, to counter-tag every article that has an irrelevant "itsatrap" tags with "notsatrap".

  • Block email from Windows (Score:3, Interesting)

    by rohanl (152781) on Tuesday November 07 2006, @05:02PM (#16758531)
    Since all this extra spam is coming from botnets running on Windows, just block all email coming directly from a Windows box. I've been experimenting with host fingerprinting using p0f

        http://lcamtuf.coredump.cx/p0f.shtml [coredump.cx]

    From this I can see that almost all spam comes from Windows. I'm in the process of configuring my postfix server so it will just reject any mail from a Windows box.

    The only false positives I've seen so far, is a handful of legitimate emails that come from Windows Server 2003, so I may exempt that...

    Note: I'm not advocating blocking email from Windows users, just email coming directly from a Windows box. If a windows user sends email through their ISP's mail server, it will get thrugoh just fine.
    • You could've been slimmed instead of spammed!

      Given how fat Americans are becoming, I'd think a little slimming would do us some good.

      Oh, you meant slimed!

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.