Aggressive Botnet Activities Behind Spam Increase

Posted by kdawson on Tue Nov 07, 2006 02:08 PM
from the spam-i-am dept.
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signature detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."

Related Stories

What's With All This Spam? (212 comments)
coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.
25 Percent of All Computers in a Botnet? (408 comments)
Beckham's_Ponytail writes to mention an Ars Technica article, with some disturbing news out of the World Economic Forum in Davos, Switzerland. Vint Cerf, one of the 'fathers of the internet', has stated that the number of botnets online is larger than believed. So large, in fact, that he estimates that at this point one in four computers is infected with botnet software. We've discussed the rise of botnets numerous times here on Slashdot, but the image of 150 million infected computers is more than a little bit sobering. With the extremely lucrative activities that can be done with botnets (such as password ripping, spamming, DDoSing), as well as reports of organized crime adopting 'cyber-terrorism' as a new line of income, is it likely that law enforcement will ever be able to curb this particular bane?
  • by ShaunC (203807) * on Tuesday November 07 2006, @02:10PM (#16755147)
    (http://www.shaunc.com/)
    I think the Securities and Exchange Commission may turn out to be the most appropriate investigative body for SpamThru and its controllers.

    Like many others, SpamThru first showed up on my radar a few weeks ago when a massive pump-and-dump stock spam [shaunc.com] campaign flooded the inboxes of just about everyone who uses email. They're still at it today, now pumping for ticker EGLY. There's no doubt in my mind that it's the same group of folks responsible for the initial run. All of these spam runs are coming solely through botnets, and the messages - and patterns of messages - share some obvious characteristics.

    SpamThru and the recent barrage of stock scams are inextricably linked, I have no doubt about it. If and when the SEC investigates suspicious trading activity surrounding some of these stocks, they're likely to discover a trail that leads them straight to the folks responsible for SpamThru.
  • Hold On Here (Score:5, Funny)

    Now, I know what you're going to say, you're going to say this is a dupe of last week's story, Bot Nets Behind Recent Spam Surge [slashdot.org], but it's not. You see, this is Aggressive Botnet Activities Behind Spam Incease. And it's no longer recent--it's a week old.

    So you can call this a dupe, but as you can see, this has clearly changed status from recent to aggressive. Or maybe like code orange to code red, DHS style.

    But please, feel free to karma whore the comments from the old discussion into this one. Seriously, anyone get any new information on this? We've got a named virus but is there anything else new?
  • by creimer (824291) on Tuesday November 07 2006, @02:12PM (#16755163)
    (http://www.creimer.ws/ | Last Journal: Friday January 26 2007, @12:40PM)
    You could've been slimmed instead of spammed! :P
  • This needs a tag. (Score:2)

    by edunbar93 (141167) on Tuesday November 07 2006, @02:12PM (#16755167)
    I recommend "Duh" for this article.
  • I don't know who.. (Score:3, Insightful)

    by xENoLocO (773565) * on Tuesday November 07 2006, @02:12PM (#16755169)
    (http://www.mentallyretired.com/)
    ...is getting only 75% spam.

    Mine is more like 1 real email for every 200 spam messages...
  • human error (Score:2, Funny)

    And human error behind typo "incease"!
  • dupe checking (Score:3, Insightful)

    by minus_273 (174041) <aaaaa AT SPAM DOT yahoo DOT com> on Tuesday November 07 2006, @02:19PM (#16755287)
    (Last Journal: Wednesday May 16, @12:43PM)
Sites like freerepublic avoid dupes like this by having a rule that the subject of the article be used for the posting. Then, checking for a dupe is just a matter of a search for the exact same subject. It's simple and works a lot better.
  • What i don't get (Score:2)

    by Programmer_In_Traini (566499) <eniac0@@@gmail...com> on Tuesday November 07 2006, @02:23PM (#16755349)
What I don't get is why spam is still an issue in this day and age of the internet.

    The reason behind spam is simple : it works.

I mean.... it just goddamn works... why otherwise would companies pay hundreds of thousands to defend themselves legally and invest in various ways to get to our inbox?

    There are stupid people out there buying from those guys, or whatever product they are advertising.

    If you cut the money income, you cut the spam...

Instead of spending $$$ and time trying to prevent spam from arriving in our inbox, we should spend that money and time educating the crowd that "spamware" is most of the time just a way to get money out of your pocket with no real return value.
    • You ... you ... you COMMUNIST! (Score:5, Insightful)

      by Opportunist (166417) on Tuesday November 07 2006, @02:39PM (#16755649)
      You mean educate people so they don't fall for scams? So they think for themselves? So they know that offers that are too good to be true can't be true?

Are you nuts? Are you aware what this would mean to the market? People able and willing to compare prices before buying, people having used cars inspected before buying them, people informing themselves about the appliances they buy and who don't blindly believe the ads.

      Do you know just how many jobs hang on the fact that 99% of the people around are suckers, incapable of sorting out their own life?
  • Everyone's aware of the excessive spamming on myspace. Hell, I almost think the powers that be at myspace are getting a kickback with the incredible abuse.

But just yesterday I got a 419 email (but with French context, instead of Nigerian) on my Youtube messaging system. He/she even wrote back, regardless of the fact I posted a comment on the account saying "best 419 scammer ever!", that everyone can see.

    I'll be expecting facebook spam sometime soon. Er, maybe not.
  • Not so much regular spam, but 419 (Score:3, Interesting)

    by dr_dank (472072) on Tuesday November 07 2006, @02:33PM (#16755517)
    (http://www.chemicalwonderland.net/ | Last Journal: Monday September 03, @10:34PM)
    Personally, I haven't seen an influx of the viagra/mortgage spam as much as I've seen a sharp increase in the number of 419 scam emails of varying degrees. One of them is an account that used to get spam only very rarely. I theorize that someone else on the email service fell for the scams and word got around that there are plenty of mugus ripe for the plucking if you spam this domain.

    Has anyone else seen a rise in the amount of this type of spam?
  • Time to pull the plug (Score:4, Insightful)

    by JohnnyGTO (102952) on Tuesday November 07 2006, @02:36PM (#16755573)
    (http://www.techcorp.com/)
It's time we force ISPs to pull the plug on infected client machines or block entire ISPs. There is no valid argument to support end users who refuse to clean up their machines. The argument that either they are not responsible for the infection or are unable to clean their own machines is crap. If end users don't know how to maintain their equipment then perhaps they should be off the net.

Look at a car as an example. If I refuse to do or pay for routine maintenance it will begin to create more and more pollution and use more and more fuel. Is it the manufacturer's job to fix it? No. Is it the road builder's job? No. Is it the jerks that sold me crappy fuel? Only if I can catch them. So when I fail smog tests I need to either quit using the car or pay to fix it. Might not be the best analogy.
  • by misleb (129952) on Tuesday November 07 2006, @02:49PM (#16755853)
    I've been seeing over 80% SPAM in the last couple months. And that is just what is being blocked (spamassassin). The actual number is a little higher. Sad, really.

    -matthew
  • OT: why is everything a trap today? (Score:3, Informative)

    by Mateo_LeFou (859634) on Tuesday November 07 2006, @02:51PM (#16755917)
    (http://www.a4fs.net/blog/)
    Is there a joke I'm not in on?
  • "Itsatrap" tagging (Score:2)

    by A beautiful mind (821714) on Tuesday November 07 2006, @02:53PM (#16755951)
    [Note, this post is referring to the tags that can be found amongst others, on this article, so this is a general-issue post not an offtopic one. Thank you.]

It's getting annoying that every article without any relevance gets tagged with "itsatrap". The "fud" tag is grossly overused as well, but at least it can be perceived as mostly applicable. I'm suggesting, to conform with slashdot grammar, to counter-tag every article that has an irrelevant "itsatrap" tag with "notsatrap".
  • by Ross D Anderson (1020653) on Tuesday November 07 2006, @02:58PM (#16756061)
    ...the RSS feed still says Incease...
  • Link Spambots (Score:2)

    by Amazing Quantum Man (458715) on Tuesday November 07 2006, @02:59PM (#16756099)
    (http://www.geocities.com/theLICC)
    What's behind the increase in link spam on blogs/message boards?
  • Three out of four? (Score:1)

    by LaRoach (968977) on Tuesday November 07 2006, @03:10PM (#16756295)
    I would love it if my ratio was that low!
  • I love the way.... (Score:2)

    by superskippy (772852) on Tuesday November 07 2006, @03:22PM (#16756531)
    I love the way they say spammers are gearing up for the holiday season. Man, if I get nothing but viagra and penny stocks for Christmas, I'm going to be upset.
  • by felosi (986666) on Tuesday November 07 2006, @03:23PM (#16756537)
    Oh wow, botnets and trojans responsible for spam? Oh, this is such breaking news, we would have never known. /sarcasm
  • Wrong Way? (Score:1)

    by Clazzy (958719) on Tuesday November 07 2006, @03:50PM (#16756999)
    (http://www.savagewar.co.uk/)
    A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails

    Sounds like a decrease in spam for me, where do I sign up?
  • by McSpew (316871) on Tuesday November 07 2006, @03:54PM (#16757069)

    I've been inundated so heavily and for so long, I don't remember a time when I only got three spams out of every four emails. I recently tried outsourcing my anti-spam filtering to a third-party supplier. That supplier proxies the SMTP connections and closes them when it detects spam, as opposed to most outsourcers, who store-and-forward the messages.

    Because my mail gateways couldn't handle the crushing load of spam I was seeing, I'd hoped that this outsourcer would save me. I was wrong. It turned out that my inability to handle the load at my mail gateways ended up causing DDOS problems for the outsourcer.

    I got a call from the product manager who was in Sweden on a business trip, begging me to change my MX records back to my own gateways, because otherwise, his IT folks were going to shut me down in order to save themselves.

    I'm currently testing MessageLabs, and it's looking good so far. They're catching nearly a million spams a day for me.

  • Messagelabs (Score:2)

    by grotgrot (451123) on Tuesday November 07 2006, @04:10PM (#16757353)
    Ah, that would be same Messagelabs that inundates me with backscatter spam [wikipedia.org].
  • Spam Percentage (Score:1)

    by QAPete (717838) on Tuesday November 07 2006, @04:53PM (#16758285)
    (http://www.beyondunreal.com/)
    I'm the IT Director for my company here in the northeast US. Our spam percentage over the past year has climbed from about 80% to 91.7% this past month (October 2006). I'd be interested, as a sub-thread here, to have other people with first-hand knowledge about their company spam percentages post a reply here.
  • Block email from Windows (Score:3, Interesting)

    by rohanl (152781) on Tuesday November 07 2006, @05:02PM (#16758531)
    Since all this extra spam is coming from botnets running on Windows, just block all email coming directly from a Windows box. I've been experimenting with host fingerprinting using p0f

        http://lcamtuf.coredump.cx/p0f.shtml [coredump.cx]

    From this I can see that almost all spam comes from Windows. I'm in the process of configuring my postfix server so it will just reject any mail from a Windows box.

The only false positives I've seen so far are a handful of legitimate emails that come from Windows Server 2003, so I may exempt that...

Note: I'm not advocating blocking email from Windows users, just email coming directly from a Windows box. If a Windows user sends email through their ISP's mail server, it will get through just fine.
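As an added illustration of what the comment above describes (example code, not the poster's setup and not p0f's own code), here is a minimal passive SYN fingerprinter: it parses a raw IPv4/TCP SYN, rounds the observed TTL up to its likely initial value, and matches TTL, window size and option layout against a small signature table, then turns the label into a Postfix-style policy verdict. The signature entries and the two sample packets are constructed for this example; a real signature database is far larger, and the Windows Server 2003 false positives mentioned above show why such a match is better used to score or greylist than to reject outright.

```python
import struct

# Constructed, illustrative signatures (not p0f's real database):
# (initial TTL, SYN window size, TCP option layout) -> OS label
SIGNATURES = {
    (128, 65535, ("mss", "nop", "nop", "sackok")): "Windows (NT family)",
    (64, 5840, ("mss", "sackok", "ts", "nop", "wscale")): "Linux 2.6",
}
OPT_NAMES = {2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}

def parse_syn(pkt):
    """Return (observed TTL, window, option layout) from a raw IPv4/TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:              # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, layout = tcp[20:doff], 0, []
    while i < len(opts) and opts[i] != 0:   # kind 0 = end of option list
        if opts[i] == 1:                    # kind 1 = NOP, has no length byte
            layout.append("nop"); i += 1; continue
        layout.append(OPT_NAMES.get(opts[i], "opt%d" % opts[i]))
        i += max(opts[i + 1], 2)            # skip by the option's length field
    return pkt[8], window, tuple(layout)

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next(b for b in (32, 64, 128, 255) if ttl <= b)

def fingerprint(pkt):
    ttl, window, layout = parse_syn(pkt)
    return SIGNATURES.get((initial_ttl(ttl), window, layout), "unknown")

def smtp_policy(pkt):
    """Postfix-style verdict: REJECT direct mail from a Windows-looking host."""
    return "REJECT" if fingerprint(pkt).startswith("Windows") else "DUNNO"

def build_syn(ttl, window, options):
    """Construct a minimal IPv4+TCP SYN for the demo (checksums left zero)."""
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)      # pad options to a 32-bit boundary
    doff = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, (doff // 4) << 4,
                      0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

# Constructed sample SYNs: one Windows-like, one Linux-like (TTLs after ~11 hops)
WINDOWS_SYN = build_syn(117, 65535, [b"\x02\x04\x05\xb4", b"\x01", b"\x01", b"\x04\x02"])
LINUX_SYN = build_syn(52, 5840, [b"\x02\x04\x05\xb4", b"\x04\x02",
                                 b"\x08\x0a" + bytes(8), b"\x01", b"\x03\x03\x07"])
```

In a real deployment the SYN would come from a packet capture on the MX host and the verdict would be returned to Postfix by a policy daemon; here `smtp_policy(WINDOWS_SYN)` yields "REJECT" and `smtp_policy(LINUX_SYN)` yields "DUNNO".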
  • Gotta Question... (Score:2)

    by qazwart (261667) on Tuesday November 07 2006, @05:07PM (#16758615)
    (http://www.weintraubworld.net/)
    I was wondering what if someone setup "Bot Bait". That is, put a PC out on the Internet completely unprotected and let it get infected with a wide variety of spambots.

    Then, you watch to see who is attempting to control the bots. Someone, somewhere must be sending the "attack!" command, and maybe you could trace the command back the origin of the perpetrator. Gather some evidence, and bring the long arm of the law upon the dude.

    If you can't touch the perpetrator, you could start taking down his botnet. Once you figure out how that spammer is talking to his bots, you could start to track them down. Once you know where the bots are, you could contact the ISPs about shutting them down if the owners of the infected PCs don't clean them up.

    There is no specific law that makes the ISPs responsible for bots, but under common law, if you have control over something, and you are warned about potential harm that the particular object could cause, you are liable for any damage caused by that object. Being the gateway to the Internet for these machines certainly does qualify.

Heck, once you know how the bots are activated and who controls them, you could take over the bots and program them to attack their creator. Talk about irony.
  • by Hoi Polloi (522990) on Tuesday November 07 2006, @05:27PM (#16758987)
    Thank god there are so many fine young programmers out there (usually East European or Russian) who are using their great skills to make life a little bit more miserable. Spaciba!
  • My server uses a fairly sophisticated set of anti-spam defenses and most of the crap gets rejected. But the hi-jacked IP addresses keep coming back.

    There ought to be a way to notify their abuse departments quickly and automatically (better than SpamCop).

    Perhaps, by sending syslog messages their way? They will then be able to capture a bit of outgoing SMTP-traffic of the accused IP, analyze it (using a Bayesian-based method, for example), and block the SMTP-traffic, if the analysis confirms the complaint.

    A blocked user will be able to turn the outgoing SMTP access back on by simply visiting a web-page and entering a text matching a picture and their ISP password — something, a bot can not do. The page will also offer them links to anti-virus and spyware-removal software and strong verbiage about running their PCs responsibly, or face more serious disconnects.

This will allow very swift (within minutes) shutdown of SMTP access for hijacked PCs, without noticeably hurting the victims of "false positives" — and without the wholesale disabling of outgoing SMTP-traffic.

  • by zaaj (678276) on Wednesday November 08 2006, @09:52AM (#16767559)
I think you might be confusing the canned meat product SPAM(TM) from Hormel(TM) with either "Spam" or "spam", i.e. junk e-mail. I remember reading somewhere once that Hormel doesn't mind the world using the word spam to refer to junk email, but they'd prefer people not use their registered trademark of (all caps) SPAM when doing so....