Writing Viruses for Fun and Profit

JMPrice writes "There's a short article over at zdnet that explores a future synergy between viruses and spam, i.e. international crackdown on spam and open relays makes spammers opt to use infected computers instead as relays, and speculates a relationship between the virus writers and spammers."
This discussion has been archived. No new comments can be posted.

  • Really? (Score:5, Interesting)

    by Bluelive ( 608914 ) on Monday June 30, 2003 @07:13AM (#6329505)
    Has it really become harder for spammers to remain anonymous? Anyways, if it was really for spamming purposes the virus would just start open relaying.
  • On the plus side... (Score:5, Interesting)

    by kinnell ( 607819 ) on Monday June 30, 2003 @07:17AM (#6329520)
    Any spammer using this technique will be entering the realms of cyber-terrorism, and will be liable for a big prison sentence and dedicated criminal investigations. Given that spam is advertising, it probably wouldn't be very hard to track the perpetrators down once the appropriate warrants are issued. I predict that either this report is overblown, or a few spammers will end up getting the buggering they deserve in prison.
  • What cash flow? (Score:5, Interesting)

    by Anonymous Coward on Monday June 30, 2003 @07:17AM (#6329523)
    Seriously, how many spammers make enough money to be able to pay virus writers any decent sum for their work?
  • by kink ( 597413 ) * on Monday June 30, 2003 @07:27AM (#6329543)
    Interesting point, but you put forward the need for diversity and combine that with standards that have been implemented on many platforms. Following your line of thought we really should all be using different ways to communicate instead of standards, to differentiate and mitigate the risk of an attack that uses one of the technologies. Standard communication protocols are just a monoculture as a "standard" operating system is. I'm more tempted to go for standards and accept the monoculture that comes with it. The "proper diversity" you're suggesting comes at the high price of losing standards; one I'm not willing to pay.
  • by GreatDrok ( 684119 ) on Monday June 30, 2003 @07:31AM (#6329557) Journal
    No, a standard can be implemented by people using different code bases. If the standard is faulty then it needs to be fixed and each implementation also needs to be fixed to deal with the problem. However, the vast majority of problems with standards come from there being a single code base. For example, SSH. There is code based on the original SSH implementation and code based on OpenSSH. Frequently there is a problem with one or the other but not both. Less frequently there is a problem with the standard itself.
  • Sobig virus (Score:3, Interesting)

    by Rosco P. Coltrane ( 209368 ) on Monday June 30, 2003 @07:48AM (#6329619)
    So, Sobig is a worm that infects your machine and sends spam? Let me rephrase this: Sobig is a worm that infects your *Windows* machine and sends spam.

    Since Microsoft has started a crusade against Spam (to free-up bandwidth for their own humongous patches and service packs no doubt, they never do anything without a reason), shouldn't they start by fixing the very platform that makes it possible for worms to send spam?
  • by adzoox ( 615327 ) * on Monday June 30, 2003 @07:58AM (#6329644) Journal
    I had written a slashdot story submission not too long ago that was rejected [slashdot.org]. Here it is:

    Some Spammers=Some Hackers

    Today's court ruling [idg.net] in favor of the ISP Earthlink [earthlink.com] vs Spam Ring Leader Howard Carmack got me to thinking.

    Are ALL Spammers doing it for a profit? I find that many to most SPAM emails I receive in my inbox have unresolved links. Meaning; you can't "take advantage of the DEALS you are getting". (not that you'd necessarily want to) What would be the purpose of sending out emails such as this in great quantity, and using the man hours, hardware, etc to do it?

    I think it may have to do partially with "the hacker mentality". Not all hackers do things for the common mythical reasons we like to think they do. (Revenge on the corporate world, profit, fame) - they do it because they can and a lot do it because they are mentally obsessed with it.

    This was the attitude of a former colleague of mine that was a hacker. He came from a rich family, was very well known in the community, and had a 1000 easier ways to get what he was wanting accomplished. He was obsessed first of all with hacking, second doing it with a Macintosh, and 3rd just because he could.

    I'm not alluding to hackers having a mental problem, nor really comparing hackers to spammers.

    This ruling just made me think of motivation. Maybe if we can tap the motivation for Spammers, then maybe we can come up with the solution.

  • Re:The problem (Score:5, Interesting)

    by Monoman ( 8745 ) on Monday June 30, 2003 @07:58AM (#6329645) Homepage
    You are on to what I have been saying for years.

    If my company pays another company to advertise my product and or services and they use illegal advertising methods, then shouldn't my company be punished also?

    Does it matter if my company knew about the advertising methods that would be used? I don't know anyone that would hire an advertising company without knowing what service was being provided.
  • by GillBates0 ( 664202 ) on Monday June 30, 2003 @08:02AM (#6329656) Homepage Journal
    A couple of days back somebody brought up a point on this discussion [slashdot.org] about the W32.Sobig.E@mm worm that the short lifetimes and more or less harmless payloads of recent viruses are probably an indication of antivirus companies releasing viruses and worms for fun and profit.

    If that is the case, the popular /. meme holds good for both spammers and antivirus people:

    1. Release viruses/worms.
    2. Use compromised computers as relays.
    3. Send lots of spam.
    4. ???
    5. Profit
    6. Sell antivirus software.
    7. ???
    8. Even more profit.

  • The solution (Score:3, Interesting)

    by thynk ( 653762 ) <slashdot AT thynk DOT us> on Monday June 30, 2003 @08:06AM (#6329674) Homepage Journal
    I'm really a good natured person 99% of the time. But, the easiest solution to this is not to fine the spammers we catch. Rather, a few violent and gory executions, broadcast on PPV Friday prime time, and I can imagine that you'd find a lot less spam in your mail box on Monday.

    The same type of solution would work with auto accidents. If you want to reduce the number of accidents, remove the seat belts, air bags and ABS brakes. Line the dash with 6" steel spikes and I can bet you'll find the number of accidents drops to next to nothing over night because we all become the world's safest drivers.

    It's all about incentive.
  • by Lumpy ( 12016 ) on Monday June 30, 2003 @08:06AM (#6329675) Homepage
    Simply institute a fine of $1000.00 per ad to the company in the virus-transmitted spam. They are easy to find as they give you the website/telephone numbers in the spam itself.

    To hell with the spammers, target the companies in the content.

  • Re:PEBKAC (Score:4, Interesting)

    by MrMickS ( 568778 ) on Monday June 30, 2003 @08:45AM (#6329842) Homepage Journal
    How long before someone writes a virus that does the following:
    1. Examine sent items folder looking for items with attachments.
    2. Send another message to the same person as a follow up with an infected version of the attachment.
    This would get through most of the operator suspicion filters. If the payload mutates enough to make it difficult to fingerprint it would miss virus checkers as well.

    Taking this into account the problem isn't the operator but an MUA/OS that allows code to be executed in such a manner. Signed documents, trusted sources, etc may help here.

  • by ToadMan8 ( 521480 ) on Monday June 30, 2003 @09:21AM (#6330072)
    Simply, those writing spam e-mails are trying to sell something. Spam is (for the most part, before more than now) legal. Taking over drone computers (hacking / virii) to send your spam e-mail is not. You have to make money from your business somehow. If you send spam from infected / hacked computers sending people to your website that obviously collects money for something... well, you have to have a name behind money collection. Someone has to own the PayPal account or the charge vendor account... They will find you simply enough. In my mind this whole concept is bogus, as you can't hack or infect and send advertisements. That's like advertising Giant Eagle by spraypainting your daily sales on the front of buildings.
  • by rutledjw ( 447990 ) on Monday June 30, 2003 @09:36AM (#6330152) Homepage
    SPAMMERS right now are crowing that "we're not doing anything illegal". Aside from using another company's computers/bandwidth/resources without permission and selling products of dubious value - they're right. But all of that is subjective WRT legality.

    Now, if they're using hacked computers, they're on the wrong side of the law. Period. We're not talking civil damages any longer. The discussion point is how long they'll be in "Federal pound-me-in-the-ass Prison".

    This is the dumbest idea from a spammer's viewpoint I've ever read. However, I'm not under the impression many of these guys are intelligent. The only reason they've been able to defeat filters and other mechanisms is either stupid admins or half-hearted implementations.

    I personally hope they do it! I'd love to see a few spend some time in our lovely Federal Corrections Facilities.

  • by ToadMan8 ( 521480 ) on Monday June 30, 2003 @10:00AM (#6330321)
    UPS can't ship Cocaine. It's illegal to do so. Regardless of whether the dealer told them it was powdered sugar or not, UPS is either responsible for being part of the transaction or they can plea bargain out and tattle on the dealer himself.

    The advertising companies first of all can't use virii to send spam. Secondarily, and in direct response to your objection, they can't claim they thought their illegal practice is legal because of what they heard from the company they are advertising for. Ignorance is no excuse (to do something illegal).
  • by Anonymous Coward on Monday June 30, 2003 @10:56AM (#6330794)
    I used to work for a small local ISP (quit not 10 days ago) and I can tell you we don't care that much to do all you're talking about.

    First, our mail system that we started using and are kinda stuck with doesn't do checks on outgoing mail for viruses (iMail). The costs are too high for the small business to add the functionality ourselves.

    iMail now has outgoing spam checking, but when we have your name, address, phone number, and you have to call us for setup, etc. we have never had any abuse in terms of spam being sent out by our customers. So we keep that turned off. We did implement an incoming email relay that can support incoming virus checking, but I quit before I had that turned on. Which is a shame because that's probably the most cost effective technique (turn it on in amavisd-new, which is already installed and running SpamAssassin).

    As far as the rest of it goes there's no way we'd have the resources to support it. If we catch someone that has a virus, sometimes we'll get a copy of the virus at our support address for example, then we call them and let them know where and why they should get it fixed. They usually do. But dial-up customers aren't that profitable.
  • Re:PEBKAC (Score:1, Interesting)

    by Anonymous Coward on Monday June 30, 2003 @11:29AM (#6331106)
    It may have been an accident, but this has already happened to us with BUGBEAR.B. The virus software vendor for our mailserver sent us an alert to update our virus definitions to protect against this worm. Unfortunately, this arrived minutes before a group of us took the network admin out to lunch for his 50th birthday. So no one got the message. When we returned from lunch, we found nearly every computer in the company infected.

    One of our employees had opened an infected attachment. Bugbear selected an old message with an attachment on her machine, replaced the attachment and sent it out to everyone in the company (and of course some beyond). What did it pick? A message from the network administrator asking people to double check the attached spreadsheet to verify the information regarding their computers for our insurance company. If you had tried, you couldn't have designed a message more likely to dupe people into opening it.
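
A defensive sketch of the pattern described in this comment and in MrMickS's comment above (an existing message resent with its attachment swapped), added here as an example and not part of the thread: it records attachment hashes per subject and flags a later message that reuses the subject with different attachment bytes. The `ResendMonitor` class, the helper names and the sample messages are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

def normalize_subject(subject):
    """Strip reply/forward prefixes so a re-sent copy maps to the original thread."""
    s = (subject or "").strip().lower()
    while s.startswith(("re:", "fw:", "fwd:")):
        s = s.split(":", 1)[1].strip()
    return s

def attachment_digests(msg):
    """Return {filename: sha256 hex} for every attachment in a parsed message."""
    return {
        part.get_filename() or "(unnamed)":
            hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        for part in msg.iter_attachments()
    }

class ResendMonitor:
    """Hypothetical gateway check: known subject, unknown attachment bytes."""
    def __init__(self):
        self.seen = {}  # normalized subject -> set of attachment digests

    def check(self, raw):
        msg = message_from_string(raw, policy=policy.default)
        known = self.seen.setdefault(normalize_subject(msg["Subject"]), set())
        digests = attachment_digests(msg)
        # Alert only if the thread already carried an attachment and this one is new.
        alerts = [name for name, d in digests.items() if known and d not in known]
        known.update(digests.values())
        return alerts

def build(subject, filename, data):
    """Construct a sample message (constructed test input, not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "admin@example.test", "staff@example.test", subject
    m.set_content("Please double check the attached spreadsheet.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()

if __name__ == "__main__":
    mon = ResendMonitor()
    mon.check(build("Inventory check", "inventory.xls", b"original bytes"))
    print(mon.check(build("RE: Inventory check", "inventory.xls", b"swapped bytes")))
```

A legitimately revised attachment raises the same alert, so this is a triage signal to combine with content scanning rather than a verdict.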
  • Re:The problem (Score:1, Interesting)

    by Anonymous Coward on Monday June 30, 2003 @11:35AM (#6331147)
    This type of approach is already taken in many areas of law - particularly environmental law.

    If you generate toxic waste you own it forever. You can pay somebody to dispose of it, but you still own it even when it is 20 feet under dirt. If you pay somebody to bury it properly and they dump it in the Mississippi river you can be sued for cleanup costs.

    The result? Companies now screen and audit their disposal firms. Companies don't just look for the cheapest price when they outsource these jobs. As a result we have fewer polluted lakes.

    You can't allow companies to get blanket immunity by outsourcing work. Just look at how companies are transforming themselves these days. Pretty soon it will be common for Fortune 500 companies to have 3 employees: The CEO, the CFO, and the secretary who pays the monthly bill to the company which handles paying all the other bills and collects the net profit check. All the work would be done by hundreds of outsourcing companies. If a regular "employee" breaks his leg on the job he can sue his "employer" - who is probably a sub-agency who legally only has 3 other employees and only $10,000 in the bank and no other assets. They just declare bankruptcy.
