Security

NYT Reports Porn Spam Hijacking Network 497

twitter writes "This NYT story describes how thousands of PCs have been used as porn spambots and reverse proxy servers, and mentions that they could be used for kiddie porn. Finally, though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables."
  • by Anonymous Coward on Friday July 11, 2003 @10:34AM (#6414684)
    There might soon be laws that require a minimum amount of security to insure the general well being of other people connected on the internet. Sort of like minimum safety requirements on cars. I wonder if Microsoft will pass the test?
  • by Bendy Chief ( 633679 ) on Friday July 11, 2003 @10:34AM (#6414685) Homepage Journal
    Isn't there also a responsibility that computer users need to take, given their connectivity these days? If we need certification to operate potentially dangerous complex machinery, why not some minor courses on basic security so you don't have Cleatus and Grandma saturating the world in spam?

    I guess that's pretty authoritarian, and there are better ways to beat spam. Still... the elimination of the luser is a shining grail for us all, no? ;)

  • by pheared ( 446683 ) <[ten.deraehp] [ta] [nivek]> on Friday July 11, 2003 @10:41AM (#6414766) Homepage
    I don't think that requiring certifications in network security for everyone who wants to use the internet will ever fly with the companies that run the lines. Mainly because it won't fly with the users.

    However, putting users in tightly controlled segments of the internet (filtering inbound/outbound of most unnecessary garbage and attack vectors) by default would cut down on this problem greatly. The first to complain will be those with esoteric needs and "power users." Require them to read/pass some basic education before allowing them a hall pass into the internet. Since they must abide by the AUP, I don't see a problem with testing them to see if they know it, and how to prevent themselves from being in violation. This entire process could be mostly automated.
  • by LilJC ( 680315 ) on Friday July 11, 2003 @10:41AM (#6414777)
    Maybe they didn't come out and say Windows for legal reasons. But get real, Macs and variants of Unix are not affected? If you were going to write this and you write it for those two, and you obviously want it on a lot of machines, what platform would you hack?

    Not to mention the obviousness of using such a widespread and vulnerable platform. I think this is what everyone's getting at.

    And to think of how many NT4 machines are out there with a root RPC vulnerability that MS refuses to fix. If someone's running NT4, I don't know how likely it is they are going to apply anti-virus patches. I think MS leaves footprints of vulnerabilities for this sort of problem for years after releasing products, regardless of actions others take to try to help.

  • by reimero ( 194707 ) on Friday July 11, 2003 @10:43AM (#6414789)
    In my experience, end-users who are not tech-savvy have little real understanding of online security practices: they tend to ignore basic things such as updating antivirus dat files because they don't know or don't understand. And from my own experience, I know that broadband providers are more interested in pitching all their cool features than they are in educating users how to be safe. Seriously, how hard would it have been for my ISP to have included a Sygate or ZoneAlarm trial on the install CD they had to send out anyway?
    What kills me is that it's in the ISP's best interests to encourage safe computer habits, and they don't really emphasize that.
  • by amishgeek ( 611733 ) on Friday July 11, 2003 @10:44AM (#6414806) Homepage
    I deal with Starband (Satellite Internet for those unfamiliar), and have seen problems with spambots/pornbots like this. People get infected with them, and they start spamming.

    Here's the thing though, with StarBand, they have an auto-imposed limit of around 500mb/week upload, and if you go over it, you are automagically shut off for a few days. The problem with this, and I have seen it happen, is that the Spam/Pornbots can infect a Starband customer's computer, and easily make them go over their weekly 500mb upload limit, thus causing them to lose their internet connection.

    This poses a real problem, not only for the end user (The people I deal with are all in the far reaches of Northern Minnesota where Satellite Internet is the ONLY broadband option) but also for the ISPs. It's viruses/bots like this that make it even more necessary for legislation to fight spam.

    The writers of the Bots would be the spammers, not the owners of the infected systems. Just because I borrow your car to deliver the paper, does that mean that in reality, you delivered the paper because it was YOUR car?

    -I may not be Amish, but I am a geek!-

  • Unfair expectation (Score:4, Interesting)

    by goldspider ( 445116 ) on Friday July 11, 2003 @10:46AM (#6414828) Homepage
    "I wonder if Microsoft will pass the test?"

    Hardly a fair question, and I'll use your car safety requirement example to demonstrate.

    Back before there were seatbelt laws, many cars simply did not have them. So once those laws were put into place, would it be fair to expect older cars to pass the seatbelt test?

    Now if this minimum security law you suggest were to become a reality, it would be Microsoft's responsibility to make sure that future operating systems pass the security test. But you cannot hold them to a standard that does not currently exist.

  • I've noticed this... (Score:1, Interesting)

    by dapuk ( 603973 ) on Friday July 11, 2003 @10:50AM (#6414866)
    .. However, only the entry page was proxied (three A-Name entries for the domain - Cable/DSL addresses). URLs mentioned in spam will often point to these, though for heavier content (porn sites), only the initial page will be proxied. The domain listed in the spam message will often be very similar to the linked one from it (e.g. "thepornsite.com (==Proxy)" -> "pornsite.com (==real site, content)"). Apparently this prevents most hosting companies/ISPs from shutting them down; and as mentioned in the article, the A-records for the proxy-domain are rotated regularly. A lot of money is paid for this illegal proxying "service" - approximately $500 a month, I've heard. The ones I've seen however, appear to be *nix boxes with SAMBA... though I didn't poke them too much. That's quite unusual - windows is often a much easier target... But as these all had samba in common (139), I'd guess it's a recent vulnerability in that...
  • It's about time... (Score:2, Interesting)

    by gillbates ( 106458 ) on Friday July 11, 2003 @10:50AM (#6414874) Homepage Journal

    Someone went to jail for running Microsoft Windows.

    This isn't as far-fetched as you might think. For instance, the federal child-porn laws are strict-liability laws, which means that if someone is found in possession of child porn, they are guilty, regardless of how it got to their machine. So when these viruses start delivering child porn, some clueless windows user could literally get 5 to 10 years for running their machine without a firewall.

    I say this is a good thing. When computer virus victims start getting jail time, the average populace will get serious about computer security. (Which of course, can only be a good thing for Linux.)

  • You know... (Score:2, Interesting)

    by AntiOrganic ( 650691 ) on Friday July 11, 2003 @10:52AM (#6414883) Homepage
    A properly configured NT/2000/XP system with the correct security settings and policies in place wouldn't have any problem preventing virii from doing anything.

    If Linux were in the mainstream, everyone and their mom would be logged in as root, like Windows users are with administrative accounts anyway. So why even pretend that Linux, should it ever become as mainstream as Windows, would be inherently more secure? The issue here is educating the users who open "FREE COLLEGE WEBCAM HOTTIES.EXE" rather than improving the quality of the software.
  • by schon ( 31600 ) on Friday July 11, 2003 @10:56AM (#6414925)
    What is it with the mass media not wanting to say that a given worm or trojan affects only systems running Microsoft Windows?

    Well, this [nowthis.com] explains the NYT article (they don't want to piss off Gates), and I suppose you could assume something similar for the other media outlets.
  • by jlrowe ( 69115 ) on Friday July 11, 2003 @10:58AM (#6414944)
    Finally, though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables."

    If you actually read the article, you read:

    The rogue program does not affect the Apple Macintosh line of computers or computers running variants of the Unix operating system.

    OK, so that leaves what? Windows, OS/2, and a few oddities. And the only likely one of those, the only possible one is Windows.

    So, Windows is there, but the NYT went out of their way to *avoid* mentioning it.

  • Re:FUD (Score:5, Interesting)

    by Zocalo ( 252965 ) on Friday July 11, 2003 @11:03AM (#6414982) Homepage
    Unfortunately, it's not FUD. Recently I've been receiving *huge* amounts of spam, vastly more than normal, and decided to take a closer look at what was being filtered out. There are some very obvious patterns in the extra spam:
    • It's pretty much all pornographic or for "enhancement" products.
    • The content is very similar - it's clearly the same small set of spams run through a hack to "randomise" the sender and basic subject/content details.
    • The originating IPs are *all* assigned to Windows boxes where I could sufficiently NMAP them.
    • WHOIS records almost always point to home/SOHO networks; I only found one corporate IP block in around 100 IP lookups.
    • There are no SMTP smarthosts being used - it's going direct from a Windows box to my SMTP gateways. Outlook *cannot* do this, so it's coming from malware with a dedicated SMTP engine.
    • I've also been seeing a huge increase in the amount of macro viruses inbound - just a guess, but it's probably the bot trying to propagate itself.
    Couple this with the 500Mb/s DDoS attack on SpamCop over the last few days and the picture is fairly clear. Someone is thumbing their nose at the US/EU attempts to legislate against spam and sending a message loud and clear. If the antispam community cannot find and nail the person or persons responsible for this, then the eventual legislation is going to have no effect whatsoever.

    So. We have 500Mb/s+ of bandwidth being used in a DDoS, anyone's guess going on the actual spam, kids undoubtedly seeing hardcore porn and computers being deliberately compromised and abused. Tell me again that spammers have a right to free speech and it's a victimless crime that doesn't cost anyone anything? They have a right to be force fed Hormel products until they explode like the Glutton in Seven if you ask me.

  • by AntiOrganic ( 650691 ) on Friday July 11, 2003 @11:05AM (#6414996) Homepage
    My provider (Optimum Online in New York) decided to take this initiative by blocking port 139 inbound and outbound, blocking ports for VNC, Terminal Services and NetMeeting, in addition to a lot of others that I happen to use. FTP and HTTP are somewhat understandable, but this shit is ridiculous. I work for a web host and I used to RDP to my computer at home all the time to run diagnostics against our network, and being able to access the SMB share for my website really helped eliminate the trouble of constantly FTPing files.

    Needless to say, I'm pissed and contemplating switching to DSL if this continues, and I really wish users could educate themselves so I wouldn't need to be subjected to this bullshit.
  • by Webtommy88 ( 515386 ) on Friday July 11, 2003 @11:12AM (#6415069)
    Beware of the tool talk. A computer is a device, and as this article already illustrates, this DEVICE can perform actions without you knowing. It will continue to perform these actions when you are not using/operating it.

    Tools such as a pen or a screwdriver work ONLY when you are using them. A screwdriver does not screw a screw and cannot stab someone without a person operating it (and hence a TOOL).

    The point is devices are inherently more dangerous than tools. One has moral agency over tools (again: stab or screw, it's all up to the operator), one has much less control over a device. Which is EXACTLY why people should be educated on how to use and control these devices. While not having moral agency over a device, one most definitely carries partial responsibility for activating a device.
  • by expro ( 597113 ) on Friday July 11, 2003 @11:24AM (#6415170)

    Flame on if you like, but it is quite common for these sorts of things to happen on Windows boxes, and not on Linux boxes, due precisely to the monoculture and the flawed default security model of Windows (actually a number of different flawed models in Windows OS and apps).

    Perhaps you could clarify how the comment in this instance was not appropriate. The GNU/Linux default security model that my family run all their machines on does not run arbitrary software with elevated privileges as Microsoft does. It never has. And it is not such a monoculture, resulting in being less susceptible to attack.

    These are attacks I have never had to worry about. A neighbor, who typically runs Linux with no breaches of security, tried putting up an IIS server just once to see how it compared, and it was owned by hackers within 15 minutes.

    Sure there could be an increase in real security incidents some day with Linux, but not before there are far worse problems with existing Windows platforms (until there is much change to Windows).

    Perhaps there just needs to be a windows-only section of Slashdot, so that Windows users can discuss these problems which are less relevant to the rest of us without feeling continuously picked on due to the technical problems with their choice of an OS.

  • Re:Erm... (Score:2, Interesting)

    by danaris ( 525051 ) <danaris@NosPaM.mac.com> on Friday July 11, 2003 @11:34AM (#6415308) Homepage
    The important point is not so much that Microsoft exists and is evil, but that having everyone using any single OS is dangerous, whether that is Windows, Mac OS, Red Hat, BeOS, or any other. The fact that Windows is on nearly every machine in the world is dangerous. If someone writes a virus/worm/trojan/whatever that replicates invisibly, resists antivirus software, and waits silently for a critical mass, then wipes the computers clean all at once, that could cause serious economic damage.

    I realize that such an event is somewhat unlikely, but I doubt it's impossible. And the fact that all these computers are the same makes it possible. So he's not attacking Microsoft for itself, but for the monopoly they have.

    Dan Aris
  • by expro ( 597113 ) on Friday July 11, 2003 @11:49AM (#6415547)

    I cannot speak for later versions of Windows since I stopped using them, but I never saw a version of windows that does not force you to completely log off and back on to access privileged functions, encouraging people to run with privileges on all the time, because they cannot just enter the password for privileged activities. Su does not exist, nor does sudo.

    Most other modern versions of OS's are significantly better (Lindows early versions were an exception). Just having su and sudo is much better.

    OSX has no root enabled by default, and relies on sudo to limit elevated privileges to single operations.

    GNU/Linux/XFree86 systems typically give warnings when the user logs in to the window manager as root, give a limited environment with a red background, etc., and on the other hand make it easy for the user to run without elevated privileges most of the time.

    And the monoculture is also inherently less even if everyone were to use Linux, because the licensing allows significant derivative / deviant branches.

    Claiming that Linux would be no better if it were as successful as Windows ignores facts.

    This is just the tip of the iceberg. I have been on an email team faced with the question, do we allow contents to auto-execute, which actually thought about the problem before blindly implementing it, unlike Microsoft.

  • Re:Heh (Score:5, Interesting)

    by bmj ( 230572 ) on Friday July 11, 2003 @12:21PM (#6416069) Homepage

    It isn't elitist to say that computers are fairly unique and complex devices. Just because everyone uses one now, improperly for the most part, doesn't mean they should or even can magically become television sets with six buttons on the front.

    Good point...but...then they shouldn't be sold as such. If you're going to market your computer/operating system as "easy enough for grandma to use" then it better be easy enough for grandma to use.

    Products will have a development cycle that gradually make them more and more user friendly. Remember programming with punchcards? Remember the days before UIs? Computers are very much like cars and toasters and VCRs. All you're showing is an elitist attitude. You are obviously a smart person (and I don't say that sarcastically), and you enjoy having a complex machine to work with. Great. But you make up about 5% of the demographic that most software and hardware companies are designing their products for.

    There is a place for complex software...there's also a place for simple software that works as advertised. There _will_ be a computer with six buttons on the front sooner rather than later, because that's what the general population wants. Not everyone is a hacker, and like I said, most companies in the industry aren't getting their profits from hackers like you (or me).

    By your logic, a VCR should be just as simple to use as a shampoo bottle, and thus, so should computers.

    Perhaps a bit of overstatement there, eh? I don't expect my shampoo bottle to safely connect to the internet and send email. But if I purchase an operating system that claims it does that, it should do it. I don't need to understand the engineering behind the top of a shampoo bottle to open it. Nor do I need a degree in electrical engineering to play a VHS tape. So why should I have to be a hacker to safely send and receive emails?

  • Re:FUD (Score:3, Interesting)

    by Cthefuture ( 665326 ) on Friday July 11, 2003 @12:26PM (#6416131)
    Same here. However, while most of the mail I'm getting is directly sent and from DSL/cable accounts, none of the boxes have been Windows boxes.

    I've examined some of the boxes (by either NMAP, SSH, or telnetting into them) and there were a couple routers (Linksys or similar home routers) but many of the boxes are actually Linux.

    This seems to suggest one of two things to me: Either Linux boxes are getting hacked, or the spammers are using (multiple?) DSL accounts and Linux to send out their spam (this seems more likely to me).
  • by jswatz ( 99824 ) <jswatz@well.com> on Friday July 11, 2003 @01:15PM (#6416741)


    I wrote the article. I didn't go out of my way to avoid mentioning it. I didn't scream it, either. I simply wrote that the other systems are not affected.

    I have written specifically about the problems of the software monoculture in many, many stories, and thought that I laid it out in this one as well. If I didn't hit MSFT with a ball-peen hammer, no, and obviously many slashdotters expect to see that at every possible opportunity.

    Sorry that I'm not the advocate that you want me to be, but that's not actually part of my job description.
  • Re:FUD (Score:2, Interesting)

    by jpenny ( 134288 ) on Friday July 11, 2003 @01:44PM (#6417175)
    I have the good fortune of being one of the return addresses in use - so, I am getting several hundred bounce messages per day.

    I have seen nothing but windows boxes as hosts.

    I have not seen much porn. DVD burners, sale prices on TVs (in Russian), kitchen appliances (www.kuhny.ru), mosquito killing system, email service www.mail15.com (yeah, right!), anti-spam software (sure, I'll buy anything this spammer offers!)

    Systems give EHLO of compuserve.com, microsoft.com, or more rarely yahoo.com. Other than that, there is no attempt to disguise headers.

    Systems are pretty much worldwide. Big hosts are rr.com, attbi.com, attbb.com, kornet.com, a bunch of sites in china, at least three edu's. All in all, I think I have sent out over 1000 spam reports. The response has been underwhelming.

    skynet.be deserves special shaming, their "action" consists of sending an automatic response explaining what spam is. No worry that they have clients who are ownzered.

    I have been able to get in touch with exactly one owner of a spambot. He did say that he found that he was running MartFinder, Alexa, Avenue A, BFast, Common Hijacker, Double Click, DSO Exploit, Hitbox, Mediaplex, WindowsMediaPlayer.

    Unfortunately, none of those look like the villain.
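    A mail-gateway check built from the indicators the posts above describe (Zocalo: direct-to-MX delivery from home/SOHO address space with no smarthost; jpenny: EHLO names of compuserve.com, microsoft.com or yahoo.com that the connecting host's reverse DNS does not back). This is an added example, not code from any poster or from the NYT article; the Postfix-style Received header layout, the residential reverse-DNS token list and the sample headers (TEST-NET addresses, invented hostnames) are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Postfix-style Received header: "from <EHLO name> (<reverse DNS> [<IP>])".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

# Tokens typical of residential/dynamic reverse DNS (assumed heuristic list).
RESIDENTIAL_RE = re.compile(r"\b(dsl|cable|cpe|dyn|dhcp|pool|ppp|res)\b|\d+-\d+-\d+-\d+", re.I)

# EHLO names the thread reports the bot presenting from home machines.
FORGED_EHLO = {"compuserve.com", "microsoft.com", "yahoo.com"}

@dataclass
class Session:
    ehlo: str
    rdns: str
    ip: str
    reasons: List[str] = field(default_factory=list)

def parse_received(header: str) -> Optional[Session]:
    """Extract EHLO name, reverse DNS and client IP from one Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    ehlo, rdns, ip = m.groups()
    return Session(ehlo.lower(), rdns.lower(), ip)

def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def score(s: Session) -> List[str]:
    """Append a reason for each spambot indicator the session shows."""
    if s.rdns in ("", "unknown"):          # Postfix writes "unknown" when no PTR exists
        s.reasons.append("no reverse DNS")
    elif RESIDENTIAL_RE.search(s.rdns):    # direct-to-MX from a home/SOHO pool
        s.reasons.append("residential/dynamic reverse DNS")
    if s.ehlo in FORGED_EHLO and not in_domain(s.rdns, s.ehlo):
        s.reasons.append(f"EHLO {s.ehlo} not backed by reverse DNS")
    if "." not in s.ehlo:                  # bot SMTP engines often send a bare hostname
        s.reasons.append("EHLO is not a fully qualified name")
    return s.reasons

def triage(headers: List[str]) -> Dict[str, List[str]]:
    """Map client IP -> reasons for every header showing at least one indicator."""
    flagged = {}
    for h in headers:
        s = parse_received(h)
        if s and score(s):
            flagged[s.ip] = s.reasons
    return flagged

# Constructed sample headers: one forged-EHLO bot on a DSL pool, one with no
# reverse DNS at all, and one legitimate relay that should not be flagged.
SAMPLE_HEADERS = [
    "Received: from microsoft.com (dsl-203-0-113-7.dyn.example-isp.net [203.0.113.7]) "
    "by mx.example.org (Postfix) with SMTP for <victim@example.org>",
    "Received: from compuserve.com (unknown [198.51.100.9]) "
    "by mx.example.org (Postfix) with SMTP for <victim@example.org>",
    "Received: from mail.example.com (mail.example.com [192.0.2.25]) "
    "by mx.example.org (Postfix) with ESMTP for <victim@example.org>",
]
```

    Running `triage(SAMPLE_HEADERS)` flags the two bot sessions and leaves the legitimate relay alone; on a real gateway the reasons would feed a score or a quarantine rule rather than a hard reject, since residential reverse DNS alone is not proof of a compromised host.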

  • ha ha! (Score:3, Interesting)

    by twitter ( 104583 ) on Friday July 11, 2003 @05:22PM (#6419606) Homepage Journal
    There's nothing in the article to indicate that this is anything but a run-of-the-mill, end user problem (e.g. running a virus).

    Someone else has provided technical details [slashdot.org]. This is not run of the mill.

    exploit a common hole in Windows, but to indicate that this is a symptom of Windows insecurity with insufficient evidence is unethical.

    You can say that without laughing? I love you too!
