Sobig Worm Attacking RBL Lists?

Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"
  • DDoS (Score:2, Interesting)

    by lbruno ( 114856 ) on Sunday September 28, 2003 @09:45AM (#7076896) Homepage
    Everyone on the various anti-spam mailing lists and newsgroups was thinking that these worms were creating a network of spam proxies.

    Maybe they were creating a network of DDoS zombies.
  • by bersl2 ( 689221 ) on Sunday September 28, 2003 @09:50AM (#7076919) Journal
    Has anybody done a disassembly of Sobig? How is it even distributed, as a binary or as a script? I don't think we should attribute Sobig to the spammers just yet.

    OTOH, I have no friggin' idea what I'm talking about...
  • Re:DDoS (Score:1, Interesting)

    by Anonymous Coward on Sunday September 28, 2003 @09:57AM (#7076957)
    I wonder if there's hope of a distributed/P2P anti-spam network? People are willing to offer cycles for SETI and folding, why not spam fighting? The advantage would be a non-centralized setup (hard to (D)DoS), the disadvantage would mainly be getting people to monitor and service everything (accepting a system into the network, monitoring activity, preventing abuse etc etc), though creation of the software would be a pain as well.

    Decentralize the anti-spam setup...IMHO the only way to prevent DoS effectiveness.
  • by The_DOD_player ( 640135 ) on Sunday September 28, 2003 @10:02AM (#7076972)
    This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

    If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.

    To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone loses.

    There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows loses.
  • by GoneGaryT ( 637267 ) on Sunday September 28, 2003 @10:08AM (#7076999) Journal
    There have been a number of comments on this topic on a closed list for academic sites here in the UK and the analyses point to Sobig DDoS attacks, specifically against spamhaus.org in these cases. Sobig-F was a very well written piece of binary code, encrypted and compressed to 76k AFAIR, and a description of its functionality [sophos.com] shows this. In particular, the possibility that it could act as a portal for Trojan downloads reinforces the claim.

    I was trapping infected workstations by monitoring perimeter firewall logs for DNS calls to the root servers, as this is a feature of its activity. Pity I didn't have time to find out what it wanted to resolve, because that could have been interesting.
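The perimeter-log check described in the comment above (internal workstations sending DNS queries straight to the root servers, something only the site's own resolvers should do), written out as an added example that is not part of the original thread. The log line format, the internal address range, the allowed-resolver address and the sample lines are all constructed assumptions; the root-server addresses are well known but should be checked against the current root hints before use.

```python
"""Flag internal hosts that query root servers directly from perimeter logs.

Added example, not from the Slashdot thread. Log format (iptables-style
key=value pairs), internal ranges and sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Root-server addresses; verify against the current root hints file
# (https://www.internic.net/domain/named.root) before relying on them.
ROOT_SERVER_IPS = {
    "198.41.0.4",    # a.root-servers.net
    "192.33.4.12",   # c.root-servers.net
    "192.5.5.241",   # f.root-servers.net
    "193.0.14.129",  # k.root-servers.net
    "202.12.27.33",  # m.root-servers.net
}

# Assumption: the site's workstations live in 10.0.0.0/8 ...
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# ... and 10.0.0.53 is the only host that is allowed to talk to the roots.
ALLOWED_RESOLVERS = {"10.0.0.53"}

# Constructed firewall log format: "... SRC=a DST=b PROTO=p SPT=n DPT=m"
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one log line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def find_suspect_hosts(lines, threshold=1):
    """Map internal source -> number of DNS packets sent directly to a root server.

    Only hosts with at least `threshold` such packets are returned; the site's
    own resolvers are ignored because contacting the roots is their job.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] != "53":
            continue  # not a DNS packet
        src = rec["src"]
        if src in ALLOWED_RESOLVERS:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            continue  # only care about hosts behind the perimeter
        if rec["dst"] in ROOT_SERVER_IPS:
            counts[src] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample log lines (not a real capture).
SAMPLE_LOG = [
    "Sep 28 09:45:01 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.41.0.4 PROTO=UDP SPT=1034 DPT=53",
    "Sep 28 09:45:02 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.5.5.241 PROTO=UDP SPT=1035 DPT=53",
    "Sep 28 09:45:03 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.53 DST=193.0.14.129 PROTO=UDP SPT=53 DPT=53",
    "Sep 28 09:45:04 fw kernel: FWD IN=eth1 OUT=eth1 SRC=10.1.2.4 DST=10.0.0.53 PROTO=UDP SPT=1040 DPT=53",
    "Sep 28 09:45:05 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.1.2.5 DST=198.41.0.4 PROTO=TCP SPT=2049 DPT=80",
    "Sep 28 09:45:06 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.1.2.6 DST=202.12.27.33 PROTO=UDP SPT=1050 DPT=53",
]

if __name__ == "__main__":
    for host, n in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} direct root-server DNS queries")
```

Raising `threshold` cuts the noise from a single stray query; a workstation that repeatedly resolves names through the roots rather than the site resolver is the pattern worth investigating, and the resolved names themselves (not captured here) would tell you what the infection was looking for.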

  • by ziaz ( 542344 ) on Sunday September 28, 2003 @10:31AM (#7077084)
    I'm guessing this has already been said, but... Instead of focusing on just the spammers themselves, why not target the companies or individuals that from time to time benefit from the spam. I'm assuming there must be some way to track those people receiving money for viagra, enlargements, etc.
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Sunday September 28, 2003 @11:34AM (#7077484)
    Comment removed based on user account deletion
  • by Skapare ( 16644 ) on Sunday September 28, 2003 @11:53AM (#7077609) Homepage

    Oh it's you again. You're still pissed off because your ISP harbors spammers and you think that you're not somehow supporting that by helping your ISP stay in business.

    As to your statement about Bayesian filtering ... there are many negative effects. First, it works on the basis of content. What makes mail be spam is not what the content is; it's that the senders are using bulk methods to send to people who didn't want it. I do get some mailings that I have opted in to, which if they were sent to people that don't want them, would be spam to them. Bayesian filtering doesn't work on the basis of what spam really is. Secondly, to even use Bayesian filtering, it becomes necessary to let the spam arrive, using up network and server resources as it comes in. Then the Bayesian filtering has to be run which uses up even more server resources. And finally, if it is considered spam and rejected, then a bounce message has to be queued (taking up disk space), and delivery of it has to be attempted (which for most because it is from real spammers, cannot be delivered, and takes space and delivery attempts for several days). So I will never use Bayesian filtering because it is simply all wrong.

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday September 28, 2003 @12:06PM (#7077704)
    Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.

    You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.

    The series of windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (swen) have very efficient SMTP engines built-in; these are not amateur projects.

    Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.

    Expect an all-out spam war to break out in 2004.
  • by Anonymous Coward on Sunday September 28, 2003 @12:38PM (#7077945)
    The spammers are actually doing everyone else a favor by taking these sites down.

    Well, they're sure not doing themselves or their ISPs a favor. Because some of my favorite blacklists are no longer available, I'm aggressively adding entries to the local blocklists here, as are thousands of other small-ISP admins. The spammers will likely never get out of the local blocklists.
  • by Pig Hogger ( 10379 ) <pig.hogger@gmail.com> on Sunday September 28, 2003 @01:06PM (#7078168) Journal
    The idea is to provide a distributed RBL, using only proven recipes and technology.

    The list is a re-implementation of a DNS-based RBL, so as to allow current MTAs to access it without modification.

    The RBL servers are distributed, PRIVATE AND SECRET, in order to avoid being DDOSed. The servers are ordinary BIND, whose zone file is updated by a process to be implemented.

    Those willing to use the RBL service have to run their own DNS server - they are free, however, to allow other trusted people to use their services; only them are going to be affected by an eventual DDOS, but not other users of the DRBL.

    The RBL information is distributed via USENET. USENET has proven its ability to survive all sorts of attacks in the past. It has survived the church of scientology, therefore it will survive chickenboners. Its distributed nature makes it quite invulnerable to the kind of DDOS attacks that currently affect centralized DNS RBLs.

    The list maintainer posts PGP-signed updates to USENET via a network of trusted volunteers who do it from dynamic IP addresses of disposable dialup accounts. For safety, the IP addresses are changed immediately following the posting of updates, in order to avoid being DDOSed.

    Authentication against spoofing and flood attempts is provided by the PGP signature.

    The RBL users then scan USENET for the updates, which, once authenticated, are used to update the zone files on their private and secret DNS servers.
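The subscriber side of the scheme sketched in the comment above (authenticate a posted update, apply it to the local list, regenerate the zone for a stock BIND server), as an added example that is not part of the original post or any real DRBL project. The post specifies PGP signatures; because the Python standard library has no OpenPGP implementation, this stand-in authenticates the update with HMAC-SHA256 under a shared key, which is an assumption that changes the trust model (every subscriber would hold the key) and is used here only so the flow runs offline. The zone name, key, update syntax and sample update are constructed.

```python
"""Verify a signed RBL update and turn it into DNSBL zone records.

Added example, not from the Slashdot thread. HMAC-SHA256 over a shared key
stands in for the PGP signature the post describes; zone name, key, update
format ('+addr' / '-addr' lines, '#' comments) and sample data are constructed.
"""
import hashlib
import hmac
import ipaddress

ZONE = "drbl.example"                 # assumed DNSBL zone served by the private BIND
SHARED_KEY = b"constructed-demo-key"  # stand-in for the maintainer's signing key
LISTED_ANSWER = "127.0.0.2"           # conventional "this address is listed" A record


def sign_update(body, key=SHARED_KEY):
    """Maintainer side: append a detached authentication tag to the update text."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n-- SIG " + tag + "\n"


def verify_update(message, key=SHARED_KEY):
    """Subscriber side: return the update body if the tag checks out, else None."""
    body, sep, tag = message.rstrip("\n").rpartition("\n-- SIG ")
    if not sep:
        return None  # no tag at all: treat as a spoof/flood post and ignore it
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.strip()):
        return None
    return body


def apply_update(current, body):
    """Apply '+addr[/len]' / '-addr[/len]' lines to a set of CIDR strings.

    Returns a new set of ipaddress network objects; '#' starts a comment.
    """
    listed = {ipaddress.ip_network(c, strict=False) for c in current}
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        op, _, target = line.partition(" ")
        net = ipaddress.ip_network(target.strip(), strict=False)
        if op == "+":
            listed.add(net)
        elif op == "-":
            listed.discard(net)
        else:
            raise ValueError(f"unknown operation {op!r} in {raw!r}")
    return listed


def dnsbl_name(ip, zone=ZONE):
    """Reverse-octet query name an MTA looks up, e.g. 10.2.0.192.drbl.example."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone + "."


def is_listed(ip, listed):
    """True if `ip` falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in listed)


def zone_records(listed, zone=ZONE):
    """Expand the listed networks into sorted BIND A records for the zone file."""
    records = []
    for net in listed:
        for addr in net:  # iterating a network yields every address in it
            records.append(f"{dnsbl_name(str(addr), zone)} IN A {LISTED_ANSWER}")
    return sorted(records)


def process_message(message, current, key=SHARED_KEY):
    """Full subscriber flow: authenticate, then apply; None if the post is rejected."""
    body = verify_update(message, key)
    if body is None:
        return None
    return apply_update(current, body)


# Constructed sample update and starting list (documentation prefixes only).
UPDATE_BODY = (
    "# DRBL update 2003-09-28 (constructed sample)\n"
    "+ 192.0.2.10        # single open relay\n"
    "+ 198.51.100.0/30   # small block\n"
    "- 203.0.113.5       # delisted after cleanup\n"
)
START = {"203.0.113.5"}
SIGNED_MESSAGE = sign_update(UPDATE_BODY)

if __name__ == "__main__":
    new = process_message(SIGNED_MESSAGE, START)
    print("\n".join(zone_records(new)))
```

A real deployment would replace `verify_update` with an OpenPGP verification against the maintainer's public key, so that subscribers need hold no secret; the rest of the flow (parse, apply, regenerate the zone, reload BIND) is unchanged. Because the zone only ever contains the reversed-octet names, an unmodified MTA configured to query `drbl.example` sees exactly what it would see from any other DNSBL.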

  • by Chatmag ( 646500 ) <editor@chatmag.com> on Sunday September 28, 2003 @01:42PM (#7078430) Homepage Journal
    The DDoS attacks began in earnest about the time there was a shouting match between NANAE, the Usenet Group used by SPEWS, and another web site a few months ago.

    I don't believe that the SoBig and MSBlaster and subsequent DDoS attacks were orchestrated by spammers, but I'll hold final judgement. It may still be true, however, I think that a few misguided morons connected to another web site decided to DDoS the blacklists, and that is what we're seeing now. Logically, I can't see spammers bringing more heat down upon themselves than they already have. DDoSing is not going to solve anything, just make the situation worse by shutting down ISP's and sites not involved in the controversy. Just a few days ago in Slashdot there was a story about a spammer from South Florida, including his home address, etc.

    As I stated in my report naming the administrator/owner of SPEWS, "Spews No Longer Anonymous", I firmly believe that there are people capable of doing real physical harm to persons on the opposite side, and it is time for this to cease. I'm sure that the authorities are actively seeking the authors of SoBig and MSBlaster, I see one has been apprehended the other day, and once apprehended, their systems would be confiscated for evidence. Should any of those systems hold any DDoS software, that leaves the authorities no alternative but to pursue charges for obstruction of communications, in addition to the charges of authoring a malicious program.

    I'm not as much interested in the fate of the blacklists as I am the spillover into the general Internet, and the safety of all concerned, regardless of position. In the long run, I want to see those that are causing the DDoSing to be brought to justice, and that there will be some real dialogue between the factions, rather than the comments I've seen so far from both sides, which in some extreme cases border on terroristic threats.

    From "Spews No Longer Anonymous"

    The primary reason I devoted my time to tracking down the Administrator of SPEWS was that I saw that if left unchecked, SPEWS would go further out of control. In recent months, SPEWS has managed to anger a good number of persons with the ability to mount a DDoS attack against both SPEWS and Osirusoft, a provider of the SPEWS blacklist. I saw this as an escalation that had an impact beyond the simple email blocks, and believe that in my bringing SPEWS into the light, SPEWS will cease publication of their blacklist, or face what is sure to be a large number of lawsuits by affected companies and individuals. It is well known that SPEWS kept their identity secret in order to avoid lawsuits, and with this revelation, they have no choice but to either act responsibly, or cease operations.

    In going through the Usenet NANAE archives, I found many instances of thinly veiled threats by SPEWS supporters against alleged spammers and the "collateral damage" casualties, including one remark that "you're lucky no one has firebombed your NOC". I could see that if left as-is, there would most likely be real physical harm done to either an alleged spammer or SPEWS supporter, and this also motivated me to act to track down the owner of SPEWS.
  • by fm6 ( 162816 ) on Sunday September 28, 2003 @05:31PM (#7080011) Homepage Journal
    Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.
    It's not quite that simple. It's true that the first amendment mainly serves to keep the government from suppressing speech. But private entities have a certain responsibility to tolerate free speech as well, and the courts have always recognized this. If you own a large shopping mall, you can't arbitrarily restrict what people say and do there. If it's large and diverse enough to be considered a "public forum" [umkc.edu] you may just have to put up with people collecting signatures or passing out leaflets, as long as they don't interfere with the operation of the mall. Or not, depending on how broadly your state courts interpret the first amendment. But in any case, you're wrong to assume that private property rights always trump free speech rights.

    But never mind all that, just suppose that we do allow owners of networks and servers absolute control of what passes over their wires. Is that something you really want? Sure, it gives them the power to shut down spam. But it also gives them the power to control what web sites their users can access. Or what their users can put on their own web sites. Now, if hardware is owned by a private company and all its users are employees who are supposed to be using the internet to do their jobs, I suppose you have to grant that company a large measure of control. But if we're talking about public ISPs, then we're talking about something very scary. These ISPs, if they coordinated their efforts, and were allowed to totally control whatever passes over their wires, could do something that governments have repeatedly tried and failed to do: censor the internet.

    A few years ago, there was a site called blackdeath.org that offended certain parties with its anti-Christian rants. Who demanded that their ISP pull the plug. When the ISP declined, they went to the ISP's backbone provider [twtelecom.com]. Which happened to be owned by a major media company. Now, media companies are not fans of censorship, but they like offending people even less -- they might complain to the FCC, or worse, stop watching TV. So the backbone provider told the ISP to pull the plug on blackdeath.org, or else they'd lose their own internet service, and be forced out of business. Naturally they complied. Blackdeath.org went dark, briefly came back with a low-bandwidth provider, then finally disappeared forever.

    This really scared me at the time, since the internet backbone had been consolidated into just a few big companies, most of them with the same censorship-prone connections as the Time Warner backbone. Since then, the backbone situation has gotten a little more competitive [isp-planet.com]. But with the trend to consolidate more and more communications into fewer and fewer companies, I wouldn't get too sanguine. And I'd look for solutions to the spam problem that emphasize individual, not central, control over network traffic.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Sunday September 28, 2003 @07:49PM (#7080846)
    Comment removed based on user account deletion
  • by fm6 ( 162816 ) on Sunday September 28, 2003 @08:29PM (#7081056) Homepage Journal
    believe that the shopping mall analogy falls down in one key respect: There is no direct cost to the shopping mall if I hand out leaflets.
    Few shopping mall owners would agree with you. But that's neither here nor there. If property rights trump leafletting rights, then mall owners don't have to have a good reason for forbidding leafletting. Or any reason.
    But the free market will stop them from doing that. If AOL, Earthlink, and MSN all entered into a censorship pact, then other ISPs would capitalize on offering the "Internet uncensored."
    Yes, that's a reasonable safeguard as long as there's lots of competition. And I don't mean ISP competition, because ISPs just retail bandwidth that they buy from backbone wholesalers. If you're reduced to 3 or 4 backbone providers (which was the situation 5 years ago), that's a real threat. Nowadays less so.

    Which I suppose supports your basic argument: that the free market has a healthy ability to create alternate avenues of communication. Which would seem to make serious internet censorship more and more difficult. But by the same token, it also makes spam harder and harder to control. In the end "free speech", whether it's "we hold these truths to be self-evident" or "i'm a nigerian banker with money to give away", seems not so much a right as a law of nature.
