Worms Security The Almighty Buck Spam Technology

Researchers Hijack Storm Worm To Track Profits

An anonymous reader points out a story in the Washington Post, which begins: "A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study on the economics of spam. Over a period of about a month in the Spring of 2008, researchers at the University of California, San Diego and UC Berkeley sought to measure the conversion rate of spam by quietly infiltrating the Storm worm botnet, a vast collection of compromised computers once responsible for sending an estimated 20 percent of all spam." The academic paper (PDF) is also available. We've previously discussed another group of researchers who were able to infiltrate the botnet for a different purpose.
  • by darkside_al ( 702437 ) on Saturday November 08, 2008 @11:30AM (#25687569)
    Because it's useless, most probably: that user will enter another p0rn site within the hour and get infected again. The big problem in securing home computers is user behavior; it doesn't matter that you put up a lot of warnings, he will hit install in a sec if he is searching for pr0n.
  • by Anonymous Coward on Saturday November 08, 2008 @11:41AM (#25687617)

    Ergo, it is ethical to use the botnet for research. Oh, wait...

  • by Bokononist ( 1355095 ) on Saturday November 08, 2008 @11:48AM (#25687661)

    The best they could really do with the addresses would be to track down the ISPs of the users. The ISPs would then be faced with spending time (== money) to link an IP and time-window to an actual user, and then inform that user.

    Their reward for this effort would be to have one of their technical support people spend an hour on the phone explaining to a clueless and scared someone that they needed to reinstall their XP & applications. This, they ultimately would not do.

  • by Seth Kriticos ( 1227934 ) on Saturday November 08, 2008 @12:18PM (#25687825)
    Informing users? How? Most of them don't get how to use a door bell, not to mention complex computer concepts.

    How about some countermeasures? I mean, if they can infiltrate the botnet, then is it not possible to track its traffic? I mean, if the ISPs would do that, then they could block it (the control packages) and the spam clients may lose the spam to send out and idle around?

    Well, they probably also must replicate and send a "Shut up" command to the clients.

    Messing with the users is mostly bad (no option), because they are a) mostly technically illiterate (dumb) + don't care and b) there is a whole lot of liability issues (see Sony rootkit).
  • by slashdotmsiriv ( 922939 ) on Saturday November 08, 2008 @12:49PM (#25688035)

    The researchers seem to take the legality of their actions under serious consideration. From TFA:

    "Measurement Ethics:
    We have been careful to design experiments that we believe are both consistent with current U.S. legal doctrine and are fundamentally ethical as well. While it is beyond the scope of this paper to fully describe the complex legal landscape in which active security measurements operate, we believe the ethical basis for our work is far easier to explain: we strictly reduce harm. First, our instrumented proxy bots do not create any new harm. That is, absent our involvement, the same set of users would receive the same set of spam e-mails sent by the same worker bots. Storm is a large self-organizing system and when a proxy fails its worker bots automatically switch to other idle proxies (indeed, when our proxies fail we see workers quickly switch away). Second, our proxies are passive actors and do not themselves engage in any behavior that is intrinsically objectionable; they do not send spam e-mail, they do not compromise hosts, nor do they even contact worker bots asynchronously. Indeed, their only function is to provide a conduit between worker bots making requests and master servers providing responses. Finally, where we do modify C&C messages in transit, these actions themselves strictly reduce harm. Users who click on spam altered by these changes will be directed to one of our innocuous doppelganger Web sites. Unlike the sites normally advertised by Storm, our sites do not infect users with malware and do not collect user credit card information. Thus, no user should receive more spam due to our involvement, but some users will receive spam that is less dangerous than it would otherwise be."

    However, their premise of "reducing harm" is questionable. How can we be sure that a person who decided to purchase these drugs (against all warnings) really believes that not buying them is the best thing for him? What if this person really wants to purchase a drug that he thinks will enlarge him? Who gives the researchers the right to decide what other people should spend their money on? Under several legal interpretations, forcing a person not to buy something perceived as harmful is not legal: refusing to sell cigarettes to a person of legal age may be illegal under discrimination laws.

    The bottom line is that the researchers have a good point regarding the ethics of their study; however, this issue is not 100% resolved.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday November 08, 2008 @01:19PM (#25688231)

    #1. The ISP blocks all outgoing port 25 connections. We've been over this one before. It means more expenses for the ISP so they're not going to do it unless they are forced to do it through law.

    #2. The vigilante approach of writing a "virus" that identifies and infects infected computers ... and then removes the existing infection, downloads updates, installs a silent anti-virus app and checks back in at regular intervals for updates. The problem with that is that the people who do it become "criminals" under US law.

  • by Anpheus ( 908711 ) on Saturday November 08, 2008 @01:22PM (#25688253)

    And so next time when malware like that damn Antivirus 2009 trojan is installed, they'll be more likely to follow the instructions: "Your computer is infected, click here to scan your computer."

  • Re:Spam protection (Score:3, Insightful)

    by lysergic.acid ( 845423 ) on Saturday November 08, 2008 @01:25PM (#25688277) Homepage

    that's a good point. i'm guessing part of the reason why Gmail has such a good spam filter is because they implement collective filtering by allowing users to easily mark spam messages, and also because with such a large user-base they can implement statistical filtering techniques much more effectively.

    what i don't get is why ISPs big and small don't just cooperate with each other and trade/pool information needed to fight spam. it would improve everyone's quality of service, so why not work together to achieve common ends. combating spam is one situation where different businesses don't need to compete with one another because they have shared interests.

    even if you're just a small ISP with only a few thousand users, if you work with 10-20 different similar sized ISPs to collectively implement a shared spam-filter, you would achieve much better results than what each ISP could obtain on their own. not only are there more e-mails to perform statistical analysis and Bayesian filtering on, but there are also more users to identify/catch the spam messages that slip past the filters. that way the job of catching stray spam e-mails is distributed across a much wider user-base. instead of each user having to mark 10 spam messages a day, perhaps they only have to mark 10 messages a month.
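The pooled-filter idea in the comment above, as an added worked example (not the commenter's code and not taken from the Storm paper): a toy multinomial naive Bayes classifier with add-one smoothing, trained once on each of two hypothetical ISPs' corpora and once on the pooled corpus. The corpora and the test message are constructed and kept tiny so the probabilities can be checked by hand; the message uses vocabulary only ISP B has seen in spam, so ISP A's filter alone lets it through while the pooled filter catches it.

```python
"""Toy naive Bayes spam filter: per-ISP training versus pooled training.

Added example with constructed data; not from the page or the paper."""
import math
import re
from collections import Counter

# Constructed sample corpora, one per hypothetical ISP: (message text, label).
ISP_A_CORPUS = [
    ("cheap meds shipped today", "spam"),
    ("buy cheap meds online", "spam"),
    ("report attached see today", "ham"),
    ("draft attached for review", "ham"),
]
ISP_B_CORPUS = [
    ("enlarge now free pills", "spam"),
    ("pills free shipping offer", "spam"),
    ("slides attached for monday", "ham"),
    ("notes attached from standup", "ham"),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lowercase word tokens; a real filter would also look at headers, URLs, etc."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self, corpus):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        for text, label in corpus:
            self.doc_counts[label] += 1
            self.word_counts[label].update(tokenize(text))
        self.vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])

    def _log_posterior(self, tokens, label):
        total = sum(self.word_counts[label].values())
        denom = total + len(self.vocab)  # add-one smoothing over the vocabulary
        lp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokens:
            lp += math.log((self.word_counts[label][tok] + 1) / denom)
        return lp

    def spam_probability(self, text):
        """P(spam | text), computed in log space to avoid underflow."""
        tokens = tokenize(text)
        log_spam = self._log_posterior(tokens, "spam")
        log_ham = self._log_posterior(tokens, "ham")
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def compare_filters(message):
    """Score one message under each ISP's own filter and under the pooled filter.

    Returns {"isp_a": (label, p_spam), "isp_b": (...), "pooled": (...)}.
    """
    filters = {
        "isp_a": NaiveBayesSpamFilter(ISP_A_CORPUS),
        "isp_b": NaiveBayesSpamFilter(ISP_B_CORPUS),
        "pooled": NaiveBayesSpamFilter(ISP_A_CORPUS + ISP_B_CORPUS),
    }
    return {
        name: (f.classify(message), round(f.spam_probability(message), 4))
        for name, f in filters.items()
    }


if __name__ == "__main__":
    # Spam vocabulary that only ISP B has seen: ISP A alone classifies it as
    # ham (p_spam = 0.25), ISP B as spam (0.75), the pooled filter as spam (0.64).
    for name, (label, p) in compare_filters("free pills attached").items():
        print(f"{name:>7}: {label:<4} p_spam={p:.3f}")
```

The pooled filter also dilutes evidence: "attached" appears in ham at both ISPs, so the pooled spam probability (9/14) is lower than ISP B's alone (3/4). With real-sized corpora that dilution is exactly what you want, since a token's weight then reflects its frequency across many senders rather than across a handful of messages at one ISP.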

  • by X0563511 ( 793323 ) on Saturday November 08, 2008 @02:01PM (#25688487) Homepage Journal

    Imagine this scenario:

    You have Bob. Bob has a thing about catching STDs. No matter how many times he gets cleaned up, he turns around and does something stupid and gets a new one, and in turn passes them on.

    Is it unethical to study his infections? The subject won't stop getting the infections, nor will he stop spreading them. However, we can use what we learn from studying the subject further on down the line.

    Not quite so black and white, is it? I side with the researchers. The botnet will be there either way, and if we actively destroy it a new one will be made in its place (and possibly improved, preventing study). Might as well learn what we can from it before making a move.

  • by Intron ( 870560 ) on Saturday November 08, 2008 @02:07PM (#25688521)

    I wondered about #1, also. My ISP blocks *inbound* port 25 but not outbound. They don't want to let me run a server on a dynamic home IP address because they want to charge me for a business use. They also block inbound port 80.

    It turns out the reason they don't block outbound 25 is because that would force the spammers to email out through the ISP mail servers which would get them blacklisted. They are fine with letting the home users send spam and get blacklisted. It doesn't cost them anything.

  • by Colin Smith ( 2679 ) on Saturday November 08, 2008 @02:22PM (#25688595)

    Consider it a form of quarantine.

  • by Anonymous Coward on Saturday November 08, 2008 @02:24PM (#25688619)

    Your post advocates a

    ( ) technical ( ) legislative (x) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    (x) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (x) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    (x) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    (x) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (x) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    (x) Public reluctance to accept weird new forms of money
    (x) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    (x) Extreme profitability of spam
    (x) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    (x) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    (x) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

  • by aztektum ( 170569 ) on Saturday November 08, 2008 @03:42PM (#25689101)

    Wouldn't they get blacklisted if a user's IP is attached to a block assigned to that ISP?
