

P2P Spam? 340
Sgt York writes "In a NYT article (republished in the Houston Chronicle, no subscription required) experts at CERT, F-secure, Trusecure, and the Hall of Justice (see article) think that SoBig.F is a spam scheme in the making. They say that SoBig.F is the 6th variant in an ongoing experiment with the possible goal of setting up a distributed spam network, to be rented out to the highest bidder. If that is their goal, they are well on their way. Another disturbing note in the article is that "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks. "
Truly P2P if SOBIG.G contains the spam message (Score:4, Insightful)
The authors are probably testing the feasibility of sending out a virus (which, given the number of copies I receive, will happily be opened by people) and then simultaneously sending out spam messages to the same group of people. There's no need for the SOBIG authors to control the machines after SOBIG has been executed. They just need to include the spam message in the virus itself.

That would make it truly P2P spam. Unsuspecting user X who opens SOBIG would transmit the mechanism for sending more spam and his portion of the spam deluge. Of course there could be a downside to all this: once the blacklist people start cutting off EVERY ISP in the world because of spam messages, SOBIG would defeat itself because no one would be getting mail.
John.
Re:Truly P2P if SOBIG.G contains the spam message (Score:5, Insightful)
Re:Truly P2P if SOBIG.G contains the spam message (Score:3, Insightful)
Re:Truly P2P if SOBIG.G contains the spam message (Score:2)
C//
Re:Truly P2P if SOBIG.G contains the spam message (Score:5, Funny)
Re:Truly P2P if SOBIG.G contains the spam message (Score:5, Interesting)
Kjella
Re:Truly P2P if SOBIG.G contains the spam message (Score:5, Insightful)
This could turn into a VERY ugly mess.
Re:Truly P2P if SOBIG.G contains the spam message (Score:5, Insightful)
Will we soon be formally registering all people running an HTTPD in the same fashion?
Re:Truly P2P if SOBIG.G contains the spam message (Score:4, Interesting)
SMTP on the other hand initiates the connection to send you the data, no matter if you wanted it or not.
I'd be all for an SMTP registry, but at that point it would make more sense just to make a new RFC for SMTPv2 or similar. If it ever came down to a registry there are a few things that are needed.
#1: Free or close to free for a home user. I have a mail server on my home machine that is for outgoing messages only; I've had times where my ISP's mail server has failed to deliver the messages, so I use my own. My mail server isn't listening on any port other than 127.0.0.1, so there is no way someone is going to be relaying through it.
#2: A way to verify that registration data is valid. How many times will Mickey Mouse and Donald Duck register an e-mail server just to spam for a few hours?
#3: Reliability. How does the site stay up against a DDoS? Even the root DNS servers are vulnerable to that.
The more I think of it the more I think an SMTPv2 is needed as opposed to dicking around with SMTP to get it more secure. It's the cutover that will be a bitch.
Re:Truly P2P if SOBIG.G contains the spam message (Score:3, Interesting)
1. Do a reverse DNS lookup on the connecting IP and verify in PARANOIA_MODE (a la TCP Wrappers).
2. Attempt to relay through any new servers that haven't already been registered.
3. Require TLS/SSL (this is for everyone's benefit of privacy).
If the connecting server fails those tests, firewall them off. If they pass, register the connecting server IP as an approved sender for, oh, 30 days. That should provide increased security and protection without getting into so
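Steps 1 and 3 above (a forward-confirmed reverse DNS check in the spirit of TCP Wrappers' paranoid mode, plus a TLS requirement) and the 30-day approved-sender entry, written out as an added Python example; this is not code from the thread or from any MTA. The resolver is a constructed in-memory table using hypothetical names under example.org and example.net and documentation addresses, so the script runs offline; the relay probe in step 2 is left out, and a real deployment would replace `TableResolver` with `socket.gethostbyaddr` and `socket.gethostbyname_ex`.

```python
"""Forward-confirmed reverse DNS (FCrDNS) gate for inbound SMTP connections,
with a time-limited approved-sender registry.

Added example, not code from the Slashdot thread or from any mail server.
The resolver is a constructed in-memory table so this runs offline."""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed records (assumption, not real DNS): the first host is
# consistent, the second has a PTR whose forward lookup points elsewhere,
# and 192.0.2.30 has no PTR at all.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "mail.example.net",
}
A_RECORDS = {
    "mail.example.org": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.5"],
}


class TableResolver:
    """Minimal stand-in for DNS; swap for socket.gethostbyaddr / gethostbyname_ex."""

    def __init__(self, ptr: dict, a: dict):
        self.ptr = ptr
        self.a = a

    def reverse(self, ip: str) -> str | None:
        return self.ptr.get(ip)

    def forward(self, name: str) -> list[str]:
        return self.a.get(name, [])


def fcrdns_ok(ip: str, resolver: TableResolver) -> bool:
    """True only if ip -> PTR name -> A records contains ip again.

    A PTR alone proves nothing: whoever controls the reverse zone can put any
    name there, so the forward lookup of that name must agree (the 'paranoid'
    test)."""
    name = resolver.reverse(ip)
    if not name:
        return False
    return ip in resolver.forward(name)


class SenderRegistry:
    """Approved-sender list; every entry expires `ttl_days` after admission."""

    def __init__(self, ttl_days: int = 30):
        self.ttl = timedelta(days=ttl_days)
        self._approved: dict[str, datetime] = {}

    def is_approved(self, ip: str, now: datetime) -> bool:
        expiry = self._approved.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._approved[ip]   # lapsed: the sender must re-qualify
            return False
        return True

    def evaluate(self, ip: str, tls_offered: bool, resolver: TableResolver,
                 now: datetime) -> str:
        """Decide for one connection: 'already-approved', 'approved' or 'rejected'."""
        if self.is_approved(ip, now):
            return "already-approved"
        if tls_offered and fcrdns_ok(ip, resolver):
            self._approved[ip] = now + self.ttl
            return "approved"
        return "rejected"


def run_demo() -> list[tuple[str, str]]:
    """Walk a few constructed connections through the registry and return
    (ip, decision) pairs, including one after the 30-day entry has lapsed."""
    resolver = TableResolver(PTR_RECORDS, A_RECORDS)
    registry = SenderRegistry()
    day0 = datetime(2003, 9, 1)
    scenario = [
        ("192.0.2.10", True, day0),                        # consistent, TLS
        ("192.0.2.10", False, day0),                       # cached approval
        ("192.0.2.20", True, day0),                        # PTR/A mismatch
        ("192.0.2.30", True, day0),                        # no PTR
        ("192.0.2.10", True, day0 + timedelta(days=31)),   # entry expired
    ]
    return [(ip, registry.evaluate(ip, tls, resolver, when))
            for ip, tls, when in scenario]


if __name__ == "__main__":
    for ip, decision in run_demo():
        print(f"{ip:12s} {decision}")
```

The expiry check is lazy (entries are dropped when next consulted), which keeps the registry free of a background sweeper; the cost is that `is_approved` mutates state, so callers should treat it as the single point of truth rather than caching its answer.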
Re:Truly P2P if SOBIG.G contains the spam message (Score:2, Interesting)
Re:Truly P2P if SOBIG.G contains the spam message (Score:2)
Before that happens there will be a lot of lawsuits like the one on AOL [slashdot.org] helping virii like SOBIG; the situation you foresee is very unlikely to happen.
Re:Truly P2P if SOBIG.G contains the spam message (Score:2)
With more and more open relays closing, spammers are having to rely more and more on their own servers, out of the country servers, loopholes in free email service's interfaces, etc, in order to get their mail out.
With a shitload of computers at their disposal to send their spam out, they won't have to worry about hiding where it comes from, how they did it, paying for their own bandwidth, or p
Re:Truly P2P if SOBIG.G contains the spam message (Score:2)
No, that only provides a one-off spamming opportunity. The big picture is controlling a vast army of zombies to do... something. Spamming is a likely job for this army, as is DDoS. And with a zombie force big enough, the commander could throttle down the individual nodes' output to lessen the chance of discovery. I'd suspect that SoBig.G and possib
Re:Truly P2P if SOBIG.G contains the spam message (Score:2, Interesting)
would defeat itself because no one would be getting mail.
That's exactly the point of SoBig.
It's practically impossible to stop, except in 2 cases:
a) Everyone (or at least 95-97%) would use Outlook anymore...
b) All holes (of the same nature as Sobig uses) are closed in Outlook...
Can't really make up my mind about which is more unlikely to happen... I'm not holding my breath for either to happen though.
Re:Truly P2P if SOBIG.G contains the spam message (Score:3, Funny)
ROFL..
huh? (Score:5, Interesting)
I must be missing something because it seems to me that such a business would be immediately sued into oblivion.
Re:huh? (Score:4, Insightful)
Re:huh? (Score:4, Informative)
Although hey, free e-mail addresses.
Re:I think you missed the point (Score:3, Funny)
SpamGrid
Re:I think you missed the point (Score:3, Informative)
Suppose the network is what they're planning to use, instead of selling the email addresses. If I get a penis/breast enlargement pill ad from my co-worker in the next cube over (you know - the person who likes to play with their Bonzi Buddy and watch their comet cursors) it would seem safe to assume that it was spam sent through the worm network. In orde
Re:huh? (Score:3, Informative)
If you get spam that appears to be willingly sent from China, report it to the Ministry of Commerce [mofcom.gov.cn]. Hopefully
Re:huh? (Score:3, Interesting)
I'd be more inclined to think it's a feasibility study by some government or other to test for electronic warfare readiness. I wouldn't be surprised if it was the US government. Remember that whatever doesn't kill you makes you stronger. A whole lot of machines that otherwise would never have been updated/patched were cleaned up because of this.
So the highest bidder gets to spam? (Score:5, Insightful)
Re:So the highest bidder gets to spam? (Score:2)
So here's the trick. Let's say some company buys in and is then sued to oblivion. Now let's say I am SCO (insert your own hated company). I can then buy the services but advertise for Red Hat (insert your favorite company). So now
Re:So the highest bidder gets to spam? (Score:2)
Re:So the highest bidder gets to spam? (Score:2)
(and rehired under a different name).
Re:So the highest bidder gets to spam? (Score:3, Interesting)
Cheers,
-- RLJ
Re:So the highest bidder gets to spam? (Score:3, Informative)
This can't be right (Score:2, Insightful)
Re:This can't be right (Score:4, Insightful)
I can say one thing for sure... (Score:5, Funny)
"Now, liken me to Sinestro and you're the Green Lantern..." *shiver*
Oh, that's it (Score:4, Funny)
But nobody can cheapen what Wonder-woman and I had together... mmmmm... that golden lasso...
Who is really behind this (Score:2, Interesting)
It's probably someone out to eventually make every computer a 'trusted computer'.
The last thing spammers want to do is lose their ability to spam. If this virus is really intended to help spammers, then it will be in short order that we will all be ordered to use a trusted computer platform (*cough* Microsoft *cough*) and that will pretty much be the end to any sort of freedoms that the net enjoyed in its early and glory years.
Would like to hear some discussion thanks!
Easier to catch? (Score:2)
ICQ spam (Score:5, Funny)
HotSxzzGrl says: Can we talk?
Or something like that. It's been awhile. God I miss her, though.
Re:ICQ spam (Score:4, Interesting)
Bad plan (Score:4, Interesting)
So I'm not sure I buy that explanation.
Re:Bad plan (Score:3, Insightful)
Unless herbal penis enlargers are now a legit business. Last I checked, no such luck. Maybe if it worked... well, so I'm told.
Re:Bad plan (Score:2)
It is probably no coincidence, then... (Score:4, Interesting)
6 degrees attack (Score:5, Interesting)
Re:6 degrees attack (Score:2)
Lamest. Quote. Ever. (Score:2)
This is why ISPs are changing their SMTP rules? (Score:3, Interesting)
Re:This is why ISPs are changing their SMTP rules? (Score:2)
Re:This is why ISPs are changing their SMTP rules? (Score:2)
Of course you may still need webmail for the cybercafe impaired.
Re:This is why ISPs are changing their SMTP rules? (Score:3, Insightful)
S'ok, though... DaemonPortOptions and a quick 'killall -HUP sendmail' took care of everything.
Illegal Business Practices (Score:3, Interesting)
So why resort to a series of viruses that rip through international networks? Then again, why climb Mt. Everest? Because it was there.
(Note: Obviously the reaches of SoBig and spam in general extend well outside the United States and in all likelihood originated elsewhere. Don't think that I am some egocentric American who thinks that the U.S.A. is the only place on Earth. I was just using it as a frame of reference because it is what I am most familiar with.)
if thats the intent (Score:2, Interesting)
creating a network THIS way is counterproductive.
A Bad Thing? (Score:5, Insightful)
With all the techno-dweebs on this site and all the fantastic opinions about whitelists and blacklists and graylists and modifying SMTP and replacing SMTP and handshakes and authentication and a million other solutions, perhaps someone, somewhere, will finally begin to make a dent in actually dealing with the spam problem.
Won't that back-fire? (Score:2)
Somebody will go down, hard.
Re:Won't that back-fire? (Score:2)
And a bit different, but back when I used Kazaa a fair amount, whatever popup-generating crap it installed constantly had ads for Orbitz, and they still exist, and probably make money.
SMTP IS DYING/DEAD (Score:4, Interesting)
Welcome to the Internet, 2003.
Next up, authenticated delivery, whitelisting, and the death of the mail server as we know it.
Hmm.... you're just asking for this, aren't you? (Score:3, Funny)
Yet another crippling bombshell hit the beleaguered SMTP community when recently IDC confirmed that SMTP accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that SMTP has lost more market share, this news serves to reinforce what we've known all along. SMTP is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the r
Re:SMTP IS DYING/DEAD (Score:3, Insightful)
It's Exchange that seems to be dead. Given the sudden dearth of enlargement offers in my inbox, I have to say "it's a good thing."
Even more patchwork on my friends machines? (Score:3, Interesting)
Can't wait till they fire up their distributed Spam-Network, that will show them. Wonder who will be left to hold their hands? Muahaha!!
Sorry for being offtopic but I had to say it.
Cu,
Lispy
I've said this before and I'll repeat myself... (Score:5, Interesting)
Of course Sobig is about spam. Why else does some mysterious but well-financed entity want to control half the desktops of the world?
How about this spam technique, which I predict will occur in 6-9 months' time:
Tampering with real emails, inserting the spam message mixed with the real email.
Does that scare anyone? It makes a mockery of current technology for fighting spam.
Hence, GPG. (Score:3, Insightful)
That's when encryption will be publically adopted.
Re:Hence, GPG. (Score:4, Insightful)
Re:Hence, GPG. (Score:2, Insightful)
If the GPG secret key is on a Windoze user's hard drive, then what stops the virus from waiting in the background, sniffing the passphrase, then invoking GPG itself?
My prediction: viruses will be used for industrial espionage:
1. Infect home PC of target, and do nothing noticeable.
2. Wait until VPN into employer comes up.
3. Fetch secret info and store on hard drive.
4. Wait until VPN link is dropped and regular
Re:Hence, GPG. (Score:2)
Re:Hence, GPG. (Score:2, Insightful)
Re:I've said this before and I'll repeat myself... (Score:2)
Hell, I'm just happy to know the identity of the non-mysterious but well-financed company that controls 95% of the desktops of the world. You know, the one responsible for all this mess?
Re:I've said this before and I'll repeat myself... (Score:2)
Does that scare anyone? It makes a mockery of current technology for fighting spam.
Having someone with user-level access to my computer or my correspondents' computers, or with root-level access to our mail servers, would scare me regardless of what they did with that access. If they merely used that access to stick spam in our email that would almost be a relief.
I wonder... (Score:2)
link to NYT article (Score:2, Informative)
Smarter Virus Writers (Score:4, Interesting)
Granted, it still exploits the most obvious problem in computing: the people who use Outlook in its "Automatically Run Attachments" mode, but it would be foolish to ignore the largest and most potentially devastating venue.
Once the guy figures out exactly the heuristic to hit the most targets in the shortest amount of time, he can put a real payload in it, like a file encrypter for
skye
Fixed hosts don't work, but... (Score:5, Insightful)
What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123 [google.com]", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.
For even better effect, use a moderately common word or phrase that Google couldn't remove from its index without causing big problems.
On the non-technical side... I was struck by the post in a previous SoBig discussion that noted that this variant expires on 9/10, and if the F-Secure expert is right, that's not a good sign:
"I think the motivation is clear. It's money," said Mikko Hypponen, director of anti-virus research at F-Secure, an antivirus firm based in Finland that is decoding the illicit program. "Behind Sobig we have a group of hackers who have a budget and money."
If there's a budget and money, then there's organization, and I'm concerned about the organizations that might see 9/11 as a good day to launch a distributed attack.
Re:Fixed hosts don't work, but... (Score:3, Interesting)
Re:Fixed hosts don't work, but... (Score:3, Informative)
These weren't download sites, just name servers (so to speak). And it's not clear if there were only 20 of them.
Re:Fixed hosts don't work, but... (Score:5, Insightful)
OK, let's see how you would do it...
The payload of the original virus would be an encrypted peer-to-peer daemon somewhat like Freenet [freenet.org], except that it would only allow uploads signed with a particular digital signature. The client would of course have to include the public key of that signature, but not the private key.
Once infected a machine would open a listening port and attempt to connect to machines chosen randomly but with a bias to its local class C (as with CodeRed [nai.com]). Once contact has been established the machines would exchange IPs so that each could recontact the other. Each machine would continue to probe for peers until it had found a certain number - say twenty - and then it would remain quiescent, just listening. Periodically (say weekly) it would handshake again with its known peers, and if any failed to handshake twice successively it would seek others until it had again reached quota.
Once the virus was widespread the author would send a signed file to one infected machine. The name of the file would be a unique string (for simplicity of exposition say a serial number, although any systematically unique string would do) so the first file the virus author injected might be 0001, the next 0002 and so on. The machine would accept the file as genuine because it could decrypt it with its local copy of the public key, and would pass it on unchanged to all the other infected nodes it knew about. If a machine had already received 0001 and was offered 0001 by a peer it would refuse it to save time and network congestion - not to be nice to other users, but because if the thing blocked up network bandwidth completely, it wouldn't be able to do its own dirty work.
The signed files could contain
This would be incredibly difficult to defend against because
Furthermore, the network could be used to launch several sequential attacks, which would not even need to have been planned at the time the virus was written. The author could, in effect, sell use of a flexible, massively distributed mass-UCE/DDoS attack engine to the highest bidder...
Hang on, hang on... just wait until I get a patent on that idea!
Wonderful, 5237 and counting (Score:3, Interesting)
Wonderful, I have gotten 5237 of these things and counting as I type this. If the next one is any better than this version I can expect to see greater volumes of this crap and that is not really a pleasing thought for a Mac user. Yeah, this time we are suffering too.
Just my personal list. (Score:2)
Firewall: incoming/outgoing.
no attachments except compressed files!!
executables have to be AUTHORIZED! to be downloaded and once saved, ONLY THEN, you have to manually navigate to the folder to execute it.
chmod -R -x c:\
sobig.M kills blacklists? (Score:4, Insightful)
Address collector (Score:2)
This would be a case of me talking out of my ass. Is this possible, or is it readily detectable?
as long as spam is profitable (Score:2)
Holy Crap (Score:4, Insightful)
Hey, I just thought of that. That'd rock, be much easier and more effective than hunting for pubs. You even have one of your drones host the tracker in the first place.
Anyways, who cares. Patch your machines and shut up. We're seeing as many sobig stories as we are SCO, and it really isn't that big of a deal.
Eventually (Score:2, Insightful)
Re:Eventually (Score:2)
Re:Eventually (Score:5, Insightful)
Could be just be a way to harness email addresses (Score:4, Interesting)
One way to stop the spread of viruses (Score:5, Funny)
SoBIG.G Release Proposal (Score:5, Funny)
Revision : 6.0
Code to be released : Pending Approval
Target Release Date : Sept 9, 2003
Proposed fixes
1. Enhance subject line generator.
(Incorporate statistics from
2. Enhance performance.
3. Incorporate "increase penis length" email.
4. Fix critical product change requests
5. Add string confirming soBIG refers to
average penis size of development team.
RIAA (Score:2, Interesting)
Half (okay, exaggeration) the songs I download are clips for their anti-piracy campaign, which I couldn't care less about. I equate this to spam for penis-enlargement pills. I don't need either of them.
Checkmate (Score:4, Interesting)
It makes Sobig seem more 'sinister' when I think of it in these terms. Sure it's annoying, sure it's a drain on time and resources, but what's going to happen when all the ships are in position and the countdown hits zero?
5, 4, 3...
what about the email lists? (Score:5, Interesting)
Now, add this on top of how the sobig already spoofs emails and you get other people doing your spam for you
-Ab
** I know they can be traced, at least to the last computer, but getting back to the source is tough cause people tend to delete the original virrused email. I know I traced several attacks and helped notify the host companies/universities and got them cleaned up, but after my 7th track, I got fed up and gave up, adjusted my MTA to block all mails with the
If there's a motive, it's political (Score:4, Interesting)
Politically-motivated makes more sense. The current version expires on September 10, so a reasonable assumption is that the big attack comes on September 11.
Declare them to be terrorists . . . (Score:3, Interesting)
I mean, dang, wouldn't it be satisfying to think of the wankers behind this stuck in a cell down in Guantanamo?
And just think: The hour of exercise they'd get each day would probably be more than they're getting now!
I hope this is true ! (no troll!) (Score:5, Interesting)
Theory doesn't make sense (Score:3, Insightful)
No, if I was looking for a fun conspiracy theory, I would enjoy suspecting that Microsoft has decided that this is a good time to have all their customers tighten up their security.
Why Spam? (Score:3, Funny)
Think of all the things you could do with 1000s of slaves getting instructions from systems on the internet.
Occam's Razor (Score:3, Insightful)
Keep in mind that writing and releasing a virus/worm/trojan requires a bit of skill and time and has the nasty side-effect of carrying significant jail time. Spammers don't have skill (or they'd be engineers), spammers don't have time (they have to work around filters all the time) and several years of jail time might not be too appealing to spammers either. Piggybacking on SoBig's backdoor for the purpose of spamming is guaranteed to have some nice FBI folks knocking on your door, confiscating all your equipment and looking for evidence of virus creation. Just a matter of time until you're read your rights from there on.
I know people make a lot out of the fact that SoBig carries its own SMTP client engine. So what though? That feature enables SoBig to also use non-Outlook machines as staging areas. Simple.
Use Occam's Razor [skepdic.com] and some common sense and see SoBig as what it is: a plain old worm somebody wrote to show off to his friends that has nothing to do with spam. Somebody as skilled as the worm writer probably hates spam as much as the rest of us. Not that I'm justifying SoBig in any way, I just removed 570 copies of SoBig.F from my inbox. :-(
Re:Unbelievable (Score:2)
Better mail protocol? Although a lot of spam has faked headers, it certainly isn't a prerequisite. Where there's a will, there's a way. Consider a protocol that required all users to have PGP signatures
Re:Unbelievable (Score:2)
Re:Unbelievable (Score:2)
Re:Unbelievable (Score:2)
-- RLJ
Re:Unbelievable (Score:2)
Re:I'd be more sympathetic to anti-spammers, but.. (Score:4, Funny)
You've just hit on the solution! All we have to do is convince the spammers to replace their sugar [wikipedia.org] pill V1a6ara with a slightly more reactive compound. Something like this [wikipedia.org], perhaps?
Problem is, the spammers are probably stupid enough to try their own product. Darn it.
Re:P2P spam : I confirm (Score:2)