Security Spam

P2P Spam? 340

Sgt York writes "In a NYT article (republished in the Houston Chronicle, no subscription required) experts at CERT, F-secure, Trusecure, and the Hall of Justice (see article) think that SoBig.F is a spam scheme in the making. They say that SoBig.F is the 6th variant in an ongoing experiment with the possible goal of setting up a distributed spam network, to be rented out to the highest bidder. If that is their goal, they are well on their way. Another disturbing note in the article is that "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks. "
  • I think the superheroes involved in the SOBIG fight miss the entire point.
    The authors are probably testing the feasibility of sending out a virus (which
    given the number of copies I receive) will happily be opened by people and
    then simultaneously sending out spam messages to the same group of people.

    There's no need for the SOBIG authors to control the machines after SOBIG has
    been executed. They just need to include the spam message in the virus
    itself.

    That would make it truly P2P spam. Unsuspecting user X who opens SOBIG would
    transmit the mechanism for sending more spam and his portion of the spam
    deluge. Of course there could be a downside to all this, once the blacklist
    people start cutting off EVERY ISP in the world because of spam messages SOBIG
    would defeat itself because no one would be getting mail.

    John.
    • by Brad Mace ( 624801 ) on Tuesday August 26, 2003 @03:13PM (#6797171) Homepage
      They'd need some big balls to associate their company name with a virus. Once the identity of the people unleashing viruses AND sending tons of spam is known, they won't exist for long. For that reason alone I'd say it's much more likely they'd be setting up a distributed spamming network.
    • by RatBastard ( 949 ) on Tuesday August 26, 2003 @03:15PM (#6797192) Homepage
      But the spam message is not for the person whose computer is infected. It's for every email recipient that that computer user knows. The P2P spam network created in this way would be HUGE and unblockable. Who is going to block every subnet on earth? Not gonna happen. The best we can hope for is that ISPs get smart and start blocking SMTP ports on all ip addresses not registered as SMTP servers.

      This could turn into a VERY ugly mess.
      • by IM6100 ( 692796 ) <elben@mentar.org> on Tuesday August 26, 2003 @03:28PM (#6797357)
        That's interesting. A formal registry of SMTP servers.

        Will we soon be formally registering all people running an HTTPD in the same fashion?
        • by Binestar ( 28861 ) * on Tuesday August 26, 2003 @03:49PM (#6797632) Homepage
          Nah, HTTP doesn't initiate the connections, the clients do, so presumably, those clients want those webpages to be displayed (pop-ups aside).

          SMTP on the other hand initiates the connection to send you the data, no matter if you wanted it or not.

          I'd be all for an SMTP registry, but at that point it would make more sense just to make a new RFC for SMTPv2 or similar. If it ever came down to a registry there are a few things that are needed.

          #1: Free or close to free for a home user. I have a mail server on my home machine that is for outgoing messages only; I've had times where my ISP's mail server has failed to deliver the messages so I use my own. My mail server isn't listening on any port other than 127.0.0.1, so there is no way someone is going to be relaying through it.

          #2: A way to verify that registration data is valid. How many times will Mickey Mouse and Donald Duck register an e-mail server just to spam for a few hours?

          #3: Reliability. How does the site stay up against a DDOS? Even the root DNS servers are vulnerable to that.

          The more I think of it the more I think an SMTPv2 is needed as opposed to dicking around with SMTP to get it more secure. It's the cutover that will be a bitch.
          • How about a multi-layer checking system?

            1. Do a reverse DNS lookup on the connecting IP and verify in PARANOIA_MODE (a la TCP Wrappers).

            2. Attempt to relay through any new servers that haven't already been registered.

            3. Require TLS/SSL (this is for everyone's benefit of privacy).

            If the connecting server fails those tests, firewall them off. If they pass, register the connecting server IP as an approved sender for, oh, 30 days. That should provide increased security and protection without getting into so
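The layered check sketched in this post, as an added example that is not part of the original thread: a forward-confirmed reverse DNS test in the TCP Wrappers PARANOID sense (the IP's PTR name must resolve back to that IP), followed by the relay and TLS results, with senders that pass cached for 30 days. The resolver table, the addresses and the `Screen` function are constructed for the example; the relay probe and STARTTLS attempt are passed in as booleans because an offline example cannot make those connections.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Resolver abstracts the two DNS lookups a paranoid check needs so the
// example runs offline against a constructed table (no real DNS traffic).
type Resolver struct {
	PTR map[string][]string // ip -> names claimed by the reverse zone
	A   map[string][]string // name -> addresses from the forward zone
}

// ForwardConfirmed implements the TCP Wrappers PARANOID idea: the IP's PTR
// name must resolve forward to a set of addresses that contains the IP.
// It returns the confirmed hostname, or "" and a reason when the check fails.
func ForwardConfirmed(r Resolver, ip string) (string, string) {
	names := r.PTR[ip]
	if len(names) == 0 {
		return "", "no PTR record"
	}
	for _, name := range names {
		name = strings.TrimSuffix(strings.ToLower(name), ".")
		for _, addr := range r.A[name] {
			if addr == ip {
				return name, ""
			}
		}
	}
	return "", "PTR name does not resolve back to " + ip
}

// ApprovalCache remembers senders that passed every test, for a fixed TTL,
// so the expensive checks run once per sender rather than once per message.
type ApprovalCache struct {
	TTL     time.Duration
	entries map[string]time.Time // ip -> expiry
}

func NewApprovalCache(ttl time.Duration) *ApprovalCache {
	return &ApprovalCache{TTL: ttl, entries: map[string]time.Time{}}
}

// Approved reports whether ip was approved and the approval has not lapsed.
func (c *ApprovalCache) Approved(ip string, now time.Time) bool {
	exp, ok := c.entries[ip]
	return ok && now.Before(exp)
}

// Verdict is the decision for one connecting IP.
type Verdict struct {
	Accept bool
	Reason string
}

// Screen runs the layered checks in order: cache hit, forward-confirmed
// reverse DNS, then the caller-supplied relay probe and TLS result.
// openRelay and tlsOK stand in for the live probes the post describes.
func Screen(r Resolver, c *ApprovalCache, ip string, openRelay, tlsOK bool, now time.Time) Verdict {
	if c.Approved(ip, now) {
		return Verdict{true, "cached approval"}
	}
	if _, why := ForwardConfirmed(r, ip); why != "" {
		return Verdict{false, why}
	}
	if openRelay {
		return Verdict{false, "accepted relay for a third party"}
	}
	if !tlsOK {
		return Verdict{false, "STARTTLS refused"}
	}
	c.entries[ip] = now.Add(c.TTL)
	return Verdict{true, "passed all checks; approved for " + c.TTL.String()}
}

func main() {
	// Constructed zone data: 192.0.2.10 is consistent, 192.0.2.20 forges
	// its PTR, 192.0.2.30 has no reverse record at all.
	r := Resolver{
		PTR: map[string][]string{
			"192.0.2.10": {"mx.example.net."},
			"192.0.2.20": {"mail.bank.example."},
		},
		A: map[string][]string{
			"mx.example.net":    {"192.0.2.10"},
			"mail.bank.example": {"198.51.100.5"},
		},
	}
	cache := NewApprovalCache(30 * 24 * time.Hour)
	now := time.Date(2003, 8, 26, 15, 0, 0, 0, time.UTC)
	for _, ip := range []string{"192.0.2.10", "192.0.2.20", "192.0.2.30"} {
		v := Screen(r, cache, ip, false, true, now)
		fmt.Printf("%-12s accept=%-5v %s\n", ip, v.Accept, v.Reason)
	}
	// The good host is served from the cache on day 29 but re-tested on day 31.
	fmt.Println(Screen(r, cache, "192.0.2.10", true, false, now.Add(29*24*time.Hour)).Reason)
	fmt.Println(Screen(r, cache, "192.0.2.10", true, false, now.Add(31*24*time.Hour)).Reason)
}
```

The order matters: the cheap DNS check runs before any probe that costs a connection, and the cache is keyed on the IP rather than the PTR name so a sender cannot inherit someone else's approval by pointing a new PTR at an approved hostname.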
      • Quite a few national ISP's already do port 25 filtering so that customers connected to their network can only use their relays. What's needed on top of that is outbound spam filtering and virus filtering. It doesn't stop at the ISP level, though. If Joe Customer gets a copy of Sobig.f in his inbox, opens it, starts spamming everyone in his address book, but is blocked due to the diligent efforts of his ISP. It doesn't stop him from taking his laptop to work and passing it along to all his friends at his
    • Of course there could be a downside to all this, once the blacklist people start cutting off EVERY ISP in the world because of spam messages SOBIG would defeat itself because no one would be getting mail.

      Before that happens there will be a lot of lawsuits like the one on AOL [slashdot.org] helping virii like SOBIG, the situation you foresee is very unlikely to happen.

    • I suppose your side is true, but next to pointless compared to what the experts believe the virus is trying to do.

      With more and more open relays closing, spammers are having to rely more and more on their own servers, out of the country servers, loopholes in free email service's interfaces, etc, in order to get their mail out.

      With a shitload of computers at their disposal to send their spam out, they won't have to worry about hiding where it comes from, how they did it, paying for their own bandwidth, or p
    • There's no need for the SOBIG authors to control the machines after SOBIG has been executed. They just need to include the spam message in the virus itself.

      No, that only provides a one-off spamming opportunity. The big picture is controlling a vast army of zombies to do... something. Spamming is a likely job for this army, as is DDoS. And with a zombie force big enough, the commander could throttle down the individual nodes' output to lessen the chance of discovery. I'd suspect that SoBig.G and possib

    • once the blacklist people start cutting off EVERY ISP in the world because of spam messages SOBIG
      would defeat itself because no one would be getting mail.


      That's exactly the point of SoBig.
      It's practically impossible to stop, except in 2 cases:
      a) Everyone (or at least 95-97%) would use Outlook anymore...

      b) All holes (of the same nature as Sobig uses) are closed in Outlook...

      Can't really make up my mind about which is more unlikely to happen....I'm not holding my breath for either to happen though.
  • huh? (Score:5, Interesting)

    by captain_craptacular ( 580116 ) on Tuesday August 26, 2003 @03:10PM (#6797113)
    So someones business plan is to admit to writing/distributing the worm and then rent out the affected boxes?

    I must be missing something because it seems to me that such a business would be immediately sued into oblivion.
    • Re:huh? (Score:4, Insightful)

      by wmaker ( 701707 ) on Tuesday August 26, 2003 @03:13PM (#6797166) Homepage
      No one actually knows how he/she got the list though. The person wrote the virus, gains the list, and sells it. No questions asked about HOW he got the e-mail addresses.
    • Re:huh? (Score:3, Informative)

      by jrumney ( 197329 )
      The biggest spam gangs at the moment appear to be working out of Russia, the Baltic States and China, with business fronts in those countries. I suspect the people behind them are the same old American and Dutch individuals that formerly ruled the spam world, but they think they are safe by using offshore bases. What we need is to trace these connections so we've got someone to sue into oblivion.

      If you get spam that appears to be willingly sent from China, report it to the Ministry of Commerce [mofcom.gov.cn]. Hopefully

    • Re:huh? (Score:3, Interesting)

      "So someones business plan is to admit to writing/distributing the worm and then rent out the affected boxes?"

      I'd be more inclined to think it's a feasibility study by some government or other to test for electronic warfare readiness. I wouldn't be surprised if it was the US government. Remember that whatever doesn't kill you makes you stronger. A whole lot of machines that otherwise would never have been updated/patched were cleaned up because of this.

  • by iplayfast ( 166447 ) on Tuesday August 26, 2003 @03:11PM (#6797132)
    OK, so some company decides to buy. Wouldn't they now be liable for unauthorized use of the computers. Why would a company take the risk? I think this is a red herring, and that it's just another way for worm/virus writers to justify themselves to the world (and themselves).

    • OK, so some company decides to buy. Wouldn't they now be liable for unauthorized use of the computers. Why would a company take the risk? I think this is a red herring, and that it's just another way for worm/virus writers to justify themselves to the world (and themselves).

      So here's the trick. Let's say some company buys in and is then sued to oblivion. Now let's say I am SCO (insert your own hated company). I can then buy the services but advertise for Red Hat (insert your favorite company). So now
    • It's already happening. There are outfits that sell subscriptions to get access to a fresh supply of open proxies for spamming. From what I've heard, their software can also scan for open proxies and report back positive hits to add to the master list. The only difference with SoBig is that someone has set out to create the open proxy resources, rather than scan for existing proxies. So, spammers are already taking the risk of unauthorized use of computers, and getting away with it. And I don't think
    • "What? Our ads are being sent out through illegal means? I am shocked, shocked! Of course, we don't send out ads ourselves; we use a subcontractor. We had no way of knowing that they were breaking the law. They'll be fired at once!"

      (and rehired under a different name).
    • Better yet - let's start a $$$ fund through /. to buy the "services" of the spammers ourselves and spam all these morons w/ the patch.

      Cheers,
      -- RLJ

      • The only patch for this is hitting the stupid users upside the head with a clue by four for running the virus. SoBig.F is a virus, not the MS Blaster worm you are thinking of. I'm sure there are a number of unpatched versions of outlook that automatically ran the virus, but I would be willing to bet the majority were the same old stupid users that have been responsible for running every other big virus we've seen.
  • Couldn't we then find out who wrote the virus just by interrogating the companies who benefit from the advertising?
    • by 87C751 ( 205250 ) <sdot@@@rant-central...com> on Tuesday August 26, 2003 @03:52PM (#6797662) Homepage
      Couldn't we then find out who wrote the virus just by interrogating the companies who benefit from the advertising?
      Others have done this [msnbc.com], but what they typically discover is a chain of fronts and cutouts that provide an insulating layer of plausible deniability. As soon as an investigation starts to traverse the chain, key links dissolve and the trail goes cold. Besides, Mr. SoBig could easily market his zombie army's services without so much as a single customer even hearing his voice on the phone.
  • by bopo ( 105833 ) * <bopo@n e r p .net> on Tuesday August 26, 2003 @03:13PM (#6797160) Homepage
    Blockquoth the article:
    "You can liken this guy to Lex Luthor and we're all supermen," said Russ Cooper, a security expert at Trusecure in Herndon, Va. "Luckily we've been able to get the kryptonite from around our necks each time so far."
    I certainly know a lot more about this guy's sex life than I did five minutes ago.

    "Now, liken me to Sinestro and you're the Green Lantern..." *shiver*

  • Its not the spammers!
    It's probably someone out to eventually make every computer a 'trusted computer'
    The last thing spammers want to do is lose their ability to spam. If this virus is really intended to help spammers, then it will be in short order that we will all be ordered to use a trusted computer platform (cough* Microsoft *cough) and that will pretty much be the end to any sort of freedoms that the net enjoyed in its early and its glory years.

    Would like to hear some discussion thanks!
  • Doesn't it seem like the more viruses this person/group releases, the easier it will be for them to get caught? Doesn't it seem like if companies use this network to spam, it will be easy to pin down the culprit? Although it sounds like a good story, I don't believe that anyone would be stupid enough to try.
  • ICQ spam (Score:5, Funny)

    by Wiseazz ( 267052 ) on Tuesday August 26, 2003 @03:14PM (#6797173)
    Back when I used ICQ, I used to like getting spammed:

    HotSxzzGrl says: Can we talk?

    Or something like that. It's been awhile. God I miss her, though.
  • Bad plan (Score:4, Interesting)

    by connsmythe96 ( 576445 ) <slashdot@adamkemp . c om> on Tuesday August 26, 2003 @03:14PM (#6797174) Homepage
    I don't think many businesses would want to be associated with a virus spam scheme. Even if most people wouldn't know it came from spam, the truth would come out eventually, and that company would be investigated, and then whoever wrote the virus would be found (and jailed). This would be a horrible plan for any business.

    So I'm not sure I buy that explanation.
    • Re:Bad plan (Score:3, Insightful)

      by Wiseazz ( 267052 )
      Most companies that spam me on a regular basis probably aren't interested in PR.

      Unless herbal penis enlargers are now a legit business. Last I checked, no such luck. Maybe if it worked... well, so I'm told.
  • by bc90021 ( 43730 ) * <`bc90021' `at' `bc90021.net'> on Tuesday August 26, 2003 @03:14PM (#6797175) Homepage
    ... that Sobig.F expires on September 10th, and the next one will probably come out on September 11th.
  • 6 degrees attack (Score:5, Interesting)

    by bigattichouse ( 527527 ) on Tuesday August 26, 2003 @03:14PM (#6797176) Homepage
    I would have assumed that this was a six degrees attack on sensitive structures, given the back doors. Flood the network with viruses, and some moron will eventually lead you to the computer you've been actually targetting.
  • "You can liken this guy to Lex Luthor and we're all supermen," said Russ Cooper, a security expert at Trusecure in Herndon, Va.
  • by phaetonic ( 621542 ) on Tuesday August 26, 2003 @03:15PM (#6797186)
    I have been noticing a lot of my hosting customers are being restricted to using only their ISPs SMTP server to send e-mail. They will not be able to connect to their colocated/hosted e-mail servers to send e-mail. I believe this is to prevent SOBIG and other types of worms from sending out e-mail, but this is making my job quite hard. I have to configure webmail for all these customers who would rather use Outlook.
  • by Kenterlogic ( 648880 ) on Tuesday August 26, 2003 @03:15PM (#6797194) Homepage
    Spam is becoming such a huge business that they need to resort to crime to grow. The stretches of Spam have become so extensive and intrusive that they can't even legally think of anything else. My suggestion, like millions of annoyed consumers, would be to just stop spamming. It is a waste of resources both for the spammer and the spamm-e (what the hell, that doesn't look like a word). Furthermore, all the evidence I can gather suggests that it is entirely ineffective.

    So why resort to a series of viruses that rip through international networks? Then again, why climb Mt. Everest? Because it was there.

    (Note: Obviously the reaches of SoBig and spam in general reach well outside the United States and in all likelihood, originated elsewhere. Don't think that I am some egocentric American who thinks that the U.S.A. is the only place on Earth. I was just using it as a frame of reference because it is what I am most familiar with.)
  • if thats the intent (Score:2, Interesting)

    by rootofevil ( 188401 )
    execution is pisspoor. reference the previous article about viruses/worms being good for us. massive attacks like melissa/iloveyou/sobig/whatever the latest one is gives us another chance to educate our users and friend about not doing things like opening PIFs and EXEs, even from people you know. plus it gets the vulnerability plugged (theoretically anyway).

    creating a network THIS way is counterproductive.
  • A Bad Thing? (Score:5, Insightful)

    by sethadam1 ( 530629 ) * <ascheinberg@gmai ... minus physicist> on Tuesday August 26, 2003 @03:16PM (#6797209) Homepage
    If the entire internet were absolutely smashed with spam, at least one good thing might emerge - the will to actually combat it realistically!

    With all the techno-dweebs on this site and all the fantastic opinions about whitelists and blacklists and graylists and modifying SMTP and replacing SMTP and handshakes and authentication and a million other solutions, perhaps someone, somewhere, will finally begin to make a dent in actually dealing with the spam problem.
  • I mean, if 2.8 billion people receive the same spam for item X, won't it be obvious that the makers/sellers/promoters of item X are to blame. When push comes to shove, they will, of course, name names.

    Somebody will go down, hard.
    • Apparently not, because if spamming wasn't profitable people wouldn't do it.

      And a bit different but back when I used Kazaa a fair amount whatever popup generating crap it installed constantly had ads for Orbitz, and they still exist, and probably make money.
  • SMTP IS DYING/DEAD (Score:4, Interesting)

    by Anonymous Coward on Tuesday August 26, 2003 @03:16PM (#6797215)
    This protocol allows anonymous delivery of data within your networks. I predict death of feasibility within 1-2 years. No amount of legislation or threat of legal action can stop the flow from a vast supply of potential "dumb" drones.

    Welcome to the Internet, 2003.

    Next up, authenticated delivery, whitelisting, and the death of the mail server as we know it.
    • by Anonymous Coward
      It is now official - Netcraft has confirmed: SMTP is dying
      Yet another crippling bombshell hit the beleaguered SMTP community when recently IDC confirmed that SMTP accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that SMTP has lost more market share, this news serves to reinforce what we've known all along. SMTP is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the r
    • Erm, my sendmail install seems to still be working, and (checking) yes, it still delivers mail. SMTP seems to still be working.

      It's Exchange that seems to be dead. Given the sudden dearth of enlargement offers in my inbox, I have to say "it's a good thing."

  • by Lispy ( 136512 ) on Tuesday August 26, 2003 @03:16PM (#6797217) Homepage
    Nah, just what I needed. After spending days patching all those Windows PCs from my friends, family and even coworkers I feel kind of tired. I love to come home to my Slackware-Box where everything is just the way I left it and wonder why, oh why, they won't listen to my words? I mean, I told them I would hold their hands while switching. I can't see how someone with a modem connection can honestly stick with something that makes him download hundreds of MB from http.windowsupdate.com (sorry, i meant http://windowsupdate.microsoft.com, say it one more time and I will scream! ;-).

    Can't wait til they fire up their distributed Spam-Network, that will show them. Wonder who will be left to hold their hands? Muahaha!!

    Sorry for being offtopic but I had to say it.

    Cu,
    Lispy
  • Spam merchants and virus/worm writers are collaborating and will collaborate, and build networks that make spam filters entirely useless.

    Of course Sobig is about spam. Why else does some mysterious but well-financed entity want to control half the desktops of the world?

    How about this spam technique, which I predict will occur in 6-9 months' time:

    Tampering with real emails, inserting the spam message mixed with the real email.

    Does that scare anyone? It makes a mockery of current technology for fighting spam.
    • Hence, GPG. (Score:3, Insightful)

      by sethadam1 ( 530629 ) *

      That's when encryption will be publically adopted.
      • Re:Hence, GPG. (Score:4, Insightful)

        by RollingThunder ( 88952 ) on Tuesday August 26, 2003 @03:31PM (#6797407)
        Not necessarily encryption, but more likely signing.
        • Re:Hence, GPG. (Score:2, Insightful)

          by Inode Jones ( 1598 )
          Which will be useless unless you can prove that signing cannot happen without human intervention.

          If the GPG secret key is on a Windoze user's hard drive, then what stops the virus from waiting in the background, sniffing the passphrase, then invoking GPG itself?

          My prediction: viruses will be used for industrial espionage:

          1. Infect home PC of target, and do nothing noticeable.
          2. Wait until VPN into employer comes up.
          3. Fetch secret info and store on hard drive.
          4. Wait until VPN link is dropped and regular
          • It's not even that hard. Just insert Spam into the message before it gets signed but after it was composed. I doubt it would be too hard just take over the signature function of outlook.
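The point made in the two replies above, as an added example that is not code from the thread: a detached signature over the message body catches spam spliced in after signing, but a hook sitting between the composer and the signing routine signs the spam along with the body, and the recipient sees a valid signature. Ed25519 from the Go standard library stands in for GPG; the message text, the spam text and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message is the part of a mail a detached signature covers: the body as the
// MUA hands it to the signing plug-in, plus the signature itself.
type Message struct {
	Body []byte
	Sig  []byte
}

// Sign produces a detached signature over the body exactly as a signing
// plug-in would once the user's passphrase has unlocked the private key.
func Sign(priv ed25519.PrivateKey, body []byte) Message {
	return Message{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify is what the recipient does; it says nothing about who invoked Sign.
func Verify(pub ed25519.PublicKey, m Message) bool {
	return ed25519.Verify(pub, m.Body, m.Sig)
}

// AppendAfterSigning models tampering downstream of the signer: a relay or
// the recipient's own infected host splices spam into an already-signed body.
func AppendAfterSigning(m Message, spam []byte) Message {
	body := append(append([]byte(nil), m.Body...), spam...)
	return Message{Body: body, Sig: m.Sig}
}

// HookedSign models the reply above: malware sits between the composer and
// the signing function, so the spam goes in before the signature is computed
// and the result verifies as the user's own words.
func HookedSign(priv ed25519.PrivateKey, body, spam []byte) Message {
	tampered := append(append([]byte(nil), body...), spam...)
	return Sign(priv, tampered)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample message and spam tail.
	body := []byte("Hi Bob, the Q3 numbers are attached.\n")
	spam := []byte("\n-- \nHerbal enlargement, order now!\n")

	clean := Sign(priv, body)
	fmt.Println("clean message verifies:   ", Verify(pub, clean))
	fmt.Println("spam added after signing: ", Verify(pub, AppendAfterSigning(clean, spam)))
	fmt.Println("spam added before signing:", Verify(pub, HookedSign(priv, body, spam)))
}
```

The third line is the one that matters: signature verification proves the key was used, not that a human chose what it was used on, which is why the key living on the same host as the malware does not help.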
      • Re:Hence, GPG. (Score:2, Insightful)

        by IM6100 ( 692796 )
        Not hardly. If and when 'encryption' is publically adopted, it will be with a wobbly plug-in to Outlook Express or something similar. It'll become the new security nightmare.
    • Of course Sobig is about spam. Why else does some mysterious but well-financed entity want to control half the desktops of the world?

      Hell, I'm just happy to know the identity of the non-mysterious but well-financed company that controls 95% of the desktops of the world. You know, the one responsible for all this mess?

    • Tampering with real emails, inserting the spam message mixed with the real email.

      Does that scare anyone? It makes a mockery of current technology for fighting spam.


      Having someone with user-level access to my computer or my correspondents' computers, or with root-level access to our mail servers, would scare me regardless of what they did with that access. If they merely used that access to stick spam in our email that would almost be a relief.
  • Will the authors of Sobig.G get it right [slashdot.org] next time?
  • link to NYT article (Score:2, Informative)

    by gskc ( 661798 )
    here is the actual article [nytimes.com]
  • by skyknytnowhere ( 469520 ) on Tuesday August 26, 2003 @03:21PM (#6797267)
    Maybe its just that the virus writer is actually starting to follow the kinds of ideas that geeks often toss out. "Oh yeah, if I was making a virus I'd have it..."

    Granted, it still exploits the most obvious problem in computing: the people who use Outlook in its "Automatically Run Attachments" mode, but it would be foolish to ignore the largest and most potentially devastating venue.

    Once the guy figures out exactly the heuristic to hit the most targets in the shortest amount of time, he can put a real payload in it, like a file encrypter for .doc files, or something similarly nasty. And he'll only share the key if we put deposit money in a Swiss bank account! ... hey, that's not a bad idea.

    skye
  • by RobertB-DC ( 622190 ) * on Tuesday August 26, 2003 @03:22PM (#6797286) Homepage Journal
    I suspect that the 20 hardcoded download sites in the current variant are a proof-of-concept, not a future strategy. Every time a virus is exposed that tries to download from some fixed location, I've wondered why virus writers would even try such a thing, when it's obvious that white hats will reverse-engineer their code?

    What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123 [google.com]", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

    For even better effect, use a moderately common word or phrase that Google couldn't remove from its index without causing big problems.

    On the non-technical side... I was struck by the post in a previous SoBig discussion that noted that this variant expires on 9/10, and if the F-Secure expert is right, that's not a good sign:

    "I think the motivation is clear. It's money," said Mikko Hypponen, director of anti-virus research at F-Secure, an antivirus firm based in Finland that is decoding the illicit program. "Behind Sobig we have a group of hackers who have a budget and money."

    If there's a budget and money, then there's organization, and I'm concerned about the organizations that might see 9/11 as a good day to launch a distributed attack.
    • better yet, take the next part of the virus payload and base64 it, then fetch it from the google cache. its unlikely that google would get taken out from the volume of the traffic, but they might purge the documents from the cache when the next variant is reverse engineered.
    • I suspect that the 20 hardcoded download sites in the current variant are a proof-of-concept, not a future strategy.

      These weren't download sites, just name servers (so to speak). And it's not clear if there were only 20 of them.
    • by Simon Brooke ( 45012 ) * <stillyet@googlemail.com> on Tuesday August 26, 2003 @04:42PM (#6798351) Homepage Journal
      What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123 [google.com]", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

      OK, let's see how you would do it...

      The payload of the original virus would be a encrypted peer-to-peer daemon somewhat like Freenet [freenet.org], except that it would only allow uploads signed with a particular digital signature. The client would of course have to include the public key of that signature, but not the private key.

      Once infected a machine would open a listening port and attempt to connect to machines chosen randomly but with a bias to its local class C (as with CodeRed [nai.com]). Once contact has been established the machines would exchange IPs so that each could recontact the other. Each machine would continue to probe for peers until it had found a certain number - say twenty - and then it would remain quiescent, just listening. Periodically (say weekly) it would handshake again with its known peers, and if any failed to handshake twice successively it would seek others until it had again reached quota.

      Once the virus was widespread the author would send a signed file to one infected machine. The name of the file would be a unique string (for simplicity of exposition say a serial number, although any systematically unique string would do) so the first file the virus author injected might be 0001, the next 0002 and so on. The machine would accept the file as genuine because it could decrypt it with its local copy of the public key, and would pass it on unchanged to all the other infected nodes it knew about. If a machine had already received 0001 and was offered 0001 by a peer it would refuse it to save time and network congestion - not to be nice to other users, but because if the thing blocked up network bandwidth completely, it wouldn't be able to do its own dirty work.

      The signed files could contain

      1. a list of targets and a date/time. When the action date/time in the file was reached, the virus would mount a DDoS attack on the hosts listed in that file for twenty four hours and then delete the file.
      2. the URL of a file to load and then spam out in the same way the virus itself originally spread. Because this file doesn't have to be put up before the virus is launched it could be put up on any defaced site anywhere and need not be traceable back to the author.
      3. a hotfix patch to the virus itself, which would immediately be installed and run.

      This would be incredibly difficult to defend against because

      • in DDoS mode the hosts to be attacked wouldn't be known until the attack file began to propagate - and it could propagate very, very fast indeed, since the peer-to-peer network has connected itself in advance.
      • It would be impossible to introduce 'white' payloads into the network because only the author would have the necessary private key.
      • Because of the upgrade facility, as defences against the virus became available the author could inject into the network 'hot fixes' which would work around these defences.
      • Because the author could inject new signed files into any infected node, it would be very difficult to track down where they were being injected.

      Furthermore, the network could be used to launch several sequential attacks, which would not even need to have been planned at the time the virus was written. The author could, in effect, sell use of a flexible, massively distributed mass-UCE/DDoS attack engine to the highest bidder...

      Hang on, hang on... just wait until I get a patent on that idea!
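The command-distribution part of the design above, as an added in-memory simulation in Go that is not part of the thread and opens no network connections: each node holds only the author's public key, refuses a file whose serial number it has already seen, verifies the signature before acting, and forwards accepted files unchanged to its peers. The ring topology, the node count, the `Offer`/`Author` names and the payload strings are assumptions made for the example; Ed25519 stands in for whatever signature scheme the post has in mind. It shows the two defensive observations the post makes: one injection point suffices to reach every node, and a party without the private key cannot push a 'white' payload in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Command is one signed file as the post describes it: a serial number that
// doubles as its name, a payload, and a signature over both.
type Command struct {
	Serial  uint32
	Payload []byte
	Sig     []byte
}

// signedBytes is the exact byte string the signature covers: serial || payload.
func (c Command) signedBytes() []byte {
	b := make([]byte, 4, 4+len(c.Payload))
	binary.BigEndian.PutUint32(b, c.Serial)
	return append(b, c.Payload...)
}

// Node is one infected host: it knows the author's public key, a handful of
// peers, and which serials it has already accepted.
type Node struct {
	ID    int
	pub   ed25519.PublicKey
	peers []*Node
	seen  map[uint32]bool
	Acted []uint32 // serials whose payload this node acted on, in order
}

func NewNode(id int, pub ed25519.PublicKey) *Node {
	return &Node{ID: id, pub: pub, seen: map[uint32]bool{}}
}

// Offer is the peer handshake: refuse duplicates by serial to save bandwidth,
// check the signature against the local public key, act, then forward the
// unchanged file to every known peer. Returns whether the file was accepted.
func (n *Node) Offer(c Command) bool {
	if n.seen[c.Serial] {
		return false
	}
	if !ed25519.Verify(n.pub, c.signedBytes(), c.Sig) {
		return false
	}
	n.seen[c.Serial] = true
	n.Acted = append(n.Acted, c.Serial)
	for _, p := range n.peers {
		p.Offer(c)
	}
	return true
}

// Author builds and signs a command. Only the holder of priv can produce a
// signature the nodes accept; anyone else can build the struct but not sign it.
func Author(priv ed25519.PrivateKey, serial uint32, payload string) Command {
	c := Command{Serial: serial, Payload: []byte(payload)}
	c.Sig = ed25519.Sign(priv, c.signedBytes())
	return c
}

// BuildRing wires n nodes so each knows its two neighbours, a stand-in for
// the random peer discovery the post describes.
func BuildRing(n int, pub ed25519.PublicKey) []*Node {
	nodes := make([]*Node, n)
	for i := range nodes {
		nodes[i] = NewNode(i, pub)
	}
	for i, nd := range nodes {
		nd.peers = []*Node{nodes[(i+1)%n], nodes[(i+n-1)%n]}
	}
	return nodes
}

// Reached counts the nodes that accepted a given serial.
func Reached(nodes []*Node, serial uint32) int {
	k := 0
	for _, nd := range nodes {
		if nd.seen[serial] {
			k++
		}
	}
	return k
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nodes := BuildRing(50, pub)

	// Injecting at any single node is enough: the file floods the whole ring.
	nodes[17].Offer(Author(priv, 1, "attack target.example at 2003-09-10T00:00Z"))
	fmt.Println("nodes that acted on 0001:", Reached(nodes, 1))

	// A defender holding a different key cannot push a 'white' fix into the net.
	_, fake, _ := ed25519.GenerateKey(rand.Reader)
	nodes[3].Offer(Author(fake, 2, "uninstall"))
	fmt.Println("nodes that acted on forged 0002:", Reached(nodes, 2))

	// Re-offering a known serial is refused, which is what makes the flood stop.
	fmt.Println("duplicate accepted:", nodes[17].Offer(Author(priv, 1, "replayed")))
}
```

The dedup-by-serial check runs before the signature check on purpose: it is the cheap test, and it is also what bounds the flood, since every node accepts each serial at most once regardless of how many peers offer it.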

  • by terraformer ( 617565 ) <tpb@pervici.com> on Tuesday August 26, 2003 @03:23PM (#6797294) Journal
    "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks.

    Wonderful, I have gotten 5237 of these things and counting as I type this. If the next one is any better than this version I can expect to see greater volumes of this crap and that is not really a pleasing thought for a Mac user. Yeah, this time we are suffering too.

  • Set up machines to block all ports except what's requested.

    Firewall: incoming/outgoing.

    no attachments except compressed files!!
    executables have to be AUTHORIZED! to be downloaded and once saved, ONLY THEN, you have to manually navigate to the folder to execute it.

    chmod -R -x c:\
  • by glsunder ( 241984 ) on Tuesday August 26, 2003 @03:24PM (#6797307)
    What if the goal (or effect, either way) was to get things to the point where nearly everything was blacklisted for spam? The virus wouldn't have to send real spam, just fake spam in a way that would cause the person's ISP to be put on the blacklists. Once that happened, people would shut off the spam blocking software, and spam would reign supreme.
  • It seems to me that Sobig could just be collecting addresses somehow, perhaps mailing (the address book?) to some address that doesn't exist on the writer's server. Then the writer could just check the logs and see what bounced.

    This would be a case of me talking out of my ass. Is this possible, or is it readily detectable?

  • expect stuff like this to happen. as long as 2 or 3 jackfucks in alabama are gonna buy whatever arrives in their inbox spam will be profitable since there's no cost to it.
  • Holy Crap (Score:4, Insightful)

    by stratjakt ( 596332 ) on Tuesday August 26, 2003 @03:28PM (#6797356) Journal
    They could be hunting spam relays. They could be looking to anonymously bounce kiddy porn. They could be looking for thousands of boxes to keep their warez .torrent files alive and kicking.

    Hey, I just thought of that. That'd rock, be much easier and more effective than hunting for pubs. You even have one of your drones host the tracker in the first place.

    Anyways, who cares. Patch your machines and shut up. We're seeing as many sobig stories as we are SCO, and it really isn't that big of a deal.
  • Eventually (Score:2, Insightful)

    by zantolak ( 701554 )
    I'd rather not be a doomsayer, but seriously: If all the spam and viruses continue, people will get so sick of it that they'll take serious action. Since the anti-spam laws are both ineffective and draconian, and very few spammers have been successfully shut down, and worms, trojans, and viruses run rampant despite the availability of patches and better OSes: Everyone will be using a strict whitelist, ISPs will remove the ability to send and receive attachments, and HTML email will be disabled because of th
    • I think it will come down to what you said. If I had to pick between two ISP's for my parents, and one was locked down with tight security and strong filters, and audited their networks, and the other did nothing, I would pick the one with security. Most people do not have the time to remove viruses from their PC's. I think what is happening is like terrorism. Something must be done or the average mom and pop will not want to bother with the PC.
    • Re:Eventually (Score:5, Insightful)

      by forkboy ( 8644 ) on Tuesday August 26, 2003 @03:47PM (#6797595) Homepage
      The other possible scenario is that prosecutors will start going after the company that advertised via the spam. I'd like that solution, I've been saying that should be going on for years...spammers will go away if people are now afraid to use that method of marketing for fear of hefty fines.

  • by abhikhurana ( 325468 ) on Tuesday August 26, 2003 @03:30PM (#6797393)
    I don't know about you but ever since SOBIG has come into the picture, my mail box has been full of antivirus alerts from companies who supposedly got infected mails from my mail ID. Looking at the smtp headers of the infected messages attached in the response, I can see that the mails were never sent from my computer or from any person I know (I don't know any one in Russia for once), but still somehow someone got my address and used it to spread the virus. Which makes me believe that somehow someone who knows me got infected by the virus and the whole address book was sent to someone somehow.
  • by GillBates0 ( 664202 ) on Tuesday August 26, 2003 @03:43PM (#6797539) Homepage Journal
    Stream : SoBIG.main
    Revision : 6.0
    Code to be released : Pending Approval
    Target Release Date : Sept 9, 2003
    Proposed fixes :
    1. Enhance subject line generator.
    (Incorporate statistics from /. poll)
    2. Enhance performance.
    3. Incorporate "increase penis length" email.
    4. Fix critical product change requests
    5. Add string confirming soBIG refers to
    average penis size of development team.
  • RIAA (Score:2, Interesting)

    by sorrodos ( 693108 )
    Well, I don't know about p2p spam this way, but I do know the RIAA spams me on Kazaa...

    Half (okay, exaggeration) the songs I download are clips for their anti-piracy campaign, which I could care less about. I equate this to spam for penis-enlargement pills. I don't need either of them.
  • Checkmate (Score:4, Interesting)

    by Andy Smith ( 55346 ) on Tuesday August 26, 2003 @03:45PM (#6797562)
    Sobig always makes me think of the film Independence Day. You know how the aliens positioned their ships at strategic points around the globe and then waited for the countdown to strike simultaneously?

    It makes Sobig seem more 'sinister' when I think of it in these terms. Sure it's annoying, sure it's a drain on time and resources, but what's going to happen when all the ships are in position and the countdown hits zero?

    5, 4, 3...
  • by Abm0raz ( 668337 ) on Tuesday August 26, 2003 @03:54PM (#6797686) Journal
    Sobig scans the address book, cached webpages, text files on the harddrive, etc., for email addresses. Has it occurred to anyone that the rapid reproduction and spreading may just be a side effect of a spammer trying to gather the largest email list on earth? Imagine what they could do with a list that size? Even people who are careful with their personal email addresses could lose them to the spammer by their parents getting infected.

    Now, add this on top of how the sobig already spoofs emails and you get other people doing your spam for you ... and it's NEARLY untraceable back to you.**

    -Ab

    ** I know they can be traced, at least to the last computer, but getting back to the source is tough cause people tend to delete the original virused email. I know I traced several attacks and helped notify the host companies/universities and got them cleaned up, but after my 7th track, I got fed up and gave up, adjusted my MTA to block all mails with the .scr and .pif extensions and curled in a fetal position under my desk and took a nap.
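The MTA-side attachment block the commenter above describes, written out as an added example (this is not the commenter's configuration and no specific MTA is named on the page). It parses a MIME message with Python's standard `email` package and flags attachments whose filename ends in one of the extensions the comment mentions (`.scr`, `.pif`); the sample messages, addresses and filenames are constructed here for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions rejected outright, taken from the comment above (case-insensitive).
BLOCKED_EXTENSIONS = {".scr", ".pif"}


def build_sample_message(filename: str) -> bytes:
    """Constructed sample: a plain-text body plus one binary attachment.

    Addresses and content are placeholders so the example runs offline.
    """
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file.")
    msg.add_attachment(
        b"placeholder-bytes",
        maintype="application",
        subtype="octet-stream",
        filename=filename,
    )
    return msg.as_bytes()


def blocked_attachments(raw: bytes) -> list:
    """Return the filenames of attachments whose extension is on the block list.

    Only the final extension is examined, so a double extension such as
    'report.txt.pif' is still caught; the check is case-insensitive.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_reject(raw: bytes) -> bool:
    """Policy decision an MTA hook would act on: reject if any attachment is blocked."""
    return bool(blocked_attachments(raw))


if __name__ == "__main__":
    for name in ("your_document.pif", "details.TXT.SCR", "notes.txt"):
        sample = build_sample_message(name)
        print(name, "->", "reject" if should_reject(sample) else "accept")
```

A real deployment would call `should_reject` from the MTA's content filter and quarantine rather than silently drop, so that legitimate senders caught by the rule can be found in the logs; the extension list is also only a coarse first line, since a worm can rename its payload.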
  • by Animats ( 122034 ) on Tuesday August 26, 2003 @03:59PM (#6797742) Homepage
    It can't be a business venture, even a spam-based one. It's too high-profile a criminal enterprise. If the people behind it try to collect money, they'll be hunted down and arrested, or worse.

    Politically-motivated makes more sense. The current version expires on September 10, so a reasonable assumption is that the big attack comes on September 11.

  • by StefanJ ( 88986 ) on Tuesday August 26, 2003 @04:01PM (#6797767) Homepage Journal
    . . . and let Homeland Security take care of them.

    I mean, dang, wouldn't it satisfying to think of the wankers behind this stuck in a cell down in Guantanamo?

    And just think: The hour of exercise they'd get each day would probably more than they're getting now!
  • by selderrr ( 523988 ) on Tuesday August 26, 2003 @04:05PM (#6797817) Journal
    IMHO, the only way for SMTP to be replaced by something secure & authenticated (a la whitelists) is if the current system goes belly up in the most insane, painful and costly way imaginable. I wish it wasn't so, but reasoning, debate and research have proven useless to convince the powers that be that something needs to be done. MASSIVE, huge spamming, unstoppable is a way that will cost billions without doing any physical harm. If that doesn't trigger change, nothing will.
  • by KeithH ( 15061 ) on Tuesday August 26, 2003 @04:07PM (#6797840)
    If this theory were true, then the "test" virii would be much more benign. Since they have been quite noticeable, people have been compelled to take steps to close the holes. I would suspect that the next variant will be much less of a nuisance than its predecessors simply because the target market has been substantially reduced.

    No, if I was looking for a fun conspiracy theory, I would enjoy suspecting that Microsoft has decided that this is a good time to have all their customers tighten up their security.
  • Why Spam? (Score:3, Funny)

    by beggarstune ( 636814 ) on Tuesday August 26, 2003 @05:01PM (#6798585)
    Is spam that hard to send that someone had to build this virus - in 6 steps, no less - just to send it?
    Think of all the things you could do with 1000s of slaves getting instructions from systems on the internet.
    • DOS attacks on .gov or .mil sites, as well as all the .coms.
    • Blackmail or they get DOSed.
    • Solve complex mathematical problems grid-like - maybe for cracking passwords or something.
    Spam seems to be the mildest thing they can mention to the public - the possibilities for much worse things are there.
  • Occam's Razor (Score:3, Insightful)

    by janolder ( 536297 ) on Tuesday August 26, 2003 @10:09PM (#6801226) Homepage
    Come on boys and girls - I know it's fun to chat about conspiracies, but how likely do you think it is that some spammer creates a reasonably sophisticated worm like SoBig.[A-F] with the intent to create open relays when he can just as well use all the open relays out there instead?

    Keep in mind that writing and releasing a virus/worm/trojan requires a bit of skill and time and has the nasty side-effect of carrying significant jail time. Spammers don't have skill (or they'd be engineers), spammers don't have time (they have to work around filters all the time) and several years of jail time might not be too appealing to spammers either. Piggybacking on SoBig's backdoor for the purpose of spamming is guaranteed to have some nice FBI folks knocking on your door, confiscating all your equipment and looking for evidence of virus creation. Just a matter of time until you're read your rights from there on.

    I know people make a lot out of the fact that SoBig carries its own SMTP client engine. So what though? That feature enables SoBig to also use non-Outlook machines as staging areas. Simple.

    Use Occam's Razor [skepdic.com] and some common sense and see SoBig as what it is: a plain old worm somebody wrote to show off to his friends that has nothing to do with spam. Somebody as skilled as the worm writer probably hates spam as much as the rest of us. Not that I'm justifying SoBig in any way, I just removed 570 copies of SoBig.F from my inbox. :-(
