Heise Online Reveals Trojan / Spam Connection
yourruinreverse writes "Virus distributors have been caught red-handed selling IP addresses of trojan-infected machines by editors of the German IT magazine c't. Several individuals appear to have been arrested already after c't, revealing one of the virus writers' nationality as British, passed on the information to Scotland Yard. Check out the German article first, then its translation on Groklaw and maybe also the same translation posted in the English section of the Heise website (in order of appearance)."
The future of law enforcement? (Score:5, Insightful)
The Slashdot heading leaves out that it was a college student who did this primarily. Will this continue to be a pattern in the future? I sure hope so, as law enforcement is typically behind the times, and overworked as it is. This way, order is still maintained without vigilante justice, since those in the know involved proper law enforcement.
Re:The future of law enforcement? (Score:3, Interesting)
I don't know that I would count on that. There are lots of CS students with lots of time on their hands. Some trade music files, some write virii, and some track down the people doing the first two (and occasionally someone writes an OS). Anyone with adequate knowledge and time can do any of the above; the choice is up to them.
What choice will you make?
Re:The future of law enforcement? (Score:5, Interesting)
This is not really 'vigilante justice', especially in the racist sense which some ACs below saw there. It was someone who was affected (if only when cleaning up someone else's computer) and took the trouble to see what the trojan could do and where it came from. He then went to the only organisation he could think of (C't) which was technically able to understand the problem and had the legal knowledge necessary.
It was interesting that companies like Symantec had also done the analytical work on the trojan(s) (and had posted the results) but had no interest in treating this problem at its source (the ISS team). They make their money protecting computers from threats, not attacking those threats at the source.
What is going to happen to ISS now?
Re:The future of law enforcement? (Score:3, Informative)
In the US vigilante justice has a history that is associated with racism. Lynchings of whites by whites in the south, Bernie Goetz shooting black kids who tried to rob him, Chinese curfew laws in the west being enforced by white mobs, and so on.
Vigilante justice is anti-democratic, it puts an unpopular minority at the mercy of the majority.
I'm sure the cultural cultists protesting gay marriage in California would love to string up some of th
Re:The future of law enforcement? (Score:2, Interesting)
Re:The future of law enforcement? (Score:3, Insightful)
Re:The future of law enforcement? (Score:3, Insightful)
In this case, C't just did the police work for police too lazy/not knowledgeable enough to figure out what to do. But just like the poster said, "In the US vigilante justice has a history that is associated with racism". And he gave some examples of that, gay marriage being one of them.
So, I suppose the next question is... (Score:5, Interesting)
Re:So, I suppose the next question is... (Score:5, Informative)
They also have a banner you can add to your site that shows a warning if the viewer's IP is in the list. But I fear that people will ignore that and mistake it for the "Warning, your machine is broadcasting an IP..." ad that used to run.
Also check out mynetwatchman [mynetwatchman.com]
Re:So, I suppose the next question is... (Score:2, Insightful)
Re:So, I suppose the next question is... (Score:3, Informative)
People return logs from their routers; there are clients for most systems where you send back the list of denied packets. And they do record when the attacks took place. Example. [dshield.org].
But the main focus for the single user is that it sends back daily reports of denied activity against your routers, such as port scanners.
They do have a block list [dshield.org], which is rather short and only contains the worst current offenders over the last 3 days. They are not anal about it like
Re:So, I suppose the next question is... (Score:1)
Used to? One company that was doing it got slapped, but I'm sure I've seen that one recently. (Could be wrong, after a while it's just web page fluff that I haven't bothered to block and don't really look at, like the "clock fix" one.)
But you're right that I'd probably ignore anything that looked like that.
Re:So, I suppose the next question is... (Score:1)
You can see the warning here [dshield.org]
Re:So, I suppose the next question is... (Score:1)
I doubt I'd ignore dshield's notice. It wasn't vibrating so it really caught my eye!
Re:So, I suppose the next question is... (Score:1, Insightful)
If your network administrators were worth a damn, they'd be able to find the infected machines on their own.
Yes but... (Score:2)
Dont you have an admin? (Score:2)
Reality Check (Score:2)
Scary thought (Score:2)
Re:Scary thought (Score:1)
Re:So, I suppose the next question is... (Score:2)
Re:So, I suppose the next question is... (Score:5, Informative)
That's exactly what tools like nessus [nessus.org] are for.
Re:So, I suppose the next question is... (Score:1)
While nessus for Unix is open source, nessusd for Windows is commercial.
Re:So, I suppose the next question is... (Score:2, Interesting)
nessus needs a server (nessusd) running on the machine that is being checked.
Um, no, nessusd runs on the machine that is doing the checking. The machine being checked doesn't need to be running anything special, just up and accessible.
Re g*parent, seems a public site like that would be a great thing, for the spammers. User enters an IP to scan, say 1 in 1000 with a vuln they report as "none found", then use. Now, a non-public web interface equivalent to the nessus client program, for use on an internal-on
Re:So, I suppose the next question is... (Score:5, Funny)
The question is do the student get any money? (Score:2)
Re:The question is do the student get any money? (Score:2)
Re:So, I suppose the next question is... (Score:2)
I want a front row seat!
A maturing industry... (Score:5, Insightful)
Keep Smiling!
Erick
Re:A maturing industry... (Score:4, Funny)
Actually, virus writers are still geeks so they don't get the women. Never mind.
I new it! (Score:5, Insightful)
Too bad we don't live in a perfect world.
Re:I new it! (Score:2)
We could if we wanted to. Like Kucinich says, "I'm electable, if you vote for me."
Open Relays (Score:1)
So, if you're paying for IP addresses then that's probably not entirely accurate. Unless you're just trying to bring the advertisement directly to the person's screen. I'd believe that.
Re:Open Relays (Score:5, Insightful)
From some of the spam I've been getting, I think that some spammers are playing with zombie relay malware. That allows them to load up a whole spam run on a zombie machine and move on to the next one. I'll bet that their relay software is designed to not look like an open relay to anyone else. Why share the box with other spammers, and why set off open relay detectors?
Caught red-handed? (Score:5, Funny)
So did these guys have IP addresses hanging from their necks like bling blings?
Re:Caught red-handed? (Score:3, Informative)
Re:Caught red-handed? (Score:2)
Also with Linux Root Kit (Score:4, Interesting)
This article does not surprise me at all. Some months ago I already read on the net about a root kit for Linux which installs and camouflages itself on the compromised computer and then starts a special SMTP server, which fetches 1000 email addresses at a time from the outside by way of client-server communication and then sends the spam. Afterwards it even sent the result codes back to the server.
In that case it was more difficult to trace the author, because on the one hand the servers were located in several states, and on the other hand the companies to which the IPs/domains belonged were in turn mailbox or dummy firms.
The problem is that here regular servers were compromised, which did not have dial-up IPs and thus are not recognised via RBLs either.
What one learns from it is probably clear: apply security updates, scan mail content (spamassassin), and never feel safe.
Unfortunately I could no longer find the article I meant, otherwise I would have quoted it.
Re:Also with Linux Root Kit (Score:4, Funny)
Re:Also with Linux Root Kit (Score:2, Insightful)
Re:Also with Linux Root Kit (Score:2)
I say we set aside one day, and make all our posts to Slashdot via Google translation to some arbitrary language and back to English (non-English speakers can just translate to English directly).
Hang 'em High (Score:4, Insightful)
plain and simple: virus writing will get you in deep shit.
Re:Hang 'em High (Score:1)
Re:Hang 'em High (Score:3, Insightful)
You know, that statement would work a lot better if you gave an actual punishment rather than slang...
e.g. virus writing will put you in jail
Although personally I find it hard to justify jail for virus writers... maybe...
virus writing will lose you your right to use computers for a while, along with a hefty sum of cash
Re:Hang 'em High (Score:2)
Re:Hang 'em High (Score:2)
Hmm, I didn't say no serious punishment... but I don't think jail is necessarily the answer. It costs the country money, it stops them doing productive work, and it may not change their ways.
Jailing people who aren't a continuing threat to society always seems a little odd.
(I don't have any claim to be an expert on such things, nor on what works, though).
I'm not sure laws/punishment are particularly effective against viruses, anyway -- it's such a big 'kick me' sign that viruses will always be written
Re:Hang 'em High (Score:2)
(Er, that last paragraph wasn't an argument for leniency, it was an argument that going after the virus writers isn't a way to stop viruses).
Re:Hang 'em High (Score:2)
Re:Hang 'em High (Score:2)
You know, I think the grandparent post had an excellent suggestion for appropriate punishment of virus writers:
Convicted virus writers should be sentenced to hard labor, shoveling in a manure processing plant, like the evil midget from Mad Max: Jumping the Sharkdome.
Re:Hang 'em High (Score:1)
If they are working with spammers, then I agree, mere jail is much too lenient. At the very least rig the cell to be constantly bombarded with ads.
The outlawed triangle... (Score:4, Insightful)
Re:The outlawed triangle... (Score:4, Insightful)
I used a P2P network once, to get an unavailable piece of music. Had it been on sale in the shops I would have bought it.
Lesson for the RIAA - keep everything available for ever, and find a sensible way of charging for odd copies of one track, then honest people would not need to do this. Of course that might need some understanding of technology, which no-one in your organisation apparently has any more, because you can't distinguish between someone who only wants to play the DVD he has paid for on his non-Microsoft PC and a gangster.
Re:The outlawed triangle... (Score:5, Insightful)
Re:The outlawed triangle... (Score:1)
They're trying to make money by giving the software away. Their main options for income are banner ads, or spyware and other malware. If they used the service model of payment, their central servers would be targeted by the RIAA in a heartbeat--if the RIAA had one.
Re:The outlawed triangle... (Score:1)
This explains much (Score:5, Informative)
A few weeks ago I noticed a HUGE spike in the number of trojan scans against my firewall. I found that the scans were coming from pretty much everywhere (world-wide), and seemed to start up almost as soon as I connected to the net. I have been wondering what was behind such a spike in trojan scan activity; I guess this is my answer.
Fortunately, there are no known trojans on my system, the firewall and the virus checker are doing their jobs.
Excellent work (Score:5, Interesting)
It would be very useful if the police forces had well-publicised points of contact for reporting computer and internet crime. At the moment, the local police station is unlikely to know anything at all, unless you are lucky enough to meet one of the few policemen who is really into computers, likely as a hobby. The expertise seems mainly to be in Scotland Yard; the department there could do with more funding, more staff, and more publicity, such as a simple means to contact them by email or web. My systems get besieged by attacks from a handful of IP addresses, and if there was a central point for reporting all these easily, it would not be hard to spot the patterns and take appropriate action. For example, a warning letter from the police might be sufficient to get open mail relays closed, and cable modem users who have been trojaned might pay heed and take proper precautions. This could be largely automated; only where the parties concerned were deliberately committing criminal acts, or failed to react to a warning, would the full powers of the Computer Misuse Act need to be applied.
Not so long ago there was an idiot on the NTL cable network who was causing continual problems to others because his machine was running continually and had been trojaned, and was being used by hackers elsewhere. Something like that, after a few independent reports, should automatically trigger a "cease and desist" letter, together with some good advice on cleaning up the problem.
It seems to me that it should be quite simple to gather and collate information from the public, which together with the ISP's logs would enable the causes of problems to be located and dealt with. I for one don't mind my ISP's files being available automatically to a law-enforcement robot; I would rather get a warning letter or email if something was amiss.
Of course the way to deal with the most recent round of severe problems is to simply ban Outlook. I wonder if the Convicted Monopolist could gain another conviction for deliberately producing software which facilitates contravening the Computer Misuse Act? BTW it would help if other countries enacted similar legislation instead of being misled by fascists like the RIAA into stupidly focussing on those who might want to play a DVD on their Linux computer, for example. In the UK, the CMA has real teeth, sadly it does not get exercised as often as it should, because it provides a means to outlaw certain vile practices. For example, if an installer deliberately cripples another application (we all know some that do, and most come from the Redmond area), that is a criminal offence, and rightly so, yet I have not seen any prosecutions. The wording of the Act would suggest that if installing Windoze as the second OS blows away the ability of Linux/BSD/OS-2 (or whatever) to boot, then an offence is committed. The only defence seems to be that it was done in ignorance. Can you imagine Bill standing in the dock in the Old Bailey, pathetically whining that he was not guilty, he was only ignorant? Justice would be admirably served by that admission.
Re:Excellent work (Score:2)
Indeed. This morning, I received four copies of an "Update your paypal account" credit card number stealing scam email, and while it wasn't difficult to trace the people doing the collection (the ip address is 210.78.22.113, it's running Redhat 6.2 with a 2.2.17 kernel by the way), it's located in Shanghai and I have no idea how to take this further.
Even crashing their box would b
Re:Excellent work (Score:2)
That should be wide open for Mr. Freighttrain.....
Re:Excellent work (Score:1)
Re:Excellent work (Score:3, Insightful)
Then use it to either send email or host a web page critical of the Chinese government or praising the Fulan Gong (sp?)
Then wait for the news report of the chinese government executing these criminals for computer crimes.
Is there a more cheerful thought than dead spammers?
The factor neglected most often.. (Score:5, Insightful)
Re:The factor neglected most often.. (Score:1)
Re:The factor neglected most often.. (Score:2)
Actually, I don't think so. Not data theft on random computers infected with trojans. There is no useful data, or if there is, it's seldom and hard to find. Plain spamming is probably much more efficient, economically.
For example, if you had full access to my PC, you could find my credit card number by scanning the 20GB of files I have (OK, statistically, you would have to scan less than the 20 GB). But that's not really a secret anyway. Yo
And the network operators still do nothing (Score:5, Interesting)
Let's try it again for a test, shall we?
# host www.all-oem.biz
www.all-oem.biz is an alias for all-oem.biz.
all-oem.biz has address 217.81.243.206
all-oem.biz has address 24.98.35.54
all-oem.biz has address 212.83.89.135
all-oem.biz has address 213.33.0.67
all-oem.biz has address 24.6.6.196
And again, what do we have? 2 Comcast cable modems working away trying to sell software that APPEARS to be pirated, and is advertised via spam with false headers.
Let's check the DNS, shall we? The DNS servers for the domain are listed as follows:
Name Server:NS1.MOROZREG.BIZ
Name Server:NS2.MOROZREG.BIZ
Name Server:NS3.MOROZREG.BIZ
Name Server:NS4.MOROZREG.BIZ
Name Server:NS5.MOROZREG.BIZ
Each of these name servers is also hosted on compromised machines, mostly broadband connections. Don't take my word for it; haul out nmap [nmap.org] and take a look for yourself. The IPs for these name servers change pretty often. At this time no Road Runner accounts are showing up. I give it an hour before we get a few more.
In short this is nothing new, and no one should be shocked. Spammers have shown themselves to be an unscrupulous lot. What IS good is that this is starting to get some press. Perhaps this will put pressure on providers to police their networks better. Otherwise more drastic action may be required to be taken by other networks to simply protect themselves.
AngryPeopleRule [angrypeoplerule.com]
Re:And the network operators still do nothing (Score:5, Informative)
It takes a little more effort to track down what is going on, and large broadband ISPs' abuse desks are probably too swamped - which should be no excuse.
Re:And the network operators still do nothing (Score:1)
Say maybe a dig-diff program...
$ dig-diff spammer.com ns1 ns2 ns3 ns4 ns5
spammer.com is 1.2.3.4 from ns3 and 4.5.6.7 from ns5
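As an added example (not code from the thread, from c't or from any of the posters), a Python sketch of the dig-diff the poster describes: it compares the A records several name servers hand out for one domain and, for the hijacked-broadband pattern in the `host` output above, also counts how many networks the addresses span. The `ns1`/`ns3`/`ns5` answer sets are constructed; the live `dig` wrapper is optional and needs network access.

```python
"""Added example: a small "dig-diff" for an abuse desk or network operator.

Name servers parked on compromised broadband hosts drift out of sync, so a
domain whose servers disagree, or whose addresses are scattered over many
unrelated networks, is a signal worth a closer look.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Set

# `host` output format quoted in the thread: "<name> has address <ipv4>".
HOST_LINE = re.compile(r"^\S+ has address (\d{1,3}(?:\.\d{1,3}){3})$")
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_host_output(text: str) -> Set[str]:
    """Collect the IPv4 addresses from `host`-style output, skipping alias lines."""
    found = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def query_nameserver(domain: str, nameserver: str) -> Set[str]:
    """Live lookup with `dig +short @<ns> <domain> A`; not used by the sample run."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", f"@{nameserver}", domain, "A"],
        capture_output=True, text=True, check=False)
    return {l.strip() for l in proc.stdout.splitlines() if BARE_IPV4.match(l.strip())}


def diff_answers(domain: str, answers: Dict[str, Set[str]]) -> List[str]:
    """One line per address that not every server returns, in the poster's style:
    "<domain> is <ip> from ns3, ns5 only". An empty list means all servers agree."""
    servers = set(answers)
    seen_from: Dict[str, Set[str]] = {}
    for ns, ips in answers.items():
        for ip in ips:
            seen_from.setdefault(ip, set()).add(ns)
    lines = []
    for ip in sorted(seen_from, key=ipaddress.IPv4Address):
        if seen_from[ip] != servers:
            lines.append(f"{domain} is {ip} from {', '.join(sorted(seen_from[ip]))} only")
    return lines


def network_spread(ips: Set[str], prefix_len: int = 16) -> int:
    """Number of distinct /prefix_len networks the addresses fall into. Ordinary
    hosting clusters in a few networks; hijacked consumer hosts scatter widely."""
    return len({ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips})


# Constructed sample: the five addresses from the thread's `host` output, split
# unevenly across three hypothetical name servers that have drifted apart.
SAMPLE_HOST_OUTPUT = """\
www.all-oem.biz is an alias for all-oem.biz.
all-oem.biz has address 217.81.243.206
all-oem.biz has address 24.98.35.54
all-oem.biz has address 212.83.89.135
all-oem.biz has address 213.33.0.67
all-oem.biz has address 24.6.6.196
"""
SAMPLE_ANSWERS = {
    "ns1": {"217.81.243.206", "24.98.35.54", "212.83.89.135"},
    "ns3": {"217.81.243.206", "24.98.35.54", "213.33.0.67"},
    "ns5": {"217.81.243.206", "24.6.6.196"},
}

if __name__ == "__main__":
    for line in diff_answers("all-oem.biz", SAMPLE_ANSWERS) or ["all servers agree"]:
        print(line)
    print("distinct /16 networks:", network_spread(parse_host_output(SAMPLE_HOST_OUTPUT)))
```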
*pay* for IPs of infected machines? (Score:1)
RTFA. RTFA. RTFA. (Score:5, Funny)
I'm supposed to RTFA 3 times?
1: You're lucky if one out of every 3 read it once.
2: Is this supposed to be a cascading Slashdotting? Next time just submit the story 3 times with a different link each time.
Re:RTFA. RTFA. RTFA. (Score:1)
If you did a good RTFStory, you'd find the first is the original German article (including some links absent in the translation), the second is the first publication of its translation into English on Groklaw.net, and the third is exactly the same text published on heise.de again. It even has a cute notice at the end which explains which version had become available in what order. Knowing that, you would not have needed to click on all three links: one or two would have sufficed.
Re: 2.
If
Does this surprise anyone? (Score:4, Insightful)
Illegal IP addresses? (Score:4, Interesting)
I run snort on a bunch of systems and have some very large lists of infected IP addresses. I suspect many others do too. Every time snort burps up a new IP address I inform the ISP that "owns" the IP address. The reality is that no one cares. I have been "hit" by 68.162.91.238 over 20 times in the last month by different viruses.
These lists are easy to come by and even easier to generate. If someone is dumb enough to pay good money for a list of infected computers - let me know. I wonder what the going rate is.
If these machines get abused enough maybe, just maybe they'll get fixed.
Re:PWN3D! (Score:5, Funny)
I hope they send them to a British pound-me-in-the-ass prison!
In Britain, this happens in the private schools, not the prisons...
Re:PWN3D! (Score:1)
KFG
Re:PWN3D! (Score:1)
Re:PWN3D! (Score:1)
The reason for the UK term "public school" (Score:4, Informative)
The terminology is a bit unfortunate, now that private tuition doesn't happen and state schools are more public than "public schools", but that's how the English language works.
Schools entirely paid for by taxes are "state schools" (as in "separation of Church and State", not as in "Washington state").
Re:PWN3D! (Score:1)
Re:PWN3D! (Score:1)
Re:PWN3D! (Score:1, Offtopic)
And what do u have against Indians anyway ???
Nothing whatsoever. My sig is about the growing resentment exhibited on /. against India and Indians; I think some of this resentment is bordering on racist, and I'm worried by it. The fact that you are an Indian and you disagree with me does not make this problem go away.
Public/private explanation- a pedant writes (Score:2)
Re:PWN3D! (Score:2)
Re:PWN3D! (Score:2)
Who said I hate the Muslim regimes? I don't agree w/ any theocracy or gov't that kills women for adultery or simply doesn't believe in women's rights. I don't hate them simply because of their religion; I don't think much of any religion. Check out that whole separation of church and state the groups here in the US always beat the Christian fanatics w/.
Still couldn't find anything on regi
Re:PWN3D! (Score:1)
The US is a lot more dangerous than North Korea or China.
(Regarding the topic of registration, if you look closely you'll find that I never write about things I cannot back up. I was not prepared for CNN removing the link to the article where I got this from, and it is nowhere to be found. If the cause for that was a respected journalist making things up, or pressure o
Re:PWN3D! (Score:2)
Anyway whether or not Wolf Blitzer made it up or you can't remember who said it, it did *not* happen. Muslim men have all of the same freedoms everyone else does.
Get off your ass and go see what the women's rights situation is like now, not a thousand years ago. One of my best friends
Re:PWN3D! (Score:1)
Yes, I've both read the Quran and a lot about Islam - out of curiosity, and to be sure not to fall for common western myths.
The US considers any country capable of producing WMDs a threat, and has reserved the right to attack first to protect itself.
Sweden can, easily, make WMDs. Do you see the faulty logic here?
Re:PWN3D! (Score:2)
Re:PWN3D! (Score:2)
Re:PWN3D! (Score:2)
Re:PWN3D! (Score:1)
(I'm not Moslem, but I study subj
Re:PWN3D! (Score:1)
Re:Theo article (Score:2)
Proletariat of the world, unite to kill spammers. The more painful and slower, the better.
Re:Theo article (Score:5, Insightful)
Viruses are finally sophisticated enough to create botnets, and spammers have become more and more desperate for ways to pump their e-mail out.
Re:Theo article (Score:4, Interesting)
I saw a book in the shop the other day called "Writing Secure Code" or something similar. When I saw the publisher, I did not even bother to pick it up for a look, as the company concerned (Guess who?) has a solidly demonstrated long-term track record of gross incompetence in that area.
Re:Theo article (Score:1)
Looking back, it struck me that the most frequent and clever of e-mail attacks relied more on the old-fashioned tricks and guile of the con artist than on any particular technical vulnerability in Windows or Outlook Express.
The greatest surprise was to receive a "plain text" newsletter from an open source project well known
Re:Theo article (Score:1, Funny)
Re:Theo article (Score:3, Insightful)
Because there has always been an easier way to do it. Spammers used dial accounts, then spoofed dial accounts, then their own servers, then hijacked servers. As human beings became aware of each new spammer tactic that tactic would become unavailable.
At some point humans will have to face the fact that spammers are not human and adopt a shoot on sight policy to end this terrible scourge.
American Media (Score:3, Insightful)
I guess it has to do with ratings. It's unfortunate that editing the content of the news increases viewership. You see I, a US citizen, want to see ALL of the news, but unfortunately, our corporate news outlets censor a lot of what's going on to boost ratings! That's why I read foreign news sources as much as I can.
Re:American Media (Score:5, Interesting)
Re:American Media (Score:2)