Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Spam Security The Almighty Buck Your Rights Online

Heise Online Reveals Trojan / Spam Connection 150

yourruinreverse writes "Virus distributors have been caught red-handed selling IP addresses of trojan-infected machines by editors of the German IT magazine c't. Several individuals appear to have been arrested already after c't, revealing one of the virus writer's nationality as British, passed on the information to Scotland Yard. Check out the German article first, then its translation on Groklaw and maybe also same translation posted in the English section of the Heise website (in order of appearance)."
This discussion has been archived. No new comments can be posted.

Heise Online Reveals Trojan / Spam Connection

Comments Filter:
  • by bc90021 ( 43730 ) * <bc90021&bc90021,net> on Saturday February 21, 2004 @11:26AM (#8349427) Homepage
    "With the help of c't, a student of computer science has tracked down the authors of a computer virus. The editorial staff were able to establish contact with the virus distributors and buy IP addresses of infected machines. Because one of the virus distributors has been located in Great Britain, c't has passed on all information to Scotland Yard. By now, individuals in several countries have been arrested."

    The Slashdot heading leaves out that it was a College Student who did this primarily. Will this continue to be a pattern in the future? I sure hope so, as law enforcement is typically behind the times, and overworked as it is. This way, order is still maintained without vigilante justice, since those in the know involved proper law enforcment.
    • Will this continue to be a pattern in the future? I sure hope so

      I don't know that I wouild count on that. There are lots of CS students with lots of time on their hands. Some trade music files, some write virii, and some track down the people doing the first two (and ocassionally someone writes an OS). Anyone with adiquate knowlege and time can do any of the above, their choice is up to them.

      What choice will you make?
    • by Vlad_the_Inhaler ( 32958 ) on Saturday February 21, 2004 @12:36PM (#8349828)
      I did not read the article online, but assume it is the same as was in the copy of C't which I read this morning.

      This is not really 'vigilante justice', especially in the racist sense which some ACs below saw there. It was someone who was affected (if only when cleaning up someone else's computer) and took the trouble to see what the trojan could do and where it came from. He then went to the only organisation he could think of (C't) which was technically able to understand the problem and had the legal knowledge necessary.

      Interesting was that companies like Symantec had also done the analytical work on the trojan(s) (and had posted the results) but had no interest in treating this problem at source (the ISS team). They make their money protecting computers from threats and not attacking those threats at source.

      What is going to happen to ISS now?
  • by Xystance ( 660413 ) on Saturday February 21, 2004 @11:26AM (#8349430) Homepage
    When will they post a website that has an engine that will allow us to submit IP addresses / MAC addresses to find out whether they are infected? I have the entire IP table of where I work... knowing what machines have been compromised through trojans would be helpful... Either way... Go Heise!
  • by erick99 ( 743982 ) * <homerun@gmail.com> on Saturday February 21, 2004 @11:31AM (#8349452)
    Maybe this isn't so surprising. Virus writers are becoming, as the gangsters in movies like to say, "a business man." Capitalism will grow in any sort of soil. I'm not supporting this by any means, but, sociologically, it sure makes a point about how any "industry" or endeavor will eventually start to emulate more legitimate enterprises.

    Keep Smiling!

    Erick

  • I new it! (Score:5, Insightful)

    by megalogeek ( 519027 ) on Saturday February 21, 2004 @11:31AM (#8349454)
    OK, we all knew it, but maybe this will be enough incentive for the major news outlets to pick the story up. In an ideal world people would see this story, realize that much of the spam they get can be blamed on viruses and patch their systems.

    Too bad we don't live in a perfect world.
  • I thought that people have been saying that open relays (which, effectively a machine with a RAT on it is) were not to blame for spam these days.

    So, if you're paying for IP addresses then that's probably not entirely accurate. Unless you're just trying to bring the advertisement directly to the person's screen. I'd believe that.
    • Re:Open Relays (Score:5, Insightful)

      by AndroidCat ( 229562 ) on Saturday February 21, 2004 @12:34PM (#8349806) Homepage
      Most spammers don't use open relays these days. They use open proxies, which are different. (No logging in the Received lines of the email, and no store/forward--it's the spammer's machine doing the real work.)

      From some of the spam I've been getting, I think that some spammers are playing with zombie relay malware. That allows them to load up a whole spam run on a zombie machine and move on to the next one. I'll bet that their relay software is designed to not look like an open relay to anyone else. Why share the box with other spammers, and why set off open relay detectors?

  • by twoslice ( 457793 ) on Saturday February 21, 2004 @11:40AM (#8349491)
    The phrase "red-handed," meaning, as the Oxford English Dictionary puts it, "in the very act of crime, having the evidences of guilt still upon the person," A murderer caught "red-handed" still had the blood of his victim on his hands. We have, since the 18th century, also used "red-handed" to describe any criminal caught in the act or bearing irrefutable evidence of guilt.

    So did these guys have IP addresses hanging from their necks like bling blings?

  • by rqqrtnb ( 753156 ) on Saturday February 21, 2004 @11:40AM (#8349492)
    Hello!

    This article does not surprise at all. Thus I already read some months ago in the net of a root kit for Linux, which on the stricken computer installs itself and camouflages and then a special SMTP server starts, which from the outside refers always 1000 email addresses in the way of Client server communication and sends then the Spam. In the connection it sent back even still the Resultcodes to the server.

    In the case it was more difficult to pursue the author back because on the one hand the servers were located in several states and on the other hand the companies, to which the IPs/Domains belonged again mail box or dummy firms was.

    The problem is that here regular servers were stricken, which did not have dial up IP and thus also not over RBLs are recognized.

    Which one from it learns is probably clear: Safety updates bring in, mail content scaning (spamassassin), and feel safe never.

    Unfortunately did not know I meant articles any longer to find, otherwise I would have quoted him :(
  • Hang 'em High (Score:4, Insightful)

    by Anonymous Coward on Saturday February 21, 2004 @11:44AM (#8349508)
    ...i'm sorry to say it, but goddamn, an example needs to be made of these fools.

    plain and simple: virus writing will get you in deep shit.
    • And use a strong cable... like an IEEE-1284, for example. Should be able to hold several hundred pounds at least.
    • Re:Hang 'em High (Score:3, Insightful)

      by 26199 ( 577806 ) *

      You know, that statement would work a lot better if you gave an actual punishment rather than slang...

      e.g. virus writing will put you in jail

      Although personally I find it hard to justify jail for virus writers... maybe...

      virus writing will lose you your right to use computers for a while, along with a hefty sum of cash

      • You aren't seeing this in in the proper perspective. Virus and trojan authors are at best simple vandals, at worst they are information and resource thieves of the highest caliber. Why should they be treated any differently than anyone else that causes significant damage to organizations and individuals around the world, often for no better reason than proving that they can? Go rob a bank of a couple million for the fun of it, and you won't see daylight for a long time. Cause a hundred or a thousand tim
        • Hmm, I didn't say no serious punishment... but I don't think jail is necessarily the answer. It costs the country money, it stops them doing productive work, and it may not change their ways.

          Jailing people who aren't a continuing threat to society always seems a little odd.

          (I don't have any claim to be an expert on such things, nor on what works, though).

          I'm not sure laws/punishment are particularly effective against viruses, anyway -- it's such a big 'kick me' sign that viruses will always be written

          • (Er, that last paragraph wasn't an argument for leniency, it was an argument that going after the virus writers isn't a way to stop viruses).

          • Well, you're correct that jail may stop them from doing productive work ... but it will also keep them from unproductive work, such as authoring more trojans. And anyone that knowingly and with malice aforethought releases one of those things simply deserves to be strung up by his testicles. A harsh jail sentence may (or may not) serve as an adequate deterrent for other potential virus authors, but from the standpoint of simple justice it may be warranted. The guy that wrote Melissa seemed genuinely igno
      • You know, that statement would work a lot better if you gave an actual punishment rather than slang

        You know, I think the grandparent post had an excellent suggestion for appropriate punishment of virus writers:

        virus writing will get you in deep shit

        Convicted virus writers should be sentenced to hard labor, shoveling in a manure processing plant, like the evil midget from Mad Max: Jumping the Sharkdome.

      • .. I find it hard to justify jail for virus writers ..

        If they are working with spammers, then I agree, mere jail is much too lenient. At the very least rig the cell to be constantly bombarded with ads.

  • by LostCluster ( 625375 ) * on Saturday February 21, 2004 @11:50AM (#8349533)
    I think we've hit the point where three outlawed industries are now joining forces to support each other. P2P file sharing is an application consumers want but just isn't legal. Therefore, the writers of P2P applications just can't use legal means to collect money for it, they have to get paid under the table. Spyware and virus writers have the same goal, find any way possible to get their software onto your computer so they can get it to do their bidding. To them, how they get their payload isn't important How do they get paid? Well, who most needs distributed computing resorces with scattered IP addresses and bandwidth? Spammers. So, they'll gladly pay the creators of bot nets for their services, in a way no ethical buyer ever word. So there you have it, the connection between P2P and spam...
    • by tiger99 ( 725715 ) on Saturday February 21, 2004 @12:17PM (#8349644)
      Sadly, it tends to be as you say, although P2P is not inherently illegal, it is only when you share someone else's property that it becomes so.

      I used a P2P network once, to get an unavailable piece of music. Had it been on sale in the shops I would have bought it.

      Lesson for the RIAA - keep everything available for ever, and find a sensible way of charging for odd copies of one track, then honest people would not need to do this. Of course that might need some understanding of technology, which no-one in your organisation apparently has any more, because you can't distinguish between someone who only wants to play the DVD he has paid for on his non-Microsoft PC and a gangster.

    • by datadood ( 184067 ) on Saturday February 21, 2004 @12:25PM (#8349694)
      Insightful? In what way is P2P filesharing 'illegal'? It might get used for copyright infringement, but that doesn't mean the tool itself is illegal. Think crowbar.
    • Nothing illegal about p2p software--just how some people use it. Writers of p2p software can try to use legal means to collect money, but who the hell would pay for their registered copy when there's so many other free versions or cracked copies?

      They're trying to make money by giving the software away. Their main options for income are banner ads, or spyware and other malware. If they used the service model of payment, their central servers would be targeted by the RIAA in a heartbeat--if the RIAA had one.

    • P2P is not inherently illegal. It is just a copying technology. If you make P2P illegal, photocopy machines should long have been illegal. And of course, might as well make FTP and NNTP illegal. And while you are at it, since all web browsing is inherently copying, make HTTP illegal.
  • This explains much (Score:5, Informative)

    by GeckoFood ( 585211 ) <geckofoodNO@SPAMgmail.com> on Saturday February 21, 2004 @11:53AM (#8349546) Journal

    A few weeks ago I noticed a HUGE spike in the number of trojan scans against my firewall. I found that the scans were coming from pretty much everywhere (world-wide), and seem to start up almost as quickly as I connect to the net. I have been wondering what was behind such a spike in trojan scan activity; I guess this is my answer.

    Fortunately, there are no known trojans on my system, the firewall and the virus checker are doing their jobs.

  • Excellent work (Score:5, Interesting)

    by tiger99 ( 725715 ) on Saturday February 21, 2004 @12:04PM (#8349592)
    It is about time that something like this happened, and I hope the courts deal with them severely.

    It would be very useful if the police forces had well-publicised points of contact for reporting computer and internet crime. At the moment, the local police station is unlikely to know anything at all, unless you are lucky to meet one of the few policemen who is really into computers, likely as a hobby. The expertise seems mainly to be in Scotland Yard, the department there could do with more funding, more staff, and more publicity, such as a simple means to contact them by email or web. My systems get beseiged by attacks from a handful of IP addresses, and if there was a central point for reporting all these easily, it would not be hard to spot the patterns and take appropriate action. For example, a warning letter from the police might be sufficient to get open mail relays closed, and cable modem users who have been trojaned might pay heed and take proper precautions. This could be largely automated, only where the parties concerned were deliberately committing criminal acts, or who failed to react to a warning, would the full powers of the Computer Misuse Act need to be applied.

    Not so long ago there was an idiot on the NTL cable network who was causing continual problems to others because his machine was running continually and had been trojaned, and was being used by hackers elsewhere. Something like that, after a few independent reports, should automatically trigger a "cease and desist" letter, together with some good advice on cleaning up the problem.

    It seems to me that it should be quite simple to gather and collate information from the public, which with the ISP's logs would enable the causes of problems to be located and dealt with. I for one don't mind my ISP's files being available automatically to a law-enforcement robot, I rather would get a warning letter or email if something was amiss.

    Of course the way to deal with the most recent round of severe problems is to simply ban Outlook. I wonder if the Convicted Monopolist could gain another conviction for deliberately producing software which facilitates contravening the Computer Misuse Act? BTW it would help if other countries enacted similar legislation instead of being misled by fascists like the RIAA into stupidly focussing on those who might want to play a DVD on their Linux computer, for example. In the UK, the CMA has real teeth, sadly it does not get exercised as often as it should, because it provides a means to outlaw certain vile practices. For example, if an installer deliberately cripples another application (we all know some that do, and most come from the Redmond area), that is a criminal offence, and rightly so, yet I have not seen any prosecutions. The wording of the Act would suggest that if installing Windoze as the second OS blows away the ability of Linux/BSD/OS-2 (or whatever) to boot, then an offence is committed. The only defence seems to be that it was done in ignorance. Can you imagine Bill standing in the dock in the Old Bailey, pathetically whining that he was not guilty, he was only ignorant? Justice would be admirably served by that admission.

    • It would be very useful if the police forces had well-publicised points of contact for reporting computer and internet crime.

      Indeed. This morning, I received four copies of an "Update your paypal account" credit card number stealing scam email, and while it wasn't difficult to trace the people doing the collection (the ip address is 210.78.22.113, it's running Redhat 6.2 with a 2.2.17 kernel by the way), it's located in Shanghai and I have no idea how to take this further.

      Even crashing their box would b
      • 2.2.17 is much older than the current 2.2 tree, which is at 2.2.25.

        That should be wide open for Mr. Freighttrain.....
      • Not all that hard to do... send them a copy of the Lion worm or Ramen. Or just a mail bomb with 4 gigs of /dev/zero compressed into a .zip.
      • Re:Excellent work (Score:3, Insightful)

        by sik puppy ( 136743 )
        Don't crash the box, root it.

        Then use it to either send email or host a web page critical of the chinese government or praising the the Fulan Gong (sp?)

        Then wait for the news report of the chinese government executing these criminals for computer crimes.

        Is there a more cheerful thought than dead spammers?

  • by Anonymous Coward on Saturday February 21, 2004 @12:13PM (#8349626)
    The machines infected with the trojans can be used as spam relays.. sure - but at the same time theyre also a gold mine for fraud, just think about all the data stored on the hard drives available for download - financial data, all kinds of private documents.. this worries me more than spam. I think data theft will become a hotter topic in the near future.
    • Maybe, but data theft might actually spur the owners of virus ridden pcs to actually DO something. Right now they aren't too bothered by the fact that their beloved pc is attacking and spamming the rest of 'that internet thingy', grand scale data theft and extortion WILL make a lot more clueless people aware of the problem of trojans.
    • I think data theft will become a hotter topic in the near future.

      Actually, I don't think so. Not data theft on random computers infected with trojans. There is no useful data, or if there is, it's seldom and hard to find. Plain spamming is probably much more efficient, economically.

      For example, if you had full access to my PC, you could find my credit card number by scanning the 20GB of files I have (OK, statistically, you would have to scan less than the 20 GB). But that's not really a secret anyway. Yo
  • by cluge ( 114877 ) on Saturday February 21, 2004 @12:17PM (#8349646) Homepage
    This is no suprise for people involved in the anti-spam community. It has been discussed for some time in NANAE [google.com]. What is REALLY sad is that some networks really don't seem to care, or don't have the time to police against this sort of thing. When I was Joe Jobbed [spamfaq.net] by one of these spam gangs, using infected machines for webservers, I reported it to RR and comcast security. They were hosting their site all-oem.biz on several obviously compromised machines AND using my e-mail address in advertisements about their company. What did I get for my trouble? E-mail after e-mail that said - "To the best of our knowledge, the incident that was the basis of your complaint was neither posted by an individual using the Road Runner (Or Comcast) system, nor is it in any way related to the Road Runner (or Comcast) system or content maintained by Road Runner." What was funny is that if you did a dig on the domain being advertised it ALWAYS contained a road runner cable modem account.

    Lets try it again for a test shall we?
    # host www.all-oem.biz
    www.all-oem.biz is an alias for all-oem.biz.
    all-oem.biz has address 217.81.243.206
    all-oem.biz has address 24.98.35.54
    all-oem.biz has address 212.83.89.135
    all-oem.biz has address 213.33.0.67
    all-oem.biz has address 24.6.6.196

    And again, what do we have, 2 comcast cable modems working away trying to sell software that APPEARS to be pirated, and is advertised via spam with false headers.

    Lets check the DNS shall we, the dns servers for the domain are listed as follows

    Name Server:NS1.MOROZREG.BIZ
    Name Server:NS2.MOROZREG.BIZ
    Name Server:NS3.MOROZREG.BIZ
    Name Server:NS4.MOROZREG.BIZ
    Name Server:NS5.MOROZREG.BIZ

    Each of these name servers is also hosted on compromised machines, mostly broadband connections. Don't take my word for it, haul out nmap [nmap.org] and take a look for yourself. The IP's for these name servers change pretty often. At this time no road runner accounts are showing up. I give it an hour before we get a few more.

    In short this is nothing new, and no one should be shocked. Spammers have shown themselves to be an unscrupulous lot. What IS good is that this is starting to get some press. Perhaps this will put pressure on providers to police their networks better. Otherwise more drastic action may be required to be taken by other networks to simply protect themselves.

    AngryPeopleRule [angrypeoplerule.com]

    • by kiolbasa ( 122675 ) on Saturday February 21, 2004 @12:57PM (#8349978) Homepage
      I'll bet dollars for doughnuts Comcast and Road Runner never see their own IPs when they do queries on that spammer's domain. I first learned of this trick from NANAE poster "Spamless," so you can look it up for a more thorough explanation (can't find it myself just now). The short story is that the spammer's DNS responds differently depending on the IP that makes the request. When the ISP checks those DNS records, they get something in South America, or China, or another ISP, anything other than them. The cable modem machine is just a proxy.

      It takes a little more effort to track down what is going on, and large broadband ISP's abuse desks are probably too swamped - which should be no excuse.
  • There's a good side to this - spammers pay for addresses, meaning their costs go up. I guess you can get a fairly good list of infected machines, for free, just by tracking nanas [google.com]. Just to show you how commercialized the internet has become :)
  • by MyHair ( 589485 ) on Saturday February 21, 2004 @01:22PM (#8350181) Journal
    Check out the German article first, then its translation on Groklaw and maybe also same translation posted in the English section of the Heise website (in order of appearance).

    I'm supposed to RTFA 3 times?

    1: You're lucky if one out of every 3 read it once.

    2: Is this supposed to be a cascading Slashdotting? Next time just submit the story 3 times with a different link each time.

    :-)

    • Re: 1.

      If you did a good RTFStory, you'd find the first is the original German article (including some links absent in the translation), the second is the first publication of its translation into English on Groklaw.net, and the third is exactly the same text published on heise.de again. It even has a cute notice at the end which explains which version had become available in what order. Knowing that, you would not have needed to click on all three links: one or two would have sufficed.

      Re: 2.

      If /. had tak
  • by olivercromwell ( 654085 ) on Saturday February 21, 2004 @01:49PM (#8350355)
    This doesn't surprise me in the least. While it sickens me, I don't find this to be that startling. I, for one, have always thought the people who write malware are scum. They may try to justify their actions with lame claims of: 'Oh, i only did it to show how weak the system is', or 'I am only trying to learn more about the internal workings of the O/S'. But, let's face it, they are little more than little creeps with serious social behavioural problems. They know what they are doing is wrong, yest can find any manner of reason to justify their behaviour. In the end, they are criminals, scum, and a**es. That some are now selling harvestedd ip addresses to spammers should come as no surprise at all. I just wish I knew a way to punish them that would not only satisfy the gravity of their offence, but would also serve as a good deterrent. A pox on all of them.
  • by sglines ( 543315 ) on Saturday February 21, 2004 @03:54PM (#8351213) Homepage Journal
    Selling infected IP addresses may be immoral but what is illegal about it?

    I run snort on a bunch of systems and have some very large lists of infected IP addresses. I suspect many others do too. Every time snort burps up a new IP address I inform the ISP that "owns" the IP address. The reality is that no one cares. I have been "hit" by 68.162.91.238 over 20 times in the last month by different viruses.

    These lists are easy to come by and even easier to generate. If someone is dumb enough to pay good money for a list of infected computers - let me know. I wonder what the going rate is.

    If these machines get abused enough maybe, just maybe they'll get fixed.

"For the love of phlegm...a stupid wall of death rays. How tacky can ya get?" - Post Brothers comics

Working...