Forums » Up and Running » Security » Spam, Scam and Phishbusters » The Fight - It's Payback Time!

Sleeve1

join:2005-05-09
Saint Louis, MO

reply to Steve
Re: The Fight - It's Payback Time!

Good thoughts, Steve. I would be happy to post this code, but it does have a high potential for abuse if it got into the wrong hands. This is exactly why I chose NOT to code this in Perl or PHP.

Flash does not access your hard drive or registry directly. Macromedia controls this with the utmost care given to security. Viruses can be coded in Perl but not in Flash. It is impossible to get around this, so the Flash alternative is as safe as you can get.

Have you run it yet Steve?


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by sleeve:

Have you run it yet Steve?
No: I don't ever run code from random people on the internet. Ever. I don't know enough about Flash to trust it when I don't know what it does.

This is not any reflection on you, but a security paranoia that has served me well for a long time.

The potential for abuse is a fair concern, and I'm not sure how one could release a DoS tool and see that it be used only for good. So I guess I'll be left with waiting for some of the spam in question and rolling my own in Perl. I did this some time ago for an unrelated web-form-submittal purpose, so modifying the code should be straightforward.

This whole approach is less useful when the webform saves the entry in a database along with IP - easy to DELETE FROM spamee WHERE IP = '10.1.1.3'.

But if it's a mailform that generates one email per submission, it sounds like a positively lovely idea.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA


reply to Sleeve1
Steve has a point there - if the forms are being submitted to a database somewhere, I'd bet that the spammers will have some mechanism for logging the IP address and filtering out any entries coming from any address submitting repeated entries.

Did you have any research done in an open forum, say News.Admin.Net-Abuse.Email, to see if this spammer might be vulnerable to this sort of action?

Any thought to making your Flash app submit forms in an irregular pattern, to lessen the possibility of it being detected by the spammers?

You know what would really rule - if you could somehow hijack a botnet. Imagine the effect of submitting from thousands of different computers worldwide?

Anyway, it being Monday and I being too daring for my usual self, I downloaded your app. I ran it through Avast and A2, then submitted it to Jotti and VirusTotal, and got back nothing interesting.

I ran it for a minute or so, it claims to have submitted 249 requests with 3 failed loads. Watching my router log, I only saw 6 outgoing packets, to www.xxxxxx.com, during that time.

I did a brief Google on www.xxxxxx.com (address munged), and got a bunch of hits in NANAS, so it's indeed a bad guy.

I may run this overnight after I go to bed, but I would like you to try and explain why I only logged 6 TCP port 80 packets during a period where the app claimed to have posted 246 forms? I want to know I'm not wasting my bandwidth.
--
Cheers,



Chuck


»nitecruzr.blogspot.com/

Sleeve1

join:2005-05-09
Saint Louis, MO

cacroll-

thank you for the feedback. I will do my best to answer your questions.

quote:
Any thought to making your Flash app submit forms in an irregular pattern, to lessen the possibility of it being detected by the spammers?
The current version uses a database of over 36,000 US cities and over 70,000 mixed ethnic names and creates random addresses based on 2 formats with real zip codes and real area codes matched to the city. This kind of realism is necessary to fool the address verification software some of these spammers use (it works quite well). The script selects random elements in each array to build the data and submits it. How irregular did you have in mind?

quote:
I would like you to try and explain why I only logged 6 TCP port 80 packets during a period where the app claimed to have posted 246 forms? I want to know I'm not wasting my bandwidth.
Try opening up your CMD prompt and doing a 'netstat -n'. You will see that 2 threads are created per target, and in this case all 3 targets lead to the same IP address, so you should see 6 threads going to the same IP on port 80. This version keeps the sockets open while submitting data because of increased CPU efficiency. Maybe your router log was showing 6 outbound connections and not 6 packets.

You can actually see confirmation files in your "C:\Documents and Settings\%user%\Local Settings\Temporary Internet Files\Content.IE5" folder. These files are served by the webhost after receiving POST data from my Flash app, so you can confirm each submit is successful and be assured that you are not wasting bandwidth. It's actually a double whammy on the spammer because not only does this script submit bogus data which dilutes their database, it also leeches bandwidth from the webhost, which can cost them big money if they exceed their limits!

If you are interested, download the trial version of DU meter which allows you to monitor your bandwidth usage in real time. I am on a 5mbit/384k cable connection and I max out after reaching about 40 objects per second. That's 3456000 submits per day! No one can handle that rate for very long.

A known flaw lies in using Mozilla or Netscape. For some reason they are half as fast when submitting data and if the app is left running for a period of 24 hours or longer, Mozilla will go into a 100% CPU usage situation and cease to work. IE 5.5 or higher will work for weeks and weeks without this problem.

Sleeve
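Sleeve's answer above (two persistent sockets per target, so the router log shows connections rather than requests) is easy to reproduce against a loopback server. The following is an added example, not code from the original thread or from Sleeve's Flash app: it runs a small HTTP/1.1 form handler on 127.0.0.1 and sends many form POSTs over a couple of keep-alive connections, counting TCP connections and requests separately. The handler path /order.php, the form fields and the confirmation text are constructed for the demo.

```python
"""Many POSTs, few connections: why a connection log undercounts form submits."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlencode


class CountingHandler(BaseHTTPRequestHandler):
    """Stand-in for the spammer's form handler (constructed for this demo)."""
    protocol_version = "HTTP/1.1"      # enables persistent (keep-alive) connections
    connections = 0                    # TCP connections accepted
    requests = 0                       # POST requests served
    lock = threading.Lock()

    def handle(self):
        # One handler instance per TCP connection; the base handle() then
        # loops over every request that arrives on that connection.
        with CountingHandler.lock:
            CountingHandler.connections += 1
        super().handle()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)        # consume the form body
        with CountingHandler.lock:
            CountingHandler.requests += 1
        body = b"Thank you for your order\n"   # the "confirmation file" a browser would cache
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))  # required for keep-alive reuse
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass                           # silence per-request logging


def post_many(host, port, count, form):
    """Send `count` form POSTs over a single persistent connection; return 200s seen."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    body = urlencode(form)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    ok = 0
    for _ in range(count):
        conn.request("POST", "/order.php", body=body, headers=headers)  # hypothetical path
        resp = conn.getresponse()
        resp.read()                    # drain the body so the socket can be reused
        ok += resp.status == 200
    conn.close()
    return ok


def run_demo(workers=2, per_worker=50):
    """Start a local server, hit it from `workers` threads, return (connections, requests, ok)."""
    CountingHandler.connections = 0
    CountingHandler.requests = 0
    server = ThreadingHTTPServer(("127.0.0.1", 0), CountingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    # Constructed form record in the style the thread describes.
    form = {"name": "Jane Doe", "city": "Saint Louis", "state": "MO", "zip": "63101"}
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(post_many(host, port, per_worker, form)))
        for _ in range(workers)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    server.shutdown()
    server.server_close()
    return CountingHandler.connections, CountingHandler.requests, sum(results)


if __name__ == "__main__":
    conns, reqs, ok = run_demo()
    print(f"{reqs} POSTs ({ok} confirmed) over only {conns} TCP connections")
```

Run directly it reports 100 POSTs over 2 connections: a router or firewall that logs connection setups records two entries, while the web server's access log (or the cached confirmation pages) shows one line per POST. Counting bytes or requests, as the DU Meter suggestion does, is the right measure of whether the submits are landing.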


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA


said by sleeve:

cacroll-

thank you for the feedback. I will do my best to answer your questions.

quote:
Any thought to making your Flash app submit forms in an irregular pattern, to lessen the possibility of it being detected by the spammers?
How irregular did you have in mind?

quote:
I would like you to try and explain why I only logged 6 TCP port 80 packets during a period where the app claimed to have posted 246 forms? I want to know I'm not wasting my bandwidth.
Try opening up your CMD prompt and doing a 'netstat -n'. You will see that 2 threads are created per target, and in this case all 3 targets lead to the same IP address, so you should see 6 threads going to the same IP on port 80. This version keeps the sockets open while submitting data because of increased CPU efficiency. Maybe your router log was showing 6 outbound connections and not 6 packets.

You can actually see confirmation files in your "C:\Documents and Settings\%user%\Local Settings\Temporary Internet Files\Content.IE5" folder. These files are served by the webhost after receiving POST data from my Flash app, so you can confirm each submit is successful and be assured that you are not wasting bandwidth. It's actually a double whammy on the spammer because not only does this script submit bogus data which dilutes their database, it also leeches bandwidth from the webhost, which can cost them big money if they exceed their limits!

If you are interested, download the trial version of DU meter which allows you to monitor your bandwidth usage in real time. I am on a 5mbit/384k cable connection and I max out after reaching about 40 objects per second. That's 3456000 submits per day! No one can handle that rate for very long.


I was thinking of the activity pattern, if their database detected a constant stream of requests from the same IP like they did yours. If you sent half a dozen, then waited a few minutes, then sent a couple more, I'd bet you could fly under their radar.

I'm not interested in doing any DoS, and with my bandwidth, that's not gonna happen. I'm just thinking of the database poisoning; that's only going to happen with a sustained attack over a long period of time. If they become aware of our activity, they'll start filtering it before much happens. If we vary the attack, and they don't filter it, we're more likely to get their database well poisoned. Of course, that will happen much more easily with more action from here.

Remember Slammer in January 2003? Imagine how long Slammer might have run, if it had been coded to throttle itself. Of course, it wouldn't have infected any more computers, but it could have been out there for a very long time before being detected.

You're right, I'm looking at connections. Oddly, the 6 are all different connections at my end, all going against port 80 on the spammer end.

I have DUMeter, so I will watch it the next time I run it. Could be I didn't see anything cause of the other stuff was happening here.

And I'm running this from Opera, my browser of least privilege. Gives me an ugly black and white set of boxes, but I'm not looking for pretty here.

Anyway, so far I'm at 9 Failed Loads / 298 Total Requests. Will let you know what else I get. Probably not going to be a lot (dang PacHell DSL).

-------

I let it run for 1/2 hour or so, now at 1798 / 82. I was watching the data fly by (not so quickly as for you) and noted a number of 4 and 6 character zip codes. Surely the spammer's server will catch those?

-------

And another full hour, and now at 6300 / 137.

Sleeve1

join:2005-05-09
Saint Louis, MO

Yes, the spammer will catch those. Thank you for the heads up on that one. I'll have to see why that is happening.

Did you notice that the websites are no longer available? I wonder if the server gave up?

I have some new targets if anyone is interested. This time it's several fake pharmacies trying to obtain CC info from victims in order to clean out their account and then steal their identity. E-mail me if you are interested. Shadowboxer156@hotmail.com
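From the spammer's side of the form, the thread names two defences: the address verification the data has to pass (a real ZIP and area code matched to the city and state; the 4- and 6-character ZIPs cacroll noticed would fail it, as Sleeve concedes) and filtering of a source that submits at a steady machine rate, which cacroll's "send a few, wait a few minutes" pattern is meant to evade. The following is an added example, not part of the thread and not anyone's posted code: a Python sketch of both checks. The ZIP-prefix and area-code tables are constructed and deliberately tiny, the submission log is constructed, and the inter-arrival coefficient-of-variation threshold is an assumed tuning value.

```python
"""Defender-side checks: address plausibility and machine-regular submission timing."""
import re
from collections import defaultdict
from statistics import mean, pstdev

ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")    # 5 digits, optional ZIP+4

# Constructed, deliberately tiny tables (assumption: a real verifier loads full
# USPS ZIP and NANP area-code data). First three ZIP digits per state, and
# area codes per state.
ZIP3_BY_STATE = {
    "MO": {"630", "631", "640", "641"},
    "CA": {"900", "945", "946", "947"},
}
AREA_CODES_BY_STATE = {
    "MO": {"314", "636", "816"},
    "CA": {"213", "310", "510", "925"},
}


def validate_address(rec):
    """Return the reasons a form record looks fabricated; an empty list passes."""
    problems = []
    zip_code = rec.get("zip", "")
    state = rec.get("state", "")
    digits = re.sub(r"\D", "", rec.get("phone", ""))
    if not ZIP_RE.match(zip_code):
        problems.append(f"malformed zip {zip_code!r}")          # catches '6310' and '631011'
    elif zip_code[:3] not in ZIP3_BY_STATE.get(state, set()):
        problems.append(f"zip {zip_code} not in state {state}")
    if len(digits) != 10:
        problems.append(f"phone has {len(digits)} digits")
    elif digits[:3] not in AREA_CODES_BY_STATE.get(state, set()):
        problems.append(f"area code {digits[:3]} not in state {state}")
    return problems


def interarrival_cv(timestamps):
    """Coefficient of variation of the gaps between submissions (0 = perfectly regular)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def flag_sources(submissions, min_count=5, max_cv=0.2):
    """Map IP -> CV for sources that submit often at near-constant intervals."""
    by_ip = defaultdict(list)
    for s in submissions:
        by_ip[s["ip"]].append(s["t"])
    flagged = {}
    for ip, ts in by_ip.items():
        if len(ts) < min_count:
            continue                   # too few posts to judge a pattern
        cv = interarrival_cv(ts)
        if cv is not None and cv <= max_cv:
            flagged[ip] = round(cv, 3)
    return flagged


# Constructed submission log (seconds): one source posting every 2 s like a
# script, one human-paced source, one with too few posts to judge.
SAMPLE_LOG = (
    [{"ip": "10.1.1.3", "t": 2 * i} for i in range(10)]
    + [{"ip": "10.9.9.9", "t": t} for t in (0, 7, 9, 40, 41, 95, 140)]
    + [{"ip": "10.5.5.5", "t": t} for t in (3, 5, 7)]
)

if __name__ == "__main__":
    for rec in ({"zip": "6310", "state": "MO", "phone": "314-555-0100"},
                {"zip": "63101", "state": "MO", "phone": "(314) 555-0100"}):
        print(rec["zip"], validate_address(rec) or "passes")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

The regular source is flagged with a CV of 0.0 while the human-paced one (CV near 0.9) passes, which is exactly why spacing submissions irregularly matters to the poisoning idea; and the plain-format ZIP check is enough to reject the 4- and 6-digit values without any lookup table.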
© 1999-2009 dslreports.com.