Nancymca
Security Goddess, retired.
Premium Member
join:2001-09-30
Voorheesville, NY

Are YOU a spammer? "Sven" and bigger threats...

PSC Newsletter 20 Sept 2003

Are YOU a spammer?
by Kevin McAleavey, BOClean laboratory team leader

It might come as a surprise to many when they are contacted by their
Internet Service Provider only to be told that complaints have been
received of email abuse, and it turns out to be coming from THEIR
computer, and therefore their access has been cancelled. We don't mean
folks that have been infected with one of those everyday, commonplace
Microsoft(R)(tm)(branding used without authorization) worm viruses,
we mean actual SPAM being sent from YOUR IP address. It's been
happening a LOT lately, and just got worse as the result of a new
higher-level nasty out there than has previously been the case.

While the media is now spinning "SWEN" as the biggest thing since
SOBIG, the reality is "SWEN" is just another variant of GIBE, written
by the notorious "BEGBIE" of the Czech Republic with the usual modus
operandi of "From MICROSOFT - Install this patch NOW" which of course
begets another "ho-hum" in the continuing Microsoft daily
"plague'o'creepy crawlers" from us here. Begbie *always* signs his
work, though it's encrypted - he likes to take some "kernel memory"
space to spraypaint his name in there, but not visible in the FILE or
in ordinary "process memory." He's as predictable as so many
others. That's why our "ho hum" count of variants so far exceeds our
"mother trojans" in our lists.

"SWEN" is in reality "GIBE the latest" and it amuses us to no end how
it's "NEW" ... nope. Maybe to the antivirus industry, but not to us.
BOClean 4.11 identifies it as the BEGBIE trojan, but in our most
recent database update, we added "SWEN" to that designation for
clarity. We've had to rename OTHER "Begbies" in our listings of the
past to match names obfuscated by the antivirus companies who have
ADMITTED in the past their desire to rename nasties from the actual
names given by their authors after "discovering" them days, weeks or
months AFTER "zero day." Sorry, our software is examined by network
administrators and industrial customers who TRACK nasties and they
EXPECT the "known name" of nasties to be used, and we'd better be
there on "zero day" or we've got hell to pay. See here:

»www.newsfactor.com/perl/ ··· 662.html

By comparison, these "daily worms", even those such as SOBIG which
were suspected of being the first wave in an assault of spammer
takeovers of machines according to the pundits, are not news at all
anymore. At worst, your ISP will cut you off and tell you "update your
antivirus and clean your machine, these things happen." They DO
understand that. And while these rapidly-spreading infections of your
Outlook Express (and curiously FEW other email/newsreader programs)
get plenty of attention, not so for far more insidious nasties that
are unmentioned and undetected in the meanwhile.

And with YOUR finger on the trigger, caught "red-handed" by your IP
address appearing on the abuse complaints that your ISP *must* solve
or your ISP gets "blackholed" for spamming, YOUR provider has no other
choice than to terminate your account and wish you well as you find
ANOTHER place to connect to the internet. LEGITIMATE ISP's take these
complaints MIGHTY seriously, and point to their "terms of service"
that you may or may not have realized you violated for sending "SPAM"
from your computer. If you think getting in trouble for MP3 files is a
"big deal," you don't want to know what they do to "spammers."

Ever get an email with absolute gibberish and a broken link? These
are the spammers that I'm talking about testing out their "new
servers" hijacked from innocent folks who happen to have the next best
thing to a spam-friendly ISP with "T-1 service" and far cheaper ...
they use BROADBAND! Subscribers who have almost the bandwidth of a T-1
available without the bill. Taking over YOUR machine is FREE for them
IF they can get a spam "remailer" onto YOUR computer. Much cheaper
than a T-1 bill. YOU'RE paying for THEIR bandwidth. Spamming trojans
have been around for a while now. BOClean has handled such "treats"
as "SPAMJACK," "SPAMPROXY," "DENSMAIL," "INFECTEDMAIL" and others for
quite some time.

On Friday, we received a brand new one called "MASSMAIL" which was
included in BOClean immediately upon its discovery. This one was
discovered by the folks at spywareinfo.com as have a few other nasties
lately. MASSMAIL is a complete spam engine with its own post office
inside YOUR machine. Its original source remains unknown, but it DOES
contact a master at 66.111.48.41 to obtain a list of people to spam
(the IP belongs to "United Colocation Group" of San Francisco, a
reportedly "spam-friendly" provider), whereupon it collects addresses
and the spam to be sent out and uses YOUR machine to do it. Spamhauses
are ILLEGAL in California. "Oh, the IRONY." Heh.

What tipped off the original victim was that they were receiving
strange warnings from the bad email addresses in the spam list, which
clearly indicates that this particular spam engine is "amateur hour."
However, it ran for quite some time right past firewalls, antiviruses
and other security software. Upon receipt of the files belonging to
it, BOClean detected this as a variant which was named by its author
as "MASSMAIL." The original reporting "victim" got an early warning
PRIOR to their ISP coming after them, primarily because their Norton
antivirus popped up windows indicating that it was scanning outgoing
email for viruses although the victim hadn't SENT any email at the
time. ALERT computer user there. Norton did NOT detect the trojan
however. Read about it here:

»forums.spywareinfo.com/i ··· ic=11708

MASSMAIL is comprised of a number of pre-written "tools" which were
flung together. It also used a LEGITIMATE ActiveX control called
ANSMTP.DLL which is used as a legitimate mail server. The executable
itself consisted of a number of prewritten libraries including a TCP
host which connected to, and listened for the 66.111.48.41 respondent
with email to send. The number of unique behaviors to this particular
backdoor Spamhaus provided us with 14 heuristic points to spot any
similar "tools" in the future. It was genuine "script kiddies turned
pro" cut and paste. And now that the offending IP has been identified,
variants will obviously need to follow which will not match antivirus
"file signatures."

BOClean detects and defeats this little nasty and any of its future
progeny. Worms spreading through Outlook Express and those who make
the mistake of clicking on an attachment from someone they might know
which contains a file of any kind which wasn't pre-arranged are old
hat. Nowadays, you need to watch out for spammers who are tired of
being shut down by their ISP's or having to pay for bandwidth to send
you those "miracle pill," "diet," "refinance" treats who have now
gotten into the "hey! They have broadband, let's take over their
computer and use THAT" types. A bad situation is mutating into
something far worse, completely out of the spotlight of the media. But
hey, what ABOUT that "SWEN?" BOClean's made him "well hung" too.
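A defender-side view of the MASSMAIL behaviour the newsletter describes (a broadband PC that checks in with the controller address and then delivers bulk mail directly to many mail servers), written as an added example that is not part of the original post or of BOClean. The flow-log format, the thresholds, and every address other than the controller IP named in the article are assumptions.

```python
"""Added detection example (not from the newsletter or BOClean): flag a host
showing the MASSMAIL traits described above, i.e. contact with the named
controller and fan-out of outbound SMTP (TCP/25) sessions to many mail servers.
Input is a constructed flow log, one flow per line: "<epoch> <src> <dst> <dport>".
"""
from collections import Counter, defaultdict

KNOWN_CONTROLLERS = {"66.111.48.41"}   # controller IP named in the article
SMTP_PEER_THRESHOLD = 10               # assumption: home PCs relay via 1-2 servers
WINDOW_SECONDS = 300                   # assumption: fan-out observed within 5 min


def parse_flow(line):
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_spam_engines(lines, threshold=SMTP_PEER_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: set(reasons)} for sources showing spam-engine traits."""
    findings = defaultdict(set)
    smtp_flows = defaultdict(list)              # src -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if dst in KNOWN_CONTROLLERS:
            findings[src].add("known_controller")
        if port == 25:
            smtp_flows[src].append((ts, dst))
    for src, flows in smtp_flows.items():
        flows.sort()
        peers, lo = Counter(), 0                # distinct SMTP peers in window
        for ts, dst in flows:
            peers[dst] += 1
            while flows[lo][0] < ts - window:   # expire flows older than window
                old = flows[lo][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                lo += 1
            if len(peers) >= threshold:
                findings[src].add("smtp_fanout")
                break
    return dict(findings)


# Constructed sample: an infected PC, a normal mail user and a web browser.
SAMPLE_FLOWS = (
    ["1000 192.0.2.10 66.111.48.41 80"]
    + ["%d 192.0.2.10 198.51.100.%d 25" % (1010 + 10 * i, i) for i in range(1, 13)]
    + ["%d 192.0.2.20 203.0.113.25 25" % t for t in (1005, 1100, 1300)]
    + ["1050 192.0.2.30 203.0.113.80 443"]
)
```

The same fan-out logic applies to the tip-off the article mentions: a burst of bounce messages arriving for mail the user never sent is the mail-side mirror of this network-side pattern.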