Some interesting developments on the spam-malware front. First, c't has an interesting bit of news, which Jeroen Roovers has translated for us from the German. Virus writers are in the business of selling IP addresses of captured zombie computers. c't reports on some specific instances where some arrests have just been made.
It may motivate those using Windows computers to make sure that they are not infected with trojans, including MyDoom, when you learn that the authors of malware harvest your IP address and then sell it to spammers, who then use your computer to send illegal spam or for other loathsome uses.
Here is the translation of the c't article:
Uncovered: Trojans as Spam Robots
c't has gathered evidence that virus writers are selling the addresses of computers infected with trojans to spammers. The spammers use the infected systems to illegally distribute commercial e-mail messages -- without the knowledge of their owners. Furthermore, the network of trojans forms a powerful tool which the distributors of the viruses can use to, for example, launch distributed DoS attacks.
With the help of c't, a student of computer science has tracked down the authors of a computer virus. The editorial staff were able to establish contact with the virus distributors and buy IP addresses of infected machines. Because one of the virus distributors has been located in Great Britain, c't has passed on all information to Scotland Yard. By now, individuals in several countries have been arrested.
In this case, a trojan was installed on thousands of computers with the help of the virus "Randex". This small program contacted its "master" through the chat protocol IRC. From its master it received commands to, for example, look for CD keys of games, launch SYN flood attacks from the infected machine, or secretly load additional software. This way, the trojan was also able to install a SOCKS proxy server which can be used to relay spam through the infected PCs. The virus also infects local subnets using the Windows Directory Service.
In an interview with c't, an investigating officer of Scotland Yard commented: "We fear that this is just the beginning. In the case in question, the authors and distributors of the viruses already no longer do their work just for fun or ego. The scene is becoming more professional and has recognised how much money can easily be gained illicitly this way."
You can find an article about the investigation in today's broadcast of c't magazin.tv. In the coming edition of c't, you can find a detailed description of the events (available in shops from Monday, February 23).
In other news, Earthlink is bringing suit against 16 people and businesses, a group of spammers called the Alabama Group, described by Earthlink as "the most professional and technologically sophisticated group of e-mail spammers that EarthLink says it has ever encountered." Mostly they used stolen credit cards, allegedly, to open fraudulent accounts, and each account sent spam:
"'They co-located computer equipment at a tiny Alabama ISP,' Wellborn said. 'Then they set it up in such a way that the e-mailer could remotely contact that equipment and cause it to dial in to EarthLink' to send spam."
In one case, a zombie computer was used to send spam, and it's the first case I've seen where an ISP is suing a spammer for remotely using someone else's computer to send spam. There could be more than just civil penalties, obviously. The new CAN-SPAM law has severe penalties, up to 5 years in jail, plus fines, and that's for comparatively minor offenses like using a phony address, plus possible loss of any personal or real property associated with the act of spamming. If a spammer harvested email addresses off the Internet, or used a computer program to randomly generate them, these are considered "Aggravated Violations" which can triple the fines. This isn't even starting on the analysis of what a spammer is facing for stealing credit cards, using someone else's computer without their knowledge, etc.
Here is a Wired article on spammers grabbing computers for their own use. So, evidently this is the new thing when it comes to spam, and it is what MyDoom is being used for.
Here is another article on the new phenomenon, which has come about because open relays have pretty much been closed down, and that left spammers looking for a new way to spew out the email you don't want:
"Any Internet-connected computer could be running a proxy spam relay, but most of the malicious programs are written specifically for PCs that run Windows.
"In the past, some spammers had sought out and exploited Internet-connected computers with misconfigured networking software. The latest and growing threat is code purposely written to create spam relay proxies as it is spread by malicious viruses.
"'It's just going to get worse,' said Ken Schneider, chief technology officer at spam-filtering company Brightmail Inc. 'Traditionally, virus writers were driven more by reputation and trying to impress each other. Now there's an economic motive.'
"Just last week, a proxy program called Mitglieder began installing itself on computers infected by last month's Mydoom outbreak, said Mikko Hypponen, manager of antivirus research at F-Secure in Finland. He said such programs can also sneak in if computer owners fail to install patches to fix known Windows flaws.
"The shift in spamming methods even prompted the Federal Trade Commission to issue a consumer alert last month. The advisory encouraged consumers to use antivirus and firewall programs and to check 'sent mail' folders for suspicious messages."
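The Randex description above (IRC command channel plus a SOCKS proxy used as a spam relay) and the proxy-relay article just quoted both boil down to a few things a machine's own connection table would show. The following is an added example, not code from the c't investigation or from any of the quoted sources: it scans a constructed netstat-style listing for an outbound IRC session, a listening SOCKS port and a burst of outbound SMTP sessions from one process. The port numbers and the SMTP threshold are assumptions, since none of the articles name them.

```python
import re
from collections import Counter

# Constructed sample of a netstat-style connection table (not from the article).
# Process 1284 shows the pattern described: IRC out, SOCKS in, many SMTP out.
SAMPLE_CONNECTIONS = """\
tcp 0 0 192.168.1.20:1037 203.0.113.5:6667 ESTABLISHED 1284/svchost.exe
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN 1284/svchost.exe
tcp 0 0 192.168.1.20:1041 198.51.100.7:25 ESTABLISHED 1284/svchost.exe
tcp 0 0 192.168.1.20:1042 198.51.100.8:25 ESTABLISHED 1284/svchost.exe
tcp 0 0 192.168.1.20:1043 198.51.100.9:25 ESTABLISHED 1284/svchost.exe
tcp 0 0 192.168.1.20:1050 192.0.2.10:443 ESTABLISHED 2210/browser.exe
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 4/System
"""

IRC_PORTS = {6667, 6668, 6669, 7000}  # assumption: common IRC ports; article names none
SOCKS_PORT = 1080                      # assumption: default SOCKS port
SMTP_PORT = 25
SMTP_THRESHOLD = 3                     # assumption: concurrent SMTP sessions before flagging

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\w+)\s+(\S+)$")

def parse_connections(text):
    """Turn netstat-style lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rport = int(m.group(4)) if m.group(4).isdigit() else None  # '*' for listeners
        rows.append({"lport": int(m.group(2)), "rhost": m.group(3),
                     "rport": rport, "state": m.group(5), "proc": m.group(6)})
    return rows

def find_relay_indicators(text):
    """Return (process, reason) pairs for the three relay symptoms."""
    findings = []
    smtp_sessions = Counter()
    for r in parse_connections(text):
        if r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS:
            findings.append((r["proc"], "outbound IRC (possible command channel)"))
        if r["state"] == "LISTEN" and r["lport"] == SOCKS_PORT:
            findings.append((r["proc"], "listening SOCKS port (possible spam relay proxy)"))
        if r["state"] == "ESTABLISHED" and r["rport"] == SMTP_PORT:
            smtp_sessions[r["proc"]] += 1
    for proc, n in smtp_sessions.items():
        if n >= SMTP_THRESHOLD:
            findings.append((proc, f"{n} concurrent outbound SMTP sessions (possible spam sending)"))
    return findings
```

On a real host you would feed it the output of the local netstat (with process names enabled) instead of the constructed sample; a system process that trips all three rules at once is the pattern the article describes.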