Join Date: Feb 1999
Location: Miami, FL
The Worms, Zombies, Joe Jobs & Spammers Rant
A couple weeks ago I noticed the tell-tale signs of the beginning of a Joe Job in the form of bounced e-mails; not the first time I've seen one and undoubtedly not the last. A little research into the "enlargement pills" website being advertised showed it was owned and hosted in China and had gone by other domain names in the not too distant past... in fact they hadn't even bothered to update the title graphic on the current iteration of the site. In all, a pretty typical fly-by-night, snake-oil website which could be set up again with about the same amount of effort it would take to have it closed down. Next I turned my attention to the bounced e-mails, most of which didn't contain the original headers and thus were about as worthless as the spam itself (but that would be the subject of a different rant). Of those which did include the original headers, a pattern started to emerge... they mostly appeared to be coming in small groups originating from ISPs: AOL, Comcast, RoadRunner, Telus, Adelphia, Charter, etc. The only conclusion I can arrive at is that these are zombie boxes which have been co-opted by spammers in an effort to create a distributed spamming network. This is hardly a new concept; a Google search for "distributed spamming" will turn up many references, some several years old. But this is the first time I've noticed it occurring in a fairly large way; I've had well over 800 bounces in two weeks... enough to get my attention. And coming at about the same time as the MyDoom virus/worm/trojan, which reportedly packs a backdoor routine, it's really gotten me thinking about the connection between trojans and spammers; they seem like a very cozy match.
First consider what we already know about spammers: they have no ethics, are somewhat technologically sophisticated and are always looking for ways to circumvent anti-spam filters. One of the more effective spam-blocking measures is the IP blacklists; some users of EFM have reported success in the high 90% range using only a few of the blacklists provided. So it stands to reason that spammers would be anxious to defeat these blacklists, and distributed spamming is a very powerful way to accomplish this goal. By only sending out small, one-time runs through compromised hosts, the blacklists could be rendered useless. In fact, they become worse than useless; they are detrimental because most of the blocked IPs would belong to cable/DSL/dial-up users, IPs which are not always static and thus could be blocking e-mail from completely innocent parties. Distributed spamming also defeats the "Bill Gates pay-per-spam" plan, since the apparent originator of the spam is no longer the actual spammer but rather a zombie computer... the owner of which would ultimately get the bill (and a wake-up call to be more security minded... maybe not such a bad thing after all).
So given that zombie computers could be a powerful weapon in a spammer's arsenal, I have to wonder about the real motivation behind some of the e-mail viruses and server worms we see: are they all just the work of pranksters, hackers or, in the case of MyDoom, disgruntled Linux and Windows programmers? And even if this is the case, will it remain so given the profit motive spammers have to develop even more sophisticated trojans? What really concerns me is that MyDoom doesn't even take advantage of any software exploits; it relies completely on social engineering... an area that spammers, who are also marketers, could become particularly adept at.
Another concern I have is that the most common remedy I hear for these trojans is to "run an updated virus scanner." As others in this forum have been quick to point out, while virus scanners are not necessarily a bad thing, they can offer a false sense of security. This is particularly true given the rate at which a virus can be spread over the Internet... by the time it is identified, a signature developed and the individual scanners updated, much of the damage can already be done. And imagine a scenario where instead of a few points of origin, an existing distributed spam network is employed to launch the "seed infection"... it could be quite widespread within 24 hours, and take out the auto-updating capabilities of many virus scanners with it (similar to what the B variant of MyDoom reportedly does). I liken virus scanners to the fire department... they are very good at putting out fires, but have very limited abilities to prevent fires from starting. Doubling the number of fire trucks isn't going to cut down on the number of fires started. A better approach to fire prevention is education: Don't play with matches. I also believe education is the key to preventing the spread of trojans.
Okay, I hear what many of you are saying: "But DB, there are too many ignorant people and many of them don't want to be educated." I agree, in part. One of my old-time high school buddies fits the profile perfectly; he could be the poster boy for Ignorant Netizen of the Year. He's quick to ask for free tech support when his hard drive crashes, but ask for something in return, such as using the "Bcc:" field rather than the "To:" or "Cc:" fields when mass forwarding an e-mail to my private address, and he acts like it's the greatest imposition he's ever heard. After all, the Net is just a playground for exchanging rude jokes and insults... "netiquette" is for sissies who can't run with the big dogs. Viruses? No big deal, just get someone to come over and reformat his hard drive. Try to educate this guy? He'll just say "ya worry too much about nuttin'." So yes, I fully agree some people are lost causes. But many of my other friends are not, and in time I believe "poster boy" will either bow to peer pressure or become ostracized. (Either way, the next time he calls asking for free tech support, I think the solution may involve iron filings and his power supply.)
Education in regard to e-mail viruses/trojans doesn't have to require a graduate-level lecture in computer science; it could be summed up in one sentence: Never click on any attachment you didn't specifically ask for. Granted, the corollary would have to be something like: It's socially unacceptable to send files that haven't been requested. That may be a hard point to sell, but it would be a good place to start. For those who are willing to learn a little more, like what kinds of files can contain "bad stuff" and which are relatively harmless, some e-mail file exchanging would be perfectly acceptable (e.g. JPEGs of the grandchildren to grandma). I honestly believe that the "social" part is the only long-term solution. We're able to live in communities off the net because we have accepted certain social mores and folkways... granted, not everyone conforms and we still have crime and anti-social behavior, but on the whole most of us manage to get along with our neighbors and not set the block on fire every couple of months. I see no reason why, in time, we can't "socialize the Internet." But we have to first be willing to try... to take responsibility for what we do and set examples for those who are following in our footsteps. Suggesting virus scanners or demanding better network filters seems like a cop-out, and it plays right into the hands of the spammers because they know they can defeat the technical solutions well enough to stay in business. And if my guess is right, if spammers start turning more to social engineering and distributed e-mailing, then the best counter-defense will be reverse social engineering, IOWs: clues for the clueless.
On a sidenote: Back around 1997 I was a frequent user of ICQ and after a while got really fed up with all the inane rumors being spread. So one day I went through the history file and collected a couple dozen of the most ridiculous messages and posted them on a webpage along with simple, common sense debunking (and a heaping dose of sarcasm mixed with humor to keep it interesting). I wasn't expecting to accomplish much, maybe send the link to the people on my contact list when they forwarded a rumor... at best maybe the folks in my little corner of the ICQ network would wise up. That much of the plan worked; in a fairly short time period I stopped getting nearly any rumors. Then the URL to my webpage started getting forwarded... and forwarded and forwarded. Within a month, my little website hosted on Mindspring got ToS'ed due to excessive bandwidth usage. In fact, that's what eventually led me to FutureQuest, after a brief stay at Xoom and then several bad experiences with commercial hosts (already ranted about that elsewhere in the forum). Anyway, my little "ICQ Lies" page hasn't stopped the spread of rumors, but I think it did put a dent in them. Over the years I've heard from thousands of people who say that sending the URL to people on their contact list has significantly cut down on the flood of rumors they were receiving. Given the attention which the ICQ pages were getting, I also wrote some security-oriented pages geared toward newbies (i.e. they are written in a language called "English"). Those pages also generated a lot of positive feedback, particularly from newbies who said they had heard of "trojans" and "backdoors" but never really understood what they were. But what REALLY has encouraged me lately was hearing back from one of those former newbies and finding out that she is now quite versed in the workings of networks and trojans and setting up her own educational website.
The way I see it, my website is just a drop in the ocean, practically insignificant on its own, but if it can inspire other people to pick up the torch and run with it, then it really can make a difference, if only indirectly. And that's kind of the whole point behind this post... elsewhere in the forum the question has been raised: who is going to come up with the solution to stop spam? Well, I doubt it's going to be any one person or small group of academicians/engineers... and I'm quite certain it won't be Bill Gates. If a solution is going to be found, it will be a group effort. And that group will keep growing until spam becomes an anachronism of a bygone era.
But lest you think I'm a starry-eyed optimist, I also think spam will probably be replaced by something else just as annoying... as long as there are gullible people there will also be opportunists to prey upon them. But that's no reason not to work on the current problem, which is getting worse, not better. I'm willing to do my small part, how about you?
*rant mode off*
--Tom aka DiamondBack
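The bounce triage the post describes (discarding bounces that omit the original headers, then reading the earliest Received: hop of the rest and noticing that the origins cluster in consumer ISP address space) can be automated. The script below is an added example and is not code from the post or its author; the bounce messages, hostnames and addresses in it are constructed (documentation IP ranges stand in for "public" addresses, which is why the internal-network check is spelled out rather than relying on `ipaddress.is_private`, which would also flag those test ranges). It assumes the common DSN layout in which the original headers follow a separator line.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample bounces (DSN bodies). Each quotes the original spam's
# headers after a separator line, as most well-formed bounces do; the last
# one omits them, like the majority the post complains about. All hostnames
# and addresses are made up / documentation ranges, not real hosts.
BOUNCES = [
    """Subject: Undelivered Mail Returned to Sender

This is the mail system at host relay.example.org.
------ This is a copy of the message headers ------
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby relay.example.org with ESMTP id A1
Received: from pc-23.cable.isp-a.example (pc-23.cable.isp-a.example [198.51.100.23])
\tby mx1.example.net with SMTP id B1
From: joejob-victim@example.org
Subject: enlargement pills
""",
    """Subject: Delivery Status Notification (Failure)

------ This is a copy of the message headers ------
Received: from mx2.example.net ([192.0.2.11])
\tby relay.example.org with ESMTP id A2
Received: from localhost (localhost [127.0.0.1])
\tby mx2.example.net with ESMTP id B2
Received: from pc-77.cable.isp-a.example ([198.51.100.77])
\tby mx2.example.net with SMTP id C2
From: joejob-victim@example.org
Subject: enlargement pills
""",
    """Subject: Mail delivery failed: returning message to sender

------ This is a copy of the message headers ------
Received: from dsl-5.isp-b.example (dsl-5.isp-b.example [203.0.113.5])
\tby relay.example.org with SMTP id A3
From: joejob-victim@example.org
Subject: enlargement pills
""",
    """Subject: Undeliverable

Your message could not be delivered. No headers attached.
""",
]

# Separator used by the constructed bounces (an assumption; real DSNs vary).
HEADER_SEPARATOR = "------ This is a copy of the message headers ------"
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops that can never be the remote origin: loopback and RFC 1918 space
# (local content scanners, internal relays). Spelled out explicitly because
# ipaddress.is_private also covers the documentation ranges used above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def quoted_original_headers(bounce):
    """Return the quoted original header block, or None if the bounce omits it."""
    if HEADER_SEPARATOR not in bounce:
        return None
    return bounce.split(HEADER_SEPARATOR, 1)[1]


def received_lines(header_block):
    """Unfold continuation lines and return the Received: values, top to bottom."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_block)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith("received:")]


def origin_ip(bounce):
    """The first non-internal IP that handed the original message in, or None.

    Received: headers are prepended as a message travels, so the bottom-most
    one is the earliest hop; internal hops are skipped on the way up.
    """
    block = quoted_original_headers(bounce)
    if block is None:
        return None
    for value in reversed(received_lines(block)):
        m = IP_IN_BRACKETS.search(value)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            return str(addr)
    return None


def cluster_origins(bounces, prefix=24):
    """Count usable origins per /prefix network.

    Several origins inside one consumer ISP block, each sending a handful of
    messages, is the distributed-zombie pattern described in the post.
    """
    counts = Counter()
    for bounce in bounces:
        ip = origin_ip(bounce)
        if ip is None:
            continue
        counts[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return counts


if __name__ == "__main__":
    usable = sum(origin_ip(b) is not None for b in BOUNCES)
    print(f"{usable} of {len(BOUNCES)} bounces carried usable origin headers")
    for net, n in cluster_origins(BOUNCES).most_common():
        print(f"{net}\t{n}")
```

Grouping by /24 is a crude stand-in for grouping by ISP; with real data you would map each origin to its announcing network instead. Either way, the useful output for a defender is the count of distinct origins per network, not the bounce volume itself: it is what tells you whether to report the compromised hosts to their ISPs rather than feed the addresses to a blacklist that would later block innocent dynamic-IP users.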