Spammers Duke It Out In Online Turf War

Just as thugs and drug dealers jealously guard their street corners with destructive turf wars, online spammers and other shadowy characters have been known to attack one another for control over virtual real estate. This week, security experts spotted a nasty tussle brewing between criminals who operate two of the largest networks of hijacked computers used to blast out spam.

This latest cyber crime feud stars the folks behind the massively successful "Storm worm," and the crooks responsible for unleashing the recent Mpack online attack tool. The Storm worm surfaced earlier this year, initially posing as video clips of a European windstorm that killed dozens of people. Computers infected with it were merged into a botnet whose sole purpose appears to be using them to relay junk e-mail. Storm also plants a "rootkit," or set of files designed to hide the malicious software from security programs and prevent its removal.

This month's Mpack attack tool apparently removes a number of rootkits from computers it infects, to make room for its own. Rootkits have a tendency to make infected systems unstable and prone to crashing, and multiple rootkits on a single machine often render the host unusable.

Apparently, the Storm worm folks weren't too happy about this development. They are currently attacking the Web server that Mpack uses to fetch configuration files for spam runs, according to MyNetWatchman, a company that monitors hacking and spamming activity.

The individuals behind the Storm worm have launched similar attacks against security researchers and groups working to stymie the operations of cyber criminals. It's nice to see the bad guys training the big guns on each other for a change.

By Brian Krebs |  June 29, 2007; 3:39 PM ET From the Bunker

Comments

Last night I received about 800-1000 bounced messages from my email account. I ran a number of scans, but it looks like all of the messages were spoofed and nothing was sent from my computer. This is the third time this domain name has been hit.

Not really anything I can do on my end, but I noticed there have been entries of my domain in a spammer blacklist. So there are repercussions. I have to submit a report to two of the lists and explain that I have never sent any unsolicited commercial email to get them removed.

Hopefully these spam cartels can take each other out.

Posted by: PJ | June 29, 2007 6:17 PM

In the second paragraph, shouldn't the hyperlink at "botnet" go to http://en.wikipedia.org/wiki/Botnet ?

Posted by: Cole Kitchen | June 30, 2007 10:30 AM

Spam is another complacency issue, but complicated by obfuscation. So, first, a clarification:

UBE -- Unsolicited Bulk E-mail -- is more than one substantially the same missive sent to one or more addressees, without the express informed consent of the holder of that/those target INBOXes. That for which you gave informed consent is not spam, even if you don't want it any more. The bulk mail for which you did not give informed consent is spam, even if it is now interesting, and you might have given consent if given the opportunity.

It is really that simple.

The content: Analysis of the content of a suspected spam is only useful in determining whether it is from someone to whom you gave informed consent, and whether it matches the informed consent you gave. It doesn't matter if it is a religious message, a political message, an offer of a product or service, a pump-n-dump stock "tip" or some phish attempting to steal your private information. It doesn't even matter if it has a virus or spyware payload. It matters if you gave informed consent for it.

The spammer is the person who is supposed to be in control of the system which sent spam to you. There may be another spammer actually controlling that machine as a "bot", but it is the person who is supposed to be in control of that machine who is the spammer. It may be a "granny" who thinks she only sends mail to keep up with grandkids photos. It may be your auditor, software supplier, or even your Internet Service Provider (ISP). It may be due to badly designed and/or set up mail software (bounces of messages you did not send), or some run-away webmail interface.

With spam levels reaching the high-80s% to 99% of all e-Mail sent, people are actually withdrawing from any participation in e-Mail because of it. Spam is killing the "killer-app" of the internet. Spam makes Sarbanes-Oxley compliance more difficult, and costs both business and private users more in both out-of-pocket and time costs.

Roger Ebert's "Boulder Pledge" has been largely consigned to history, and the AGIS IDP (Internet Death Penalty) along with it. Spammers, today, are often considered "too big to block", and those watchmen (and ladies) trying to identify the spammers to provide warning, are often under attack.

The only spam blocking that has ever worked well is blocking the sender of it. ISPs could cut off infected "bots" if the legitimate mail they carry, and indeed, their very business depended upon them eliminating the spam leaving their networks. The "IDP" above means shunning networks that spew spam or other abuse -- refusing their traffic of any kind. When enacted and broadly followed, it puts financial pressure on the spammer. It lasts until that spammer is no longer present on the internet from that address range, unless the reaction by the spam spewer is immediate. When enacted against an Internet Service Provider, that provider no longer has that service to sell. And, when it is their own spam, they no longer have that pipeline to send it to you. Without the IDP, there is no significant pressure on the ISP (or other entity) to stop the spam.

So, how does YOUR connectivity stack up?

At http://www.spamhaus.org/sbl/index.lasso is one of the references on the internet where you can look up your ISP to see how spammy they are. How bad is your ISP? Are you supporting a spammer with your business? Worse, is your ISP in the top ten spammers on the internet: http://www.spamhaus.org/statistics/networks.lasso

Does your ISP support the worst spamgangs in the world? Like those in Brian's article above? Check http://www.spamhaus.org/statistics/spammers.lasso

Or are you complacent about spam? Somebody else's problem? Do you realize how much safer your e-Mail would be, if a grassroots cleanup took the worst spammers off the internet? Are you part of that grassroots?

Posted by: Thoroughly Disgusted | July 1, 2007 11:34 AM

It seems the Washington Post has some botnets on its system. My firewall is currently blocking outgoing traffic to 12.129.147.65, and this was prior to my visiting the site... Google got me here.
The firewall is ZoneAlarm Pro Security Suite. Aren't bots just soooo much fun?

Good luck tracking down said botnet.

Posted by: john | August 31, 2007 8:29 PM


©  The Washington Post Company