Spammers exploit high-speed connections, careless users

[InfoSec News <isn () c4i org>]

http://www.usatoday.com/tech/news/computersecurity/2004-02-16-zombie-menace_x.htm

[I've said it once, I'll say it again, the home and small business 
users of high-speed broadband internet services need a financial 
incentive to use firewalls and anti-virus. 

The only way that's going to happen, is to tell the users, if you use
an authorized firewall and A/V solution, you will pay less on your
monthly internet service than if you just plugged your cable modem
into the back of your computer.

Joe Sixpack doesn't care about internet security, he's too busy
looking for the latest version of Paris Hilton's movie to learn about
the latest worm clogging things up, I'm willing to bet people would be
more willing to save few bucks in the long run over having to teach
them why you really need a firewall and A/V software.  - WK]

-=-

By Anick Jesdanun
Associated Press
2/16/2004

NEW YORK - Next time you're looking for a culprit for all that junk
mail flooding your inbox, have a glance in the mirror. Spammers are
increasingly exploiting home computers with high-speed Internet
connections into which they've cleverly burrowed.

E-mail security companies estimate that between one-third and
two-thirds of unwanted messages are relayed unwittingly by PC owners
who set up software incorrectly or fail to secure their machines.

David Lawrence, 43, owns such a computer, which turned into a "spam
zombie" when a virus infected it in October. Five or six spammers were
using his cable modem to remotely send pitches for products like
Viagra and boosters for cell phone signals.

"Spammers and the people who write these viruses ... is their life so
void that they feel they have to mess up other people?" said Lawrence.  
"To me, it's criminal."

The self-employed businessman from Tifton, Ga., said he learned of his
computer's culpability when his Internet service got suspended. "I
called to find out what was going on because I knew I had the bill
paid," he said.

Lawrence is by no means alone.

Hundreds of thousands of computers worldwide have been infected by
SoBig and other viruses that are programmed to spawn gateways, known
technically as proxies, to relay spam. Though Lawrence had antivirus
software, he hadn't kept it updated.

It's ironic to the president of the security Web site
myNetWatchman.com, Lawrence Baldwin, that those afflicted by spam are
also often its couriers.

"That's further encouragement, justification for taking responsibility
for your own system," said Baldwin. "If you don't, you can be part of
the very problem you're complaining about."

Any Internet-connected computer could be running a proxy spam relay,
but most of the malicious programs are written specifically for PCs
that run Windows.

In the past, some spammers had sought out and exploited
Internet-connected computers with misconfigured networking software.  
The latest and growing threat is code purposely written to create spam
relay proxies as it is spread by malicious viruses.

"It's just going to get worse," said Ken Schneider, chief technology
officer at spam-filtering company Brightmail Inc. "Traditionally,
virus writers were driven more by reputation and trying to impress
each other. Now there's an economic motive."

Just last week, a proxy program called Mitglieder began installing
itself on computers infected by last month's Mydoom outbreak, said
Mikko Hypponen, manager of antivirus research at F-Secure in Finland.  
He said such programs can also sneak in if computer owners fail to
install patches to fix known Windows flaws.

The shift in spamming methods even prompted the Federal Trade
Commission to issue a consumer alert last month. The advisory
encouraged consumers to use antivirus and firewall programs and to
check "sent mail" folders for suspicious messages.

Others say home users should also keep their Windows operating systems
up to date by visiting windowsupdate.microsoft.com.

"If your computer has been taken over by a spammer, you could face
serious problems," the FTC advisory wrote. "Your Internet Service
Provider (ISP) may prevent you from sending any e-mail at all until
the virus is treated, and treatment could be a complicated,
time-consuming process."

In the early days, spammers sent out junk messages directly from their
machines. ISPs easily found them and closed their accounts.

Spammers then looked for so-called open relays.

These are typically mail servers at ISPs, often in Asia or South
America, carelessly configured so that anyone on the Internet can send
mail through them without needing a password. The relays make messages
appear to have come from an ISP, not the spammer.

But ISPs and anti-spam activists soon identified many of the
open-relay machines and either pressured their owners to stop or
blocked messages from them.

Stymied by a more concerted effort by ISPs to lock down their Internet
mail servers, the spammers turned to the less vigorously protected
home machines.

They are abundant and simple to find. Spammers can cover their tracks
and become virtually untraceable.

"It pains me to say it, but it's very clever of the spammer to have
thought of this, getting legitimate PCs to send spam on their behalf,"  
said Andrew Lochart, director of product marketing at e-mail security
company Postini.

Steve Atkins, chief technology officer at the anti-spam consultancy
Word to the Wise, said some ISPs continue to be plagued by open-relay
techniques, but spammers generally don't bother with them anymore
because it's so much easier to have success with home machines.

Where much of the spam previously flowed through China, South Korea,
Brazil and other countries whose ISPs left many relays open, it's now
being hastened by a North American trend: more high-speed cable and
DSL connections at home.

Such proxies are especially frustrating for ISPs to identify and
block, said Mary Youngblood, abuse team manager at EarthLink Inc. She
said some stay open only for a few hours and disappear by the time
ISPs catch on, while newer ones reconfigure themselves constantly like
chameleons on a single machine.

The more versatile the open proxy, the longer it takes to isolate.

John Levine, co-author of "Fighting Spam for Dummies," said the
proliferation of proxies could force ISPs to take such measures as
limiting how many messages a customer can send in a given time period.

In the meantime, ISPs are often being forced to cut off their own
customers.

"As a customer, to have someone just arbitrarily shut me off, that
would more than mildly displease me," said Walt Wyndroski, network
operations manager for CityNet, which had shut down Lawrence. "We try
to think from the customer's standpoint, but we also have to look at
the larger view of the health of the network itself."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.