Spammers are Virus Makers?


John Coutts

In case anyone has doubts about whether or not hijacked machines are being used
to spread Spam, I downloaded some statistics for our mail server from our
filtering service for Feb. 24, 2004.

84.4% of the IP addresses blocked were used only once.

89.7% of the IP addresses quarantined were used only once.

These statistics pretty much match our own Black List server.

It is difficult not to come to the conclusion that backdoor virus makers and
Spammers are one and the same.

J.A. Coutts

Frans Meijer

John said:
In case anyone has doubts about whether or not hijacked machines are being used
to spread Spam, I downloaded some statistics for our mail server from our
filtering service for Feb. 24, 2004.

84.4% of the IP addresses blocked were used only once.

89.7% of the IP addresses quarantined were used only once.

These statistics pretty much match our own Black List server.

It is difficult not to come to the conclusion that backdoor virus makers and
Spammers are one and the same.

Actually it is difficult to come to that conclusion based on your data. Your
data seems to suggest that these forms of abuse are acted upon in 80-90% of
the cases.

What would be more 'conclusive' is a percentage of hosts that send viruses
some time before sending spam.

kurt wismer

Frans said:
Actually it is difficult to come to that conclusion based on your data.
Your data seems to suggest that these forms of abuse are acted upon in
80-90% of the cases.

What would be more 'conclusive' is a percentage of hosts that send
viruses some time before sending spam.

if the number of instances of spam trapped is large (like 100s of
thousands) and 90% are 1 time only IPs, that is very suggestive of
'owned' boxes used to send out spam (because there just can't be that
many spammers)... and it's hard to get back doors onto that many boxes
without some sort of self-replication mechanism helping it along...

John Coutts

if the number of instances of spam trapped is large (like 100s of
thousands) and 90% are 1 time only IPs, that is very suggestive of
'owned' boxes used to send out spam (because there just can't be that
many spammers)... and it's hard to get back doors onto that many boxes
without some sort of self-replication mechanism helping it along...
****************** REPLY SEPARATOR *******************
You hit the nail on the head. All the most recent viruses (especially MyDoom)
installed back doors. People question why MyDoom shut itself down on Feb. 12.
It terminated itself because its job was essentially done (installation of the
back door), and by shutting down it does not attract as much attention.

It could conceivably be argued that these statistics were only for a single
day, and that the same IP could be used again tomorrow. Well, here are the
weekly statistics:

Week of Feb. 18, 2004 to Feb. 24, 2004
81.1% of IP addresses quarantined were used only once
79.1% of IP addresses blocked were used only once

and they tell pretty much the same story. Where on earth would a spammer get
that many different IP addresses that he could afford to use them only once a
week?
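The "used only once" figures John quotes, and the "sent a virus before sending spam" metric Frans asks for, can both be computed from a mail filter log. The script below is an added illustration, not code from any poster or from the filtering service; the log format (timestamp, client IP, verdict) and the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a filter log (hypothetical format): timestamp,
# connecting client IP, verdict assigned by the filter.
SAMPLE_LOG = """\
2004-02-24T00:12:03 10.0.0.5 virus
2004-02-24T01:40:17 10.0.0.5 spam
2004-02-24T02:05:44 10.0.0.9 spam
2004-02-24T03:11:08 10.0.0.12 spam
2004-02-24T03:12:31 10.0.0.12 spam
2004-02-24T04:00:00 10.0.0.20 virus
2004-02-24T05:30:21 10.0.0.33 spam
2004-02-24T06:45:10 10.0.0.41 spam
2004-02-24T07:15:55 10.0.0.20 spam
2004-02-24T08:20:00 10.0.0.50 clean
"""

def parse_log(text):
    """Return (timestamp, ip, verdict) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, verdict = line.split()
        events.append((datetime.fromisoformat(ts), ip, verdict))
    return sorted(events)

def single_use_fraction(events, verdict):
    """Share of distinct IPs that produced exactly one message of this verdict
    (the statistic John quotes for blocked/quarantined addresses)."""
    counts = defaultdict(int)
    for _, ip, v in events:
        if v == verdict:
            counts[ip] += 1
    if not counts:
        return 0.0
    return sum(1 for c in counts.values() if c == 1) / len(counts)

def virus_then_spam_fraction(events):
    """Share of spam-sending IPs that had already sent a virus earlier
    (the metric Frans proposes). Relies on events being time-sorted."""
    first_virus, spam_ips, flagged = {}, set(), set()
    for ts, ip, v in events:
        if v == "virus":
            first_virus.setdefault(ip, ts)
        elif v == "spam":
            spam_ips.add(ip)
            if ip in first_virus and first_virus[ip] < ts:
                flagged.add(ip)
    return len(flagged) / len(spam_ips) if spam_ips else 0.0
```

On the sample, five of six spam-sending IPs appear once (83%), but only two of six sent a virus first, which is the kind of gap Frans's metric is meant to expose.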

Gabriele Neukam

On that special day, John Coutts, ([email protected]) said...
You hit the nail on the head. All the most recent viruses (especially MyDoom)
installed back doors. People question why MyDoom shut itself down on Feb. 12.
It terminated itself because its job was essentially done (installation of the
back door), and by shutting down it does not attract as much attention. ....
Where on earth would a spammer get
that many different IP addresses that he could afford to use them only once a
week?

There is even proof that worm and trojan programmers (BTW: they even
aren't the best in these professions) sell hijacked machines to
spammers.

The heise Verlag (a German publisher of computer related paper
magazines) published a report in its most recent issue of the "c't",
from page 18 on, on how a student found the machine of one of his
cohabitants in their students' home to be infected with a randex
variant, and disassembled it.

The student managed to locate the "creator" of this thing, made in a
click-click way, from a SD-Bot construction kit, and talked him into
confessing that he programmed the trojan. It was an IRC-Drone that would
spread by using weak passwords on shares, download a proxy software
named "winsock32.exe", steal C&C Generals CD keys and allow for DDoS
attacks. After a while the author found that spammers will pay for open
proxy addresses and sold his hostages to them.

Of course, after identifying the programmer, he was reported to the
police. It was only possible to get hold of him because he was so dumb
as to brag about his deeds. Others who don't talk will probably stay
undetected.


Gabriele Neukam