YOU could be unknowingly sending spam!

  • Kevin P
    Member
    • Aug 2000
    • 10809

    YOU could be unknowingly sending spam!

    If your computer is unprotected and on the Internet, it could be used to send spam out through YOUR Internet connection. Don't believe me? Read on...

    Everyone hates spam. (Well, everyone except for those who profit from spamming, but then those are the spammers, and we hate them too!) But did you know that spammers have been enlisting the services of virus writers to create viruses which, when they infect your computer, turn it into a spam-relaying zombie? Several high-profile viruses over the past few months were likely created just for this purpose. Sobig, Mimail, Bagle, Mydoom. Names ring a bell? These viruses either open a backdoor into your system, or download additional code from Internet sites to install backdoor trojans.

    Once one of these trojans is installed and running on your computer, it either listens for a connection from a spammer, or sends information to the spammer, advertising its presence. Once a spammer finds the zombie, he uses it to send out spam mail, from the infected zombie computer. The end user is normally unaware that this is happening, until his ISP terminates his Internet service. With the increasing popularity of home broadband, high-speed Internet connections, more and more machines are popular targets for hackers and spammers.

    So why am I posting this? Because I have FIRST HAND experience with this phenomenon. Ever since the Mydoom.A worm started spreading in late January, thousands of infected PCs have had a backdoor opened by Mydoom. This backdoor allows any .EXE file to be sent to it, and it is executed automatically. As a test, I set up a "honeypot", basically a machine set up to "act" like it was infected with Mydoom and accepting connections on the backdoor. However, instead of executing the incoming code, it would store it for later examination. I ran this honeypot for about a month, and it captured hundreds of nasties. Not all of them are detected by popular anti-virus software. And some of them are designed primarily to be spam proxies.

    In particular, a recent trojan, a variant of Agobot, called Phatbot, appeared. It opens a proxy on TCP port 65506. When I learned of this, and started seeing scans on this port, I was curious and planted a honeypot on this port as well. At first there wasn't much interesting going on, mostly connections made but no data passed. Then, tonight, the flood gates opened. A dozen or so spammers latched on to my honeypot, thinking it was one of their precious spam zombies, and started hammering on it like I've never seen before. Fortunately, my honeypot didn't respond to their queries so no spam was transferred, but spammers are stupid. I was seeing close to 3,000 hits per hour on the port. I quickly shut down the honeypot and blocked the port on the firewall, hoping that the "Sorry, we're closed" sign would cause them to turn away. They didn't. They pelted my firewall like mosquitoes against a screen on a hot summer night. How clueless. In order to stop the relentless attacks, I had to release my IP and request a new one (my ISP uses dynamic IP addresses, so this wasn't hard to do).

    But, anyone who opened a Mydoom attachment, or a Bagle attachment, could be sending out spam as we speak. Possibly thousands of emails an hour. Anyone tracing the source of the spam is going to find the trail leads to an innocent, ignorant user's computer, NOT the spammer or hacker who is really the guilty party. Spammers like unprotected computers because they can route their crap through them and not be caught. There are hundreds of thousands of these zombie machines all over the Internet. I know my post won't stop the majority of them, but if it makes one infected user, or ten infected users, clean up his/her system and install a firewall, I'll feel I've made a small, though not insignificant, dent in the problem.

    I urge everyone on here to check their systems. If you don't have a firewall, install one. If you don't have anti-virus software, get some. If you have anti-virus, and you're not keeping it up to date, get it up to date. And for Heaven's sake, if your computer is infected, do something about it. Reformat and reinstall if you have to. Get a firewall up before reconnecting to the net, then run Windows Update and install ALL the critical patches. That may sound harsh, but it's the most surefire way to get rid of some of these nasties.

    I'll be glad to provide additional information to anyone who needs it. I'll post a couple quick links to places that have free firewall and anti-virus software so you have a place to go.

    This is a long post, but I feel it's important to get this information out to as many people as I can.

    A good, free firewall is Zone Alarm. Download it from here: http://www.zonelabs.com
    A free anti-virus program, called AVG, is available from Grisoft here: http://www.grisoft.com

    If you have broadband, you may want to invest in a router. It can act as a hardware firewall, though you should still run a software firewall to protect against outbound threats.

    If anyone has any questions about this, feel free to ask me. This is a long rant, and I'm getting tired. Thanks for listening.

    KJP

    Official Computer Geek and Techno-Wiz Guru of HTGuide - Visit Tower of Power
    My HT Site
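
The honeypot described in the post above, as an added example that is not Kevin's own code: a TCP listener that accepts connections on a backdoor-style port, counts every hit, and stores whatever bytes the peer sends (with a SHA-256 digest for later lookup) instead of executing them. The port constant, the size cap, the timeouts and the `send_probe` helper that stands in for a peer dropping a file are all assumptions made for this example; the sample payload is constructed and is not malware.

```python
import hashlib
import socket
import socketserver
import threading
import time
from dataclasses import dataclass, field

# Hypothetical defaults for the example: the thread mentions the Phatbot proxy
# on TCP 65506, but any port works, and the demo below binds port 0 instead.
EXAMPLE_PORT = 65506
MAX_CAPTURE_BYTES = 1_000_000   # cap what one connection may leave in memory
READ_TIMEOUT_SECONDS = 2.0      # give up on peers that connect but send nothing


@dataclass
class Capture:
    peer: str            # "ip:port" of the connecting host
    received_at: float   # time.time() when the connection finished
    payload: bytes       # raw bytes the peer sent; stored, never executed
    sha256: str          # digest for deduplication and later AV lookup


@dataclass
class HoneypotState:
    hits: int = 0                                    # every connection, data or not
    captures: list = field(default_factory=list)     # only connections that sent bytes
    lock: threading.Lock = field(default_factory=threading.Lock)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CaptureHandler(socketserver.BaseRequestHandler):
    """Read whatever the peer sends, record it, and answer nothing.

    The real Mydoom backdoor would run the bytes as an .EXE; this handler
    only stores them, which is the whole point of the honeypot."""

    def handle(self):
        self.request.settimeout(READ_TIMEOUT_SECONDS)
        chunks, total = [], 0
        try:
            while total < MAX_CAPTURE_BYTES:
                data = self.request.recv(4096)
                if not data:              # peer closed its side
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:
            pass                          # idle probe: a hit with no payload
        payload = b"".join(chunks)
        peer = "%s:%d" % self.client_address[:2]
        state = self.server.state
        with state.lock:
            state.hits += 1
            if payload:
                state.captures.append(
                    Capture(peer, time.time(), payload, sha256_hex(payload)))


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, state: HoneypotState):
        super().__init__(address, CaptureHandler)
        self.state = state


def start_honeypot(host: str = "127.0.0.1", port: int = EXAMPLE_PORT):
    """Start the listener in a background thread; port 0 picks a free port."""
    state = HoneypotState()
    server = Honeypot((host, port), state)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, state


def send_probe(host: str, port: int, payload: bytes) -> None:
    """Constructed stand-in for a peer's drop: connect, push bytes, hang up."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)     # EOF tells the handler we are done
        try:
            sock.recv(1)                  # returns b"" once the honeypot closes
        except OSError:
            pass


def wait_for_hits(state: HoneypotState, count: int, timeout: float = 5.0) -> bool:
    deadline = time.time() + timeout
    while time.time() < deadline:
        with state.lock:
            if state.hits >= count:
                return True
        time.sleep(0.05)
    return False


if __name__ == "__main__":
    server, state = start_honeypot(port=0)          # port 0: no privileges needed
    host, port = server.server_address[:2]
    send_probe(host, port, b"MZ\x90\x00 constructed sample, not real malware")
    send_probe(host, port, b"")                     # bare connect, no data
    wait_for_hits(state, 2)
    print("hits:", state.hits, "captures:", len(state.captures))
    for c in state.captures:
        print(c.peer, len(c.payload), "bytes", c.sha256)
    server.shutdown()
    server.server_close()
```

The handler never writes anything back, which matches the post's observation that a silent honeypot still gets hammered: the hit counter alone tells you how busy the port is, while the capture list holds only the connections that actually delivered a file.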
  • Lex
    Moderator Emeritus
    • Apr 2001
    • 27461

    #2
    Great post Kevin, very interesting too!!!

    He speaks the truth my friends, trust me...

    I recently had a polybot worm get on my system at work. I think something very similar was going on with it. It came in through a backdoor because stupid XP didn't alert me to new security updates I think. Plus, my work doesn't seem to take security seriously enough at times.

    Lex
    Doug
    "I'm out there Jerry, and I'm loving every minute of it!" - Kramer


    • ThomasW
      Moderator Emeritus
      • Aug 2000
      • 10934

      #3
      Interesting info Kevin....... :B

      One of my more lazy fixes is to use a little program called MailWasher to prescreen all my email. It allows you to both see and read the contents of your email while it's still on the POP server. The program will delete and bounce any email while it's still on the POP server. So little nasties never get downloaded to your PC.

      Other than the obvious protection from 'nasty-grams'; the other HUGE benefit is that bouncing spam will over time, eliminate your email address/addresses from the spammers lists. I have 11 active email accounts, and in a given week I'll get no more than a total of 2 or 3 spam messages. Frequently I go a week or more and won't receive any spam. :T

      That being said I do use both hardware and software firewalls........

      IB subwoofer FAQ page


      "Complicated equipment and light reflectors and various other items of hardware are enough, to my mind, to prevent the birdie from coming out." ...... Henri Cartier-Bresson


      • stockzguy
        Junior Member
        • Jun 2004
        • 1

        #4
        Just an FYI on port 65506

        Ah yes, the legions of computers that are attempting to connect via remote port 65506 via TCP. I've sent out a pre-formed email to so many ISPs and, get this, universities that have ALL their .edu servers infected. Nice, huh? I'm still logging hits and connection attempts on port 65506. The most hits were about 300 one day and I'm nobody. That's right, I am just a plain tech-savvy guy using my home box. It never ceases to amaze me that people don't use or even bother (lazy) to check on their firewalls. Port 65506, if they are even using ZA, wouldn't that raise a red flag? Hello? I'm not using ZA, I'm using Outpost, so every attempt is logged and disconnected. I got so fed up with the attempts that I d/l a portblocker. Then I disabled the portblocker and voilà, we have more infected computers out there. Getting to be a big pain. Oh boy, as I'm typing this another attempt on 65506. My favorite quote peeps: “Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.” - Albert Einstein
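
The logging and ISP-notification routine stockzguy describes, as an added example that is not his code or Outpost's: it parses blocked-connection records, counts attempts against TCP 65506 per day, lists the sources that keep coming back, and builds the first-seen/last-seen summary a pre-formed abuse email needs. The log layout is a generic one constructed for this example (not the real Outpost or ZoneAlarm format), the addresses are documentation ranges, and the `threshold` parameter is an assumption.

```python
import re
from collections import Counter

PROXY_PORT = 65506   # the Phatbot proxy port discussed in this thread

# Constructed sample log in a generic "date time ACTION PROTO src:port -> dst:port"
# layout; the addresses come from documentation ranges, not real hosts. The
# truncated line near the end shows that unparseable entries are skipped.
SAMPLE_LOG = """\
2004-06-12 08:14:02 BLOCKED TCP 198.51.100.23:3121 -> 192.0.2.10:65506
2004-06-12 08:14:05 BLOCKED TCP 198.51.100.23:3122 -> 192.0.2.10:65506
2004-06-12 09:30:11 BLOCKED TCP 203.0.113.77:1034 -> 192.0.2.10:65506
2004-06-12 09:31:40 BLOCKED TCP 203.0.113.77:1035 -> 192.0.2.10:80
2004-06-13 01:02:03 BLOCKED TCP 198.51.100.23:3300 -> 192.0.2.10:65506
2004-06-13 01:02:09 BLOCKED TCP 192.0.2.200:4000 -> 192.0.2.10:65506
2004-06-13 01:02:10 BLOCKED TCP 192.0.2.200:4001 -> 192.0.2.10:65506
2004-06-13 01:05:00 truncated entry
2004-06-13 01:02:11 BLOCKED TCP 192.0.2.200:4002 -> 192.0.2.10:65506
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>[A-Z]+) (?P<proto>[A-Z]+) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) -> (?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the layout are dropped."""
    records = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def hits_per_day(records: list, dport: int = PROXY_PORT) -> Counter:
    """How many attempts reached the watched port on each day."""
    return Counter(r["date"] for r in records if r["dport"] == dport)


def repeat_sources(records: list, dport: int = PROXY_PORT, threshold: int = 2) -> list:
    """Sources with at least `threshold` attempts, busiest first; these are the
    hosts most likely infected and worth reporting to their ISP."""
    counts = Counter(r["src"] for r in records if r["dport"] == dport)
    return sorted(((src, n) for src, n in counts.items() if n >= threshold),
                  key=lambda pair: (-pair[1], pair[0]))


def abuse_report(records: list, src: str, dport: int = PROXY_PORT):
    """Facts for a pre-formed abuse email: attempt count and first/last seen."""
    seen = sorted("%s %s" % (r["date"], r["time"])
                  for r in records if r["src"] == src and r["dport"] == dport)
    if not seen:
        return None
    return {"src": src, "dport": dport, "attempts": len(seen),
            "first_seen": seen[0], "last_seen": seen[-1]}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("attempts per day:", dict(hits_per_day(recs)))
    for src, n in repeat_sources(recs):
        print(src, n, abuse_report(recs, src))
```

Only the destination port is used to decide what counts as a hit, so a scan of the same hosts against port 80 (the fourth sample line) does not pollute the 65506 totals; the per-source list is what turns "300 hits in a day" into a short list of machines someone can actually be told about.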


        • H.T.C
          Senior Member
          • Nov 2003
          • 368

          #5
          I just want to know why Norton won't upgrade their Internet Security to get rid of spyware like McAfee has?
          Robert


          • Kevin P
            Member
            • Aug 2000
            • 10809

            #6
            Originally posted by H.T.C
            I just want to know why Norton won't upgrade their Internet Security to get rid of spyware like McAfee has?
            The 2004 version of NAV/NIS can detect certain spyware, but it won't remove them. I prefer Ad-Aware and Spybot S&D for spyware removal duties.
