[Dshield] Spam related but kind of interesting

JD lists at webcrunchers.com
Fri Dec 26 20:04:10 GMT 2003


On Dec 26, 2003, at 6:14 AM, Chris Brenton wrote:

> So when I 550 the spammers inbound message, _another_ relay tried again
> 20 minutes later. The time interval varies between 10-50 minutes, but
> the pattern is always the same (at least from this one spammer). I'm
> sure this is to get around banned IPs. Obviously this speaks of an
> intelligent master-->zombie config which tells me these zombies have to
> be calling home at the end of a run to report the results of their
> spamming attempt. It also speaks to a rather large network, as I've
> never seen this spammer use the same IP twice.

Sounds like what you are getting is from a shitload of infected zombies,
as you described above. How are you able to sniff this traffic?
Are you logging all of this? Can you pinpoint the exact time it
started? If so, look just before that time to see just when a scan
might have taken place; you might even be lucky enough to nail a
real un-spoofed IP address. If so, it might be the IRC server the
hackers/spammers are working through.

> I'm starting to wonder if these boxes were taken over via social
> engineering, as I'm not seeing a consistent pattern to the OS or the
> config. If so, that could mean this spammer is responsible for one of
> the back door e-mails that have been floating around. This is kind of
> smart as they are less likely to get trapped in a honeypot because they
> are not hitting random systems, just the ones with someone behind the
> keyboard who clicks through.
>
> Anyone have any additional thoughts or ideas on this?

I would venture to say you are possibly right. I've known for years that
certain spam gangs in my "radar" have been setting up their own boxen
at co-lo sites, but not actively using them. Most are Linux, and can be
configured to make fingerprinting difficult.

This is now becoming yet another way for spammers to smut their stuff.
They would set up a shitload of boxen on inactive networks on standby,
then when the time is right (usually on holidays, when the ISP is least
likely to notice), they go for a one night stand and spam like crazy,
but also use the boxen for a trojan controller, through another secret IRC
somewhere else, which is the real one running the bot to control the zombies.
The next day, they shut everything down and wait for the dust to settle.

John
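The retry pattern Chris describes (a 550 reject followed by another attempt from a different relay 10 to 50 minutes later, never reusing an IP) can be pulled out of mail server logs. The script below is an added example and not from anyone in this thread; it assumes a simplified postfix-style reject line format and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reject lines in a simplified postfix-like format (not real traffic).
SAMPLE_LOG = """\
Dec 26 06:14:02 mx smtpd: reject: RCPT from unknown[198.51.100.7]: 550 blocked; from=<deal@spam.example> to=<cb@example.org>
Dec 26 06:31:45 mx smtpd: reject: RCPT from unknown[203.0.113.22]: 550 blocked; from=<deal@spam.example> to=<cb@example.org>
Dec 26 07:20:10 mx smtpd: reject: RCPT from unknown[192.0.2.140]: 550 blocked; from=<deal@spam.example> to=<cb@example.org>
Dec 26 07:21:00 mx smtpd: reject: RCPT from unknown[192.0.2.140]: 550 blocked; from=<deal@spam.example> to=<cb@example.org>
Dec 26 09:00:00 mx smtpd: reject: RCPT from unknown[198.51.100.9]: 550 blocked; from=<news@other.example> to=<cb@example.org>
"""

# Assumed line layout: syslog timestamp ... client[IP]: 550 ... from=<sender>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?\[(?P<ip>[\d.]+)\]: 550 .*?from=<(?P<sender>[^>]*)>"
)

def parse_rejects(text, year=2003):
    """Yield (time, client_ip, sender) for every 550 reject line; syslog lacks a year, so one is supplied."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["sender"]

def find_rotating_retries(text, min_gap=timedelta(minutes=10), max_gap=timedelta(minutes=50)):
    """Per sender, count consecutive 550 rejects that come back from a *different*
    client IP inside the retry window. Returns {sender: {"ips": set, "retries": n}}."""
    by_sender = defaultdict(list)
    for ts, ip, sender in parse_rejects(text):
        by_sender[sender].append((ts, ip))
    report = {}
    for sender, events in by_sender.items():
        events.sort()
        retries = 0
        for (t0, ip0), (t1, ip1) in zip(events, events[1:]):
            if ip0 != ip1 and min_gap <= t1 - t0 <= max_gap:
                retries += 1
        if retries:
            report[sender] = {"ips": {ip for _, ip in events}, "retries": retries}
    return report

if __name__ == "__main__":
    for sender, info in find_rotating_retries(SAMPLE_LOG).items():
        print(f"{sender}: {info['retries']} rotating retries from {len(info['ips'])} distinct IPs")
```

A same-IP retry a minute later (as in the fourth sample line) is ordinary MTA behaviour and is deliberately not counted; only the change of relay inside the window is flagged.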
