Paul Roberts, IDG News Service
Friday, July 11, 2003
Spammers based in Russia are using stealth and a sophisticated new
Trojan horse program to turn home workstations into unwitting hosts in
a pornography and spam distribution ring, say security experts.
The deceptive and potentially illegal practice came to the attention
of experts in late June and has been a topic of conversation among
spam fighters on Internet discussion groups since then, says Joe
Stewart, senior intrusion analyst with LURHQ, a Chicago-based managed
security services company.
Wandering Web Sites
Someone sending out spam e-mail pointing to spoofed PayPal Web sites
and Russian pornography sites appeared to be able to change the
addresses of his sites every few minutes, says Richard Smith, an
Internet security and privacy consultant based in Boston.
Smith stumbled on the problem in early July while investigating e-mail
messages pointing to a phony PayPal site. It was being used to harvest
personal financial information from customers of the online payment
service.
He reported the issue to the ISP that appeared to be the source of the
phony Web address. Then, Smith was surprised to see the same Web
domain associated with a different Internet address belonging to a
different ISP a few minutes later, and still another address a few
minutes after that.
"I said, 'Whoa! That's interesting'," Smith recalls.
After writing a program to monitor the Web sites associated with the
pornography and bogus PayPal domains, Smith collected the IP addresses
of hundreds of systems being used as hosts for the illicit content,
each for only a few minutes at a time.
The trick lies in a sophisticated Trojan horse program placed on the
remote systems and used by the spammer, according to Stewart. He
obtained a copy of the program from an infected system belonging to an
employee of one of LURHQ's customers.
The program, which Stewart dubbed "migmaf," acts as both a proxy
server for spam and a reverse proxy server for a master Web server
serving the spoofed and pornographic content, Stewart says.
Domain names and e-mail addresses for the pornography sites point to
Russia as the source, Smith says.
How Scam Works
In its capacity as a proxy server, the Trojan forwards outgoing spam
from its source to the intended recipient, replacing the source
address with its own IP address and covering the spammer's tracks.
As a reverse proxy server, the Trojan receives requests from spam
recipients who, for example, click on a link to a pornographic Web
site, and passes that along to the master Web server. That server
responds with the requested Web page and sends its content along to
the compromised computer, which then serves it to the requesting
machine, Stewart says.
Users never know where the content they're receiving is really coming
from, and the Web site's owners are shielded from pressure by their
ISP to shut down the site, according to Smith and Stewart.
Because such behind-the-scenes activity might eventually arouse the
suspicions of victims, each compromised user machine acts as a Domain
Name Service (DNS) host for the illicit Web domains for only 10
minutes. Then it is replaced by another compromised system known to
the spammer, Smith says.
To continually move Web properties around, the spammer installs DNS
software on the compromised machines, turning them into their own DNS
servers. Then, using features of DNS, the spammer sets a short
expiration, or "time to live" setting on what is referred to as the
DNS "host name mappings," which specify a relationship between a
domain name, such as www.ebay.com and a numeric Internet address,
Smith said.
Using online domain registration services like Network Solutions and
automated scripts, the spammer updates the host mapping information at
regular intervals, replacing the DNS address for one compromised
machine with that of another, Smith says.
Source of Trouble
Such techniques are attractive to spammers who wish to bypass IP
address blacklists, the most widely used antispam technology, says
Linus Upson, a spam expert for antispam company Qurb.
"As a spammer, you care about deliverability--getting spam into
people's mailboxes. A solution like this nullifies the most widely
used antispam technology," Upson says.
For spammers involved in fraudulent activity, hiding the source of the
spam is a way to avoid getting caught, he adds.
Neither Stewart nor Smith knew how the Trojan came to be installed on
the affected systems.
A virus such as W32.Sobig could drop it on systems, or a malicious
Active X control on a Web site could plant it on vulnerable machines,
Smith says. Or, the program could be distributed through the Internet
Relay Chat (IRC) network or peer-to-peer networks like Kazaa, Stewart
says.
While the new Trojan cannot spread itself like a virus, migmaf has
features that report the statistics of systems it compromises back to
the master Web server, according to an analysis by Stewart. The Trojan
can report on its current state and monitor the available bandwidth on
an infected system, Stewart says.
Spreading the Word
By dissecting a copy of the Trojan, Stewart traced the location of the
master Web server to a system owned by Houston Web-hosting company
Everyones Internet.
Everyones Internet did not respond to a request for comment, but
Stewart says the master Web server has been deactivated. Smith says
both the false PayPal and pornography Web sites are down.
Nevertheless, the new distribution system makes it extremely difficult
to track a source of illicit content and spam, according to Smith.
"It took Joe Stewart seven days to locate that server. It usually
takes a couple minutes," Smith says.
Like Kazaa and other peer-to-peer networks, the new spam network is
distributed and lacks a single point of failure, which will make it
difficult to dismantle, Smith adds.
They gave the sample Trojan program to major antivirus companies,
which are developing signatures to detect the stealth program, Stewart
says. However, he suspects multiple versions of the migmaf Trojan
exist, so it will be difficult to provide antivirus signatures for
them all.
Users are advised to install personal firewalls on any unprotected
home PCs, especially those with "always on" broadband Internet
connections, both security experts advise.
Even if the new Trojan becomes installed on a system, firewall
software can block the spammer's master server from communicating with
the infected host and making it a distribution point for spam or
pornography, they say.