On Wednesday 22 October 2003 12:56 pm, Anne Wilson wrote:

> > Since the worm uses its own SMTP engine or co-opts the Windows one
> > it may not matter whether she sent anything, and it would have been
> > possible for the worm to send copies of itself to any system that
> > it could find with its own scanning facility. With her address I
> > do believe. Without any record in sent mail.
>
> Not a nice thought.
<snip>
>
> Anne

Not sure if anyone else is aware of this or not, but discussions on the 
net.admin.abuse.email newsgroups are pointing to a new spammer scam going 
around.  Some not-very-nice hackers in former Soviet states, including 
Bulgaria, Latvia, and others have gotten together with spammers for financial 
reasons.  Might also be related to Russian organized crime, etc.  At any 
rate, they have created a couple of different trojan horse programs; these do 
not show up on anti-virus scanners because they do not self-propagate.  They 
get installed when people visit certain seeded websites that cause unsecure 
installations of IE (which they all are to my knowledge) to download and 
install the trojan code.  Once the machine has been compromised, it basically 
broadcasts its IP to select locations or IRC channels and these hackers add 
it to a list of zombied hosts that they use to route DNS requests as well as 
install unsecured open proxy software on in order to bounce spam through to 
avoid DNS blacklists.  Estimates by one Polish member of one of these gangs 
are that they are now in control of about 400,000 Windows machines running 
broadband connections in the US.  The only way to find them is to portscan 
the entire machine looking for listening SOCKS proxies.

Traffic from these machines is responsible for the shutdown of Osirusoft.com 
due to a DDoS attack from massive numbers of zombie PCs.  Monkeys.com is 
also offline after withstanding the first wave of attacks, only to be hit 
again.  Anyone running broadband on Windows that doesn't have a firewall that 
denies incoming connections on all but known ports is probably open to be 
compromised since you will never know that the site that you go to does not 
have nasty code waiting.  Currently, there is one known exploit for IE that 
remains unpatched so no version of that software can be considered secure 
against the installation of a trojan.  The patch that was put out by MS was 
confirmed to not actually fix the vulnerability.

If someone starts having issues and antivirus software doesn't locate the 
problem, they may want to consider that the machine may have been compromised 
by a trojan.

-- 
Bryan Phinney
Software Test Engineer
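
The check described in the message above (looking for listening SOCKS proxies on a machine), sketched as an added example that is not part of the original post. It assumes you are auditing your own host at 127.0.0.1 and only recognises the SOCKS5 greeting; SOCKS4 and HTTP proxies are not covered, and the names `probe_socks5` and `audit` are illustrative.

```python
import socket

# SOCKS5 client greeting: version 5, one method offered, method 0x00 = no authentication
SOCKS5_GREETING = b"\x05\x01\x00"


def probe_socks5(host, port, timeout=0.5):
    """Return 'open' if the port accepts unauthenticated SOCKS5,
    'socks' if it speaks SOCKS5 but refuses no-auth,
    or None if the port is closed or does not answer as SOCKS5."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(SOCKS5_GREETING)
            reply = b""
            while len(reply) < 2:          # the method-selection reply is exactly 2 bytes
                chunk = s.recv(2 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except OSError:                        # refused, timed out, reset
        return None
    if len(reply) != 2 or reply[0] != 5:   # some other service (SMTP banner, HTTP, ...)
        return None
    return "open" if reply[1] == 0 else "socks"


def audit(host="127.0.0.1", ports=range(1, 65536)):
    """Probe every port on the given host; return {port: verdict} for SOCKS5 listeners."""
    findings = {}
    for port in ports:
        verdict = probe_socks5(host, port)
        if verdict:
            findings[port] = verdict
    return findings


if __name__ == "__main__":
    for port, verdict in sorted(audit().items()):
        label = "unauthenticated SOCKS5 proxy" if verdict == "open" else "SOCKS5 listener"
        print(f"port {port}: {label}")
```

A port reported as an unauthenticated SOCKS5 proxy that you did not install yourself is the kind of listener the message describes and is worth tracing back to its owning process.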

