Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Petri Helenius
Avleen Vig wrote:

> Personally I'm in favour of specific port filtering, and charging a
> (small) premium ($10 a month?) to be able to run servers on residential
> broadband connections.

So you are happy to pay a $10 premium for your VoIP phone if it allows
inbound calls?

Pete




Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Suresh Ramasubramanian
[EMAIL PROTECTED] writes on 10/10/2003 4:39 PM:
> Why don't you come to the next NANOG in Miami
> in February and give a presentation on how people
> are doing these things? The trouble with a mailing 
> list discussion is that it wanders all over the place.
> But at NANOG you could focus on the network
> operational issues of these networks of compromised
> machines.

If somebody (preferably from the asia-pac region) wants to come to 
APRICOT 2004 in Kuala Lumpur - also in Feb 2004 - and do a presentation 
on this subject at the APCAUCE meet there, do let me know ASAP.

FYI, APCAUCE (http://www.apcauce.org) has a two day program at APRICOT - 
a workshop and a conference track on spam ...

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Michael . Dillon

>With all due respect, we have a *problem*. End user machines on 
>broadband connections are being misconfigured and/or compromised in 
>frightening numbers.  These machines are being used for everything 
>from IRC flooder to spam engines, to DNS servers to massive DDoS 
>infrastructure. If the ability of a teenager to launch a gb/s DDoS, 
>or of someone DoSing mailservers off the internet with a trojan that 
>contains a spam engine is not operational, perhaps it's just me 
>that's confused.

Why don't you come to the next NANOG in Miami
in February and give a presentation on how people
are doing these things? The trouble with a mailing 
list discussion is that it wanders all over the place.
But at NANOG you could focus on the network
operational issues of these networks of compromised
machines.

--Michael Dillon


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Michael . Dillon

>I mentioned before that it doesn't really make much sense with web 
>hosting because the port can easily be changed so it's not very effective 
>at all. 

Stop thinking of policing the user and start
thinking of providing a security service. The
default setting of the security service might
include a block on port 80 inbound, but if the
user needs to enable this traffic, give them a
web form that they can use to reconfigure their
settings.

Or, if you can't handle such a variety of
individual ACLs on your equipment, give them
the option of buying a broadband router with 
a recommended default config and un-blocked
service.

If the user has to intervene in order to enable
a server type application to function, that
makes it a lot harder for trojan exploits to
take hold.

--Michael Dillon
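
The default-deny-with-self-service model Michael describes, as an added example that is not part of the original thread: a small Python model of per-subscriber inbound filtering in which the ISP blocks a few service ports by default and a subscriber turns one on through the web form. The blocked set (tcp/25, tcp/80, udp/5060), the subscriber addresses (documentation range) and the rule syntax are all assumptions made for this example; the second subscriber opens udp/5060 so the VoIP case raised earlier in the thread is covered without opening it for everyone.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: services blocked inbound to residential subscribers unless the
# subscriber enables them through the self-service form.
DEFAULT_INBOUND_BLOCK = {("tcp", 25), ("tcp", 80), ("udp", 5060)}


@dataclass
class Subscriber:
    address: str                               # subscriber's public IPv4 address
    opened: set = field(default_factory=set)   # (proto, port) pairs the subscriber enabled


def open_port(sub, proto, port):
    """The self-service change: the subscriber turns one inbound service on."""
    port = int(port)
    if proto not in ("tcp", "udp") or not 0 < port <= 65535:
        raise ValueError("invalid protocol/port")
    ipaddress.IPv4Address(sub.address)  # reject a malformed address early
    sub.opened.add((proto, port))


def render_rules(subs):
    """First-match rule list: per-subscriber exceptions first, then the
    default blocks for everyone, then permit everything else."""
    rules = []
    for s in subs:
        for proto, port in sorted(s.opened):
            rules.append(("permit", proto, s.address, port))
    for proto, port in sorted(DEFAULT_INBOUND_BLOCK):
        rules.append(("deny", proto, "any", port))
    rules.append(("permit", "any", "any", None))
    return rules


def evaluate(rules, proto, dst_ip, dst_port):
    """Apply the rule list first-match, the way a router ACL is evaluated."""
    for action, r_proto, r_ip, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if r_ip not in ("any", dst_ip):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action == "permit"
    return False  # no rule matched; treat as deny


def render_text(rules, name="subscriber-inbound"):
    """Vendor-neutral text form of the rule list (syntax is an assumption)."""
    lines = [f"acl {name}"]
    for action, proto, ip, port in rules:
        dst = "any" if ip == "any" else f"host {ip}"
        port_s = "" if port is None else f" eq {port}"
        lines.append(f"  {action} {proto} any {dst}{port_s}")
    return "\n".join(lines)


# Constructed subscribers: one with the defaults, one who enabled inbound SIP.
SUBSCRIBERS = [Subscriber("198.51.100.10"), Subscriber("198.51.100.11")]
open_port(SUBSCRIBERS[1], "udp", 5060)
RULES = render_rules(SUBSCRIBERS)

if __name__ == "__main__":
    print(render_text(RULES))
    print("web to .10 allowed?", evaluate(RULES, "tcp", "198.51.100.10", 80))
    print("SIP to .11 allowed?", evaluate(RULES, "udp", "198.51.100.11", 5060))
```

The point of evaluating the rendered rules rather than the policy table directly is that it catches ordering mistakes: if the per-subscriber permits were emitted after the default denies, the SIP exception would silently stop working.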




Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Niels Bakker

* [EMAIL PROTECTED] (Andy Ellifson) [Fri 10 Oct 2003, 01:04 CEST]:
> 
> And as soon as you call law enforcement what happens?  The spammer is
> located offshore.  Then what?

This hasn't stopped the FTC before.  Recently it named a Dutch
national in a complaint: http://www.ftc.gov/opa/2003/09/fyi0357.htm


-- Niels.


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race

On Thu, 9 Oct 2003 18:40:35 -0400, John Capo wrote:

>  I spent
>the rest of the day googling for case law that might be applied
>to the network operators providing connectivity to the trojaned
>boxes being used for illegal activities, identity theft.  Didn't
>accomplish much except wasting the day.

This is a trivial legal exercise and I remain surprised the
infamous "plaintiff's bar" has not started suing these scum.
Some of the obviously relevant legal bases are negligent enablement,
unjust enrichment, attractive nuisance.

Talk to any lawyer; he'll tell you.   I am sure there are BIG BIG
damages to be had for a little litigation.

Jeffrey Race



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Lou Katz

On Thu, Oct 09, 2003 at 05:20:10PM -0700, Margie Arbon wrote:
> 
> --On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris 
> <[EMAIL PROTECTED]> wrote:
> 
> >
> >Folks, let's move this discussion onto one of the many lists that
> >focuses on spam:
> >
> >  http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list
> > for spam prevention and discussion
> >  http://www.abuse.net/spamtools.html -- spam tools list for
> > software tools that detect spam
> >  net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet
> >lists
> >
> 
> I am curious as to why open proxies, compromised hosts, trojans and 
> routing games are not considered operational issues simply because 
> the vehicle being discussed is spam.
> 
> With all due respect, we have a *problem*. End user machines on 
> broadband connections are being misconfigured and/or compromised in 
> frightening numbers.  These machines are being used for everything 
> from IRC flooder to spam engines, to DNS servers to massive DDoS 
> infrastructure. If the ability of a teenager to launch a gb/s DDoS, 
> or of someone DoSing mailservers off the internet with a trojan that 
> contains a spam engine is not operational, perhaps it's just me 
> that's confused.

I think that in the case of spam, it is not some teenager, but rather
adult, vicious, sociopathic criminals. They are not fooling around, folks.


-- 
-=[L]=-


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Damian Gerow

(I dislike meta-discussion, but since it /is/ applicable to the list...)

Thus spake Sean Donelan ([EMAIL PROTECTED]) [09/10/03 21:32]:
> Susan did not say it wasn't an operational issue.  She said there are
> other lists which focus on that issue.

Agreed.

> There are many subjects of interest to operators which occasionally
> flare up on NANOG, but then move to other lists.  BIND issues concern
> network operations, but a namedroppers list exists for the topic.
> Peering is of operational interest, but the model-peer mailing list
> exists for the topic. Network time synchronization is of interest to
> operators but then the ntp newsgroup exists for the topic.  Network
> security is of interest to operators, but then nsp security mailing
> lists exist for the topic.  Address hijacking is of interest to
> operators, but then the hijack mailing list exists for the topic.

So if there's a more specific list for every operational issue, should we
just shift discussion off to those lists?  Should NANOG exist simply as a
live resource for 'What mailing list should I consult for ...'?


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Sean Donelan

On Thu, 9 Oct 2003, Margie Arbon wrote:
> I am curious as to why open proxies, compromised hosts, trojans and
> routing games are not considered operational issues simply because
> the vehicle being discussed is spam.

Susan did not say it wasn't an operational issue.  She said there are
other lists which focus on that issue.

There are many subjects of interest to operators which occasionally
flare up on NANOG, but then move to other lists.  BIND issues concern
network operations, but a namedroppers list exists for the topic.
Peering is of operational interest, but the model-peer mailing list
exists for the topic. Network time synchronization is of interest to
operators but then the ntp newsgroup exists for the topic.  Network
security is of interest to operators, but then nsp security mailing
lists exist for the topic.  Address hijacking is of interest to
operators, but then the hijack mailing list exists for the topic.

Not every operators' forum must discuss spam.  There is a reason why
more than one mailing list or forum on different topics exist on the
Internet.

I now return you to your meta-discussion whether the topic is on topic
for a particular forum.  If you believe in zero tolerance, should the
forum moderator report us to our ISPs for network abuse and terminate
our Internet connection for discussing something the forum moderator
considers off topic?



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Avleen Vig

On Thu, Oct 09, 2003 at 07:44:35PM -0500, Laurence F. Sheldon, Jr. wrote:
> > Two-three years ago the warnings were ignored because it was only
> > IRC. Now it's only spam.  What does it take to make the Network
> > Operators and NANOG decide that things that are a "very bad thing" on
> > one protocol generally can bite you later on another if you ignore it
> > because it's only  > here>?
> 
> I believe that to be one of the most succinct summaries of the issues
> as I have read.

Not only that, but it's arguable that the problem is now significantly
worse.
Now IRC networks are *still* under attack, AND spam is a problem.
And reading from the wired article, hard-to-trace, possibly very illegal
websites are in the mix also.
What next, national security compromised because someone created a
massive P2P system with all these trojaned systems, and uploaded the
list of names of CIA operatives? Nice.
It's not inconceivable.

Personally I'm in favour of specific port filtering, and charging a
(small) premium ($10 a month?) to be able to run servers on residential
broadband connections.
Aunt Maggie in Florida doesn't NEED to run a server of any kind, and it
would probably make my life easier trying to solve problems for her.

-- 
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet:irc.mindspring.com (Earthlink user access only)


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Laurence F. Sheldon, Jr.

Margie Arbon wrote:

> I am curious as to why open proxies, compromised hosts, trojans and
> routing games are not considered operational issues simply because
> the vehicle being discussed is spam.
> 
> With all due respect, we have a *problem*. End user machines on
> broadband connections are being misconfigured and/or compromised in
> frightening numbers.  These machines are being used for everything
> from IRC flooder to spam engines, to DNS servers to massive DDoS
> infrastructure. If the ability of a teenager to launch a gb/s DDoS,
> or of someone DoSing mailservers off the internet with a trojan that
> contains a spam engine is not operational, perhaps it's just me
> that's confused.
> 
> Two-three years ago the warnings were ignored because it was only
> IRC. Now it's only spam.  What does it take to make the Network
> Operators and NANOG decide that things that are a "very bad thing" on
> one protocol generally can bite you later on another if you ignore it
> because it's only  here>?

I believe that to be one of the most succinct summaries of the issues
as I have read.


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Margie Arbon
--On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris 
<[EMAIL PROTECTED]> wrote:

> Folks, let's move this discussion onto one of the many lists that
> focuses on spam:
>   http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list
>   for spam prevention and discussion
>   http://www.abuse.net/spamtools.html -- spam tools list for
>   software tools that detect spam
>   net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet
>   lists

I am curious as to why open proxies, compromised hosts, trojans and 
routing games are not considered operational issues simply because 
the vehicle being discussed is spam.

With all due respect, we have a *problem*. End user machines on 
broadband connections are being misconfigured and/or compromised in 
frightening numbers.  These machines are being used for everything 
from IRC flooder to spam engines, to DNS servers to massive DDoS 
infrastructure. If the ability of a teenager to launch a gb/s DDoS, 
or of someone DoSing mailservers off the internet with a trojan that 
contains a spam engine is not operational, perhaps it's just me 
that's confused.

Two-three years ago the warnings were ignored because it was only 
IRC. Now it's only spam.  What does it take to make the Network 
Operators and NANOG decide that things that are a "very bad thing" on 
one protocol generally can bite you later on another if you ignore it 
because it's only ?

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Margie Arbon   Mail Abuse Prevention System, LLC
[EMAIL PROTECTED]  http://mail-abuse.org

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Susan Harris

Folks, let's move this discussion onto one of the many lists that focuses
on spam:

  http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for
   spam prevention and discussion
  http://www.abuse.net/spamtools.html -- spam tools list for software
   tools that detect spam
  net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists

Thanks -- Susan



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread John Capo

Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> 
[snip]
> it?  Convince registrars to kill domains that are clearly being used by 
> thieves?

From a post on NANE, here's what the registrar for vano-soft.biz had
to say on Oct 1:

> In order to terminate service of this domain name we will need a strong
> sampling of complaints.  Please fax a complaint to 858.560.9417 and include
> your complaint, name, email address and any supporting evidence you have.
> It is not our intent to keep a domain active that promoted criminal activity
> but we do take the suspension of a domain name very seriously.  Thank you in
> advance for your cooperation and I can assure you that your faxed complaint
> will be taken seriously.

Anyone with half a clue can see that vano-soft.biz is using a network
of zombies. Obviously domaindiscover.com/buydomains.com has no clue.

I started the day with a few hundred bounces from vano-soft's spam
runs due to forged sender addresses in one of my domains.  I spent
the rest of the day googling for case law that might be applied
to the network operators providing connectivity to the trojaned
boxes being used for illegal activities, identity theft.  Didn't
accomplish much except wasting the day.

John Capo



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Hyde

It looks like they are using their little team of zombie machines that
are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz.  120 IN  NS  ns3.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns4.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns5.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns1.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz.  7200    IN  A   24.91.206.103
ns3.uzc12.biz.  7200    IN  A   12.206.49.107
ns4.uzc12.biz.  7200    IN  A   12.227.146.168
ns5.uzc12.biz.  7200    IN  A   66.21.211.204
ns5.uzc12.biz.  7200    IN  A   165.166.182.168
ns1.uzc12.biz.  7200    IN  A   24.243.218.127
ns1.uzc12.biz.  7200    IN  A   12.239.143.71
ns1.uzc12.biz.  7200    IN  A   66.90.158.89
ns1.uzc12.biz.  7200    IN  A   12.229.122.9
ns2.uzc12.biz.  7200    IN  A   24.107.74.166
ns2.uzc12.biz.  7200    IN  A   207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer
h00402b45512d.ne.client2.attbi.com.

168.182.166.165.in-addr.arpa domain name pointer
rhhe16-168.2wcm.comporium.net

110.75.6.207.in-addr.arpa domain name pointer
d207-6-75-110.bchsia.telus.net



On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
> At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> >A few minutes later, or from a different nameserver, I get
> >
> >Name:vano-soft.biz
> >Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
> >   12.252.185.129
> >
> >This is a real Hydra.  If everyone on the list looked up 
> >vano-soft.biz and removed the trojaned boxes, would we be able to 
> >kill it?
> 
> I think in this instance your best approach may be to go after the 
> name servers.  Anything else is going to be a game of whack-a-mole. 
> Our spam filtering software actually uses the address of a domain's 
> name server in its scoring system.  Sometimes that's the only way 
> we've been able to reliably detect a spammer.
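
As an added example (not from the thread, and not the code of any filtering product mentioned in it), here is the kind of check Kee describes, scoring a domain on where its name servers live, applied to the records Mike posted above. The dig output is reproduced from the post with whitespace normalized; the reverse-DNS table holds only the three PTRs shown in the post and is otherwise an assumption, as are the thresholds, the pattern of consumer-pool hostnames, and the control zone used as a negative case. A live checker would do the PTR lookups instead of reading a table.

```python
import ipaddress
import re

# Sample input: the dig output quoted in the post above (whitespace normalized).
DIG_OUTPUT = """\
;; AUTHORITY SECTION:
vano-soft.biz.  120 IN  NS  ns3.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns4.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns5.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns1.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz.  7200 IN  A   24.91.206.103
ns3.uzc12.biz.  7200 IN  A   12.206.49.107
ns4.uzc12.biz.  7200 IN  A   12.227.146.168
ns5.uzc12.biz.  7200 IN  A   66.21.211.204
ns5.uzc12.biz.  7200 IN  A   165.166.182.168
ns1.uzc12.biz.  7200 IN  A   24.243.218.127
ns1.uzc12.biz.  7200 IN  A   12.239.143.71
ns1.uzc12.biz.  7200 IN  A   66.90.158.89
ns1.uzc12.biz.  7200 IN  A   12.229.122.9
ns2.uzc12.biz.  7200 IN  A   24.107.74.166
ns2.uzc12.biz.  7200 IN  A   207.6.75.110
"""

# Reverse-DNS table: only the three PTRs shown in the post; the rest are unknown.
PTR_TABLE = {
    "24.91.206.103": "h00402b45512d.ne.client2.attbi.com",
    "165.166.182.168": "rhhe16-168.2wcm.comporium.net",
    "207.6.75.110": "d207-6-75-110.bchsia.telus.net",
}

# Constructed control zone: two name servers in one network, long TTLs.
NORMAL_ZONE = """\
example.test.      86400 IN NS ns1.example.test.
example.test.      86400 IN NS ns2.example.test.
ns1.example.test.  86400 IN A  192.0.2.10
ns2.example.test.  86400 IN A  192.0.2.11
"""

# Assumption: tokens typical of consumer-pool reverse names.
DYNAMIC_PTR_RE = re.compile(r"(client|dsl|cable|dyn|dhcp|pool|hsia|\d+-\d+-\d+-\d+)", re.I)
# Accepts both "120 IN" and the unspaced "7200IN" that wrapped mail can produce.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s*IN\s+(NS|A)\s+(\S+)$")


def parse_rrs(text):
    """Parse dig-style 'owner TTL IN TYPE rdata' lines into (owner, ttl, type, rdata)."""
    rrs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata.rstrip(".").lower()))
    return rrs


def nameserver_profile(domain, rrs, ptr_table):
    """Summarize how a domain's authoritative name servers are spread out."""
    domain = domain.rstrip(".").lower()
    ns_names = {rd for owner, _, rt, rd in rrs if rt == "NS" and owner == domain}
    ns_ttls = [ttl for owner, ttl, rt, _ in rrs if rt == "NS" and owner == domain]
    ns_ips = sorted({rd for owner, _, rt, rd in rrs if rt == "A" and owner in ns_names})
    networks = {ipaddress.ip_network(ip + "/16", strict=False) for ip in ns_ips}
    dynamic = [ip for ip in ns_ips if DYNAMIC_PTR_RE.search(ptr_table.get(ip, ""))]
    return {
        "ns_names": sorted(ns_names),
        "ns_ips": ns_ips,
        "distinct_slash16": len(networks),
        "dynamic_ptr_ips": dynamic,
        "min_ns_ttl": min(ns_ttls) if ns_ttls else None,
    }


def looks_like_zombie_hosted(profile, min_networks=5, min_dynamic=2, low_ttl=300):
    """Heuristic: NS addresses scattered across many networks, at least a few
    with consumer-pool reverse names, and short TTLs so they can be rotated."""
    return (
        profile["distinct_slash16"] >= min_networks
        and len(profile["dynamic_ptr_ips"]) >= min_dynamic
        and profile["min_ns_ttl"] is not None
        and profile["min_ns_ttl"] <= low_ttl
    )


if __name__ == "__main__":
    p = nameserver_profile("vano-soft.biz", parse_rrs(DIG_OUTPUT), PTR_TABLE)
    print(p, looks_like_zombie_hosted(p))
```

Legitimate zones can also use anycast or many providers, so this is a scoring input rather than a verdict; the short NS TTL and the consumer-pool reverse names are what separate the posted records from an ordinary multi-provider setup.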



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race

On Thu, 9 Oct 2003 10:28:30 -0700 (PDT), Andy Ellifson wrote:

>And as soon as you call law enforcement what happens?  The spammer is
>located offshore.  Then what?

This is an easy one.  Again, see 





Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Michael Airhart
How many times have you received SPAM selling a product from a U.S. based 
company?  I have received plenty. Follow the money; Hank has it right.

M
(speaking only for myself)

> Oops... Try this again...
> 
> And as soon as you call law enforcement what happens?  The spammer is
> located offshore.  Then what?
> --- Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> >
> > On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
> >
> > > * "Follow the money" - find out the spammer / the guy who he spams for,
> > > from payment information etc.  Sic law enforcement on them.
> > >
> > > srs
> >
> > I think we can all safely assume that the people behind this are most
> > probably on NANOG or reading the archives and are now aware of your
> > idea
> > :-)
> >
> > -Hank
> >



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race

On Thu, 09 Oct 2003 14:36:53 -0400, Mike Tancsa wrote:

>OrgName:CyberGate, Inc.

This is a notorious spam-enabler about which I had a quarrel
with AT&T management several years back to get them thrown off 
the AT&T network.  I had to take it to their lawyers since the
abuse staff would do nothing.

Jeffrey Race




Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Tancsa
At 03:42 PM 09/10/2003, [EMAIL PROTECTED] wrote:

> On Thu, 09 Oct 2003 12:01:35 EDT, "McBurnett, Jim" 
> <[EMAIL PROTECTED]>  said:
> 
> > Can Broadband ISP's require a Linksys, dlink or other
> > broadband router without too many problems?
> 
> So now instead of a misconfigured PC, you're going to have a misconfigured 
> router front-ending a misconfigured PC?

PCs of the MS variety by default are "misconfigured" and dangerous out of 
the box. (i.e. they don't have their patches installed and have questionable 
defaults).  Routers of the soho variety generally are not.  No, it's NOT 
perfect, but I would gladly take b) over a) any day of the week.

---Mike 



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race

On Thu, 9 Oct 2003 12:55:36 -0400 (EDT), [EMAIL PROTECTED] wrote:

>Trouble is, how do you stop this? 

You use the same principles that are successfully applied everywhere in society
(except the Internet) to prevent the negligent from injuring the public.

 

and (if you have a moment for some chuckles as well as some deep insights
into what ails our favorite organism)

 

(Brief extract: "One needs only to enforce existing contracts and management 
 charters (e.g. ICANN's) and to apply the basic principles of civilization 
 to the Internet.  No one would fly an airline run like today's Internet.
 Why should we tolerate such misoperation of an ever more critical resource 
 in modern life?  Spam is not inevitable.  It is the predictable consequence
 of  management decisions to use the Environmental Polluter business model 
 . . . .)

It's not a technical problem and there are NO technical solutions.  The
only one that works is what is used in every other type of human
activity.

Jeffrey Race




Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Valdis . Kletnieks
On Thu, 09 Oct 2003 12:01:35 EDT, "McBurnett, Jim" <[EMAIL PROTECTED]>  said:

> Can Broadband ISP's require a Linksys, dlink or other
> broadband router without too many problems?

So now instead of a misconfigured PC, you're going to have a misconfigured router
front-ending a misconfigured PC?

Or are you planning to require that the ISP provide/maintain/configure the router?





RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Damm


Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin
tests (WEIRD_PORT) for this, as do many other filtering packages.

Forcing spammers to use non-standard ports will greatly increase their rate
of detection, and in turn help to solve the spam problem.

-Mike


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 09, 2003 9:56 AM
To: Joe Boyce
Cc: [EMAIL PROTECTED]
Subject: Re: Wired mag article on spammers playing traceroute games with
trojaned boxes


On Thu, 9 Oct 2003, Joe Boyce wrote:

> VA> Personally, I think preventing residential broadband customers from hosting 
> VA> servers would limit a lot of that. I'm not saying that IS the solution. 
> 
> It's not like those customers are aware they are hosting servers, they
> most likely were exploited and are now unaware they are hosting
> websites.

That's obviously the case.  No spammer has "thousands" of legitimately 
purchased DSL/Cable connections.  The article pretty clearly says they're 
exploiting insecure windows (isn't that redundant?) boxes.

Trouble is, how do you stop this?  Just blocking common ports like 80 by
default (unless the customer plans to actually run a web server and asks
for the filter to be removed) won't work.  The spammers can just as easily
spam with urls containing ports (http://blah.biz:8290/) if they find 80
is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out of the 
box version of windows (and for everyone to upgrade), how do you stop 
this?  Widespread deployment of reflexive access lists?  Force all 
broadband customers to use NAT and let them forward ports or entire IPs to 
their private IP servers if they have any?  Wait for the legal system to 
catch and prosecute a few people who do this and deter others from trying 
it?  Convince registrars to kill domains that are clearly being used by 
thieves?
  
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
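
An added example, not from the thread and not SpamAssassin's own code: the kind of URL-port check Mike refers to, applied to a message body. Each http(s) URL is parsed for its effective port, and a URL whose explicit port is not the scheme's default (as in the http://blah.biz:8290/ case Jon mentions) contributes to a score. The sample bodies are constructed and the weights are an assumption; a bare-IP host flag is included as well since it is the natural companion check.

```python
import re
from dataclasses import dataclass

# http(s) URL with optional explicit port. Trailing ")" and quotes are kept
# out of the path so a URL written inside parentheses parses cleanly.
URL_RE = re.compile(
    r"(?P<scheme>https?)://(?P<host>[A-Za-z0-9.-]+)"
    r"(?::(?P<port>\d{1,5}))?(?P<path>/[^\s<>\"')]*)?",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"http": 80, "https": 443}
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class UrlHit:
    url: str
    host: str
    port: int
    weird_port: bool    # explicit port that is not the scheme's default
    bare_ip_host: bool  # host is a dotted quad rather than a name


def extract_urls(body):
    """Return every http(s) URL in the body with its effective port."""
    hits = []
    for m in URL_RE.finditer(body):
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
        if not 0 < port <= 65535:
            continue  # not a real port number; ignore the match
        host = m.group("host").lower()
        hits.append(UrlHit(
            url=m.group(0),
            host=host,
            port=port,
            weird_port=(port != DEFAULT_PORTS[scheme]),
            bare_ip_host=IPV4_RE.fullmatch(host) is not None,
        ))
    return hits


def weird_port_score(body, per_hit=1.5, cap=3.0):
    """Score contribution: each non-default-port URL adds per_hit, capped.
    The weights are an assumption for this example, not a product's values."""
    n = sum(1 for h in extract_urls(body) if h.weird_port)
    return min(n * per_hit, cap)


# Constructed sample bodies.
SPAM_BODY = (
    "To be removed from our list visit (http://blah.biz:8290/remove)\n"
    "This offer ends soon!"
)
HAM_BODY = (
    "The agenda is at https://www.example.org/meetings/2003-10 and the\n"
    "archive is at http://example.net/archive/."
)

if __name__ == "__main__":
    for body in (SPAM_BODY, HAM_BODY):
        print([(h.host, h.port, h.weird_port) for h in extract_urls(body)],
              weird_port_score(body))
```

The check is deliberately scheme-aware: http on 443 or https on 80 is flagged, while https://host:443/ is not, which a simple "contains a colon after the host" rule would get wrong.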


RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Fred Baker
At 09:01 AM 10/9/2003, McBurnett, Jim wrote:

> Can Broadband ISP's require a Linksys, dlink or other
> broadband router without too many problems?

The router vendors would like that to happen :^) 



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Tancsa


Looks like attachments won't go through, so I will repost without the 
attachment. If anyone wants a copy, let me know

---Mike

At 01:28 PM 09/10/2003, Andy Ellifson wrote:

> Oops... Try this again...
> 
> And as soon as you call law enforcement what happens?  The spammer is
> located offshore.  Then what?

Actually, in the case of the wired article (removeform.com), it seems to be 
connected to a site in Florida.  I asked my programmer ([EMAIL PROTECTED]) 
to decode the obfuscated java script/page that is served up by one of the 
zombies (On FreeBSD fetch -B 18192 -o danger.html 
http://www.removeform.com/d - I got it from 207.5.215.72  at the time).  I 
have attached it as a zip file with its contents. You will note that the 
form post goes back to

form action="http://207.36.47.68/cgi-bin/addinfo.cgi";

OrgName:CyberGate, Inc.
OrgID:  CYBG
Address:3250 W. Commercial Blvd. Suite 200
City:   Ft. Lauderdale
StateProv:  FL
PostalCode: 33309
Country:US
---Mike




--- Hank Nussbacher <[EMAIL PROTECTED]> wrote:
>
> On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
>
> > * "Follow the money" - find out the spammer / the guy who he spams for,
> > from payment information etc.  Sic law enforcement on them.
> >
> > srs
>
> I think we can all safely assume that the people behind this are most
> probably on NANOG or reading the archives and are now aware of your
> idea
> :-)
>
> -Hank
>



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Andy Ellifson writes on 10/9/2003 10:58 PM:

> Oops... Try this again...
> 
> And as soon as you call law enforcement what happens?  The spammer is
> located offshore.  Then what?

99% of them are Americans - and mostly from Florida at that.  See 
http://www.spamhaus.org/rokso/

they might subcontract stuff offshore (to India and China, where a lot 
of legitimate software development / BPO etc work is also going), sure.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Andy Ellifson


And as soon as you call law enforcement what happens?  The spammer 

--- Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> 
> On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
> 
> > * "Follow the money" - find out the spammer / the guy who he spams for,
> > from payment information etc.  Sic law enforcement on them.
> > 
> > srs
> 
> I think we can all safely assume that the people behind this are most
> probably on NANOG or reading the archives and are now aware of your
> idea
> :-)
> 
> -Hank
> 



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Michael G writes on 10/9/2003 10:27 PM:

> Also, after doing some preliminary digging, it would seem that the
> GTLD.BIZ servers have very low TTLs on a lot of their domains.  In fact,
> 7200 seems high compared to some other ones I found.

Any correlation with the unusually high proportion of .biz domains that 
are being registered by spammers?

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread jlewis

On Thu, 9 Oct 2003, Joe Boyce wrote:

> VA> Personally, I think preventing residential broadband customers from hosting 
> VA> servers would limit a lot of that. I'm not saying that IS the solution. 
> 
> It's not like those customers are aware they are hosting servers, they
> most likely were exploited and are now unaware they are hosting
> websites.

That's obviously the case.  No spammer has "thousands" of legitimately 
purchased DSL/Cable connections.  The article pretty clearly says they're 
exploiting insecure windows (isn't that redundant?) boxes.

Trouble is, how do you stop this?  Just blocking common ports like 80 by
default (unless the customer plans to actually run a web server and asks
for the filter to be removed) won't work.  The spammers can just as easily
spam with urls containing ports (http://blah.biz:8290/) if they find 80
is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out of the 
box version of windows (and for everyone to upgrade), how do you stop 
this?  Widespread deployment of reflexive access lists?  Force all 
broadband customers to use NAT and let them forward ports or entire IPs to 
their private IP servers if they have any?  Wait for the legal system to 
catch and prosecute a few people who do this and deter others from trying 
it?  Convince registrars to kill domains that are clearly being used by 
thieves?
  
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Vinny Abello
At 12:53 PM 10/9/2003, you wrote:

> On 9 Oct 2003, at 12:19, Vinny Abello wrote:
> 
> > Personally, I think preventing residential broadband customers from 
> > hosting servers would limit a lot of that. I'm not saying that IS the 
> > solution. Whether or not that's the right thing to do in all 
> > circumstances for each ISP is a long standing debate that surfaces here 
> > from time to time. Same as allowing people to host mail servers on cable 
> > modems or even allowing them to access mail servers other than the ISP's.
> 
> "Hosting a server" looks very similar to "using an ftp client in active 
> mode", "playing games over the network" or "using a SIP phone" to the 
> network. Enumerating all permissible "servers" and denying all prohibited 
> ones arguably requires an unreasonable shift of intelligence into the 
> network. Allowing inbound connections by default and blocking specific 
> types of traffic reactively has been demonstrated not to be an adequate 
> solution, I think.
> 
> A more aggressive policy of blocking all inbound connections (and 
> analogues using connectionless protocols) essentially denies direct access 
> between edge devices, which implies quite an architectural shift.
> 
> I think it's more complicated than "prevent residential users from hosting 
> servers".

Absolutely, and I was just referring to certain things, not all inbound 
access. I mentioned before that it doesn't really make much sense with web 
hosting because the port can easily be changed so it's not very effective 
at all. Blocking people from hosting mail servers that receive mail and 
can't send mail directly could be enforced much more easily than the web 
example so my original thought doesn't really apply all that much to web 
stuff, but then again I stated I didn't say that IS the solution to 
anything. Just a thought that's been kicked around forever that we've all 
heard. :)

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and 
those that don't.



RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread David Keith

>On Thursday, October 9, 2003, at 12:24  PM, Suresh Ramasubramanian wrote:
>

> Nope - the guy would get more trojaned boxes, no shortage of unpatched
> windows machines on broadband.
>
> There are two ways to go here -
>
> * Nullroute or bogus out in your resolvers the DNS servers for this
> domain --> two problems here.  One is that the spammer doesn't use
> vano-soft.biz in the smtp envelope, and second, he abuses open
> redirectors like yahoo's srd.yahoo.com

This may apply w/r/t something I've been seeing for the last couple of days.
I've been seeing e-mails into our server with the following characteristics:

1).  Sent to invalid user on our domain
2).  Sent from varying origins; usually, groups of three arriving ~ every
half hour
3).  Origin IP on mostly home broadband networks in US
4).  Frequently, purported sender's e-mail address non-US domain although
originating from US domain, with the language of the e-mail text matching
the purported sender's domain (lots of German spam...guess that's the
current flavor).
5).  Invalid user send-to addresses arriving in groups in alphabetical order
(nice list processing)

It looks like person(s) responsible is using distributed network of trojaned
pcs, varying send-to mail servers every 3 messages or so.  This way, spam
arrives at purported sender's address as undelivered mail bounce with our
address in the SMTP envelope, in low enough volume (they hope) not to
trigger filtering based on source IP.

I wonder about how long until legitimate mail servers start getting
blackholed because of bounce messages?

David Keith




Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Joe Abley


On 9 Oct 2003, at 12:19, Vinny Abello wrote:

> Personally, I think preventing residential broadband customers from
> hosting servers would limit a lot of that. I'm not saying that IS the
> solution. Whether or not that's the right thing to do in all
> circumstances for each ISP is a long standing debate that surfaces
> here from time to time. Same as allowing people to host mail servers
> on cable modems or even allowing them to access mail servers other
> than the ISP's.

"Hosting a server" looks very similar to "using an ftp client in active 
mode", "playing games over the network" or "using a SIP phone" to the 
network. Enumerating all permissible "servers" and denying all 
prohibited ones arguably requires an unreasonable shift of intelligence 
into the network. Allowing inbound connections by default and blocking 
specific types of traffic reactively has been demonstrated not to be an 
adequate solution, I think.

A more aggressive policy of blocking all inbound connections (and 
analogues using connectionless protocols) essentially denies direct 
access between edge devices, which implies quite an architectural 
shift.

I think it's more complicated than "prevent residential users from 
hosting servers".

Joe



RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Geo.

>>There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this
domain --> two problems here.  One is that the spammer doesn't use
vano-soft.biz in the smtp envelope, and second, he abuses open
redirectors like yahoo's srd.yahoo.com <<

There is another option, create an email filter and block any email that
includes the text ".biz/" in any email.

That will do two things, it will stop the spams from being received in the
first place and it will cause one heck of a headache for the .biz domain so
they clean up their act and deal with their problems.

Geo.



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Andy Ellifson


Oops... Try this again...

And as soon as you call law enforcement what happens?  The spammer is
located offshore.  Then what?

--- Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> 
> On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
> 
> > * "Follow the money" - find out the spammer / the guy who he spams
> for,
> > from payment information etc.  Sic law enforcement on them.
> > 
> > srs
> 
> I think we can all safely assume that the people behind this are most
> probably on NANOG or reading the archives and are now aware of your
> idea
> :-)
> 
> -Hank
> 



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Gregory Hicks


> Date: Thu, 9 Oct 2003 10:51:08 -0500
> Subject: Re: Wired mag article on spammers playing traceroute games with 
trojaned boxes
> From: Chris Boyd <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> 
> 
> 
> On Thursday, October 9, 2003, at 10:04  AM, Suresh Ramasubramanian 
> wrote:
> 
> >
> > http://www.wired.com/news/business/0,1367,60747,00.html
> >
> > -- 
> > srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> > manager, outblaze.com security and antispam operations
> >
> >
> >
> 
> I found one of these today, as a matter of fact.  The spam was 
> advertising an anti-spam package, of course.
> 
> The domain name is vano-soft.biz, and looking up the address, I get
> 
> Name:vano-soft.biz
> Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 
> 193.165.6.97
>12.229.122.9
> 
> A few minutes later, or from a different nameserver, I get
> 
> Name:vano-soft.biz
> Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>12.252.185.129
> 
> This is a real Hydra.  If everyone on the list looked up vano-soft.biz 
> and removed the trojaned boxes, would we be able to kill it?

This is NOT a hydra.  The IP addresses are the same but presented
differently.  This happens because of THIS setup in DNS:

vano-soft.biz.  IN A 131.220.108.232
                IN A 165.166.182.168
                IN A 193.165.6.97
                IN A 12.229.122.9
                IN A 12.252.185.129

This setup is called "Round-robin" because the name server provides the
first IP address FIRST to the first query; the second IP address first
to the second query; the third IP address first to the third query; ...
to the fifth query.  Then it starts over with the first IP Address in
response to the sixth query...

In each case, ALL IP addresses are provided in response to each query.

Yes, the TTL may be a bit low, but it is a workable setup...

And no, I am NOT condoning what vano-soft.biz is doing, just trying to
explain why, when you checked the first time, you got one answer, and
when you checked sometime later, you got a different answer...

(Donning flameproof underwear...)

Regards,
Gregory Hicks

---

"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as
one...  the sky's the limit.

Just because "We've always done it that way" is not necessarily a good
reason to continue to do so...  Grace Hopper, Rear Admiral, United
States Navy



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Richard D G Cox

On Thu, 9 Oct 2003 12:01:35 -0400
"McBurnett, Jim" <[EMAIL PROTECTED]> wrote:

| I think even if we get all the ones for this domain name today,
| assuming we can muster even man hours to get it today, another
| 5000 will be added tomorrow.  And looking at my list We have US
| (a very small ISP and a large ISP) RIPE, and LACNIC.

This malware is not new, but is only just becoming widely visible.
It succeeds solely because of the "Dynamic-DYS" (real-time updating)
functionality built into the dot-biz registry.

Certainly it can be killed, but the techniques to achieve that are
better discussed OFF this list - for both AUP and other valid reasons.
As soon as this exploit is killed, no doubt another, similar, exploit
would follow.  We therefore need a more generic solution to the issue.

| This not only affects this instance but global security as a whole.
| Just a few days ago, Cisco was taken offline by a large # of Zombies,
| I am willing to say that those are potentially some of the same
| compromised systems.

Empirical evidence would seem to support your view.  Even where they are
not the same zombies, networks that allow this type of zombie to remain
in place are just as likely to allow DDoS zombies to continue undisturbed.

The problem is that many ISPs filter all issues of this nature through
their abuse teams, rather than sending them directly to their security
specialists.  Most abuse teams have neither the time nor experience to
investigate, and this particular trojan has been written to make it too
easy for abuse teams to dismiss reports of its activity, and then to
justify taking no action - that is exactly what the writers of the
malware intended to happen.

A step change in attitude from providers who offer 24/7-on connectivity
is what is needed now, and agreement to separate all network security
issues from their abuse desk procedures should be number one priority.

-- 
Richard Cox



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Jack Bates
Vinny Abello wrote:

> Personally, I think preventing residential broadband customers from
> hosting servers would limit a lot of that. I'm not saying that IS the
> solution. Whether or not that's the right thing to do in all
> circumstances for each ISP is a long standing debate that surfaces here
> from time to time. Same as allowing people to host mail servers on cable
> modems or even allowing them to access mail servers other than the ISP's.

The issue comes in defining a server. You can block <1024 access, but 
spammers don't have to reference port 80 in their emails. You can 
mandate NAT, but this breaks commonly used systems (especially for 
broadband) like DirectPlay. One of the selling points for broadband is 
gaming. Yet some gaming systems were designed to make connections both 
ways and dynamic port forwarding doesn't work in all scenarios.

-Jack



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Michael G

On Thu, 2003-10-09 at 09:11, Vinny Abello wrote:
> 
> They're using extremely low TTL's on most of their records. Typically 2 
> minutes to accomplish this. The thing is I would imagine at least ONE of 
> those NS servers cannot change within a 2 hour window whereas the others 
> can change every 2 minutes. If you identify the server that only changes 
> every 2 hours and track what it's replaced with every 2 hours, you're 
> likely to find a rotating list of master servers... Another question is why 
> is NeuLevel (the registrar for .biz) allowing TTL's on the NS records to be 
> 2 hours and submitting those to the GTLD servers. Maybe it's just me, but 
> that's the first time I've seen a registrar set such a low TTL on an NS 
> record. If NeuLevel is any good they would likely have some sort of 
> information to identify the owner of the domain, even if the information is 
> invalid listed on their whois server. They might have a credit card 
> transaction although that too could always be a stolen credit card number.
> 
> Any other ideas or different angles/experiences?
> 

Looks like there was a slight misinterpretation of the DNS records.  The
2hr TTL is on the NS record from the registrar (NeuStar/*.GTLD.BIZ),
which means it would take up to 2 hours to switch DNS servers (probably
longer, due to red tape).  However, the DNS servers aren't what's being
rotated.  It's the data that they are giving that's rotating, hence the
2 minute ttl.  ALL of the nsX.uzc12.biz servers' record changes will be
seen w/in 2 minutes, not just one of them.

Also, after doing some preliminary digging, it would seem that the
GTLD.BIZ servers have very low TTLs on a lot of their domains.  In fact,
7200 seems high compared to some other ones I found.

--Gar



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Hank Nussbacher writes on 10/9/2003 10:00 PM:

> I think we can all safely assume that the people behind this are most
> probably on NANOG or reading the archives and are now aware of your idea
> :-)

vano-soft has been extensively discussed on other forums (spam-l, nanae 
etc) for quite some time.  But yeah - it's stayed at the "discussion" 
level so far.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Kee Hinckley
At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> A few minutes later, or from a different nameserver, I get
>
> Name:vano-soft.biz
> Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>   12.252.185.129
>
> This is a real Hydra.  If everyone on the list looked up
> vano-soft.biz and removed the trojaned boxes, would we be able to
> kill it?

I think in this instance your best approach may be to go after the 
name servers.  Anything else is going to be a game of whack-a-mole. 
Our spam filtering software actually uses the address of a domain's 
name server in its scoring system.  Sometimes that's the only way
we've been able to reliably detect a spammer.
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Vinny Abello
At 12:31 PM 10/9/2003, Joe Boyce wrote:


> Thursday, October 9, 2003, 9:19:37 AM, you wrote:
>
> VA> Personally, I think preventing residential broadband customers from hosting
> VA> servers would limit a lot of that. I'm not saying that IS the solution.
> VA> Whether or not that's the right thing to do in all circumstances for each
> VA> ISP is a long standing debate that surfaces here from time to time. Same as
> VA> allowing people to host mail servers on cable modems or even allowing them
> VA> to access mail servers other than the ISP's.
>
> It's not like those customers are aware they are hosting servers, they
> most likely were exploited and are now unaware they are hosting
> websites.

Yes, that was kind of my point, although as a co-worker pointed out, many 
spamvertised sites run on alternate ports so I guess that wouldn't really 
matter all that much anyway. So it wouldn't help if an unknowing host was 
hosting a web site on port 37241 which was sent as a link in spam... http 
traffic can of course (as I'm surprised nobody's pointed out yet) run on a 
myriad of TCP ports just like practically any service. Maybe going back to 
securing broadband networks would help somewhat as well... Of course 
everything boils down to the end user which is what I've always believed 
in, but end users will not likely change in the way they run their 
computers. Network operators often times have to take some of these issues 
up by enforcing a policy for the good of the customer. I'm still not saying 
that is RIGHT to do in all circumstances, but it's an option that logically 
would reduce some (not all by any means) of the problems out there with 
people having owned machines.

Vinny Abello



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Hank Nussbacher

On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:

> * "Follow the money" - find out the spammer / the guy who he spams for,
> from payment information etc.  Sic law enforcement on them.
> 
>   srs

I think we can all safely assume that the people behind this are most
probably on NANOG or reading the archives and are now aware of your idea
:-)

-Hank



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Jeremy T. Bouse
I can kinda agree with this idea for the most part. In past ISP
environments I've worked in and had input in decisions we did redirect
SMTP traffic back to our mail servers or blocked out-right access to
mail servers outside our control but there were always some special
cases. Just as stopping residential broadband customers from hosting
servers. I know in my personal situation I do have servers hosted on my
residential ADSL connection, but this is known by the provider and I'm
also paying for a static subnet that they're hosted on. I think for the
general dynamically addressed broadband connections this might be a wise
idea, but for those that are paying for static IPs or even static
subnets those blocks should be left alone. Granted this would probably
include most cable modem and a fair amount of DSL customers.

Regards,
Jeremy T. Bouse

On Thu, Oct 09, 2003 at 12:19:37PM -0400, Vinny Abello wrote:
> Personally, I think preventing residential broadband customers from hosting 
> servers would limit a lot of that. I'm not saying that IS the solution. 
> Whether or not that's the right thing to do in all circumstances for each 
> ISP is a long standing debate that surfaces here from time to time. Same as 
> allowing people to host mail servers on cable modems or even allowing them 
> to access mail servers other than the ISP's.
> 




Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Joe St Sauver

Hi,

#I think even if we get all the ones for this domain name today,
#assuming we can muster even man hours to get it today, another
#5000 will be added tomorrow.

Actually, we wrote a little tool to systematically track the 
dotted quads associated with the vano-soft domain name. We have
been seeing a steady stream of new dotted quads advertised for
that host, but no where near thousands per day.

There have also been some Usenet posts talking about this particular
site and the methodology it uses; see: 

http://groups.google.com/groups?selm=pan.2003.10.03.19.40.44.564854%40frontiernet.net&output=gplain

Regards,

Joe
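
Gregory Hicks's round-robin explanation, Michael G's point about which TTL is actually rotating, and the tracking tool Joe mentions above all come down to two checks: compare the address set rather than its order, and read the TTLs at each delegation level separately. The Python below is an added example written for this archive, not code from any poster; its sample inputs are constructed from the lookups and the dig +trace output quoted in the thread.

```python
# Added example (not from anyone in the thread): tell round-robin rotation apart
# from a real change of address set, and read TTLs per zone level.
from dataclasses import dataclass, field


def parse_record_line(line):
    """Parse one dig answer line 'name TTL IN TYPE rdata' into a tuple."""
    p = line.split()
    if len(p) < 5 or p[2] != "IN" or not p[1].isdigit():
        return None
    return (p[0].lower(), int(p[1]), p[3].upper(), " ".join(p[4:]).lower())


def parse_trace(text):
    """Split dig +trace output into (answering server, records) sections;
    the ';; Received ... from ip#port(server) ...' line closes a section."""
    sections, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; Received") and "(" in line:
            sections.append((line.split("(", 1)[1].split(")", 1)[0], pending))
            pending = []
        elif line and not line.startswith(";"):
            rec = parse_record_line(line)
            if rec:
                pending.append(rec)
    return sections


def ttl_summary(sections, name):
    """Per answering server, the lowest NS and A TTL seen for `name`: the
    parent's delegation (NS 7200) versus the child's own answers (A 120)."""
    out = []
    for server, recs in sections:
        ns = [ttl for n, ttl, t, _ in recs if n == name and t == "NS"]
        a = [ttl for n, ttl, t, _ in recs if n == name and t == "A"]
        if ns or a:
            out.append((server, min(ns) if ns else None, min(a) if a else None))
    return out


@dataclass
class FluxTracker:
    """Accumulate every address a name resolves to. Round-robin only reorders
    a fixed set, so the same set in a new order is 'rotation-only'."""
    name: str
    seen: set = field(default_factory=set)
    last: frozenset = frozenset()

    def observe(self, addresses):
        current = frozenset(addresses)
        if not self.last:
            verdict = "initial"
        elif current == self.last:
            verdict = "rotation-only"
        else:
            verdict = "set-changed"  # hosts really were added or dropped
        added, removed = sorted(current - self.last), sorted(self.last - current)
        self.seen |= current
        self.last = current
        return verdict, added, removed


# Constructed snapshots, built from the three lookups quoted in the thread.
SNAPSHOTS = [
    ["12.252.185.129", "131.220.108.232", "165.166.182.168", "193.165.6.97", "12.229.122.9"],
    ["131.220.108.232", "165.166.182.168", "193.165.6.97", "12.229.122.9", "12.252.185.129"],
    ["165.166.182.168", "193.92.62.42", "200.80.137.157", "12.229.122.9", "12.252.185.129"],
]

# Trimmed, re-spaced copy of the dig +trace output quoted in the thread.
DIG_TRACE = """\
vano-soft.biz.  7200    IN  NS  NS1.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms
vano-soft.biz.  120     IN  A   200.80.137.157
vano-soft.biz.  120     IN  A   12.229.122.9
vano-soft.biz.  120     IN  A   12.252.185.129
vano-soft.biz.  120     IN  A   165.166.182.168
vano-soft.biz.  120     IN  A   193.92.62.42
vano-soft.biz.  120     IN  NS  ns1.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms
"""


def run(name="vano-soft.biz."):
    """Feed the quoted snapshots, then the trace's A records, to one tracker."""
    tracker = FluxTracker(name)
    verdicts = [tracker.observe(s) for s in SNAPSHOTS]
    sections = parse_trace(DIG_TRACE)
    verdicts.append(tracker.observe(rd for n, _, t, rd in sections[-1][1]
                                    if n == name and t == "A"))
    return verdicts, sorted(tracker.seen), ttl_summary(sections, name)
```

Only the third snapshot is a real change (two hosts added, two dropped); the second and the dig answer are the same set in a different order, which is what round-robin looks like.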


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Vinny Abello writes on 10/9/2003 9:41 PM:

> They're using extremely low TTL's on most of their records. Typically 2
> minutes to accomplish this. The thing is I would imagine at least ONE of
> those NS servers cannot change within a 2 hour window whereas the others

They are using a whole lot of stuff that's basically dynamic DNS.

> low TTL on an NS record. If NeuLevel is any good they would likely have
> some sort of information to identify the owner of the domain, even if

They seem to have a spammer infestation though.

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Joe Boyce


Thursday, October 9, 2003, 9:19:37 AM, you wrote:



VA> Personally, I think preventing residential broadband customers from hosting 
VA> servers would limit a lot of that. I'm not saying that IS the solution. 
VA> Whether or not that's the right thing to do in all circumstances for each 
VA> ISP is a long standing debate that surfaces here from time to time. Same as 
VA> allowing people to host mail servers on cable modems or even allowing them 
VA> to access mail servers other than the ISP's.

It's not like those customers are aware they are hosting servers, they
most likely were exploited and are now unaware they are hosting
websites.

Regards,

Joe Boyce
---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: [EMAIL PROTECTED]



RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Vinny Abello
At 12:01 PM 10/9/2003, McBurnett, Jim wrote:


> ->
> ->I found one of these today, as a matter of fact.  The spam was
> ->advertising an anti-spam package, of course.
> ->
> ->The domain name is vano-soft.biz, and looking up the address, I get
> ->
> ->Name:vano-soft.biz
> ->Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168,
> ->193.165.6.97
> ->   12.229.122.9
> ->
> ->A few minutes later, or from a different nameserver, I get
> ->
> ->Name:vano-soft.biz
> ->Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97,
> ->12.229.122.9
> ->   12.252.185.129
> ->
> ->This is a real Hydra.  If everyone on the list looked up
> ->vano-soft.biz
> ->and removed the trojaned boxes, would we be able to kill it?
> ->
> ->--Chris
>
> I got :
> Canonical name: vano-soft.biz
> Addresses:
>   165.166.182.168
>   193.92.62.42
>   200.80.137.157
>   12.229.122.9
>   12.252.185.129
>
> I think even if we get all the ones for this domain name today,
> assuming we can muster even man hours to get it today, another
> 5000 will be added tomorrow.
> And looking at my list We have US (a very small ISP and a large ISP)
> RIPE, and LACNIC.
>
> I wonder if the better question should be:
>
> Can Broadband ISP's require a Linksys, dlink or other
> broadband router without too many problems?
> That is what it will take to slow this down, and then only if
> ALL of ISP's do it.
>
> This not only affects this instance but global security
> as a whole. Just a few days ago, Cisco was taken
> offline by a large # of Zombies, I am willing to
> say that those are potentially some of the same
> compromised systems.
>
> Thoughts?

Personally, I think preventing residential broadband customers from hosting 
servers would limit a lot of that. I'm not saying that IS the solution. 
Whether or not that's the right thing to do in all circumstances for each 
ISP is a long standing debate that surfaces here from time to time. Same as 
allowing people to host mail servers on cable modems or even allowing them 
to access mail servers other than the ISP's.

Vinny Abello



Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Chris Boyd writes on 10/9/2003 9:21 PM:

> A few minutes later, or from a different nameserver, I get
>
> Name:vano-soft.biz
> Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>   12.252.185.129
>
> This is a real Hydra.  If everyone on the list looked up vano-soft.biz
> and removed the trojaned boxes, would we be able to kill it?

Nope - the guy would get more trojaned boxes, no shortage of unpatched 
windows machines on broadband.

There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this 
domain --> two problems here.  One is that the spammer doesn't use 
vano-soft.biz in the smtp envelope, and second, he abuses open 
redirectors like yahoo's srd.yahoo.com

* "Follow the money" - find out the spammer / the guy who he spams for, 
from payment information etc.  Sic law enforcement on them.

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Vinny Abello
At 11:51 AM 10/9/2003, Chris Boyd wrote:


> On Thursday, October 9, 2003, at 10:04  AM, Suresh Ramasubramanian wrote:
>
> > http://www.wired.com/news/business/0,1367,60747,00.html
> >
> > --
> > srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> > manager, outblaze.com security and antispam operations
>
> I found one of these today, as a matter of fact.  The spam was advertising
> an anti-spam package, of course.
>
> The domain name is vano-soft.biz, and looking up the address, I get
>
> Name:vano-soft.biz
> Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
>   12.229.122.9
>
> A few minutes later, or from a different nameserver, I get
>
> Name:vano-soft.biz
> Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>   12.252.185.129
>
> This is a real Hydra.  If everyone on the list looked up vano-soft.biz and
> removed the trojaned boxes, would we be able to kill it?

They're using extremely low TTL's on most of their records. Typically 2 
minutes to accomplish this. The thing is I would imagine at least ONE of 
those NS servers cannot change within a 2 hour window whereas the others 
can change every 2 minutes. If you identify the server that only changes 
every 2 hours and track what it's replaced with every 2 hours, you're 
likely to find a rotating list of master servers... Another question is why 
is NeuLevel (the registrar for .biz) allowing TTL's on the NS records to be 
2 hours and submitting those to the GTLD servers. Maybe it's just me, but 
that's the first time I've seen a registrar set such a low TTL on an NS 
record. If NeuLevel is any good they would likely have some sort of 
information to identify the owner of the domain, even if the information is 
invalid listed on their whois server. They might have a credit card 
transaction although that too could always be a stolen credit card number.

Any other ideas or different angles/experiences?

; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz.
;; global options:  printcmd
.   80336   IN  NS  l.root-servers.net.
.   80336   IN  NS  m.root-servers.net.
.   80336   IN  NS  i.root-servers.net.
.   80336   IN  NS  e.root-servers.net.
.   80336   IN  NS  d.root-servers.net.
.   80336   IN  NS  a.root-servers.net.
.   80336   IN  NS  h.root-servers.net.
.   80336   IN  NS  c.root-servers.net.
.   80336   IN  NS  g.root-servers.net.
.   80336   IN  NS  f.root-servers.net.
.   80336   IN  NS  b.root-servers.net.
.   80336   IN  NS  j.root-servers.net.
.   80336   IN  NS  k.root-servers.net.
;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms
biz.            172800  IN  NS  A.GTLD.biz.
biz.            172800  IN  NS  B.GTLD.biz.
biz.            172800  IN  NS  C.GTLD.biz.
biz.            172800  IN  NS  D.GTLD.biz.
biz.            172800  IN  NS  E.GTLD.biz.
biz.            172800  IN  NS  F.GTLD.biz.
;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms
vano-soft.biz.  7200    IN  NS  NS1.UZC12.biz.
vano-soft.biz.  7200    IN  NS  NS2.UZC12.biz.
vano-soft.biz.  7200    IN  NS  NS3.UZC12.biz.
vano-soft.biz.  7200    IN  NS  NS4.UZC12.biz.
vano-soft.biz.  7200    IN  NS  NS5.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms
vano-soft.biz.  120 IN  A   200.80.137.157
vano-soft.biz.  120 IN  A   12.229.122.9
vano-soft.biz.  120 IN  A   12.252.185.129
vano-soft.biz.  120 IN  A   165.166.182.168
vano-soft.biz.  120 IN  A   193.92.62.42
vano-soft.biz.  120 IN  NS  ns5.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns1.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns2.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns3.uzc12.biz.
vano-soft.biz.  120 IN  NS  ns4.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms

Vinny Abello



RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread McBurnett, Jim


->
->I found one of these today, as a matter of fact.  The spam was 
->advertising an anti-spam package, of course.
->
->The domain name is vano-soft.biz, and looking up the address, I get
->
->Name:vano-soft.biz
->Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 
->193.165.6.97
->   12.229.122.9
->
->A few minutes later, or from a different nameserver, I get
->
->Name:vano-soft.biz
->Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 
->12.229.122.9
->   12.252.185.129
->
->This is a real Hydra.  If everyone on the list looked up 
->vano-soft.biz 
->and removed the trojaned boxes, would we be able to kill it?
->
->--Chris


I got : 
Canonical name: vano-soft.biz
Addresses:
  165.166.182.168
  193.92.62.42
  200.80.137.157
  12.229.122.9
  12.252.185.129

I think even if we get all the ones for this domain name today, 
assuming we can muster even man hours to get it today, another
5000 will be added tomorrow.
And looking at my list We have US (a very small ISP and a large ISP)
RIPE, and LACNIC.

I wonder if the better question should be:

Can Broadband ISP's require a Linksys, dlink or other
broadband router without too many problems?

That is what it will take to slow this down, and then only if 
ALL of ISP's do it.

This not only affects this instance but global security 
as a whole. Just a few days ago, Cisco was taken 
offline by a large # of Zombies, I am willing to
say that those are potentially some of the same 
compromised systems.


Thoughts?
Jim


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Chris Boyd


On Thursday, October 9, 2003, at 10:04  AM, Suresh Ramasubramanian wrote:

> http://www.wired.com/news/business/0,1367,60747,00.html
>
> --
> srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> manager, outblaze.com security and antispam operations


I found one of these today, as a matter of fact.  The spam was 
advertising an anti-spam package, of course.

The domain name is vano-soft.biz, and looking up the address, I get

Name:vano-soft.biz
Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 
193.165.6.97
  12.229.122.9

A few minutes later, or from a different nameserver, I get

Name:vano-soft.biz
Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
  12.252.185.129
This is a real Hydra.  If everyone on the list looked up vano-soft.biz 
and removed the trojaned boxes, would we be able to kill it?

--Chris