
[Asrg] 0: A Midrange-technical Look At The Underworld's Vectors



Hi all,

I have a real problem with spam.  My hatred of spammers and spam is almost 
allergic.  Anyway, I wanted to share this with you.

I have recently begun to bluntly and aggressively portscan hosts 
connecting to my mail system (after coming back from two days of the fever 
and finding my mailbox chock full of turds) to deliver spam.  I really 
needed some other avenue of understanding and/or attack, even if only to 
satisfy my curiosity, to get some well-deserved score on a spammer or to 
slow him down, and to rack up general stats about what exactly I was up 
against.  Scans were also done against web servers advertised in spam.  My 
results have been... interesting, to say the least!

Well, I'm happy to say that, my anger now blunted to normal levels again 
and my listings resuming in SpamSources for the benefit of all, my time 
was not wasted.  In particular, I have some information and queries about 
an interesting vector of spam delivery that is not an open relay or an 
open proxy in its more traditional form.  It is understood to be a form of 
spam distributing malware installed on a victim's host, designed to 
obfuscate its purpose and existence and to reduce workload for the 
spammer.  It accounts for the mysterious "missing trace field" problem so 
readily discussed by RBL maintainers.  The presence of the port 
advertising this plaintext near-SMTP service is almost always accompanied 
by a vulnerable Windows installation (say a duff MSRPC or IIS) or the 
ports of a file sharing network like Kazaa or EDonkey.  These hosts are 
scattered hither and yon, and the ports they listen on are random.  The 
sorry tale that comes to mind is that of the gullible click-click-clicker, 
or the even sorrier tale of the unpatched system.  We can therefore say 
two things about this service immediately:

1.  It is spammer-made.  I'll elaborate later on this.
2.  It phones home.  Again, elaboration follows, but the random port is a 
giveaway.  This means that simply scanning for proxies and relays on known 
ports is quite simply not sufficient any longer.

To be clear on the types of host observed and their characteristics, we'll 
list my findings here.  Of course, any information from anyone about 
these, especially ISPs who I've p***ed off by aggressively scanning 
sensitive hosts within, is always welcome.  No malice was ever intended, 
except those who deserved it.  Yes, I am law-abiding, but not impassive.  
Sorry if anyone here got inconvenienced.  You know where I am.

1.  The spammer.  Yes, sir... a real spammer.  This guy is running a 
machine more locked up than the national safety deposit box.  The IP is 
almost always in SPEWS or SBL.  It was rarely found to be firewalled, but 
it is safe to say that the spammer is fully prepared for the worst.  The 
system is patched, the services are few.  IPID sequencing gives a clear 
picture of a constantly-spewing machine unloading its turds worldwide if 
it is not running Linux, which is occasionally (and surprisingly!) the 
case.  I strongly suspect these machines to be manned and operated by a 
real person.

2.  The webserver.  These are always found to be server versions of MS 
products or Apache (probably pirated and cracked - found a few ripjac 
listeners here and there) running either on Windows or Linux.  Again, they 
are well locked up, and most were protected by packet filters after a 
time.  I brute-force attacked one such machine's FTP service (patched, non-
MS) and it immediately packet-dropped me out, I believe due to the 
operator's noticing my obvious attack from what was obviously not an open 
proxy.  No, I did not get in.  More's the pity.  These machines have 
nameservers and sometimes FTP service as well.  Many of these machines are 
servicing more than one domain.  Domain name servers are usually specified 
as both primary and secondary in the global registries and the data in 
records is wild and spurious and rarely ever accurate.  In particular, 
cached answers at my ISP's resolvers coming directly from the nameservers 
are rarely ever accurate or useful, more likely is that glue records 
stored by the registry reference the machines in question and the web and 
nameservers are referenced by the same name.

3.  Compromised host.  As mentioned above, the spammer is a lazy person 
and cares only for his spam's widest audience.  He is therefore ready to 
plunder any machine's open proxy server, if it runs one with its connect 
method enabled, or a Socks proxy.  He will use any open relay server, 
though these are becoming fewer and fewer by the month - ISPs really are 
bothered about them.  Open relays (true mail systems misconfigured or not 
configured to be closed) give us the spammer's original IP, which was 
frequently found to be an open proxy.

Analysis of my own packet filter logs does show occasional scans for common 
proxy ports from sporadic sources, so it is fair to say that these are a 
much-desired resource by the blackhats, and even the norms who desire 
privacy.  Ironic that in my white-hat seating, I should have wanted them 
myself to bypass my intrusion lockouts by victimised targets of my 
annoyance.  To be very fair and complimentary, most ISPs are very quick to 
act on abuse complaints, usually shutting said services down very quickly 
after their being reported.  This meant that my scan was hardly over and 
the proxy hand-checked before the host was unplugged.  I have never found 
an open connect proxy that is sufficiently fast for my purpose, and I 
think it likely that more important things will prevail such that my 
interest in continuing this little project will be minimal.  They exist in 
considerably fewer number than the mysterious service described next.  
They listen normally on common ports, though a few are known to be 
backdoor listeners that function exclusively as connect proxies and listen 
on higher, out-of-the-way ports.

Finally, these compromised hosts ran another, more mysterious kind of 
service.  A random port, usually in the privileged range (or at least 
below 5000) on Windows, would apparently be an SMTP service.  This service 
would always offer the same greeting, I recall, "220 mail.jean.pv", a 
minimalistic response to every command except those not recognised, "250 
OK" (except data, "354 Go!"), and three important characteristics essential 
to spamming:
1.  Victim host is an open relay.  Always.
2.  Victim host randomises helo greeting (not that used in the banner), 
always uses helo.  Host never fully qualified, random alphanumeric 
sequence.
3.  Host doesn't include trace field describing receipt of the mail.  
This, of course, is the most essential characteristic.

These boxes would occasionally mess up and fail to deliver the message 
completely, which explains the commonly occurring "blank message".

We can say, then, that this is a fully-compliant SMTP agent with the 
benefits of an open proxy.  Nasty piece of work, to be sure.  They're all 
over the place, and we haven't a clue what port they're listening on - 
they're randomly selected, and I'll put my money to the fact that someone, 
somewhere gets to know which port it is.  Even more horrible.

In next week's episode ... what it felt like to be chucked in the slammer 
for knowingly breaking the law for the good of all and in pure self-
defence of my mailbox, and then subsequently publicly announcing the fact. 
Until then...

If anyone can help me explore these findings and/or confirm any aspects, 
or if anyone can tell me the exact nature and types of these mysterious 
compromises, I would be very interested to hear from you.  AV vendors have 
proven particularly non-descriptive in their descriptions, but I really 
want to classify the types of mail I am getting, and from whence.  It is 
unlikely that I will be doing much more of this exploration because other 
projects, including AGRIP and my token draft proposal, are more important. 
Even so, your info would be appreciated.  Please don't ask me for exact 
numbers and details, I don't have them.  These checks are done as soon as 
the system connects and I will be stopping them shortly - I've seen 
enough.  Maybe someone else can take up the auditing position if 
interested.

One final thing - open proxies have their uses, and most of them are bad 
ones.  Take a look at this - I might just set a few up somewhere: 
http://www.proxypot.org/

Cheers,
Sabahattin
-- 
Thought for the day:
    Bagpipes (n): an octopus wearing a kilt.


Sabahattin Gucukoglu
Phone: +44 20 7,502-1615
Mobile: +44 7986 053399
http://www.sabahattin-gucukoglu.com/
Email/MSN: <mail at Sabahattin-Gucukoglu.com>

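As an added illustration (not part of the original post), the three characteristics of the "mysterious service" described above can be turned into a receiving-side check on the headers a message arrives with: the receiving MTA's own Received field is the only trace, the HELO name in it is a bare non-qualified label, and the client used HELO rather than EHLO (Postfix records this as "with SMTP" versus "with ESMTP"). The sample headers, hostnames and addresses below are constructed placeholders, and the function names are mine.

```python
import re

# Constructed sample headers (not real mail). SUSPECT is what the receiving MTA writes when
# the rogue service delivers directly to it; NORMAL is an ordinary relayed message.
SUSPECT = """\
Received: from k3x9q2 (unknown [192.0.2.77])
\tby mx.example.net (Postfix) with SMTP id 4F2A1B
\tfor <user@example.net>; Tue, 14 Oct 2003 11:02:13 +0100
Subject: hi
"""
NORMAL = """\
Received: from mail.example.org (mail.example.org [198.51.100.5])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1C
\tfor <user@example.net>; Tue, 14 Oct 2003 11:05:00 +0100
Received: from alice-pc.example.org (alice-pc.example.org [10.0.0.5])
\tby mail.example.org (Postfix) with ESMTP id 9A1; Tue, 14 Oct 2003 11:04:58 +0100
Subject: lunch
"""

HELO_RE = re.compile(r"^from\s+(\S+)")        # first token after "from" is the HELO name
HELO_ONLY_RE = re.compile(r"\bwith\s+SMTP\b")  # Postfix: "with SMTP" = HELO, "with ESMTP" = EHLO

def unfold_headers(raw):
    """Return (name, value) pairs with folded continuation lines rejoined."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:   # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def trace_indicators(raw):
    """Derive the three indicators from the topmost (our own MTA's) Received field."""
    received = [v for n, v in unfold_headers(raw) if n == "received"]
    top = received[0] if received else ""
    match = HELO_RE.match(top)
    helo = match.group(1) if match else ""
    return {
        "no_upstream_trace": len(received) <= 1,   # sender added no Received line of its own
        "helo_not_fqdn": "." not in helo,          # bare random label, no domain part
        "used_helo_not_ehlo": bool(HELO_ONLY_RE.search(top)),
    }

def looks_like_rogue_relay(raw):
    """True only when all three characteristics from the post occur together."""
    ind = trace_indicators(raw)
    return ind["no_upstream_trace"] and ind["helo_not_fqdn"] and ind["used_helo_not_ehlo"]
```

A single trace field on its own is weak evidence, which is why the verdict requires all three indicators together; in practice this would feed a spam score rather than an outright reject.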

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg