A Busy Month for Attackers

From anti-spam lawsuits to ever-more-clever hacking techniques, June was yet another month full of vulnerabilities for unsuspecting users.

June was an eventful month, and much of what took place may set precedents in the evolution of the battle against the computer underground.

It all began in early June. In the space of two weeks, Microsoft brought eight court actions against almost 200 spammers. Microsoft believes the defendants to be guilty of violating U.S. federal anti-spam legislation. According to the company's lawyers, the defendants tricked e-mail users by sending messages with faked addresses and subject lines. In addition, the messages were sent from third party computers so recipients were unable to determine the real source of the messages.

Research done by an American company, MX Logic, shows that in May, only one percent of electronic advertising met the criteria laid down by federal anti-spam legislation. This was lower than in April, when three percent of electronic advertising was in compliance. Fifteen percent of pornographic messages sent were in compliance with the law; the other 85 percent did not comply with the Federal Trade Commission ruling that all such correspondence should be marked ‘Sexually Explicit’ in the subject line.

Each action was brought against groups of approximately 20 defendants, who have not been identified. Throughout the world, Microsoft has brought approximately 80 such cases against spammers, but it is difficult to identify the motivation behind such actions. Does the company wish to bring these accused to justice, or are its lawyers laying the foundations for the future, to send a warning to anyone thinking of joining the ranks of the spammers? Could it simply be a marketing gimmick, an attempt to demonstrate Microsoft’s concern over the spam issue?

At the same time, another notable event took place in Canada: a local spammer, 25-year-old Eric Head, settled a lawsuit by agreeing to pay a fine. Head apologized for his actions, having been named by Yahoo! (which brought the case to court) as one of the portal’s most active spammers. Head promised to cease spamming, and to participate in children’s educational programs, telling them about the dangers of the Internet.

Yahoo! brought the case against Head, his father, and his brother, in March 2004. The portal accused the Head family of spamming Yahoo! mail users on a grand scale. In the space of a month, the spammers sent more than 94 million unsolicited messages.

The Heads managed to reach an agreement with Yahoo!, paying the portal compensation of not less than $100,000. The exact sum is not known, but the Heads’ lawyers stated that a six-figure sum was involved. Although three defendants from the same family were named, Eric was the main target of Yahoo!’s allegations. He made a statement through his lawyer in which he expressed “his deep regret for any inconvenience he may have caused anyone.”

“I urge everyone who is involved in the commercial bulk e-mail business to cease all operations unless and until they are completely compliant with the requirements of the new United States anti-spam laws,” Eric said through his lawyer. The agreement between Yahoo! and the Head family was reached several weeks ago, and approved by the court. According to the spammers’ lawyer, the agreement should not be seen as an acknowledgement of guilt.

The court case was one of many brought by Yahoo!, Microsoft, America Online, and EarthLink, although the Heads were the only accused in Canada.

In 1998, the then-19-year-old Eric organised a spam business named Gold Disk Canada. He concentrated on harvesting e-mail addresses and selling them to spammers. Head would sell 100,000 addresses for $29.99 (Canadian), while 10 million addresses cost $1,599.99. Some time later, Head would also create several programs to harvest e-mail addresses.

European Mail Problems

Meanwhile, in Europe, it was clear that official bodies were incapable of combating spam in an organised fashion. Philipp Gerard, a member of the EU Information Directorate, believes that lack of co-operation between the multitude of anti-spam organizations meant that efforts to stem unwanted commercial messages were ultimately ineffective.

At an anti-spam conference held in London, Gerard announced that in order to implement anti-spam laws, the industry would have to play a part. Current estimates say spam comprises 70 percent of all e-mail traffic. "We see different initiatives going in all different directions and the effectiveness is maybe not there," Gerard said.

In 2002, the European Union passed a directive that ruled that many methods used by spammers are illegal. Currently, approximately 54 percent of all EU e-mail traffic is unsolicited commercial advertising. Gerard noted that many European countries have already adopted the EU directive, but that the directive alone will not stop the flood of spam. “Legislation is just part of the answer.” According to Gerard, net service firms should include steps to combat spamming in their contracts; this would indicate the business world’s disapproval of spam.

Companies would also do well to organise complaint procedures, which would help the EU collect information about the scope of the spam problem. "I spend a lot of time convincing public authorities that spam is a problem and if people do not complain, how can we convince them that there's a problem?" Gerard wonders.

Nevertheless, Internet service firms and manufacturers of anti-spam solutions should remember that legitimate e-mail marketing does exist. Gerard believes that stopping spam is essential for the future of Europe as an electronic marketplace.

Attacks for Sale

Meanwhile, the computer underground is not sitting idle -- its members are on the attack. In Russia, a cybercriminal group openly announced on the Internet that clients could order a DDoS attack to block competitor sites. The cost: $150.

“We are pleased to be able to offer you a quality service; we can bring down any site with a DDoS attack,” reads the cybercriminals’ advertisement. According to the price list included in the message, a six-hour DDoS attack would cost the client $60, whereas an attack lasting a full 24 hours was priced at $150. “I can bring down any site, including Microsoft. But I’d get the beating of a lifetime for that,” the anonymous organizer of DDoS attacks told a correspondent from Vedomosti, the Russian business publication. Nevertheless, the hacker agreed to attack the Microsoft site for the sum of $80,000. The quote for attacking the Russian president’s site, http://www.kremlin.ru, was initially $2,000, but the final price settled on was half that.

Law enforcement bodies believe the offer to carry out DDoS attacks for a fee is nothing more than a trick. “Any individual can simply register a dozen pseudonyms on the Internet and use these as cover. The offer to conduct a DDoS attack for payment up front is rubbish, but there will always be one idiot who takes the bait and pays up,” said a spokesperson for the Russian police force. No one has yet been brought to justice in Russia for carrying out a DDoS attack, but there are frequent arrests for fraud in connection with such offers.

The most famous DDoS attack on the DNS root servers took place in 2002. The load on the servers increased significantly, and the processing of standard requests either slowed noticeably or came to a complete halt. The most recent widely publicized DDoS attack was conducted against a range of Russian hosting and programming sites; this attack continued for over a month, in January and February 2004.

It was never established who organised the attack, although subsequently an individual in Estonia did accept responsibility. In the course of investigation, it became clear that the attack had been conducted using up to 10,000 machines of victims around the world, all infected with Trojans. Special bots had been installed on this network, which then flooded the site under attack with multiple requests.

Hacking the Hackers

A second serious scandal took place among the virus writers themselves. The author of the popular Trojan OptixPro (a utility for unsanctioned remote administration) had to explain himself to several hundred thousand hacker wannabes who used his program. Several months after the Trojan was placed on a Web server, and downloaded by 270,000 visitors, it came to light that the author of the program was able to control all machines infected by his Trojan.

As with any other Trojan, hackers first have to get the program onto the potential victim’s machine. This was done by disguising the Trojan as an e-card or photograph to trick the user, or by using a special program to install the Trojan. The hacker gets a password from the OptixPro server, meaning that other users of the Trojan will not be able to track activity on the victim’s machine. However, as it turned out, the author of OptixPro, known as Sleaze (s13az3), had a 38-character master password. This made it possible for him to monitor any machine infected with his program.

Sleaze asserts that he never used his master password to gain control over the machines of those who downloaded OptixPro. According to him, the master password was simply for his own safety; if the FBI had managed to find clues as to his identity, he would have published the master password. This would have made his program less popular, and himself of less interest to the authorities.

Gone Phishing

The last event in this action-packed month: a dedicated group, the Trusted Electronic Communications Forum, was founded to combat phishing. Dozens of major financial, telecom, and IT companies, including AT&T, Charles Schwab, DirecTV, and IBM, are founding members. The group aims to develop standards for technology to fight phishing, identity theft, and spoofing, and to work with governments to prosecute scammers.

Phishing occurs when mass mailings are sent, purportedly from major companies. Recipients are asked to include personal data when replying. Often such messages will include a link to a fake Web site, where the recipient will be asked to enter bank account details, electronic payment account details, or other confidential information. Such sites are usually identical to the site of the company that has supposedly asked for the user’s personal data. Phishing e-mails often claim that this data is needed as the company network has crashed or because databases need updating. Once personal information is sent or entered on a fake site, it will be forwarded to the organisers of the fraud.

To date, 57 million users have received such messages in the U.S. alone.