It might come as a surprise to many when they are contacted by their Internet Service Provider only to be told that complaints have been received of email abuse, and it turns out to be coming from THEIR computer, and therefore their access has been cancelled. We don't mean folks that have been infected with one of those everyday, commonplace Microsoft(R)(tm)(branding used without authorization) worm viruses, we mean actual SPAM being sent from YOUR IP address. It's been happening a LOT lately, and just got worse as the result of a new, higher-level nasty out there than has previously been the case.
While the media is now spinning "SWEN" as the biggest thing since SOBIG, the reality is "SWEN" is just another variant of GIBE, written by the notorious "BEGBIE" of the Czech Republic with the usual modus operandi of "From MICROSOFT - Install this patch NOW," which of course begets another "ho-hum" from us here in the continuing Microsoft daily "plague'o'creepy crawlers." Begbie *always* signs his work, though it's encrypted - he likes to take some "kernel memory" space to spraypaint his name in there, but it's not visible in the FILE or in ordinary "process memory." He's as predictable as so many others. That's why our "ho hum" count of variants so far exceeds our count of "mother trojans" in our lists.
"SWEN" is in reality "GIBE the latest" and it amuses us to no end how it's "NEW" ... nope. Maybe to the antivirus industry, but not to us. BOClean 4.11 identifies it as the BEGBIE trojan, but in our most recent database update, we added "SWEN" to that designation for clarity. We've had to rename OTHER "Begbies" in our listings of the past to match names obfuscated by the antivirus companies, who have ADMITTED in the past their desire to rename nasties from the actual names given by their authors after "discovering" them days, weeks or months AFTER "zero day." Sorry, our software is examined by network administrators and industrial customers who TRACK nasties and they EXPECT the "known name" of nasties to be used, and we'd better be there on "zero day" or we've got hell to pay. See here:
http://www.newsfactor.com/perl/story/15662.html
By comparison, these "daily worms", even those such as SOBIG which were suspected of being the first wave in an assault of spammer takeovers of machines according to the pundits, are not news at all anymore. At worst, your ISP will cut you off and tell you "update your antivirus and clean your machine, these things happen." They DO understand that. And while these rapidly-spreading infections of your Outlook Express (and curiously FEW other email/newsreader programs) get plenty of attention, not so for far more insidious nasties that are unmentioned and undetected in the meanwhile.
And with YOUR finger on the trigger, caught "red-handed" by your IP address appearing on the abuse complaints that your ISP *must* solve or your ISP gets "blackholed" for spamming, YOUR provider has no other choice than to terminate your account and wish you well as you find ANOTHER place to connect to the internet. LEGITIMATE ISPs take these complaints MIGHTY seriously, and point to their "terms of service" that you may or may not have realized you violated by sending "SPAM" from your computer. If you think getting in trouble for MP3 files is a "big deal," you don't want to know what they do to "spammers."
Ever get an email with absolute gibberish and a broken link? These are the spammers I'm talking about, testing out their "new servers" hijacked from innocent folks who happen to have the next best thing to a spam-friendly ISP with "T-1 service," and far cheaper ... they use BROADBAND! Subscribers who have almost the bandwidth of a T-1 available without the bill. Taking over YOUR machine is FREE for them IF they can get a spam "remailer" onto YOUR computer. Much cheaper than a T-1 bill. YOU'RE paying for THEIR bandwidth. Spamming trojans have been around for a while now. BOClean has handled such "treats" as "SPAMJACK," "SPAMPROXY," "DENSMAIL," "INFECTEDMAIL" and others for quite some time.
On Friday, we received a brand new one called "MASSMAIL" which was included in BOClean immediately upon its discovery. This one was discovered by the folks at spywareinfo.com, as were a few other nasties lately. MASSMAIL is a complete spam engine with its own post office inside YOUR machine. Its original source remains unknown, but it DOES contact a master at 66.111.48.41 to obtain a list of people to spam (the IP belongs to "United Colocation Group" of San Francisco, a reportedly "spam-friendly" provider), whereupon it collects addresses and the spam to be sent out and uses YOUR machine to do it. Spamhauses are ILLEGAL in California. "Oh, the IRONY." Heh.
What tipped off the original victim was that they were receiving strange warnings from the bad email addresses in the spam list, which clearly indicates that this particular spam engine is "amateur hour." However, it ran for quite some time right past firewalls, antiviruses and other security software. Upon receipt of the files belonging to it, BOClean detected this as a variant which was named by its author as "MASSMAIL." The original reporting "victim" got an early warning PRIOR to their ISP coming after them, primarily because their Norton antivirus popped up windows indicating that it was scanning outgoing email for viruses although the victim hadn't SENT any email at the time. ALERT computer user there. Norton did NOT detect the trojan however. Read about it here:
http://forums.spywareinfo.com/index.php?showtopic=11708
MASSMAIL consists of a number of pre-written "tools" which were flung together. It also used a LEGITIMATE ActiveX control called ANSMTP.DLL which is used as a legitimate mail server. The executable itself consisted of a number of prewritten libraries including a TCP host which connected to, and listened for, the 66.111.48.41 respondent with email to send. The number of unique behaviors in this particular backdoor Spamhaus provided us with 14 heuristic points to spot any similar "tools" in the future. It was genuine "script kiddies turned pro" cut and paste. And now that the offending IP has been identified, variants will obviously need to follow which will not match antivirus "file signatures."
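The two paragraphs above describe what MASSMAIL does on the wire: it fetches its job from a controller at 66.111.48.41 and then pushes the spam out over the victim's own broadband link, which is exactly what the ISP's abuse desk eventually sees. The following is an added example, not BOClean's code or anything from the newsletter: a small log analyzer that looks for the same two signs at a home or small-office firewall, contact with the named controller IP, and a workstation that is not a mail server opening outbound TCP/25 sessions to many destinations in a short window. The log format, the LAN addresses, the allowlisted mail server, the controller port, the threshold and the window are all assumptions; the log lines are constructed for the example.

```python
"""
Added example (not BOClean's code): spotting a spam-relay trojan from the
network edge, independent of whether the antivirus recognises the file.

Two signals from the newsletter's description of MASSMAIL:
  1. a host on the LAN talking to the controller at 66.111.48.41;
  2. a host that is not a mail server opening outbound TCP/25 sessions
     to many different destinations within a few minutes.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Controller IP named in the newsletter.
KNOWN_CONTROLLERS = {"66.111.48.41"}

# Assumption: the only host on this LAN allowed to speak SMTP outbound.
MAIL_SERVER_ALLOWLIST = {"192.168.1.2"}

# Assumption: more distinct SMTP destinations than this from one host
# inside one window is relay behaviour, not a person sending mail.
SMTP_DEST_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed log format (not any particular firewall's):
#   "<ISO time> OUT proto=<proto> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    detail: str


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def analyze(lines):
    """Scan outbound-connection log lines and return a list of Findings."""
    findings = []
    smtp_events = defaultdict(list)  # src -> [(ts, dst)] for outbound TCP/25
    seen_controller = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in KNOWN_CONTROLLERS and rec["src"] not in seen_controller:
            seen_controller.add(rec["src"])
            findings.append(Finding(rec["src"], "controller-contact",
                                    f"connected to {rec['dst']}:{rec['dport']}"))
        if (rec["proto"] == "tcp" and rec["dport"] == 25
                and rec["src"] not in MAIL_SERVER_ALLOWLIST):
            smtp_events[rec["src"]].append((rec["ts"], rec["dst"]))
    # Sliding window: count distinct SMTP destinations starting at each event.
    for src, events in smtp_events.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            dests = {d for t, d in events[i:] if t - t0 <= WINDOW}
            if len(dests) > SMTP_DEST_THRESHOLD:
                findings.append(Finding(src, "smtp-fanout",
                                        f"{len(dests)} distinct SMTP destinations within {WINDOW}"))
                break
    return findings


# Constructed sample log. Addresses are documentation/private ranges.
SAMPLE_LOG = [
    # Victim workstation fetches its job from the controller (port assumed) ...
    "2003-09-19T10:00:00 OUT proto=tcp src=192.168.1.23 dst=66.111.48.41 dport=80",
    # ... then fans out SMTP to many unrelated mail servers in seconds.
    "2003-09-19T10:00:05 OUT proto=tcp src=192.168.1.23 dst=203.0.113.10 dport=25",
    "2003-09-19T10:00:06 OUT proto=tcp src=192.168.1.23 dst=203.0.113.11 dport=25",
    "2003-09-19T10:00:08 OUT proto=tcp src=192.168.1.23 dst=198.51.100.7 dport=25",
    "2003-09-19T10:00:09 OUT proto=tcp src=192.168.1.23 dst=198.51.100.8 dport=25",
    "2003-09-19T10:00:11 OUT proto=tcp src=192.168.1.23 dst=203.0.113.12 dport=25",
    "2003-09-19T10:00:14 OUT proto=tcp src=192.168.1.23 dst=198.51.100.9 dport=25",
    # The real mail server sends plenty of SMTP too; it is allowlisted.
    "2003-09-19T10:01:00 OUT proto=tcp src=192.168.1.2 dst=203.0.113.10 dport=25",
    "2003-09-19T10:01:01 OUT proto=tcp src=192.168.1.2 dst=203.0.113.11 dport=25",
    "2003-09-19T10:01:02 OUT proto=tcp src=192.168.1.2 dst=203.0.113.12 dport=25",
    "2003-09-19T10:01:03 OUT proto=tcp src=192.168.1.2 dst=203.0.113.13 dport=25",
    "2003-09-19T10:01:04 OUT proto=tcp src=192.168.1.2 dst=203.0.113.14 dport=25",
    "2003-09-19T10:01:05 OUT proto=tcp src=192.168.1.2 dst=203.0.113.15 dport=25",
    # A person on another workstation sending two messages via the ISP
    # smarthost, plus ordinary web traffic: normal.
    "2003-09-19T10:02:00 OUT proto=tcp src=192.168.1.50 dst=192.0.2.25 dport=25",
    "2003-09-19T10:05:00 OUT proto=tcp src=192.168.1.50 dst=192.0.2.25 dport=25",
    "2003-09-19T10:05:30 OUT proto=tcp src=192.168.1.50 dst=192.0.2.80 dport=80",
    "not a log line",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host}: {f.reason} ({f.detail})")
```

Run against the sample log, only the victim workstation 192.168.1.23 is reported, once for the controller contact and once for the SMTP fan-out; the allowlisted mail server and the user who sent two messages through the ISP smarthost are left alone. The fan-out rule is the more durable of the two, since a controller IP changes as soon as it is burned while a relay still has to open a great many SMTP sessions to do its job.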
BOClean detects and defeats this little nasty and any of its future progeny. Worms spreading through Outlook Express, and those who make the mistake of clicking on an attachment from someone they might know which contains a file of any kind that wasn't pre-arranged, are old hat. Nowadays, you need to watch out for spammers who are tired of being shut down by their ISPs or having to pay for bandwidth to send you those "miracle pill," "diet," "refinance" treats, who have now gotten into the "hey! They have broadband, let's take over their computer and use THAT" types. A bad situation is mutating into something far worse, completely out of the spotlight of the media. But hey, what ABOUT that "SWEN?" BOClean's made him "well hung" too. :)
___________________________________________________________________________
You are receiving this email as part of our Opt-In Newsletter program. You have either opted in with us or through Digital River. We value your privacy. If you wish to stop receiving these, please email newsletter@nsclean.com with the subject of OPT-OUT and ONLY the email address(es) to be deleted in the body of the message. If you have received multiple copies of the mailing in error, please email newsletter@nsclean.com with the subject of MULTIPLE and list ONLY the email address(es) to be deleted in the body of the message; we will retain the primary address and send one copy to you in the future. Thank you.
©2003 Privacy Software Corporation. All rights reserved.