From proxies to zombies

Some of you remember how I’ve been ranting about open proxies, and my desire to have them shut down to make it harder for linkspammers to misuse them.

But spammers are always on the move. Towards new techniques, always trying to stay one step ahead of spam hunters and the receivers of their spam.

So now using zombies as a delivery mechanism is getting more and more common. We saw one spam run at the beginning of my spam hunting. Alexander Morozov/Dyakon appears to have rented a botnet to do a vile trackback spam campaign. That was probably the noisiest spam campaign ever. More bloggers complained about it than ever, because of the content of the sites he was spamvertizing. It also provoked my first real blog spam post.

But since that campaign, we seldom saw zombies used by linkspammers. That’s changing right now. More and more, we see machines that seem to be zombies used in linkspamming.

Lately I’ve noticed how some zombies also appear to end up on free open proxy lists. They have proxies on random high ports.
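One way a blog administrator can act on this observation is to cross-check the source addresses of trackback submissions against a list of known open proxies. The script below is an added example, not code from the original post; the log format (Apache combined), the trackback path marker "/trackback/", the "ip:port" proxy list format, the sample log lines and the proxy list entries are all constructed for illustration.

```python
"""Cross-check trackback POST sources against an open-proxy list.

Added example (not from the original post). Everything here is constructed:
the Apache combined-format log lines, the "ip:port" proxy list and the
"/trackback/" path marker are assumptions, not values from the blog.
"""
import re
from collections import Counter, defaultdict

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2005:03:14:01 +0100] "POST /archives/42/trackback/ HTTP/1.0" 200 312 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Feb/2005:03:14:05 +0100] "GET /archives/42/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2005:03:14:09 +0100] "POST /archives/43/trackback/ HTTP/1.0" 200 312 "-" "Mozilla/4.0"
192.0.2.99 - - [12/Feb/2005:03:15:30 +0100] "POST /archives/42/trackback/ HTTP/1.0" 200 312 "-" "Mozilla/4.0"
"""

# Constructed open-proxy list in "ip:port" form (not a real list).
SAMPLE_PROXY_LIST = """\
# ip:port
203.0.113.7:48213
203.0.113.7:3128
198.51.100.200:8080
"""


def parse_proxy_list(text):
    """Return {ip: set(ports)} from "ip:port" lines; blanks and # comments are skipped."""
    proxies = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, port = line.rpartition(":")
        if ip and port.isdigit():
            proxies[ip].add(int(port))
    return proxies


def is_random_high_port(port):
    """Assumed threshold: anything above the usual 3128/8080 style proxy ports
    counts as one of the 'random high ports' the post describes."""
    return port >= 10000


def count_trackback_posts(log_text, path_marker="/trackback/"):
    """Count trackback POSTs per source IP; a burst from one address is a spam signal."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and path_marker in m["path"]:
            counts[m["ip"]] += 1
    return counts


def find_suspect_trackbacks(log_text, proxy_text, path_marker="/trackback/"):
    """Return one record per trackback POST whose source IP is on the proxy list.

    Each record carries the listed ports and whether any of them is a high port,
    which is the pattern the post associates with zombie machines."""
    proxies = parse_proxy_list(proxy_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or path_marker not in m["path"]:
            continue
        ip = m["ip"]
        if ip in proxies:
            ports = sorted(proxies[ip])
            hits.append({
                "ip": ip,
                "path": m["path"],
                "ports": ports,
                "high_port": any(is_random_high_port(p) for p in ports),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspect_trackbacks(SAMPLE_LOG, SAMPLE_PROXY_LIST):
        print(hit)
    print(count_trackback_posts(SAMPLE_LOG))
```

On the constructed data this flags both trackback POSTs from 203.0.113.7, which is listed with a conventional proxy port and a high one, while the POST from 192.0.2.99 passes the proxy check and would only stand out through the per-IP count. A proxy list is a lagging indicator, so the count and the list are best used together rather than either alone.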

What this means is that the focus of this blog is changing - again. Not only do I want to make people aware of the danger of open proxies and how they are misused. I also want to make sure regular people are aware of the danger of trojans and spyware.

If you practice unsafe computing, you’re a sitting duck for trojans that make you into a zombie.

And your machine will be riddled with adware and spyware. I was shocked when I watched the video made by Ben Edelman, of how a computer was more or less trashed by visiting only ONE website! I found it through Spywareblog. The video may seem a bit slow at times. He’s waiting for more stuff to be installed before he checks. And since this is an “evidence video” he doesn’t cut the dead air out.

When you watch that video, imagine how easy it would be to sneak a backdoor trojan into your machine… In fact, I almost got one myself a few months ago (my antivirus caught it in time), just because I had Java enabled in Firefox. I suggest you disable Java, and only enable it when you need it, for specific websites. Then disable it afterwards.

One Response to “From proxies to zombies”

  1. Olliver Says:

    I’ve made exactly the same observation on the sites I administer and this turn towards zombies seems quite reasonable to me (from a spammer’s perspective): Proxies have the disadvantage of keeping the same IP address in most cases, becoming unusable pretty quickly (=> lots of time has to be spent updating proxy server lists) and appearing on blacklists almost immediately after discovery (=> spam doesn’t reach target).

    The zombies in the logs I got access to are almost exclusively from dialup ranges and Windows machines. But as you write, scanning them with Nmap often doesn’t reveal any prominent proxy ports, just ranges where the router or “desktop firewall” chooses to reply with “deny” or “reject”.
