Windows Spam Proxy Viruses
Phil Rodrigues and Keith Bessette, University of Connecticut
MIT Security Camp, August 21, 2003
Introduction
• I have been accused of being a salesman
  • IPAUDIT
• I have been accused of being a preacher
  • BLOCK WINDOWS NETWORKING

Motivational Speaker
• Now I am a motivational speaker:
  • You are all smart people with the right (free) tools and good intentions
  • Together we can make a difference!

Desperate Times
• Win PopUp alerts to RPC-DCOM vulnerable hosts (thanks Eric Jacobsen)
• Hacking hosts that were DOSing our NetReg box (thanks Rich Graves)
• Sending Spam like this:
My Spam
“Experience the results you've always wanted with a MASSIVE scientific breakthrough: Best of all... There Are NO Agonizing Hanging Weights, NO Tough Exercises, NO Painful And Hard-To-Use Pumps, And There Is NO Dangerous Surgery Involved. But the best part is when you reveal yourself in all your glory to the woman in your life. When she sees how massive and manly, how truly long and hard you are, she will surrender and give you everything you have always wanted.”

What We Noticed
• I’ve been answering abuse@uconn.edu for about two years now
• Noticeable increase in the amount of inbound spam complaints over the course of the Spring:
• Exciting Full-Color Chart ahead!

Worm Ate my Homework (inbound spam complaints per month)
Jan = 2
Feb = 15
Mar = 12
Apr = 70
What We Noticed (con’t)
• April ’03: started to nmap the hosts we got complaints about and found unexpected ports open
• amap them and usually found:
  • http-proxy
  • smtp-proxy
  • ?? probably RAT
• Visited some and found they were mostly virus related: SoBig, LovGate, Jeem

How We Detected It
• IPAudit graphs looking for outgoing scans
  • local hosts that contact many more remote hosts than they got answers from
• IPAudit client/server report that told us:
  • Highest mail connections
  • ssh
  • telnet
  • http
  • https

How We Detected It (con’t)
• Daily totals were a good start, but we needed more detail: short bursts got lost in steady volume
• Jon Rifkin made an IPAudit graph that showed outbound SMTP connections per minute
• Allowed us to quickly see a change in the normal mail traffic we expected

How We Caught It
• Would block high-SMTP-connection hosts as we saw them
• Hint: don’t name stuff "plum" or "bilbo"
• Got our hands on a host and pulled the infected files off of it
• Randomly got Jeem

How We Caught It (con’t)
• Jeem had only infected about 13 hosts on campus
  • it was not extremely common
• 4 of its hosts had sent out >2,000,000 pieces of spam over a few hours
  • It was extremely active!
The Jeem Process: Initialization
• After the initial infection, 3 ports are opened on the infected host
• An attempt to ping Microsoft occurs
• Sends an HTTP GET command to an update.pl script on the Master Server
  • GET /update12.pl?magic=515273856672&ox=2-5-0-2195&tm=289&id=-1&cache=1057100466 ...

Jeem Process Initialization (con’t)
• The Master Server generates an ID for the infected host and passes all the new info to a Control Server by calling another update.pl script on the Control Server
  • [prxmagic]westads.com#westads.com#westads.com#K#2#/vcgi/danny/update.cgi#/vcgi/danny/update.pl#/vcgi/danny.pl#P#1#193728#
• No further contact between the Master Server and Control Server can be seen

Pre-Spam
• MySQL is running on the Control Server
• After 60 minutes, the infected host pings MSFT, and then sends an HTTP GET command to the Control Server
• A script on the Control Server tells the infected host to sleep for 30 minutes
  • [prxmagic]westads.com#westads.com#westads.com#K#2#/vcgi/danny/update.cgi#/vcgi/danny/update.pl#/vcgi/danny.pl#P#sleep#193728#

Pre-Spam (con’t)
• The Control Server then makes quick contact with the remote-control Jeem port
• HTTP GET commands continue to be sent to the Control Server every 30 minutes
  • This allows the established connection to be kept open and alive through firewalls
  • Signifies that the infected host is alive and ready for commands

Spam
• We ASSUME the Relaying Servers contact a Control Server through SSH/MySQL
• A Relay Server sends a packet containing a command ‘connect ip:25’
  • This opens a connection between the infected host and the indicated mail server
• Other packets containing <mail to:> and other SMTP commands are sent from a Relay Server to the infected host and passed on to the mail server

Spam (con’t)
• All ACK commands from the mail server are sent back to the infected host and then to the Relay Server
  • If 100Mb are sent inbound to the infected host, the infected host sends out 100Mb
• The Relay Server keeps this connection open by using a SACK Permitted option flag
  • SACK Permitted allows an established connection to remain open with knowledge that data will be sent in non-contiguous blocks
• Most of the mail servers used were set up to accept mail only from hosts w/ properly configured DNS entries
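The beacon request, the [prxmagic] control reply and the relay's connect order described on the slides above are all simple text formats, and an analyst who has a capture will want to pull indicators (hosts, script paths, the mail server being relayed to) out of them for watchlists or IDS content matches. The following is an added example in Python, not code from the talk or from Jeem. It assumes the reply is '#'-delimited after the literal [prxmagic] prefix, that the tenth field is the command (it is the only field that differs between the two replies on the slides: '1' versus 'sleep'), and that the relay order is ASCII "connect host:port"; the HTTP/1.0 suffix on the request line and the relay payload bytes are constructed. No other field meanings are interpreted.

```python
"""Extract indicators from the Jeem beacon, control reply and relay command.

Added example for analysts; not code from the talk or from Jeem. Assumes:
the reply is '#'-delimited after a literal '[prxmagic]' prefix; the tenth
field is the command, since it is the only field that differs between the
two replies on the slides ('1' versus 'sleep'); the relay order is ASCII
'connect host:port'. Other field meanings are not interpreted.
"""
from urllib.parse import urlsplit, parse_qs

PRX_PREFIX = "[prxmagic]"
COMMAND_FIELD = 9          # zero-based index of the field that held '1' / 'sleep'

# Samples. The query string and reply are the ones on the slides; the
# 'HTTP/1.0' suffix and the relay payload are constructed.
SAMPLE_REQUEST = ("GET /update12.pl?magic=515273856672&ox=2-5-0-2195&tm=289"
                  "&id=-1&cache=1057100466 HTTP/1.0")
SAMPLE_REPLY_RUN = ("[prxmagic]westads.com#westads.com#westads.com#K#2#"
                    "/vcgi/danny/update.cgi#/vcgi/danny/update.pl#/vcgi/danny.pl#P#1#193728#")
SAMPLE_REPLY_SLEEP = SAMPLE_REPLY_RUN.replace("#P#1#", "#P#sleep#")
SAMPLE_RELAY = b"connect 064.012.137.152:25\r\n"


def parse_beacon_request(request_line):
    """Return script path and query parameters of the host's HTTP GET beacon."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        raise ValueError("not a GET request line")
    url = urlsplit(parts[1])
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"path": url.path, "params": params}


def _looks_like_hostname(field):
    # dotted, not a path, and not a dotted-decimal number
    return "." in field and "/" not in field and not field.replace(".", "").isdigit()


def parse_control_reply(reply):
    """Split a [prxmagic] reply into fields and pull out hosts, paths, command."""
    if not reply.startswith(PRX_PREFIX):
        raise ValueError("missing [prxmagic] prefix")
    fields = reply[len(PRX_PREFIX):].split("#")
    if fields and fields[-1] == "":
        fields.pop()               # the trailing '#' yields an empty field
    command = fields[COMMAND_FIELD] if len(fields) > COMMAND_FIELD else None
    return {
        "hosts": sorted({f for f in fields if _looks_like_hostname(f)}),
        "paths": [f for f in fields if f.startswith("/")],
        "command": command,
        "fields": fields,
    }


def parse_relay_command(payload):
    """Recognise the relay's 'connect host:port' order; None if it is not one."""
    text = payload.decode("ascii", errors="replace").strip()
    if not text.startswith("connect "):
        return None
    host, sep, port = text[len("connect "):].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {"host": host, "port": int(port)}


def indicators(request_line, reply, relay_payload):
    """Collect watchlist strings seen in one infected-host session."""
    found = set()
    req = parse_beacon_request(request_line)
    found.add("path:" + req["path"])
    ctl = parse_control_reply(reply)
    found.update("host:" + h for h in ctl["hosts"])
    found.update("path:" + p for p in ctl["paths"])
    relay = parse_relay_command(relay_payload)
    if relay is not None:
        found.add("mailserver:%s:%d" % (relay["host"], relay["port"]))
    return sorted(found)


if __name__ == "__main__":
    for item in indicators(SAMPLE_REQUEST, SAMPLE_REPLY_RUN, SAMPLE_RELAY):
        print(item)
```

The command field is reported as an opaque string on purpose: the slides only show that '1' preceded activity and 'sleep' preceded a 30-minute pause, so anything beyond distinguishing those two values would be guesswork.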
[Diagram: Jeem components. Infected Host to Master Server: HTTP. Infected Host to Control Server: HTTP / JEEM. Master Server to Control Server: HTTP?. Relay Hosts to Control Server: SSH / MYSQL?. Relay Hosts to Infected Host: SMTP over JEEM. Infected Host to Mail Server: SMTP.]
Jeem on the Network
• 137.099.092.210 = Infected Host
• MMM.SSS.000.159 = Master Server
• CCC.SSS.129.048 = Control Server
• RRR.HHH.104.130 = Relay Host
• RRR.HHH.015.111 = Relay Host
• 064.012.137.152 = Mail Server (AOL)

Jeem on the Network
LocIP           RemIP            Ptl LPrt RPrt InBy OuBy Fir Las
137.099.092.210 MM.SS.000.159    6   1054 80   3541 662  1   2
137.099.092.210 CCC.SS.129.048   6   1056 80   481  548  1   2
137.099.092.210 CCC.SS.129.048   6   5119 1061 272  206  2   2
137.099.092.210 CCC.SS.129.048   6   1062 80   481  549  1   2
137.099.092.210 CCC.SS.129.048   6   5119 2618 272  206  2   2
137.099.092.210 CCC.SS.129.048   6   1066 80   481  549  1   2
137.099.092.210 CCC.SS.129.048   6   5119 4157 272  206  2   2
137.099.092.210 CCC.SS.129.048   6   1250 80   481  551  1   2
137.099.092.210 CCC.SS.129.048   6   5119 3988 272  206  2   2
137.099.092.210 RR.HH.104.130    6   5119 1591 1269 1288 2   1
137.099.092.210 064.012.137.152  6   1251 25   1783 2042 1   2
137.099.092.210 RR.HH.015.111    6   5119 4486 2502 1495 2   2
137.099.092.210 064.012.138.152  6   1252 25   1396 2573 1   2
137.099.092.210 RR.HH.015.111    6   5119 1183 2770 1735 2   2
137.099.092.210 064.012.138.089  6   1253 25   1636 2896 1   2
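The "How We Detected It" slides describe three flow-level signals that the table above makes concrete: a burst of outbound SMTP sessions per minute, local hosts that contact many more remote hosts than answer back, and a local port that remote hosts open sessions to. The following is an added example in Python, not IPAudit's own code, that implements those checks over rows in the table's column layout (LocIP RemIP Ptl LPrt RPrt InBy OuBy Fir Las). It prepends a constructed HH:MM minute stamp, since the slide's table omits timestamps, and assumes that Fir/Las record which side sent the first and last packet (1 = local host, 2 = remote host), which matches the table: the port-25 rows are local-initiated and the rows on local port 5119 are remote-initiated. The sample data copies eight of the table's rows (with the slide's masked addresses) and adds a constructed second host probing port 25 on hosts that do not answer.

```python
"""Flow-record checks in the spirit of the IPAudit graphs described in the talk.

Added example; not IPAudit's own code. Input rows follow the column layout
of the "Jeem on the Network" table (LocIP RemIP Ptl LPrt RPrt InBy OuBy Fir
Las) with a constructed HH:MM minute stamp prepended. Assumption: Fir/Las
say which side sent the first/last packet (1 = local host, 2 = remote host).
"""
from collections import Counter, defaultdict

LOCAL, REMOTE = 1, 2
SMTP_PORT = 25
TCP = 6

# Constructed sample. The first eight rows copy the slide's rows for the
# infected host (with the slide's masked addresses); the last four rows
# model a second host probing port 25 on hosts that mostly never answer.
SAMPLE_FLOWS = """\
14:00 137.099.092.210 MM.SS.000.159   6 1054 80   3541 662  1 2
14:00 137.099.092.210 CCC.SS.129.048  6 1056 80   481  548  1 2
14:00 137.099.092.210 CCC.SS.129.048  6 5119 1061 272  206  2 2
14:01 137.099.092.210 RR.HH.104.130   6 5119 1591 1269 1288 2 1
14:01 137.099.092.210 064.012.137.152 6 1251 25   1783 2042 1 2
14:01 137.099.092.210 RR.HH.015.111   6 5119 4486 2502 1495 2 2
14:01 137.099.092.210 064.012.138.152 6 1252 25   1396 2573 1 2
14:01 137.099.092.210 064.012.138.089 6 1253 25   1636 2896 1 2
14:02 137.099.092.211 010.000.000.001 6 1300 25   0    60   1 1
14:02 137.099.092.211 010.000.000.002 6 1301 25   0    60   1 1
14:02 137.099.092.211 010.000.000.003 6 1302 25   0    60   1 1
14:02 137.099.092.211 010.000.000.004 6 1303 25   120  90   1 2
"""


def parse_flows(text):
    """Parse whitespace-separated rows into dicts; one dict per session."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        minute, loc, rem, ptl, lprt, rprt, inby, ouby, fir, las = line.split()
        flows.append({
            "minute": minute, "loc": loc, "rem": rem, "proto": int(ptl),
            "lport": int(lprt), "rport": int(rprt),
            "in_bytes": int(inby), "out_bytes": int(ouby),
            "first": int(fir), "last": int(las),
        })
    return flows


def outbound_smtp_per_minute(flows):
    """Count local-initiated TCP sessions to remote port 25, per minute."""
    counts = Counter()
    for f in flows:
        if f["proto"] == TCP and f["rport"] == SMTP_PORT and f["first"] == LOCAL:
            counts[f["minute"]] += 1
    return dict(counts)


def smtp_bursts(flows, baseline_per_minute, factor=3):
    """Minutes whose outbound SMTP session count exceeds factor x baseline."""
    return sorted(m for m, n in outbound_smtp_per_minute(flows).items()
                  if n > factor * baseline_per_minute)


def scan_suspects(flows, min_contacted=3, max_answer_ratio=0.5):
    """Local hosts that contact many more remote hosts than answer back.

    A remote host counts as answering when it sent bytes back (InBy > 0)."""
    contacted = defaultdict(set)
    answered = defaultdict(set)
    for f in flows:
        if f["first"] != LOCAL:
            continue
        contacted[f["loc"]].add(f["rem"])
        if f["in_bytes"] > 0:
            answered[f["loc"]].add(f["rem"])
    suspects = {}
    for host, remotes in contacted.items():
        ratio = len(answered[host]) / len(remotes)
        if len(remotes) >= min_contacted and ratio <= max_answer_ratio:
            suspects[host] = {"contacted": len(remotes),
                              "answered": len(answered[host]), "ratio": ratio}
    return suspects


def unexpected_listeners(flows, expected_ports=frozenset()):
    """Local ports that remote hosts opened sessions to (first == REMOTE) and
    that are not among the services the host is expected to run."""
    found = defaultdict(set)
    for f in flows:
        if f["first"] == REMOTE and f["lport"] not in expected_ports:
            found[f["loc"]].add(f["lport"])
    return {h: sorted(p) for h, p in found.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("outbound SMTP/min:", outbound_smtp_per_minute(flows))
    print("burst minutes:    ", smtp_bursts(flows, baseline_per_minute=1))
    print("scan suspects:    ", scan_suspects(flows))
    print("listeners:        ", unexpected_listeners(flows))
```

On the sample, the per-minute count is what the talk's graph made visible and the daily total would have hidden: three outbound SMTP sessions in one minute from the infected host and four from the probing host, with only the latter crossing a three-times-baseline threshold. The listener check flags local port 5119 on the infected host because every session on it was opened from outside, which is the same observation the table supports.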
Who We Spoke To
• Emailed Michael Tokarev, Anti-Spam King of Russia
• May 20, 2003 NY Times:
  • “Last October, Michael Tokarev, a Russian computer programmer active in the worldwide antispam effort, noticed a lot of spam in Russian that offered bulk-mailing services. The messages were identical, but they came from many different computers. He investigated and found they were forwarded by a program, calling itself Jeem, that had not been seen before.”
• “First of all, congratulations to you all for this job.”

Who We Spoke To
• Michael Tokarev:
  • “But.. the time was lost already. Waay lost. Jeems are NOT in a wide use anymore. They still pop up sometimes, and the site/home SHOULD be alive and working to pick up jeems to use them. But their usage dropped dramatically. New "technologies" have been developed for this same purpose.”
June 2003
• 70,328: 1080 (socks-proxy)
• 51,735: 6588 (analog-x)
• 11,862: 2280, 2281, 2282, 2283 (sobig.c)
• 9,079: 21 (vuln FTP USER)
• 8,874: 7441 (ms proxy 1.0)
• 8,036: 8080 (http-proxy)

July 2003 (incomplete)
• 47,477: 1080 (socks-proxy)
• 32,095: 7441 (ms proxy 1.0)
• 23,951: 6588 (analog-x)
• 15,872: 3380, 3381, 3382 (sobig.e)
• 13,638: 2280, 2281, 2282 (sobig.c)
• 11,123: 3330, 3331, 3332 ???
Who We Spoke To (con’t)
• Asked NOX folks what we should do
• Advised to take it seriously and report it to the Feds, or State Police, or ISP
• Spoke to FBI

How They Helped Us
• Took us seriously
• We gave them a technical summary and packet capture
• Had learned some lessons from IRC DOS attack earlier in the spring
• Agent Marty McBride from New Haven met with us to go over the details

How They Helped Us (con’t)
• Contacted the ISP that was hosting the master server with a freeze order
• Domain was changing hands and server was going away!

How They Helped Us (con’t)
• Former ISP would keep files intact and the new ISP would make sure the master server continued to work
• Tested: the Control Server scripts have changed directories, and the update.pl and related scripts continue to function
What Changes We Made
• We no longer want to infect the world with our SMTP-engine mail viruses
• Block Outbound TCP 25 (SMTP) from ResNet
• Even better…

Changes (con’t)
• Register all known mail servers on campus (easy with IPAudit)
• Block Outbound SMTP from every non-mailserver
Conclusions
• Spam is becoming public enemy #1
• Viruses are an attractive way to make money
• Spam-proxy viruses are becoming very common: most of the recent big ones have some form of mail or web proxy built into them
• Block outbound SMTP from your own ResNet at the least, if not the whole campus

Conclusions (con’t)
• Take the time to look into things that happen and learn more about them
• Work with each other and with the Feds
• Together we can make the Internet a better place!

Contact Info
• Phil Rodrigues: phil.rodrigues@uconn.edu
• Keith Bessette: keith.bessette@uconn.edu