Another DNS blacklist is taken down

Steve Linford linford at spamhaus.org
Mon Sep 29 19:11:32 UTC 2003


[at the risk of angering the moderator, quite rightly since this 
thread is bordering on OT - apologies moderator!]

At 14:04 -0400 (GMT) 29/9/03, Dan Armstrong wrote:

>  These BLs that leveraged their "wild west" style, unaccountable
>  [rant probably directed at 'spews' snipped]
>  I think it's a cop out to think that it was the spammers themselves
>  who did this. Spammers are not smart enough to do things like that...

Ehm, we actually have proof the spammers are doing the dDoS, at least 
against Spamhaus. We can even see the spammer doing it on his IRC 
channel, we know how many zombies he's controlling, where they are, 
where he's connected from and even his aliases and account names, we 
have enough on him to put the Feds at his door ...should the Feds 
ever get interested.

MessageLabs have also compared the long list of servers participating 
in the dDoS against Spamhaus, with their database of known 
virus-infected hosts. The test came back today showing that almost 
all the hosts attacking Spamhaus have been recently identified by 
MessageLabs as being infected with the Fizzer worm.

We had in fact also been wondering if, as well as being responsible 
for sending SoBig, the spammers might be responsible for other viruses 
as well. In particular we wondered how so many spammers were now 
hosting their spamvertised web sites on rapidly-appearing zombies all 
over the net; that answered that too, since the summary of Fizzer 
(one of the most widespread viruses in the world) is:

     Fizzer is a complex e-mail worm that appeared on May 8,
     2003. The worm can spread itself in e-mails and in the
     Kazaa P2P (peer-to-peer) file-sharing network. The
     Fizzer worm contains a built-in IRC backdoor, a DoS
     (Denial of Service) attack tool, a data-stealing Trojan
     (uses external keylogger DLL), an HTTP server and other
     components. The worm has the functionality to kill the
     tasks of certain anti-virus programs. Additionally, the
     worm has automatic updating capabilities.

The world has to wake up to the fact that spammers are no longer 
stupid; there's a lot of money to be made spamming, so crackers and 
script kiddies have joined them. We've had open relays, we've had 
open proxies, the future of mass spamming is by way of 
ever-more-powerful viruses.

-- 
   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org


