Spam meltdown brewing in suburbia

Home PCs driving wave after wave of junk email...

By Will Sturgeon, 4 August 2004 17:35

NEWS The number of home PCs compromised and infected with Trojans is increasing, and coupled with the move to always-on broadband connections the situation is playing right into the hands of spammers. And what's more, organised gangs are making money selling on the processing power of compromised home PCs.

'Open relays' let spammers effectively 'launder' their email by routing it through a compromised PC or server, so that the relay rather than the spammer appears as the sending host and the 'paper trail' of mail headers gains another hop that must be unravelled before it leads back to them. According to research from network specialist Sandvine, around 85 per cent of email leaving residential broadband-connected PCs is spam.

Similarly, an army of infected machines - or bot-nets - is being created by viruses such as MS Blast, MyDoom and Sobig, with the potential to harvest processing power for spammers' illegal operations.

And considering IDC claims 44 per cent of PCs in Europe are now in the home, where security and awareness of threats are typically lower, the size of this army could be vast. Home users have been slow to understand threats and many have been remiss in updating or even installing antivirus software, which could reduce the likelihood of their conscription into this 'army'.

Answering a reader question for today's 'Security Q&A', Paul Wood, information analyst at MessageLabs, said this power is particularly useful for generating huge lists of potential email addresses.

Wood said: "Spammers will often select a few target domains and then buy up capacity on 'bot-nets' - networks of virus-infected home broadband machines, often controlled by criminal gangs. These mercenary zombies can be hired for as little as $60 for six hours, or $2,000 per week. These bot-nets provide enough combined computing power and bandwidth for them to be able to spam almost every email address imaginable."

Comments

There are 17 comments.

  1. Burgess Taylor

    I still don't understand why ISPs don't provide firewall software as a standard part of the package.

    And they could also block port 25 except to their own mail servers, unless requested otherwise...

  2. Stuart Colville

    Why don't ISPs set up a system that checks the IP addresses assigned to internet connections for mail servers on port 25?

    There could be a system in place where if you have say an ADSL account with a static IP and you are running a mail server that you submit its hostname and then the ISP will do open relay checks on it.

    Other than that ISPs should then block port 25.

    As long as there's a way you can get port 25 open if you need it legitimately then that should do it.

    The ISPs need to take some action to stop this going on.

  3. nigel perry

    What is so difficult about designing computer systems which are able to trap unauthorised output?

    One is bound to suspect that the industry has become dependent upon spam traffic and has no incentive to stop it.

    It is time for consumers to provide that incentive by switching to better suppliers.

  4. Malcolm Ripley

    Ah well, at least I'm 100% certain my home PC isn't sending spam. I can also be 100% confident that that will remain the case for the foreseeable future. Not only that, but all users of my type of computer have the same confidence. How is this possible? Simple: I don't use Microsoft Windows, my machine is RISC OS (a British OS on British hardware using a British designed CPU).

  5. Ian J. Kennedy

    Blocking incoming connections on port 25 would stop open mail relays, not the Zombie PCs. ISPs should be prepared to suspend or cancel the Internet accounts of customers of PCs infected with Viruses or Trojans. If you receive an email infected with a virus, look at the "Received From" lines in the message headers. Trace the responsible ISP using a "whois" lookup on the IP address and forward the email, complete with all the header information to them.
    Maybe if enough of us start complaining they'll take some responsibility for educating their customers!
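The procedure Ian describes (read the "Received" lines, then whois the IP) and the header 'laundering' through relays that the article mentions both turn on one question: which Received line can you trust? Every relay prepends its own line, so the newest hop is at the top and anything below the hops written by your own servers could have been typed in by the zombie. Here is an added Python example, not from the article or from any commenter, that walks the chain from the top and stops at the first hop not written by your own mail servers. The message, the server names and the addresses are constructed for the example (they use the RFC 5737 documentation ranges), so the whois step itself is left to the shell.

```python
import email
import ipaddress
import re
from dataclasses import dataclass
from email import policy
from typing import Optional

# Constructed sample, not a real capture. The bottom Received line is the kind
# a zombie PC forges so the message looks as if it came from a big webmail
# provider; only the two lines written by our own servers can be trusted.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.net (Postfix) with ESMTP id 4F2A1C3
    for <victim@example.net>; Wed, 4 Aug 2004 17:02:11 +0100
Received: from dsl-77.residential.example (unknown [203.0.113.77])
    by mx1.example.net (Postfix) with SMTP id 3C0B7A9
    for <victim@example.net>; Wed, 4 Aug 2004 17:02:09 +0100
Received: from yahoo.com (yahoo.com [198.51.100.5])
    by dsl-77.residential.example with SMTP; Wed, 4 Aug 2004 16:58:00 +0100
From: "Special Offer" <offer@example.com>
To: victim@example.net
Subject: cheap pills

Buy now.
"""

# Assumed for the example: names our own servers write into the "by" clause,
# and the addresses they use when handing mail to each other.
OWN_RELAY_NAMES = {"mail.example.net", "mx1.example.net"}
OWN_RELAY_IPS = {"192.0.2.10"}

# Addresses that can only be an internal hop, never an origin on the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)(.*?)\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str            # name the connecting host claimed in HELO/EHLO (forgeable)
    ip: Optional[str]    # address the receiving server actually saw (recorded by it)
    by: str              # server that wrote this Received line


def parse_received(value: str) -> Optional[Hop]:
    """Split one Received header value into its from/ip/by parts."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo, middle, by = m.group(1), m.group(2), m.group(3)
    ip_match = IP_RE.search(middle)
    return Hop(helo=helo, ip=ip_match.group(1) if ip_match else None,
               by=by.rstrip(";,"))


def find_origin(raw_message: str,
                own_names=OWN_RELAY_NAMES, own_ips=OWN_RELAY_IPS) -> Optional[Hop]:
    """Walk Received lines newest-first and return the hop at which the message
    entered our infrastructure. Lines below that were written by machines we do
    not control and may be forged, so they are never consulted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for value in msg.get_all("Received", []):
        hop = parse_received(str(value))
        if hop is None or hop.by.lower() not in own_names:
            return None                      # chain no longer written by us
        if hop.ip is None or hop.ip in own_ips:
            continue                         # relay-to-relay hop inside our network
        if any(ipaddress.ip_address(hop.ip) in net for net in INTERNAL_NETS):
            continue                         # private address: still internal
        return hop                           # first host outside our control
    return None


if __name__ == "__main__":
    origin = find_origin(SAMPLE_MESSAGE)
    print(f"report {origin.ip} (claimed HELO {origin.helo!r}) to its ISP's abuse contact")
```

The sample reports 203.0.113.77, the residential host that connected to mx1.example.net, and ignores the "yahoo.com" line beneath it. From there the lookup Ian suggests is `whois 203.0.113.77` (on a real address; the documentation range here has no ISP), and the whole message with its headers goes to the abuse contact the registry record lists.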

  6. Brian Burkill

    One of the reasons home users won't install antivirus and firewall software is because they have to pay for it.

    Having bought the machine in the first place, with all the bundled software that comes with them, they see it as why should they now have to fork out for subscriptions to AV software.

    And, let's be frank, the antivirus companies ARE making money out of it, so is there an incentive there for them to allow spam to continue? As long as viruses exist, the people who write the software to beat them will continue to make money.

  7. Tim. Pickford-Jones

    And what is so difficult about a router with Network Address Translation and a firewall to stop the propagation even if one is unlucky enough to get infected?

  8. Alex

    The way this article is written sounds like either the author doesn't know anything about computers and the internet, or this article is written for people that don't even use computers (or AOL users... same level). With terms like zombie computers and gangs. You might as well turn this into another teenage hacking movie while you're at it.

  9. anonymous

    The sender of the previous comment has raised a point that has occurred to me on a number of occasions. Especially after it was reported that Microsoft was willing to make available the entire database of Hotmail users' IDs to spammers willing to pay $20,000.
    Also, when Yahoo.com first linked up with BT Openworld and started handling, or rather mishandling, BTO users' e-mail. They made the full BTO IDs available on the Internet until the resulting howl of protest made them include an option to 'hide' the ID. The only problem being that for anyone misguided enough to use Yahoo Messenger the ID is revealed to all.
    They of course must think that all users are totally stupid, especially British users...!
    Would you trust them?

  10. anonymous

    Not surprised home users remain at big risk from trouble. Just read your article on bot nets etc. and my brain was scrambled by the time I got to the end of it!

  11. Roger Bayldon

    What does one do about this?

    Also how vulnerable are Macintosh Powermacs?

  12. Nick Cole

    One simple answer:

    ISPs should NOT pass on email that is generated with unregistered domain names as reply addresses and that do not relate to the account holder. If all email required a registered account (centrally as with domain names?) then the ability of spammers to lay their 'false' paper trail would be eliminated.

    The main problem is that the cost of sending mail is all but nothing unlike when marketeers had to buy stamps.

    In any event the trail is not as difficult to follow as people think. Spamming is about advertising. For there to be any point in it the spam must point back to a recipient or host (use View Source). Using WHOIS, this will give the address and telephone number, etc. of whoever sponsored the spam. If these are unworkable, as the domains are often registered (usually by only a handful of rogue registrars such as R159-LRMS) solely for the short-term purpose of that campaign, then a report can be submitted to ICANN and INTERNIC, which will have that site shut down, and they will be alerted to the scale of the problem and perhaps realise that free speech for the spammer is a cost and burden to the recipient.

    Mind you if the idiots who buy services or products from the spammers stopped doing so then it would also soon stop.

  13. John Woods

    Spam is solved, apart from the politics: google 'hashcash', for example. We just need mail-relays to massively deprioritize non-'stamped' mail, where the stamp is a one-time, non-reusable, non-forgeable hash of the message which takes a significant defined amount of CPU time.

    Zombies are harder to deal with. After 10 years in the industry, and 10 before where I was extremely involved, I still don't know for sure whether all the processes on my PC are legitimate, or whether all the outbound traffic is.
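As an added example (not John's code and not the hashcash project's reference implementation), here is a minimal hashcash-style mint and verify in Python that shows the three properties he lists: the stamp costs the sender a defined amount of CPU (a SHA-1 digest with a required number of leading zero bits), it is bound to the recipient address and a date so a stamp minted for one message cannot be passed off as payment for another, and the receiver records spent stamps so the same stamp cannot be reused. The stamp layout follows the published hashcash version 1 format (`ver:bits:date:resource:ext:rand:counter`); the bit counts, addresses and dates are chosen for the example.

```python
import datetime
import hashlib
import os

HASHCASH_VERSION = "1"


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a digest (160 for an all-zero SHA-1)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_bits(stamp: str) -> int:
    """Proof-of-work value of a stamp: leading zero bits of its SHA-1."""
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())


def mint(resource: str, bits: int, date: datetime.date) -> str:
    """Sender side: try counters until the stamp's SHA-1 has `bits` leading
    zeros. Expected cost is 2**bits hashes; checking costs the receiver one."""
    if ":" in resource:
        raise ValueError("resource must not contain ':'")
    rand = os.urandom(8).hex()   # keeps two stamps for the same recipient distinct
    counter = 0
    while True:
        stamp = f"{HASHCASH_VERSION}:{bits}:{date:%y%m%d}:{resource}::{rand}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp
        counter += 1


class StampChecker:
    """Receiver side: checks the cost, the binding to our address, the
    freshness, and that no stamp is accepted twice (the non-reusable part)."""

    def __init__(self, required_bits: int, max_age_days: int = 2):
        self.required_bits = required_bits
        self.max_age_days = max_age_days
        self.spent = set()   # a real relay would use a shared store that expires old dates

    def check(self, stamp: str, resource: str, today: datetime.date):
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != HASHCASH_VERSION:
            return False, "malformed"
        try:
            claimed_bits = int(fields[1])
            stamp_date = datetime.datetime.strptime(fields[2], "%y%m%d").date()
        except ValueError:
            return False, "malformed"
        if claimed_bits < self.required_bits:
            return False, "too few bits"          # sender paid less than our tariff
        if fields[3] != resource:
            return False, "wrong resource"        # minted for somebody else's address
        if abs((today - stamp_date).days) > self.max_age_days:
            return False, "stale"                 # bounds how long the spent-set must grow
        if stamp_bits(stamp) < claimed_bits:
            return False, "bad proof of work"     # the cheap part: one hash
        if stamp in self.spent:
            return False, "already spent"         # same stamp on a second message
        self.spent.add(stamp)
        return True, "ok"


if __name__ == "__main__":
    today = datetime.date(2004, 8, 4)
    stamp = mint("victim@example.net", 20, today)     # ~1M hashes, a second or so
    checker = StampChecker(required_bits=20)
    print(stamp, checker.check(stamp, "victim@example.net", today))
    print(checker.check(stamp, "victim@example.net", today))   # second use is refused
```

With the required bits set around 20 the cost per stamp is about a second of CPU, which is nothing for a person sending a few dozen messages and ruinous for a zombie that has to send a few million; a relay would simply queue unstamped or underpaid mail behind everything else rather than reject it outright, which is the deprioritisation John describes.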

  14. anonymous

    After reading all the comments so far one wonders again how culpable the major consumer ISPs are in all this. Perhaps one answer would be to start by stopping the rollout of broadband to home users. Commence a program of restricting Internet usage to business users only. Painful to some perhaps, but quite bluntly, is it really necessary for home users to have access to the Internet? For let us face it, 99.999% of content on the Internet is rubbish. Too much of the alleged educational content is flawed if not downright misleading, etc.
    Need I say more?

  15. Bob K.

    To the Semi-retired consultant...
    Seems you need to go back into retirement permanently, and stop consulting. You obviously don't consider that the future of IT depends on customers investing in future technology. Is technology just for the "overpaid consultants", one may ask (excuse the pun). The simple truth is that the ISPs need to do more for the security of their systems and start by providing the following security measures...

    1) Verifying email accounts before they are allowed to send emails...
    2) Combine this with security software and settings at the ISP, i.e.
       a) email virus checks at server level
       b) proper firewall filtering
       c) last but not least, locking accounts detected as sending viruses and/or not running an updated anti-virus program and/or misusing email.

    As an IT Manager / Consultant I try to pro-actively stay with the latest greatest in tech. I do however agree that putting the burden of all these IT problems on the normal user is the wrong answer. (you cannot teach a horse to fly, nor can you make him drink)

    One exception I will make, however, is educating the users to such a degree as to the correct usage of email and to facing a few facts about which of their received emails need to be deleted without opening them. This alone would decrease the number of attacks by 50%....

    Last Note: If email is used for what it is intended for and security is better over time, hackers / spammers could find that misusing this function will bring them less results and they may stop or at least decrease their activity...... (that's an educated guess)

  16. anonymous

    Funny how Yeehaw can and do block IM traffic from other companies' sources and block e-mail facilities on 'free profiles', but it's another story when spammers get your addy from them. Don't they monitor this traffic and curtail it themselves? Why not apply blocks to e-mail spam instead and open up to genuine IM traffic from other hosts?

  17. Dave Stanton

    I think the biggest problem is that ordinary "Joe Public" doesn't know enough about antivirus and firewall programs, or how to use them. I know of at least six different families who have bought systems from PC World and then paid £39.99 for delivery and setup. If they can't even connect their systems up (where most plugs/sockets are colour coded or shaped to go in one way only), how on earth are they going to deal with setting up antivirus or firewall programs?

    When faced with a message from the firewall such as "Generic host process for Win32 services is asking to access the internet. Do you want to allow or not?" they are going to poo themselves, aren't they (well, maybe not, but you get my drift :o))

    Until AV, antitrojan, antispy and firewalls can do their thing without any user intervention at all, then the situation will not get any better.
