Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, mobile phone messaging spam, Internet forum spam and junk fax transmissions.[citation needed]
Spamming is economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in many jurisdictions.[citation needed]
The people that create electronic spam are called spammers.
E-mail spam
E-mail spam, also known as unsolicited bulk email (UBE) or unsolicited commercial email (UCE), is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients.
Spam in e-mail started to become a problem when the Internet was opened up to the general public in the mid-1990s. It grew exponentially over the following years, and today comprises some 80 to 85% of all the email in the world, by conservative estimate [2]; some sources go as high as 95%.
Pressure to make e-mail spam illegal has been successful in some jurisdictions, but less so in others. Spammers take advantage of this fact, and frequently outsource parts of their operations to countries where spamming will not get them into legal trouble.
Increasingly, e-mail spam today is sent via "zombie networks", networks of virus- or worm-infected personal computers in homes and offices around the globe; many modern worms install a backdoor which allows the spammer access to the computer. At the same time, it is becoming clear that malware authors, spammers, and phishers are learning from each other, and possibly forming various kinds of partnerships.
E-mail is an extremely cheap mass medium, and professional spammers have automated their processes to a high extent. Thus, spamming can be very profitable even at what would otherwise be considered extremely low response rates.
Instant Messaging spam, sometimes termed spim (a portmanteau of spam and IM, short for instant messenger), makes use of instant messaging systems, such as AOL Instant Messenger, ICQ or Windows Live Messenger. Many IM systems offer a user directory, including demographic information that allows an advertiser to gather the information, sign on to the system, and send unsolicited messages. To send instant messages to millions of users requires scriptable software and the recipients' IM usernames. Spammers have similarly targeted Internet Relay Chat channels, using IRC bots that join channels and bombard them with advertising.
Messenger service spam has lent itself to spammer use in a particularly circular scheme. In many cases, messenger spammers send messages to vulnerable machines consisting of text like "Annoyed by these messages? Visit this site." The link leads to a Web site where, for a fee, users are told how to disable the Windows messenger service. Though the messenger service is easily disabled for free, the scam works because it creates a perceived need and offers a solution. Often the only "annoying messages" the user receives through Messenger are ads to disable Messenger itself. The scheme frequently operates under a false identity in order to collect money or credit card numbers. Online social networks such as Myspace and Bebo are another venue where people spam or are spammed.
Chat spam can occur in any live chat environment like IRC and in-game multiplayer chat of online games, and in any other form of chat the masses are able to view. It consists of repeating the same word or sentence many times to get attention or to interfere with normal operations. It is generally considered very rude and may lead to swift exclusion of the user from the used chat service by the owners or moderators.
The application of the name "Spam" to unwanted communication originates in chat-room spam. Specifically, it was developed in the chat-rooms of People-Link in the early 1980s as a technique for getting rid of unwelcome newcomers. When someone would enter a chat-room full of friends who were in mid-conversation, and when the newcomer tried to turn the conversation in an unwelcome direction, two veteran members of the room would begin typing in the Monty Python “Spam” routine at high speed. They would fill the screen with “Spam Spam Spam eggs Spam Spam and Spam” etc., and make all other communication impossible. The other members of the room would just wait quietly until the newcomer got disgusted and moved on to a different room.
Mobile phone spam is directed at the text messaging service of a mobile phone. This can be especially irritating to customers not only for the inconvenience but also because of the fee they may be charged per text message received in some markets. The term "SpaSMS" was coined at the adnews website Adland in 2000 to describe spam SMS.
Many online games allow players to contact each other via player-to-player messaging, chatrooms, or public discussion areas. What qualifies as spam varies from game to game, but usually this term applies to all forms of message flooding, violating the terms of service contract for the website. In this context, spam is sometimes perceived as a backronym for stupid, pointless, annoying message (sometimes the A is thought to stand for anonymous).[citation needed]
Spamdexing (a portmanteau of spamming and indexing) refers to the practice on the World Wide Web of modifying HTML pages to increase the chances of them being placed high on search engine relevancy lists. These sites use "black hat search engine optimization techniques" to unfairly increase their rank in search engines. Many modern search engines have modified their search algorithms to try to exclude web pages that use spamdexing tactics.
Blog spam, or "blam" for short, is spamming on weblogs. In 2003, this type of spam took advantage of the open nature of comments in the blogging software Movable Type by repeatedly placing comments to various blog posts that provided nothing more than a link to the spammer's commercial web site.[3] Similar attacks are often performed against wikis and guestbooks, both of which accept user contributions.
Video sharing sites, such as YouTube, are now being frequently targeted by spammers. The most common technique involves people (or spambots) posting links to sites, most likely pornographic or dealing with online dating, on the comments section of random videos or people's profiles.
Another frequently used technique is using bots to post messages on random users' profiles to a spam account's channel page, along with enticing text and images, usually of a suggestive nature. These pages may include their own or other users' videos, again often suggestive. The main purpose of these accounts is to draw people to their link in the home page section of their profile.
YouTube has blocked the posting of links but people can still manage to get their message across by replacing all instances of a period with the word "dot." For instance, typing out example dot com instead of example.com bypasses the filter set in place. In addition, YouTube has implemented a CAPTCHA system that makes rapid posting of repeated comments much more difficult than before, due to abuse in the past by mass-spammers who would flood people's profiles with thousands of repetitive comments.
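A defender-side illustration of the "dot" substitution described above, added here as example code (not part of the original article): it undoes spelled-out separators before looking for domains, and treats a domain that only appears after that normalisation as a filter-evasion signal. The bracketed variants, the TLD list and the sample comments are constructed assumptions, not from the page.

```python
import re

# Constructed sample comments for this example (the article only gives
# "example dot com" as the bypass pattern).
SAMPLE_COMMENTS = [
    "great video! more at example dot com",
    "free stuff: www (dot) cheap-stuff (dot) net check it",
    "check out example[dot]org/promo now",
    "i love connecting the dots in this puzzle",
    "see http://example.com for the source",
]

# A spelled-out separator between two domain labels: "dot", "(dot)" or "[dot]",
# with optional spaces. \b keeps ordinary words such as "dots" from matching.
DOT_WORD = re.compile(
    r"(?<=[A-Za-z0-9-])\s*[(\[]?\s*\bdot\b\s*[)\]]?\s*(?=[A-Za-z0-9-])",
    re.IGNORECASE,
)

# Small TLD allow-list for the example; a real filter would use the public
# suffix list. Constructed assumption, not from the article.
TLDS = ("com", "net", "org", "info", "biz")
DOMAIN = re.compile(
    r"\b((?:[a-z0-9-]+\.)+(?:" + "|".join(TLDS) + r"))\b", re.IGNORECASE
)


def normalize_dots(text):
    """Rewrite spelled-out separators back to '.' so the domain regex can see them."""
    return DOT_WORD.sub(".", text)


def extract_domains(text):
    """All domain-looking tokens in the text, lower-cased and de-duplicated."""
    return sorted({m.group(1).lower() for m in DOMAIN.finditer(text)})


def classify(comment):
    """Links visible as written versus links that only appear after normalization.

    A domain that surfaces only after undoing the "dot" substitution is a
    stronger spam signal than a plain link: the author worked around the filter.
    """
    plain = set(extract_domains(comment))
    hidden = set(extract_domains(normalize_dots(comment))) - plain
    return {
        "plain_links": sorted(plain),
        "obfuscated_links": sorted(hidden),
        "evasion_suspected": bool(hidden),
    }


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(f"{classify(c)}  <- {c!r}")
```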
Another form of such spam is posting a message which claims to elicit an occurrence, such as an easter egg, the loss of a loved one, or being haunted by a ghost, unless a demand is met by copying and pasting the message a certain number of times within a time limit. A prime example is as follows: "Post this in 5 videos in an hour or you shall die." Such posts target the gullible, but those who are more familiar with them usually respond with derision. Some sites include a feature that allows users to mark certain comments as spam or rate unwelcome comments with a low score, with the intent that spam posts will receive a negative rating.
Yet another kind is actual video spam, giving the uploaded movie a name likely to draw attention, anything currently popular, but the video is totally unrelated, sometimes offensive, and sometimes just a video clip of nothing but the link to the spammer's site they're promoting.
E-mail and other forms of spamming have been used for purposes other than advertisements. Many early Usenet spams were religious or political. Serdar Argic, for instance, spammed Usenet with historical revisionist screeds. A number of evangelists have spammed Usenet and e-mail media with preaching messages. A growing number of criminals are also using spam to perpetrate various sorts of fraud,[4] and in some cases have used it to lure people to locations where they have been kidnapped, held for ransom, and even murdered.[5]
Experts from SophosLabs analysed spam messages caught by the spam filters of companies participating in the Sophos global spam monitoring network. They found that during the third quarter of 2007 the USA was the leading source of spam worldwide; according to Sophos, 28.4% of global spam came from the U.S. South Korea was second, contributing 5.2% of global spam.
The list of top 12 countries that spread spam around the globe is presented below:
History
It is widely believed the term spam is derived from the 1970 Monty Python SPAM sketch, set in a cafe where nearly every item on the menu includes SPAM luncheon meat. As the server recites the SPAM-filled menu, a chorus of Viking patrons drowns out all conversations with a song repeating "SPAM, SPAM, SPAM, SPAM... lovely SPAM, wonderful SPAM", hence "SPAMming" the dialogue. The excessive amount of SPAM mentioned in the sketch is a reference to British rationing during World War II.[citation needed] SPAM was one of the few meat products that avoided rationing, and hence widely available.
Although the first known instance of unsolicited commercial e-mail occurred in 1978[7] (unsolicited electronic messaging had already taken place over other media, with the first recorded instance being via telegram in May 1864[8]), the term "spam" for this practice had not yet been applied. In the 1980s the term was adopted to describe certain abusive users who frequented BBSs and MUDs, who would repeat "SPAM" a huge number of times to scroll other users' text off the screen.[9] In early chat room services like PeopleLink, and in the early days of AOL, users actually flooded the screen with quotes from the Monty Python Spam sketch. This was used as a tactic by insiders of a group that wanted to drive newcomers out of the room so the usual conversation could continue. It was also used to prevent members of rival groups from chatting -- for instance, Star Wars fans often invaded Star Trek chat rooms, filling the space with blocks of text until the Star Trek fans left.[10] This act, previously called flooding or trashing, came to be known as spamming.[11] The term was soon applied to a large amount of text broadcast by many users.
It later came to be used on Usenet to mean excessive multiple posting—the repeated posting of the same message. The unwanted message would appear in many if not all newsgroups, just as SPAM appeared in all the menu items in the Monty Python sketch. The first usage of this sense was by Joel Furr in the aftermath of the ARMM incident of March 31, 1993, in which a piece of experimental software released dozens of recursive messages onto the news.admin.policy newsgroup. This use had also become established—to spam Usenet was flooding newsgroups with junk messages. The word was also attributed to the flood of "Make Money Fast" messages that clogged many newsgroups during the 1990s.[citation needed]
Commercial spamming started in force on March 5, 1994, when a pair of lawyers, Laurence Canter and Martha Siegel, began using bulk Usenet posting to advertise immigration law services. The incident was commonly termed the "Green Card spam", after the subject line of the postings. The two went on to widely promote spamming of both Usenet and e-mail as a new means of advertisement—over the objections of Internet users they labeled "anti-commerce radicals." Within a few years, the focus of spamming (and antispam efforts) moved chiefly to e-mail, where it remains today.[12] Arguably, the aggressive email spamming by a number of high-profile spammers such as Sanford Wallace of Cyber Promotions in the mid-to-late 1990s contributed to making spam predominantly an email phenomenon in the public mind.
There are three popular false etymologies of the word "spam". The first, promulgated by Canter & Siegel themselves, is that "spamming" is what happens when one dumps a can of SPAM luncheon meat into a fan blade. The second is the backronym "shit posing as mail." The third is similar, using "stupid pointless annoying messages."[citation needed] Most suitable seems to be the Esperanto interpretation: The term spamo (with the o-ending designating nouns) makes sense as "senpete alsendita mesaĝo", which means "message being sent to someone without being asked for".
In 1998, the New Oxford Dictionary of English, which had previously only defined "spam" in relation to the trademarked food product, added a second definition to its entry for "spam": "Irrelevant or inappropriate messages sent on the Internet to a large number of newsgroups or users."[13]
Hormel Foods Corporation, the makers of SPAM luncheon meat, do not object to the Internet use of the term "spamming". However, they did ask that the capitalized word "SPAM" be reserved to refer to their product and trademark.[14] By and large, this request is obeyed in forums which discuss spam. In Hormel Foods v SpamArrest, Hormel attempted to assert its trademark rights against SpamArrest, a software company, from using the mark "spam", since Hormel owns the trademark. In a dilution claim, Hormel argued that Spam Arrest's use of the term "spam" had endangered and damaged "substantial goodwill and good reputation" in connection with its trademarked lunch meat and related products. Hormel also asserts that Spam Arrest's name so closely resembles its luncheon meat that the public might become confused, or might think that Hormel endorses Spam Arrest's products. Hormel did not prevail. Attorney Derek Newman responded on behalf of Spam Arrest: "Spam has become ubiquitous throughout the world to describe unsolicited commercial e-mail. No company can claim trademark rights on a generic term." Hormel stated on its website: "Ultimately, we are trying to avoid the day when the consuming public asks, 'Why would Hormel Foods name its product after junk email?'"[15]
Hormel also made two attempts that were dismissed in 2005 to revoke the mark "SPAMBUSTER".[16]
Hormel's Corporate Attorney Melanie J. Neumann also sent SpamCop's Julian Haight a letter on August 27, 1999 requesting that he delete an objectionable image (a can of Hormel's SPAM luncheon meat product in a trash can), change references to UCE spam to all lower case letters, and confirm his agreement to do so.[17]
The European Union's Internal Market Commission estimated in 2001 that "junk e-mail" cost Internet users €10 billion per year worldwide.[18]
The California legislature found that spam cost United States organizations alone more than $13 billion in 2007, including lost productivity and the additional equipment, software, and manpower needed to combat the problem.[19]
Spam's direct effects include the consumption of computer and network resources, and the cost in human time and attention of dismissing unwanted messages. In addition, spam has costs stemming from the kinds of spam messages sent, from the ways spammers send them, and from the arms race between spammers and those who try to stop or control spam. There is also the opportunity cost borne by those who forgo the use of spam-afflicted systems. Alongside these direct costs are the indirect costs borne by the victims, both those related to the spamming itself and those of the other crimes that usually accompany it, such as financial theft, identity theft, data and intellectual property theft, virus and other malware infection, child pornography, fraud, and deceptive marketing.
The cost to providers of search engines is not insignificant:
"The secondary consequence of spamming is that search engine indexes are inundated with useless pages, increasing the cost of each processed query."[1]
The methods of spammers are likewise costly. Because spamming contravenes the vast majority of ISPs' acceptable-use policies, most spammers have for many years gone to some trouble to conceal the origins of their spam. E-mail, Usenet, and instant-message spam are often sent through insecure proxy servers belonging to unwilling third parties. Spammers frequently use false names, addresses, phone numbers, and other contact information to set up "disposable" accounts at various Internet service providers. In some cases, they have used falsified or stolen credit card numbers to pay for these accounts. This allows them to quickly move from one account to the next as each one is discovered and shut down by the host ISPs.
The costs of spam also include the collateral costs of the struggle between spammers and the administrators and users of the media threatened by spamming.[20]
Many users are bothered by spam because it impinges upon the amount of time they spend reading their e-mail. Many also find the content of spam frequently offensive, in that pornography is one of the most frequently advertised products. Spammers send their spam largely indiscriminately, so pornographic ads may show up in a work place e-mail inbox—or a child's, the latter of which is illegal in many jurisdictions. Recently, there has been a noticeable increase in spam advertising websites that contain child pornography.
Some spammers argue that most of these costs could potentially be alleviated by having spammers reimburse ISPs and individuals for their material.[citation needed] There are two problems with this logic: first, the rate of reimbursement they could credibly budget is not nearly high enough to pay the direct costs; and second, the human cost (lost mail, lost time, and lost opportunities) is basically unrecoverable.
E-mail spam exemplifies a tragedy of the commons: spammers use resources (both physical and human), without bearing the entire cost of those resources. In fact, spammers commonly do not bear the cost at all. This raises the costs for everyone. In some ways spam is even a potential threat to the entire e-mail system, as operated in the past.
Since e-mail is so cheap to send, a tiny number of spammers can saturate the Internet with junk mail. Although only a tiny percentage of their targets are motivated to purchase their products (or fall victim to their scams), the low cost may provide a sufficient conversion rate to keep the spamming alive. Furthermore, even though spam appears not to be economically viable as a way for a reputable company to do business, it suffices for professional spammers to convince a tiny proportion of gullible advertisers that it is viable for those spammers to stay in business. Finally, new spammers go into business every day, and the low costs allow a single spammer to do a lot of harm before finally realizing that the business is not profitable.
Some companies and groups "rank" spammers; spammers who make the news are sometimes referred to by these rankings. The secretive nature of spamming operations makes it difficult to determine how proliferated an individual spammer is, thus making the spammer hard to track, block or avoid. Also, spammers may target different networks to different extents, depending on how successful they are at attacking the target. Thus considerable resources are employed to actually measure the amount of spam generated by a single person or group. For example, victims that use common antispam hardware, software or services provide opportunities for such tracking. Nevertheless, such rankings should be taken with a grain of salt.
General costs of spam
In all cases listed above, including both commercial and non-commercial, "spam happens" due to a positive cost-benefit analysis result.
Cost is the combination of
Overhead: The costs and overhead of electronic spamming include bandwidth, developing or acquiring an email/wiki/blog spam tool, taking over or acquiring a host/zombie, etc.
Transaction cost: The incremental cost of contacting each additional recipient once a method of spamming is constructed, multiplied by the number of recipients. (see CAPTCHA as a method of increasing transaction costs)
Risks: Chance and severity of legal and/or public reactions, including damages and punitive damages
Damage: Impact on the community and/or communication channels being spammed (see Newsgroup spam)
Benefit is the total expected profit from spam, which may include any combination of the commercial and non-commercial reasons listed above. It is normally linear, based on the incremental benefit of reaching each additional spam recipient, combined with the conversion rate.
Spam is prevalent on the Internet because the transaction cost of electronic communications is radically less than any alternate form of communication, far outweighing the current potential losses, as seen by the amount of spam currently in existence. Spam continues to spread to new forms of electronic communication as the gain (number of potential recipients) increases to levels where the cost/benefit becomes positive. Spam has most recently evolved to include wikispam and blogspam as the levels of readership increase to levels where the overhead is no longer the dominating factor. According to the above analysis, spam levels will continue to increase until the cost/benefit analysis is balanced[citation needed].
In Crime
Spam can be used to spread computer viruses, trojan horses or other malicious software. The objective may be identity theft, or worse (e.g. advance fee fraud). Some spam attempts to capitalise on human greed, while other spam exploits the victim's inexperience with computer technology to trick them (e.g. phishing, vishing).
On May 31st, 2007, one of the world's most prolific spammers, 27-year-old Robert Alan Soloway, was arrested by federal authorities. Described as one of the top 10 spammers in the world, Soloway is charged with 35 counts, including mail fraud, wire fraud, e-mail fraud, aggravated identity theft and money laundering. Prosecutors allege that Soloway used millions of "zombie" computers to distribute millions of spam e-mails in 2003. The computers are called "zombies" because their owners are not aware that they are being used for malicious activity. This is the first case in which federal prosecutors used identity theft laws to prosecute a spammer for taking over someone else’s internet domain name.[1]
Scammers developed software that displays an attractive blonde woman who promises a striptease if the user enters a CAPTCHA code, the kind often required to tell humans from computers. After the code had been entered several times the woman still had not removed all her clothes; instead, the program simply restarted. Trend Micro researchers are worried that the scam will be used to attack financial institutions that rely on the CAPTCHA safeguard.[23]
Political issues
Spamming remains a hot discussion topic. In 2004, the seized Porsche of an indicted spammer was advertised on the Internet;[2] this revealed the extent of the financial rewards available to those who are willing to commit duplicitous acts online. However, some of the possible means used to stop spamming may lead to other side effects, such as increased government control over the Internet, loss of privacy, barriers to free expression, and the commercialization of e-mail.[citation needed]
One of the chief values favored by many long-time Internet users and experts, as well as by many members of the public, is the free exchange of ideas. Many have valued the relative anarchy of the Internet, and bridle at the idea of restrictions placed upon it.[citation needed] A common refrain from spam-fighters is that spamming itself abridges the historical freedom of the Internet, by attempting to force users to carry the costs of material which they would not choose.[citation needed]
An ongoing concern expressed by parties such as the Electronic Frontier Foundation and the ACLU has to do with so-called "stealth blocking", a term for ISPs employing aggressive spam blocking without their users' knowledge. These groups' concern is that ISPs or technicians seeking to reduce spam-related costs may select tools which (either through error or design) also block non-spam e-mail from sites seen as "spam-friendly". SPEWS is a common target of these criticisms. Few object to the existence of these tools; it is their use in filtering the mail of users who are not informed of their use which draws fire.[citation needed]
Some see spam-blocking tools as a threat to free expression—and laws against spamming as an untoward precedent for regulation or taxation of e-mail and the Internet at large. Even though it is possible in some jurisdictions to treat some spam as unlawful merely by applying existing laws against trespass and conversion, some laws specifically targeting spam have been proposed. In 2004, the United States passed the CAN-SPAM Act of 2003 which provided ISPs with tools to combat spam. This act allowed Yahoo! to successfully sue Eric Head, reportedly one of the biggest spammers in the world, who settled the lawsuit for several thousand U.S. dollars in June 2004. But the law is criticized by many for not being effective enough. Indeed, the law was supported by some spammers and organizations which support spamming, and opposed by many in the antispam community. Examples of effective anti-abuse laws that respect free speech rights include those in the U.S. against unsolicited faxes and phone calls, and those in Australia and a few U.S. states against spam.[citation needed]
In November 2004, Lycos Europe released a screensaver called make LOVE not SPAM which made Distributed Denial of Service attacks on the spammers themselves. It met with a large amount of controversy and the initiative ended in December 2004.
RAT
A remote administration tool (RAT) is used to connect to and manage one or more computers remotely with a variety of functions, such as:
Screen/camera capture or control
File management (download/upload/execute/etc.)
Shell control (usually piped from command prompt)
Computer control (power off/on/log off)
Registry management (query/add/delete/modify)
Other product-specific functions
Direct Connection
A direct-connect RAT is a simple setup in which the client connects directly to one or more servers. Stable servers are multi-threaded, allowing multiple clients to be connected and increasing reliability. The diagram below illustrates the concept.
Reverse connection RATs are a new technology that came around about the same time that routers became popular. A few advantages of a reverse-connection RAT are listed below:
No problems with routers blocking incoming data, because the server initiates the connection outbound
Allows for mass-updating of servers by broadcasting commands, because many servers can easily connect to a single client.
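Because a reverse-connection RAT's infected hosts initiate the connection themselves and keep reconnecting, a defender's leverage is the outbound connection log rather than the router's inbound filter. The following added example (not from the original text) finds (source, destination, port) flows that reconnect at a near-constant interval and then groups them by destination, the many-servers-to-one-client shape described above; the log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (firewall style). 10.0.0.x stands for the
# internal network; 203.0.113.x and 198.51.100.x are documentation ranges used
# here as stand-ins for external hosts. None of this is from the article.
SAMPLE_LOG = [
    # 10.0.0.5 reconnects to 203.0.113.7:443 exactly every 60 s (beacon)
    "2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-01-01T10:01:00Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-01-01T10:02:00Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-01-01T10:03:00Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-01-01T10:04:00Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-01-01T10:05:00Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    # 10.0.0.9 reconnects to the same endpoint with a few seconds of jitter
    "2024-01-01T10:00:10Z src=10.0.0.9 dst=203.0.113.7 dport=443",
    "2024-01-01T10:01:08Z src=10.0.0.9 dst=203.0.113.7 dport=443",
    "2024-01-01T10:02:12Z src=10.0.0.9 dst=203.0.113.7 dport=443",
    "2024-01-01T10:03:09Z src=10.0.0.9 dst=203.0.113.7 dport=443",
    "2024-01-01T10:04:11Z src=10.0.0.9 dst=203.0.113.7 dport=443",
    "2024-01-01T10:05:10Z src=10.0.0.9 dst=203.0.113.7 dport=443",
    # 10.0.0.12 browses a web server at irregular, human-looking intervals
    "2024-01-01T10:00:05Z src=10.0.0.12 dst=198.51.100.20 dport=443",
    "2024-01-01T10:00:07Z src=10.0.0.12 dst=198.51.100.20 dport=443",
    "2024-01-01T10:02:40Z src=10.0.0.12 dst=198.51.100.20 dport=443",
    "2024-01-01T10:09:00Z src=10.0.0.12 dst=198.51.100.20 dport=443",
    "2024-01-01T10:09:03Z src=10.0.0.12 dst=198.51.100.20 dport=443",
    "2024-01-01T10:15:00Z src=10.0.0.12 dst=198.51.100.20 dport=443",
    # too few connections to judge either way
    "2024-01-01T10:00:30Z src=10.0.0.5 dst=198.51.100.20 dport=80",
    "2024-01-01T10:03:45Z src=10.0.0.5 dst=198.51.100.20 dport=80",
]


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, src, dst, dport)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["src"], kv["dst"], int(kv["dport"])


def find_beacons(lines, min_connections=5, max_cv=0.15):
    """Return (src, dst, dport) flows that reconnect at a near-constant interval.

    The coefficient of variation (stdev / mean) of the inter-connection gaps is
    close to 0 for a timer-driven reconnect loop and large for human activity.
    """
    by_flow = defaultdict(list)
    for line in lines:
        when, src, dst, dport = parse_line(line)
        by_flow[(src, dst, dport)].append(when)

    beacons = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()                       # logs are not guaranteed to be ordered
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:                    # every connection in the same second
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "count": len(times), "period_s": round(period),
                            "cv": round(cv, 3)})
    return beacons


def find_shared_controllers(beacons, min_hosts=2):
    """Group beacons by endpoint: several internal hosts calling home to the
    same external address:port is the many-servers-to-one-client shape."""
    hosts = defaultdict(set)
    for b in beacons:
        hosts[(b["dst"], b["dport"])].add(b["src"])
    return {ep: sorted(srcs) for ep, srcs in hosts.items() if len(srcs) >= min_hosts}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for b in found:
        print(f"beacon: {b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']}s (cv={b['cv']})")
    for (dst, dport), srcs in find_shared_controllers(found).items():
        print(f"shared controller candidate {dst}:{dport} contacted by {', '.join(srcs)}")
```

Tune min_connections and max_cv to the log window and the jitter typical of your environment; a very low threshold also catches legitimate agents (NTP, update checkers), so the shared-endpoint grouping is what separates a fleet of callbacks from one noisy service.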
RAT Trojan Horses
Many trojans and backdoors now have remote administration capabilities allowing an individual to control the victim's computer. Many times a file called the server must be opened on the victim's computer before the Trojan can have access to it. These are generally sent through email, P2P file sharing software, and in internet downloads. They are usually disguised as a legitimate program or file. Many server files display a fake error message when opened, to make it seem as if the file did not run. Some also kill antivirus and firewall software. RAT Trojans can generally do the following:
Download, upload, delete, and rename files
Format drives
Open CD-ROM tray
Drop viruses and worms
Log keystrokes
Steal passwords and credit card numbers
Hijack homepage
View screen
View, kill, and start tasks in task manager
Hide desktop icons, taskbar and files
Print text
Play sounds
Randomly move and click mouse
Record sound with a connected microphone
Record video with a connected webcam
Some RAT Trojans are pranks, most likely controlled by a friend or enemy on April Fools' Day or a holiday. Prank RATs are generally not harmful, and won't log keystrokes or steal data. They usually do whimsical things like flip the screen upside-down, open the CD-ROM tray, and swap mouse buttons. However, they can be quite hard to remove.
Popular RAT Trojans
ProRat
AutoSpY
Nuclear RAT
Amitus
Bandook
Bifrost
Poison Ivy
Optix.Pro
Kleptography
Kleptography is the study of stealing information securely and subliminally. Kleptography is a natural extension of the theory of subliminal channels.[1]
Kleptography was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology---Crypto '96. A kleptographic attack is a forward-engineering attack that is built into a cryptosystem or cryptographic protocol. The attack constitutes an asymmetric backdoor that is built into a smartcard, dynamically linked library, computer program, etc. The attacker that plants the backdoor has the exclusive ability to use the backdoor. In other words, even if the full specification of the backdoor is published, only the attacker can use it. Furthermore, the outputs of the infected cryptosystem are computationally indistinguishable from the outputs of the corresponding uninfected cryptosystem. So, in black-box implementations (e.g., smartcards) the attack may go entirely unnoticed. The asymmetry ensures that a well-funded reverse-engineer can at most detect the asymmetric backdoor but not use it.
In contrast, a traditional, more common backdoor is called a symmetric backdoor. Anyone that finds the symmetric backdoor can in turn use it.
Kleptographic attacks have been designed for RSA key generation, the Diffie-Hellman key exchange, the Digital Signature Algorithm, and other cryptographic algorithms and protocols. The attacker is able to compromise said cryptographic algorithms and protocols by inspecting the information (if available) that the backdoor information is encoded in (e.g., the public key, the digital signature, the key exchange messages, etc.) and then exploiting the logic of the asymmetric backdoor using his or her secret key (usually a private key).
Kleptography is a subfield of Cryptovirology since an asymmetric backdoor is a form of cryptotrojan. Related fields include Cryptology and Steganology. Kleptography extends the theory of subliminal channels that was pioneered by Gus Simmons [Si84,Si85,Si93].
Backdoor (computing)
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
Overview
The threat of backdoors surfaced when multiuser and networked operating systems became widely adopted. Petersen and Turn discussed computer subversion in a paper published in the proceedings of the 1967 AFIPS Conference.[1] They noted a class of active infiltration attacks that use "trapdoor" entry points into the system to bypass security facilities and permit direct access to data. The use of the word trapdoor here clearly coincides with more recent definitions of a backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning. More generally, such security breaches were discussed at length in a RAND Corporation task force report published under ARPA sponsorship by J.P. Anderson and D.J. Edwards in 1970.[2]
A backdoor in a login system might take the form of a hard-coded user and password combination which gives access to the system. A famous example of this sort of backdoor was used as a plot device in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hard-coded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode).
An attempt to plant a backdoor in the Linux kernel, exposed in November 2003, showed how subtle such a code change can be.[3] In this case a two-line change appeared to be a typographical error, but actually gave the caller to the sys_wait4 function root access to the system.[4]
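The kind of change described above, as an added example that is not the kernel's code and not the 2003 diff: a constructed routine in which a single character turns a comparison into an assignment on a privilege field, beside a hardened form of the same check. The struct, field name, option constant and function names are made up for illustration.

```c
#include <stdio.h>

/* Constructed illustration (not the 2003 kernel diff): a privilege field on a
 * caller record and a check that is supposed to reject a root caller when a
 * particular option combination is passed. Names and values are made up. */
struct caller {
    unsigned int uid;     /* 0 means root, as on Unix */
};

#define ROOT_UID 0u
#define SPECIAL_OPTS 3    /* arbitrary option bitmask for the example */

/* Backdoored form. `t->uid = ROOT_UID` is an assignment, not a comparison:
 * it stores 0 into the caller's uid and evaluates to 0, so the branch never
 * fires and the function "succeeds" with the caller silently made root.
 * The extra parentheses around the assignment are what silence gcc's and
 * clang's -Wparentheses, which is why this reads as a typo in review rather
 * than being caught by the compiler. */
int check_opts_backdoored(struct caller *t, int options)
{
    if ((options == SPECIAL_OPTS) && (t->uid = ROOT_UID))
        return -1;
    return 0;
}

/* Hardened form. Two cheap guards turn the one-character slip into a compile
 * error instead of a silent escalation: the record is passed as const, so no
 * write to t->uid compiles, and the constant sits on the left so that
 * `ROOT_UID = t->uid` is rejected as an assignment to an rvalue. */
int check_opts_fixed(const struct caller *t, int options)
{
    if ((options == SPECIAL_OPTS) && (ROOT_UID == t->uid))
        return -1;
    return 0;
}

/* uid left on an ordinary caller after each variant runs with the trigger. */
unsigned int uid_after_backdoored(void)
{
    struct caller c = { .uid = 1000 };
    check_opts_backdoored(&c, SPECIAL_OPTS);
    return c.uid;                         /* 0: escalated */
}

unsigned int uid_after_fixed(void)
{
    struct caller c = { .uid = 1000 };
    check_opts_fixed(&c, SPECIAL_OPTS);
    return c.uid;                         /* 1000: unchanged */
}

/* The fixed check still does its intended job: a genuine root caller passing
 * the trigger options is refused. */
int fixed_rejects_root(void)
{
    struct caller root = { .uid = ROOT_UID };
    return check_opts_fixed(&root, SPECIAL_OPTS);   /* -1 */
}

int main(void)
{
    printf("backdoored check leaves uid = %u\n", uid_after_backdoored());
    printf("fixed check leaves uid      = %u\n", uid_after_fixed());
    printf("fixed check on root returns  %d\n", fixed_rejects_root());
    return 0;
}
```

Build it with `cc -Wall` and note that the backdoored function compiles without a warning; the review lesson is that an assignment wrapped in its own parentheses inside a condition deserves a second look, and that const parameters and constant-on-the-left comparisons make the slip impossible to commit.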
Although the number of backdoors in systems using proprietary software (that is, software whose source code is not readily available for inspection) is not widely credited, they are nevertheless periodically (and frequently) exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission.
It is also possible to create a backdoor without modifying the source code of a program, or even its binary after compilation. This can be done by rewriting the compiler so that it recognizes, during compilation, code that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).
Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer (generally a PC on broadband running insecure versions of Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures — and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.
A traditional backdoor is a symmetric backdoor: anyone who finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks has been termed kleptography; they can be carried out in software, hardware (for example, smartcards), or a combination of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology.
There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by Young and Yung, utilizes a twisted pair of elliptic curves, and has been made available.
Ken Thompson's Reflections on Trusting Trust[5] was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.
Thompson's paper described a modified version of the Unix C compiler that would:
Put an invisible backdoor in the Unix login command when compiled, and as a twist
Also add this feature undetectably to future compiler versions upon their compilation as well.
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was never released into the wild. It was released to a sibling Bell Labs organization as a test case; they never found the attack.[citation needed]
In theory, once a system has been compromised with a backdoor or Trojan horse, such as the Trusting Trust compiler, there is no way for the "rightful" user to regain control of the system. However, several practical weaknesses in the Trusting Trust scheme have been suggested. (For example, a sufficiently motivated user could painstakingly review the machine code of the untrusted compiler before using it. As mentioned above, there are ways to counter this attack, such as subverting the disassembler; but there are ways to counter that defense, too, such as removing the hard disk and physically examining the program's binary disk image — security is always a metaphorical arms race.)
Botnet is a jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of "zombie" computers controlled remotely by hackers. This can also refer to the network of computers using distributed computing software.
While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised computers (called zombie computers) running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping".
Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections, ranging from dial-up, ADSL and cable, and a variety of network types, including educational, corporate, government and even military networks. Sometimes, a controller will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently, as most script kiddies do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet[1] and the Norwegian ISP Telenor disbanded a 10,000-node botnet.[2] Large coordinated international efforts to shut down botnets have also been initiated.[3] It has been estimated that up to one quarter of all personal computers connected to the internet are part of a botnet.[4]
Organization
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers who consider themselves as having legitimate access to a group of bots. Such controllers rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships. Often conflicts will occur between the controllers as to who gets the individual rights to which machines, and what sorts of actions they may or may not permit.
Formation and exploitation
Using a botnet to send spam
This example illustrates how a botnet is created and used to send email spam.
A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a trojan application -- the bot.
The bot on the infected PC logs into a particular IRC server (or in some cases a web server). That server is known as the command-and-control server (C&C).
A spammer purchases access to the botnet from the operator.
The spammer sends instructions via the IRC server to the infected PCs, causing them to send out spam messages to mail servers.
Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines, like university, corporate, and even government machines.[citation needed]
Botnet lifecycle
Bot-herder configures initial bot parameters such as infection vectors, payload, stealth, C&C details
Register DDNS
Bot-herder launches or seeds new bot(s)
Bots spreading -- growing
Losing bots to other botnets
Stasis -- not growing
Abandon botnet and sever traces
Unregister DDNS
Single bot's lifecycle
Establish C&C
Scanning for vulnerable targets to install bots
Take-down
Recovery from take-down
Upgrade with new bot code
Idle
Types of attacks
Denial-of-service attack, where multiple systems autonomously access a single Internet system or service in a way that appears legitimate but far more frequently than normal use, causing the system to become busy.
Adware exists to advertise some commercial entity actively and without the user's permission or awareness.
Spyware is software which sends information to its creators about a user's activities.
E-mail spam consists of e-mail messages disguised as messages from people, but which are actually advertising, annoying, or malicious in nature.
Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.
Preventive measures
If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS Fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from Passive OS Fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.
Some botnets use free DNS hosting services such as DynDns.org, No-IP.com and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points, often hard-coded into the botnet executable. Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually direct the offending subdomains to an inaccessible IP address.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one were to find one server with one botnet channel, often all other servers, as well as the bots themselves, would be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decide on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that the discovery of one channel will not lead to disruption of the botnet.
Several security companies such as Symantec, Trend Micro, FireEye, Simplicita and Damballa have announced offerings to stop botnets. While some, like Norton Anti-Bot (aka Sana Security), are aimed at consumers, most are aimed at protecting enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional antivirus. Network-based approaches tend to use the techniques described above: shutting down C&C servers, null-routing (re-directing) DNS entries, or completely shutting down IRC servers.
Newer botnets are almost entirely P2P, with command and control embedded into the botnet itself, and the single point of failure being a domain name - often registered with obscure registrars that may lack policies, and with stolen credit cards and fake identities.
Zombie computer
A zombie computer (often abbreviated as zombie) is a computer attached to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a "botnet", and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the infection tends to go unnoticed by the owner, these computers are metaphorically compared to zombies.
Figure legend: (1) Spammer's web site, (2) Spammer, (3) Spamware, (4) Infected computers, (5) Virus or trojan, (6) Mail servers, (7) Users, (8) Web traffic.
Zombies have been used extensively to send e-mail spam; as of 2005, an estimated 50–80% of all spam worldwide was sent by zombie computers.[1] This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth.
For similar reasons zombies are also used to commit click fraud against sites displaying pay per click advertising. Others can host phishing or money mule recruiting websites.
Zombies have also conducted distributed denial of service attacks, such as the attack upon the SPEWS service in 2003, and the one against the Blue Frog service in 2006. In 2000, several prominent Web sites (Yahoo, eBay, etc.) were clogged to a standstill by a distributed denial of service attack mounted by a Canadian teenager. An attack on grc.com is discussed at length, and the perpetrator, a 13-year-old probably from Kenosha, Wisconsin, was identified on the Gibson Research Web site. Steve Gibson disassembled a 'bot' which was a zombie used in the attack, and traced it to its distributor. In his clearly written account of his research, he describes the operation of a bot-controlling IRC channel.
An open proxy is a proxy server which is accessible by any Internet user.
Generally, a proxy server allows users within a network group to store and forward internet services such as DNS or web pages so that the bandwidth used by the group is reduced and controlled. With an "open" proxy, however, any user on the Internet is able to use this forwarding service.
By using some open proxies (the so-called "anonymous" open proxies), users can conceal their true IP address from the accessed service, and this is sometimes used to abuse or interrupt that service, potentially violating its terms of service or the law; open proxies are therefore often seen as a problem. However, anonymous open proxies are also used to increase anonymity or security when browsing the web or using other internet services: a user's true IP address can be used to deduce information about that user and to hack into his or her computer. Furthermore, open proxies can be used to circumvent efforts at Internet censorship by governments or organizations. Several web sites exist which provide constantly updated lists of open proxies.[1]
It is possible for a computer to be running an open proxy server without knowledge of the computer's owner. This can be the result of misconfiguration of proxy software running on the computer, or of infection with malware (viruses, trojans or worms) designed for this purpose.
Many open proxies run very slowly, sometimes below 14400 baud (14.4 kbit/s), or even below 300 baud, while other times the speed may change from fast to slow every minute. Some, such as PlanetLab proxies, run faster and were intentionally set up for public use.
Because open proxies are often implicated in abuse, a number of methods have been developed to detect them and to refuse service to them. IRC networks with strict usage policies automatically test client systems for known types of open proxies.[2] Likewise, a mail server may be configured to automatically test mail senders for open proxies, using software such as proxycheck.[3] Increasingly, mail servers are configured out of the box to consult various DNSBL servers in order to block spam; some of those DNSBLs also list open proxies.
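How the DNSBL consultation mentioned above works, as an added example that is neither the article's code nor that of any mail server or list operator: the client's IPv4 octets are reversed and prefixed to the list's zone, and an A record inside 127.0.0.0/8 in the answer means "listed". The zone name `dnsbl.example`, the in-memory zone table and the listed addresses (documentation ranges) are all constructed here so the program runs offline; a real deployment would resolve the same query name with `getaddrinfo()`.

```c
#include <stdio.h>
#include <string.h>

/* Added example: how a mail server consults a DNSBL for a connecting client.
 * The query name is the client's IPv4 octets in reverse order, prefixed to
 * the list's zone; a listed address answers with an A record inside
 * 127.0.0.0/8, an unlisted one gets NXDOMAIN. The resolver below is a
 * constructed in-memory table so this runs offline; real code would call
 * getaddrinfo() on the same query name. "dnsbl.example" is a placeholder
 * zone and the listed addresses are documentation ranges, not real data. */

#define DNSBL_ZONE "dnsbl.example"

/* Build "d.c.b.a.<zone>" for the dotted quad a.b.c.d.
 * Returns 0 on success, -1 if ip is not a well-formed IPv4 address or the
 * output buffer is too small. */
int dnsbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    unsigned int o[4];
    char extra;
    if (sscanf(ip, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &extra) != 4)
        return -1;                       /* too few octets or trailing junk */
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return -1;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], zone);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Only an answer inside 127.0.0.0/8 counts as a listing. A list whose domain
 * has lapsed and been parked may wildcard every query to some public IP;
 * treating that as a listing would reject all incoming mail. */
int dnsbl_answer_is_listing(const char *answer)
{
    unsigned int o[4];
    char extra;
    if (sscanf(answer, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &extra) != 4)
        return 0;
    return o[0] == 127 && o[1] <= 255 && o[2] <= 255 && o[3] <= 255;
}

/* Constructed stand-in for the DNS zone: query name -> A record. */
struct fake_rr { const char *name; const char *a; };
static const struct fake_rr FAKE_ZONE[] = {
    { "1.2.0.192.dnsbl.example",   "127.0.0.2" },  /* 192.0.2.1 listed   */
    { "8.113.0.203.dnsbl.example", "127.0.0.4" },  /* 203.0.113.8 listed */
    { "9.113.0.203.dnsbl.example", "10.9.8.7"  },  /* bogus non-127 answer */
};

/* Stand-in for the lookup: the A record, or NULL for NXDOMAIN. */
static const char *fake_resolve(const char *qname)
{
    for (size_t i = 0; i < sizeof FAKE_ZONE / sizeof FAKE_ZONE[0]; i++)
        if (strcmp(FAKE_ZONE[i].name, qname) == 0)
            return FAKE_ZONE[i].a;
    return NULL;
}

/* Decision for a connecting client: 1 = reject (listed), 0 = accept. */
int dnsbl_should_reject(const char *client_ip)
{
    char qname[256];
    if (dnsbl_query_name(client_ip, DNSBL_ZONE, qname, sizeof qname) != 0)
        return 0;                        /* malformed address: nothing to look up */
    const char *a = fake_resolve(qname);
    return a != NULL && dnsbl_answer_is_listing(a);
}

/* The query name a client would produce, in a static buffer, for inspection;
 * empty string if the address is malformed. */
const char *dnsbl_query_name_for(const char *client_ip)
{
    static char qname[256];
    if (dnsbl_query_name(client_ip, DNSBL_ZONE, qname, sizeof qname) != 0)
        return "";
    return qname;
}

int main(void)
{
    const char *clients[] = { "192.0.2.1", "192.0.2.2", "203.0.113.8",
                              "203.0.113.9", "999.1.1.1" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-12s %-26s -> %s\n", clients[i], dnsbl_query_name_for(clients[i]),
               dnsbl_should_reject(clients[i]) ? "reject (listed)" : "accept");
    return 0;
}
```

The third table entry is the case worth keeping in mind: an answer outside 127.0.0.0/8 is treated as "not listed", so a list that goes dark or gets parked fails open rather than blocking every sender.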
A closed proxy is one that is only accessible to specific individuals. It is possible to use someone else's computer in order to hide one's identity and/or location.