Spyware messenger spammers

  • Thread starter Lloyd From Brisbane

Lloyd From Brisbane

OK, so I've been getting the Messenger spam for www.spw3e.com,
www.spw4.com, www.spw8.com etc etc spammers for a while. Spamslammer
logs & larts (hey, somebody's gotta hit them where it hurts). This
time they're on worldpath.net, but have fake domain info pointing to
Aliant.CA as the host (which they aren't). Larting worldpath is about
as effective as chopping down a tree with a toothpick, so upstream to
MCI/Alter. MCI comes back saying that the origin of the messages is
127.0.0.1 so since I'm sending them to myself, they won't shut down
the website. They say I must have a virus or spyware that's doing it,
but my scans turn up nothing. Getting a process explorer to look
further into my instances of svchost but pretty sure my system is
clean.

Now the fact that as they've been booted off of ISP after ISP in the
past and the ad morphs to reflect the change in domain name suggests
that it is real messenger spam, but the question here is, are there
virii out there that contact some home base, get a current version of
an ad, then use the local messenger service to send the ad to the
user's own machine (and possibly others)? The volume of comcast spam
suggests zombied machines are spewing email everywhere, so why not
messenger spam too? If so, are users really spamming themselves
because of spyware and if people are sending it to themselves
unwittingly, does that mean the spammer who propagated the spyware
should not have his site taken down?

Seems to me that if they're executing unauthorized code on people's
machines to promote their "you are infected, please pay us to make it
go away" extortion racket, it might be a federal offense in the US,
even though the virus is acting on the victim's own machine both in
the US and overseas.

Thoughts?

LFB
 

Steve

LFB:

Here is an easy way to disable Messenger:

http://grc.com/stm/shootthemessenger.htm

Good luck,

Steve
 

Bill Cole

OK, so I've been getting the Messenger spam for www.spw3e.com,
www.spw4.com, www.spw8.com etc etc spammers for a while. Spamslammer
logs & larts (hey, somebody's gotta hit them where it hurts). This
time they're on worldpath.net, but have fake domain info pointing to
Aliant.CA as the host (which they aren't). Larting worldpath is about
as effective as chopping down a tree with a toothpick, so upstream to
MCI/Alter. MCI comes back saying that the origin of the messages is
127.0.0.1 so since I'm sending them to myself, they won't shut down
the website. They say I must have a virus or spyware that's doing it,
but my scans turn up nothing. Getting a process explorer to look
further into my instances of svchost but pretty sure my system is
clean.

If the origin of those messages really is 127.0.0.1, your machine cannot
be clean. You may not immediately recognize what you have as a problem,
but packets from 127.0.0.1 can't travel over the Internet with any sort
of reliability. Any sanely configured network device drops such packets
arriving over a wire to the world.

Now the fact that as they've been booted off of ISP after ISP in the
past and the ad morphs to reflect the change in domain name suggests
that it is real messenger spam, but the question here is, are there
virii out there that contact some home base, get a current version of
an ad, then use the local messenger service to send the ad to the
user's own machine (and possibly others)?

There are infestations of many types that do that. Whether they get
called spyware, adware, viruses, or worms depends on who you ask and
who the authors have sweet-talked. The commercial AV vendors will rarely
call any software that has a known commercial author by any of the usual
names like 'virus' 'trojan' or 'worm.'

Note that some programs that people intentionally load are given away by
their developers for free because they have adware or spyware components
that are used to support development. Gator, Kazaa, and others have used
that model with varying levels of transparency about what they are
doing. On the high end of that scale you have Qualcomm offering a
'Sponsored' version of Eudora that has a little ad window that has to be
open all the time, and Microsoft requiring activation for XP, which is
most easily done by letting XP communicate freely with the scum in
Redmond when it is installed.

The volume of comcast spam
suggests zombied machines are spewing email everywhere, so why not
messenger spam too? If so, are users really spamming themselves
because of spyware and if people are sending it to themselves
unwittingly, does that mean the spammer who propagated the spyware
should not have his site taken down?

I think so, but I don't make or enforce the rules for any ISP presently,
and have no desire to ever do so again...

Seems to me that if they're executing unauthorized code on people's
machines to promote their "you are infected, please pay us to make it
go away" extortion racket, it might be a federal offense in the US,
even though the virus is acting on the victim's own machine both in
the US and overseas.

Thoughts?

It certainly sounds like you have some sort of spyware/adware on your
machine.

The best solution, although an extreme one, is to stop running Windows
and switch to some operating system with a non-ridiculous security model
and track record. There is no other OS where such malware is an actual
problem, particularly if you're not running a server. Just about all of
the reasonable alternatives for a desktop machine today are modeled on
or derived from Unix: MacOS, Linux, FreeBSD, Solaris.

If you are not willing to give up on the garbageware OS from Redmond,
you have a more complex problem. Start by acquiring and updating at
least 2 different anti-virus programs (I have no positive
recommendations, but F-Prot, Norton, and McAfee seem to not suck too
much) and at least 2 different anti-spyware programs (I like AdAware and
Spybot, both of which are free.) Once you have those loaded and updated,
remove your system from the network and start scanning it. Some of the
particularly nasty trojans will notice and kill off certain scanning
programs, and others include network backdoors that are effectively
remote control systems, making it possible for the remote controller to
stop any scan you are doing. Anything that is found by any of those
programs should be examined and considered very closely, and for the AV
programs there is virtually no danger in having them whack anything they
find. For the spyware scanners, things are a little different. If you
use software that happens to also have an adware component, you need to
decide whether the use you make of the software is worth the ads.

As for safety measures, it's back to the first suggestion: dump Windows.
If you can't or won't do that, at least dump the garbage that MS
provides for using the Internet, Internet Explorer and Outlook Express.
Together they have formed the route for most of the persistent malware
infections of non-server machines, and unless you are willing and able
to dig deeply into the details of their security configuration and
disable default behaviors in about a dozen areas, you will remain at
risk from them. Safer and otherwise better alternatives exist, despite
all of the best efforts of MS to kill them.
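The loopback argument in the post above, as an added example that is not code from the thread or from Spamslammer: a small Python triage over constructed log lines (the log format is assumed) that classifies each popup's reported source address, so that a 127.0.0.1 origin is flagged as something only a process on the local machine could have sent.

```python
import ipaddress
import re

# Constructed Spamslammer-style log lines (the real log format is assumed, not known).
SAMPLE_LOG = """\
2004-03-02 10:14:07 messenger popup from 127.0.0.1 advertising www.spw3e.com
2004-03-02 10:21:55 messenger popup from 192.168.1.20 advertising www.spw4.com
2004-03-02 10:40:12 messenger popup from 203.0.113.45 advertising www.spw8.com
2004-03-02 11:02:30 messenger popup from 0.0.0.0 advertising www.spw3e.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) messenger popup from (?P<src>\S+) advertising (?P<site>\S+)$"
)

# Ranges that are routable only inside a LAN (RFC 1918) or a single link (RFC 3927).
LAN_ONLY = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def classify_source(src: str) -> str:
    """Say where a popup with this source address can plausibly have come from."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        # 127.0.0.0/8 never crosses a wire (RFC 1122): only a process on this host
        # can be the sender, i.e. the 'sending it to yourself' case described above.
        return "local-process"
    if ip.is_unspecified:
        return "bogus-source"  # 0.0.0.0 is never a valid unicast source
    if any(ip in net for net in LAN_ONLY):
        return "same-network"
    return "remote"


def triage(log_text: str) -> list:
    """Parse each log line and attach an origin verdict to it."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        results.append({"ts": m["ts"], "src": m["src"], "site": m["site"],
                        "origin": classify_source(m["src"])})
    return results


def sites_pushed_locally(log_text: str) -> list:
    """Advertised domains whose popups can only have come from a local process."""
    return sorted({r["site"] for r in triage(log_text) if r["origin"] == "local-process"})
```

A domain that appears in the "local-process" list is evidence for the host-side investigation the thread describes, not against taking the advertised site down.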
 
Art

It certainly sounds like you have some sort of spyware/adware on your
machine.

The best solution, although an extreme one, is to stop running Windows

Best solution for whom? I use Windows without any spyware or malware
problems at all. I know of others that do as well.

As for safety measures, it's back to the first suggestion: dump Windows.
If you can't or won't do that, at least dump the garbage that MS
provides for using the Internet, Internet Explorer and Outlook Express.

There's more to it than just dumping IE and OE. It's also a matter of
using your head, acquiring some knowledge, and practicing "safe hex".


Art
http://www.epix.net/~artnpeg
 

Bart Bailey

I use Windows without any spyware or malware
problems at all. I know of others that do as well.

I'm one of those folk;
95b on the dialup machine,
98se on the dsl machine,
xp-pro (fat) on the media machine.
No malware issues here.
 

FromTheRafters

Bill Cole said:
Lloyd From Brisbane wrote:
[snip]

[...] ... but the question here is, are there virii

Hmmm - 'man' with an extra (i) - Triclops?

There are infestations of many types that do that. Whether they get
called spyware, adware, viruses, or worms depends on who you ask and
who the authors have sweet-talked. The commercial AV vendors will rarely
call any software that has a known commercial author by any of the usual
names like 'virus' 'trojan' or 'worm.'

I was surprised that they actually called 'FriendGreeting' a worm. It was
only slightly more automatic than a chain letter.

[snip]


...and for the AV programs there is virtually no danger in having them
whack anything they find.

<gulp!> FPs notwithstanding. (yeah, "virtually" no danger because AV
scanners are "virtually" flawless).

"Bridge for sale" - pay now, take ownership as soon as I'm done painting it.

For the spyware scanners, things are a little different. If you
use software that happens to also have an adware component, you need to
decide whether the use you make of the software is worth the ads.

Yes, compared to AV detections, adware and spyware detection programs
require more brainwork by the user to determine what action to take if any.

[snip]
 

FromTheRafters

Bart Bailey said:
I'm one of those folk;
95b on the dialup machine,
98se on the dsl machine,
xp-pro (fat) on the media machine.
No malware issues here.

98 here, and my scanner says I'm riddled with malware. ;o)

...but I'm okay with that.
 

Bart Bailey

98 here, and my scanner says I'm riddled with malware. ;o)

...but I'm okay with that.

Then it's not an issue for you.
BTW: My zoos all reside on removable media,
and not on any fixed storage devices.
Although I've seen the coating slough off a disk, I've never seen an
intact application manage to escape and end up running on any of my
systems. <g>
 