Spammers based in Russia are using stealth and a sophisticated new trojan program to turn home workstations into unwitting hosts in a pornography and spam distribution ring, according to security experts.
The deceptive and potentially illegal practice came to the attention of experts in late June and has been a topic of conversation among spam fighters on Internet discussion groups since then, according to Joe Stewart, senior intrusion analyst with LURHQ, a Chicago-based managed security services company.
Experts observed that one spammer who was sending out spam e-mail pointing to spoofed PayPal Web sites and Russian pornography sites appeared to be able to change the addresses of his Web sites every few minutes, according to Richard Smith, an Internet security and privacy consultant based in Boston.
Smith stumbled upon the problem in early July while investigating e-mail messages pointing to a phony PayPal site that was being used to harvest personal financial information from customers of the online payment service.
After reporting the address of the site that he believed was the source of the phony Web site to the ISP (Internet service provider) responsible for that address, Smith was surprised to see the same Web domain associated with a different Internet address belonging to a different ISP a few minutes later, and still another address a few minutes after that.
"I said, 'Whoa! That's interesting'," Smith recalled.
After writing a program to monitor the Web sites associated with the pornography and bogus PayPal domains, Smith collected the IP addresses of hundreds of computers being used as hosts for the illicit content, each for only a few minutes at a time.
The trick lies in a sophisticated trojan program placed on the remote systems and used by the spammer, according to Stewart, who obtained a copy of the program from an infected system belonging to an employee of one of LURHQ's enterprise customers.
The program, which Stewart dubbed "migmaf," acts as both a proxy server for spam and a reverse proxy server for a master Web server serving the spoofed and pornographic content, Stewart said.
Domain names and e-mail addresses for the pornography sites point to Russia as the source, Smith said.
In its capacity as a proxy server, the trojan forwards outgoing spam from its source to the intended recipient, replacing the source address with its own IP (Internet Protocol) address and covering the spammer's tracks.
As a reverse proxy server, the trojan receives requests from spam recipients who, for example, click on a link to a pornographic Web site, and passes that along to the master Web server. That server responds with the requested Web page and sends that content along to the compromised computer, which then serves it to the requesting machine, Stewart said.
Users never know where the content they're receiving is really coming from, and the Web site's owners are shielded from pressure by their ISP to shut down the site, according to Smith and Stewart.
Because such behind-the-scenes activity might eventually arouse the suspicions of victims, each compromised user machine acts as a DNS (Domain Name System) host for the illicit Web domains for only 10 minutes before being replaced by another compromised system known to the spammer, Smith said.
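As an added example, not code from the article or from Smith's own monitoring program: a small Python script that takes a log of periodic DNS answers for one domain, as a monitor like the one Smith wrote would record them, and flags the short-dwell, many-host, many-network pattern described above. The domain data, addresses (RFC 5737 documentation ranges) and thresholds are constructed assumptions, and /24 prefixes stand in for "different ISPs".

```python
from datetime import datetime, timedelta
from ipaddress import ip_network
from statistics import median

POLL = timedelta(minutes=5)

def poll_series(start, answers, interval=POLL):
    """Build (timestamp, ip) observations from one resolver answer per poll."""
    return [(start + i * interval, ip) for i, ip in enumerate(answers)]

# Constructed observations, not data from the article: a flux-style domain
# whose answer changes every two polls (about every 10 minutes), and a control
# domain that stays on one address.
FLUX_DOMAIN = poll_series(datetime(2003, 7, 1, 12, 0), [
    "192.0.2.10", "192.0.2.10", "198.51.100.7", "198.51.100.7",
    "203.0.113.44", "203.0.113.44", "192.0.2.200", "192.0.2.200",
    "198.51.100.99", "198.51.100.99", "203.0.113.5", "203.0.113.5",
])
STABLE_DOMAIN = poll_series(datetime(2003, 7, 1, 12, 0), ["192.0.2.80"] * 12)

def hosting_runs(observations):
    """Collapse consecutive identical answers into (ip, first_seen, last_seen)."""
    runs = []
    for ts, ip in sorted(observations):
        if runs and runs[-1][0] == ip:
            runs[-1][2] = ts            # same host still answering, extend the run
        else:
            runs.append([ip, ts, ts])   # a new host has taken over the domain
    return [tuple(r) for r in runs]

def flux_summary(observations, interval=POLL):
    """Summarise how many hosts served the domain and for how long each."""
    runs = hosting_runs(observations)
    # A host seen in a single poll was live for at least one polling interval.
    dwell = [(last - first + interval).total_seconds() / 60 for _, first, last in runs]
    ips = {ip for ip, _, _ in runs}
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),   # rough stand-in for "different ISPs"
        "changes": len(runs) - 1,
        "median_dwell_minutes": median(dwell),
    }

def looks_like_fast_flux(summary, min_ips=5, min_prefixes=3, max_dwell_minutes=15):
    """Flag a domain that hops between many hosts on many networks, each only briefly."""
    return (summary["distinct_ips"] >= min_ips
            and summary["distinct_prefixes"] >= min_prefixes
            and summary["median_dwell_minutes"] <= max_dwell_minutes)

if __name__ == "__main__":
    for name, obs in (("flux", FLUX_DOMAIN), ("stable", STABLE_DOMAIN)):
        s = flux_summary(obs)
        print(name, s, "FAST-FLUX" if looks_like_fast_flux(s) else "normal")
```

Feeding it real answers means polling the domain at a fixed interval and appending each (timestamp, address) pair; the thresholds should be tuned against domains legitimately served by CDNs, which also rotate addresses but rarely across this many unrelated networks with such short dwell.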
