Network News

X My Profile
View More Activity

Fraudsters Declare War on Anti-Scam Services

Spammers have been attacking and threatening several of the groups and individuals who have been performing some of the most important work in hobbling online scams, spam and computer viruses.

The SANS Internet Storm Center on Thursday found a piece of malicious code (called "sans.exe") designed to update a group of several thousand infected computers that SANS has been monitoring. The code includes text strings that suggest an attack on the center if two of its crime fighters don't stop interfering with his money-making spam operations. The message, in part, read:

"You better f*** off especially that [SANS chief technology officer] Johannes Ullrich (phone and e-mail address deleted) and Kevin Hong (phone and e-mail address deleted). I really don't have anything against you, just piss off alright?" [sic]

"I guess we always felt like this [was] going to happen at some point," Ullrich said in an online chat with Security Fix this morning. "Adding taunts like this to their code isn't what you would expect from a professional criminal trying to stay low profile. [It] points to a more juvenile 'hooligan' mentality," than hardened cyber crook.

Last month, a number of anti-spam Web sites came under a sustained "distributed denial of service" (DDoS) attack, an electronic assault during which the attackers use thousands of compromised personal computers to overwhelm a target with so much bogus traffic that the PCs can't accommodate legitimate visitors.

The attacks were made possible by tens of thousands - perhaps millions - of computers infected by the recent e-mail virus known as the "Storm worm. The virus links all infected computers into a peer-to-peer data network using the same technology as the eDonkey file-sharing network. The attackers later instructed the networked machines to attack sites such as spam trackers Spamhaus and the personal Web site of Joe Stewart, the SecureWorks researcher who conducted some of the most detailed analysis of the Storm worm.

The Web sites for CastleCops -- an all-volunteer, online scam fighting community -- also have been under a consistent denial-of-service attack for the past couple of weeks. Its main site and user forum are not working again this morning. Security Fix has spotlighted the laudable work this volunteer group does in bringing down phishing Web sites and analyzing new malicious software.

CastleCops co-founder Robin Laudanski said the intermittent site shutdowns have been inconvenient, but added that they have bolstered support for the group from within the security community.

"I take [the attacks] as a compliment because if we weren't putting a dent in the bad guys' pocketbooks, we wouldn't be getting attacked," Laudanski said. "It means we're being a pain, and that we're doing something right."

By Brian Krebs  |  February 23, 2007; 1:40 PM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Mass. Bill Would Make Retailers Pay for Data Breaches
Next: Congressman Wants Answers About TSA Site


You'd think that anti-spam websites would at least run an OS that's better protected against DDoS, viruses, etc.

Before OS X, there used to be an annual contest called "Hack a Mac" in which there was a monetary prize for changing the contents of a webpage. To my recollection, no one ever won the prize.

Posted by: Gary | February 23, 2007 2:48 PM | Report abuse

ISC Emergency Backup:
(notice that it is text only to prevent malware infection).

Directly from a SANS diary entry(
Published: 2007-02-23,
Last Updated: 2007-02-23 04:53:15 UTC
by Jason Lam (Version: 1)
Just like any security minded organization, ISC have done our own emergency preparedness work. In situations where our main website cannot be accessed, we will be turning to alternative location (separate hosting location),

We suggest you keep this page bookmarked and keep it handy just in case if anything ever happens. If we ever need to broadcast message from our alternative site, the messages would be PGP signed.

Let's hope we never need to use the alternative site...... But we are never really sure.

Posted by: Leonard | February 23, 2007 2:53 PM | Report abuse

THe anti spam web sites are down not to flaws in their web site design, but due to overwhelming bogus web traffic sent their way by spam linked PC's. It has nothing to do with the server software OS (OS X , LInux, Windows) they are using, which is probably Linux Apache in most cases.

Posted by: Harry | February 23, 2007 3:30 PM | Report abuse

Harry, "sans.exe" indicates that it was a Windows site being attacked, doesn't it?

Posted by: Gary | February 23, 2007 4:00 PM | Report abuse

Allow me to clarify. Gary -- the sans.exe was the name of the Windows executable the spammer in this case was using to control his army of infected machines. It has nothing to do with what operating system or server software may or may not be in use on the various Web sites that were attacked.

Posted by: Bk | February 23, 2007 4:16 PM | Report abuse

Gary, I read this a little differently. I was under the impression that "sans.exe" was a trojan or patch to already installed trojans that would run on the spammer's existing botnet. I took it to mean that "sans.exe" could simply indicate that the program to install the trojan or patch was intended to run on and infect computers running Windows. These computers would then begin a DDoS attack on anti-spam web sites.

Posted by: Steve | February 23, 2007 4:31 PM | Report abuse

Gary - Do you know anything about DDOS attacks? Because it seems that you do not. DDoS attacks don't care about what OS you are using, they are only concerned about choking the bandwidth that you have. So it does not matter what OSes these anti-spam sites are using OR how highly secured they are, b/c if a DDoS attack happens, most websites will feel some sort of effect from it.

Now you may be referring to the compromised systems that are performing the DDoS attacks. Then the OS does matter in this case, since typically Linux-flavored systems (ie, Macs) are not as prone to being easily compromised.

Posted by: Pat | February 23, 2007 4:47 PM | Report abuse


You might want to cite your sources re 'Hack a Mac' as #1) no one seems to have the great memory you have; #2) neither Wiki nor Google come up with references to it; and #3) before OS X the Mac was the easiest target of all and not too many years before that your 'Mac' wasn't even online.

Posted by: Rick | February 24, 2007 7:50 AM | Report abuse


'Harry, "sans.exe" indicates that it was a Windows site being attacked, doesn't it?'

Of course not. It indicates a Windows client is being hacked. Or do you presume Windows code can't interact with the Internet in general? :D

Posted by: Rick | February 24, 2007 7:52 AM | Report abuse

Looks like some folks here do not know how a DDoS workes. Anyway, they use compromised pc's which do the attack over the internet: no matter which OS an ISP uses.
Certantly, the compromised pc's are running some kind of Windows, that's for sure, given the filemae sans.exe (You cannot misuse another OS like OS X or Linux that easy.)

Posted by: ritslinux | February 24, 2007 10:32 AM | Report abuse

The Hack a Mac contest can easily be found with a Google search.
It dates from the mid-90s

Posted by: Gary | February 24, 2007 2:31 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company