Mimail worms attack anti-spam sites
By Matt Whipp
Posted on 3 Nov 2003 at 15:24
The latest incarnations of the Mimail worm - versions E and H - are more than just irritants that use up bandwidth by sending themselves on to others in your address books. Additionally, they have components that deliver DoS (denial of service) attacks to anti-spam sites SPEWS (Spam Early Warning System) and The Spamhaus Project.
'These Mimail worms attempt to knock anti-spam resources off the internet. This is a clear attack on everyone who uses Internet email for legitimate purposes,' said Graham Cluley, senior technology consultant for Sophos. 'Are the people who fill everyone's email inboxes with spam also behind this virus? It's hard to know for certain.'
This would not appear to be the first brush with spam for virus writers. In June, UK-based MessageLabs discovered that senders of spam were using viruses to hijack computers with backdoor trojans and then use these pawns to send out their own spam.
MessageLabs spokesman Paul Wood said the company is analysing the activities of Mimail E and H. 'We haven't reached any conclusions yet,' he said. 'But there doesn't appear to be anything standing out at the moment.'
He said the company is currently working very closely with The Spamhaus Project to protect it from a spate of DoS attacks of late, but there's little that can currently be pinned down as having originated from Mimail E and H.
'The vast majority of addresses have been Fizzer-infected machines,' he said.
The point of attacking these anti-spam sites with DoS attacks is 'to circumvent the blacklist problem,' said Wood. Those that have signed up to services that filter out emails originating from a spam blacklist will find their connections time out if a DoS attack on that service uses enough bandwidth to render any email filtering too slow to be useful.
However, by far the most common method for spammers to get around spam blacklists is through the use of open proxies: using unprotected or infected systems hooked up to the Internet to send spam for them - thus using IP addresses not blacklisted.
Wood described the practice as the 'air supply' that keeps spammers in business. Although spam levels have remained at the 55 per cent level of email traffic since a meteoric rise from January to May this year, what has changed is the use of open proxies.
Wood said that of the spam currently in circulation, 70 per cent of it is sent through open proxies, with three quarters of these being infected, rather than poorly configured, computers.
When Service Pack 2 comes out for Windows XP later this year it will turn on the XP Firewall by default (and turn off Windows Messenger Service - blocking Netsend spam). Wood said: 'That would certainly go some way to addressing the problem.' He said it might help prevent inbound attacks, but not outbound data - and if your machine is already infected, XP's firewall reinforcement may not have turned up in time.
