Cloaking Device Made for Spammers
(Wired) Call them spackers — they’re the new breed of computer crackers who earn a living in cahoots with spammers. The latest innovations developed by such mercenary hackers on behalf of the junk e-mail profession are techniques that enable spammers — or scam artists for that matter — to create websites that are essentially untraceable.
One group in Poland is currently advertising “invisible bulletproof hosting” in online forums for spammers. For $1,500 per month, the group says it can protect a site from network sleuthing tools used by spam opponents, such as traceroute and whois.
Until now, antispammers have relied on such tools to identify the numeric Internet protocol address behind a website advertised by spam. In the past, shutting down a site used to sell spammed products — or to rip off gullible online users via phishing schemes — was often just a matter of notifying the hosting company responsible for the IP address.
But the new technique makes these tools futile, according to experts familiar with the method.
The beauty of invisible hosting, according to Tubul, a representative of the Polish group who would not provide his full name, is that the untraceable site can even be located on servers operated by major Web hosting firms with tough antispam policies.
When asked on an online chat for a demonstration of the stealth hosting service, Tubul provided the address of a website selling generic Viagra and other drugs.
“Try to find the real IP,” he said. “This host is in rackshack.net, the most antispam ISP.”
A traceroute to the site indicated that it was being hosted on a computer apparently using cable modem service from Comcast.
“Fake,” said Tubul.
Indeed, when a traceroute to the site was performed moments later, it appeared to be hosted on a computer with a DSL connection from Verizon.
Another site, hosted by the Polish group. offers free credit consultations. Traceroutes to the site, removeform.com, also provided ever-changing results, ranging from a computer connected to a DSL line in Israel to another provided by EarthLink. However, the title of the site’s home page consistently read “Yahoo Web Hosting,” suggesting it was actually located on a server run by the Internet giant.
According to Tubul, his group controls 450,000 “Trojaned” systems, most of them home computers running Windows with high-speed connections. The hacked systems contain special software developed by the Polish group that routes traffic between Internet users and customers’ websites through thousands of the hijacked computers. The numerous intermediary systems confound tools such as traceroute, effectively laundering the true location of the website. To utilize the service, customers simply configure their sites to use any of several domain-name system servers controlled by the Polish group, Tubul said.
While the price may be steep, such services “definitely” will frustrate antispammers and others who try to track down the true address of rogue Internet sites, according to Joe Stewart, a security researcher with Lurhq.
“You’re not going to have much success trying to follow IP addresses through hacked hosts,” said Stewart. “About all you can do is try to follow the money — sign up for whatever it is they’re selling and try to figure out who’s behind the whole thing.”
The use of such stealth hosting techniques has become widespread among spammers, according to Steve Linford, leader of the Spamhaus Project, which maintains a blacklist of known junk e-mail operations. Linford blamed the development of the new methods on the recent alliances between spammers and computer crackers.
“Hackers used to detest spammers, but now that spamming has become such a big business, it’s suddenly cool to be a spammer,” Linford said. He said the junk e-mail business has also recently attracted “engineers who have been laid off or fired, and people who really know what they’re doing with networking and DNS.”
The lure of money has also apparently attracted virus writers to the spamming business. Linford said he believes that the Fizzer mass-mailing Internet worm was the work of a virus writer affiliated with a spam operation. In addition, Stewart and others said they believe that the first variant of the recent Sobig computer worm is designed to turn compromised PCs into spam proxy servers.
In a further effort to compromise new systems and add them to their arsenal, Tubul’s group appears to be using its “spamvertised” sites to infect visitors with a malicious program. Recent reports in online antispam discussion groups indicate that an invisibly hosted site called miracleformen.com was attempting to install a suspicious executable file on visitors’ computers using a vulnerability in Microsoft’s Internet Explorer browser.
Bulk e-mailers and scam artists began utilizing the services of crackers who control large networks of compromised computers about a year ago, according to Stewart. This past summer, hijacked PCs were used to host porn and credit card phishing sites, according to research by Stewart and security consultant Richard M. Smith.
One strategy for mitigating the invisible-hosting problem, said Thor Larholm, a security researcher with Pivx Solutions, would be for Internet service providers or domain registrars to blacklist the DNS servers used by such outfits, effectively cutting them off from the Internet.
But Tubul said his group changes its DNS servers regularly to protect against such tactics.
While many ISPs do not seem to understand the severity of the invisible-hosting problem, Linford said law enforcement authorities have begun investigating.
“These people are not just violating ISPs’ rules,” said Linford. “These are guys who really need to do some time in jail.”
