Compromised Home Computers Used To Hide Spamvertised Sites
from the getting-worse dept
There have been plenty of stories about how spammer and hackers have been teaming up to install trojan horse programs on thousands of home computers, but it’s been a little unclear what some of them are being used for. There are stories of how they’re being used as open proxies to send out spam, and others where the computers are actually hosting porn or other spamvertised content. The latest scam is that the trojans are being used to confound tracing tools to track down where a spamvertised site is hosted. One popular anti-spam technique is to track down the location of spamvertised sites and get them knocked offline. By making it impossible to determine the actual IP address of the site, it means that spammers can host the sites at popular hosting sites (even the most “antispam” ones around) and not worry about being kicked off. The article also points out that spammers are getting nastier with things like this because out of work hackers – who used to hate spammers – are being drawn by the reports of spam money.
Comments on “Compromised Home Computers Used To Hide Spamvertised Sites”
huh?
I found this article somewhat baffling. You can’t connect to a site without having an IP address to connect to. So how can a site’s IP address be a secret?
Re: huh?
I’m not sure I fully understand it, but it sounds to me like the IP address is constantly changing, but each time, it’s pointing to an individual computer – then, that computer goes out and collects the actual website contents from an established hosting company and presents it from the computer. Thus, you don’t need the actual IP address of the website, but the (ever-changing) intermediary that grabs the site in question.
Re: huh?
The method is quite simple. The “trojaned computers” have a HTTP proxy installed on them. Presumably the purpose of the worms mentioned was to install this proxy. All that remaines is for the spammer to get a DNS record which points to the proxies.
The bit that is not explained in the article is how the proxies know the IP number of the real site. I suspect that there is a central point somewhere which distributes these to the proxies.
I would think that there is a method of finding the real site in some cases (e.g. if the real site is hosted by Yahoo). For the real site to be invisible it needs to be set up so that it accepts requests only from the proxies. This means that the the spammer would have to have access to the HTTP server’s access control lists. This would not be possible at most hosters. Therefore I suspect that the real site (at the real IP) will appear on Google.