Dallman Ross | 3 Feb 21:56

Re: New types of Trojans coming

On 03, 2005 at 09:45:26AM -0800, Professional Software
Engineering wrote:

> At 18:16 2005-02-03 +0100, Dallman Ross did say:
> >http://news.zdnet.com/2100-1009_22-5560664.html
> >
> >Precis: Spam levels expected to rise with suddenness
> >soon, as blacklists become less effective.
> 
> Er, spammers have been using trojans for a while now already.  Yes,
> traditionally, the user's own PC is converted into a mail server and
> it delivers mail directly.

Yes, and that's a crucial difference.

> However, viruses have for some time used the user's own ISP mail
> server (or at least that of the forged address snarfed from their
> saved email) to deliver messages, thereby lending some apparent
> legitimacy to the message (for instance, you can't block them using a
> dial-up list type DNSBL, because the machine passing the message to
> your host is an actual ISP mailserver, not the user's own machine).

The forgeries are a good tip for Virus Snaggers(tm), for example.  It
looks for them.

But, look: if a worm or zombie spam now gets sent by the virtual
server coded into the Trojan/zombie/worm program itself, it's one
thing.  The mail typically arrives at the recipient's server with
a fake server name and very few Received headers.  (Vsnag looks for
that kind of thing too.)  But if the mail is going to go out via
the ISP's usual channels, then the heuristic for identifying it
gets a bit tougher.  That's what caught my interest.

-- 
dman
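
Added example, not part of the original message and not Virus Snaggers code: a Python check for the two signals described above, a short Received chain and a HELO name that disagrees with the connecting host's reverse DNS. The function name, the Sendmail/Postfix-style Received format and both sample messages are constructed assumptions; the second sample shows the heuristic going quiet once the mail is relayed through the ISP's own server.

```python
import re
from email import message_from_string

# Assumed top-hop format written by the receiving MTA: "from HELO (rdns [ip])"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def direct_to_mx_signals(raw, max_hops=1):
    """Return heuristic flags for mail injected straight at the recipient's MX."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    flags = []
    # A zombie's built-in SMTP engine adds no hops of its own.
    if len(received) <= max_hops:
        flags.append("few-received")
    if received:
        # Only the topmost header is written by our own server and trustworthy.
        m = HOP.search(received[0])
        if m:
            helo, rdns, _ip = m.groups()
            if rdns == "unknown" or helo.lower() != rdns.lower():
                flags.append("helo-mismatch")
    return flags

# Constructed sample: zombie delivering directly with a fake server name.
ZOMBIE = (
    "Received: from mail.bigbank.example (dsl-203-0-113-7.isp.example [203.0.113.7])\n"
    "    by mx.recipient.example with SMTP; Thu, 3 Feb 2005 18:00:00 +0100\n"
    "From: service@bigbank.example\n"
    "Subject: constructed sample\n\nbody\n"
)

# Constructed sample: same infected host, but sending via the ISP's mail server.
RELAYED = (
    "Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])\n"
    "    by mx.recipient.example with ESMTP; Thu, 3 Feb 2005 18:00:05 +0100\n"
    "Received: from [203.0.113.7] (dsl-203-0-113-7.isp.example [203.0.113.7])\n"
    "    by smtp.isp.example with SMTP; Thu, 3 Feb 2005 18:00:01 +0100\n"
    "From: service@bigbank.example\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print("direct :", direct_to_mx_signals(ZOMBIE))
    print("relayed:", direct_to_mx_signals(RELAYED))
```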
