When evil is branded, it thinks of weapons. Spammers think DDoS attacks.
Written by Daniel   
Tuesday, 12 June 2007 16:29
Antispam groups come under heavy DDoS attack
Ars Technica
By Jeremy Reimer | Published: June 12, 2007 - 03:05PM CT

Spammers have been taking over unsuspecting computer users' machines for years in order to send out unwanted e-mails, but recently they have been getting even more aggressive. The SANS Institute (SysAdmin, Audit, Network, Security) recently reported that a large, distributed denial-of-service (DDoS) attack has targeted several organizations that attempt to fight spam: Spamhaus, SURBL (Spam URI Realtime Blocklists), URIBL (Realtime URI Blacklist), and Rules Emporium (the host site for the open-source SpamAssassin program). As of this writing, the Rules Emporium and URIBL are still under attack and are unreachable.

The attacks are similar to last year's DDoS assault on BlueSecurity (makers of the community-based antispam tool BlueFrog) and are believed to be using the same malware to do their nasty work. The software in question is called Storm, which is a trojan distributed as an e-mail attachment. When a user opens the attachment and runs the trojan, it attempts to link up to other infected hosts via peer-to-peer networking. Once a connection is made, it downloads a series of five second-stage executables which set up an SMTP relay, an e-mail address stealer, an e-mail virus spreader, a DDoS attack tool, and finally an updated copy of the Storm Worm dropper. The master component is run from a kernel rootkit driver that embeds itself into Windows' services.exe process.

The DDoS component retrieves its target list from a hard-coded web site embedded in the body of the trojan, which can change depending on who the spammers want to target next. Previous targets have included not only antispam sites such as BlueSecurity, but also rival spamming groups such as Warezov....

