German Language SPAM Outbreak Again ....
My servers have once again been hit by a major outbreak of German-language spam. According to Yahoo it is all racist hatred in nature (I translated some of it on Lycos Translation myself to verify this). It is being controlled by web-bots on computers infected with the Trojan.Ascetic.C virus (a Sober worm variant), which was named on May 15, 2005, and has been around since last year's attack of this spam, with the previous version of the worm. It is also now known as W32.Sober.P@mm, Win32.Sober.O [Computer Associates], Email-Worm.Win32.Sober.q [Kaspersky Lab], W32/Sober.q@MM [McAfee], Troj/Sober-Q [Sophos], WORM_SOBER.U [Trend Micro].

I have been getting hundreds of these emails daily, and have been controlling them using MailWasher. The spam doesn't actually carry the Trojan. This is a Trojan horse that uses its own SMTP engine to send spam email to addresses gathered from the compromised computer. The email may be in either English or German. I simply add the spam originator temporarily to my blacklist, and it selects all of them for simple deletion. I'll delete the blacklisted names automatically after the outbreak is over, using MailWasher's features, since the apparent senders of the emails have been spoofed. If you do this yourself, don't bounce the spam, since the sender is not responsible - simply infected.

A flaw in RealPlayer may be partially to blame for this outbreak once again. The attack lasted about 8 weeks last year, and is expected to "go away" as before. There are elections in Germany soon, and it's the 60th anniversary of Hitler's demise. The Neo-Nazi movement is probably behind these hate attacks. I have collected all the research I can Google in the following transcripts for you to browse easily.

SPAM in German is Still SPAM
There have been many reports that German-language SPAM is being received in large quantities. Analysis by the ISC's Johannes Ulrich shows the content of the samples received to be political in nature, and the messages seem to have been generated by DSL/cable-connected systems, a possible indication that a virus or botnet is being used to propagate the SPAM.
Of note, one of the e-mails contained the phrase "Comment by the author of Sober"
There is malware behind this. It is a version of Sober (Trojan.Ascetic.A). Right now, only one virus scanner identifies it as such. The version we're aware of uses the filename 'datacrypt.exe'. (DoC says: you can quickly search drive C: for datacrypt.exe to locate this file, as a fast check to see whether you're infected.) See Norton's website at http://securityresponse.symantec.com/avcenter/venc/data/trojan.ascetic.a.html for details on detection and removal. (Source: http://isc.sans.org/diary.php?date=2004-06-10)
German spam source found, Real Player services vulnerability
We have had one report of a user receiving traffic on multicast addresses 244.1.0.0 with a negative source port and a destination port of 4. Some firewalls translate the source port to 0. We are interested in any one else seeing similar traffic and packet traces.
The source of the German right-wing spam making its rounds on the Internet over the last few days has been identified as a variant of the Sober worm. It is identified by a file called datacrypt.exe and is launched from the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The infection method is the same as Sober.G. On startup it connects to a time server in Berlin and then starts Trojan.Ascetic to send email messages.
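The two host indicators the diary gives (a file named datacrypt.exe somewhere on the drive, and a value under the HKLM Run key that launches it) are easy to check by hand with Windows search and regedit; the script below is an added example, not part of the ISC diary or this blog, that automates the same two checks in Python. The directory tree it builds for a demo run is constructed, the registry is only read (never written) and only on Windows, and the indicator filename is the one the diary names; nothing else about the worm is assumed.

```python
"""Sweep a host for the datacrypt.exe indicator: file search plus HKLM Run key."""
import os
import sys
import tempfile

INDICATOR_FILE = "datacrypt.exe"  # filename named in the ISC diary
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKEY_LOCAL_MACHINE


def find_indicator_files(root, name=INDICATOR_FILE):
    """Walk `root` and return every path whose filename equals `name`, case-insensitively
    (Windows filesystems are case-insensitive, so DataCrypt.exe must match too)."""
    wanted = name.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() == wanted:
                hits.append(os.path.join(dirpath, fn))
    return hits


def suspicious_run_entries(entries, name=INDICATOR_FILE):
    """Given {value_name: command} pairs read from a Run key, return the ones whose
    command line references the indicator filename."""
    wanted = name.lower()
    return {k: v for k, v in entries.items() if wanted in v.lower()}


def read_hklm_run():
    """Read every value under HKLM\\...\\Run. Returns {} on non-Windows hosts.
    Read-only access; nothing is modified."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                value_name, value_data, _value_type = winreg.EnumValue(key, index)
            except OSError:  # raised once the value index runs past the end
                break
            entries[value_name] = str(value_data)
            index += 1
    return entries


def build_constructed_tree():
    """Constructed demo tree (not a real infected host): a few decoy files and one
    indicator file, mixed case, under a subdirectory, so the sweep can run offline."""
    root = tempfile.mkdtemp(prefix="sober_demo_")
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    for rel in ("readme.txt", os.path.join("WINDOWS", "notepad.exe")):
        open(os.path.join(root, rel), "w").close()
    open(os.path.join(root, "WINDOWS", "system32", "DataCrypt.exe"), "w").close()
    return root


if __name__ == "__main__":
    # Usage: python sweep.py C:\   (no argument: sweep the constructed demo tree)
    root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_tree()
    for path in find_indicator_files(root):
        print("indicator file:", path)
    for value_name, command in suspicious_run_entries(read_hklm_run()).items():
        print("suspicious Run entry:", value_name, "=", command)
```

A hit on the file alone is not proof of infection (any file can be given that name), but a Run value pointing at it is the persistence the diary describes, so the two checks are worth reading together.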
Reports are being received relating to vulnerabilities in RealPlayer services. You may wish to block on your firewalls the ports listed below that the RealPlayer services use. That will not completely mitigate this vulnerability, as it could be triggered by downloading (via HTTP, FTP, ...) a RealPlayer movie and running it locally. I would recommend that, until RealPlayer is patched on any vulnerable system, you disable RealPlayer as the default application for opening .RA, .RM, .RV or .RMJ files. In XP you can do that by browsing to your C: drive and selecting a folder, then from the toolbar selecting Folder Options and File Types. Look for file types opened by RealPlayer and change them to be opened by another application or to have no default application.
Well-known ports used by RealServers:
TCP port 7070 for connecting to pre-G2 RealServers
TCP ports 554 and 7070 for connecting to G2 RealServers
UDP ports 6970 - 7170 (inclusive) for incoming traffic only
(Source: http://isc.sans.org/diary.php)
Spam Zombies to blame for German spam bomb yesterday - German Spam Floods Inboxes
02:00 AM Jun. 11, 2004 PT
E-mail users around the world got a rude awakening Thursday when a spammer flooded their inboxes with nationalist, borderline-racist propaganda in German.
The messages -- which appeared to blame immigrants, prisoners and welfare recipients for Germany's problems -- hit recipients in California, Finland, Germany and the Netherlands, according to initial reports on antispam mailing lists. Some recipients reported receiving just a few messages, while others reported being overwhelmed by thousands of pieces of the spam.
In comparison to other propaganda that can be found on the Internet, the messages are relatively mild. "Bankruptcy of the health service by foreigners" read the subject line of one message. "What Germany needs is more German children," argued another.
But it wasn't the context of the messages that had some observers troubled. Rather, it was the method by which they were transmitted: through spam zombies.
Zombies are personal computers that have been infected with a virus that allows spammers to control them from a remote location for the purposes of sending out mass quantities of spam. These infected machines allow spammers to send much more e-mail than they could with their own e-mail server. It also makes it harder for authorities to trace the source of the messages.
Technologists said they believe political activists may be finding these qualities more and more attractive as they seek to spread their message beyond local boundaries. For e-mail users, that could mean more propaganda is on the way.
"It's the online equivalent to those guys who scream at you in subways, only now they have spamware to amplify their crazed ramblings," said Steven Champeon, technology chief of consulting firm www.hesketh.com. "I can't wait to start getting mail regarding that pressing town-meeting issue in East Overshoe, Wyoming, that has no bearing on me or my life and about which I can do nothing."
IronPort spam strategist Julian Haight, founder of the company's SpamCop antispam service, confirmed that Thursday's blast had the markings of a zombie-aided mailing. "We're seeing the same message sent from a variety of IP addresses, which tells me that it was sent from a farm of zombies," he said. "Chances are that somebody with a political agenda is contracting with a spammer from start to finish."
Unfortunately for the unwilling recipients of such messages, tracking down the senders can be next to impossible. In addition to being able to hide behind spam zombies, the senders have another thing going for them: They're not leaving a money trail.
"Usually, you expect some punch line about which bank you can send your money to," said Haight. "But there's nothing like that in these messages." The usual tactic of buying a product and waiting to see who collects the money is, therefore, not an option in this case.
In other words, unless technologists modify the underlying architecture of the Internet to prevent zombie attacks, political activists have at their disposal a perfect megaphone, one that can't be turned off.
Said Champeon, "Welcome to the new Internet."
(Source: http://www.wired.com/news/technology/0,1282,63806,00.html)
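Haight's tell for a zombie run (the same message arriving from many different IP addresses) and the blog author's point that the visible senders are spoofed can both be checked mechanically against a mailbox. The script below is an added example, not part of the Wired article or this blog: it fingerprints the normalised body of each message, groups messages by fingerprint, and reports clusters that originate from several distinct IPs. The messages it parses are constructed (documentation IP ranges, placeholder bodies, example.* addresses). It assumes the originating IP is the bracketed address in the earliest Received header, which is how most MTAs record the connecting host; the cluster threshold is an assumption too.

```python
"""Group identical spam by body fingerprint and count distinct originating IPs."""
import email
import hashlib
import re
from collections import defaultdict
from email import policy

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    """Parse a raw RFC 822 message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def origin_ip(msg):
    """Return the bracketed IP from the earliest Received header (the last one in
    header order), i.e. the host that injected the mail into the path we can see.
    Assumption: relays write the connecting address in square brackets."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = IP_RE.search(received[-1])
    return match.group(1) if match else None


def body_fingerprint(msg):
    """SHA-256 (truncated) of the whitespace-normalised, lower-cased plain-text body,
    so trivial spacing differences do not split one campaign into many clusters."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    normalised = " ".join(text.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


def cluster(raw_messages):
    """Map body fingerprint -> {count, originating IPs, From addresses}."""
    clusters = defaultdict(lambda: {"count": 0, "ips": set(), "senders": set()})
    for raw in raw_messages:
        msg = parse(raw)
        entry = clusters[body_fingerprint(msg)]
        entry["count"] += 1
        ip = origin_ip(msg)
        if ip:
            entry["ips"].add(ip)
        entry["senders"].add(str(msg["From"]))
    return dict(clusters)


def zombie_runs(raw_messages, min_ips=3):
    """Clusters whose identical body arrived from at least `min_ips` distinct origins:
    the zombie-farm pattern. A different From on every copy is the spoofing tell."""
    return {fp: c for fp, c in cluster(raw_messages).items() if len(c["ips"]) >= min_ips}


def make_sample(origin, relay, sender, body):
    """Build a constructed message with two Received hops (our MX, then our relay)."""
    return (
        f"Received: from relay.example.net ([{relay}]) by mx.example.org; Thu, 10 Jun 2004 09:01:00 +0000\n"
        f"Received: from dsl-host ([{origin}]) by relay.example.net; Thu, 10 Jun 2004 09:00:50 +0000\n"
        f"From: {sender}\nTo: victim@example.org\nSubject: Info\n\n{body}\n"
    )


# Constructed sample mailbox: four copies of one placeholder body from four different
# origins under four different From addresses, plus one ordinary message from one host.
SPAM_BODY = "Konstruierter Beispieltext, identisch in jeder Kopie."
SAMPLE_MESSAGES = [
    make_sample("198.51.100.23", "192.0.2.10", "anna@example.com", SPAM_BODY),
    make_sample("198.51.100.77", "192.0.2.10", "bernd@example.net", SPAM_BODY),
    make_sample("203.0.113.5", "192.0.2.11", "carla@example.org", "  " + SPAM_BODY),
    make_sample("203.0.113.140", "192.0.2.10", "dirk@example.com", SPAM_BODY),
    make_sample("198.51.100.23", "192.0.2.10", "anna@example.com", "Treffen morgen um zehn?"),
]

if __name__ == "__main__":
    for fp, c in zombie_runs(SAMPLE_MESSAGES).items():
        print(f"run {fp}: {c['count']} copies from {len(c['ips'])} origins, "
              f"{len(c['senders'])} distinct From addresses")
```

The blacklist-by-sender approach from the top of the page works against such a run only as a temporary filter, because each copy carries a different spoofed From; the origin IP set is the stable signal, and it is also why bouncing to the From address only punishes a third party.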