Symantec's U.S.-based security team said spammers are using a multitude of Windows systems compromised by the worm to send massive amounts of unsolicited e-mail, clogging the messaging systems of major ISPs across the globe.
Symantec believes a variation of the Randex worm first discovered in August has inserted a backdoor Trojan named mprox, discovered September 30, into a large number of Windows-based systems.
Editor's note: Subsequent to this story, Telstra said it believed the Swen virus/worm was responsible for the sudden surge in e-mail traffic experienced on the BigPond network.
Windows-based systems infected by mprox act as open proxies, in effect anonymous mail relays, through which spammers can route e-mail and other traffic.
"Spammers are using these distributed proxy servers to send out massive amounts of spam and we're seeing this in lots of locations -- we're seeing heavy traffic," said Vincent Weafer, senior director of Symantec Security Response.
Randex propagates by scanning for systems on nearby network addresses and attempting to log in to them with a list of simple passwords. Each system it takes over is then infected with the Trojan.
Most varieties of Randex affect Windows 2000, Windows NT and Windows XP systems, and according to security researchers the worm was designed to be controlled remotely through an Internet Relay Chat (IRC) channel.
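The two paragraphs above describe the pattern an ISP would actually see on the wire: a residential customer address that suddenly opens SMTP connections to many different mail servers (a proxy relaying spam) while also holding a connection to an IRC server (the worm's control channel). The following is an added example of that detection logic, written for this page; it is not code from the article, Symantec, Telstra or any other party named here. It assumes simplified per-connection flow records of the form `<epoch> <src_ip> <dst_ip> <dst_port>`, a placeholder customer pool of 10.0.0.0/8 and a placeholder ISP smarthost at 10.1.1.25; the log lines are constructed for illustration.

```python
"""Flag customer hosts that behave like spam proxies.

Added example for this page, not the article's or any vendor's code.
Assumptions (all placeholders): customers sit in 10.0.0.0/8, the ISP's own
outbound mail relay is 10.1.1.25, and flow records look like
"<epoch> <src_ip> <dst_ip> <dst_port>". The log below is constructed.
"""
from collections import Counter, defaultdict
import ipaddress

CUSTOMER_NET = ipaddress.ip_network("10.0.0.0/8")        # placeholder customer pool
SMARTHOSTS = {ipaddress.ip_address("10.1.1.25")}          # placeholder ISP mail relay
SMTP_PORT = 25
IRC_PORTS = {6667, 6668, 6669}                            # common IRC ports

# Constructed flow records. 10.5.5.5 is a normal client talking only to the
# smarthost; 10.7.7.7 hits six distinct remote mail servers in five seconds
# after connecting to IRC; 10.9.9.9 runs its own MTA and sends slowly.
FLOW_LOG = """\
1065000001 10.5.5.5 10.1.1.25 25
1065000002 10.5.5.5 10.1.1.25 25
1065000003 10.5.5.5 203.0.113.9 80
1065000100 10.7.7.7 198.51.100.7 6667
1065000110 10.7.7.7 192.0.2.10 25
1065000111 10.7.7.7 192.0.2.11 25
1065000112 10.7.7.7 192.0.2.12 25
1065000113 10.7.7.7 192.0.2.13 25
1065000114 10.7.7.7 192.0.2.14 25
1065000115 10.7.7.7 192.0.2.15 25
1065000200 10.9.9.9 192.0.2.10 25
1065000400 10.9.9.9 192.0.2.11 25
1065000600 10.9.9.9 192.0.2.12 25
1065000800 10.9.9.9 192.0.2.13 25
1065001000 10.9.9.9 192.0.2.14 25
1065001200 10.9.9.9 192.0.2.15 25
"""


def parse_flows(text):
    """Parse the simplified flow format into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port)))
    return flows


def peak_distinct_in_window(events, window):
    """events: time-sorted list of (ts, dst).
    Return the largest number of distinct dst addresses contacted within
    any span of `window` seconds (sliding window, two pointers)."""
    counts = Counter()
    peak = 0
    left = 0
    for ts, dst in events:
        counts[dst] += 1
        # Evict everything older than the window.
        while events[left][0] < ts - window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        peak = max(peak, len(counts))
    return peak


def find_spam_proxies(flows, window=60, threshold=5):
    """Return {src: {"peak_mx": n, "irc": bool}} for customer hosts that
    contacted at least `threshold` distinct non-smarthost SMTP servers
    within `window` seconds. Connections to the ISP's own relay are the
    normal client behaviour and are ignored."""
    smtp = defaultdict(list)
    irc_hosts = set()
    for ts, src, dst, port in flows:
        if src not in CUSTOMER_NET:
            continue
        if port == SMTP_PORT and dst not in SMARTHOSTS:
            smtp[src].append((ts, dst))
        elif port in IRC_PORTS:
            irc_hosts.add(src)
    suspects = {}
    for src, events in smtp.items():
        events.sort()
        peak = peak_distinct_in_window(events, window)
        if peak >= threshold:
            suspects[str(src)] = {"peak_mx": peak, "irc": src in irc_hosts}
    return suspects


if __name__ == "__main__":
    for host, info in find_spam_proxies(parse_flows(FLOW_LOG)).items():
        print(f"{host}: {info['peak_mx']} distinct MX in window, IRC={info['irc']}")
```

The window and threshold are the tunable part: with the defaults only 10.7.7.7 is flagged, while the slow-sending 10.9.9.9 is not; widening the window to cover its whole burst would flag it too, so the threshold should be set against the provider's own baseline of legitimate customer MTAs rather than taken from this example. The IRC flag is a corroborating signal, not a requirement, since the control channel may use other ports.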
According to Weafer, ISPs began reporting the surge in unsolicited e-mail last week, around the same time that Bigpond's e-mail woes began.
"Our initial report on this went out on around the 30th of September but we're definitely continuing to see this occur out there, so I think this is the source of what you're seeing with the Australian ISPs. It would make perfect sense and there was definitely an increase in global traffic," said Weafer.
If Symantec's reasoning is correct, some of the spam clogging Telstra's e-mail service is coming from compromised machines at the customer end of its own network, which may explain why Telstra's spam filtering software is struggling to cope.
While the problem has affected ISPs globally, it appears to have hit Telstra particularly hard. Both Optus and OzEmail customers have reported e-mail delays in recent days, but some Bigpond customers report that mail is now reaching their inboxes less than once a day.
Telstra now says that it may not be able to restore a regular service level for several weeks and some customers are already demanding financial compensation from Telstra for loss of business.
Our company warned of this in our September 2003 public newsletter, which was reprinted on a number of sites and sent along to ZD in the US at that time. MASSMAIL was one of several we had covered in our BOClean antitrojan product, and as of this moment, we've "captured" over 60 different spam relays/proxies which are currently covered. We're seeing several a week, all of which are different from one another.
If I may take the liberty, I shall include the complete text of our September 2003 newsletter which we sent out to our subscribers for your perusal ...
Date: Sat, 20 Sep 2003 15:54:09 -0400
From: Nancy McAleavey
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
To: news@nsclean.com
Subject: PSC Newsletter-Are You a Spammer?
Are YOU a spammer?
by Kevin McAleavey, BOClean laboratory team leader
It might come as a surprise to many when they are contacted by their Internet Service Provider only to be told that complaints have been received of email abuse, and it turns out to be coming from THEIR computer, and therefore their access has been cancelled. We don't mean folks that have been infected with one of those everyday, commonplace Microsoft(R)(tm)(branding used without authorization) worm viruses, we mean actual SPAM being sent from YOUR IP address. It's been happening a LOT lately, and just got worse as the result of a new higher-level nasty out there than has previously been the case.
While the media is now spinning "SWEN" as the biggest thing since SOBIG, the reality is "SWEN" is just another variant of GIBE, written by the notorious "BEGBIE" of the Czech Republic with the usual modus operandi of "From MICROSOFT - Install this patch NOW" which of course begets another "ho-hum" in the continuing Microsoft daily "plague'o'creepy crawlers" from us here. Begbie *always* signs his work, though it's encrypted - he likes to take some "kernel memory" space to spraypaint his name in there, but not visible in the FILE or in ordinary "process memory." He's as predictable as so many others. That's why our "ho hum" count of variants so far exceeds our "mother trojans" in our lists.
"SWEN" is in reality "GIBE the latest" and it amuses us to no end how it's "NEW" ... nope. Maybe to the antivirus industry, but not to us. BOClean 4.11 identifies it as the BEGBIE trojan, but in our most recent database update, we added "SWEN" to that designation for clarity. We've had to rename OTHER "Begbies" in our listings of the past to match names obfuscated by the antivirus companies who have ADMITTED in the past their desire to rename nasties from the actual names given by their authors after "discovering" them days, weeks or months AFTER "zero day." Sorry, our software is examined by network administrators and industrial customers who TRACK nasties and they EXPECT the "known name" of nasties to be used, and we'd better be there on "zero day" or we've got hell to pay. See here: http://www.newsfactor.com/perl/story/15662.html
By comparison, these "daily worms", even those such as SOBIG which were suspected of being the first wave in an assault of spammer takeovers of machines according to the pundits, are not news at all anymore. At worst, your ISP will cut you off and tell you "update your antivirus and clean your machine, these things happen." They DO understand that. And while these rapidly-spreading infections of your Outlook Express (and curiously FEW other email/newsreader programs) get plenty of attention, not so for far more insidious nasties that are unmentioned and undetected in the meanwhile.
And with YOUR finger on the trigger, caught "red-handed" by your IP address appearing on the abuse complaints that your ISP *must* solve or your ISP gets "blackholed" for spamming, YOUR provider has no other choice than to terminate your account and wish you well as you find ANOTHER place to connect to the internet. LEGITIMATE ISPs take these compl