http://www.wired.com/news/infostructure/0,1377,44611,00.html

By Brian McWilliams
2:00 a.m. June 20, 2001 PDT

For the past four weeks, a Windows-based Trojan program dubbed NewsFlood has been swamping some Internet discussion groups with a heavy stream of bogus child pornography advertisements.

The attack is the Usenet equivalent of a denial-of-service attack. It doesn't destroy files on the victims' PCs and is not designed to automatically infect other systems. But NewsFlood can ruin the signal-to-noise ratio of an online discussion group with its ads, which invite readers to visit three pornography sites and carry subject lines such as "Girls of 13-16" and "12-15 yo. girls on nudie webcam."

And in a bit of an ironic twist, one of the 11 newsgroups targeted is alt.comp.virus (ACV) -- a popular resource of virus information for PC users, virus writers and anti-virus software professionals.

Like fans of most unmoderated Usenet newsgroups, ACV participants have learned to tolerate a good layer of spam marbled into their favorite Internet discussions. But this has been a little much.

"(ACV) is quickly eroding into a non-source," said Mary Landesman, product marketing manager for In Defense and editor of the anti-virus software site at About.com. "It used to be the first place I checked for info. Now it's a dreaded last resort."

Other newsgroups with their addresses hard-coded into the program's source include two hacking discussion groups, alt.2600 and alt.hackers.malicious. Also listed in the NewsFlood source are alt.politics.bush and alt.religion.scientology.

Stephen Gielda, president of security information company PacketDerm LLC, received a copy of the program last week by e-mail from an anonymous sender. After studying the code, which arrived in the form of a 28Kb file named StartMenu.exe, Gielda posted an analysis of its workings to some of the affected newsgroups on Saturday and also provided copies of the code to anti-virus software vendors.

Gielda said the code included no clues as to the identity of the program's authors or to their motivation in writing the program.

Jesus Sardinas, the operator of GlobalPix -- one of the pornography sites touted by the program -- insisted that he had no connection to NewsFlood's author, and that his service does not include child pornography.

"I am very interested in knowing who is wasting their time advertising my site. I do not have any partner programs or click-through programs, so whoever is doing this is definitely not making any money from me," Sardinas said.

He reported that complaints from newsgroup users caused GlobalPix's Internet service provider, EarthLink Network, to shut down the GlobalPix site for 36 hours until Sardinas could convince the company he was not responsible for the spam.

According to Nick FitzGerald, an anti-virus researcher and regular contributor to alt.comp.virus who has studied the source code to NewsFlood, the program appears to have infected an undetermined number of users and is silently commandeering their computers and newsgroup accounts to create the porn-spam flood.

FitzGerald said the Trojan randomly generates legitimate-looking return e-mail addresses, organization names and message subject lines from a list. It also carefully words the messages to avoid detection by simple filtering systems.

Ian Hammeroff, a spokesperson for Computer Associates, said the anti-virus software firm has not received any infection reports directly from users and considers NewsFlood to be a low risk, because it is not self-propagating and because it only affects Internet newsgroups. The firm is nonetheless adding detection for NewsFlood to all of its products.

ISN is hosted by SecurityFocus.com