SpamCop FAQ : Help for abuse-desks and administrators
Spam-sending malware

Recently (April/May 2003), we have been seeing a new type of spam. It appears to originate on normal Windows computers, sometimes inside corporate firewalls. We theorize that spam-sending "malware" has been installed accidentally by careless users or even through the exploitation of security holes (cracking). Thus, these Windows computers suffer yet another "infection".

There appear to be several different types of software, or several modes of its operation. In one mode, it sends directly on port 25 to recipient mailservers. In another, it uses the Microsoft Outlook proprietary mail-sending protocol to send out via Hotmail mailservers. This protocol is handled over WebDAV, and the headers will show Hotmail servers using the DAV protocol. Most commonly of late, the software (or more likely its user, the spammer) uses the mailserver provided by your own ISP.

In any case, it leaves little trace as to its origin and is undetectable from the outside. The only clue is the IP address and the date/time of the occurrence. The real confusion begins when the infected system is part of a network using Network Address Translation (NAT) to proxy connections for internal hosts. It should be emphasized that some modes of operation bypass outbound mailservers and send directly to the recipient system or via Hotmail's servers.

Blocking port 25 at the firewall can stop the first mode, but it is very difficult to stop the DAV protocol method globally, since that is transmitted over normal port-80 (www) connections. Blocking a system from the mailserver it is authorized to use is also problematic: the system can then no longer send legitimate mail.
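Since the only clue a report gives is the external IP address and a timestamp, an abuse desk behind NAT has to work backwards from the gateway's translation log to the internal host. The following is an added example (not part of the SpamCop FAQ and not any vendor's tool) that does that correlation and also lists internal hosts talking port 25 directly to anyone other than the authorized relay, which is the "direct to recipient" mode above. The log format, the IP addresses and the relay address are all constructed for the example; real NAT gateways log in their own formats, so the regular expression would need adjusting.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample NAT gateway log (hypothetical format, not from the FAQ or
# any real product): time, internal src, translated src, destination:port.
NAT_LOG = """\
2003-05-14T10:14:58Z NAT 192.168.1.23:1034 -> 203.0.113.5:40001 dst 198.51.100.7:25
2003-05-14T10:15:01Z NAT 192.168.1.23:1035 -> 203.0.113.5:40002 dst 198.51.100.9:25
2003-05-14T10:15:04Z NAT 192.168.1.23:1036 -> 203.0.113.5:40003 dst 198.51.100.12:25
2003-05-14T10:15:05Z NAT 192.168.1.40:2201 -> 203.0.113.5:40004 dst 192.0.2.25:25
2003-05-14T10:15:09Z NAT 192.168.1.50:3300 -> 203.0.113.5:40005 dst 198.51.100.80:80
2003-05-14T11:40:00Z NAT 192.168.1.77:4100 -> 203.0.113.5:40006 dst 198.51.100.30:25
"""

# 192.0.2.25 stands in for the ISP/corporate relay that hosts are allowed to use.
AUTHORIZED_RELAY = "192.0.2.25"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<src>[\d.]+):\d+ -> (?P<xlat>[\d.]+):\d+ "
    r"dst (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_ts(text):
    """Parse the log's UTC timestamp ('2003-05-14T10:15:00Z') into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": parse_ts(m["ts"]),
            "src": m["src"],      # internal (pre-NAT) address
            "xlat": m["xlat"],    # external address seen by the recipient
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return entries


def find_internal_hosts(entries, reported_ip, reported_time, window_minutes=5):
    """Count port-25 connections per internal host that left through the reported
    external IP within +/- window_minutes of the report's timestamp."""
    delta = timedelta(minutes=window_minutes)
    hits = Counter()
    for e in entries:
        if e["xlat"] != reported_ip or e["dport"] != 25:
            continue
        if abs(e["ts"] - reported_time) <= delta:
            hits[e["src"]] += 1
    return hits


def direct_smtp_senders(entries, authorized_relay=AUTHORIZED_RELAY):
    """Internal hosts opening port 25 to anything other than the authorized relay.
    Ordinary workstations have no reason to do this, so they are candidates for
    the direct-sending mode of the malware."""
    return sorted({e["src"] for e in entries
                   if e["dport"] == 25 and e["dst"] != authorized_relay})


if __name__ == "__main__":
    entries = parse_nat_log(NAT_LOG)
    # A report naming 203.0.113.5 at 10:15 UTC resolves to the hosts below.
    print(find_internal_hosts(entries, "203.0.113.5", parse_ts("2003-05-14T10:15:00Z")))
    print(direct_smtp_senders(entries))
```

The time window matters: clocks on the reporting side and on the gateway rarely agree to the second, so a few minutes of slack avoids missing the session, at the cost of pulling in a legitimate host that used the relay at the same moment (192.168.1.40 above). The second function separates those cases: a host that only ever talks to the authorized relay is not sending directly. Neither check sees the DAV/Hotmail mode, which leaves the network on port 80 and has to be found from the destination hosts or the HTTP content instead.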

If you have any more information about this problem, please post it in the forum and it will be added to this FAQ. Specifically, it would be nice to bring this malware into "the lab" and figure out its exact operating parameters: how to remove it, how to detect it, and what exactly it does. One theory about how it is controlled is that it polls a secret URL to receive instructions on what spam to send, and who to send it to. Another theory is that it logs onto a secret IRC channel to receive commands (a tried-and-true control method).

Update:

One possible route of infection may be exploitation of a buffer overflow in Microsoft IIS 5.0. Microsoft has released a patch to correct this vulnerability. Information and links to the patch are available at http://isc.incidents.org/analysis.html?id=183
