Spammers Release Virus Programmed to Attack Spamhaus
Statement

Category: Report
Updated: 2022-04-10
Statement Ref: S010

In June 2003 Spamhaus warned governments and industry that Russian/East-European spam gangs had progressed from spamming through open proxies to developing sophisticated computer viruses. These viruses were designed to infect hundreds of thousands of end-user/home-user computers sitting on residential broadband/ADSL lines with malicious code, turning each infected machine into a 'zombie' machine, AKA a 'bot', controlled by the spam gang.

On November 1st 2003, a Russian/East-European spam gang released a Trojan worm virus codenamed W32.Mimail.E. Like other Trojan worm viruses released before it, W32.Mimail.E was designed to install a malicious program (in this case a file called "foo.exe") which used users' address books to send a copy of itself onwards to each email address it found. There, however, the similarities with previously released spam viruses ended, because the job of W32.Mimail.E was not to use the infected host computer as an anonymous spam relay, but to immediately begin attacking the Spamhaus website, www.spamhaus.org.

Two days later, on 3rd November 2003, a second virus codenamed W32.Mimail.H was released. It too carried out a Distributed Denial of Service (DDoS) attack against www.spamhaus.org.

On December 1st 2003, yet another Mimail virus, W32.Mimail.L, was released. Like the others, it too conducts a dDoS attack on www.spamhaus.org, but it also goes further. W32.Mimail.L claims to come "From" a spamhaus.org address, 'billing@spamhaus.org', and the message the virus delivers is designed to provoke the biggest reaction possible from millions of victims: the Subject of the virus email is "We are going to charge your credit card". The message tells users that unless they respond by emailing a spamhaus.org address, Spamhaus "will bill your credit card for amount of $22.95 on a weekly basis. Free pack of child porn CDs is already on the way to your billing address."

In early 2003 spammers, crackers and virus writers joined forces to launch the first known spam virus, W32.SoBig.E, a Trojan designed to infect computers worldwide to create an arsenal of proxies/zombies through which spammers could send billions of spams anonymously. Up to 60% of all spam is now sent using virus-infected computers.

While SoBig was the most famous spam virus, a more sinister virus known as Fizzer was released before it, in May 2003, by a now-known group of spammers involved in "porn & pills" spamming, dDoS cyber-attacks and credit card fraud. Fizzer (W32.HLLW.Fizzer) is a widespread Trojan worm which spreads by emailing itself to contacts in Microsoft Outlook and Windows address books. The purpose of Fizzer is to install a miniature web server (on which spammers then host rapidly-moving "porn & pills" web sites linked to from spams), an IRC backdoor enabling the spammer to control the infected machine, and a DoS attack tool specifically for attacking anti-spam organizations.

As spam from virus-infected computers soared in mid 2003, spammers began using their new armies of infected 'zombies' to mount attacks against anti-spam systems, including Spamhaus, which stood in the way of them spamming millions of Internet users.

Beginning in early July 2003, Spamhaus servers came under massive distributed Denial of Service (dDoS) attacks by thousands of virus-infected computers throughout the Internet. Over the course of the summer we sustained intensive dDoS attacks from a number of different spam gangs, but were able to thwart the attacks thanks to our large distributed network capable of absorbing attacks, and thanks in no small part to the engineering skills of the server administrators running Spamhaus' servers. Other anti-spam systems weren't so lucky: during August and September 2003, four anti-spam systems were forced into closure under overwhelming dDoS attacks.



Copyright © 2022 The Spamhaus Project SLU. Reproduction from "Spammers Release Virus Programmed to Attack Spamhaus" is permitted provided you quote the source as "The Spamhaus Project" and provide a link to the source url: https://www.spamhaus.org/organization/statement/10/spammers-release-virus-programmed-to-attack-spamhaus