Make Love not Spam now a nasty Trojan
Virus writers have begun distributing their wares in emails that pose as Lycos's abandoned "Make love not spam" screensaver.
The fake screensaver emails contain an attachment with a RAR SFX archive that has embedded key logger Trojan inside, antivirus firm Sophos warns. Infected emails come in emails with subject lines such as "Be the first to fight spam with Lycos screen" and an attachment called "Lycos screensaver to fight spam.zip".
Upon successful installation, the key logging Trojan (Mdropper-IT) sends a message to an Indonesian email address confirming its status. The screensaver file, rather than displaying the Lycos screensaver, displays a blank screen.
"Make Love Not Spam" was designed to bombard spam websites with requests, so increasing their bandwidth charges without - in theory - shutting them down. Security firms criticised Lycos's use of "vigilante tactics" especially when two of the targeted websites became unavailable. Several major internet backbone providers and ISP blocked access to Lycos' www.makelovenotspam.com website over concerns over its questionable legality.
Lycos denied it was doing anything wrong, much less creating a DDoS attack platform, but it suspended screensaver downloads after spammers began redirected traffic back to makelovenotspam.com.
This won't necessarily stop people falling for the VX ruse, unfortunately; fake Lycos screensavers will likely become a staple of social engineering tricks for weeks to come
December 3
Lycos Europe appears to have taken down its controversial MakeLoveNotSpam site - temporarily, at least. The site now displays a graphic and the words "STAY TUNED." References to the site have also been removed from the Lycos Europe home page, where it was prominently featured, monitoring firm Netcraft reports.
Lycos this week released a screen saver that bombards spam websites with data to increase their cost of running such sites. But according to Netcraft the campaign has already knocked out some sites completely.
Lycos so far maintains that it has been careful to avoid completely shutting down the sites it targets as such distributed denial of service attacks (DDoS) are considered illegal in many European countries and the US.
Lycos has also shifted IP addresses from 83.241.136.230 to 213.115.182.123, which are both hosted by Starring, a Swedish advertising agency which is apparently working with Lycos Europe on the site.
The IP transfer is almost certainly the result of spammers redirecting traffic back to www.makelovenotspam.com, which means Lycos unintentionally launches a denial-of-service attack against its own anti-spam campaign web site.
To prevent further attacks by users, several major internet backbone providers and ISP’s are now blocking access to the Lycos web site, including Global Crossing's worldwide network.
DECEMBER 1st :
Lycos's vigilante attack on spammers has been hit by a vigilante attack. Spammers are suspected.
Lycos is offering a screensaver which, once downloaded, would launch a Distributed Denial of Service attack against spam websites. A DDoS attack makes constant requests to a specific part of a website until it gets overloaded and falls over. Such attacks are illegal in most countries. Security firm FSecure advises people not to download the program because of legal concerns.
The "makelovenotspam" campaign was launched yesterday but within hours the front page was replaced with the message "Yes, attacking spammers is wrong. You know this, you shouldn't be doing it. Your IP address and request have been logged and will be reported to your ISP for further action."
At the time of writing the site - www.makelovenotspam.com - was unavailable.
Lycos told ZDNet that no attack had happened. Chief spin doctor Malte Pollman said: "This is a hoax. We have obviously reached our goal and are getting to the spammers. On our servers we don't have any logs of an attack." The company also denied it was launching denial of service attacks - just that it was reducing bandwidth to five per cent.