Artists Against 419 Releases Mugu Marauder

An anonymous reader writes "Similar in scope to the (now defunct) screensaver created by Lycos that targeted spam sites, the newly-released Mugu Marauder is intended to take fraudulent bank sites off the air by sponging up their bandwidth. Mugu Marauder can be downloaded at www.aa419.org/mm/ It's currently only available for Windows, though a Linux port is allegedly in the works."

FP

[michaelhood (667393)]

Beware of getting slammed by your ISP with a "friendly" letter, after consuming tons of bandwidth using something like this.

Re:FP

[by Anonymous Coward]

Great, instead of contacting the hosting companies involved we DDOS them. Most scammers use shared hosting (usually signing up with a fraudulent credit card) and hence any such attacks can affect the whole server taking out hundreds of web sites, and even a whole subnet if network traffic is high too.

I disagree, It's actually a good idea

[by Anonymous Coward]

Most scammers use shared hosting (usually signing up with a fraudulent credit card) and hence any such attacks can affect the whole server taking out hundreds of web sites

That's a bonus!!!! If those affected website owners complain enough then the ISP will pull the offender!

Re:FP

[andynz (686071)]

A lot of the 419 sites use cheap or free hosting services. The goal of these tools is to exceed the allocated bandwith of the site, and possibly to make the hosting companies take notice. Every site targeted has already been brought to the attention of the hosting companies involved. If they cannot be bothered doing anything about it they should be prepared for the consequences.

Re:FP

[Jugalator (259273)]

Beware of getting slammed by your ISP with a "friendly" letter, after consuming tons of bandwidth using something like this.

So, how much data do you send/receive?

It's hard to judge the relevancy of what you say without knowing that.

Re:FP

[Jugalator (259273)]

Off-topic? Maybe I should clarify:

With "you" I meant "you as a user of this tool".

So...

How much data do this software transfer?

1 MB / month? As much as it can?

This is highly relevant to the "getting slammed by ISP for consuming tons of bandwidth", especially since this software may not consume "tons of bandwidth" at all. It would be very helpful to know how much it consumes.

Re:FP

[BlkSprk (840773)]

You can set how much of your bandwidth it uses. I uncapped it and im pulling some 376 KiB/S... im having fun testing bandwidth

Ha!

[by Anonymous Coward]

Why not just post a link to them on Slashdot.

Yay (*sigh*)

[n0dalus (807994)]

Once these sites get hit they redirect the dns towards legitamate services and change addresses.
So this will probably just end up DDoS'ing the real banks instead of the fake ones, these fake banks move around a lot and create extra damage in their wake as a result of something like this.
Fighting fire with fire just doesn't work like it should.

Re:Yay (*sigh*) - Attack the IP, not the domain

[MTO_B. (814477)]

Well, as a starter, most of these fraudalent sites work IP based because they dont have the real domain.
So I'm guessing this problem you mention would not happen if you just attack the IP. When you attack the IP you'd be attacking their server, even if they point their domains to some other site.

Re:Yay (*sigh*) - Attack the IP, not the domain

[liquidpele (663430)]

Some have domains, some don't... but attacking the IP is definatly best.
I think a better solution would be to input false data in the forms over and over again from random spoofed IP addresses so any info they get is bogus. Can you spoof IPs to do that? I'm not sure if the tcp/ip would required a handshake and what not first.. but it would be cool.

Re:Further...

[numark (577503)]

I bet that if they redirected the DNS to your server's IP, you wouldn't be referring to it as a "null address."

Re:Further...

[lachlan76 (770870)]

You will however be the target of a DDoS.

another dumb idea

[RMH101 (636144)]

Just like the Lycos screensaver that strangled spammer's bandwidth by not-quite-DDOS-ing them, this is a stupid idea. Legally you'd be opening yourself up to all kind of problems running this kind of thing: ISPs don't tend to take to kindly to this sort of denial of service attack.
It's not sexy, or headline-grabbing, but the correct way to go about this is the same as it's always been: go after the ISPs to pull their accounts. If they're RFC-ignorant, add their IP blocks to the usual blacklists until they comply or are connected to an intranet.

Re:another dumb idea

[ForestGrump (644805)]

The idea behind AA419 DDOS is that the hosting providers have been either unresponsive or unwilling to pull their accounts.

The extreme measure is to consume the alloted bandwidth to the account and thus take the fake bank offline.

Grump

Re:another dumb idea

[maztuhblastah (745586)]

As an actual member of 419eater, I feel compelled to feed the troll, or at least respond to it. As it stands, we have code that spiders the sites and checks if a bandwidth limit exceeded page has been reached. When it has, the hitlist is updated to no longer have that target on it. We have yet to have a hoster tell us we're DDOS'ing them...mainly because we have never, and will never DDOS them. We only try to exceed the bandwidth limit, not knock out the server.

-maztuh

Re:another dumb idea

[StillNeedMoreCoffee (123989)]

Well bandwidth on the internet is an issue. Using it up for this type of "operation" is stealing bandwidth from everyone else. Then there is always the problem with trusting that your code does what you say and that all the sites targeted are ones that are evil.

Who makes that choice? Do the sites have any recourse to appeal if you make a wrong decision?

Is the code which turns someones PC into your Zombie ever at risk of your benevolent control being taken over by someone else, or someone in your group wi

Linux/unix version

[CvD (94050)]

Copy & paste the sites that are listed on the front page of the link in the article into a file called sites.txt, each on one line, and then run the following command:

while true; do wget -q -i sites.txt --delete-after ; done

A daemonized version shouldn't be that hard to write, just have it parse the URLs on the front page out every day, and re-run wget on the new list.

Happy marauding...

Re:Linux/unix version

[fire-eyes (522894)]

For more fun use the -U flag for wget, passes the string on as the referrer.

Such as:

-U "SLASHDOTTED 1.0/A"

-U "AND IF YOU DON'T LIKE IT, THEN HEY FUCK YOU"

-U "[insert long string here to flood logs]"

etc.

Lad Vampire

[apikoros (774290)]

I like this, but prefer the lad vampire [aa419.org] at the same site. There is something somehow more satisfying about watching the images flash by.

Just put it in a browser tab and let it run!

Re:Lad Vampire

[spoonyfork (23307)]

I abhor vigilantism but lad vampire [aa419.org] itself is an interesting, if not informative, concept. I wonder if the stock images used by the faux banks on their sites were legally paid for? If not, that kind of copyright infringement could be a potential legal argument brought against them, exposing their falsehood.

I giggled when I read one of the fake banks was named fichnet.net [fichnet.net]. At least some of the scammers have a sense of humor.

Gee, thats great

[gowen (141411)]

Vigilante justive via DDOS. Well, that won't set a horrible precedent for people knobbling the web site's of those they don't like. Who's next? Radical pro-life groups DDOS'ing websites with abortion information?

(Yes, I know this has a slippery-slope element to it, but there are plenty of activist groups out there willing to be vigilantes, because they believe their actions to be either unambiguously moral, or divinely inspired.)

Re:Gee, thats great

[geminidomino (614729)]

Umm, no. It's a slippery slope. There was no ad hominem anywhere in the GP post.

Re:Gee, thats great

[gowen (141411)]

Or that. It was an example, not and exhaustive list. Would you like me to have enumerate *every* possible example?

In short, I'm merely pointing out that accepting certain types of anti-social, vigilante behaviour (DDOS) *only* because we belive in their cause (hurting scammers) leads us very difficult moral ground when people with whom one does not agree use the same tactics.

Think about it.

[Sheetrock (152993)]

One successful 419 scam (where they soak some victim for hundreds of thousands of dollars) will pay quite handily for one of these fake websites, DoS or no DoS.

On the other hand, the rest of us pay thrice: once for the victimization of regular people not yet wise to this game, once for the waste of bandwidth because of the huge amount of spam being sent out for this scam, and now once for do-gooders pumping loads of worthless data back through our shared Internet at these websites, which are replaced faster than they go down.

On the surface it looks like a good idea, but it's just adding to the damage like all these other vigilante anti-spam tactics. A better technical solution already exists; switch from e-mail to instant messaging within a company and save all your instant messages.

Re:Think about it.

[macshit (157376)]

A better technical solution already exists; switch from e-mail to instant messaging within a company and save all your instant messages.

You've got to be kidding...

That's like switching to pogo sticks because you're afraid of car-jacking.

How about instead: (1) use less brain-dead mail clients, and (2) educate your employees so they're not (quite) so brain-dead themselves. The advantage of being a company is that you can actually do these sorts of things.

[I know, I know, some companies demand brain-death. I suppose it's pogo sticks for them.]

Is this

[by Anonymous Coward]

legal?

Re:Is this

[DaHat (247651)]

Probably not.

It's kinda like stealing pot from a dealer, chances are, he's not going to report the theft.

Regardless of what is worse, 419ing of DoSing, both are bad and both are illegal, and just like copyright infringement on P2P, people will try to justify it "it's not like I am going to pay for it anyway" and "they already have enough money".

Leave well alone

[mattbee (17533)]

I don't care who you're or how pretty the screensaver, just don't download programs for network abuse like this and expect your ISP to take it lightly. If you really want to take action against a phising site, call the ISP hosting it and complain to them. Same principle, less innocent parties affected along the way. If you don't get a response from that ISP, call the ISP further upstream... this is how we deal with network abuse; it's slow but it's legal, and it works.

Re:Leave well alone

[Leperous (773048)]

Or if the ISPs don't respond, pretend you're a reporter for a newspaper, or some other "authority" that'll make them at least look into it.

Re:Leave well alone

[Pastis (145655)]

I've just done it yesterday and they closed the account within minutes.

See here: http://support.beamhost.co.uk/helpdesk/view.php?t i cketid=6360&auth=8f64e9b4

The site is probably going to reopen somewhere else. But I've probably spent less time than it takes for them to reopen it.

What's needed is a program that automates that.
You feed it an URL and the program automatically search for a contact email (e.g. abuse@) and prepares an email for you to send.

Then as most phishing sites are introduced by sp

Why a binary?

[eddy (18759)]

>It's currently only available for Windows,

Why? I once saw a webpage that did this using only javascript. A simple page reload would give you updated arrays of images which your browser then loaded over and over and over again to exhaust the spamvertized sites bandwidth.

This is just an insanely stupid idea

[October_30th (531777)]

Similar in scope to the (now defunct) screensaver created by Lycos that targeted spam sites

And will probably work just as well... vigilante justice never works and should not be tolerated.

Re:This is just an insanely stupid idea

[October_30th (531777)]

Not until such punitive action has a basis in the law which, in turn, are set by your national, democratically elected body.

What you're referring to is the tyranny of the majority. In a representative democracy even the majority can't dictate all the rules - and that's a very good thing.

DDOSing is *not* illegal.

[hummassa (157160)]

At least, not in my jurisdiction. Anyway, is it illegal in the US? As in, is it a criminal offense? Down here, a DDOS may be considered a civil illicit...

Please somebody DDoS them.

[Kickasso (210195)]

aa419.org, that is. They apparently think it's legal and acceptable, so they won't complain.

Re:Please somebody DDoS them.

[cliffy2000 (185461)]

They're on Slashdot's front page. Isn't that cruel enough?

Re:Somebody else is a dumbass.

[DrunkenTerror (561616)]

From http://aa419.org/content/bandwidth.php [aa419.org]:

"Every image on our web site is hosted on a 419er's server."

So when you load their website, it also pulls images from 419-scam sites. Do you understand?

Apparently...

[Tuxedo Jack (648130)]

It assigns a UID when the installer is run.

Each one is something like this:

620ad934fc97bebb65f77bc883211351

That makes me wonder - just what does each one represent?

Spamming back the scammers?

[Serious Simon (701084)]

What about a program that enables you to automatically send fake responses to a 419-scam e-mail, using different FROM: addresses and variable contents, so they cannot be easily identified as such?

Imagine a 419-scammer sitting in an internet café in Lagos, getting thousands and thousands of mails appearing to be from people genuinely interested in the proposal, and having to follow up on them all just in case one or two are from real persons...

doesn’t work with websense

[capoccia (312092)]

websense (at least how it's configured here) blocks access to all the sites mugu is trying to download from. i'll have to try it from home.

Why the pan?

[Joseph_Daniel_Zukige (807773)]

The implementation sucks. Who needs a screensaver?

But there's a seed of a good idea here, if you throttle it. It would not take any serious bandwidth hogging to crud up the phishing net with data that the phisher has to carefully check by hand because it could lead the police to him/her. Likewise the spammers. Eat their profits by eating their time.

Taking networks down to squash the cockroach is bad, but there is no reason not to lay a little boric acid out, so to speak.

No mention of today's flash mob or Linux scripts??

[goldfndr (97724)]

The site is currently sponsoring a flashmob [aa419.org] in celebration of Chinese New Year. It started 2005-02-08 at 16:00:01 GMT and lasts 48 hours.

One of the links from the flashmob page is for bash scripts suitable for Linux/*nix [aa419.org] (and presumably OS X et al).

Block list

[blackest_k (761565)]

It makes far more sense for a centralised block list, regularly updated, hosted by a reputible body.

A small change in functionality to your web browser so that when you attempt to connect to a site on your blocklist. your browser informs you and the reason why and then asks you if you want to proceed anyway.

its a much more economic use of resources and could be added to by local police agencys as victims become known or perhaps a phishing notify button added to our browsers.

when we wander upon a site thats dodgy that url can be passed on to the hosts of the blocking lists, a site would be verified to prevent malicious use and if checked out as being ok, it wouldnt be reexamined till a certain number of other referals took place.

No waste of bandwidth, no denial of service attack on any site just a hazard warning in your browser that the site may be harmful.

perhaps the banking sites might even care to host such a list.

They released him?

[famebait (450028)]

You mean to say Artists Against 419, after finally capturing Dr. Mugu Marauder, are now releasing him?

As always the "experts" assume too much.

[mugu_marauder (857722)]

It is nice to know that the IT industry is full of experts who fail to do the first thing when presented with something new..... Try researching things guys. 1. The Mugu Marauder operates exactly the same as a web browser repeatedly refreshing with no cache on a specified list of target URL's (normally images because they typically have a large filesize compared to HTML pages). 2. The UID number generated for the application is used to tally stats for individual users, so just drop the paranoia. 3. FFS The sites targetted ARE NOT related in any way to legitimate banks. As I said if you did a little research before sprouting your "me too" crap you might realise just EXACTLY The Artists Against 419 are fighting against. 4. A DoS attack is defined as the act of deliberately trying to make a service on the attacked machine unavailable by flooding it with requests, sometimes using deliberately corrupted data packets. Now, I dont know where you tool come from or whether you sympathize with cyber criminals or are simply too dense to comprehend ths. We are downloading images from *CRIMINAL* fake banks after having tried to contact the hoster and shut down these *CRIMINALS* in vain at least two times or mopre. Then, and then only, do we actually start trying to deliberately exceed the allowed bandwidth of these *CRIMINALS*, so they cant use their bogus banks to prey on unsuspecting victims. It is *NOT* an attack on the servers, but on the *CRIMINAL* websites only.

Dear Sir

[Flakeloaf (321975)]

Dear Verizon Subscriber:

I am Dr. Muntange Dwambo, the nephew of the director of your internet service provider's Accepatble Use Enforcement division.

It has come to our attention that you are consuming an unusual amount of bandwidth. I am therefore here to give you a one-time opportunity. My uncle has recently passed away, and left me in control of THREE HUNDRED THOUSAND GIGABYTES PER MONTH of bandwidth. Unfortunately that bandwidth is only available to Verizon subscribers, and that company does not yet offer their services in my native Nigeria.

Pointless again...

[Da Web Guru (215458)]

Of course, this will have no real impact on taking down phishing sites. The people that set up most phishing sites follow these simple steps:

1) Find a vulnerable server and root it, or get just enough access (through something like a phpBB exploit) to upload a phishing site to the right directory. They will end up with a URL that probably looks like "http://aaa.bbb.ccc.ddd/online/wamu.html". Phishing sites don't bother with mundane details like DNS or domains (waste of time and energy) because the URL will be conviently hidden with javascript by your favorite HTML email client anyway.

2) Repeat the above step as often as you like to have a "cluster" of phishing sites.

3) Send out tons of spam advertising the phishing sites, randomly picking one of the above URLs to use for the login page.

4) By the time the phishing sites are detected, reported, and disabled (could be as long as a week or two or four), hundreds of people could have attempted to log into each of the fake login sites.

5) In most cases, the owner of the server being used for the phishing site is completely oblivious of the phishing site. (The rest of their web sites are working fine, so why should they be aware of any problems?) DDoS'ing them will only attack a confused victim.

You could use this software....

[AviLazar (741826)]

or just link the offending website on /.

anonymous

[glassesmonkey (684291)]

Seems to me that filling their dB with useless information would be more effective. (Increasing the victim to fake ratio). These forms are where they are actually taking bank acct numbers. Taking their bandwidth is s temporary band-aid when they are opening webhosting accounts for free, or at most $5.

Couldn't someone make a bookmarklet or javascript to fill forms with fake info? Here are some of the forms they use to get personal information.

http://www.raboswiss.com/housec/ACCSETUP.HTM [raboswiss.com]
http://www.swissroyallbank.com/onlinebanking/getst art.php [swissroyallbank.com]
http://www.kashbankcorp.com/contact_us.php [kashbankcorp.com]
http://www.alphapbonline.com/aibb/online_servces.h tm [alphapbonline.com]
http://www.alliance-ctb.com/ebank/apply.asp [alliance-ctb.com]
http://www.libertystrongholdgroup.com/aindex.html [libertystr...dgroup.com]
http://www.fichnet.net/contact.php [fichnet.net]