Sunday, November 19, 2006

Spam, Botnets, Pump-and-Dump, and Armageddon

Spam has become such a common part of life with e-mail these days that even bringing up the topic in casual conversation has become boring. Boring, that is, unless the conversationalist brings something novel and interesting to the dialogue. If that's true for casual conversations, then it's absolutely true for blogs and other forms of monologue.

Maybe considering volume and percentages helps. I estimate that I receive about 120 spam e-mail messages daily on my personal e-mail account. Because my corporate account is pre-laundered by an external service before e-mail arrives in my Inbox, it's a little more difficult to discuss absolute numbers and percentages (we use Postini's Enterprise Email Protection Service). About 52% of our corporate e-mail is either blocked or quarantined for further review.

My experiences reflect the overall historical situation. In 1978, an e-mail spam was sent to 600 addresses. By 1994, the first large-scale e-mail spam was sent to 6000 bulletin boards and eventually reached millions of people. By June 2005, the volume of spam had reached 30 billion per day. By June of 2006, that number had risen to 55 billion spam e-mail messages per day. About 80-85% of all e-mail messages globally are now "abusive" e-mail (see e-mail spam on Wikipedia).

OK, so maybe even talking about absolute numbers and percentages isn't all that interesting. What I do find interesting, though, is that digging a little deeper into the phenomenon of spam reveals alarming changes that go well beyond simple numbers. I'm thinking here of botnets, so-called pump-and-dump, international e-mail crime gangs, and the advent of Armageddon.

Here's a recent example. In the past few weeks, there has been a surge of spam for penny stocks and penis enlargement pills. Evidently, the surge has been tracked back to a gang of Russian hackers who have cobbled together a botnet of 70,000 peer-to-peer computers in as many as 160 countries worldwide, which uses the SpamThru Trojan to do the dirty work. Botnets are "broadband-enabled PCs, hijacked during virus and worm attacks and seeded with software that connects back to a server to receive communications from a remote attacker" (Is the Botnet Battle Already Lost?, 16-Oct-2006, eWeek). Computers controlled through botnet technology are generally called zombies. They provide the mechanism whereby spam is generated and delivered, bringing back billions of dollars in revenues to the gangsters.

How prevalent and dangerous is the threat? Since January 2005, Microsoft's Malicious Software Removal Tool has removed at least one Trojan or bot from 3.5 million individual computers. When those computers were compromised by the hidden code, they exemplified the first of the 10 Immutable Laws of Security: Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

How does the bot herder get you to run his program on your computer? Through either a vulnerability on your computer or a weak password. As Jesper Johansson says, "The only thing that stands between attackers and the end of the world is a password." (see Assessing Network Security, p. 11).

It may be a little early to tell whether the good guys can fight back and delay the advent of Armageddon. But it is clearly the case that the sophistication of the bad guys is alarming. The SpamThru trojan, for example, is not only being used in a very effective spam campaign, it is also evidence of malware that is as complex and feature-rich as many commercial software programs. This trojan, for example, has its very own anti-virus scanner embedded within its code - a pirated version of the Kaspersky AntiVirus for WinGate. The AV scanner is used by the trojan to eliminate rival malware files that would get in the way of maximizing the volume of spam e-mail sent from the zombie computer. That is very clever and very disturbing.

The SpamThru trojan also builds its spam from templates downloaded to the zombie, and it uses challenge-and-response authentication with the template server so that rival malware on the same machine cannot fetch and steal those templates. Not only is that clever and disturbing, it might even be worthy of a conversation around the water cooler on Monday.