Over the past six months MessageLabs’ CTO, Mark Sunner, has noticed a disturbing trend: Spammers are using virus-like methods to send out more and more spam.
The recent round of Sobig attacks is a good example, he said. Not only did the Sobig.F virus have an amazingly effective email engine, it also left in its wake a string of back-door Trojans spammers could then use to hijack machines as launch pads for more spam.
Working with SpamHaus, a U.K.-based, real-time blacklist (RBL) provider that tracks open relays, or proxies, on the Internet, MessageLabs found a direct link between the number of viruses on the Internet, like Sobig and LoveGate, which both leave open proxies in their wake, and the amount of spam being generated by spammers, said Sunner.
“This is something we’ve been watching as a growing trend almost in tandem with the up-surgence in spam,” he said. “Currently, over 66 percent of the spam we’re intercepting is coming from machines that are infected with open proxies. So the majority of spam… is actually being generated by machines infected in this way.”
Sunner contends this was probably the real purpose behind Sobig.F. But, because its email engine was so effective, it backfired and now its author(s) are lying low, fearing arrest and jail time.
“That actually probably was not the effect the author was looking for because they were looking to compromise lots of machines and use them as launch pads for spam,” said Sunner.
While not as convinced as Sunner that Sobig.F was written either by spammers or with their interest in mind, Charles Taite, CTO of Beginfinite, which markets Gwava e-security products for Novell Groupwise, agrees the two camps are borrowing from each other and using similar tactics.
“There’s certainly good evidence that spammers are getting more brazen and they’re using the technology that virus makers are using to open relays and spread more spam,” he said. “It’s a pretty safe assumption.”
Untraceable Open Door to Internet
Where Taite sees real evidence of this is in the denial-of-service attacks being carried out against RBL service providers. RBLs scan the Internet looking for open proxies and compile those IP addresses into a blacklist. Subscribers can then download the list in real time and use it as a filter against which incoming email is compared. If there is a match, the email is rejected.
Spammers hate these services because they force them to continually change IP addresses. The best way to do this? Either use your own scanning software to locate open proxies, or, even better, send out a virus that opens them for you. The user never knows his or her machine is being used to send spam and, until the IP address is found and blacklisted, the spammer has an untraceable open door onto the Internet, said Taite.
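The filtering step described above, as an added Python example that is not MessageLabs', SpamHaus's or any vendor's code: it loads a downloaded blacklist of open-proxy addresses (a constructed sample using documentation address ranges) and rejects a message whose connecting host is listed. It reads only the topmost Received header, the one written by the receiving mail server itself, because lower headers arrive from the sender and can be forged; the header layout assumed is the common `from host (host [ip])` form.

```python
import ipaddress
import re

# Constructed sample of the flat list an RBL subscriber might download:
# one IP or CIDR range per line, '#' starts a comment.  The addresses are
# RFC 5737 documentation ranges, not real open proxies.
SAMPLE_BLACKLIST = """\
# open proxies seen in the last hour (constructed sample)
192.0.2.45
198.51.100.0/24
"""

# Constructed headers of a message relayed through a listed host.  Only the
# topmost Received line was written by our own MTA; the lower one came from
# the sender and could be forged, so it must not be used for the check.
SAMPLE_HEADERS = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.com with SMTP; Wed, 3 Sep 2003 10:02:11 +0000
Received: from pc.example.org (pc.example.org [203.0.113.9])
\tby relay.example.net with SMTP; Wed, 3 Sep 2003 10:01:58 +0000
From: someone@example.org
"""

RECEIVED_RE = re.compile(r"^Received: from \S+ \(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.M)

def load_blacklist(text):
    """Parse a downloaded list into ip_network objects (single hosts become /32)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_listed(ip, nets):
    """True if the address falls in any blacklisted host or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def connecting_ip(headers):
    """IP from the topmost Received header, i.e. the host that spoke to us."""
    match = RECEIVED_RE.search(headers)
    return match.group(1) if match else None

def should_reject(headers, nets):
    """Reject when the connecting host is on the current blacklist."""
    ip = connecting_ip(headers)
    return ip is not None and is_listed(ip, nets)
```

Because listed hosts are abandoned for fresh ones as soon as they are blacklisted, the list has to be re-downloaded frequently rather than loaded once.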
Symantec’s Sharon Rukman, senior director for Security Response, hasn’t necessarily found a direct link between virus writers and spammers, especially when it comes to Sobig.E and .F, but agrees with Taite that there are overlapping techniques being employed by both camps.
“(Sobig.E) was opening up proxy server channels and with that, if somebody knows that somebody’s machine is infected, they could get in and use that machine to send out spam,” she said. “The question that we have not been able to verify is did Sobig happen because spammers chose to put it in? Or, was Sobig available and then spammers realized they could use it and went ahead and sent out spam?”
Either way, the result is the same: more spam. Over the past six months, spam has increased dramatically and, in the same time frame, the nature of viruses has changed as well, said Sunner. Less destructive but more pervasive and faster-moving payloads seem to be what writers are going for these days, he said.
“The main trend that we can really put our fingers on is what we’ve seen with the most recent viruses,” said Sunner. “Viruses like Sobig don’t have a malicious payload. (But) [w]ith the amount of machines that were compromised, that gives you an absolutely vast spamming array.”
And with that array spammers can generate large sums of cash, which may explain why all of this is happening in the first place, he said. Writing viruses used to be about notoriety or the challenge, but, with the amount of money to be made from the unsuspecting, those motives seem to be changing.
“With spam there’s money in this, which is basically appealing to a completely different type of individual,” he said. “There really is, in some cases, a vast commercial gain to be had so it’s a great way to exploit the massive emailing powers you can generate by using virus-type technology.”