The Evolution of Spam, Part 1: New Tricks
"Storm uses complex programming techniques to automatically repackage itself," remarked Randy Abrams, director of technical education at ESET. "It's a bit like someone changing their costume at a party every five minutes. Inside it is the same, but outside it looks different. ... The Storm authors look at how they are being detected and then devise counter attacks."
Nov 13, 2007 4:00 AM PT
It's not a comforting thought, but while you're sleeping peacefully, your PC may be hard at work acting as a spam server or peer-to-peer node, providing processing power to a malware network engaging in any of a variety of criminal activities online.
Spam is being used by botnet operators in a multiplicity of new forms -- such as those behind the now prolific Storm spam-malware hybrid -- to build distributed robot networks, or botnets, made up of spam recipients' enslaved "zombie" PCs. Taken together, the zombie armies provide raw processing power rivaling, and sometimes even surpassing, that of the most powerful supercomputers.
What's especially disturbing is that some legitimate businesses and regulatory and enforcement regimes are complicit, in that they make it more difficult than it needs to be curtail the problem.
"Spam is much bigger than the Storm worm," Randy Abrams, director of technical education at ESET, told the E-Commerce Times.
"Not the least of the problems is the American Congress legalizing spam through the 'Canned Spam Act,' which companies like Microsoft strongly supported," he maintained. "The spammers have very big businesses backing their efforts. Any company that supports 'opt out' instead of 'opt in' is an integral part of the problem."
Storm's combination of spam and malware has infected an estimated 10 million PCs, though the number is constantly changing. However, there's really no way of knowing how many PCs are infected at any one time.
"In reality, it is a dynamic number," explained Shane Coursen, senior technical consultant at Kaspersky Lab.
"The number of Storm-infected machines is in constant flux. Nobody really knows the exact number of Storm-infected machines that exist in the world, but you can be assured it is quite a significant amount," he told the E-Commerce Times. "New machines are constantly being folded into the Storm botnet, just as machines already compromised by Storm are being cleaned and removed from the botnet."
Another thing that's changing is the degree of sophistication and the scale of the botnets spam manufacturers now employ.
"Spam continues to get more sophisticated. Over the past 12 months, we have seen the evolution of spam mutation change as much as it did over the entire previous decade," noted Troy Saxton-Getty, vice-president and general manager at St. Bernard, developer of the LivePrism on-demand e-mail and PC security platform.
"The significance is that detection methods are needing to evolve just as quickly," he told the E-Commerce Times.
"Every day, spammers make tools and use methods to get around the current defenses available in the market," said Saxton-Getty. "It takes only a number of weeks to see the majority of spammers utilizing these same methods, which on a given day can decrease our effectiveness significantly."
This, of course, means that spam detection and prevention specialists have to run faster and do more to keep up.
"Anti-spam defenses are having to deploy multifactor solutions to maintain the same level of detection as they once had with single factor tools," Saxton-Getty pointed out. "This means an increase in the time it takes to process through multiple tools, an increase in cost of goods to the service or appliance vendor, and it opens up the potential for an increase in the false positive rate."
Following a brief period of quiescence, massive Storm-driven spam attacks are once again lighting up security researchers' radar screens. Spam links to MP3 audio files, YouTube videos and Adobe .pdf documents are being used to gull recipients into downloading infected attachments and visiting Web sites that serve as malware distribution nodes -- further infecting their PCs and turning them into part of a network of remotely controlled zombie slaves.
This latest evolutionary wave follows an earlier Storm-driven spam onslaught in which recipients were lured into pump-and-dump stock trading schemes.
The first mass mailing of stock trading spam used specially crafted graphics files that contained background noise, as well as Adobe .pdf files, which at the time were not detected by spam filters, according to Kaspersky Lab.
Storm and other spam creators are notorious for making creative use of timely events and topics -- dancing skeletons for Halloween, cheap pharmaceuticals, messages touting links to popular YouTube videos, e-greeting cards, and ads for credit report services -- in order to entice recipients to open file attachments or follow links to infected Web sites.
Storm spammers, in particular, are also known for their innovation when it comes to evading spam filters and other network and PC security defenses.
"Spammers once again made several attempts to modernize the technology used in creating graphical attachments in spam e-mails (image spam) during the first six months of 2007," Kaspersky researchers note in a recent Viruslist report.
"For example, in February 2007, renewed attempts were made to use with animated graphics, which spammers had all but abandoned by the end of November 2006. This new type of animation differs from the previous type in that the source image is broken into fragments, and each fragment is skewed at a different angle," the report states.
Image spam is a huge problem for two main reasons, said ESET's Abrams.
"First, simply identifying a known image is not always effective. It is trivial to programmatically alter an image by a few pixels, which breaks traditional identification. There are millions of minor alterations that can be made without visibly affecting the image," he explained.
"Secondly, spammers are using links to images hosted on Web sites. The image itself is not in the e-mail until it is opened. One potential approach is to blacklist Web sites and e-mail addresses," Abrams suggested. "This is somewhat effective, but not only does it require a lot of maintenance -- it isn't foolproof. Images can be stored on hacked Web sites for legitimate companies, and botnets use millions of legitimate e-mail addresses to do their sending."
Resiliency Through Adaptation
Though not usually overtly threatening -- that is, they don't typically embed code that could erase disk drives, disable PCs or install keyloggers to capture confidential data such as passwords -- Storm worms or Trojan horses are proving to be the most adaptable malware yet seen.
Storm spam has demonstrated an ability to adapt and change its own code extremely quickly based on the spam filters and other defenses it encounters while attempting to make its way through network and PC defenses, for instance.
"Storm uses complex programming techniques to automatically repackage itself," remarked Abrams. "It's a bit like someone changing their costume at a party every five minutes. Inside it is the same, but outside it looks different. There are still recognizable attributes of the person, such as size, shape, voice and mannerisms, though. The Storm authors look at how they are being detected and then devise counter attacks."
It's the tenacity of Storm programmers in evading detection that has made it such a high-profile malware, Abrams commented.
"From a spam perspective, it is simply one of a large number of botnets that are used to send out spam. Fundamentally, Storm is no better at spamming than any other botnet," he asserted. "Storm is better at getting itself installed and avoiding detection. That said, ESET's heuristics have been detecting the new variants of Storm proactively for several months now. It is not unbeatable."