The Evolution of Spam, Part 2: New Defenses
Nov 16, 2007 4:00 AM PT
Spam network operators, otherwise known as "botnet herders," are becoming increasingly proficient at evading detection and harnessing the power of peer-to-peer (P2P) computing, much to the consternation of spam detection, prevention and IT security specialists, as Part 1 of this series discusses.
Botnet operators are using spam and recipients' "zombie" PCs to create what amounts to a "shadow" Internet and growing rich in the process. What's more troubling is that the problem is not likely to go away soon. Legitimate companies and businesses are making use of the same spam artists and botnet operators who manage the P2P networks that are also distributing malware. Meanwhile, lax enforcement regimes make the problem much more difficult to combat.
Spam and Storm Genealogy
Security researchers first noticed mass mailings of Storm MP3 spam, now widespread, in August, as part of a stock pump-and-dump scheme aimed at getting recipients to purchase shares already owned by the malware's creators. When the recipient opens the file, he or she hears a distorted female voice advertising stocks in a company called "Exit Only," according to Kaspersky Lab.
Adobe PDF (Portable Document Format) files are among the latest file formats to attract malware creators' attention, prompting the release of security updates for versions 8.1 and earlier of Adobe Acrobat.
Infected .pdf attachments are only one of the file formats used in what has been a resurgence of Storm-driven spam during the first half of this year. Previously, a related wave of spam spread across the Internet, but it included only text messages luring recipients into pump-and-dump stock trading schemes.
"Spammers are utilizing common file types much more frequently, such as the .pdf issue over summer or the ZIP file attachments a few months ago as embedded ways to make the mail message look more authentic and bypass some detection tools," noted Troy Saxton-Getty, vice president and general manager at St. Bernard.
"Migrating from one format to another is as predictable as a shopper in a mall going from one store to the next," Randy Abrams, director of technical education for ESET, told the E-Commerce Times.
"Text, images, documents, spreadsheets, MP3s, etc. are all methods of communicating a message. Any file format that can be used to communicate a 'buy' message should be expected to be included in some form of spam. AutoCAD (computer-aided design) drawings are not likely candidates because not many people have the program required to open them, otherwise they would be used as well."
The Makings of a Shadow Network
While Storm's creators are proving themselves to be adept technical innovators, the key to their success lies in simple social engineering, Abrams continued.
"They simply send out e-mails with links. The titles and promised content are enough to lure the millions of gullible people into downloading and running the executable without having to resort to the use of vulnerabilities. From there, the spam is 'content.' The content is the responsibility of the spammers who pay for the use of the storm botnet for distribution. The use of different file formats for containing the spammed message is not new or revolutionary," he said.
Storm-driven mass mailings appear to be carefully orchestrated, said Kaspersky Lab's Senior Technical Consultant Shane Coursen.
"Instead of sending out a constant barrage of spam, we have seen cycles. As an example, there might be 12-24 hours of activity, where a certain number of Storm-infected machines are commanded to send out spam," Coursen told the E-Commerce Times.
After 12 to 24 hours, the segments of the overall Storm botnet that are being used to generate spam simply go quiet, he said.
"Interestingly, when such spam runs occur the amount of spam/Internet activity generated is significant. This gives insight/evidence as to the size of the Storm botnet. A single spam run as described above may result in 10 to 20 million spammed e-mail messages," said Coursen.
With its on-demand Prism platform filtering millions of messages every day, St. Bernard collects a lot of statistics about spam types, their frequency and points of origination and the methods being used to create and distribute spam.
"It is more common than ever to see spammers deploy Trojan or zombie tools, which are basically virus/malware tools that take over some or all of a user's PC with one deployment strategy -- call it 'Phase I' -- and most of the time [the PC owner or user] doesn't even know," Saxton-Getty told the E-Commerce Times.
Once these are embedded in a PC, botnet herders can move on to Phase II, which involves hooking them all together in a central management system, he continued.
"What this does is allow the spammer to start a spam storm from hundreds of completely different IP addresses for a short period of time, and they string the delivery along the entire herd of zombie machines so they can send millions of spam messages and not trip the 'wire' at many of the ISPs' spam and other detection tools," he said.
"Some of these folks can control thousands of unsuspecting PCs, and the PC itself might only send 20 messages per minute to stay undetected," added Saxton-Getty. "It is pretty amazing."
A botherder's customer base is a mixed and varied lot, according to ESET's Abrams.
"Spammers are probably the biggest customers. These include purveyors of porn, pharmaceuticals and stock scams, among other 'products.' Another customer would be the DDOSer (distributed denial of service)," he said.
"The reasons for renting a botnet for a DDOS attack can include revenge, corporate espionage and blackmail. For example, if you run an online gambling site and I DDOS you, then you can't make any money. If I offer to stop the attack -- for a fee -- and that allows you to stay in business. ... Identity thieves are another customer. Bots can collect all manner of information from the PCs they are installed on."
Adware purveyors are another customer group, Abrams continued.
"Bots can be commanded to download and install adware. The adware affiliate programs pay for installations. Large corporations are definitely complicit. I've received spam touting 'Terminix.' The reason is that an affiliate is being paid to drive traffic. There is no significant deterrent for affiliates to comply with whatever weak policies the company may have. The parent company has no obvious feedback for consumers who receive their unwanted spam. Many companies blindly use affiliate programs without any meaningful deterrent to abusers who use spam."
P2P Control Structure
In addition to the tenacity of their efforts to evade spam detection, Storm creators' use of P2P networking as a control structure makes the hybrid spam-malware botnet extremely resilient, explained Abrams.
"There is no single head to cut off, no centralized command structure to attack. These aren't the Red Coats standing in a neat formation; these are guerrillas scattered across the landscape with known objectives and infrequent need for direction," he said.
Yet more problematic, Storm has detected researchers' efforts to probe its code or defend against it and has retaliated by launching DDoS attacks against Storm researchers' PCs and networks, including subnets and e-mail address lists.
Disturbingly, spammers and botnet operators often have access to the same research received by antispam and security specialists, and they even attend the same working group conferences, according to St. Bernard's Saxton-Getty.
"This gives them as much information about identification and filtering strategies as it gives them a heads-up on what is coming," he said.
"This is a big business. Recently, I met a prolific spammer at a conference, and he told me his business's top-line revenue is slightly north of (US)$40 million. These folks are every bit as sophisticated as we are, and have even more direct motivation to get their spam through to readers."
New and Better Approaches to Antispam
The stakes have grown immensely in the struggle to detect and prevent spam and malware distribution as their creators have become more sophisticated. That's leading IT security specialists to approach the problems from new directions.
Abaca Technology, for instance, approaches the fight against spam from the recipient's perspective rather than the sender's.
"Abaca's spam fighting technology is unique in that it does not rely on content information to accurately rate messages. Therefore, we don't keep statistics on spammer 'tricks' since it doesn't matter to us. We did see a temporary spike in PDF spam a while ago," Steve Kirsch, founder and CEO of Abaca, told the E-Commerce Times.
Abaca's technology identifies spam by determining a reputation for each receiver, Kirsch explained.
"The ratio of spam to legitimate e-mail sent to each receiver is relatively consistent and is the basis for determining the receiver's reputation. Spammers cannot control or get around the receiver's reputation, and as a result, Abaca's technology continues to block spam while other solution providers must react to each new tactic invented by the spammers," he added.
Antispam solutions that tackle the problem by scanning the content of incoming messages result in security providers playing a never-ending game of catch-up, Kirsch continued.
"Using a solution that does not rely upon factors that are under the control or influence of the spammer is really the only way to effectively defend against spam variations. Solutions must be content agnostic and should not rely upon factors like the sender's reputation which the spammer can control. If the solution is oriented toward recognizing and countering the spammers' latest tricks, they are already behind in defending against an attack," he said.
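As an added illustration of the receiver-reputation idea Kirsch describes, here is example code written for this page, not Abaca's implementation: each receiver's historical spam ratio becomes a reputation, and a new message is scored from its recipient list alone, ignoring sender and content. The smoothing prior, the mean-over-recipients combination rule, and the sample history are assumptions.

```python
from collections import defaultdict

# Constructed sample history of earlier verdicts, as (recipient, was_spam).
# A real system would accumulate this from mail already classified.
HISTORY = [
    ("alice@example.com", False), ("alice@example.com", False),
    ("alice@example.com", True), ("alice@example.com", False),
    ("oldbox@example.com", True), ("oldbox@example.com", True),
    ("oldbox@example.com", True), ("oldbox@example.com", True),
    ("oldbox@example.com", False),
    ("sales@example.com", True), ("sales@example.com", False),
]

def receiver_reputation(history, prior_spam=0.5, prior_weight=2.0):
    """Per-receiver spam ratio, smoothed toward prior_spam so that an
    address with little history is not judged on one or two messages."""
    spam = defaultdict(int)
    total = defaultdict(int)
    for rcpt, was_spam in history:
        total[rcpt] += 1
        spam[rcpt] += int(was_spam)
    return {r: (spam[r] + prior_spam * prior_weight) / (total[r] + prior_weight)
            for r in total}

def score_message(message, reputation, prior_spam=0.5):
    """Spam likelihood for one message, derived only from who it is
    addressed to. Sender, subject and body are deliberately ignored:
    they are the fields a spammer controls. The combination rule (mean
    reputation over recipients, prior for unknown addresses) is an
    assumption made for this example."""
    rcpts = message["recipients"]
    if not rcpts:
        return prior_spam
    return sum(reputation.get(r, prior_spam) for r in rcpts) / len(rcpts)

def classify(message, reputation, threshold=0.6):
    """Return 'spam' when the recipient-based score reaches the threshold."""
    return "spam" if score_message(message, reputation) >= threshold else "ham"

if __name__ == "__main__":
    rep = receiver_reputation(HISTORY)
    pitch = {"sender": "deals@example.net", "subject": "Hot stock",
             "body": "Buy now", "recipients": ["oldbox@example.com"]}
    print(score_message(pitch, rep), classify(pitch, rep))
```

Two messages with identical recipients score identically no matter how their sender or body differ, which is the property the quote relies on.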