ScamFraudAlert > DDOS & Spam Attacks - Storm Worm Botnets and Zombie Computers
#1  Scrub (Administrator), 11-17-07, 02:12 PM
The Evolution of Spam, Part 1: New Tricks

By Andrew K. Burger
E-Commerce Times
11/13/07 4:00 AM PT


Quote:
"Storm uses complex programming techniques to automatically repackage itself," remarked Randy Abrams, director of technical education at ESET. "It's a bit like someone changing their costume at a party every five minutes. Inside it is the same, but outside it looks different. ... The Storm authors look at how they are being detected and then devise counter attacks."
It's not a comforting thought, but while you're sleeping peacefully, your PC may be hard at work acting as a spam server or peer-to-peer node, providing processing power to a malware network engaging in any of a variety of criminal activities online.

Spam is being used by botnet operators in a multiplicity of new forms -- such as those behind the now prolific Storm spam-malware hybrid -- to build distributed robot networks, or botnets, made up of spam recipients' enslaved "zombie" PCs. Taken together, the zombie armies provide raw processing power rivaling, and sometimes even surpassing, that of the most powerful supercomputers.

What's especially disturbing is that some legitimate businesses and regulatory and enforcement regimes are complicit, in that they make it more difficult than it needs to be to curtail the problem.

"Spam is much bigger than the Storm worm," Randy Abrams, director of technical education at ESET, told the E-Commerce Times.

"Not the least of the problems is the American Congress legalizing spam through the 'Canned Spam Act,' which companies like Microsoft (Nasdaq: MSFT) strongly supported," he maintained. "The spammers have very big businesses backing their efforts. Any company that supports 'opt out' instead of 'opt in' is an integral part of the problem."

Faster Mutation

Storm's combination of spam and malware has infected an estimated 10 million PCs, though the number is constantly changing. However, there's really no way of knowing how many PCs are infected at any one time.

"In reality, it is a dynamic number," explained Shane Coursen, senior technical consultant at Kaspersky Lab.

"The number of Storm-infected machines is in constant flux. Nobody really knows the exact number of Storm-infected machines that exist in the world, but you can be assured it is quite a significant amount," he told the E-Commerce Times. "New machines are constantly being folded into the Storm botnet, just as machines already compromised by Storm are being cleaned and removed from the botnet."

Another thing that's changing is the degree of sophistication and the scale of the botnets spam manufacturers now employ.

"Spam continues to get more sophisticated. Over the past 12 months, we have seen the evolution of spam mutation change as much as it did over the entire previous decade," noted Troy Saxton-Getty, vice-president and general manager at St. Bernard, developer of the LivePrism on-demand e-mail and PC security platform.

"The significance is that detection methods are needing to evolve just as quickly," he told the E-Commerce Times.

"Every day, spammers make tools and use methods to get around the current defenses available in the market," said Saxton-Getty. "It takes only a number of weeks to see the majority of spammers utilizing these same methods, which on a given day can decrease our effectiveness significantly."

This, of course, means that spam detection and prevention specialists have to run faster and do more to keep up.

"Anti-spam defenses are having to deploy multifactor solutions to maintain the same level of detection as they once had with single factor tools," Saxton-Getty pointed out. "This means an increase in the time it takes to process through multiple tools, an increase in cost of goods to the service or appliance vendor, and it opens up the potential for an increase in the false positive rate."

Storm's Resurgence

Following a brief period of quiescence, massive Storm-driven spam attacks are once again lighting up security researchers' radar screens. Spam links to MP3 audio files, YouTube videos and Adobe .pdf documents are being used to gull recipients into downloading infected attachments and visiting Web sites that serve as malware distribution nodes -- further infecting their PCs and turning them into part of a network of remotely controlled zombie slaves.

This latest evolutionary wave follows an earlier Storm-driven spam onslaught in which recipients were lured into pump-and-dump stock trading schemes.

The first mass mailing of stock trading spam used specially crafted graphics files that contained background noise, as well as Adobe .pdf files, which at the time were not detected by spam filters, according to Kaspersky Lab.

Storm and other spam creators are notorious for making creative use of timely events and topics -- dancing skeletons for Halloween, cheap pharmaceuticals, messages touting links to popular YouTube videos, e-greeting cards, and ads for credit report services -- in order to entice recipients to open file attachments or follow links to infected Web sites.

Storm spammers, in particular, are also known for their innovation when it comes to evading spam filters and other network and PC security defenses.

"Spammers once again made several attempts to modernize the technology used in creating graphical attachments in spam e-mails (image spam) during the first six months of 2007," Kaspersky researchers note in a recent Viruslist report.

"For example, in February 2007, renewed attempts were made to use animated graphics, which spammers had all but abandoned by the end of November 2006. This new type of animation differs from the previous type in that the source image is broken into fragments, and each fragment is skewed at a different angle," the report states.

Image spam is a huge problem for two main reasons, said ESET's Abrams.

"First, simply identifying a known image is not always effective. It is trivial to programmatically alter an image by a few pixels, which breaks traditional identification. There are millions of minor alterations that can be made without visibly affecting the image," he explained.

"Secondly, spammers are using links to images hosted on Web sites. The image itself is not in the e-mail until it is opened. One potential approach is to blacklist Web sites and e-mail addresses," Abrams suggested. "This is somewhat effective, but not only does it require a lot of maintenance -- it isn't foolproof. Images can be stored on hacked Web sites for legitimate companies, and botnets use millions of legitimate e-mail addresses to do their sending."

Resiliency Through Adaptation

Though not usually overtly threatening -- that is, they don't typically embed code that could erase disk drives, disable PCs or install keyloggers to capture confidential data such as passwords -- Storm worms or Trojan horses are proving to be the most adaptable malware yet seen.

Storm spam has demonstrated an ability to adapt and change its own code extremely quickly based on the spam filters and other defenses it encounters while attempting to make its way through network and PC defenses, for instance.

"Storm uses complex programming techniques to automatically repackage itself," remarked Abrams. "It's a bit like someone changing their costume at a party every five minutes. Inside it is the same, but outside it looks different. There are still recognizable attributes of the person, such as size, shape, voice and mannerisms, though. The Storm authors look at how they are being detected and then devise counter attacks."

It's the tenacity of Storm programmers in evading detection that has made it such a high-profile malware, Abrams commented.

"From a spam perspective, it is simply one of a large number of botnets that are used to send out spam. Fundamentally, Storm is no better at spamming than any other botnet," he asserted. "Storm is better at getting itself installed and avoiding detection. That said, ESET's heuristics have been detecting the new variants of Storm proactively for several months now. It is not unbeatable."

E-Commerce News: Spam: The Evolution of Spam, Part 1: New Tricks
Last edited by Scrub; 11-17-07 at 02:22 PM.

#2  Scrub (Administrator), 11-17-07, 02:21 PM
The Evolution of Spam, Part 2: New Defenses

By Andrew K. Burger
E-Commerce Times
11/16/07 4:00 AM PT

Quote:
"There is no single head to cut off, no centralized command structure to attack. These aren't the Red Coats standing in a neat formation; these are guerrillas scattered across the landscape with known objectives and infrequent need for direction," said Randy Abrams, ESET's director of technical education.

Spam network operators, otherwise known as "botnet herders," are becoming increasingly proficient at evading detection and harnessing the power of peer-to-peer (P2P) computing, much to the consternation of spam detection, prevention and IT security specialists, as Part 1 of this series discusses.

Botnet operators are using spam and recipients' "zombie" PCs to create what amounts to a "shadow" Internet and growing rich in the process. What's more troubling is that the problem is not likely to go away soon. Legitimate companies and businesses are making use of the same spam artists and botnet operators who manage the P2P networks that are also distributing malware. Meanwhile, lax enforcement regimes make the problem much more difficult to combat.

Spam and Storm Genealogy


Now widespread, Storm MP3 spam was first noticed by security researchers in August as part of a stock pump-and-dump scheme aimed at getting recipients to purchase shares of stock already owned by the malware's creators. When the recipient opens the file, he or she hears a distorted female voice advertising stocks in a company called "Exit Only," according to Kaspersky Lab.

Adobe (Nasdaq: ADBE) PDF (Portable Document Format) files are among the latest file formats to attract malware creators' attention, prompting the release of security updates for version 8.1 and earlier versions of Adobe Acrobat applications.

Infected .pdf attachments are only one of the file formats used in what has been a resurgence of Storm-driven spam during the first half of this year. Previously, a related wave of spam was spread across the Internet, but it only included text messages luring recipients into pump-and-dump stock trading schemes.

"Spammers are utilizing common file types much more frequently, such as the .pdf issue over summer or the ZIP file attachments a few months ago as embedded ways to make the mail message look more authentic and bypass some detection tools," noted Troy Saxton-Getty, vice president and general manager at St. Bernard.

"Migrating from one format to another is as predictable as a shopper in a mall going from one store to the next," Randy Abrams, director of technical education for ESET, told the E-Commerce Times.

"Text, images, documents, spreadsheets, MP3s, etc. are all methods of communicating a message. Any file format that can be used to communicate a 'buy' message should be expected to be included in some form of spam. AutoCAD (computer-aided design) drawings are not likely candidates because not many people have the program required to open them, otherwise they would be used as well."

The Makings of a Shadow Network


While Storm's creators are proving themselves to be adept technical innovators, the key to their success lies in simple social engineering, Abrams continued.

"They simply send out e-mails with links. The titles and promised content are enough to lure the millions of gullible people into downloading and running the executable without having to resort to the use of vulnerabilities. From there, the spam is 'content.' The content is the responsibility of the spammers who pay for the use of the storm botnet for distribution. The use of different file formats for containing the spammed message is not new or revolutionary," he said.

Storm-driven mass mailings appear to be carefully orchestrated, said Kaspersky Lab's Senior Technical Consultant Shane Coursen.

"Instead of sending out a constant barrage of spam, we have seen cycles. As an example, there might be 12-24 hours of activity, where a certain number of Storm-infected machines are commanded to send out spam," Coursen told the E-Commerce Times.

After 12 to 24 hours, the segments of the overall Storm botnet that are being used to generate spam simply go quiet, he said.

"Interestingly, when such spam runs occur the amount of spam/Internet activity generated is significant. This gives insight/evidence as to the size of the Storm botnet. A single spam run as described above may result in 10 to 20 million spammed e-mail messages," said Coursen.

Two Phases

With its on-demand Prism platform filtering millions of messages every day, St. Bernard collects a lot of statistics about spam types, their frequency and points of origination and the methods being used to create and distribute spam.

"It is more common than ever to see spammers deploy Trojan or zombie tools, which are basically virus/malware tools that take over some or all of a user's PC with one deployment strategy -- call it 'Phase I' -- and most of the time [the PC owner or user] doesn't even know," Saxton-Getty told the E-Commerce Times.

Once these are embedded in a PC, botnet herders can move on to Phase II, which involves hooking them all together in a central management system, he continued.

"What this does is allow the spammer to start a spam storm from hundreds of completely different IP addresses for a short period of time, and they string the delivery along the entire herd of zombie machines so they can send millions of spam messages and not trip the 'wire' at many of the ISPs' spam and other detection tools," he said.

"Some of these folks can control thousands of unsuspecting PCs, and the PC itself might only send 20 messages per minute to stay undetected," added Saxton-Getty. "It is pretty amazing."

Customer Groups


A botherder's customer base is a mixed and varied lot, according to ESET's Abrams.

"Spammers are probably the biggest customers. These include purveyors of porn, pharmaceuticals and stock scams, among other 'products.' Another customer would be the DDOSer (distributed denial of service)," he said.

"The reasons for renting a botnet for a DDOS attack can include revenge, corporate espionage and blackmail. For example, if you run an online gambling site and I DDOS you, then you can't make any money. If I offer to stop the attack -- for a fee -- and that allows you to stay in business. ... Identity thieves are another customer. Bots can collect all manner of information from the PCs they are installed on."

Adware purveyors are another customer group, Abrams continued.

"Bots can be commanded to download and install adware. The adware affiliate programs pay for installations. Large corporations are definitely complicit. I've received spam touting 'Terminix.' The reason is that an affiliate is being paid to drive traffic. There is no significant deterrent for affiliates to comply with whatever weak policies the company may have. The parent company has no obvious feedback for consumers who receive their unwanted spam. Many companies blindly use affiliate programs without any meaningful deterrent to abusers who use spam."

P2P Control Structure

In addition to the tenacity of their efforts to evade spam detection, Storm creators' use of P2P networking as a control structure makes the hybrid spam-malware botnet extremely resilient, explained Abrams.

"There is no single head to cut off, no centralized command structure to attack. These aren't the Red Coats standing in a neat formation; these are guerrillas scattered across the landscape with known objectives and infrequent need for direction," he said.

Yet more problematic, Storm has detected researchers' efforts to probe its code or defend against it and has retaliated by launching distributed DDoS attacks against Storm researchers' PCs and networks, including subnets and e-mail address lists.

Disturbingly, spammers and botnet operators often have access to the same research received by antispam and security specialists, and they even attend the same working group conferences, according to St. Bernard's Saxton-Getty.

"This gives them as much information about identification and filtering strategies as it gives them a heads-up on what is coming," he said.

"This is a big business. Recently, I met a prolific spammer at a conference, and he told me his business's top-line revenue is slightly north of (US)$40 million. These folks are every bit as sophisticated as we are, and have even more direct motivation to get their spam through to readers."

New and Better Approaches to Antispam


The stakes have grown immensely in the struggle to detect and prevent spam and malware distribution as their creators have become more sophisticated. That's leading IT security specialists to approach the problems from new directions.

Abaca Technology approaches the fight against spam from the recipient's perspective, as opposed to the sender's side, for instance.

"Abaca's spam fighting technology is unique in that it does not rely on content information to accurately rate messages. Therefore, we don't keep statistics on spammer 'tricks' since it doesn't matter to us. We did see a temporary spike in PDF spam a while ago," Steve Kirsch, founder and CEO of Abaca, told the E-Commerce Times.

Abaca's technology identifies spam by determining a reputation for each receiver, Kirsch explained.

"The ratio of spam to legitimate e-mail sent to each receiver is relatively consistent and is the basis for determining the receiver's reputation. Spammers cannot control or get around the receiver's reputation, and as a result, Abaca's technology continues to block spam while other solution providers must react to each new tactic invented by the spammers," he added.

Antispam solutions that tackle the problem by scanning the content of incoming messages result in security providers playing a never-ending game of catch-up, Kirsch continued.

"Using a solution that does not rely upon factors that are under the control or influence of the spammer is really the only way to effectively defend against spam variations. Solutions must be content agnostic and should not rely upon factors like the sender's reputation, which the spammer can control. If the solution is oriented toward recognizing and countering the spammers' latest tricks, they are already behind in defending against an attack," he said.

E-Commerce News: Spam: The Evolution of Spam, Part 2: New Defenses


Last edited by Scrub; 11-17-07 at 02:22 PM.
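The receiver-reputation scoring Kirsch describes in post #2, worked through as an added example (not Abaca's code): each address gets a smoothed spam ratio from its own mail history, and a new message is rated from its recipients' ratios alone, never from content or sender. The Laplace smoothing, the 0.5 prior for unseen addresses and the mean log-odds combination are assumptions of this example.

```python
"""Receiver-reputation spam scoring (added illustration, not Abaca's code).

The quoted approach rates a message by who receives it: each address has a
fairly stable spam-to-legitimate ratio, and the spammer does not control it.
The Laplace-smoothed ratio, the prior for unseen addresses and the way
recipient scores are combined (mean log-odds) are assumptions made here.
"""
from collections import defaultdict
import math

# Constructed training history: (receiver address, was the message spam?).
HISTORY = [
    ("alice@example.org", False), ("alice@example.org", False),
    ("alice@example.org", True),  ("alice@example.org", False),
    ("sales@example.org", True),  ("sales@example.org", True),
    ("sales@example.org", True),  ("sales@example.org", False),
    ("sales@example.org", True),  ("sales@example.org", True),
    ("bob@example.org", False),   ("bob@example.org", False),
]


class ReceiverReputation:
    """Tracks, per receiver, how much of its mail has historically been spam."""

    def __init__(self, prior=0.5, pseudo_count=1.0):
        self.prior = prior          # score for an address never seen before
        self.k = pseudo_count       # Laplace smoothing strength (assumption)
        self.spam = defaultdict(int)
        self.total = defaultdict(int)

    def observe(self, receiver, is_spam):
        """Fold one labelled delivery into the receiver's counts."""
        self.total[receiver] += 1
        if is_spam:
            self.spam[receiver] += 1

    def reputation(self, receiver):
        """Smoothed fraction of this receiver's mail that was spam, in (0, 1)."""
        n = self.total.get(receiver, 0)
        if n == 0:
            return self.prior
        return (self.spam[receiver] + self.k * self.prior) / (n + self.k)

    def score(self, recipients):
        """Combine recipient reputations by averaging log-odds; returns P(spam)."""
        if not recipients:
            return self.prior
        logits = []
        for r in recipients:
            p = self.reputation(r)
            logits.append(math.log(p / (1.0 - p)))
        mean = sum(logits) / len(logits)
        return 1.0 / (1.0 + math.exp(-mean))

    def is_spam(self, recipients, threshold=0.5):
        return self.score(recipients) > threshold


def build_from_history(history=HISTORY):
    """Build a reputation table from the constructed history above."""
    rep = ReceiverReputation()
    for receiver, is_spam in history:
        rep.observe(receiver, is_spam)
    return rep


if __name__ == "__main__":
    rep = build_from_history()
    for rcpts in (["alice@example.org"], ["sales@example.org"], ["nobody@example.org"]):
        print(rcpts, round(rep.score(rcpts), 3), rep.is_spam(rcpts))
```

A spam-heavy address such as the constructed sales@ mailbox scores high, a clean one scores low, and an unseen address falls back to the prior, regardless of what the message says or who sent it.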