Trojan One-Two Punch Sends Spam Rates Soaring

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/news/showArticle.jhtml?articleID=193501739

By Gregg Keizer
TechWeb News
Nov 3, 2006

MessageLabs on Friday fingered a pair of Trojans for pushing up spam 
rates, and said the duo use techniques that make it difficult for 
anti-virus vendors to keep up.

According to the U.K.-based security provider, the sharp increase in 
spam -- a jump to 72.9 percent of all mail in October from the previous 
month's 64.4 percent -- was largely caused by two zealous Trojan 
downloaders that have been infecting PCs, then using them to spew huge 
amounts of junk mail.

"The Warezov Trojan is the most aggressive we've seen in quite a while," 
said Paul Wood, a senior analyst with MessageLabs. "Once on a system, it 
downloads the next stage or component, but as it does, it changes a few 
bytes in the code and essentially releases a new version. That makes it 
very difficult for anti-virus systems to identify."

By mutating its own code -- done automatically, MessageLabs researchers 
suspect, though they haven't found final proof -- Warezov, aka 
"Stration," expands the attack window. "If anti-virus companies take 
five to six hours to create a signature, the Trojan extends that time 
even further with these new versions," said Wood.

The other fly in the October ointment, said Wood, was SpamThru, another 
piece of malicious code that has been hitting systems hard.  SpamThru, 
which was called out by other security companies last week, uses what 
Wood called a "spam cannon" approach that relies on mail merge-like 
templates to vary the outbound spam. That, said Wood, allows each spam 
zombie to pump out millions of messages and still stay off blacklists.

SpamThru's flexible command-and-control also makes it much tougher for 
ISPs, researchers, and authorities to knock offline. SpamThru relies on 
peer-to-peer (P2P) style communication between the bots and their hacker 
controller, said Wood. "Each bot learns about the other bots 
participating in the same network. If a bot loses the command and 
control channel, it can query the others for an alternate channel.  
That really increases the resiliency of the botnet."

Together, the two Trojans accounted for a huge number of spam messages 
in October; MessageLabs alone snared nearly a million copies of the 
newest Warezov variant during a 24-hour period late in the month.

"It's likely the spam rates will continue to rise through the end of the 
year," added Wood, who noted that the fourth quarter is historically a 
prime time for spammers to boost volume. "This is the highest [rate] 
it's been for quite some time. I think it'll eke a bit further toward 
100 percent."

In its end-of-the-month report on the state of messaging, MessageLabs 
also noted that while the overall volume of phishing e-mails had 
decreased slightly, the percentage of malicious messages that were 
identity fraud related increased.

India remained the country hardest hit by virus-laden messages -- during 
October, 1 in every 16 e-mails carried some kind of malware -- but also 
witnessed almost a doubling of the percentage of mail categorized as 
spam. Spam levels increased by 20.5 percent in October, to 49.3 percent, 
compared to the month before.

MessageLabs' October report can be downloaded as a PDF file from here [1].

[1] 
http://www.messagelabs.com/portal/server.pt/gateway/PTARGS_0_0_434_462_-462_43/http%3B/0120-0176-CTC1%3B8080/publishedcontent/publish/_dotcom_libraries_en/files/monthly_reports/messagelabs_intelligence_report__october_2006_5.pdf


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org