Bot nets likely behind jump in spam

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2006/10/31/botnet_spam_surge/

By Robert Lemos
SecurityFocus
31st October 2006

A significant rise in the global volume of spam in the past two months 
has security analysts worried that bot nets are increasingly being used 
by spammers to stymie network defenses erected to curtail bulk email.

Estimates of the magnitude of the increase in junk email vary, but 
experts agree that an uncommon surge in spam is occurring. On the low 
side, Symantec, the owner of SecurityFocus, has found that average spam 
volume has increased almost 30 percent for its 35,000 clients in the 
last two months. Others have seen much more significant jumps: Spam 
black list maintainer Total Quality Management Cubed has seen a 450 
percent increase in spam in two months, and the amount of spam filtered 
out every week by security software maker Sunbelt Software has more than 
tripled compared to six months ago.

While bulk emailers have, in the past, sent unwanted messages from a 
single server, increasingly the spam emanates from networks of 
compromised PCs, known as bot nets. The level of junk email has 
increased almost in lock step with the number of compromised systems 
used for spam, said David Hart, the administrator for Total Quality 
Management.

"What is most alarming is that new clients - internet addresses that we 
have never seen before and which could be new infections - have tripled 
since June," said Hart, who posted a chart tracking the growth on his 
Web site this week.

Bots and bot nets have rapidly emerged as one of the major threats on 
the Internet. Tens of thousands of compromised PCs are frequently 
counted among a single bot net's unwilling members, with some bot nets 
boasting as many as a million systems. Traditionally, the networks have 
been used to install adware on victims' machines or level 
denial-of-service attacks at online companies as part of an extortion 
scheme.

Now, spammers are frequently counted among the operators or the clients 
of bot nets. Last May, a spammer only identified as "PharmaMaster" used 
a bot net to target anti-spam provider Blue Security and its Internet 
service providers with a massive denial-of-service attack that blocked 
access to the companies for hours and, in the case of Blue Security, 
days. Because of the attack, the company exited the anti-spam business.

Many bot herders - as the criminals that infect computers with bot 
software are named - sell or rent bot nets to others to use, and 
spammers increasingly seem to be among their customers.

There is strong evidence that bot nets - networks of compromised PCs - 
are behind the recent jump in spam.

Sunbelt Software analyzed the junk email messages received by one of its 
dummy accounts in the past 48 hours: The 1,110 blocked messages came 
from 160 different mail servers as determined by their Internet 
addresses. The data suggests that a large number of compromised PCs are 
participating in sending out spma.

"It's pretty easy, once you start breaking out the numbers, to tell a 
bot net from a run-of-the-mill spam server," Greg Kras, vice president 
of products for Sunbelt. "Honestly, I think the increase is an attempt 
to keep viability by the corporations that are doing spam," Kras said. 
"It use to be that 1 in 1,000 was a good success rate for a spam run. 
Now, it is more likely 1 in 100,000."

Some Internet users have noticed an indirect effect of the surge in bulk 
email. Spammers usually put another person's email address in sender's 
field of the message. Because many spam and antivirus filters send back 
a rejection message to the sender, the actual owner of the email address 
will be inundated with replies.

That's exactly what happened recently to one client of Paul Marsh, a 
consultant and the information technology manager for the Nellie May 
Education Foundation.

"The client called me up to say, 'I've probably got a thousand e-mails 
in my inbox that seems to be nothing by bounce backs from spam,'" Marsh 
said.

Other Internet users may not notice the increase, because the spam 
messages are blocked by email filters or by anti-spam software on their 
PCs.

It's likely that the greatest increase is due to certain companies being 
targeted by spam more than others. Many companies may see a gradual 
increase, others an enormous spike, in traffic, said Carlin Wiegner, 
director of product management at Symantec.

"I don't know if I would say this is out of the ordinary, but I would 
say that it's not common, especially if you are one of those customers 
that is suffering a 100 per cent increase," Wiegner said.

Security researchers that use honey pots - heavily monitored computers 
that are allowed to be infected by malicious software to spy on the 
attackers - have also confirmed the connection between bot nets and 
spam, said Thorsten Holz, a graduate student and the founder of the 
German Honeynet Project.

"Our spam traps show definitely an increase in the last couple of days 
(and) weeks," Holz said.

Holz credits the difficulty in sending spam from single-server mail 
relays for causing spammers to move their operations to bot nets.

"Since more and more network operators shut down open mail relays or 
other administrators use black lists to block these open relays, the 
attackers have shifted their tactics: they use compromised machines - in 
the form of bot nets - to send out spam," Holz said. "Filtering these is 
hard and thus it offers attackers a way to send out spam."

The majority of spam now seems to be pharmaceutical and stock related. 
In particular, image spam - which contains meaningless and random text 
snippets to throw off filters and an image with the actual 
advertisement- that touts stocks has surged.

The volume and improved techniques has continued to gunk up the 
Internet, said Paul Ferguson, network architect for antivirus firm Trend 
Micro.

"The numbers are pretty staggering," Ferguson said. "The more of a 
cesspool things become, the less useful things become, so as a community 
at large, yeah, it is something we have to worry about."

While better technical defenses are needed, technology only goes so far, 
said TQMCubed's Hart. Its time that users are taught that anyone who 
responds to spam has become part of the problem.

"We should be teaching people not to do business with criminals and to 
stop giving credit cards to criminals," Hart said.

Hart argues that, if no one bought the goods hawked by spammers, then 
the incentive for bulk emailers would rapidly go away. The message is 
simple, he added.

"If you don't like spam, then don't do business with spammers."

-=-

This article originally appeared in Security Focus.

Copyright 2006, SecurityFocus


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org