Sophisticated spam set to expand - MessageLabs
By Matt Whipp
Posted on 30 Jan 2007 at 18:01
Spam levels look set to escalate, and the seasonal spike over the Christmas period could mark the start of something bigger, according to MessageLabs' monthly report for January.
The latest figures show that spam accounts for 75.8 per cent of all corporate inbound email and represents 'a continuation of the hike in the run-up to Christmas ... of which an easy majority is stock pumping image spam', according to Mark Sunner, Chief Security Analyst, MessageLabs.
However, the technology behind spam has taken a leap forward in sophistication, he claimed. That seasonal spike over Christmas was kicked off by the Spamthru trojan.
Sunner described Spamthru as 'different from other Trojans we've seen since all this began.' It boasts a number of features that put it head and shoulders above the common or garden variety of spam trojans.
Systems infected by this kind of malicious code are often commandeered as part of a botnet, in which each machine listens for commands from another computer, often known as a botnet herder or command and control centre.
Spamthru is different. Machines infected with Spamthru form a peer-to-peer network, and each has information on the other machines in the network. The controller can access the network from any one of these machines, making it very difficult to trace who is controlling it.
It also has its own antivirus protection in the form of a hacked version of Kaspersky's engine, which will clean off any previous infections, making more room for itself.
And when it does start spamming out mail, it repixellates the images used so that each is slightly different, making it more difficult to identify and stop automatically.
But what concerns Sunner is that this could be just the beginning. 'If you look back at the traffic for Spamthru it's very spiky, whereas spam generally shows quite linear activity levels. Almost as if someone's turning on a tap momentarily and turning it off again.'
He says the patterns mimic the activity spikes seen in the first six months of 2003, when virus writers were testing out and tweaking variants of the SoBig virus that led to infections on an epidemic scale in July and August of that year.
'When you see a leap in sophistication like this, it's usually followed by "me-too" type Trojans,' he said.
'It's not being used anywhere near to its full capacity,' said Sunner. 'We're looking at the thin end of the wedge here. I'd be naive to assume that spam volumes won't increase or that there won't be copycats.'
The success of Spamthru is likely to motivate virus writers to emulate those features in future malware, and often this results in readily available kits for the less technically minded to knock up a variant very easily.
'Once tool kits start to appear, it lowers the barrier to entry,' he said. But at some point, Spamthru itself will be superseded by the next generational leap in spam technology. 'It is at the end of the day ... it is an arms race,' said Sunner.
For more information visit MessageLabs.
