Spammers hire infected PCs by the hour

By Matt Whipp

Posted on 6 Jul 2004 at 14:52

The pull of the US dollar is felt strongly in Eastern Europe, where virus writers are minting it by selling airtime on networks of infected computers to spammers - by the hour.

MessageLabs' Chief Technology Officer Mark Sunner told us that increasingly close ties between virus writers and spammers is creating a cottage industry.

'Virus writers are now selling airtime on botnet networks,' he said. 'They're flogging two-hour sessions for between $50 and $100.'

'Viruses are now intrinsically linked to spam,' he told us. 'Nearly all the viruses this year were written to create botnets - or zombie networks.'

Botnets are networks of computers infected with viruses that give remote access to their resources. Virus writers can then harness these computers into a single network for their own purposes such as launching a denial of service attack on a web site.

Traditionally, virus writers have garnered kudos through the malevolence of the payloads their creations delivered. However, the modern virus writer has dollar signs in their eyes. 'All of a sudden the need for notorietary has resulted in a new trend of virus-writers boasting they're working with spammers - showing they're commercially savvy,' said Sunner.

And what was once the province of a close, secretive community is becoming ever more accessible. 'To get the tools to access these networks used to be very difficult - it was a masonic affair where you would need to be voted in to certain spamming circles,' Sunner explained. 'But now you can obtain these same tools with a Google search - now this botnet business is open to a much greater number of people with a lower skill set.'

'MessageLabs now detects 70 per cent of intercepted spam comes from botnets,' said Sunner, up from about 30 per cent a year ago.

'The phenomenum started last year with SoBig,' he said, but has continued this year with the endless stream of Netsky and Bagle worms, for example.

Much of the virus activity emanates from Eastern Europe, while the spammers making use of these botnets are mostly US-based. However, Sunner said that virus writers in the US and China are starting to get in on the act too.

And despite the antivirus software available, it is still proving successful strategy.

The problem remains that there is still an eight or nine hour window between a virus being discovered in the wild and application vendors issuing a virus signature. And then end users still have to update their antivirus software with it.

But as soon as this happens, the virus writers press the launch button for a new variant of that virus, and they get another nine hour window to infect systems.

'With the numbers of email we scan, it looks like a sine wave of infections as new variants are released, all engineered to hit that window of vulnerability,' said Sunner.

And while today's viruses almost exclusively target Windows systems, Sunner maintains it's not the security glitches that plague the platform that attracts virus writers, but rather the installed base.

Sunner predicted that if everyone jumped ship to the Mac or Linux, virus writers would jump with them. 'It's about where is the installed base, not what's the platform,' he said.

Indeed most of the viruses that are released today are built from reverse engineering the patches released by Microsoft. So calls to Microsoft to make patches for vulnerabilities available earlier are somewhat misplaced. If Microsoft did rush out every patch within days of a vulnerability being discovered, everyone would be updating systems piecemeal, with different patches and different versions of patches. Owning a computer would be a full time job.