Why is there so much spam?


In October 2006, the spam levels jumped a massive 10% in the UK (up from an average of 51.4% of emails being spam in September to 61.4% being spam) according to MessageLabs (the world’s leading provider of messaging security and management services to business). Globally the average went up by 8.5% in October 2006 to 72.9% of email received being spam.

[Figure: MessageLabs spam percentages. Source: MessageLabs, October 2006]

This was, in part, due to it being the start of the spam season in the run up to Christmas, i.e. more junk gets sent to catch unsuspecting shoppers. However, aside from seasonal variations, there are two other key factors at play in the increase in spam.

  • A trojan horse called Warezov which, once installed on a person’s PC, sends out spam continuously. The trojan horse has been spread to hundreds of thousands of computers.
  • A trojan horse nicknamed SpamThru which harvests email addresses and uses them to generate spam content which gets sent out. Again, this has been downloaded onto huge numbers of computers.

It’s not clear at this stage if there is a link between them, i.e. whether SpamThru harvests email addresses and pushes content through to Warezov, but the fact is that these two trojans have contributed to the majority of the increased volume of spam over the last few months and the trend is unlikely to change.

A clever trick employed by SpamThru is that it contains a hacked copy of Kaspersky Anti-Virus which actually does clean up the computer and remove spam bots, viruses, etc. However, it has been modified so that SpamThru’s own components are skipped: competing spam bots on that computer are removed while SpamThru itself remains undetected and unchallenged. Consequently, people may also unwittingly install SpamThru because they think they are getting a free anti-virus program, when in fact they are being duped into installing a spam system.

The messages are clear:

  • Spam is not going away, and will get worse
  • Only ever download software you know the pedigree of
  • Find a good spam filtering system

In more detail: Warezov

The first is the aggressive level of activity around one particular trojan dropper called Warezov. Tens of thousands of copies of different variants of the trojan are sent out in multiple batches, where each batch is subtly different from the previous one. Even a few bytes changed in the code will allow the trojan to pass undetected through traditional, signature-based anti-virus protection. Because it is a “dropper” (a piece of code that later downloads new code/viruses/worms/malware/email content/etc. onto the affected computer) it is uncertain what the trojan is being used for; however, it seems clear that there is a connection with the huge rise in spam levels around the world. In fact, in 24 hours on 26th October, MessageLabs software trapped over 900,000 copies of Warezov. It has been around since August 2006 and is being updated all the time to avoid detection and so continue to spread spam.
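To illustrate why “a few bytes changed” defeats exact signature matching, and what a defender can do about it, here is an added example (not code from the article or from MessageLabs). It builds two constructed byte strings that differ in three bytes, standing in for two variants of one dropper: a whole-file hash signature no longer matches, while a byte n-gram similarity score still recognises the second variant as near-identical to the first. The sample data, the n-gram size and the 0.9 threshold are all assumptions made for the demonstration.

```python
import hashlib
import random
from typing import Set


def _pseudo_random_bytes(seed: int, length: int) -> bytes:
    """Deterministic filler bytes (constructed sample data, not real malware)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed "variant A": a fake header followed by filler bytes.
VARIANT_A = b"MZ\x90\x00" + _pseudo_random_bytes(2006, 2048)

# Constructed "variant B": the same bytes with three single-byte changes,
# the kind of minimal repack that breaks an exact-match signature.
_b = bytearray(VARIANT_A)
for _pos in (100, 700, 1500):
    _b[_pos] ^= 0xFF
VARIANT_B = bytes(_b)

# Constructed unrelated sample, to show the similarity score stays low
# for genuinely different files.
UNRELATED = b"MZ\x90\x00" + _pseudo_random_bytes(1, 2048)


def signature(data: bytes) -> str:
    """Exact-match 'signature': a SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def signature_matches(known: bytes, sample: bytes) -> bool:
    """Traditional detection: the sample is caught only if its hash is known."""
    return signature(known) == signature(sample)


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of all overlapping n-byte substrings of the data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets: 1.0 identical, 0.0 disjoint."""
    sa, sb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def similarity_flags(known: bytes, sample: bytes, threshold: float = 0.9) -> bool:
    """Similarity-based detection: flag samples that share most n-grams with a known one."""
    return ngram_similarity(known, sample) >= threshold


if __name__ == "__main__":
    print("exact signature matches variant B:", signature_matches(VARIANT_A, VARIANT_B))
    print("n-gram similarity A vs B:      %.3f" % ngram_similarity(VARIANT_A, VARIANT_B))
    print("n-gram similarity A vs other:  %.3f" % ngram_similarity(VARIANT_A, UNRELATED))
    print("similarity flags variant B:", similarity_flags(VARIANT_A, VARIANT_B))
```

Each changed byte disturbs only the four 4-grams that cover it, so a three-byte change moves the similarity score by roughly one percent while changing the hash completely. Real products use far more elaborate heuristics and fuzzy hashes, but the contrast is the point: detection that keys on the exact bytes of one sample is defeated by the cheapest possible repack.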

In more detail: SpamThru

The second driver of increased spam is another trojan, dubbed “SpamThru”, which is responsible for a great deal of the botnet activity behind increased levels of spam. Analysis of SpamThru shows that its makers are releasing new strains at regular intervals in order to confound traditional anti-virus signature detection. Using the “spam cannon” technique, SpamThru uses a template for each spam it sends and, by combining it with a list of email addresses, each zombie (infected computer) is able to pump out millions of spam emails.

Although designed to turn the infected computer into a spam-sending zombie, SpamThru employs an interesting device to circumvent the closure of the command-and-control channel. In a normal botnet, there is a central “controlling” program (called the mother-ship) which coordinates and keeps everything running. If this mother-ship is disrupted or disconnected, the entire botnet is disrupted or disabled. However, SpamThru has a “self-healing” capability: if the mother-ship goes offline, as long as the botnet controller can access any other zombie machine, they can promote it to the role of the new mother-ship and so maintain the continuity of the whole botnet. In other words, SpamThru is much more resilient to attacks on the mother-ship and less likely to be stopped.

SpamThru also attempts to neutralize anti-virus software by corrupting the local “hosts” file, inserting dummy addresses to override genuine anti-virus update URLs, so that the installed product can no longer fetch new signatures. SpamThru also downloads an illegal copy of Kaspersky Anti-Virus onto the infected computer and scans the PC for viruses, whilst ensuring that it bypasses its own components. Interestingly, any other malware found on the system is removed the next time Windows reboots.
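The hosts-file trick described above is easy to check for from the defender’s side. The following is an added example, not code from the article or from any vendor: it parses hosts-file text and reports any line that pins a protected update hostname to a local address, or that sinkholes any hostname to loopback or the unspecified address. The hosts content and the vendor hostnames are constructed placeholders; in practice the protected set would hold the actual update hosts of the products in use, and the text would come from the live hosts file (the example reads an inline string so it runs offline).

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed hosts-file content (placeholder names, not taken from a real infection).
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av.com
0.0.0.0         downloads.example-av.com  liveupdate.example-av.com
127.0.0.1       www.example-news.net
10.1.2.3        intranet.corp.example     # legitimate internal entry
"""

# Hostnames a defender never expects to be overridden locally (placeholders).
PROTECTED_HOSTS: Set[str] = {
    "updates.example-av.com",
    "downloads.example-av.com",
    "liveupdate.example-av.com",
}

# A finding is (hostname, address it was pinned to, reason).
Finding = Tuple[str, str, str]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Turn hosts-file text into (address, [hostnames]) pairs.

    Comments (from '#' to end of line) and blank lines are dropped; one line may
    map several hostnames to the same address, as the hosts format allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is useless, skip it
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_sinkhole_address(addr: str) -> bool:
    """True if the address cannot reach a remote server: loopback, unspecified
    (0.0.0.0 / ::), or not a valid IP address at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str, protected: Set[str]) -> List[Finding]:
    """Report hosts-file lines that look like update-blocking overrides."""
    findings: List[Finding] = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name == "localhost":
                continue  # the standard loopback entry is expected
            if name in protected:
                findings.append((name, addr, "protected update host overridden"))
            elif is_sinkhole_address(addr):
                findings.append((name, addr, "hostname sinkholed to local address"))
    return findings


if __name__ == "__main__":
    for name, addr, reason in audit_hosts(SAMPLE_HOSTS, PROTECTED_HOSTS):
        print(f"{reason}: {name} -> {addr}")
```

An override of a protected name is reported whatever address it points at, because no legitimate reason exists for an update host to be pinned locally; other names are reported only when pinned to an address that can never answer. The internal intranet entry is left alone, which is the distinction that keeps such a check usable on real machines where hosts files carry deliberate entries.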
