Spam-a-bot: The Gift That Keeps On Giving

CompTIA's Eighth Annual Global Information Security Trends study, published last November, found that many companies continue to play catch-up, struggling to keep pace with new threats and vulnerabilities. Since 2008, security has been increasing as an organizational priority, from 35 percent to 49 percent in 2010 and an expected 62 percent in 2012.

March 7, 2011


Spam, the electronic version of junk mail, has been a huge problem for years, and according to new reports from McAfee, Trend Micro, Cisco and Dell, the problems, if not the volumes, are only going to get worse. Spam accounted for 80 percent of total e-mail traffic in the fourth quarter of 2010, the lowest share since the first quarter of 2007, according to McAfee's Threats Report: Fourth Quarter 2010. Of the almost 55 million pieces of malware McAfee Labs has identified in total, 36 percent were created in 2010.

McAfee attributes this ebb in spam to a "transition period," with several botnets going dormant during a time of year when spam volumes are usually on an upward path. This quarter's volume is off by 47 percent from last quarter and by more than 62 percent since the start of 2010. The company predicts a retooling and possibly some consolidation in the botnet space that will ultimately lead to growing spam volumes.

"Spambots are just the tip of the iceberg," says Jamz Yaneza, threat researcher, Trend Micro. "In almost all cases, the larger issue points to the lack of focused security and enforcing policies to prevent infection or installations of rogue applications." The volume of spam leaving a network is a ready measure of how extensive a compromise is and a strong indicator that a bot is installed: the outbound spam traffic shows both that the compromise has already happened and that the installed bots have moved on to looking for targets outside the affected network.
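The point above, that outbound spam traffic is itself an indicator of compromise, can be turned into a simple detection. The following is an added example, not code from the article or from Trend Micro: it scans constructed flow-log lines for internal hosts that open direct TCP/25 connections to many distinct external hosts, which is how a spambot delivers mail straight to recipients' MX servers, while allowlisting the site's legitimate outbound relay. The log format, network ranges, relay address and threshold are all assumptions.

```python
"""Spot spambot-style SMTP fan-out in flow logs.

Added example, not code from the article or from any vendor quoted in it.
Assumes a constructed flow-log format (timestamp src_ip dst_ip dst_port
proto); the network ranges and relay allowlist below are hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records, not captured traffic. 10.1.1.5 plays the
# infected workstation; 10.1.1.20 plays the site's legitimate mail relay.
SAMPLE_FLOWS = """\
2011-03-07T10:00:01 10.1.1.5 203.0.113.10 25 tcp
2011-03-07T10:00:01 10.1.1.5 203.0.113.11 25 tcp
2011-03-07T10:00:02 10.1.1.5 203.0.113.12 25 tcp
2011-03-07T10:00:02 10.1.1.5 203.0.113.13 25 tcp
2011-03-07T10:00:03 10.1.1.5 203.0.113.14 25 tcp
2011-03-07T10:00:03 10.1.1.5 198.51.100.5 25 tcp
2011-03-07T10:00:04 10.1.1.5 198.51.100.6 25 tcp
2011-03-07T10:00:04 10.1.1.5 198.51.100.7 25 tcp
2011-03-07T10:00:05 10.1.1.5 203.0.113.10 25 tcp
2011-03-07T10:00:05 10.1.1.5 203.0.113.70 53 udp
2011-03-07T10:00:06 10.1.1.7 203.0.113.50 25 tcp
2011-03-07T10:00:06 10.1.1.7 203.0.113.51 25 tcp
2011-03-07T10:00:07 10.1.1.9 203.0.113.60 443 tcp
2011-03-07T10:00:08 10.1.1.20 198.51.100.20 25 tcp
2011-03-07T10:00:08 10.1.1.20 198.51.100.21 25 tcp
2011-03-07T10:00:09 10.1.1.20 198.51.100.22 25 tcp
2011-03-07T10:00:09 10.1.1.20 198.51.100.23 25 tcp
2011-03-07T10:00:10 10.1.1.20 198.51.100.24 25 tcp
2011-03-07T10:00:10 10.1.1.20 198.51.100.25 25 tcp
2011-03-07T10:00:11 198.51.100.99 10.1.1.20 25 tcp
"""

# Hypothetical site definitions: RFC 1918 space is "inside"; one host is the
# sanctioned outbound relay and is expected to talk to many MX servers.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_RELAYS = {"10.1.1.20"}


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port, proto) tuples, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        yield ts, src, dst, int(port), proto.lower()


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smtp_fanout(text):
    """Map each internal source to the set of distinct external hosts it
    contacted on TCP/25. Inbound mail and non-SMTP traffic are ignored, and
    repeated connections to one MX count once: fan-out, not volume, is the
    signal that a host is delivering mail directly rather than via a relay."""
    fanout = defaultdict(set)
    for _ts, src, dst, port, proto in parse_flows(text):
        if proto != "tcp" or port != 25:
            continue
        if is_internal(src) and not is_internal(dst):
            fanout[src].add(dst)
    return fanout


def suspect_hosts(text, threshold=5):
    """Return [(src, distinct_mx_count), ...] for internal hosts that are not
    sanctioned relays and reach the fan-out threshold, largest fan-out first."""
    hits = [
        (src, len(dsts))
        for src, dsts in smtp_fanout(text).items()
        if src not in MAIL_RELAYS and len(dsts) >= threshold
    ]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in suspect_hosts(SAMPLE_FLOWS):
        print(f"{src}: direct SMTP to {n} distinct external hosts; investigate for a spambot")
```

On the constructed data only 10.1.1.5 is flagged: the relay is allowlisted, 10.1.1.7 stays under the threshold, and the inbound connection from 198.51.100.99 is ignored. In practice the same logic is more useful when the fan-out is measured per time window, and an egress firewall rule that permits TCP/25 only from the relay removes the problem rather than merely detecting it.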

"Think of it like an army: Once an area has been fully 'secured,' it's time to send the runners and feelers to target the next campaign. ... Enterprises and individuals as well should be vigilant and use tools to identify, isolate and eradicate the threat--whether this will involve full re-imaging or re-installation will fully depend on the confidence and infrastructure after a damage clean-up operation has been performed."

Bots are the biggest threat today, continues Yaneza. "In the past, we've talked about hybrid malware and how a single malware could eventually download plug-ins to extend functionality. Today, these come as bots that are self-contained with full functionality. However, it doesn't stop there. With access to the larger Internet and using previously good-intentioned technologies, like fast-flux and double-fast-flux, as we've seen in previous bots like Storm, the introduction of active and targeted compromise surely makes any bot network--whether running 100 or 1 million nodes--of large concern. The pervasive techniques such as stealth rootkits, new mediums such as mobile phones, man-in-the-middle attacks a la Zeus are even more proof."

There is no end in sight to spam, notes Joe Stewart, with the Dell SecureWorks Counter Threat Unit research team. Instead, there is an overall maturation to the spambot ecosystem, with fewer new spambot families emerging and only incremental changes in the existing spambot families.

With an estimated 250,000 bots, Rustock is the most prolific spam botnet around, says Stewart. It was designed as a rootkit, burying its files and activity deep inside the Windows operating system where it can hide from popular anti-malware products and remain on an infected system longer.

At 100,000 bots, Cutwail holds down the No. 2 spot, using custom encryption to disguise its communications. Lethic, with 75,000 bots, uses a "connect-back" scheme that causes the bot to reach out to the Lethic controller to begin receiving traffic.

Dell says other popular bots include Grum (65,000), Festi (60,000) and Maazben (30,000). While spam botnet sizes and spam volume are down over last year, one trend that can be seen is spambots piggybacking on existing worms and viruses to extend their reach.

Cisco's 4Q10 Global Threat Report revealed that Web malware increased by 139 percent in 2010 compared with the previous year. The biggest risk was posed to companies in the pharmaceutical and chemicals sector and in the energy and oil sector, followed by the agriculture and mining sector and the education sector. The sectors with the lowest risks include professional services and aviation and automotive.

Cisco attributes the drop in spam volumes to several key events, including the takedowns of botnet segments related to Lethic, Waledac, Mariposa and Zeus in the first quarter of 2010, followed by the takedown of a branch of the Pushdo botnet in August 2010. Fourth-quarter takedowns included segments of the Bredolab and Koobface botnets. SpamIt.org was also shut down.

All in all, there is no silver bullet, notes Yaneza. "Enterprises should exercise due diligence in protecting their intellectual property by using layered security with the latest tools available. The layers should include usage policies and user education as part of a preventive regimen, including the use of collaborative and reputation technologies that stop the threat even before the gateway. Likewise, [companies should invest] in physical security that prevents threats coming from within one's organization in the form of mobile gadgets and other consumer devices that in today's environment serve dual-purpose needs."
