Sturdier Botnets Mean More Spam In 2007

If a control server is shut down, the spammer can easily update the rest of the bots with the location of a new server as long as he controls at

December 15, 2006

Network Computing

The late-2006 appearance of durable botnets was a tipping point in the back-and-forth battle against spammers, an industry analyst said Friday, predicting that spam will continue to gain ground on defenses.

Assembled by a Trojan called SpamThru, the new botnets are tougher to bring down, says Paul Wood, senior analyst with MessageLabs, a message security and filtering service. "The advent of Trojans like SpamThru makes it possible for each bot in the net to learn about the location of other bots. When a bot goes down or the command and control channel is compromised, the other bots know about it."

With SpamThru's techniques, if a control server is shut down, the spammer can easily update the rest of the bots with the location of a new server as long as he controls at least one bot in the net. And if a specific bot is shut down, its spam load can be quickly shifted to another, as-yet-undiscovered, bot.

"Until now, it's not been possible to regain control of a [compromised] botnet," says Wood. "This makes botnets much more resilient."

And that, says Wood, is bad news for companies and consumers plagued by a tidal wave of spam since September and October. "In the last few months, certainly from September-October, spam has become much more aggressive."

Most spam watchers, including MessageLabs, have noted large spikes in spam volume in the last three months of 2006. From September to October, for instance, MessageLabs tracked a 13% increase in the percentage of all mail pegged as spam.

The techniques pioneered by SpamThru, which first appeared in October, will be applied by more spammers in 2007, Wood predicts.

MessageLabs is also tracking several other spam trends it believes will bear fruit for criminals next year.

"Phishing has really taken over," he says. "As a proportion of the traffic in malicious e-mail, phishing now accounts for 68.6% of the total." At the beginning of 2006, the rate was only 10.6%. Attackers have ditched virus and worm development and replaced that with increasingly sophisticated phishing campaigns, some of which are extremely targeted. "People who were creating viruses and Trojans are shifting to phishing. They're using very personal information, such as mail codes or zip codes or addresses, which make the phish much more compelling."

Wood also worries about a boost in "ransomware," the practice where criminals gain access to a computer, encrypt some or all of its data files, and then send e-mails demanding payment in return for the key that unlocks the documents.

"The next generation of ransomware could be much more sophisticated," says Wood. All criminals need to do, he says, is increase the strength of the encryption, which would make it much more difficult -- and possibly impossible -- for security researchers to break the key, as they've done in the past.

With the upcoming year looking treacherous, Wood had little hope for an end to the spam battle.

"We can't make the problem go away altogether," he says. "Even the best defense can only be so effective."
