Who would have thought that it would be so easy to get PC and network users to install viruses, worms, application-downloading Trojan horses and other forms of malware on their PCs?
Through a simple form of social engineering — sending out enticing, unsolicited e-mail spam — Internet users are doing just that. Part 1 and Part 2 of this series discuss how users are also handing control of their PCs, along with all their computing and network power, over to robot network — or botnet — operators.
It is estimated that 10 to 25 percent of all PCs in the world are now part of botnets. The Storm spam-malware hybrid has grown to become the largest, most notorious of a new breed of spam-driven robot networks.
“What is frightening about the Storm group is not that they have built such a large botnet, but that they have proven that large numbers of systems can be compromised by simply asking the end user to install their malicious application. The Storm guys have shown that social engineering on a massive scale can build a powerful and monetizable security threat,” Adam O’Donnell, director of emerging technologies at Cloudmark, told the E-Commerce Times.
A Growing Specter
Using the very same tools and methods that are driving e-commerce growth — essentially all the means used to conduct e-mail advertising and Web marketing programs — botnet operators are duping Internet users into giving them the means to grow their businesses.
E-mail spam, banner ads, legitimate Web sites, image and .PDF files are all being co-opted and used as malware carriers, installing viruses, Trojan horses, worms and other forms of malware onto e-mail recipients’ and Web surfers’ PCs and turning them into a network of remotely controlled “zombie” slaves.
“Botnets are a problem because they allow spammers to scale without increasing their ability to be detected. Estimates range up to 70 million compromised computers are part of botnets,” Andrew Klein, senior marketing manager at SonicWall, told the E-Commerce Times.
“For that many bots to exist and be operational many companies are at least unknowingly involved, from ISPs (Internet service providers) who allow DHCP (Dynamic Host Configuration Protocol) users to suddenly send e-mail from a dynamic IP address, to registrars who allow people to register domains that are obvious spoofs of legitimate domains — citibanhk.com, ebay-secure.com, etc. — to e-mail hosting companies that don’t bother to virus-check e-mail for their customers,” he said.
The ability to generate and transmit spam via botnets provided spammers with two tools they did not have before, according to O’Donnell: excessive IP address space and excessive CPU (central processing unit) time.
“They used the increased CPU availability to write spam creators that could not only mutate messages for each transmission but also send far more complicated messages, such as image spam. Anyone with an e-mail account has seen the result for the past two years, namely all the various forms of image spam and PDF spam containers,” he said.
Newer forms of spam and the development of more sophisticated forms of distributed computing have enabled botnet operators to build what turns out to be self-sustaining networks of much larger size that are more difficult to detect.
“Malware and spam are symbiotic issues. The one drives the other. I don’t see any reason on the horizon — even several years out — to think that the malware and spam problem will get any better,” O’Donnell commented.
A Moving Target
The increasing scale, scope and sophistication of the spam-botnet malware distribution model is forcing IT security specialists and organizations of every size and stripe to take more costly and computing-intensive steps to thwart botnet operators’ efforts.
Botnets have been the largest contributor to spam for some time, and they are extremely effective at rendering IP-address based blocking, the most popular large-scale spam filtering method, ineffective, according to Cloudmark’s O’Donnell.
“Storm was the first multi-vector attack combining e-mail, Web sites and blogs — all coordinated to capture and infect users,” said Klein. “It also combined this with a virus that morphed variants quickly across the vectors, making the collection and blocking of such variants difficult. The number of infected machines ranges from 1 to 50 million depending on reports — we cannot verify this. The estimated number of spam messages generated by Storm-infected machines is certainly in the billions,” Klein elaborated.
While Storm wasn’t the first to display a multitude of variants, it has gone a long way towards perfecting the technique, according to Klein.
“For the last several years viruses have been able to produce variants, but usually only a few. For example, until about a year ago we could track variants by appending letters to each variant, Sobig.a, Sobig.b, and so on — the number was manageable.
“Now the practice is nearly worthless as Storm might have something like Storm.abgde and Storm.abgdf,” said Klein. “Once you can understand how a virus mutates to produce variants you can attempt to create signatures or at least heuristics that can detect the variant. Of course, this assumes that the virus will mutate in a logical fashion and that is not always the case.”
“Personally, I won’t surf anymore without using SandBoxIE, which works for Firefox as well,” commented Randy Abrams, director of technical education at ESET. “I also empty the Sandbox regularly. This is not a panacea, but it is a useful layer of defense.”
What to do? “Web hosts should filter out any active content from all banner ads when possible,” Abrams told the E-Commerce Times.
“I believe that Web ad abuse will be a significant and growing attack vector. If Web sites want to meaningfully protect their reputations as well as their viewers I think they need to either block active content from advertisements or use expensive white-listing technologies,” he suggested.
Abrams and other IT security professionals are advocating the adoption of much better approaches to establishing and verifying the reputations of Internet advertising agencies and specific advertising applets.
“This means that there also must be consequences to advertising agencies that provide malicious content, even inadvertently,” Abrams said. “It is only then that there will be financial incentive to know who is providing the actual content, who is developing it, and how to physically find them.”
The costs of combating the spam-malware system, both financial and in terms of network and systems performance, continue to grow.
“From a filtering perspective it is entirely context dependent. This means that a filter alone will produce massive false positives. Filtering is a part of the solution, but in its raw form is not accurate enough if you want to be able to get legitimate emails as well,” Abrams explained.
This is leading vendors such as Abaca to focus their efforts on using heuristics based on establishing the reputation of e-mail recipients’ mailboxes as opposed to e-mail sending sources.
“At St. Bernard, we recommend our antispam customers to ‘outbound’ with our service just as much as they use us for in-bound traffic,” Saxton-Getty said.
“What this does is allow us to scan their sent items before they arrive at their intended recipient. If a computer on a customer’s domain gets infected, we see it immediately, and we block it and contact the customer and tell them the exact computers to clean up the infection on. This is huge and it keeps the customer’s domain off of the many spammer blacklists. Once on these lists, it makes all e-mail from the customer’s domain suspect and it is very tough to get off of these lists,” he said.
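The outbound-scanning idea Saxton-Getty describes, spotting a compromised machine by the mail it sends rather than the mail it receives, can be illustrated with a small log-analysis script. The following is an added example written for this article, not code from St. Bernard or any product named here. It assumes a hypothetical relay log format of one line per outbound message (timestamp, internal source IP, recipient address), uses constructed sample data, and flags hosts whose short-window volume or spread of recipient domains looks like a spam bot rather than a person.

```python
"""Flag internal hosts whose outbound mail pattern resembles a spam bot.

Assumed (hypothetical) relay log format, one message per line:
    <ISO-8601 timestamp> <internal source IP> <recipient address>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.5 behaves like a person, 10.0.0.23 like a bot.
SAMPLE_LOG = """\
2007-10-15T09:00:01 10.0.0.5 alice@partner.example
2007-10-15T09:04:10 10.0.0.5 bob@partner.example
2007-10-15T09:30:22 10.0.0.5 alice@partner.example
2007-10-15T09:31:00 10.0.0.23 u01@mail-01.example
2007-10-15T09:31:03 10.0.0.23 u02@mail-02.example
2007-10-15T09:31:07 10.0.0.23 u03@mail-03.example
2007-10-15T09:31:11 10.0.0.23 u04@mail-04.example
2007-10-15T09:31:15 10.0.0.23 u05@mail-05.example
2007-10-15T09:31:19 10.0.0.23 u06@mail-06.example
2007-10-15T09:31:24 10.0.0.23 u07@mail-07.example
2007-10-15T09:31:28 10.0.0.23 u08@mail-08.example
2007-10-15T09:31:33 10.0.0.23 u09@mail-09.example
2007-10-15T09:31:38 10.0.0.23 u10@mail-10.example
2007-10-15T09:31:44 10.0.0.23 u11@mail-11.example
2007-10-15T09:31:50 10.0.0.23 u12@mail-12.example
"""


def parse_log(text):
    """Turn the assumed log format into (timestamp, source_ip, recipient) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, rcpt = line.split()
        records.append((datetime.fromisoformat(ts), src, rcpt.lower()))
    return records


def host_stats(records, window=timedelta(minutes=10)):
    """Per source IP: total messages, distinct recipients and domains, and the
    peak number of messages seen inside any sliding time window."""
    by_host = defaultdict(list)
    for ts, src, rcpt in records:
        by_host[src].append((ts, rcpt))

    stats = {}
    for src, msgs in by_host.items():
        msgs.sort()
        times = [t for t, _ in msgs]
        peak, start = 0, 0
        for end in range(len(times)):
            # Advance the window start until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        rcpts = {r for _, r in msgs}
        domains = {r.rsplit("@", 1)[1] for r in rcpts}
        stats[src] = {
            "total": len(msgs),
            "recipients": len(rcpts),
            "domains": len(domains),
            "peak_in_window": peak,
        }
    return stats


def flag_hosts(stats, max_per_window=10, max_domains=8):
    """Return {source_ip: [reasons]} for hosts exceeding either threshold.
    Thresholds are illustrative; a real deployment would derive them from a
    per-host baseline rather than fixed numbers."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if s["peak_in_window"] > max_per_window:
            reasons.append(f"{s['peak_in_window']} messages within one window")
        if s["domains"] > max_domains:
            reasons.append(f"{s['domains']} distinct recipient domains")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_hosts(host_stats(parse_log(SAMPLE_LOG))).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

The two heuristics are deliberately simple: a burst of messages in a short window and a fan-out to many unrelated domains are both things a desktop user rarely does and a bot almost always does. The payoff is the one the quote describes: the flagged IP identifies the exact machine to clean, before the domain lands on a blacklist.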
Taking Action Against Spam
Is there any way to plug all the holes in Windows or any other operating system, or otherwise prevent mass spam mailings and botnet herding?
“No. The risks can be minimized, but not eliminated,” SonicWall’s Klein asserted.
“The real question is can we stop spam,” he added. “The answer is that we have to break the economic cycle in two places. One, we have to make the creation of tools such as Storm to be expensive in both monetary and legal terms. There is a balance between creativity and proper use — think peer-to-peer — that we have to watch out for. Two, we have to make spam/phishing process more expensive, probably in legal terms, so we really can’t charge the sender if that person is part of a botnet.”
There is not enough of a financial incentive at this point for most site operators to take measures that may be considered draconian, ESET’s Abrams added.
“However, I believe that the problem will reach a magnitude that will warrant serious measures. The history of security in Microsoft operating systems and applications dictates that sites that are not looking at solving the problem of malicious ads are not learning anything at all from history and, as was the case with Microsoft, will not make changes until it hurts their image and bottom line.”
Fundamentally, the solution is not technical but social, Abrams concluded.
“People have to stop buying from spam. I have to wonder if there are really people, even 1 in 10 million, who are so stupid that they think it is a good idea to buy Viagra from an e-mail titled ‘Fires in California kill a second person.’ It would seem so. The economics of spam make eradication extremely difficult. The cost of spamming is so low that it takes very few purchases of spammed products to make it cost-effective.”