Spammers retool for a renewed assault
The botnets responsible for so much spam appear to be in a brief rebuilding phase, but any respite is likely to be brief and new threats loom on the horizon, according to e-mail security firm MX Logic.
“Over the long haul, there is no reason to think that the decline is going to continue,” said Sam Masiello, MX Logic’s vice president of information security.
Botnets are networks of compromised computers, remotely manipulated through control servers without the knowledge of their legitimate users. They can be used to distribute malicious code to compromise other computers, launch denial-of-service attacks against online resources and harvest sensitive information. Spam probably is the most visible product of these botnets, however.
Spam volumes took a sharp dive in November with the shutdown of McColo, a hosting company based in San Jose, Calif., that was identified as the source of a lot of unwanted e-mail messages. Since then the volume has been coming back up, although MX Logic observed a small drop in February. The percentage of spam dipped slightly in February to 83 percent of all e-mail traffic, down from 85.2 percent in January. Total volume of spam decreased by about 5 percent over that time.
“The bot masters are trying to build their botnets back up,” Masiello said. “There is a lot of variance even on a daily basis on how much spam is being sent and received.”
Several significant new botnets have appeared, including Xarvester, Waledac and Donbot. But the darkest cloud on the horizon appears to be Conficker, a rapidly growing network currently estimated at 12.5 million nodes that so far has been relatively dormant.
“It’s just sitting there,” Masiello said. It appears to be building up its resistance with new malware variants updating the nodes in an effort to make it more difficult to track command and control communications with servers. “At this point they are trying to find a way to build a botnet that is more resilient,” so that when it is activated it cannot be easily shut down. “It’s very scary.”
How it might be used is anyone’s guess at this point, but spam is a likely possibility. In that case, “we could easily be at or exceed pre-McColo levels,” Masiello said.
Another possible threat is the use of stolen personal data to create well-targeted spam campaigns. Data breaches continue to occur with millions of personal records being exposed on an almost monthly basis.
“They are likely going to be used for ID theft, mostly,” Masiello said. But the data also could be used to tailor fraudulent e-mails that could be convincing enough to entice even wary recipients to visit malicious Web sites or download malicious code.
Targeted spam that is crafted for a particular recipient is a growing problem. Because it can have a more legitimate look and feel, it is likely to have a higher success rate than traditional mass mailings that can be more easily identified and blocked or avoided. But that does not mean that mass mailings are likely to disappear or even decrease.
“The spam model is an almost pure profit model,” Masiello said. The overhead of sending out large volumes is so small that even a tiny fractional response rate can produce a profit.
So although the number of targeted spam e-mails is likely to increase, there is no reason to think the mass mailings will shrink, and all of the standard precautions such as not opening unexpected attachments and not clicking on links will continue to apply in the foreseeable future.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.