Spam has surged to unprecedented levels in recent weeks, and one researcher has uncovered a major factor behind the onslaught.
A Russian gang of spammers used the SpamThru Trojan to engineer a tidal wave of junk mail hawking everything from stocks to pills, according to an analysis from Joe Stewart, senior security researcher for Atlanta-based SecureWorks Inc.
Stewart concluded that the spammers used the Trojan to grow a botnet of more than 70,000 machines that were used to churn out wave after wave of junk mail advertising pharmaceuticals and pump-and-dump stock schemes.
Working with the antispam group SpamHaus and the ISP, SecureWorks was able to access and analyze files from the SpamThru control server, Stewart said in the analysis report. In total, he said, zombie PCs in 166 different countries are part of the SpamThru botnet.
"The SpamThru controller keeps statistics on the country of origin of all bots in the botnet," Stewart said in his analysis. "Although the U.S. has the highest number of infections, bot distribution is not limited to any particular country."
Stewart said SpamThru operates in a limited peer-to-peer capacity, but all bots report to a central control server. The bots are segmented into different server ports, determined by which variant of the Trojan is installed. "The bots are further segmented into peer groups of no more than 512 bots, keeping the overhead involved in exchanging information about other peers to a minimum," he said.
SpamThru's successful infection rates are due to some innovative tactics, Stewart said. It can scan the system for other malware using a pirated copy of Kaspersky Anti-Virus. The scanning generates a report that may or may not be uploaded to the control server. "In the reports that were sent, we can see a list of infected files along with the name of the detected malware," he said. "Overall, 3,863 different-named malware variants were found on the systems that sent scan reports back to the control server."
SpamThru can also use a list of proxy servers maintained by the controller to evade antispam blacklisting of the bot IP addresses. "In this way, SpamThru acts as massive distributed engine for sending spam, but without the cost of maintaining static servers," he said. "Total spam capacity is fairly high. With 73,000 bots, given an average SMTP transaction time of five seconds, the botnet is theoretically capable of sending a billion spams in a single day."
The botnet also keeps general lists of millions of email addresses. One executable detected by Kaspersky Anti-Virus was Backdoor.Win32.Agent.ail, which was forcibly installed via SpamThru's remote-control mechanism. The executable was specifically designed to harvest email addresses from the hard drives of infected systems, allowing the spammer to reach users who have never published their email address online or given it to anyone other than personal contacts, Stewart said.
"It also appears the spammer made an effort to obtain more targeted lists of email addresses by hacking into smaller investment news Web sites and other e-businesses and downloading their user databases," he said. "This is likely due to the fact that pump-and-dump stock spam seems to be a primary motive of the botnet."
Based on file names and text found in the spammer's source code, Stewart concluded that SpamThru is operated by one or more Russians that tend to stick to a particular model of pump-and-dump stock and penis enlargement spam.
"Clearly, they are not concerned with the criminality of their endeavors, which is probably because Russia is not well known for prosecuting spammers or virus writers," Stewart said. "Because of these factors and the peer-to-peer nature of the SpamThru botnet, it is likely we will continue to see this spam operation continue for a long time to come."
Stewart's findings are the latest in a stream of reports showing spam at unprecedented levels.
San Carlos, Calif.-based Postini Inc. found, for example, that spam levels spiked by nearly 60% in an eight-week period, and that 91% of all their customers' email is now spam. Postini monitors 10 million users across 36,000 businesses worldwide. Of that number, the average user gets seven wanted emails a day, while Postini blocks 77 unwanted emails a day.
UK-based Sophos released a report identifying the top five spam-relaying countries in the third quarter of 2006 as:
- United States, 21.6%
- China, 13.4%
- France, 6.3%
- South Korea, 6.3%
- Spain, 5.8%
Sophos concluded that a possible reason for America's increasing lead in relayed spam when compared to its closest rival, China, is the emergence of over 300 strains of the mass-spammed Stratio worm. The worm, also known as Stration and Warezov, "uses a trick dependent on the victim being able to speak English in its attempt to convert innocent PCs into members of a spam botnet," Sophos said on its Web site.
Experts at Cupertino, Calif.-based Symantec Corp. said their research shows an overall spam increase of 22% in the last two months, almost all of which is the result of new, more resilient and stealthier spambots.
"These new bots are now doing real-time [DNS] lookups so their messages are not getting bounced nearly as often," said Vincent Weafer, senior director of development for Symantec's Security Response organization. "Our overall detection of them is going up, but it's still a big problem. They're definitely getting more sophisticated, smarter and more focused."
Weafer said that the level of intensity and volume in spam and phishing attacks has grown steadily throughout 2006 and he expects that trend to continue well into the new year.
"The attackers are doing things smarter. The tools the spammers are using are more sophisticated. They don't necessarily know the things they're using are from organized crime families or are meant to be backdoors; they just know they work better than they did before," he said. "The botnets are definitely the engine that's driving all of this. The command-and-control servers go away in one or two hours and pop up somewhere else, so there's a degree of frustration for those of us trying to shut them down. There isn't a magic bullet yet for this."