International Issue: August 2005
Combating the Zombie Army
PCs hijacked by spammers to act as proxy e-mail servers — so-called 'zombie computers' — are the latest threat to ISPs.
by Graham Cluley
Spam is the bane of our email lives. It is irritating for users, causes downtime for businesses and presents an ongoing challenge for internet service providers (ISPs). Spammers aim to grab as much money as they possibly can through unsolicited, commercial email — whether for themselves or for third parties. Their relentless, psychological tricks outwit users far too often.
That’s not to say they’re unstoppable. The defences to combat spam are growing ever more powerful but new spamming techniques continue to emerge, demanding a variety of tactics to deal with them.
But some of these tactics can be implemented by ISPs. Good ISPs, for example, have enforced policies to ensure they do not knowingly provide network services for spammers; some actually block all unsolicited email in an attempt to nullify the threat. Simple methods of tagging the subject lines of suspicious emails with the phrase ‘spam’, filtering the emails directly into a junk folder or blocking them completely are proving successful. Reputable ISPs ensure this remains transparent to users and provide the service for free or very little charge. Web pages where users can oversee their personal anti-spam protection are also very helpful.
Spammer in the works
But the spammers have fought back. They are now effectively and fiercely implementing a range of new techniques to try and slip past email filtering systems, just like the writers of computer viruses who have been forced to adapt and develop new tactics to spread their malicious code.
Many service providers report an upsurge in spam traffic immediately following a worm attack — evidence that spam and virus threats are converging. While it is true that people still write viruses for other reasons, an economic incentive is driving innovation in the virus writer community in a different direction — namely quietly hijacking, rather than noisily vandalising, computer systems. Previously, cyber criminals just wanted to gain notoriety, which meant causing obvious damage. Now they have a financial inducement.
Spammers, meanwhile, are increasingly turning to illegitimate providers to meet the demand for the specialised tools and services needed to make spamming more effective. The various relationships include virus writers and hackers supplying the infrastructure needed to deliver spam; spammer services supplying specialised skills and resources; and spamming software coordinating spammer services and managing campaigns.
Armed with these new tools and resources, spamming operations have evolved from individual efforts to a massive underground economy powered by spammers, virus writers and hackers, all intent on making money through unsolicited email.
Take ‘phishing’, for example, which is a technique to unlawfully gain personal information from an internet user. These spam emails sometimes manage to break through filters by pretending to be from a familiar source, such as the user’s bank. They then lead the unsuspecting victim to hand over personal information so that money can be stolen. Phishing is on the rise and approximately two per cent of targeted computer users will reply, enabling the fraudsters to make a lot of money.
The coordinated efforts of this new illicit community have formed a relay team in the technology race against users, ISPs, businesses and the security industry. A race that is perpetuated by rapid innovation and increasingly sophisticated tools.
The rise of the zombies
Spammers who send out vast quantities of junk through their own ISP tend to quickly lose their accounts. So, in the fashion of when one door closes another opens, spammers have turned to PCs belonging to other users — without them even realising.
PCs hijacked by spammers to churn out their wares are known as zombies and are perhaps the most effective tool in the spamming armoury. The illicit relay team uses home computers to send bulk emails by the millions, taking advantage of security weaknesses to install hidden software that turns innocent consumers’ computers into mail or proxy servers. Bulk mail is then routed through these spam zombies, obscuring its true origin. In a short amount of time, zombie systems can throw out huge amounts of spam from many different locations and here lies the latest challenge for ISPs — controlling the outgoing email of their subscribers.
Zombie computers are a growing problem, currently generating over 50 per cent of all spam. Users fail to realise they are being used to spew spam to all the email addresses on their hard drive due to the complex control mechanisms the spammers hide behind. It is in the spammer’s best interests that the user remains blissfully ignorant, that way no action is taken to stop the spread. By relaying the spam messages, spammers are also able to get around country-specific legislation that prohibits the sending of spam in certain regions.
The recent Sober worms are a prime example of what can now be done through a zombie and just how sophisticated the spamming-virus machine has become. These worms spread via email systems using a variety of enticing subject lines to persuade users to click on an attached file, thereby launching the virus and forwarding the infected mail to harvested addresses.
One variant — Sober-N — posed as free tickets for the 2006 World Cup in Germany. This broke into computer systems in more than 40 countries across the world and was responsible for an astonishing 4.5 per cent of all email sent across the internet and accounted for nearly 80 per cent of all virus reports at its peak. Due to the sheer amount of email the worm can send, computer users found their mailboxes filling up and affected companies had to bear the brunt of slower email.
Thousands of PCs compromised by Sober-N sat waiting silently and were then used by a new variant of the worm to churn out German nationalistic spam. As spammers continue to collaborate aggressively with virus writers to create armies of zombie computers in this fashion, legitimate organisations with hijacked computers are thrown into the firing line, themselves identified as sources of spam.
Up-to-date anti-virus software continues to protect businesses from the Sober worm. However, it seems that many home users are complacent and, hence, allow their PCs to belch out more and more emails. This is worsened by the increased adoption of always-on broadband, which means infected machines can constantly spew out spam. While Great Aunt Mary is quietly knitting in the conservatory, her computer may be sending out ads for Viagra behind her back. Simply ensuring the latest operating system patches are applied along with a decent firewall will make it significantly harder for PCs to be compromised and for spammers to rally a zombie network.
A call to arms
When the zombie problem first cropped up, it was largely ignored by service providers, which had neither the resources nor the money to invest in dealing with the problem. However, the cost of ignoring this issue recently resulted in approximately one million Telewest addresses being blacklisted by the Spam Prevention Early Warning System (SPEWS). Blacklisting organisations operate on political rather than technical grounds. However, whether they are a private or public organisation, their work can seriously dent a reputation in the eyes of current and prospective customers — proving a very successful call to action for ISPs.
Larger service providers, such as AOL, were heavily criticised when they didn’t take action. Today, AOL and many of its counterparts boast a stronger, safer service and have managed to prevent their users’ zombies being the source of spam. Despite the fact that around 35 per cent of the world’s spam originates from the US, providers there have tightened up a great deal and really knuckled down on the zombie problem. They set a good example to those who have failed to clean up their act. The UK and Asia Pacific, meanwhile, have been particularly slack.
Since most large providers have now taken steps to tackle the problem, it is the medium-sized providers that are increasingly at risk. Spammers are more likely to target them because security is liable to be weaker, meaning they can relay their spam more quickly and easily. If these medium-sized providers don’t implement safer measures soon, the danger is that they will be ousted from the market.
Complacence — or ignorance — about the converged threat environment is not an option for any service provider that wants to survive in such a saturated marketplace. All must take action against spam and identifying zombie computers based on suspicious behaviour is the first vital step to achieve this. Crucially ISPs must scan outgoing emails as well as those coming into their systems.
But it is not an impossible battle. Blocking port 25 will prevent a zombie PC from barfing out email directly to its targets, forcing the email to be relayed through the provider. This allows them to monitor both the amount of email and the speed at which it is coming out. Certain indicators will help the ISP see when something is amiss. Those providers intent on canning spam should offer throttling services when they see weird activity, allowing them to slow down the stream of email. When they are assured something is wrong, they can quarantine the spam in order to stem its flow.
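The monitoring the article describes (once port 25 is blocked and all mail passes through the provider's relay, watch each subscriber's volume and rate, throttle on suspicion, quarantine when sure) can be sketched as a sliding-window count. This is an added illustration, not code from the article or from Sophos; the relay-log format, the subscriber ids and the two thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample from a hypothetical ISP relay log, one submission per line:
# "<ISO timestamp> <subscriber id> <recipient count>"
SAMPLE_LOG = """\
2005-08-01T10:00:00 sub-001 1
2005-08-01T10:00:05 sub-042 40
2005-08-01T10:00:10 sub-042 40
2005-08-01T10:00:20 sub-007 120
2005-08-01T10:00:25 sub-007 120
2005-08-01T10:00:30 sub-001 2
2005-08-01T10:00:40 sub-007 120
2005-08-01T10:02:00 sub-042 5
"""

# Assumed thresholds: recipients per one-minute window.
THROTTLE_RATE = 60     # slow the stream and point the user at the zombie advice page
QUARANTINE_RATE = 300  # hold mail for review; the machine is almost certainly a relay

RANK = {"ok": 0, "throttle": 1, "quarantine": 2}

def parse_line(line):
    """Parse one relay-log line into (timestamp, subscriber, recipient count)."""
    ts, subscriber, recipients = line.split()
    return datetime.fromisoformat(ts), subscriber, int(recipients)

def classify_subscribers(log_text, window=timedelta(minutes=1)):
    """Sliding-window recipient count per subscriber; the worst state seen wins.

    A burst that later quietens down still leaves the subscriber flagged, which
    matches how an ISP would treat a machine that has already shown zombie behaviour.
    """
    recent = defaultdict(deque)      # subscriber -> (time, recipients) inside the window
    total = defaultdict(int)         # subscriber -> recipients currently inside the window
    state = defaultdict(lambda: "ok")
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, sub, n in events:
        recent[sub].append((ts, n))
        total[sub] += n
        while recent[sub] and ts - recent[sub][0][0] >= window:   # expire old entries
            total[sub] -= recent[sub].popleft()[1]
        if total[sub] >= QUARANTINE_RATE:
            new = "quarantine"
        elif total[sub] >= THROTTLE_RATE:
            new = "throttle"
        else:
            new = "ok"
        if RANK[new] > RANK[state[sub]]:
            state[sub] = new
    return dict(state)
```

On the constructed log, sub-001 stays "ok", sub-042 is throttled for an 80-recipient burst and sub-007 is quarantined after 360 recipients inside one minute.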
It is also imperative that service providers add email authentication because, although some threats are programmed to look for authentication and then steal it, many do not have this sophistication. It is worth noting though that an authenticated sender’s stamp can suggest a threat is at work.
After noticing a great deal of email spilling out of an account, providers could direct the user to a page about threats such as zombies, encouraging them to consider whether they are hosting a spam relay machine without even knowing it. Providing subscribers with straight talking advice on how to practise safe computing is also essential. Ideally, providers should be able to cut off those who continue to spew viruses and spam onto others.
Of course, individuals must also take responsibility for the spam problem — the ISP should not have to act as a nanny. Every user should ensure they have a properly patched PC, firewalls, up-to-date anti-virus and anti-spam software. A scheme similar, in theory, to the cycling proficiency test that provides practical advice for those who wish to keep squeaky clean online would be a good idea. Though this could not be imposed on people, it is an additional service ISPs could look to provide.
Controlling outgoing email will help service providers by protecting their reputations and preventing them appearing on the dreaded blacklists. Moreover, it will reduce the bandwidth that gets consumed by their users’ infected PCs.
The introduction of standards for best practice with guidelines for ISPs that can be self-regulated would be hugely beneficial for the industry. Perhaps some kind of enforcement for the worst offending ISPs should also be implemented, to truly inject a ‘no excuses’ approach to clamping down on spam.
ISPs need to work closely with the security industry to battle spam and protect all computers from being compromised by spammers. Only through a united approach, along with a combination of user education, technology — in the form of multi-layered defence — and enforced legislation will we be able to reclaim inboxes back from the bad guys.
Graham Cluley, senior technology consultant, Sophos, a computer security specialist (www.sophos.com)