Spam finds a way

"There is going to be a real growth in 'pump and dump' spam," says Graham Cluley, senior technology consultant for anti-virus company Sophos. At the start of the year, this type of spam only accounted for 0.8 percent of spam, but by November had shot up to 13.5 percent.

"It is expected to grow even more," says Cluley. He noted that the number of new malware threats -- worms, viruses and their ilk -- rose by 48 percent, with 10,724 new threats recorded in 2004 rising to 15,907 in 2005. And this figure is likely to keep growing in 2006.

Pump and dump scams involve hyping the stock of a particular company, typically a small company with a share price in pennies, through false and misleading statements to the market or, in this case, to internet users. The scammer, who has already bought a large position in the shares cheaply, hopes that enough recipients of the email are duped into buying. Then, when the share price has been inflated, the scammer "dumps" his shares and the duped investors are left holding stock that falls back to its real value.

Lately, such schemes have been claiming that companies have developed effective medication against bird flu.

While most security professionals are clever enough to avoid these schemes, the problem remains of how to stop this and other types of spam clogging up email servers and eating up bandwidth. Spam filters will deal with such threats, but some experts argue that this approach is never going to solve the problem completely, and may in fact make it worse in the long term.

Neil Murray, CTO of email management and security company Mimecast, says spam will continue to get through because filters cannot deal with the "infinite variables" the content possesses.

"Content filters will always have content-based false positives, and therefore associated quarantines that the IT department or end-user must trawl through, which leaves employees forced to view sensitive content," says Murray. He says that the answer is to focus on authentication and reputation techniques, making filtering a second layer of defense.

The nature of spam is also undergoing rapid change. What started off as a nuisance became a problem and is now a big threat to the integrity of the corporate infrastructure. Spam is no longer just being used to sell dodgy medications, but to install trojans, adware and spyware.

The typical malware-carrying spam email comes with just a simple subject line and a URL; there is so little content that it slips past a content filter, but it is still an effective trap. The link, when clicked on, downloads malware to the desktop.

"Once installed, these trojans can enable remote attackers to harvest confidential passwords and access sensitive network data, or to use the infected system as a 'slave' in mounting other attacks, such as a DDoS or as a spam relay," says Piers Wilson, head of technical assurance at Insight Consulting.

"For an organization, the idea of its workstations being not only compromised, but then used to launch attacks against other organizations, is a major concern," he adds.

Virus and trojan writing and distribution has become a genuine, but highly illegal, industry. It is no longer the domain of socially inept teenagers sitting in bedrooms. Organized crime muscled into the action last year. The wiseguys now carry a laptop as well as a piece.

"Organized crime is taking a more sophisticated approach and hiring software engineers, researchers and others to help exploit the systems out there, and they are coming up with increasingly ingenious attacks, often leveraging key infrastructure components that are hard to shut off," says Brian Wilson, the CTO of email security company Mailfrontier.

There is a whole range of attacks criminals can use against organizations. With botnets of thousands of infected computers at their disposal, they can launch any manner of attack against organizations and individual users.

The theft of sensitive data is one major concern. Using the techniques learned from phishing scams, criminals are turning to "spear phishing." This is a phishing campaign focused on a small number of users, such as employees at a particular company or even a particular department within that organization, in order to gain access to confidential data.

"By using social engineering tactics and forging the email address used in the spear phishing email so as to appear to come from someone the recipient knows, the opportunities for a successful crime are increased," says Cluley. This sort of attack flies under the radar of most companies looking for the big outbreaks.
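The forged sender address Cluley describes is the one property of a spear phishing email that content filtering cannot see but that authentication-minded checks (the "first layer" Murray argues for above) can. The following is an added example, not code from the article or from any of the vendors quoted; it applies two header-level checks to constructed messages. The internal domain `example.com`, the staff names, and the messages themselves are all hypothetical.

```python
import email
from email.utils import parseaddr

# Hypothetical organisation data for this example: the domains the company
# sends mail from, and a few staff display names an attacker would borrow.
INTERNAL_DOMAINS = {"example.com"}
STAFF_NAMES = {"jane doe", "john smith"}


def address_domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message, internal=INTERNAL_DOMAINS, staff=STAFF_NAMES):
    """Return the reasons the From header looks forged (empty list if clean).

    Check 1: From claims one of our own domains, but the envelope sender
             (Return-Path, stamped by the receiving MTA) is external.
    Check 2: the display name is a known employee, but the address is not at
             one of our domains (lookalike-domain or free-mail impersonation).
    """
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = address_domain(msg.get("Return-Path"))

    reasons = []
    if from_domain in internal and envelope_domain not in internal:
        reasons.append(
            f"From claims {from_domain} but envelope sender is "
            f"{envelope_domain or 'missing'}"
        )
    name = display_name.lower()
    if from_domain not in internal and any(s in name for s in staff):
        reasons.append(
            f"display name '{display_name}' is a staff member but the "
            f"address is at {from_domain or 'an unknown domain'}"
        )
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED = """Return-Path: <b7k2@mail.attacker.example>
From: "Jane Doe (CFO)" <jane.doe@example.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LOOKALIKE = """Return-Path: <jane.doe@example-finance.net>
From: Jane Doe <jane.doe@example-finance.net>
To: accounts@example.com
Subject: Updated bank details

Our bank details have changed, see below.
"""

LEGIT = """Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch

Sandwiches are in the kitchen.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, spoofing_indicators(raw) or "clean")
```

In production the envelope check would be fed by the gateway's own SPF or DKIM verdict (for example an Authentication-Results header it adds itself) rather than by a Return-Path that an upstream relay could rewrite, and the staff list would come from the directory; the structure of the decision stays the same.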

Trojan threats are not limited to real-world money and data. A number of worms and trojans have been developed to steal credentials from players of MMORPGs (massively multiplayer online role playing games). Criminals use these credentials to steal virtual items from the games and sell them for real-world money.

"This move into the theft of virtual goods is hardly surprising when you consider the sums of money changing hands for virtual items in these virtual worlds," said Cluley. It's hard to believe, but a man in Miami recently spent $100,000 on a virtual space station.

It seems that behind every scam there is a botnet, and behind that botnet is a criminal gang. Chris Boyd, security research manager at FaceTime Communications, uncovered a botnet controlled by a criminal group in the Middle East. A worm recruited computers by propagating itself via the AOL Instant Messenger network.

The worm, once installed, not only downloaded and installed various adware and spyware applications (from which the group earned affiliate fees), it also installed a rootkit, "lockx.exe." This rootkit then listened in on an IRC channel to await further commands (a botnet master's favorite trick). Further programs could then be installed on demand to sniff out usernames, passwords and other personal information that can be used to steal identities.
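The IRC check-in described above is also what gives such a bot away on the network: an infected workstation opens an outbound connection and immediately speaks the IRC client protocol (NICK, USER, JOIN, then waits for PRIVMSG orders). The following is an added example, not code from the article or from FaceTime; it runs that detection logic over a handful of constructed log lines. The log format, the addresses and the payloads are all invented for the example, and checking the first command in the payload matters because a bot herder can move the server off port 6667.

```python
import re
from collections import defaultdict

# IRC's registered port plus the range servers conventionally listen on.
IRC_PORTS = set(range(6660, 6670)) | {194, 7000}
# Commands a client sends to register, join a channel and then wait for orders.
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "PONG"}

# Constructed log format for this example (not any real product's format):
# timestamp, source ip:port, destination ip:port, first bytes of the payload.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+'
    r'dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+payload="(?P<payload>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def irc_indicators(rec):
    """Reasons this connection looks like an IRC bot checking in (empty if none)."""
    reasons = []
    if rec["dport"] in IRC_PORTS:
        reasons.append(f"destination port {rec['dport']} is an IRC port")
    # The IRC command is the first whitespace-delimited upper-case token.
    cmd = re.match(r"[A-Z]+", rec["payload"])
    if cmd and cmd.group() in IRC_COMMANDS:
        reasons.append(f"payload starts with IRC command {cmd.group()}")
    return reasons


def suspicious_hosts(log_lines):
    """Map each source host to the outbound connections that look like C&C."""
    hits = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = irc_indicators(rec)
        if reasons:
            hits[rec["src"]].append((f"{rec['dst']}:{rec['dport']}", reasons))
    return dict(hits)


# Constructed sample log: one ordinary web request, an IRC registration and
# channel join on the standard port, an order received on a non-standard
# port, and an unrelated TLS connection from a clean host.
SAMPLE_LOG = [
    '2005-11-14T09:12:01Z src=10.1.2.3:49152 dst=203.0.113.5:80 payload="GET /index.html HTTP/1.1"',
    '2005-11-14T09:12:07Z src=10.1.2.3:49153 dst=198.51.100.9:6667 payload="NICK [00|USA|3f9k2]"',
    '2005-11-14T09:12:09Z src=10.1.2.3:49153 dst=198.51.100.9:6667 payload="JOIN #c0ntr0l s3cret"',
    '2005-11-14T09:13:40Z src=10.1.2.3:49160 dst=198.51.100.9:8080 payload="PRIVMSG #c0ntr0l :.update"',
    '2005-11-14T09:14:02Z src=10.1.2.7:50011 dst=203.0.113.44:443 payload=""',
]

if __name__ == "__main__":
    for host, conns in suspicious_hosts(SAMPLE_LOG).items():
        print(host)
        for dest, why in conns:
            print("  ", dest, "; ".join(why))
```

Smaller botnets, as Boyd notes below, mean fewer infected hosts per site, so a per-host view like this one, rather than a volume threshold, is what surfaces them; the same two indicators can be expressed as IDS rules once the log format is a real sensor's.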

While these botnets are not new, Boyd believes they are becoming smaller in order to avoid detection.

Hackers are changing their tactics in other ways. Boyd says that spyware merchants are looking at peer-to-peer networks, such as BitTorrent, as a means of distribution. The technology allows hackers to move large files more efficiently and anonymously through the internet.

"This is the next attack vector," says Boyd. "And it is definitely the craziest one I've seen bar none."

With so many new ways of compromising a computer, what can be done to keep an infrastructure free of malware?

"The clever hacker will identify a loophole that we have not foreseen," says Simon Heron, director of managed security service company Network Box. "The only people who are going to be ready for it are those who recognize this fact and have implemented a flexible defense that can be rapidly updated. It will require people to monitor their networks closely. The days of installing defenses and thinking you are safe are gone."