One of the most noteworthy IT security developments of 2003 is the convergence between spamming and viral techniques, leading to a much more dangerous threat for email users.
As Sobig and other viruses have demonstrated, the hijacking of PCs to send out mass mailings of spam takes the email security threat to a new level. The rise of broadband is also making this situation worse – as always on means always vulnerable – and next year this problem is set to continue. Crucially, these developments are set against a landscape in which traditional desktop-based security is proving inadequate. A far more sophisticated approach is required if the dynamic nature by which these new threats emerge is to be countered effectively.
Over the past 12 months MessageLabs has amassed a wealth of data for trend analysis, allowing predictions for the coming year to be made with a high degree of accuracy.
2004 will be the year when the line between different types of email threat – between the actions of virus writers and spammers – becomes increasingly blurred, to the extent that in practical terms it disappears. What will characterise the coming year in email security will be the rise of ‘convergence’ – the use of virus techniques by spammers, and vice versa, to propagate more serious and sophisticated threats.
The rise in email threats
In 2003 MessageLabs stopped one virus in every 33 emails sent – twelve months ago that same ratio was one in 212. Currently, three viruses a second are intercepted by MessageLabs’ technology. The situation for spam is even more alarming, with scanners intercepting one spam in every 2.5 emails – or a massive 27 spam emails every second – compared with one in 11 last year.
What was particularly noticeable over the past year, however, was how the techniques used to create viruses and spam became interlinked. Historically the vast majority of viruses have been written by misguided adolescent males, with a chip on their shoulder, a desire for malicious notoriety or an over zealous regard for blonde Russian tennis stars…
What viruses released in 2003 demonstrated clearly was that a new breed of virus writer is now on the scene, using email as the delivery mechanism for a more sinister, fraudulent intent. They’ve joined ranks with spammers who – seeking to gain as wide an audience as possible for their messages – have taken to using virus writing techniques to further propagate their unwanted information.
Sobig and the emergence of open proxies
The highest profile example of convergence was the emergence of SoBig, which hit the headlines in the summer. The initial reason was because it lived up to its name – its rapid and massive spread across the globe made it the worst ever in terms of volume. In August, MessageLabs stopped over a million copies of SoBig.F in a single day, at an incredible rate of one in every seventeen emails. By the end of the year over 33 million copies of the virus had been intercepted.
What became apparent soon after was the reason for this rapid and malicious spread. Not only did the virus mass mail from the email address book on the infected machine, but SoBig also dropped a Trojan that allowed for the installation of open proxies on infected machines. Compromised computers thereby formed a global network of relay points from which spam could be disseminated in significant volumes.
The concept of open proxies is often difficult to grasp, but it is crucial to a proper appreciation of convergence. Proxy servers were initially developed to allow PCs to link to the internet via a local network.
This is a useful connection, but has perhaps been overshadowed by the fact that, if left unguarded and open, they present a back door route into computer networks for malicious, if grateful, spammers.
The rise of this new threat has led security companies and ISPs to close the open proxies on a lot of machines. As a result, those looking to exploit them have had to become more devious – leading to the introduction of new viral attacks containing a trojan programme that will work to reopen the proxy server once inside.
Using this technique, spammers can use vulnerable machines to distribute their junk mail on a massive scale. Recent estimates suggest that as much as 60% of all spam is distributed using open proxies in this way, and again this figure is likely to get worse in the coming year.
Some techniques have already gained a terminology all of their own: ‘phishing’ for example is the use of email messaging to try and deceive users into revealing financial details. The virus MiMail.J is a classic example, which tried to dupe unsuspecting users of US financial house PayPal into providing confidential information, including credit card details. Citibank, Barclays, Lloyds TSB and eBay have all been targeted by the perpetrators of online fraud during the past three months.
Viruses adopted a ‘hit and run’ of approach – unlike previous examples such as SirCam or Klez they are not engineered with longevity in mind. Instead they rely on catching a crop of unsuspecting users before disappearing, usually to be followed closely by a new variant that is released so that the whole process can begin again. By the middle of December for example, there had already been eleven different strains of MiMail.
Spammers have always defended the legitimacy of their actions by claiming they are doing nothing illegal, that spam is a recognised marketing tool. Whilst this has been a dubious claim from the outset, the use of malicious email viruses to hijack computers and the identity of their unsuspecting users undermines this notion even further. And in the future the prevalence of spam being sent from innocent servers & workstations is only likely to increase.
Always on means always vulnerable
The problem is also likely to be exacerbated by the mass introduction of broadband connectivity, both at work and in the home. Recent research by The Yankee Group shows that over the past 12 months there has been a significant increase in the number of broadband internet connections taken up – with around half a million business lines in place by the end of 2003.
This always-on connection provides companies with terrific opportunities in terms of increased internet usage, but the advantages of speed and connectivity are somewhat mitigated when considering the implications for security.
Always on means always vulnerable – the 24/7 connectivity that broadband brings makes life much easier for the spammer seeking to hijack a machine. The research estimated that firms using broadband are up to five times more vulnerable to attack than those using traditional dial-up access.
How to tackle convergence
The combination of the convergence of virus and spam techniques, together with the vulnerability created by broadband connectivity, means that companies are having to fight email security threats as never before. Those that are doing so with only traditional security software on their desktops will find it difficult to cope. The essentially reactive nature of these services means that they are incapable of responding to the dynamic nature of viral spam.
A more sophisticated threat requires a more sophisticated solution, one that can stop the problem before it arrives by scanning email for unwanted content at the internet level.
A managed service, proactively seeking to identify and stop the dangers contained within seemingly harmless emails from equally innocent looking addresses, is the best way to ensure that a business is protected from attack.
In the future lie ever more dangerous threats from malicious spammers and virus writers. That is not just a prediction but a certainty. Equally sure is my resolution that, by understanding the true nature of the threat and dealing with it accordingly, we can stay one step ahead of convergence and any other threat that comes along.
Mark Sunner is Chief Technology Officer at MessageLabs