The new face of spamming

Spam - unsolicited email - is driving IT departments crazy. It wastes network and storage resources, steals time from staff and diverts IT resources to managing defences and poring over quarantine lists.

In short, most IT departments would love to get their hands around the throat of the nearest spammer - until they discover that they'd be throttling themselves, because many businesses are unwitting hosts to a new breed of malware called the 'spam zombie'.

Spam zombies are PCs and servers that have been hijacked and programmed to send out spam. Lots of spam. Much of the early press on this new threat has focused on the home PC user (the so-called 'soft underbelly' of the Internet). But if home PCs account for two-thirds of spam, as has been reported, the remaining third must come from PCs that live in businesses or government offices - the zombie in pinstripes.

In other words, thousands of businesses are acting as free distribution centres for spammers - and helping to cover their tracks as well.

It's a bitter irony. While businesses spend thousands and thousands trying to kill spam, many are blindly sending it out by the million.

Here's how it works. A business user receives an innocent-looking email and opens the attachment. A 'Trojan Horse' program automatically and invisibly installs itself on the user's PC and sends a message to a remote master, announcing a new, wide-open 'back door' and seeking further instructions.

The sinister instructions can include a virus or a keystroke logger (which steals passwords or other sensitive information). Or they might simply turn the host PC into a spam server, further spreading spam, viruses and malicious code. Corporate resources are probably the most prized by spammers, because zombies on a corporate high-speed connection are particularly dangerous: a zombie on a high-speed connection can infect thousands of other machines on cable/DSL each hour, loading up proxies or SMTP relays in the process. These act as a conduit to many other zombies, effectively concealing the spammer in question.

A new era dawns

Spam zombies are part of a new generation of Internet-borne threats. The first generation of hackers and virus writers were essentially misguided hobbyists and vandals. Typically, they'd have nothing to do with spammers, the 'pond life' of the Internet.

But increasingly, hackers, virus writers and spammers are converging to deploy sophisticated, multi-stage attacks driven by a much more powerful motive: profit.

The commercial imperative has even created a secondary market, as hackers rent clusters of tens of thousands of zombie PCs to spammers on a daily or weekly basis. It cost roughly $500 for 10,000 hosts last summer, when the MyDoom and Blaster worms first appeared. According to Andrew Kirch, a security administrator at the Abusive Hosts Blocking List, the price has probably doubled since then. By his reckoning, non-exclusive access to compromised PCs sells for about 10 cents a throw.

In short, viruses are spreading spam and spam is spreading viruses. The once discrete threats are merging into a wider content security problem that is best solved holistically rather than through the piecemeal approach we're used to today.

Making spamming pay

Just as government and industry initiatives try to stem the spam tide, zombies are making it easier, safer and more profitable for spammers.

With their own zombie network, spammers can send out many millions of emails without owning a single server - with the added benefit that their zombie hosts mask their activities.

Even with extremely low response rates for spam emails - some put the figure at one response per 40,000 messages - the vast numbers and minuscule costs can generate serious profits.

The business zombie

IDC estimates that 56% of Europe's PCs are in businesses rather than homes. While these PCs tend to be better defended than the typical home PC with its 'always on' broadband connection, they're still far from immune to the zombie threat.

Spammers and virus writers may not even be aiming for business PCs, but their indiscriminate, shotgun approach means that many business PCs have already been turned into zombies.

Visible damage

Since spam zombies work invisibly, some companies might be tempted to look the other way and let them get on with their business. But most companies see spam as a serious enemy and are loath to play a part in distributing it.

Beyond this moral objection, every company has much to fear from the zombies in their midst. Not only do zombies take up significant bandwidth, they can also cause the company to be blacklisted by the various spam-watching organizations.

Being blacklisted means the company won't be able to send out any email at all - a crippling blow to most businesses. And getting removed from the blacklists can take hours or even days.

In the recent Spam Monitor Survey commissioned by Clearswift, a staggering 84% of businesses reported having been blacklisted at least once. While ill-considered email marketing may have caused some of this, much of it has been caused by corporate zombie activity.

Finally, being the source of millions of spam messages can pose a reputation risk for any business - one of the reasons that more noise has not been made about the zombie threat.

Zombie defence

For most spammers, spamming is a full-time job. For most IT departments, on the other hand, fighting spam is just one of hundreds of important tasks they are responsible for. It's no wonder that the bad guys have taken the lead.

But there is a lot that any business can do to protect itself against zombie attacks - and to identify and remove zombies already inside the company.

The basic firewall and intrusion detection defences that most businesses employ are clearly not enough: email (and its dangerous cargo) passes through firewalls, often because of misconfiguration. Web traffic and web-based email also use open ports on firewalls and make handy conduits for the code that turns PCs into zombies.

Anti-virus and anti-spam packages will catch many of the incoming threats - if deployed intelligently and updated religiously (something few companies do well enough). But even these leave holes wide open for the new generation of malware.

The key to prevention is a multi-layered defence that includes a blend of different anti-spam and anti-virus solutions and - crucially - a content security solution that can stop malicious code even before the anti-virus and anti-spam filters have been updated in response to new threats.

A content security solution closes the gaping hole in most companies' defences, allowing IT departments to block entire classes of attachments even if a virus patch has not yet been issued.
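The attachment-class blocking described above can be illustrated with a small gateway filter. This is an added example, not code from the article or from Clearswift: the extension list, the executable magic bytes and the three-attachment sample message are all constructed for illustration. The point it demonstrates is that policy decides by what the attachment is (extension and real content), so a disguised executable is stripped whether or not any anti-virus signature exists for it yet.

```python
"""Policy-based attachment filtering: block whole classes of attachments by what they
are, not by whether an anti-virus signature exists for them yet."""
import email
from email.message import EmailMessage
from email.policy import default

# Hypothetical policy for this example: file extensions blocked outright, and
# content signatures (magic bytes) that identify executables whatever their name.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
EXECUTABLE_MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "elf-executable"}


def classify(filename, data):
    """Return the list of policy reasons to block this attachment (empty = allowed).

    Checks both the declared extension and the real content, so an executable
    renamed to 'statement.pdf' is still caught by its MZ header.
    """
    reasons = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is {kind}")
    return reasons


def filter_message(raw_bytes):
    """Parse a raw RFC 5322 message and return {attachment name: [block reasons]}."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        verdicts[name] = classify(name, data)
    return verdicts


def blocked_names(verdicts):
    """Names of the attachments the gateway would strip or quarantine."""
    return sorted(name for name, reasons in verdicts.items() if reasons)


def build_sample():
    """Constructed sample message with three attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # 1. A genuine-looking PDF: allowed.
    msg.add_attachment(b"%PDF-1.4\n%constructed minimal pdf body\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    # 2. A Windows executable header renamed to .pdf: caught by content, not by name.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
                       maintype="application", subtype="pdf", filename="statement.pdf")
    # 3. An openly executable attachment: caught by both checks.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
                       maintype="application", subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    result = filter_message(build_sample())
    for name, reasons in result.items():
        print(f"{name}: {'BLOCK (' + '; '.join(reasons) + ')' if reasons else 'allow'}")
```

Run stand-alone, it reports the PDF as allowed and the other two as blocked. In a real gateway the extension and magic lists would be far longer and archives would be opened and inspected recursively; the structure of the decision stays the same.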

It is also important for IT departments to monitor their email and web traffic to look for the telltale signs of active spam zombies - including dramatically increased traffic from a single PC; outgoing emails that don't come from the known mail servers; and message IDs in mail headers that differ from the company's own IDs.

Most IT departments only notice the presence of a spam zombie when their network performance is compromised by the extra activity. And if they have enough spare capacity, they may never notice at all. That's why it's important to monitor traffic, spot the zombies and drive them out of the building.
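The three telltale signs listed above (a traffic spike from a single PC, outbound mail from hosts other than the known mail servers, and Message-IDs carrying a domain other than the company's own) can be checked automatically against outbound connection logs. The following is an added example, not code from the article or from Clearswift; the network addresses, baselines, Message-ID domain and the sample log are all constructed for illustration.

```python
"""Spotting the telltale signs of an active spam zombie in outbound mail traffic:
a traffic spike from one PC, outbound SMTP from a host that is not a mail server,
and Message-IDs that do not carry the company's own domain."""
from collections import Counter, defaultdict

# Assumptions for this example (hypothetical network, not from the article):
KNOWN_MAIL_SERVERS = {"10.0.0.25"}          # only these may send SMTP to the Internet
COMPANY_MSGID_DOMAIN = "mail.example.com"   # domain part of Message-IDs our servers generate
BASELINE_PER_HOST = {"10.0.0.25": 2000, "10.0.1.17": 5, "10.0.1.42": 5}  # normal daily counts
SPIKE_FACTOR = 10                            # "dramatically increased" = 10x the host's baseline
SMTP_PORTS = {25, 587}

# Constructed sample log of one day's outbound connections seen at the perimeter:
# (source_ip, destination_port, Message-ID header of the submitted message).
SAMPLE_LOG = (
    [("10.0.0.25", 25, "<20240101.1@mail.example.com>")] * 1800   # real mail server, normal volume
    + [("10.0.1.17", 25, "<x7k2@mail.example.com>")] * 3          # workstation sending a few mails directly
    + [("10.0.1.42", 25, "<9f3a1c@zombie-control.invalid>")] * 400  # workstation blasting mail with foreign IDs
)


def msgid_domain(message_id):
    """Domain part of a Message-ID like '<local@domain>', or None if unparseable."""
    if not message_id or "@" not in message_id:
        return None
    return message_id.strip("<> ").rsplit("@", 1)[1].lower()


def outbound_counts(records):
    """Number of outbound SMTP connections per internal host."""
    return Counter(src for src, port, _ in records if port in SMTP_PORTS)


def traffic_spikes(counts, baseline=BASELINE_PER_HOST, factor=SPIKE_FACTOR):
    """Sign 1: hosts whose outbound volume is far above their own baseline."""
    return {h for h, n in counts.items() if n > factor * baseline.get(h, 1)}


def unexpected_senders(counts, known=KNOWN_MAIL_SERVERS):
    """Sign 2: outbound mail that does not come from the known mail servers."""
    return {h for h in counts if h not in known}


def foreign_message_ids(records, domain=COMPANY_MSGID_DOMAIN):
    """Sign 3: hosts emitting Message-IDs whose domain differs from the company's own."""
    return {src for src, port, mid in records
            if port in SMTP_PORTS and msgid_domain(mid) not in (None, domain)}


def triage(records, baseline=BASELINE_PER_HOST):
    """Per-host list of matching signs, most suspicious host first."""
    counts = outbound_counts(records)
    reasons = defaultdict(list)
    for h in traffic_spikes(counts, baseline):
        reasons[h].append("traffic spike")
    for h in unexpected_senders(counts):
        reasons[h].append("not a known mail server")
    for h in foreign_message_ids(records):
        reasons[h].append("foreign Message-ID domain")
    return {h: reasons[h] for h in sorted(reasons, key=lambda h: (-len(reasons[h]), h))}


if __name__ == "__main__":
    for host, why in triage(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(why)}")
```

On the sample data the real mail server raises no alarm, the workstation that sent three messages is flagged only because it bypassed the mail servers, and the workstation with 400 outbound connections and foreign Message-IDs matches all three signs. Feeding the function a daily export from the firewall or mail proxy, with the baseline measured over a quiet week, gives the kind of monitoring the article calls for without waiting for network performance to suffer.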

Spam zombies are an early incarnation of the new generation of sophisticated, multi-stage digital attacks against business. We can all do our part to defend against them and to root them out. Because if your company is not part of the solution, it's part of the problem.

Pete Simpson is ThreatLab Manager, Clearswift
