A sudden increase in spam has been identified in the latest security report issued today, as cyber-criminals gear up for a pre-Christmas blitz.
Spammers are using new weapons to evade detection by conventional security software and increase their success rate, according to the October 2006 Intelligence report from security firm MessageLabs.
One of these is a 'dropper' variant of the Warezov virus, which instructs the infected computer to download a second component, an executable file, from an IP address.
Usually the .exe file downloads a spam message and email addresses, turning the infected computer into a spam production house, MessageLabs senior analyst Paul Wood told vnunet.com.
Using a dropper technique means that Warezov does not have to deliver all its code in the initial infection, making it harder to detect using conventional antivirus software.
Furthermore, variations of Warezov have been issued in batches. Conventional antivirus software works by matching a virus signature, a characteristic sequence of bytes taken from the virus's code.
By altering the code subtly with each variation, the virus can evade detection until antivirus firms identify the new variation and issue an update.
Warezov variations have been released over weekends, when staffing levels at antivirus firms are lowest, which means that security firms have struggled to issue signature updates in time, according to Wood.
Large computer systems which use heuristic, or rules-based, filters can weed out these variations, but such tools are not viable for single PCs as they would sap too much processing power.
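To make the contrast between signature matching and rules-based heuristics concrete, here is an added Python example (not code from the original article or from MessageLabs). It uses three constructed byte strings as stand-ins for executables: an "original" dropper, a later batch variant that changes the download host and pads the string table with junk bytes, and a benign updater. The byte strings, API names and URLs are invented for illustration and are not Warezov's code. The exact-byte signature catches only the original, while the heuristic scores both malicious samples on their download-and-execute indicators and leaves the benign one alone.

```python
import re

# Constructed stand-ins for three Windows executables: a fake MZ header plus the
# strings a download-and-execute routine leaves in a binary's string table.
# These bytes are invented for illustration; they are not Warezov's code.
HEADER = b"MZ\x90\x00\x03\x00\x00\x00"

ORIGINAL = (HEADER
            + b"URLDownloadToFileA\x00"
            + b"http://203.0.113.10/stage2.exe\x00"
            + b"WinExec\x00")

# A later "batch" variant: same behaviour, but the author changed the download
# host and padded the string table with junk bytes between the strings.
VARIANT = (HEADER
           + b"URLDownloadToFileA\x00\x90\x90\x90"
           + b"http://198.51.100.7/s2.exe\x00\xcc"
           + b"WinExec\x00")

# A benign updater: downloads a text manifest and never executes anything.
BENIGN = (HEADER
          + b"URLDownloadToFileA\x00"
          + b"http://example.com/manifest.txt\x00"
          + b"MessageBoxA\x00")

# A conventional signature: a byte run lifted verbatim from the first sample
# (here, its whole string table). Anything that differs by even one byte misses.
SIGNATURES = {"Dropper.sample.a": ORIGINAL[len(HEADER):]}


def signature_scan(sample: bytes, signatures=SIGNATURES):
    """Return the name of the first matching signature, or None if no byte run matches."""
    for name, sig in signatures.items():
        if sig in sample:
            return name
    return None


# Rules-based heuristics: weighted indicators of download-and-execute behaviour.
# Byte padding or a new host does not change the score, because each rule looks
# for an API name or a URL shape rather than an exact byte run.
HEURISTIC_RULES = [
    ("download-api", re.compile(rb"URLDownloadToFile[AW]"), 2),
    ("exec-api", re.compile(rb"WinExec|ShellExecute[AW]|CreateProcess[AW]"), 2),
    ("url-to-exe", re.compile(rb"https?://[\x21-\x7e]+\.exe"), 2),
]
# Download + execute + an .exe URL together trip the rule; any one alone does not.
THRESHOLD = 5


def heuristic_score(sample: bytes):
    """Return (score, [names of the rules that fired]) for a sample."""
    fired = [name for name, pat, _ in HEURISTIC_RULES if pat.search(sample)]
    score = sum(w for name, _, w in HEURISTIC_RULES if name in fired)
    return score, fired


def heuristic_scan(sample: bytes, threshold=THRESHOLD):
    """True when the weighted indicators reach the detection threshold."""
    return heuristic_score(sample)[0] >= threshold


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{label:9} signature={signature_scan(sample)!s:18} "
              f"heuristic={heuristic_scan(sample)} {heuristic_score(sample)[1]}")
```

The design point is the cost the article alludes to: the signature check is one substring search per signature, while the heuristic runs several regular expressions over every file, which is why the article describes rules-based filtering as something large gateways can afford more easily than single PCs. A real heuristic engine weighs far more indicators than the three invented here, and the weights and threshold are assumptions chosen to make the example legible.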
Another weapon in the spammers' new arsenal is a spam-sending trojan dubbed SpamThru which employs the "spam cannon" technique. This uses a template for each spam and combines it with a list of email addresses, similar to a mail merge.
In October, the global ratio of spam in email traffic from new and unknown bad sources was 72.9 percent (one in 1.37 emails), an increase of 8.5 percent on the previous month, according to MessageLabs.
This is the sharpest rise in spam levels since January 2006, which saw an increase of 9.2 percent.
Spam is sent out by distributed networks of zombie computers, usually broadband-connected home PCs, recruited into criminal service by infection with a trojan without their owners' knowledge.
Security firms have destroyed botnets by attacking their command and control channel, usually concentrated at a single point, the equivalent of killing a monster by cutting off its head.
However, cyber-criminals are adapting the way botnets operate, distributing command and control using techniques similar to peer-to-peer networks.
Even if the principal command and control channel is destroyed, access to one zombie in the network can re-establish control, making the botnet much harder to kill.
MessageLabs revealed last week that it had detected a botnet of nearly one million zombie PCs being assembled.
This super-sized botnet uses distributed command and control, according to Wood, which on the surface makes it look like several smaller botnets, when in fact it can operate as a single entity with remarkable resilience.
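The resilience difference between a single command-and-control point and distributed control comes down to graph connectivity, and the added Python example below (not code from the article or from MessageLabs) makes it measurable. It builds two constructed botnets of 100 bots: a star in which every bot talks only to one controller node, and a peer-to-peer overlay in which each bot peers with its ring neighbours and one chord peer. The node names, the ring-and-chord topology and the choice of which nodes are taken down are assumptions for illustration. Removing the star's hub strands every bot; removing the first three peers of the overlay leaves a single surviving bot able to reach all the others, which is the "access to one zombie can re-establish control" property described above.

```python
from collections import deque


def star_botnet(n):
    """Centralised C2: every bot talks only to the single controller node 'c2'."""
    adj = {"c2": set()}
    for i in range(n):
        bot = f"bot{i}"
        adj[bot] = {"c2"}
        adj["c2"].add(bot)
    return adj


def p2p_botnet(n, chord=7):
    """Distributed C2: each bot peers with its ring neighbours and one chord peer,
    so no single node lies on every path. (Constructed topology, chosen for clarity.)"""
    adj = {f"bot{i}": set() for i in range(n)}
    for i in range(n):
        for j in (i + 1, i + chord):
            a, b = f"bot{i}", f"bot{j % n}"
            adj[a].add(b)
            adj[b].add(a)
    return adj


def reachable(adj, start, removed=frozenset()):
    """Nodes a controller can still reach from `start` after `removed` nodes are taken down.
    Breadth-first search that never steps onto a removed node."""
    if start in removed or start not in adj:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in removed and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def takedown_survivors(adj, removed, entry):
    """Fraction of surviving bots that can still be re-tasked from the single node `entry`."""
    alive = {node for node in adj if node not in removed and node.startswith("bot")}
    return len(reachable(adj, entry, removed) & alive) / len(alive)


if __name__ == "__main__":
    star = star_botnet(100)
    print("star, before takedown, from c2:   ", takedown_survivors(star, set(), "c2"))
    print("star, c2 removed, from bot0:      ", takedown_survivors(star, {"c2"}, "bot0"))
    p2p = p2p_botnet(100)
    seeds = {"bot0", "bot1", "bot2"}
    print("p2p, three seeds removed, bot50:  ", takedown_survivors(p2p, seeds, "bot50"))
```

The star drops to one controllable bot in a hundred as soon as the hub is gone, while the overlay stays fully controllable from any surviving peer. The example does not model how a real peer-to-peer botnet discovers peers or authenticates commands; it isolates the one property the article is making a point of, that cutting off the head only works when there is a head.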
MessageLabs argued that consumers should not have to protect themselves against these threats and that aggressive email filtering should be performed by ISPs before it reaches consumers' email inboxes.
This would also free bandwidth, allowing legitimate traffic to move more quickly.
Even large companies which can afford heuristic filters at the boundaries of their networks would benefit from this service because spam filtering currently consumes bandwidth and processing power on their networks.
Spammers gear up for pre-Christmas blitz
By Andrew Charlesworth on Nov 3, 2006 9:50AM