By Gregg Keizer
Nov 3, 2006
MessageLabs on Friday fingered a pair of Trojans for pushing up spam
rates, and said the duo use techniques that make it difficult for
anti-virus vendors to keep up.
According to the U.K.-based security provider, the sharp increase in
spam -- a jump to 72.9 percent of all mail in October from the previous
month's 64.4 percent -- was largely caused by two zealous Trojan
downloaders that have been infecting PCs, then using them to spew huge
amounts of junk mail.
"The Warezov Trojan is the most aggressive we've seen in quite a while,"
said Paul Wood, a senior analyst with MessageLabs. "Once on a system, it
downloads the next stage or component, but as it does, it changes a few
bytes in the code and essentially releases a new version. That makes it
very difficult for anti-virus systems to identify."
By mutating its own code -- done automatically, MessageLabs researchers
suspect, though they haven't found final proof -- Warezov, aka
"Stration," expands the attack window. "If anti-virus companies take
five to six hours to create a signature, the Trojan extends that time
even further with these new versions," said Wood.
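To show why "changing a few bytes" defeats a signature that hashes the whole file, here is a small Python illustration added to this article (it is not MessageLabs' code and contains no Warezov bytes; the payload is constructed pseudo-random data, and the n-gram similarity measure is a generic stand-in for the fuzzy-matching approaches vendors use, chosen here as an assumption). A four-byte change produces a new SHA-256 value every time, so an exact-hash signature for the previous variant never fires, while a byte n-gram comparison still scores the variant as almost identical to its parent:

```python
import hashlib
import random


def make_sample_payload(size: int = 512, seed: int = 1234) -> bytes:
    """Constructed stand-in for a downloaded stage: pseudo-random bytes, not real malware."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


def mutate(payload: bytes, n_bytes: int = 4, seed: int = 0) -> bytes:
    """Return a copy of payload with n_bytes randomly chosen bytes altered.
    Models the 'change a few bytes and release a new version' step described above."""
    rng = random.Random(seed)
    buf = bytearray(payload)
    for pos in rng.sample(range(len(buf)), n_bytes):
        buf[pos] ^= rng.randrange(1, 256)  # XOR with a non-zero value always changes the byte
    return bytes(buf)


def sha256_hex(data: bytes) -> str:
    """Exact-match 'signature': any single-byte change yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of all overlapping n-byte windows; a changed byte touches at most n of them."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def compare_variant(base: bytes, variant: bytes, n: int = 4) -> dict:
    """Compare a parent stage with a mutated child under both detection styles."""
    changed = sum(1 for x, y in zip(base, variant) if x != y)
    return {
        "bytes_changed": changed,
        "hash_match": sha256_hex(base) == sha256_hex(variant),
        "ngram_similarity": round(jaccard(byte_ngrams(base, n), byte_ngrams(variant, n)), 3),
    }


def demo(variants: int = 5) -> list:
    """Generate several 'new versions' of one stage and score each against the parent."""
    base = make_sample_payload()
    return [compare_variant(base, mutate(base, seed=s)) for s in range(variants)]


if __name__ == "__main__":
    for i, result in enumerate(demo()):
        print(f"variant {i}: {result}")
```

Each variant reports `hash_match` False with an n-gram similarity above 0.9, which is the gap the article describes: a whole-file hash has to be re-issued for every variant, whereas a similarity measure over the unchanged bulk of the stage keeps matching until the author changes far more than a few bytes.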
The other fly in the October ointment, said Wood, was SpamThru, another
piece of malicious code that has been hitting systems hard. SpamThru,
which was called out by other security companies last week, uses what
Wood called a "spam cannon" approach that relies on mail merge-like
templates to vary the outbound spam. That, said Wood, allows each spam
zombie to pump out millions of messages and still stay off blacklists.
SpamThru's flexible command-and-control also makes it much tougher for
ISPs, researchers, and authorities to knock offline. SpamThru relies on
peer-to-peer (P2P) style communication between the bots and their hacker
controller, said Wood. "Each bot learns about the other bots
participating in the same network. If a bot loses the command and
control channel, it can query the others for an alternate channel.
That really increases the resiliency of the botnet."
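The failover behaviour Wood describes, as an added toy simulation (not SpamThru's code; the controller names, peer-list size and bot count are made-up parameters): every bot holds a current C&C address plus a short list of other bots, and when its controller stops answering it asks those peers for one that still works. Running the same takedown against a botnet with and without peer lists shows why the peer lists matter to anyone trying to knock the network offline:

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Bot:
    bot_id: int
    controller: Optional[str]                          # C&C endpoint this bot currently reports to
    peers: List["Bot"] = field(default_factory=list)   # other bots it has learned about


class PeerAssistedBotnet:
    """Constructed model: bots fall back to asking peers when their controller goes away."""

    def __init__(self, n_bots: int, controllers: List[str], peers_per_bot: int, seed: int = 0):
        rng = random.Random(seed)
        self.live = set(controllers)                   # controllers still reachable
        self.bots = [Bot(i, rng.choice(controllers)) for i in range(n_bots)]
        for bot in self.bots:
            others = [b for b in self.bots if b is not bot]
            bot.peers = rng.sample(others, min(peers_per_bot, len(others)))

    def takedown(self, controller: str) -> None:
        """Simulate an ISP or researcher knocking one C&C endpoint offline."""
        self.live.discard(controller)

    def controlled(self) -> int:
        """Number of bots whose current controller is still reachable."""
        return sum(1 for b in self.bots if b.controller in self.live)

    def check_in_round(self) -> int:
        """One round: each orphaned bot queries its peers for a working controller.
        Returns how many bots regained a channel this round."""
        recovered = 0
        for bot in self.bots:
            if bot.controller in self.live:
                continue
            bot.controller = None                      # lost the channel
            for peer in bot.peers:
                if peer.controller in self.live:       # peer knows a live alternate
                    bot.controller = peer.controller
                    recovered += 1
                    break
        return recovered

    def recover(self, max_rounds: int = 5) -> List[int]:
        """Run check-in rounds until nobody recovers; return controlled count after each round."""
        history = []
        for _ in range(max_rounds):
            gained = self.check_in_round()
            history.append(self.controlled())
            if gained == 0:
                break
        return history


def simulate(peers_per_bot: int, n_bots: int = 200, seed: int = 7) -> dict:
    """Take down three of four (hypothetical) controllers and measure how much survives."""
    controllers = ["cc-a", "cc-b", "cc-c", "cc-d"]
    net = PeerAssistedBotnet(n_bots, controllers, peers_per_bot, seed)
    before = net.controlled()
    for c in controllers[:3]:
        net.takedown(c)
    after_takedown = net.controlled()
    history = net.recover()
    return {"before": before, "after_takedown": after_takedown,
            "after_recovery": history[-1], "rounds": history}


if __name__ == "__main__":
    print("no peer list :", simulate(peers_per_bot=0))
    print("5 peers each :", simulate(peers_per_bot=5))
```

With `peers_per_bot=0` the bots that pointed at a dead controller stay dead, so the takedown removes roughly three quarters of the network; with a peer list most of them re-home onto the surviving controller within a couple of rounds, and the controlled count climbs back toward the full population. The only takedown that sticks in this model is one that removes every reachable controller at once, which is the operational point behind Wood's remark about resiliency.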
Together, the two Trojans accounted for a huge number of spam messages
in October; MessageLabs alone snared nearly a million copies of the
newest Warezov variant during a 24-hour period late in the month.
"It's likely the spam rates will continue to rise through the end of the
year," added Wood, who noted that the fourth quarter is historically a
prime time for spammers to boost volume. "This is the highest [rate]
it's been for quite some time. I think it'll eke a bit further toward
In its end-of-the-month report on the state of messaging, MessageLabs
also noted that while the overall volume of phishing e-mails had
decreased slightly, the percentage of malicious messages that were
identity fraud related increased.
India remained the country hardest hit by virus-laden messages -- during
October, 1 in every 16 e-mails carried some kind of malware -- and also
saw the share of its mail categorized as spam nearly double: spam levels
rose by 20.5 percentage points over the previous month, to 49.3 percent.
MessageLabs' October report can be downloaded from MessageLabs as a PDF file.