http://www.informationweek.com/news/showArticle.jhtml?articleID=193501739

By Gregg Keizer
TechWeb News
Nov 3, 2006

MessageLabs on Friday fingered a pair of Trojans for pushing up spam rates, and said the duo use techniques that make it difficult for anti-virus vendors to keep up.

According to the U.K.-based security provider, the sharp increase in spam -- a jump to 72.9 percent of all mail in October from the previous month's 64.4 percent -- was largely caused by two zealous Trojan downloaders that have been infecting PCs, then using them to spew huge amounts of junk mail.

"The Warezov Trojan is the most aggressive we've seen in quite a while," said Paul Wood, a senior analyst with MessageLabs. "Once on a system, it downloads the next stage or component, but as it does, it changes a few bytes in the code and essentially releases a new version. That makes it very difficult for anti-virus systems to identify."

By mutating its own code -- done automatically, MessageLabs researchers suspect, though they haven't found final proof -- Warezov, aka "Stration," expands the attack window. "If anti-virus companies take five to six hours to create a signature, the Trojan extends that time even further with these new versions," said Wood.

The other fly in the October ointment, said Wood, was SpamThru, another piece of malicious code that has been hitting systems hard. SpamThru, which was called out by other security companies last week, uses what Wood called a "spam cannon" approach that relies on mail merge-like templates to vary the outbound spam. That, said Wood, allows each spam zombie to pump out millions of messages and still stay off blacklists.

SpamThru's flexible command-and-control also makes it much tougher for ISPs, researchers, and authorities to knock offline. SpamThru relies on peer-to-peer (P2P) style communication between the bots and their hacker controller, said Wood. "Each bot learns about the other bots participating in the same network. If a bot loses the command and control channel, it can query the others for an alternate channel. That really increases the resiliency of the botnet."

Together, the two Trojans accounted for a huge number of spam messages in October; MessageLabs alone snared nearly a million copies of the newest Warezov variant during a 24-hour period late in the month.

"It's likely the spam rates will continue to rise through the end of the year," added Wood, who noted that the fourth quarter is historically a prime time for spammers to boost volume. "This is the highest [rate] it's been for quite some time. I think it'll eke a bit further toward 100 percent."

In its end-of-the-month report on the state of messaging, MessageLabs also noted that while the overall volume of phishing e-mails had decreased slightly, the percentage of malicious messages that were identity fraud related increased.

India remained the country hardest hit by virus-laden messages -- during October, 1 in every 16 e-mails carried some kind of malware -- but also witnessed almost a doubling of the percentage of mail categorized as spam. Spam levels increased by 20.5 percent in October, to 49.3 percent, compared to the month before.

MessageLabs' October report can be downloaded as a PDF file from here [1].

[1] http://www.messagelabs.com/portal/server.pt/gateway/PTARGS_0_0_434_462_-462_43/http%3B/0120-0176-CTC1%3B8080/publishedcontent/publish/_dotcom_libraries_en/files/monthly_reports/messagelabs_intelligence_report__october_2006_5.pdf
This archive was generated by hypermail 2.1.3 : Sun Nov 05 2006 - 23:34:06 PST