A Nasty Little Thing Called Spam.

Posted: February 7, 2012 in Analysis

So, what do you think happens 250 billion times a day? Well, OK, it’s a rhetorical question, especially if you paid attention to the title.  But every day, in total, 250 billion spam e-mails are sent to inboxes all over the world. It sounds like a lot, but let’s be honest, does that number really shock you?

Next, try to define what you think of as spam. Most people assume it’s about Viagra, Nigerian letters and other pathetic, lame scams which jam up your inbox and slow down your daily business. But here’s the thing: spam is far more than just unsolicited ads. That Viagra offer is just the tip of the iceberg, while spam as a phenomenon is a crucial part of a huge cybercrimeecosystem. And the apparent “innocence” of spam is the illusion that I will be debunking here.

The technical foundations of the cybercrime ecosystem are botnets. These are huge clusters of computers infected with special Trojans (bots) that allow cyber crooks to remotely control these computers without their owners even knowing about it. That’s why experts also call botnets zombie networks – the computers are modified to obey cyber criminals’ commands as if they are zombies. Sometimes botnets can consist of millions of computers. For example, the notorious Kido (Conficker) botnet contained 7 million bots while TDSS had around 4.5 million bots.

How do they make money from botnets? The economics is quite simple here. Cyber crooks monetize the botnets in several ways including DDoS attacks, advertising services, phishing, data theft, etc. The picture looks something like this:

You may ask: so, what is the big deal about spam here?

Of course, the cybercrime ecosystem is much more sophisticated than the outline in this diagram. It’s a self-contained system that features a high level of cross-pollination between blocks. And spam plays a major role, being one of the main tools for recruiting new computers to botnets! Among other nasty things, spam leads users to phishing sites that are specially crafted to inject malware using drive-by-download techniques. Let’s delve deeper into the nature of the spam threat. What is the most widespread way of performing targeted attacks? Spam (targeted spam to be more precise). How do cyber crooks perform attacks using exploit kits like BlackHole? Spam. Shall I continue?

Let’s get back to the nature of spam.

Spam not only consists of annoying ads but is also: (i) one of the major means for malware distribution; (ii) an important tool used in high-profile targeted attacks against governments and large enterprises; (iii) a tool for the implementation of other types of cyber threats; (iv) one of the most widespread means of network fraud. In this light, spam starts to look more like cyberspace’s equivalent of a Doctor Evil, cunningly hiding behind the image of annoying but generally harmless advertising. It’s as if the offline junk mail services that send promos and offers to our snail mail addresses came with the added bonus of a dose of anthrax.

Despite all this, I’m far from assuming that spam is the root of all evil on the Internet. On the contrary, the whole system is very tightly integrated. One broken link in the chain can wreck the whole concept, forcing cyber crooks to look for new ways of hatching their malicious plots.

Of course, it’s possible to send spam without a botnet, or something similar. But that’s slow, expensive and ineffective. And the reverse applies: it’s possible to create a botnet without spam, but again it’s slow, expensive and ineffective. I agree that there are cases of DDoS attacks implemented without botnets, but this is normally a well-financed state/enterprise-backed cyber attack. It’s usually the exception which proves the rule. Cybercrime is a solid, unified and well-structured ecosystem where spam plays a major role.

Why am I getting so deep into the nature of spam? It’s time to look into spam fighting technologies.

In fact “spam fighting” is not the right definition. It’s like curing a single symptom of a sophisticated disease. Yes, technically speaking combating spam implies some special technologies for threat detection, prevention and elimination. However, generally speaking, this is part of a more comprehensive issue that requires equally comprehensive, global efforts. It’s not just about security vendors but also about users who need to understand the threat and act accordingly; it’s about service providers (alas, for some of them spam is a part of their business); and it’s about innovations in the Internet architecture.

Sometimes people ask me why we still create our own anti-spam technology and keep a bunch of developers and even a dedicated anti-spam lab full of quite expensive analysts? There are lots of free (and sometimes fairly decent) solutions around – just go and license one, cut your expenses and increase your profits. I admit this is exactly the way high-profile MBA graduates are taught to do business. The theory looks good, but in reality this is the road to hell. Especially for high-tech companies involved in the security field.

You may have noticed that KL is one of the few leading companies in this industry which has not used externally-developed technologies in its products. This is nothing to do with a lack of money – quite the contrary. Firstly, we believe that diluting your technological landscape will inevitably require a company to sacrifice the solidity and overall reliability of its technology. Secondly, without a full range of in-house security technologies (anti-spam expertise in particular) you cannot fight the cybercrime phenomenon! Spam analysis brings us tons of extremely valuable information about cybercrime development in general.

Here is an example. A super-duper new malware is exploiting an unknown zero-day vulnerability that no product is able to detect. Even in this seemingly hopeless situation there is a chance the threat can be neutralized by anti-spam technology detecting the e-mail carrying the malware. This is exactly the idea behind comprehensive solutions of the “Internet Security” or “Total Security” category that include anti-virus, anti-spam, firewall, parental control, backup, file shredder and other useful features. With this arsenal users have a much better chance of withstanding cybercrime. Sorry for the cliché here, but this is exactly the time to say: “United we stand”.

source – Eugene Kaspersky

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s