Thursday, March 30, 2006

The Zombie threat is worse than you think

I'm almost done listening to all the presentations at this year's Spam Conference at MIT and one thing strikes me as missing: any real talk about combating the zombie threat. Yes, there was a lawyer talking about Microsoft having left a zombie-infected machine attached to the Internet. In 20 days the machine tried to send 18m email messages. It was used by 12 different spam operations to try to advertise 13,000 different web sites.

Those figures in themselves are scary. They mean that the spammers created one new web site about every 2 minutes.

But that's just the beginning of the zombie threat. If I 0wn your machine I can do much more than send bulk messages to people (and I probably can't do that if the ISP blocks or controls port 25): I am you. I predict that the following will happen (or is happening):

Just stop and think about that for a minute. You're running Windows, you get infected with a zombie and I can control your machine; I can make the machine behave as if you were instructing it to do my bidding.

For example,

1. I can install a key logger and other software so that I can trivially steal all your passwords and browsing habits and history.

2. I can exploit your trusted relationships. That means I can use your machine to infect your friends, but I can also use it to spam your friends. I can examine your mail and construct messages to your contacts with subject lines and content that your friends will be expecting. Your friends will trust the mail I send as you. The content I extract from your mail may make my spam pass easily through a spam filter.

3. I can laugh in the face of encryption and authentication. Since I can steal your passwords, watch as you type, and send mail as you, these technologies are irrelevant. I am you. If I send mail as you and you normally use encryption or sign your messages, I can too.

4. I do not need to raise the suspicions of anti-spammers. I can spam just your friends. Just a few messages per zombied machine. Once I have a large network of machines and your trusted relationships I can hit millions of users with distributed spamming. Each machine need only send mail to trusted recipients. I can even use your mail program to do it, or your ISP's SMTP server.

5. I can modify your legitimate mail. When you type a message I can add a footer to each message with a link to my web site.