Thursday, March 30, 2006

The Zombie threat is worse than you think

I'm almost done listening to all the presentations at this year's Spam Conference at MIT and one thing strikes me as missing: any real talk about combating the zombie threat. Yes, there was a lawyer talking about Microsoft having left a zombie-infected machine attached to the Internet. In 20 days the machine tried to send 18m email messages. It was used by 12 different spam operations to try to advertise 13,000 different web sites.

Those figures in themselves are scary. They mean that the spammers created one new web site about every 2 minutes.

But that's just the beginning of the zombie threat. If I 0wn your machine I can do much more than send bulk messages to people (and I probably can't do that if the ISP blocks or controls port 25): I am you. I predict that the following will happen (or is already happening).

Just stop and think about that for a minute. You're running Windows, you get infected with a zombie and I can control your machine; I can make the machine behave as if you were instructing it to do my bidding.

For example,

1. I can install a key logger and other software so that I can trivially steal all your passwords and browsing habits and history.

2. I can exploit your trusted relationships. That means I can use your machine to infect your friends, but I can also use it to spam your friends. I can examine your mail and construct messages to your contacts with subject lines and content that your friends will be expecting. Your friends will trust the mail I send as you. The content I extract from your mail may make my spam pass easily through a spam filter.

3. I can laugh in the face of encryption and authentication. Since I can steal your passwords, watch as you type, and send mail as you, these technologies are irrelevant. I am you. If I send mail as you and you normally use encryption or sign your messages, I can too.

4. I do not need to raise the suspicions of anti-spammers. I can spam just your friends. Just a few messages per zombied machine. Once I have a large network of machines and your trusted relationships I can hit millions of users with distributed spamming. Each machine need only send mail to trusted recipients. I can even use your mail program to do it, or your ISP's SMTP server.

5. I can modify your legitimate mail. When you type a message I can add a footer to each message with a link to my web site.


Justin Mason said...

Hi John --

No question that it's a massive problem. Just check out the trojans that are being installed on zombied machines nowadays: here, here, here, or here.

Insane levels of sophistication, targeted at stealing the money directly from your own bank account. As a result of this, I tell my family and (non-techie) friends not to use online banking on Windows any more -- seriously! That's how serious I judge the problem to be.

But I don't think the Spam Conference would be the right place to talk about it -- the attendees write spam filters. There are other conferences for the kinds of people who _can_ make a difference -- for example the secret meetings held between anti-"cybercrime" law enforcement officials, or the various anti-network-abuse meet-ups.

The zombie problem is much bigger than spam alone.

It's attractive to think we could help as antispammers, but I've been trying to think of ways and there really don't seem to be any, apart from maybe making it easier to report spam, thereby allowing ISPs to discover subverted machines on their nets.


Nick FitzGerald said...

As John knows, I made much the same points in my Virus Bulletin presentation last year. Further, I pointed out that many of those "really bad things" had already more or less been done "back in the day" when mass-mailing viruses were all the rage and a few clever VXers were pushing that envelope (no pun intended).

Luckily for the anti-spammers, by the time the virus writers (or at least their methods) were enjoined with spamming most of the "smart" virus writers had grown tired of mass-mailers. The skiddies left in that game were mainly interested in pumping more, rather than cleverer, viruses with their eye on getting the next "biggest", "fastest spreading", "worst ever", etc media accolade. With their emphasis heavily on "as many/fast as possible" message delivery all kinds of delivery speed or volume improvements and tricks were built into the mass-mailing viruses, and it was that rather crude, direct to MX, pump-and-dump code base that many of today's spam-bots have grown from (which also makes many of them so easily blockable with trivial mail server fixes like banner delays...).

As the pressure of increasing anti-spam success grows though, I fully expect we will see the return of some of the cleverer tricks of the early self-mailing viruses, in some cases tweaked to make them more suitable to filling the ends of the spammers, in some cases gently tweaked to make them even more effective against many of today's better anti-spam approaches, and in some cases just straight copied as they are nicely anti-anti-spam as they are.

Much of the current emphasis on improving our anti-spam techniques occurs in a historical vacuum, oblivious to the history of malware code developments and the massive benefit the multiplier effect of having tens or even hundreds of thousands of bots gives the spammers (this was really John's observation about the MIT Anti-Spam Conference). One day (soon-ish) some of the smarter bot-herding spammers will decide that the anti-spammers have crimped the economics of "pump-and-dump" spamming too much and they'll fairly quickly recognize that some of those historical malware lessons the anti-spammers have totally ignored can be turned very easily and successfully to their (the spammers') massive benefit. At that point a lot of what is virtually pointless technology either in development for, or already deployed in, "the war on spam", will become utterly useless, as the spammers' adoption of these older approaches completely sidesteps the narrowly conceived "solutions" being pushed and used today...
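The "banner delay" Nick mentions as a trivial mail-server fix against direct-to-MX spam-bots, as an added example (not code from the original post or its commenters): the server withholds its 220 greeting briefly and rejects any client that speaks first, since RFC 5321 requires the client to wait for the greeting. The hostname, the half-second delay and the reply texts are constructed for the example.

```python
import asyncio

BANNER_DELAY = 0.5  # seconds to withhold the greeting; constructed value, real servers wait longer
GREETING = b"220 mail.example.test ESMTP (constructed example)\r\n"

async def handle_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Greeting-delay check: a conforming client sends nothing until it has seen the
    220 banner. Bytes arriving during the delay mark the session as an 'early talker',
    which is rejected before any mail can be offered."""
    try:
        early = await asyncio.wait_for(reader.read(1024), timeout=BANNER_DELAY)
    except asyncio.TimeoutError:
        early = b""  # silence for the whole delay: the client is behaving
    if early:
        writer.write(b"554 5.7.0 Protocol violation: command sent before greeting\r\n")
    else:
        writer.write(GREETING)  # a real server would continue the SMTP dialogue here
    await writer.drain()
    writer.close()
    await writer.wait_closed()

async def _client(port: int, talk_early: bool) -> str:
    """Connects like an SMTP client; with talk_early it mimics a bot that blasts HELO at once."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    if talk_early:
        writer.write(b"HELO bot.example.test\r\n")
        await writer.drain()
    line = await reader.readline()
    writer.close()
    await writer.wait_closed()
    return line.decode().split(" ", 1)[0]  # the three-digit SMTP reply code

async def _session(talk_early: bool) -> str:
    server = await asyncio.start_server(handle_client, "127.0.0.1", 0)  # port 0: any free port
    port = server.sockets[0].getsockname()[1]
    async with server:
        return await _client(port, talk_early)

def smtp_reply_code(talk_early: bool) -> str:
    """First reply code the server gives a patient client ('220') or an early talker ('554')."""
    return asyncio.run(_session(talk_early))

if __name__ == "__main__":
    print("patient client:", smtp_reply_code(False))
    print("early talker:  ", smtp_reply_code(True))
```

The same check is what the banner-delay options in production MTAs implement; the delay costs a legitimate sender half a second per connection and costs a bot the whole session.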

Nick FitzGerald said...

"...thereby allowing ISPs to discover subverted machines on their nets." -- Justin Mason

Of course, inherent in suggesting that this might be helpful or useful is the assumption that the ISPs do or might care about which of their customers are infected and then would have the wherewithal to do something, anything about it.

They don't and they won't.

The most heavily infested ISP networks in the developed world (let's just assume that if the developed world can't get it right, the less-developed world will always remain a basket case) are those running on the thinnest margins. I have seen estimates that show if a user on these networks ever makes a single tech-support call beyond the initial setup and config of their connection they effectively eliminate all the ISP's profit from that subscription.

Under such economic pressures, the ISPs certainly are not going to take on the masses of extra support staff, buy the liability insurance, and so on necessary, to allow them to reach out to their infected users and help them clean up their machines...

John Graham-Cumming said...
You're absolutely right. I should have referenced your Virus Bulletin presentation somewhere. Is there a convenient link available on the web to it? If so, why not post it in a comment.