Column
When spammers attack! Why the convergence of viruses and spam gives security experts a big headache

Mark Sunner
In the summer of 2003 a new email virus hit the front pages of newspapers worldwide. Initially SoBig was famous for being exactly what its name suggests: the rapid spread of the virus across the globe made it the worst ever in terms of volume. At one stage in August, MessageLabs stopped over a million copies in a single day, at an astonishing rate of one in every 17 emails.

Looking back, it will not just be the sheer size of the outbreak that makes SoBig notorious. It was also a prime example of a new email threat, one which will change for ever the way companies should think about their email security. SoBig was a classic example of convergence: the union of virus and spam techniques to create a much more sophisticated problem for security staff. This convergence is a crucial development because it unites twin threats that could previously be considered, and dealt with, separately.

Email viruses have of course continued to increase. In 2002 MessageLabs stopped a virus in every 212 emails; in 2003 the ratio was one in 33, a more than six-fold increase. Global levels of spam have rocketed alongside this. In 2003 the proportion of spam per email was up over 50%, with MessageLabs stopping an incredible 25 spam emails every second.
Infosecurity Today January/February 2004
At the heart of this growth is the much closer relationship developing between viruses and spam. Traditionally, viruses have been nasty but indiscriminate, written by misguided youths with malicious intent, a chip on their shoulder or, most likely, a desire for fame within the virus-writing and hacker communities.
What SoBig showed clearly is that viruses are increasingly used as the delivery mechanism for a more sinister, fraudulent intent. Spammers, seeking as wide an audience as possible for their messages, have taken to using virus techniques to propagate them. The most obvious mechanism is a new breed of Trojan. It seeks not only to infect a machine and run a mass mailshot from it, but also to open the system to future abuse by leaving behind an open proxy server. Proxy servers were developed to let the PCs on a local area network share a single connection to the Internet. Left unguarded and open to anyone, that usefulness is turned against the owner: the proxy becomes a back door through which a grateful spammer can relay mail from the infected machine, hidden behind the identity of an innocent user.
Internet security companies and ISPs have become more aware of this problem and have closed the open proxies on many machines. As a result, those looking to exploit them have had to become more sophisticated. This has led to new viral attacks carrying a Trojan program that tries to reopen the proxy once it is inside. The technique has proved popular with spammers, who use the vulnerable and unwitting machines to distribute junk mail on a massive scale. Recent estimates suggest that as much as 60% of all spam is distributed through open proxies in this way.

This convergence presents a new and worrying development for everyone who has to protect against email threats. Spammers have always defended the legitimacy of their actions by claiming they are doing nothing illegal and that spam is a recognised marketing tool. But the use of malicious email viruses to hijack computers and the identities of their users undermines this claim. And in future the prevalence of spam sent from unwitting, innocent machines is only likely to increase.

1742-6847/04 ©2004 Elsevier Ltd. All rights reserved.

The problem is made worse by the mass take-up of broadband connectivity. Recent research commissioned by Star Internet shows that over the past year many more small and medium-sized companies have taken up broadband connections; some half a million lines were in place by the end of 2003. An always-on connection is a weakness as well as a strength: always-on means always reachable, and therefore always vulnerable, which makes life very much easier for a spammer seeking to hijack a machine. The Star research, carried out by analysts the Yankee Group, found that firms using broadband are up to five times more likely to face attack than those using traditional dial-up access, and that this is costing SMEs alone nearly £2 billion a year. The combination of converged virus and spam techniques with the greater exposure created by always-on broadband connections means that, more than ever, firms need to be aware of what is going on and think more holistically about their security.
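The open proxies described above are found the same way, whether by the ISPs closing them or by the spammers hunting for them: ask the suspect host to tunnel a connection to a mail server's port 25 and see whether it complies and hands back the mail server's greeting. The script below is an added example written for this page, not code from the column or from MessageLabs; the function names, the host names (mail.example.com, 192.0.2.10) and the sample replies are all constructed. It builds the two handshakes that relaying software uses (HTTP CONNECT and SOCKS4 CONNECT), classifies the reply, and keeps the network call separate so that the classification can be checked offline.

```python
"""Open-proxy-to-SMTP check (illustrative example, not the column's code).

Sends the two handshakes a spammer's relaying software uses, HTTP CONNECT
and SOCKS4 CONNECT, asking the suspect host to tunnel to a mail server's
port 25, and classifies the answer. A host that sets up the tunnel and
passes back the mail server's "220" greeting is an open proxy that will
relay spam. probe() needs connectivity and permission; everything else
runs offline against constructed sample replies.
"""
import socket
import struct

SMTP_PORT = 25


def build_http_connect(target_host: str, target_port: int = SMTP_PORT) -> bytes:
    """HTTP/1.0 CONNECT request asking the proxy to tunnel to target_host:port."""
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n"
        f"Host: {target_host}:{target_port}\r\n\r\n"
    ).encode("ascii")


def build_socks4_connect(target_ip: str, target_port: int = SMTP_PORT,
                         userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP (dotted quad), USERID, NUL."""
    return (struct.pack("!BBH4s", 4, 1, target_port, socket.inet_aton(target_ip))
            + userid + b"\x00")


def _verdict(tunnelled: bytes) -> str:
    """Once the proxy has accepted the tunnel, look for the SMTP greeting."""
    return "open-proxy" if tunnelled.lstrip().startswith(b"220") else "tunnel-no-banner"


def classify_http_connect_reply(data: bytes) -> str:
    """Classify what came back after an HTTP CONNECT to an SMTP port.

    "open-proxy"        2xx status and the mail server's 220 banner followed
    "tunnel-no-banner"  2xx status but nothing from the far end (yet)
    "refused"           proxy understood CONNECT and denied it (403, 405, 407 ...)
    "not-a-proxy"       no HTTP status line at all
    """
    status_line, _, rest = data.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "not-a-proxy"
    status = int(parts[1])
    if 200 <= status < 300:
        # The proxy's own headers end at the blank line; what follows is
        # whatever the tunnelled mail server said.
        _, _, tunnelled = rest.partition(b"\r\n\r\n")
        return _verdict(tunnelled)
    return "refused"


def classify_socks4_reply(data: bytes) -> str:
    """SOCKS4 reply: 8 bytes, VN=0, CD=0x5A granted / 0x5B-0x5D rejected."""
    if len(data) < 8 or data[0] != 0:
        return "not-a-proxy"
    if data[1] == 0x5A:
        return _verdict(data[8:])
    return "refused"


def probe(proxy_host: str, proxy_port: int, request: bytes, classify,
          timeout: float = 5.0, max_bytes: int = 4096) -> str:
    """Send one handshake to proxy_host:proxy_port and classify the reply.

    Only point this at hosts you are authorised to test; it is not run offline.
    """
    buf = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(request)
        try:
            while len(buf) < max_bytes and b"220" not in buf:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # classify whatever arrived before the far end went quiet
    return classify(buf)


# Constructed sample replies (not captured from any real host).
SAMPLE_OPEN_HTTP = (b"HTTP/1.0 200 Connection established\r\n"
                    b"Proxy-agent: example\r\n\r\n"
                    b"220 mail.example.com ESMTP ready\r\n")
SAMPLE_REFUSED_HTTP = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_DIRECT_SMTP = b"220 mail.example.com ESMTP ready\r\n"
SAMPLE_OPEN_SOCKS4 = (b"\x00\x5a\x00\x19\x00\x00\x00\x00"
                      + b"220 mail.example.com ESMTP ready\r\n")
SAMPLE_REFUSED_SOCKS4 = b"\x00\x5b\x00\x00\x00\x00\x00\x00"


if __name__ == "__main__":
    for name, data, classify in [
        ("http open", SAMPLE_OPEN_HTTP, classify_http_connect_reply),
        ("http refused", SAMPLE_REFUSED_HTTP, classify_http_connect_reply),
        ("direct smtp", SAMPLE_DIRECT_SMTP, classify_http_connect_reply),
        ("socks4 open", SAMPLE_OPEN_SOCKS4, classify_socks4_reply),
        ("socks4 refused", SAMPLE_REFUSED_SOCKS4, classify_socks4_reply),
    ]:
        print(f"{name:15} -> {classify(data)}")
```

Run `probe(host, port, build_http_connect("mail.example.com"), classify_http_connect_reply)` only against machines you are authorised to test. A "tunnel-no-banner" result usually means the mail server's greeting had not arrived within the timeout rather than that the proxy is closed, so repeat with a longer timeout before clearing the host.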
As the level of threat increases, so does the need for vigilance. Traditional anti-virus and anti-spam products are not in themselves going to be effective: reactive software simply cannot keep up with a growing threat, and separate point solutions for viruses and for spam will always be flawed against attacks that combine the two.

The only viable response is a more sophisticated form of protection. That means stopping the problem before it arises, by scanning email for unwanted content at the Internet level, before it reaches the company's own network. A managed service, proactively seeking out the dangers lurking within seemingly harmless emails, is the best way to reassure those responsible for internet security that their customers are properly protected against spammers' attacks.

Sunner: The convergence of spam and viruses requires greater vigilance.

Mark Sunner is the chief technology officer of MessageLabs. Since joining MessageLabs he has been the technical visionary driving the development of the company's email security services, which currently protect more than 8,000 businesses worldwide from email-borne threats such as viruses, spam, pornography and other unwanted content. MessageLabs is exhibiting at Infosecurity Europe 2004, Europe's top IT security exhibition. The event brings together professionals interested in IT security from around the globe with suppliers of security hardware, software and consultancy services. Now in its ninth year, the show features Europe's most comprehensive free education programme and over 200 exhibitors at the Grand Hall at Olympia from 27 to 29 April 2004. www.infosec.co.uk