
Increase in SPAM due to Botnets.

by Lee LeClair
01/19/2007
As seen in Inside Tucson Business

I have been reading about (and personally seeing) the surge in email spam on the Internet in recent months. One cause of this has been the increasing use of intelligently controlled botnets to send and perpetuate this email. Botnets are large groups of computers that have been taken over by computer criminals. These computers are all over the world and consist of both home and business PCs. Once they are infected or taken over, they are used as drones to carry out the commands of a central manager, normally in groups. They are most often used to spew forth spam trying to sell penny stocks and Viagra and the kind of thing people are so used to seeing now. The motive is obvious: the botnet operators are paid for these emails.

However, it is interesting to note that a good percentage of recent spam seems to be gibberish. It is not trying to sell anything; it is just odd, nonsensical text snippets. Security experts reason that this is meant to confound spam filters. As with anti-virus software, spam is a game of act and react: spammers devise new and clever ways to beat spam filters, while spam filters are constantly improved to catch more spam. The recent nonsense spam appears to be meant to confuse the statistical filtering engines that many spam filters use to decide whether an email is genuine or not.
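As an added illustration (not part of the column) of the statistical filtering described above, here is a small naive Bayes word-frequency scorer trained on a constructed corpus. It scores a short sales pitch with and without the kind of innocuous padding described, and includes a variant that lets only the most decisive words vote, which is how filters of that era limited the effect of padding. The training messages, the test messages and the cut-off of five words are all assumptions for the example.

```python
import math
from collections import Counter

# Constructed training corpus (assumption): a few spam and a few legitimate ("ham") messages.
SPAM = ["buy cheap viagra now limited offer", "penny stocks ready to explode buy now",
        "cheap viagra cheap pills offer", "hot penny stocks alert buy"]
HAM = ["meeting tomorrow about the quarterly budget", "please review the attached report before friday",
       "lunch on friday to discuss the project schedule", "the report and budget figures look fine"]

def tokens(text):
    return text.lower().split()  # messages here contain no punctuation

def sigmoid(log_odds):
    return 1.0 / (1.0 + math.exp(-log_odds))

class WordFilter:
    """Naive Bayes spam scorer: each word votes by how much more often it appears in spam than ham."""
    def __init__(self, spam, ham):
        self.spam_counts = Counter(t for m in spam for t in tokens(m))
        self.ham_counts = Counter(t for m in ham for t in tokens(m))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))

    def log_ratios(self, text):
        # Laplace-smoothed log(P(word|spam) / P(word|ham)); words never seen in training are near neutral.
        ratios = {}
        for t in set(tokens(text)):
            p_spam = (self.spam_counts[t] + 1) / (self.spam_total + self.vocab_size)
            p_ham = (self.ham_counts[t] + 1) / (self.ham_total + self.vocab_size)
            ratios[t] = math.log(p_spam / p_ham)
        return ratios

    def naive_score(self, text):
        # Every word votes, repeats included: a run of bland words drowns out the sales pitch.
        ratios = self.log_ratios(text)
        return sigmoid(sum(ratios[t] for t in tokens(text)))

    def robust_score(self, text, n=5):
        # Only the n most decisive words vote, each once: bland padding barely moves the result.
        top = sorted(self.log_ratios(text).values(), key=abs, reverse=True)[:n]
        return sigmoid(sum(top))

PITCH = "buy cheap viagra now"  # constructed spam message
PADDED = PITCH + " the budget report and the meeting schedule the project review friday"

if __name__ == "__main__":
    f = WordFilter(SPAM, HAM)
    for label, msg in (("pitch", PITCH), ("padded", PADDED)):
        print(f"{label}: naive={f.naive_score(msg):.3f} robust={f.robust_score(msg):.3f}")
```

The naive scorer rates the padded message as almost certainly legitimate, while the most-decisive-words variant still rates it as spam, because the padding adds only mildly "hammy" words that never outrank the pitch's strongly spam-flavoured ones.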

Another interesting aspect of the recent use of botnets is the intelligence and efficiency of the botnet controllers. Where botnets were once somewhat crudely guided, the recent surge in spam is the result of sophisticated botnet management. Recent forensics of compromised PCs indicate that when a system is initially infected or captured, a small program immediately runs a hacked version of a very good commercial anti-virus and anti-spyware software to scan and remove any other malicious programs on the attacked PC. In effect, the sophisticated program is cleaning the machine of any other bad programs so that it will have total control of the system. Next, it notifies a management system that it is in a ready state. The management system is a remote PC or server that directs the PC about what to do, when to do it, and even directs it to use moving proxy systems.

Botnets tend to use proxies because a common method of fighting spam is to note where it is coming from and block those network addresses from being able to send further spam. The botnet manager servers detect this and redirect various botnets to use other unblocked proxies while they find new network addresses for the blocked proxies. They use randomization of timing and continued attempts at contact in case systems are lost or disconnected. Most of this is automated intelligence so only a few people can manage botnets of thousands of PCs. In addition, since botnets tend to show up on security radar when huge masses of PCs are doing the same thing, the controllers have devised groupings of smaller botnets with varied tasks so that they are not as noticeable. It is truly an extraordinary system that most corporations would envy.

How do they get control of all these PCs? Most people buy a PC, load their programs on it and then simply use it. Seems straightforward. However, in the meantime the software manufacturers have discovered (or had brought to their attention) bugs in their software. They release patches after a few months, but a lot of PCs have already been exposed. In addition, most people do not download and apply the patches that come out. Meanwhile, automated programs run constantly looking for vulnerable PCs, 24 hours a day, 7 days a week, 365 days a year. Most broadband connections are always on. That’s part of it. More is brought on by people themselves. They click on links in email some acquaintance sent, or they surf around to questionable sites and click on some flashing picture or link. In these cases, the user is basically initiating the action that is subverting their own PC. What can you do? Patch early and often. Get anti-virus and anti-spyware programs and run them frequently. Finally, take the time to be careful about what you click on and allow, unless you want to join the fast-growing ranks of a popular botnet near you.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.