Spammers will do just about anything to get their e-mail through corporate and desktop filters. According to MessageLabs, they're now using Google Docs, a perfectly legitimate way to publish to the Web. Only what they're publishing is the same old wares--this time, it's enhancement pills. This week I talked with Matt Sergeant, senior anti-spam technologist with MessageLabs, who told me how they they've tracking one Google Doc since May 8, 2008.
Later in the conversation, Sergeant talks about the resurgence of Storm. Only a few weeks ago, MessageLabs reported a notable decrease in computers infected with the Storm botnet.
Below is a transcript of part of my interview. The entire podcast can be heard here.
Matt Sergeant: What's happening with Google Docs is that Google Docs is a way to publish your documents online. So, for example, word processing documents and spreadsheets and so on, and much like if you were using Microsoft Word you can embed links within those documents. What this does for the spammers is it allows them to effectively publish online a Web page on hosting sites such as Google that has all the bandwidth in the world for hosting it, and it's also a Web site that is never going to get blacklisted by anyone because nobody would be stupid enough to blacklist Google. So in effect, for the spammers this is a human shield effect. They can host their information and links online on a very stable source of bandwidth and links, and not worry ever about it being taken down or blacklisted.
Me: When did you first see this happening?
Sergeant: The first one that we saw, which showed on our radar in extremely small numbers clearly as a test by the spammers, was on May the 8th. So I guess that's about two weeks ago now.
Me: Have you contacted Google?
Sergeant: We've contacted Google, and also there's a link at the bottom of each one of the documents that Google publishes online that says, "Report this as spam." We clicked that link and I imagine anyone else who got the e-mail clicked that link as well. Unfortunately, Google has proved themselves to be quite slow at tackling this kind of abuse. Weeks later this document is still available online despite the reporting as spam.
Me: When you say that Google has a history of this can you site another example in recent memory where they've been slow to act on spam like this?
Sergeant: Generally, yeah there's a couple of different issues that we see in spam with Google. The first and very obvious one is spam directly from Gmail accounts, often that's the Nigerian spammers who are sending out these offers of millions of dollars where there is in fact no money. By most people's standards, Google tends to be quite slow at shutting down those accounts, whether it be an account that's actually an e-mail or just a drop box account for people to reply to. So those accounts seem to stay active for longer than if they were being hosted somewhere else for example. The other thing we see with Google is redirector links, so they have these links on their Web site which allow anyone or just about, but obviously mostly the spammers to have a link that looks like it's going directly to Google, but in fact after you've visited Google it redirects you to the actual spammers Web site. These redirectors are quite common on loads and loads of Web sites out there, but obviously again they're gaining advantage from Google of all the bandwidth and unblock ability of the Google Web site.
Me: So give me an example of what we would see if we went to the spammers website, what sort of, where is it being hawked or Malware being served up.
Sergeant: In the example that we saw on May the 8th it was a very simple pills scam or a pills Web site. So the e-mail came in with a link to Google Docs and very little of a text in the e-mail itself. They're very hard to block because there was very little to go on regarding the contents of it. When you went to the Google Docs Web site you saw much more information about the pills available for sale and the prices and so on, and almost every bit of text within that was a link which took you to the spammers drop Web site, which is where you would actually go if you wanted to purchase some of those pills.
Spammers are going legit, and they're using Yahoo e-mail authentication servers to do it, said Mark Sunner, chief security analyst with MessageLabs.
Most people use the Web interface for Yahoo Mail, which attaches a banner of advertising on the e-mail somewhere within the message. Yahoo also provides a service, Yahoo Plus, that allows the sender to use SMTP and traditional e-mail clients such as Outlook Express or Thunderbird. Mail sent via SMTP passes through Yahoo's servers, signing the mail as legit using the Yahoo Domain Keys Identified Mail (DKIM) service.
What this does is strip out the usual Yahoo advertising banners and help validate the mail as legitimate to escape most spam filters. MessageLabs found that anyone with a standard Yahoo account can also authenticate to the Yahoo Plus servers and send mail, without necessarily paying for the premium service. Sunner said in a interview with CNET News.com that this isn't a flaw; it appears that's just how the Yahoo service was designed.
In April, MessageLabs found that around 1,127 unique Yahoo user IDs were used in the distribution of this new kind of spam over 28 days. Sunner said around 40 new IDs per day are being generated, with the IDs not being shared between different infected computers.
Further, says Sunner, the Yahoo! accounts used--all from the same domain of @yahoo.co.uk--appear to have been automatically generated. That implies that the criminal hackers have somehow defeated the Yahoo CAPTCHA mechanism.
Details of this new spam campaign can be found in the April MessageLabs Intelligent Report (PDF).
On Thursday, MessageLabs reported in its April Intelligence Report a marked decrease in the number of malware links connected to the Storm botnet. "It's not too often that a security company says that things are getting better," said Mark Sunner, Chief Security Analyst.
At its peak, Sunner said, the Storm botnet resided upon one million computers worldwide. That number has since come down to between 85,000 IP addresses at the end of April. He said that over the last eighteen months Storm has been constant, and never decreased according to MessageLabs research. "Other security companies have reported decreases in the past," he said because of different methods of studying the botnet, "but this is first decrease we've seen."
He credited the most recent patches from Microsoft with the decline. He said that in the weeks following the most recent Patch Tuesday there was a sharp drop off.
Given that the creators of Storm managed and maintained a constant flood of variations for more than one year, it's a little odd that they would just take their money and walk away. Sunner said that they are seeing an increase in Srizbi, named for the one of the Web sites from which is downloaded. A Trojan, Srizbi uses rootkit technology to hide on an infected machine but, like Storm, it is also known to relay spam.
Once again, criminal hackers are targeting a worldwide event to deposit their malicious software on victims' PCs, according to one security vendor.
Within the last six months, MessageLabs has found at least 13 new Trojan horse programs associated with e-mails bearing subjects such as "The Beijing 2008 Torch Relay" and "National Olympic Committee and Ticket Sales Agents."
The problem is, according to a MessageLabs representative, that the hackers' e-mail messages employ an embedded Microsoft Office database file within the zipped attachment. Microsoft said in a recent security advisory that customers not running Windows Vista or Windows Server 2003 are vulnerable to allowing remote attackers to gain full access to a compromised machine.
Once the malicious code is installed, an attacker could steal personal data. MessageLabs further predicts that malicious-code writers will change formats by using 1 Byte XOR Key, Multiple XOR keys, and ROR, ROL, ADD, and SUB formats.
The e-mails, however, are not random. MessageLabs says the Trojan horses are often targeted to individuals within a specific organization in an attempt to gain access to the corporate network. This practice is known as "spear phishing."
So far, such attacks appear to be a corporate threat, as opposed to an individual threat.
Research from MessageLabs shows that while the e-mails state that they come from the International Olympic Committee in Switzerland, most have IP addressed based in Asia.
- prev
- 1
- next
