Malware Writers Using Open-Source Tactics
Sep 9, 2004 7:42 AM PT
The techniques used to develop open-source software like Linux have proven to be so effective that they've been adopted by malware writers to improve their mischievous ways.
"There's a community of worm builders creating, almost in an open-source fashion, Trojan source code that can be downloaded, compiled and released into the wild," said Scott Chasin, CTO of e-mail defense solutions company MX Logic in Denver, Colorado.
"A lot of these Trojans and their variants borrow from the open-source industry and are built off a community effort in an underground environment," he told LinuxInsider.
Among the devilish deeds that can be perpetrated by Trojans is the creation of "zombie networks" -- networks typically composed of home computers surreptitiously controlled by a badware's author.
Those networks are currently a prime delivery vehicle for spammers, according to Chasin. "We estimate that spam zombie networks are responsible for from anywhere to 25 to 30 percent of the spam on the Internet today, and it's growing," he maintained.
Some analysts peg the contribution of zombie networks to the spread of spam even higher. A report released in June by Sandvine, a broadband security firm in Waterloo, Ontario, Canada, estimated that as much as 80 percent of all unsolicited marketing e-mail emanates from residential ISP networks and home PCs.
"The collaboration between spammers and worm authors and a rich target environment of insecure PCs with broadband connections has created an opportunity for the continued existence of Trojan networks," Chasin observed.
Greater reliance by spammers on the zombies has created a cash market for the networks. A network of 20,000 zombies was reported by USA Today selling for US$2,000 to $3,000.
"Every person that does this kind of activity pretty much sets their own price," noted Joe Stewart, a senior security researcher at the Myrtle Beach, South Carolina, offices of LURHQ, a managed security services provider.
"It's what an individual author wants for his network," he told LinuxInsider. "It doesn't cost them anything to do what they're so they're talking 100 percent profit no matter what they charge."
Sanvine Cofounder and Chief Architect Don Bowman explained that zombie network creators have had to adopt their systems over time to counter defense measures taken against them.
Comcast Closes Door
A common defense adopted by ISPs is to monitor activity on port 25, the port most commonly used by spammers to avoid an ISP's outbound mail servers and ship their annoying payloads directly to other ISP's inbound servers.
If an ISP sees an unusual volume of mail emanating from one of its users on port 25, it will turn off that user's access to the port.
The technique can be quite effective. After it began a program in June to shut down port 25 to spammers, Philadelphia-based Comcast, the nation's largest broadband ISP, reduced unsolicited e-mail originating on its network by 80 percent, spokesperson Jeanne Russo told LinuxInsider.
"Port 25 can be an open door for a spammer," she said. "By blocking port 25, we close that door. That makes a user less attractive to a spammer because they can't get their spam out."
To counter port 25 measures, Bowman explained, zombie operators have tried to create larger networks and send fewer messages per PC.
"The first zombies that we saw would basically go as fast as they could for as long as they could until they were shut down," he said. "Now they use more stealth."
"They also tend to operate in hours when people are less likely to be at their PC," he added. "So in the Eastern time zone, they'll be more likely to be active in the late afternoon than in the evening."
"These spammers are smart," he continued. "They want to keep these PCs infected as long as possible."