The spammers are getting smarter

By Adam Swidler, Google


Spam and virus activity has been increasing dramatically, both in volume and in the sophistication of the attacks. At Google, we have measured a 216 percent jump in 2008 compared to 2006, and over 95 percent of the email traffic moving through our data centers is now spam. The profit motive is attracting highly talented software engineers who use their skills to develop tools and platforms for spamming. As the volume of attacks continues to increase, so does their technical sophistication. It is becoming more difficult for financial institutions to filter spam and virus messages effectively themselves using on-premise solutions. Financial institutions that have deployed on-premise anti-spam software or appliances are experiencing decreasing effectiveness and increasing costs in maintaining those solutions. In many cases these companies are looking for a different and more effective way to solve the problem. Cloud computing offers the most effective approach to combating the spam and virus problem, and many financial institutions are adopting it.

The rise of the botnets
One of the key elements fueling the rise in attacks is the botnet. Botnets are networks of personal computers that hackers have successfully infected with viruses or malware. The computers are mostly home PCs with high-speed broadband connections to the internet, but some of them are corporate computers connected via the corporate network. Once infected, a PC is added as a node on the botnet and becomes available for sending spam and virus messages, often operating in the botnet without its owner's knowledge. A botnet can contain millions of nodes; virus attacks are used to add new nodes, while nodes are removed as owners discover viruses on their computers. However, removing botnet viruses is often very difficult because they are very effective at hiding themselves from detection and removal tools. Consequently, many machines remain infected and participating in a botnet for long periods of time.

The botnets have fundamentally changed the economics of sending spam. Previously, spammers would buy and maintain the servers used to send spam as well as the high capacity internet connections for them, giving two disadvantages for the spammers: costs increased with increasing amounts of spam and it was fairly easy to detect large scale spam attacks emanating from a single server. With the development of the botnets, the marginal cost of sending spam approaches zero. A botnet-based attack is harder to detect by traditional anti-spam filters as each participating node will send a relatively small number of spam emails. This broadly distributed sending behavior looks just like regular email traffic to most anti-spam solutions and is therefore difficult to detect and block.
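The sender-volume blind spot described above, shown as an added illustration (not code from the article or from Google): a per-source threshold catches the single-server campaign but misses the botnet, while clustering normalized message content across distinct senders catches both. The log records and IP ranges are constructed for the example.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed mail-gateway records: (source_ip, subject, body)
SAMPLE_MAIL = (
    # single-server campaign: one sender, many near-identical messages
    [("203.0.113.5", "Cheap meds", f"Buy now ref {i} at example.invalid") for i in range(40)]
    # botnet campaign: the same pitch, one message from each of 40 nodes
    + [(f"198.51.100.{i}", "Cheap meds", f"Buy now ref {i} at example.invalid") for i in range(1, 41)]
    # legitimate traffic: distinct content from distinct senders
    + [(f"192.0.2.{i}", "Notes", f"Notes for project {chr(65 + i)}") for i in range(26)]
)

def normalize(body):
    """Strip digits and whitespace so per-message variation ('ref 17') collapses."""
    return re.sub(r"[\d\s]+", "", body.lower())

def fingerprint(body):
    """Short, stable content fingerprint of the normalized body."""
    return hashlib.sha256(normalize(body).encode()).hexdigest()[:16]

def flag_by_sender_volume(mail, threshold=20):
    """Traditional heuristic: a single source sending many messages is suspicious."""
    per_sender = Counter(src for src, _, _ in mail)
    return {src for src, n in per_sender.items() if n >= threshold}

def flag_by_content_cluster(mail, min_senders=20):
    """Botnet-aware heuristic: the same normalized content from many distinct sources."""
    senders_by_fp = defaultdict(set)
    for src, _, body in mail:
        senders_by_fp[fingerprint(body)].add(src)
    return {fp: srcs for fp, srcs in senders_by_fp.items() if len(srcs) >= min_senders}

def compare(mail):
    """Run both heuristics and report which senders each one flags."""
    vol = flag_by_sender_volume(mail)
    clusters = flag_by_content_cluster(mail)
    botnet_nodes = {src for src, _, _ in mail if src.startswith("198.51.100.")}
    return {
        "volume_flagged": vol,
        "volume_catches_botnet": bool(vol & botnet_nodes),
        "cluster_flagged_senders": set().union(*clusters.values()) if clusters else set(),
    }

if __name__ == "__main__":
    print(compare(SAMPLE_MAIL))
```

The content-cluster heuristic needs visibility across many senders at once, which is the kind of aggregate view a single on-premise appliance rarely has.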

Virus attacks are very sophisticated
The main way that botnets are created is through email messages that contain the virus code as an attachment or contain a URL link to a website where the malware is hosted. These emails are most often sent out in large quantities, similar to spam emails. In fact, they are often sent from the botnets themselves, creating a vicious cycle of spam and viruses. One of the most successful and most chronicled botnets is known as the 'Storm' botnet, and it offers a good perspective on how the spammers change their tactics over time. Storm got its start when tens of millions of emails were sent out with headlines describing death and destruction from a severe storm that was occurring in Europe. The email contained an executable attachment that was purported to be video of the damage. 2006 was a relatively quiet year in terms of virus volume, but this first attack in January 2007 brought a 20-fold increase in virus volume per day compared to the average per day in 2006. While the majority of the messages were related to the storm, there were also significant quantities of emails with other sensational news headlines and supposed video clips attached. This was an early preview of just how rapidly and effectively the spammers could vary the headlines and the malware attachments to avoid detection by anti-virus filters.

In February, the emails came masquerading as electronic greeting cards with subject lines on romantic themes, timed to coincide with the Valentine's Day holiday. By April and May the attacks featured a very interesting social engineering tactic, telling the user that their PC was already infected with a virus and that they must download and install the attached patch. If the user failed to do so, the email indicated, they would be shut off from email access. The email appeared to be coming from a help desk and included a password to decrypt the attached file.

In the most prolonged virus attack in history, over 1.4 billion virus emails were sent out over 58 days in July and August. Average daily volumes were up to 50 times greater than the previous year. When a user was fooled into clicking on the link, they would be directed to the website that was hosting the malware. It would be downloaded through the user's browser to infect their PC and add it as a node on the botnet.

One of the most striking aspects of these attacks is how rapidly the spammers are able to vary the email subject as well as the malware in an effort to avoid detection by anti-virus filters. Typical anti-virus protection relies on virus signatures that identify the virus in incoming emails and block it based on that identification. However, with the rapid rate of change of these cutting-edge viruses, it has become very difficult for the signatures to keep up. The period between when the virus is first detected in the wild and when an updated signature definition is released is known as the 'zero hour.' It is vital that your anti-virus protection include non-signature methods of detecting and blocking virus emails.

Spam content is very sophisticated
The content of spam is now almost exclusively focused on money-making schemes as individual spammers and organized groups are increasingly driven by profit motives. Pump and Dump stock scams, fake pharmaceuticals, discount software and other goods for sale are making up more and more of the spam messages. Phishing and other identity theft attacks are also on the rise.

Often, spam messages now contain an image or a file attachment where the ‘pitch’ is made. Over 50 percent of all spam messages now contain images or an attachment and create significant new problems for financial institutions. Financial institutions are being forced into unexpected IT expenditures to add capacity in response, in order to keep their email flowing smoothly.

Images or attachments are harder to detect by content analysis. Some anti-spam solutions have added Optical Character Recognition (OCR) to their filters to try to 'read' the image. While this sounds like a promising approach, the reality is that OCR is a very CPU-intensive process that requires significant amounts of computing power. Add to that the fact that spammers can manipulate the image with various techniques that reduce the accuracy of OCR, and it is no longer an effective way to filter out image spam.

In particular, one attack in August of 2007 featured an attached .pdf file that contained a pump and dump stock scam message. The combination of the size of the attachment and the number of messages sent out represented a five times increase in the storage requirements for the quarantines of the anti-spam filters in a period of 24 hours. For anti-spam filters that do not have this type of excess storage capacity available to them, email may be delayed or disrupted when these types of attacks occur. This is another very compelling reason to use a cloud computing solution for anti-spam filtering: you do not need to worry about capacity or storage requirements.

Going forward
We can expect to see a continued increase in the volume and sophistication of spam attacks. This is primarily driven by two factors. As long as human behavior leads some small percentage of us to respond to spam, the spammers will continue to make money and will continue to send spam. And as globalization leads to more personal computers on the internet with broadband connections, the spammers will have a growing pool of potential nodes to add to their botnets. As the spammers continue to get smarter, the only effective way to deal with the current set of spam and virus threats is to use a cloud computing solution and keep all of those spam and virus messages from ever reaching your corporate IT infrastructure.

For more information on Google's cloud computing solutions for businesses and organizations, please visit www.google.com/a/security.
