SPAM : Death by a thousand cuts!!

In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam. Open relays are out of fashion these days. So much so that the Open Relay DataBase is shutting down due to changes in spammer tactics.

Today’s spammers, in collusion with malware authors, infect thousands of machines on the Internet turning them into spam relay zombies. These zombie machines connect to a web server controlled by the spammer, which provides a constantly updated live feed of email addresses and content to spam. The content could be anything from pump-and-dump stock spams, online pharmaceutical drugs or the usual penis enlargement. Each individual zombie machine is capable of sending hundreds of spam emails per minute depending on the bandwidth available. Example: Spam-Maxy, Spam-Loot

And with more machines having access to broadband and ADSL connections, it provides a fertile breeding ground for this unholy alliance of malware authors and spammers to take advantage of.

At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

Only 11% constituted executable attachments. 2% were mails containing infection notifications or captured cached passwords that were meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spammed content was image spam and ASCII art; techniques that spammers have effectively used to subvert traditional detection by anti-spam vendors.

Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication seen in the W32/Stration and Spam-DComServ trojans of today, demonstrate the alarming advancements made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these recent developments in the spam world.