Mark Sunner, Chief Security Analyst at MessageLabs was among the many security analysts watching one Trojan called “Spam Thru”, a piece of malware designed to send spam from an infected computer, at the turn of last year. Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor.

Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.

The thing that worries Mark Sunner the most is that he suspects the major traffic spike towards the end of 2006 was merely a test run for more if not similarly sophisticated botnets to follow. Sunner adds

” With new levels of sophistication this has reached a real milestone. Botnets are getting smaller, more stealthy and more discreet and yet the volumes of spam are going up. Without a hint of scaremongering, will this get a lot worse throughout 2007 in terms of botnet sending? Absolutely, yes.”

The British IT-Sicherheitsfirma Message Lab registered a dramatic increase in Spam Mail traffic from 64.4% to 72.9% late last year, all attributed to Spam Thru.

How does Spam Thru work?

The Spam Thru Trojan uses peer-to-peer technology to send commands to hijacked computer. The concept of viruses and Trojans attempting to block anti-virus software on the host machine they are trying to infect is nothing new. They do this by tweaking hosts file to the anti-virus update sites, killing processes, removing registry keys etc. SpamThru does this by downloading a cracked copy of Kaspersky AntiVirus and scans the host machine for malware setting them up for deletion at the next reboot while skipping over files it detects are part of its own installation.

According to the research done by Joe Stewart, a senior security researcher, SpamThru takes the game to a whole new level, actually using an anti-virus engine against potential rivals. He adds

” It is simply to keep all the system resources for themselves—if they have to compete with, say, a mass-mailer virus, it really puts a damper on how much spam they can send”

SpamThru creates the following registry entries:

HKCR\CLSID\(2C1CD3D7-86AC-4068-93BC-A02304BB8C34)\InProcServer32
<default>
<Path to Trojan DLL>

HKCR\CLSID\(2C1CD3D7-86AC-4068-93BC-A02304BB8C34)\InProcServer32
ThreadingModel
Apartment

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ SharedTaskScheduler
(2C1CD3D7-86AC-4068-93BC-A02304BB8C34)
DCOM Server

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
DCOM Server
(2C1CD3D7-86AC-4068-93BC-A02304BB8C34)

SpamThru is being used to send out mails such as the one below besides pump-and-dump stock schemes.

or something like this

Some of the advances made by SpamThru on the level of compexity of Trojans

1. Highly efficient usage of P2P technology. In case the control server is disabled, the spammer can updated his botnet with the location of a new control server as long as he maintains control over atleast one peer.

2. The SpamThru Trojan randomizes the GIF files changing the width and height of the spam messages it is sending out, so as to defeat the anti-spam solutions that reject e-mail based on a static image.

References:

EWeek article on SpamThru: Spam Trojan Installs Own Anti-Virus Scanner

Sophos Analysis of SpamThru

Spamming is the abuse of electronic messaging systems to send unsolicited bulk messages. While the most widely recognized form of spam is email spam, spam in blogs is becomming huge these days along with search engine spam and mobile phone messaging spam.

Spamming is economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge.

Blog Spam or “blam” for short is spamming on webblogs. This type of spam takes advantage of the open nature of comments in the blogging sftware by placing comments to various blog posts that provided nothing more than a link to the spammer’s commerical web site.

Blogs such as TechCrunch have caught over 1 million spam comments. For most blogs such as this one and AskStudent, the protection from such Blog Spam like TechCrunch is Akismet.

Today, I saw a new method of Blog Spam by these spammers. They are using TinyURL, a very popular web service which provides short aliases to long URLs. TinyURL inspite of its benefits has had to face the criticism that they are opaque, hiding the ultimate destination from a web user. This opaqueness is now being leveraged by spammers, who can use such link in spam and thus bypassing URL blacklists.

UPDATE:

TinyURL has blocked the above site stating that they abused their policy. How does one deal with such spam? Post in comments area.

Related Articles:

1. How to hide your email address from spammers, a thorough guide

2. How a PayPal phishing email looks like and how to detect it

3. Top phishing targets are Ebay and PayPal followed by Banks

4. References: Wikipedia article on spammer

In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

The first recorded mention of phishing is on the alt.online-service.america-online Usenet newsgroup on January 2, 1996, although the term may have appeared even earlier in the print edition of the hacker magazine 2600. The term phishing is a variant of fishing, probably influenced by phreaking,  and alludes to the use of increasingly sophisticated lures to “fish” for users’ financial information and passwords. The word may also be linked to leetspeak, in which ph is a common substitution for f.

Shown below is a sample email message I received from PayPal

If you dissect this email digging into its header and the content code, you will see two things jump out

1. The image being shown as PayPal logo at the beginning of the email is hosted on a secure website called paypalobjects. The full link for the image is https://www.paypalobjects.com/en_US/i/logo/paypal_logo.gif

2. At the link in the email where they ask you to click to confirm your email account, the link displayed is only https://www.paypal.com/cgi-bin/webscr?cmd=login-run which is actually a valid login site at PayPal.

However, there is a hidden section in that link with your click being forwarded to a dns.nic.bs website.

https://www.paypal.com/cgi-bin/webscr?cmd=_login-runhttp://dns.nic.bs/webscr/cgi-bin/3fcmd=_login-run/paypal/login.htm

Luckily, both IE7 and Firefox 2.0′s built in phishing detection work as shown below

Anti-phishing software is available that may identify phishing contents on websites, act as a toolbar that displays the real domain name for the visited website, or spot phishing attempts in email. Microsoft’s new IE7 browser, Mozilla’s Firefox 2, and Opera from version 9.1 will include a form of anti-phishing technology, by which a site may be checked against a list of known phishing sites. If the site is a suspect the software may either warn a user or block the site outright as shown in the pictures above. Firefox 2 uses Google anti-phishing software, which may also be installed under IE6. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive. An approach introduced in mid-2006 (similar in principle to using a hosts file to block web adverts) involves switching to using a special DNS service that filters out known phishing domains, which will work with any browser

Sites have added verification tools that allow users to see a secret image that the user selected in advance; if the image does not appear, then the site is not legitimate. Bank of America uses this together with challenge questions, which ask the user for information that should be known only to the user and the bank.

External Anti spam links

Every IT professional worth his/her salt has their own webpage/blog these days. While you may have people from all over the globe dropping a line at your site, Email harvesters are the most unwanted visitors on any website. These email spambots crawl the web via search engines to find and extract email addresses from webpages. E-mail addresses in your blog or webpage are no secret to spam robots. Here’s a guide that should help you protect your email addresses from these spam spiders. Techniques mentioned use text manipulation, Masking, HTML, Flash, CSS, and JS to hide email addresses.
How email spammers operate? Email addresses always contain an @ symbol. Most spambots do a pattern-search for likely combinations of letters (abc@xyz.com) like billgates@microsoft.com or larrypage@google.org in the HTML source of webpages. Often they just search for the @ character and grab all the letters on each side on the assumption that it’s a valid email address.
How to keep your email address available to humans but invisible to email spiders? There are tons of Email Address Protector software that claim to protect your email address in web pages and get rid of junk mail – Don’t waste your money, they only encode your email or generate a javascript snippet. We will discuss manual email encoding techniques here. If a visitor clicks an encryped email link on your website, it will work as normal, but spam robots will not be able to extract the address from the link.
#1: Replace the AT (@) and DOT (.) symbols:

The most common approach to block email harvesting is to remove the @ symbol. If you eliminate the @ from email addresses then most spambots won’t be able to recognize that the text is actually an email addresses: Here are some examples:
ajit AT askstudent DOT com ajit (at) askstudent.com ajit@askstudent.com ajit_AT_askstudent_DOT_com
#2: Mask your email with tags, append meaningful words:

Consider “masking” your email address. Masking involves putting a word or phrase in your email address so that it will trick a harvesting computer program, but not a person. Some email masking examples commonly employed by newsgroups and mailing list subscribers:
ajit@askstudent.com.nospam ajit@askstudent.com.removeme ajit@REMOVE.askstudent.com
#3: Replace text with an image:

This technique involves creating a graphic or screen capture of your email address text in jpg, png or gif formats and display that picture instead of the actual address string. Robots and spiders can’t read the text that is embedded in the image. Anyone who wants to email you will have to manually type in your address though.
#4: Email Obfuscators:

E-mail Obfuscator make you email less vulnerable to spammers. Using an online email Obfuscator, convert (or disguise) individual characters of your email address into corresponding ASCII code (a <=> a hex coding) For example, the email address a@b.com is represented in ASCII as: a@b.com The above ASCII string can be used as arguement for mailto: HTML tag as shown here. Email addresses will appear perfectly normal, and will even be clickable, to human visitors to your website. e-mail to confuse sniffer ASCII_STRING
#5: Encode the mailto: and @ symbols with special HTML characters
Encode the mailto: and @ characters with this code: mailto: changes to mailto @ changes to @
The email link HTML code to hide your email address will look like: < a href=”mailtoname@domain.com” mce_href=”mailtoname@domain.com” >hidden email< /a>
Hide email using CSS trick (direction property)
Scramble the email – While coding HTML, jumble and write the email address in reverse direction. (a@b.com should be written as moc.b@a). We can then use CSS stylesheet to reverse the email address againwhen rendering. Here’s the sample HTML code with CSS. < style type=”text/css”> .backwards {unicode-bidi:bidi-override; direction: rtl;} < /style> < span class=”backwards”>moc.b@a< /span>

If someone copies your email address, it will available in the reverse direction. Would not work on older browsers.

Use Macromedia Flash You can easily create a tiny.swf file in Flash with embedded mailto: behaviour. The button action used to pick up the text held in the variables is: on (release){ getURL (“mailto:” +recipient+ “?cc=” + cc + “&subject=” + subject + “&body=” +body) } Requires Macromedia Flash player on client’s machine.

How to hide your email address from spammers with JavaScript

Let’s look at more advanced methods that use javascipt to hide the email (name@domain.com). Remember to use noscript tags since some users prefer to disable javascript in browsers:

1. Basic Email Script

2. Basic Mailto: Email Script with Link Text

3. Inline JavaScript
Send me an email

4. External JavaScript file

The external javascript contains the code mentioned in 2 above.

Enkoder Javscript Form
The enkoder form script generated an encrypted javascript as shown below:

Original HTML: write email
Encrypted HTML code

<script type=”text/javascript”>/* <![CDATA[ */function hivelogic_enkoder(){var kode="kode=\";)'':)1-htgnel.edok(tArahc.edok?htgnel.edok<i(+x=edok})i(tArahc.edo"+"k+)1+i(tArahc.edok=+x{)2=+i;)1-htgnel.edok(<i;0=i(rof;''=x;\\\")''n(oi.j()"+"seerev.r')('itpl.sdekoe=od;kk\\\"\\\\do=e\\\\\\\\\\\"\\\\kode\\\\\\\\\\\\"+"\\\\\\\\\\\\\\\"\\\\r=hn%gn@gr%h,__@_>d%?_vAw2_wAh__%___hw__wv__%___o@l_#h"+"_w_w_%__r_1_oppf{hCshdxhruovd=_wpl__%___h@k_di_u?#__w+u%1hqlpzfwgh>x%rn_gr"+"@hrnhgv1oswl*+,*u1yhuhhv,+m1lr+q**>,@%*{i*u>lr3+l@+>r?hnogq1wh0j,kl4@>,.{5"+"@~r.hnfgd1Dk+u.w,ln4g.1rkhufwdlD\\\\\\\\+\\\\\\\\\\\\\\\\,\\\\\\\\000nrgh@"+"{.+l?nrgh1ohqjwkBnrgh1fkduDw+nrgh1ohqjwk04,=**,>\\\\\\\\;\\\"\\\\\\\\\\\\="+"\\\\\\\\'xf'r;io0(i=k;d<.oeeglhnit+;{+=)ocekcda.ChdrAo(e)t3ii-(;<f)c+01c8="+"x2=;t+iSgrfno.CramChdr(o)ekcd}=oxe\\\\\\\\\\\"\\\\x;'=;'of(r=i;0<ik(do.eel"+"gnht1-;)+i2={)+xk=do.ehcratAi(1++)okedc.ahAr(t)ik}do=e+xi(k<do.eelgnhtk?do"+".ehcratAk(do.eelgnht1-:)'';)=\\\"\\\\deko\\\"=edok\";kode=kode.split('').r"+"everse().join('')";var i,c,x;while(eval(kode));}hivelogic_enkoder();/* ]]> */</script>

All of us have experienced the tremendous pains of spam. Who can remember the glory days of Hotmail 2MB storage where 85% of the inbox was filled with spam. While this plague is going to exist for some more time, here are a few tips we can take to overcome this issue and prevent spam from hitting your inbox.

» Don’t post your email address on message boards or mailing list.

» Maintain two separate email aliases – one for business and important email and other one for subscribing to mailing lists and web forums (called throw away email)

» Don’t publish your email addres directly on the homepage – use Email Obfuscators.

» Provide a fake email address to websites that require mandatory registration before you download software or read their archives.