
Report Says Spam Arms Race Escalating

Just four months ago, the world enjoyed a brief reduction in spam with the closure of McColo, a U.S.-based Web host that was accused of being a major hub for spammer activity, including a massive botnet called Srizbi.

Within a month, traffic began to bounce back, and spammers had redesigned their botnets to incorporate the lessons learned from the shutdown of Srizbi.

"It was a question of when, rather than if, spammers would be back up after McColo was taken down," Zulfikar Ramzan, technical director at Symantec, told InternetNews.com at the time.

The rising tide of spam since then is now clearly visible, most experts say. "In October, spam volume was 200 billion messages per day," said Nilesh Bhandari, product manager at Cisco's security appliance subsidiary IronPort Systems. "After McColo, it was down to 100 to 120 billion per day. Now spam volume has started to return, to about 140 to 150 billion messages per day."

The longer-term view is bleaker. "Overall, between 2003 and 2008, we've seen the volume of worldwide spam increase exponentially, from 10 trillion to 53 trillion [per year] thanks in large part to the use of botnets," wrote Dr. Thomas Steding, president and CEO of e-mail security company Red Condor, in response to an e-mail query. "We anticipate by 2013 that volume will again grow exponentially as will the business costs of trying to manage the problem."

The share of all e-mail that is spam is stunning on its own. "Spam was 73.3 percent of all e-mail in February," said Paul Wood, senior analyst at Symantec's hosted e-mail security provider MessageLabs.

But not everyone agrees that the volume of spam is increasing. "Actually, from what we see, spam levels are staying more or less the same," wrote David Skoll, president and CEO of e-mail filtering company Roaring Penguin Software, to InternetNews.com. "It continues to be an annoying problem for some, and a very serious problem for many."

Liable to worsen

Expect more spam later this year. IronPort's Bhandari said that botnet owners are building vast bot armies with the capability of sending even more spam but are not yet using them to their full capacity. "We see two or three botnets that are set up but not fully monetized yet," he said. "There have been some spam and malware attacks hosted from there, but they are trying to stay under the radar."

MessageLabs' Wood said that several botnets are competing with each other, and he named a few of them: Xarvester, Cutwail and Mega-D. He added that Mega-D may have competed too hard.

"Mega-D became number one, sending 40 percent of spam, with fewer nodes working harder. But over a period of time, ISPs and others can block those addresses, so as a long-term tactic, making bots work harder is not viable," said Wood.

Shutting down these bots will not be as easy as it was with McColo. The next generation of botnet is designed to make that impossible. "In order to avoid another McColo, malware authors are using different command and control techniques," said Wood.

One longstanding technique is to use an IRC channel. All the bots log into a chat room and wait for an instruction, which is usually to go to a Web site, download a program, and run it. But the bots carry hard-coded information that reveals the location of the command and control network, so defenders can identify the location of the chat room and disrupt the botnet.

These more sophisticated botnets run like peer-to-peer networks, with no central command and control. "Each bot learns from other bots, and instructions cascade through the network," said Wood.
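The difference between the two control models described above is visible on the wire, and it is what decides whether a defender has a choke point to act on. The following Python example is added here and is not from the article or any product it mentions; it runs over constructed connection records (internal host, destination, port) and flags a shared rendezvous point, which is what a hard-coded IRC server looks like, versus a group of hosts that each talk to different peers.

```python
from collections import defaultdict

# Constructed sample connection records, not from the article: (internal host, destination, port).
# Hosts 10.0.0.11-14 all reach one IRC server; hosts 10.0.0.21-23 each talk to different peers.
SAMPLE_FLOWS = [
    ("10.0.0.11", "203.0.113.5", 6667),
    ("10.0.0.12", "203.0.113.5", 6667),
    ("10.0.0.13", "203.0.113.5", 6667),
    ("10.0.0.14", "203.0.113.5", 6667),
    ("10.0.0.11", "198.51.100.9", 443),
    ("10.0.0.21", "192.0.2.30", 41122),
    ("10.0.0.22", "192.0.2.31", 51233),
    ("10.0.0.23", "192.0.2.32", 49011),
    ("10.0.0.21", "192.0.2.33", 40200),
    ("10.0.0.22", "192.0.2.34", 40201),
]

def find_rendezvous_points(flows, min_clients=3):
    """Return {(dst, port): client_count} for destinations shared by >= min_clients internal hosts.
    A hard-coded IRC server shows up as exactly this kind of shared destination: the choke
    point that lets a defender block one address and disrupt the whole botnet."""
    clients = defaultdict(set)
    for src, dst, port in flows:
        clients[(dst, port)].add(src)
    return {key: len(hosts) for key, hosts in clients.items() if len(hosts) >= min_clients}

def classify_control_model(flows, suspect_hosts, min_clients=3):
    """Label how a suspected group of hosts reaches its controllers.
    'centralised' : the group shares a rendezvous point (the IRC model described above).
    'distributed' : the group contacts many distinct destinations and shares none,
                    which is what a peer-to-peer cascade looks like on the wire.
    'unknown'     : too little traffic to say either way."""
    group = [f for f in flows if f[0] in suspect_hosts]
    shared = find_rendezvous_points(group, min_clients)
    if shared:
        return "centralised", sorted(shared)
    destinations = {(dst, port) for _, dst, port in group}
    if len(group) >= min_clients and len(destinations) == len(group):
        return "distributed", sorted(destinations)
    return "unknown", []

if __name__ == "__main__":
    print(find_rendezvous_points(SAMPLE_FLOWS))
    print(classify_control_model(SAMPLE_FLOWS, {"10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"}))
    print(classify_control_model(SAMPLE_FLOWS, {"10.0.0.21", "10.0.0.22", "10.0.0.23"}))
```

On real netflow or proxy logs the same grouping works, but the thresholds need tuning so that legitimate shared services (mail relays, update servers) are excluded before anything is blocked.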

Even if a choke point could be identified, it would be difficult to act on the information in a timely manner. Bandwidth providers cannot act fast and on a whim. They need to be careful, as privacy expert Ray Everett-Church explained in an article on InternetNews.com at the time of the McColo shutdown.

Bandwidth providers need compelling proof to act because they must honor the contracts they have signed. "I can certainly empathize with the sentiment of 'unplug first and ask questions later,' but the number of occasions in which that is the appropriate response is far fewer than you might think," Everett-Church wrote.