By Ryan Naraine  |  Posted 2006-11-16

The SpamThru spammer also controls lists of millions of e-mail addresses harvested from the hard drives of computers already in the botnet. "This gives the spammer the ability to reach individuals who have never published their e-mail address online or given it to anyone other than personal contacts," Stewart explained.

"It's a very enterprising operation and it's interesting that they're only doing pump-and-dump and penis enlargement spam. That's probably because those are the most lucrative," he added.

Even the spam messages come with a unique component. The messages are both text- and image-based and a lot of effort has been put into evading spam filters. For example, each SpamThru client works as its own spam engine, downloading a template containing the spam and random phrases to use as hash-busters, random "from" names, and a list of several hundred e-mail addresses to send to.

Stewart discovered that the image files in the templates are modified with every e-mail message sent, allowing the spammer to change the width and height. The image-based spam also includes random pixels at the bottom, specifically to defeat anti-spam technologies that reject mail based on a static image.
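To show why a filter keyed on a static image signature fails against the per-message variation described above, here is an added Python illustration (not from the article or from Stewart's analysis): it compares an exact pixel digest with a simple perceptual difference hash on a constructed grayscale image; the image pattern, the appended noise strip and the nearest-neighbour thumbnail are all assumptions made for the example.

```python
import hashlib
import random

# Constructed grayscale "image" (lists of 0..255 values), a stand-in for the
# stock-tip picture a spam template would carry: a horizontal pattern that
# shifts every six rows, plus a flat dark band at rows 8-11.
def make_image(width=24, height=24, multiplier=37):
    return [[20 if 8 <= y < 12 else (x * multiplier + (y // 6) * 50) % 256
             for x in range(width)] for y in range(height)]

def add_noise_strip(img, rows=3, seed=1):
    """Per-message variation as the article describes: rows of random
    pixels appended at the bottom, which also changes the image height."""
    rng = random.Random(seed)
    width = len(img[0])
    return [row[:] for row in img] + [
        [rng.randrange(256) for _ in range(width)] for _ in range(rows)]

def exact_hash(img):
    """What a static-image blocklist keys on: a digest over every pixel."""
    return hashlib.sha256(bytes(px for row in img for px in row)).hexdigest()

def downsample(img, width, height):
    """Nearest-neighbour shrink to a width x height grid (no image library)."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]

def dhash(img, size=8):
    """Difference hash: on a (size+1) x size thumbnail, one bit per pixel
    recording whether it is brighter than its right-hand neighbour."""
    bits = 0
    for row in downsample(img, size + 1, size):
        for x in range(size):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def same_image(a, b, max_distance=8):
    """Treat two images as the same spam picture if their dHashes are close."""
    return hamming(dhash(a), dhash(b)) <= max_distance

if __name__ == "__main__":
    base = make_image()
    variant = add_noise_strip(base)                # what the next message carries
    print(exact_hash(base) == exact_hash(variant))  # False: static check fails
    print(same_image(base, variant))                # True: still recognised
```

Nearest-neighbour sampling is deliberately simple; a strip tall enough to be sampled into the thumbnail would need block averaging instead.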

All SpamThru bots—the botnet controls about 73,000 infected clients—are also capable of using a list of proxy servers maintained by the controller to evade blacklisting of the bot IP addresses by anti-spam services. Stewart said this allows the Trojan to act as a "massive distributed engine for sending spam," without the cost of maintaining static servers.

With a botnet of this size, the group is theoretically capable of sending a billion spam e-mails in a single day. "This number assumes one recipient per message, [but] in reality, most spams are delivered in a single message with multiple recipients at the same domain, so the actual number of separate spams landing in different inboxes could be even higher," Stewart said.

According to data from Barracuda Networks, an enterprise security appliance vendor in Mountain View, Calif., there has been a 67 percent increase in overall spam volume and a 500 percent increase in image spam since Aug. 2006.

Stephen Pao, vice president of product management at Barracuda Networks, echoed Stewart's findings, noting that the bulk of the spam is linked to the trading of penny stocks. "Across the board, we are observing more spam and more sophistication in sending the spam," Pao said.
