A Method to the

By Matt Hines  |  Posted 2007-01-19 Print this article Print

Madness"> Over the last several months, Bowers said that Symantec, of Cupertino, Calif., has observed a growing number of examples of the newsletter attacks. Often times, the spam content is embedded into a single image in a message, and sometimes a carbon copy of a legitimate newsletter appears in a users in-box first, and then the spam message inserts itself into the e-mail a few minutes later.

Bowers said there also seems to be a calculated measure of control to the attacks, as they never appear to distribute more than one of the altered messages to any individual e-mail account per day. The attacks hijack the content of a wide range of reputable businesses, versus focusing on one or two legitimate sources.

The research said that Symantec has not been able to prove that the spammers are sending their work to individuals who are known recipients of the newsletters they are copying, but he suspects this could be the next step the criminals take.

Adding to the complexity of tracking down the sources of the newsletter spammers is their frequent use of hijacked botnet computers for distributing their campaigns. Bowers said that botnets continue to play an increasing role in the techniques used by more sophisticated spammers.

"Theres currently a big focus for global networks to analyze botnet traffic and block these types of content," Bowers said. "We have a tremendous amount of insight into the command and control of botnets, but the more distributed the system for spam distribution, the harder it makes it to trace back to the source."

Other researchers are tracking the emergence of a widespread spam campaign that uses messages disguised as breaking news reports to trick users into opening the e-mails, which often carry a Trojan horse desktop virus.

According to malware experts at software maker Sophos, which has its U.S. headquarters in Burlington, Mass., the attacks were being sent out at an alarming pace on Jan. 18, with the Trojan accounting for 67 percent of all malware reports observed by the companys worldwide threat monitoring network. The news spam attack was so pervasive that at one point it was showing up in 1 of every 200 e-mails inspected by Sophos.

Among the news headlines used in the attacks were stories related to heavy storms in Europe, genocide of Muslim people, murderers freed from prison and the travels of U.S. Secretary of State Condoleezza Rice. Sophos said that files with names including Full Clip.exe, Full Story.exe, Full Video.exe, Read More.exe and Video.exe were most frequently attached to the spam e-mails and contain the malicious code.

"The Trojan is spreading at an extremely rapid rate and overwhelming many inboxes," said Ron OBrien, senior security analyst at Sophos. "While users will not be affected by simply reading or receiving the e-mail, they must be very careful not to open the attached files. If they do accidentally open one, a Trojan horse will automatically install on their computer."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel