SecureWorks is reporting that the Warezov botnet is back spewing spam--this time using compromised Hotmail accounts. Whoever is behind the spam campaign has defeated Microsoft Hotmail's CAPTCHA system and is part of a trend security researchers call "reputation hijacking."Just as the Storm botnet appears to have died down, the Warezov botnet has
once again reared its head.
New
research from SecureWorks shows the Warezov botnet has begun spamming again—but
this time, its tactics have changed. Having apparently defeated CAPTCHA, the
bot is using a tool to spew spam via Microsoft’s Hotmail service.
The activity highlights a disturbing trend among spammers known as "reputation
hijacking." In its recent "E-mail Trends Security Report,"
security vendor Commtouch
noted spammers are increasingly capitalizing on the good
reputations of established sites and senders to bypass reputation-based
e-mail defenses.
It's unclear just how CAPTCHA was defeated in this case, but it is
commonly known the system has been beaten by spammers via optical
character recognition or human "account farming" operations, Joe Stewart,
director of malware research at SecureWorks, wrote in a posting on the
company's Web site.
The resurgence of spam from Warezov comes after months of
inactivity following the January indictment of Alan Ralsky and 10 others on
charges of illegal spamming tied to a "pump-and-dump" scheme.
According to Stewart, it is unknown whether Warezov was used by Ralsky or
if the botnet’s true operators got nervous after his arrest. Whatever the case,
the botnet ceased sending spam—until recently.
On or about Oct. 7, Warezov began spamming again—except now, rather than
send direct-to-MX spam as before, it has begun abusing Hotmail. While
monitoring a bot, SecureWorks observed it had been given a list of Hotmail
usernames and passwords that appeared to be automatically generated. Each
username was used to send a few e-mails, with an average of five recipients
each to defeat any rate-limiting imposed by Hotmail to thwart this type of
activity, Stewart wrote in his post.
“I think the reason for the trend toward reputation hijacking is that it's
getting harder to send spam direct to MX from zombie computers,” Stewart said
later in an interview with eWEEK. “Blacklists like the CBL
[Composite Block List] … are consistently getting better at flagging
bot-infected IPs. The PBL [Policy Block List] is blocking large ranges of
networks where dial-up/residential bots are located, even without seeing them
send any spam first.”
Anyone using Spamhaus' blacklists to block spam is cutting out a lot of the
direct-bot spew, making the reputation hijacking of major Webmail providers a
good way for spammers to reach sites using IP blacklists, he said.
SecureWorks has also seen a trend toward Webmail reputation hijacking by
other malware such as Wopla and Hotlan, Stewart noted in the posting. However,
the trend may be short-lived because, unlike SMTP (Simple Mail Transfer
Protocol), which is a universal and stable protocol, creating Webmail accounts
and sending spam through them requires that the spammer constantly change the
botnet code to adapt to protection methods employed by the Webmail service.
While that may sound similar to what spammers have been doing for years,
there is a difference, Stewart wrote in the posting. Before, spammers had to
adapt their content to defeat filters. Now, they have to adapt to changes in
the Webmail system, which requires them to pay for highly skilled programmers
and possibly other services to maintain their spamming capacity, he explained.
In light of how spammers are defeating CAPTCHA, the best defense for Webmail
providers is a multipronged approach such as limiting how many messages per
hour a particular account can send or how fast one IP address can register
accounts, Stewart said.
“If you are OK with forcing your users to have JavaScript enabled, you can use
Pramana's HumanPresent system instead of CAPTCHA,” he advised during
the interview. “Also, standard anti-fraud stuff like checking IPs against
proxy blacklists or watching for patterns of suspicious usernames being
registered. When the spammers discover they just aren't able to send the volume
of mail they expected, they will hopefully give up and target another service.
But then it becomes someone else's problem.”
