Warezov Botnet Is Back in the Spam Game

SecureWorks is reporting that the Warezov botnet is back spewing spam--this time using compromised Hotmail accounts. Whoever is behind the spam campaign has defeated Microsoft Hotmail's CAPTCHA system and is part of a trend security researchers call "reputation hijacking."

Just as the Storm botnet appears to have died down, the Warezov botnet has once again reared its head.

New research from SecureWorks shows the Warezov botnet has begun spamming again-but this time, its tactics have changed. Having apparently defeated CAPTCHA, the bot is using a tool to spew spam via Microsoft's Hotmail service.

The activity highlights a disturbing trend among spammers known as "reputation hijacking." In its recent "E-mail Trends Security Report," security vendor Commtouch noted spammers are increasingly capitalizing on the good reputations of established sites and senders to bypass reputation-based e-mail defenses.

It's unclear just how CAPTCHA was defeated in this case, but it is commonly known the system has been beaten by spammers via optical character recognition or human "account farming" operations, Joe Stewart, director of malware research at SecureWorks, wrote in a posting on the company's Web site.

The resurgence of spam from Warezov comes after months of inactivity following the January indictment of Alan Ralsky and 10 others on charges of illegal spamming tied to a "pump-and-dump" scheme. According to Stewart, it is unknown whether Warezov was used by Ralsky or if the botnet's true operators got nervous after his arrest. Whatever the case, the botnet ceased sending spam-until recently.

On or about Oct. 7, Warezov began spamming again-except now, rather than send direct-to-MX spam as before, it has begun abusing Hotmail. While monitoring a bot, SecureWorks observed it had been given a list of Hotmail usernames and passwords that appeared to be automatically generated. Each username was used to send a few e-mails, with an average of five recipients each to defeat any rate-limiting imposed by Hotmail to thwart this type of activity, Stewart wrote in his post.

"I think the reason for the trend toward reputation hijacking is that it's getting harder to send spam direct to MX from zombie computers," Stewart said later in an interview with eWEEK. "Blacklists like the CBL [Composite Block List] ... are consistently getting better at flagging bot-infected IPs. The PBL [Policy Block List] is blocking large ranges of networks where dial-up/residential bots are located, even without seeing them send any spam first."

Linux vendors increase security features. Read more here.

Anyone using Spamhaus' blacklists to block spam is cutting out a lot of the direct-bot spew, making the reputation hijacking of major Webmail providers a good way for spammers to reach sites using IP blacklists, he said.

SecureWorks has also seen a trend toward Webmail reputation hijacking by other malware such as Wopla and Hotlan, Stewart noted in the posting. However, the trend may be short-lived because, unlike SMTP (Simple Mail Transfer Protocol), which is a universal and stable protocol, creating Webmail accounts and sending spam through them requires that the spammer constantly change the botnet code to adapt to protection methods employed by the Webmail service.

While that may sound similar to what spammers have been doing for years, there is a difference, Stewart wrote in the posting. Before, spammers had to adapt their content to defeat filters. Now, they have to adapt to changes in the Webmail system, which requires them to pay for highly skilled programmers and possibly other services to maintain their spamming capacity, he explained.

In light of how spammers are defeating CAPTCHA, the best defense for Webmail providers is a multipronged approach such as limiting how many messages per hour a particular account can send or how fast one IP address can register accounts, Stewart said.

"If you are OK with forcing your users to have JavaScript enabled, you can use Pramana's HumanPresent system instead of CAPTCHA," he advised during the interview. "Also, standard anti-fraud stuff like checking IPs against proxy blacklists or watching for patterns of suspicious usernames being registered. When the spammers discover they just aren't able to send the volume of mail they expected, they will hopefully give up and target another service. But then it becomes someone else's problem."