February 12, 2004 (12:31 PM EST)

Spammers, Hackers Increasingly Feed Off Each Other

By Gregg Keizer

Evidence is mounting that spammers and hackers are in a symbiotic relationship, according to a message filtering firm. That partnership may, in fact, be one of the reasons why virus and worm attacks are increasing in both number and sophistication.

According to Mark Sunner, the chief technology officer of MessageLabs, a U.K.-based spam- and virus-filtering vendor, the numbers tell the story. Spammers and virus writers are working hand in hand, he said, driven by the greed of the former and fueled by the technical skills of the latter.

"We try to trace back each spam that we intercept," Sunner said, "to look at its source. What we've found is that approximately two-thirds of all spam is coming from open proxies."

"Open proxy" is the term given to computers that have been compromised by attackers -- through worm or virus infection -- and are then used by the hacker as an e-mail or Web server; the owner of the machine typically has no idea his PC has been hijacked.

Most of the open proxies that MessageLabs has identified carry IP addresses from broadband Internet providers, such as cable and telecommunications companies selling cable- and DSL-based Web access. "Home users are the fertile ground that allows these kinds of things to be perpetuated," said Sunner, noting that although enterprises often quickly shore up their defenses against new worms, consumers are typically the last to update, if they ever do.

MessageLabs, said Sunner, also has analyzed other data that points more conclusively to a spammer-hacker convergence. As the company collects spam, it notes the IP addresses of the sending systems, then compares those addresses, or address ranges, to those it's noted as having tried to spawn worms and viruses its filters have intercepted.

Increasingly, Sunner said, that comparison is coming up with a correlated match. "We've found a strong match between machines sending lots of spam and those machines from which we've intercepted worms and viruses such as Sobig.f and Fizzer," he said.

"It's unquestionably more than circumstantial evidence," he went on. "There's a definite link between spam and viruses."
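The comparison described above, sketched as an added example (not MessageLabs' code or data): spam-sending addresses are matched against malware-sending addresses, first exactly and then by shared /24 range. The sample addresses are constructed from documentation ranges, and the /24 granularity and function names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data (RFC 5737 documentation ranges), not real telemetry.
SPAM_SOURCES = [
    "198.51.100.7", "198.51.100.7", "198.51.100.7",
    "198.51.100.42", "203.0.113.9", "192.0.2.200",
]
MALWARE_SOURCES = ["198.51.100.7", "198.51.100.99", "203.0.113.77"]


def network_of(ip, prefix=24):
    """Return the enclosing network (default /24) of an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def correlate(spam_ips, malware_ips, prefix=24):
    """Compare spam senders with malware senders by address and by range."""
    spam_counts = Counter(spam_ips)          # messages seen per sending IP
    malware_set = set(malware_ips)
    malware_nets = {network_of(ip, prefix) for ip in malware_set}

    # Strong signal: the same address sent both spam and malware.
    exact = {ip: n for ip, n in spam_counts.items() if ip in malware_set}
    # Weaker signal: a different address in a range that also sent malware
    # (dynamic broadband pools can make neighbours look related).
    range_only = {
        ip: n for ip, n in spam_counts.items()
        if ip not in malware_set and network_of(ip, prefix) in malware_nets
    }
    total = sum(spam_counts.values())
    matched = sum(exact.values()) + sum(range_only.values())
    return {
        "exact": exact,
        "range_only": range_only,
        "matched_share": matched / total if total else 0.0,
    }


if __name__ == "__main__":
    result = correlate(SPAM_SOURCES, MALWARE_SOURCES)
    print("exact address matches:", result["exact"])
    print("same /24 as a malware sender:", result["range_only"])
    print(f"share of spam from correlated sources: {result['matched_share']:.0%}")
```
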

For instance, MessageLabs has intercepted over 650,000 spam messages from machines infected with Fizzer, a worm first discovered in May, 2003, that includes a backdoor capability which hackers can use to turn a compromised machine into an open proxy.

"Sobig.f is another example," he added. "Its whole purpose was to harvest lots of machines which could then be used to send spam.

"It's not just the volume of messages which can be sent from open proxies that drives spammers [to use infected machines], but also the fact that they have a huge swath of the IP address space available to them." By using a large number of IP addresses, spammers can defeat blacklisting, still one of the most popular ways to filter out spam before it crosses the network perimeter.

All this data points to "a new person or persons entering the malware fray," said Sunner.

"Very broadly speaking, the past profile of a hacker was a young, adolescent male who was after notoriety and to some extent, had malicious intent. Now, however, we're definitely seeing a secondary plot that seems to be rooted in spam," he said.

"Spammers are bankrolling people who are very, very sophisticated [technically] to harvest lots of machines to send their messages. In many cases, these are people who wouldn't normally be writing worms and viruses, but they're now being brought in by spammers."

"This seems to be the landscape now," concluded Sunner. "The Internet is being used to pollinate viruses, which are in turn used by spammers."

