Spam and Mobile Malicious Code
Author: Stephen Cobb CISSP
Status: Exclusive to the Web site.
There has never been a “typical” writer of mobile malicious code or MMC (a handy
umbrella term for viruses, worms, Trojans, zombies and the numerous emerging
combinations thereof that we call blended threats). When experts like Sarah
Gordon have looked at what motivates writers of MMC, the answers have been all
over the map (literally, like ILoveYou from the Philippines, Melissa from New
Jersey). But seriously, the motives range from impressing a girlfriend to
robbing a bank, with the latter being, historically, a lot less common than the
former, and probably a lot less common than some sensationalist media types would
like to think.
Over the years, this lack of cohesive motive has been a big help to those of us
in information security. Past MMC outbreaks, stretching back to the 1980s, have
been costly for companies, consumers, and government agencies. Despite that, I
would say that prior to 2003 we were fairly lucky. Why? Because most MMC was of
inferior quality. Some of you may recall the presentations that Dr. Alan Solomon
(creator of Dr. Solomon's Anti-Virus Toolkit, now owned by McAfee) used to make
during the pre-macro virus era (1985-1995). He made considerable fun of the
inept and unskilled coding techniques used by virus writers.
The folks who were on the front lines when ILoveYou and Melissa hit might not have
felt fortunate, but the fact is, MMC writing has been, for the most part, bereft
of generally accepted code development techniques like QA (quality assurance) that
we associate with the production of quality commercial code. Until now. Until spam.
In the last twelve months we have seen two record-setting worm outbreaks (SoBig and
Mydoom) that are spam-related. Unlike the vast majority of the virus writing
that has gone on in the last 20 years, spamming is a commercial activity. People
don’t send spam to impress their girlfriends. They do it to make money. If you
are familiar with the theory of risk displacement you will not be surprised to
find that, as the avenues for sending spam have been closed off, by ISPs
tightening and enforcing service agreements and system administrators tightening
up networks, spammers have been looking elsewhere. There is now a market in
hijacked computers. Here’s Symantec’s Vincent Weafer: “Internet chat rooms are
full of computer criminals offering such proxies for sale — one estimate
suggests a going rate of $5,000 for about 10,000. There is real money being
spent for compromised boxes.” An incentive scheme like that for MMC writers
should have everyone very concerned. I have no doubt that there are a lot worse
things than Mydoom already in QA.
But there is good news, an Achilles heel in the market for proxies, a vulnerability
in the very act of spamming: profit. Reduce the profit and you reduce the spam
(this is not just a theory—I can show you numbers, from the field, that prove
it). Slash the profit in spam and you remove a major incentive to write high
quality MMC. And there is more good news, the right technology, deployed at the
network level, can slash the profitability of spam.
Historically, despite a constant string of “new and improved” products, the main
defense against both spam and MMC has remained unchanged since the first
commercial products shipped in the eighties: filtering. While AV products use
the term scanning and we associate filtering with spam, they are one and the
same: compare the code you are about to run, or the message you are about to
receive, against known bad code/messages, or known attributes thereof. This
approach does not really impact the economics of spam, except to encourage the
sending of even more spam so as to get enough messages past the filters to the
suckers.
Is it too much of a stretch to say that part of the reason we are seeing a market
in zombies, and the MMC that creates them, is that we are doing more and more
filtering of spam? I don’t know. But I do know that if you take a totally
different approach to spam, one that dynamically denies spammers access to your
network resources, then spammers cannot send you more spam. If spammers cannot
deliver messages to your network at a high rate of speed, they soon stop trying.
And paying for zombies will not buy them any leverage against this type of
defense. In other words, if this technology is widely deployed it will be a big
disincentive to the creation of high quality MMC. That market will go away. I’m
not saying that people will stop writing MMC, there will always be a few out
there who keep trying to impress their girlfriends. But that’s a lot different
from the burgeoning MMC industry we are facing today.
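One way to implement the rate-based denial described above, as an added example that is not part of the original article: rather than inspecting message content, each source is admitted only while it stays within a connection-rate budget, and a source that exceeds it is refused for a penalty period, so hammering the server with zombies buys the sender nothing. The window, budget, penalty and the sample connection records are assumptions chosen for illustration.

```python
"""Rate-based SMTP sender throttling (illustrative, not from the article)."""
from collections import defaultdict, deque

# Constructed sample: (timestamp in seconds, source IP) for inbound SMTP
# connection attempts. One bulk sender bursts 11 connections in 5.5 s, then
# retries at 20 s and 100 s; one ordinary sender connects three times.
SAMPLE_CONNECTIONS = sorted(
    [(i * 0.5, "203.0.113.5") for i in range(11)]
    + [(20.0, "203.0.113.5"), (100.0, "203.0.113.5")]
    + [(1.0, "198.51.100.7"), (30.0, "198.51.100.7"), (61.0, "198.51.100.7")]
)


class RateDenier:
    """Sliding-window limiter: a source may open at most `max_conns`
    connections in any `window` seconds; exceeding that denies the source
    for `penalty` seconds (assumed values, tune per site)."""

    def __init__(self, max_conns=5, window=10.0, penalty=60.0):
        self.max_conns, self.window, self.penalty = max_conns, window, penalty
        self.history = defaultdict(deque)   # src -> recent timestamps
        self.denied_until = {}              # src -> end of penalty

    def admit(self, ts, src):
        """Return True to accept the connection, False to refuse it."""
        if src in self.denied_until:
            if ts < self.denied_until[src]:
                return False                # still serving the penalty
            del self.denied_until[src]      # penalty expired, start fresh
        recent = self.history[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                # drop attempts outside the window
        if len(recent) > self.max_conns:
            self.denied_until[src] = ts + self.penalty
            recent.clear()
            return False
        return True


def summarize(connections, denier=None):
    """Replay connections in time order; return {src: (accepted, refused)}."""
    denier = denier or RateDenier()
    counts = defaultdict(lambda: [0, 0])
    for ts, src in sorted(connections):
        counts[src][0 if denier.admit(ts, src) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    for src, (ok, no) in summarize(SAMPLE_CONNECTIONS).items():
        print(f"{src}: accepted {ok}, refused {no}")
```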