Botnets + Spam = Trouble

Cybercrime is going upscale. Criminals are not just putting together bigger botnets—more than a million computers in some cases—they are also adopting the principles of modern marketing to get their products onto your users’ computers. This has implications that will be coming soon to thousands of mailboxes near you.

At the center of all this activity are not spammers or phishers, who increasingly outsource the delivery of their e-mail campaigns, but professional botnet herders, most of whom rent out their networks of infected machines through an elaborate underground marketplace.

Where botnets were once more or less a sideline for spammers and phishers, they are now a full-time, tightly focused and highly competitive business. Like any other businesspeople, these professional herders concentrate on improving their products by delivering better service to their customers. Better service, in this case, is defined as slashing through the defenses of even more computers even faster.

These new herders are a lot more agile than those who preceded them. They have discovered that mass, velocity and agility are the keys to this new environment.

Because the botnets are so big, they can send billions of spams or other malware in a week or two. It’s estimated that the August PDF spams involved sending out 5 billion e-mails in two or three weeks. This kind of velocity means that the botnets’ messages can hit billions of inboxes before word filters down about the new threats. What’s more, botnet herders are quick to modify their approach, depending on what seems to be working.

For example, by the time word spread about the PDF spam and most major security companies had released products that could scan PDFs, the herders had already moved on to other attacks, such as phony XLS spreadsheets or invitations to sign up for the Verified by Visa credit card security program. That means new attacks tend to come in waves.

The other major change is an increased use of social engineering. That’s because these scammers still rely on getting the user to visit a malicious website or click on an infected file.

“There are more defenses in place,” says Uriel Maimon, the senior researcher in the office of the chief technology officer for RSA, the security division of EMC. “That means more spam needs to be sent with more variations until it gets through to you.”

“We see more and more of a role for deception in infections,” says Dave Cole, director of security response at Symantec. “You certainly see this with the Storm Trojan, and you have pretty elaborate ruses put into play by the bad guys.”

That makes the old strategy of letting users find out about attacks through the grapevine less effective. The spam is spreading too rapidly. It makes more sense than ever to send users regular security bulletins—say weekly—warning about new kinds of spam and reminding them to be suspicious of e-mails with attachments or links.