This story was printed from AnchorDesk, located at http://review.zdnet.com/AnchorDesk/.


How viruses (and your PC) are used to send spam
By Robert Vamosi: Senior Editor, Reviews
Monday, June 30, 2003
 

Spam has become an international crisis. Security company MessageLabs says about 55 percent of all the e-mail it scans for viruses is actually spam. That's bad news for you and me.

Thanks to continuing efforts by legislators and private companies to crack down on this epidemic, spammers now have to try harder than ever before to remain anonymous. For example, a few weeks ago I wrote about spammers exploiting open proxies to conceal their identities behind fake IP addresses.


UNFORTUNATELY, it appears spammers have found another creative way to avoid being caught: using millions of virus-infected PCs--one of which could be yours--to send out their junk e-mail messages.

The virus many suspect to be sending spam is called Sobig. Like many Internet worms, it's able to send copies of itself to e-mail addresses it finds on infected computers, and carries a Trojan horse so its author can remotely access infected PCs. What's special about Sobig is that it can use its self-contained e-mail engine to send out spam as well.

Several Sobig variants have appeared this year. Sobig.b, also known as Palyh, appeared in early May as a fake Microsoft support e-mail, and expired on May 31. Sobig.c was around for the first week of June, and the little-known Sobig.d is set to expire on July 8. The most recent one, Sobig.e, should expire on July 14.

WHILE IT'S NOT unusual for viruses to expire, it is unusual for a series of variants to terminate themselves only two or three weeks apart. With Sobig, it appears that each iteration works through a single job request (say, send spam to 4 million e-mail addresses), then quits. I'm just speculating here, but I think the Sobig author could be getting paid by someone to develop new variations quickly. Why else would each of these Sobig versions expire so soon after being released, only to be replaced by another?

You may wonder why spammers are so keen on using viruses to deliver messages. It's because viruses are traditionally anonymous. The few virus writers who've been arrested were caught because of careless or deliberate actions, such as bragging about their exploits in IRC chat groups, submitting a version of the code as a senior thesis, or leaving telltale code within the virus that identifies the computer on which the malicious program was written.

The Sobig author seems to have left no such clue. He or she also seems to be very clever, as the virus has been successful at spreading itself across the Net. One reason for this success is that the latest variants include Zip files, a common compression format that's not blocked by the security features built into Microsoft Outlook.

GETTING BACK TO your PC's role in all of this: How do you know if your system's been hijacked for spam? One clue is the sudden appearance in your e-mail client of "delivery failure" alerts for e-mails sent to people you do not know. Another is increased activity on your PC's UDP ports 995 to 999, which any good firewall should notice and inform you of.
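As an added example (not from the column or from ZDNet), here is a small Python script that turns the two clues above into a check a user or help-desk tech could run over exported logs: it counts outbound UDP connections to ports 995 through 999 per source host in a firewall log, and counts bounce-style subject lines in a mailbox. The log line format, the IP addresses, the subject lines and the thresholds are all constructed for this example and are assumptions, not Sobig artifacts.

```python
import re
from collections import Counter

# Constructed firewall log lines in a hypothetical format:
# "<date> <time> <IN|OUT> <TCP|UDP> <src>:<sport> -> <dst>:<dport>".
# The addresses are documentation ranges, not real hosts.
FIREWALL_LOG = """\
2003-06-30 09:12:01 OUT UDP 192.168.1.10:1034 -> 203.0.113.5:995
2003-06-30 09:12:02 OUT UDP 192.168.1.10:1035 -> 203.0.113.6:996
2003-06-30 09:12:02 OUT UDP 192.168.1.10:1036 -> 198.51.100.7:999
2003-06-30 09:12:05 OUT TCP 192.168.1.10:1040 -> 192.0.2.9:80
2003-06-30 09:12:07 OUT UDP 192.168.1.20:1050 -> 192.0.2.53:53
2003-06-30 09:12:09 OUT UDP 192.168.1.10:1041 -> 203.0.113.8:997
this line is garbage and should be ignored
"""

# Constructed inbox subject lines (also not from the column).
INBOX_SUBJECTS = [
    "Delivery failure: Re: Your details",
    "Undeliverable: Approved",
    "Lunch on Thursday?",
    "Delivery failure: Re: Movie",
    "Undeliverable: Screensaver",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# UDP 995-999: the port range the column says a good firewall should flag.
SUSPECT_PORTS = range(995, 1000)

# Subject prefixes that mail servers commonly use for non-delivery reports.
BOUNCE_RE = re.compile(
    r"^(delivery failure|undeliverable|returned mail|mail delivery failed)\b", re.I
)


def suspicious_udp_hosts(log_text, threshold=3):
    """Return {source_ip: count} for hosts that made at least `threshold`
    outbound UDP connections to ports 995-999. Unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["dir"] == "OUT" and m["proto"] == "UDP" and int(m["dport"]) in SUSPECT_PORTS:
            counts[m["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def bounce_count(subjects):
    """Count subject lines that look like delivery-failure notices."""
    return sum(1 for s in subjects if BOUNCE_RE.match(s.strip()))


def assess(log_text, subjects, bounce_threshold=2):
    """Combine both clues into a list of human-readable indicators.
    Thresholds are arbitrary example values; tune them to the environment."""
    hosts = suspicious_udp_hosts(log_text)
    bounces = bounce_count(subjects)
    indicators = []
    for ip, n in sorted(hosts.items()):
        indicators.append(f"{ip}: {n} outbound UDP connections to ports 995-999")
    if bounces >= bounce_threshold:
        indicators.append(f"{bounces} delivery-failure messages in the mailbox")
    return {"udp_hosts": hosts, "bounces": bounces, "indicators": indicators}


if __name__ == "__main__":
    for line in assess(FIREWALL_LOG, INBOX_SUBJECTS)["indicators"]:
        print("indicator:", line)
```

Either clue alone can have an innocent explanation (a typo in an address produces a bounce too), so the script reports both and leaves the judgment to the reader; a host that trips the UDP check is the one to scan with an updated antivirus product.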

There's no foolproof way to restrict the Sobig variations from getting onto your PC--otherwise we'd be able to stop all viruses and spam (which we obviously can't). But you can stop the virus from sending out copies of itself and communicating with other infected PCs or the virus author by updating your antivirus app and installing a good personal firewall, such as the new ZoneAlarm Pro 4.0.

What really alarms me about Sobig is that it shows virus writing may no longer be an idle, antisocial pastime--it may well become a business in which virus authors get paid big bucks to perpetrate a spammer's latest schemes. The monetization of virus writing--now that's something I never thought I'd see.

Has your computer been hijacked by the Sobig worm? TalkBack to me!