Hackers, Spammers Partner Up To Wreak Havoc - InformationWeek
02:57 PM



A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert said Thursday.

The attack, which involves a new combination of malicious code, shows evidence of "tactical coordination that is unprecedented," said Sam Curry, vice president of Computer Associates' eTrust security group.

Unlike blended threats, which were first popular two years ago -- and in which a single piece of malicious code uses multiple tricks or tactics to spread -- this recent attack is a convergence of both the malware itself and the groups that write and distribute it, Curry went on.

"They're collaborating, and making quite an effective parcel," said Curry.

Curry outlined the three-step process, which he characterized as "spread, disarm, and exploit," as starting with the Glieder Trojan horse. Wednesday, said Curry, at least eight Glieder variants -- which are similar enough to the Bagle worm that many security firms label them as such -- hit the Web, one after another, "about one each hour." According to another security researcher, Carole Theriault of Sophos, that pace continued into Thursday.

Glieder, which, unlike a true Bagle worm, doesn't spread on its own, was spammed in huge numbers, said Curry. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware. This is the 'beachhead' for the other elements."

"This was spammed to huge lists," said Curry. "That's a different technique than what hackers have used in the past, where they spam a worm to a relatively small list as a 'booster' to initially seed it. Those don't have the mass-mailing dimension we're seeing here."

Once installed on a PC, Glieder downloads a second Trojan, dubbed Fantibag by Computer Associates. This Trojan horse overwrites the system's HOSTS file so that the machine can't connect to most anti-virus vendor sites (or even Microsoft's Windows Update site). Because Windows consults the HOSTS file before it queries DNS, an entry that maps a vendor's hostname to a dead address silently defeats every connection to that site without touching the network at all. "This is a 'shields down' Trojan," said Curry. "It effectively isolates the user and his machine from help."
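The HOSTS-file tampering described above is easy to check for. The following is an added example, not code from the original article or from Computer Associates: a small Python scanner that parses a Windows-style HOSTS file and flags any entry that pins an anti-virus vendor or Windows Update hostname to an address. The vendor domain list and the sample file are assumptions constructed for illustration; the article names no specific hostnames or addresses, and the loopback/null-address mappings in the sample reflect the usual way such Trojans block a site rather than anything the article states about Fantibag.

```python
import ipaddress

# Hypothetical watchlist of hostnames a "shields down" Trojan would want to
# block. The article mentions anti-virus vendor sites and Windows Update but
# names no specific hosts; these suffixes are illustrative assumptions.
WATCHLIST_SUFFIXES = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "sophos.com",
    "mcafee.com",
    "trendmicro.com",
    "kaspersky.com",
)

# Constructed sample of a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com
0.0.0.0 update.microsoft.com
10.0.0.5 intranet.example.local   # legitimate local override
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, skipping comments
    and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed mapping, ignore
        for name in parts[1:]:                # one IP may carry several names
            entries.append((str(ip), name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watchlisted domain."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHLIST_SUFFIXES)


def find_blocked_vendors(text):
    """Return (hostname, ip, reason) for every watchlisted host that the
    HOSTS file pins to any address. A clean Windows HOSTS file maps only
    localhost, so any vendor entry is suspicious whatever it points to."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            reason = "vendor/update host pinned to loopback or null address"
        else:
            reason = "vendor/update host pinned to an unexpected address"
        findings.append((name, ip, reason))
    return findings


def scan_hosts_file(path):
    """Scan a HOSTS file on disk; on Windows the path is
    %SystemRoot%\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_blocked_vendors(fh.read())


if __name__ == "__main__":
    for name, ip, reason in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"{name:35} -> {ip:12} {reason}")
```

On a live machine, point `scan_hosts_file` at the real HOSTS path; the scan flags the vendor entries regardless of the address they map to, because a legitimate Windows HOSTS file has no reason to override name resolution for an anti-virus vendor or for Windows Update. A response step that complements the check is restoring the file to its single `localhost` line so the machine can reach update and signature servers again.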

Finally, said Curry, a third Trojan -- Mitglieder, another Bagle look-alike -- is loaded and installed to turn the system into a proxy, from which spam can be sent. Additionally, Mitglieder leaves open a backdoor through which the attacker can add keyloggers or other malicious code to further compromise the computer.

"This is a convergence of more than just malware types," said Curry. "This is a cooperative effort by spammers, thieves, and criminals."

Their goal, he said, is to collect as many compromised PCs as possible, since each one is a potential profit center. "Spammers and criminals engaged in fraud are paying between 2 or 3 cents and 7 or 8 cents for each compromised computer," he said. "Although I can't say what kind of revenues someone may generate from a compromised machine -- we're still talking to law enforcement to get a clearer picture of that -- it's certainly north of 10 cents per system."

Other analysts have pegged a value as high as $2.40 in annual revenues from a machine infected with just one piece of spyware.

The Glieder Trojan -- which some security firms have been calling a Bagle downloader to differentiate it from a true Bagle worm -- accounted for more than 800,000 of the pieces of malicious code intercepted by filtering firm MessageLabs in the last 24 hours. But the numbers are fading, indicating, said MessageLabs analyst Maksym Schipka, that the wave may have peaked.

Even so, the attack Curry described accounted for about 14 percent of all malicious code detected by U.K. security firm Sophos in the last 48 hours, said Theriault.

"I really hate to spread doom and gloom," said Curry, "but I think what we're seeing now is what we've been afraid of for a year or so now, a real partnership between the bad guys."
