Hackers, Spammers Partner Up To Wreak Havoc - InformationWeek


A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert said Thursday.

The attack, which involves a new combination of malicious code, shows evidence of "tactical coordination that is unprecedented," said Sam Curry, vice president of Computer Associates' eTrust security group.

Unlike blended threats, which first became prominent about two years ago and in which a single piece of malicious code uses several tricks or tactics to spread, this recent attack is a convergence not only of the malware itself but of its creators, Curry went on.

"They're collaborating, and making quite an effective parcel," said Curry.

Curry outlined the three-step process, which he characterized as "spread, disarm, and exploit," as starting with the Glieder Trojan horse. Wednesday, said Curry, at least eight Glieder variants -- which are similar enough to the Bagle worm that many security firms label them as such -- hit the Web, one after another, "about one each hour." According to another security researcher, Carole Theriault of Sophos, that pace continued into Thursday.

Glieder, which, unlike a true Bagle worm, does not spread on its own, was spammed in huge numbers, said Curry. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware. This is the 'beachhead' for the other elements."

"This was spammed to huge lists," said Curry. "That's a different technique than what hackers have used in the past, where they spam a worm to a relatively small list as a 'booster' to initially seed it. Those don't have the mass-mailing dimension we're seeing here."

Once safely installed on a PC, Glieder downloads another Trojan, dubbed Fantibag by Computer Associates. This Trojan horse overwrites the system's HOSTS file so that the machine can't connect with most anti-virus vendor sites (or even Microsoft's Windows Update site). The HOSTS file is consulted before DNS, so pinning a vendor's hostname to an unreachable address such as 127.0.0.1 silently breaks every connection to that site without any visible error on the network. "This is a 'shields down' Trojan," said Curry. "It effectively isolates the user and his machine from help."
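The "shields down" step is easy to check for, because a legitimate HOSTS file has no reason to contain entries for anti-virus vendors or Windows Update at all. The scanner below is an added example, not code from the article, from Computer Associates, or from any analysis of Fantibag; the watchlist of domains and the sample HOSTS contents are constructed for illustration and are not the list the Trojan actually wrote. It goes slightly beyond the article's description: besides entries that sink a security site to loopback or 0.0.0.0, it also flags a watchlisted host pinned to any other fixed address, since that pattern would redirect the site to a server the attacker controls rather than merely blocking it.

```python
"""Scan a Windows HOSTS file for 'shields down' entries that block security sites.

Added example; not from the original article or from Computer Associates.
The WATCHLIST and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple

# Illustrative watchlist (assumption, not Fantibag's real target list):
# hostnames a clean HOSTS file should never pin. Matched as the exact
# name or any subdomain of it.
WATCHLIST = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "ca.com",
    "kaspersky.com",
    "trendmicro.com",
)


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def _is_sink(addr: str) -> bool:
    """True for addresses that silently swallow a connection attempt."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def _on_watchlist(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def scan_hosts(text: str) -> List[Finding]:
    """Return one Finding per watchlisted hostname pinned in the HOSTS text."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()  # "<address> <host> [<host> ...]", any whitespace
        if len(fields) < 2:
            continue
        addr, hostnames = fields[0], fields[1:]
        for host in hostnames:
            if not _on_watchlist(host):
                continue
            if _is_sink(addr):
                reason = "security/update host pinned to a sink address (blocked)"
            else:
                reason = "security/update host pinned to a fixed address (possible impersonation)"
            findings.append(Finding(line_no, addr, host, reason))
    return findings


# Constructed sample resembling a tampered HOSTS file; not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
127.0.0.1 www.symantec.com securityresponse.symantec.com  # appended by malware
0.0.0.0 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.sophos.com
192.0.2.10 update.microsoft.com
127.0.0.1 intranet.example.internal
"""

if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address:>12} -> {f.hostname}: {f.reason}")
```

On a live Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the example keeps the contents inline so it runs anywhere. Note that the last sample line (an internal hostname pinned to loopback) is deliberately not reported: the check is keyed to the watchlist, so local overrides an administrator added on purpose do not generate noise.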

Finally, said Curry, a third Trojan -- Mitglieder, another Bagle look-alike -- is loaded and installed to turn the system into a proxy, from which spam can be sent. Additionally, Mitglieder leaves open a backdoor through which the attacker can add keyloggers or other malicious code to further compromise the computer.

"This is a convergence of more than just malware types," said Curry. "This is a cooperative effort by spammers, thieves, and criminals."

Their goal, he said, is to collect as many compromised PCs as possible, since each one is a potential profit center. "Spammers and criminals engaged in fraud are paying between 2 or 3 cents and 7 or 8 cents for each compromised computer," he said. "Although I can't say what kind of revenues someone may generate from a compromised machine -- we're still talking to law enforcement to get a clearer picture of that -- it's certainly north of 10 cents per system."

Other analysts have pegged a value as high as $2.40 in annual revenues from a machine infected with just one piece of spyware.

The Glieder Trojan -- which some security firms have been calling a Bagle downloader to differentiate it from a true Bagle worm -- accounted for more than 800,000 of the malicious code samples intercepted by e-mail filtering firm MessageLabs in the last 24 hours. But the numbers are fading, indicating, said MessageLabs analyst Maksym Schipka, that the wave may have peaked.

Even so, the attack Curry described accounted for about 14 percent of all malicious code detected by U.K. security firm Sophos in the last 48 hours, said Theriault.

"I really hate to spread doom and gloom," said Curry, "but I think what we're seeing now is what we've been afraid of for a year or so now, a real partnership between the bad guys."
