What If Freddie Krueger Wrote Code?

It sounds like a cheap horror-movie sequel: The Spammers Meet the Virus Writers. But in this case, the horrors are real.

The plot centers on successive versions of the Sobig worm unleashed at regular intervals over the past year. Sobig is a new step in the evolution of malicious code, says Pete Simpson, ThreatLab manager of Clearswift, a U.K.-based company that creates software for managing and securing electronic communications. Simpson says that once Sobig infects a host, it works in three stages. First, it hides in the background, waiting until a file—actually a Trojan horse program called Lala—becomes available from a particular Web site. Next, it downloads and installs Lala and deletes the original worm, making it difficult to find during an antivirus scan. But the most frightening new element is that this Trojan, which allows a backdoor into the infected computer, next installs a proxy server that can be used by those who now control that computer to send spam.

A similar Trojan horse backdoor, named Migmaf, is used as a reverse proxy that helps shield the location of a Web site. For example, imagine a spam recipient who clicks on the hyperlink in a spam message and links to a pornographic Web site. Instead of going directly to that site (which could help investigators locate it and shut it down), the link goes to a compromised PC, and the reverse proxy then bounces that traffic to a master Web server. Simpson says that in addition to providing anonymity, the reverse proxy has another purpose: “It’s an opportunity for getting financial credentials if [that site] is signing up credit card numbers.” 

Joe Stewart of managed security services provider LURHQ was the person who originally discovered and dissected the Migmaf program (which he named). Stewart says that these Trojans show that “a sophisticated infrastructure” is being built for spammers. “Either they’ve become really good programmers or they’ve farmed the work out to hackers who are more experienced in Trojaning systems and writing these kinds of applications,” he says.

Probably it’s the latter, guesses Simpson, who says, “I think it’s a little beyond the capabilities of the spammers. I think that spammers are providing funds for this project but not the technical skills.”

It might seem, given the prevalence of antivirus software even among home users, that malicious code would not be able to spread so widely. However, the antivirus programs might only block those viruses transmitted as executable e-mail attachments. Hackers have leveraged other security weaknesses to spread this type of code, Stewart explains. For example, late last year Web-hosting company Interland was hacked, Stewart says, and the company later found that many of its customers had their home pages compromised with malicious code that was appended to each page. Anyone visiting one of those sites with a version of Internet Explorer that had not been recently patched would be vulnerable to infection by a Trojan known as Coreflood, simply by visiting the site.

Antivirus software might have blocked the Trojan, depending on how the software was configured and whether the software was up to date and recognized the code or was set up to look for unusual activity, says David Perry, public education director of antivirus firm TrendMicro. And a firewall wouldn’t have prevented infection, as the data arrived as trusted content (such as ActiveX controls that are allowed to run on Internet Explorer) through an already open port.

The new relationship between the two groups was born thanks to the success of attempts to close down the open relays that spammers have long relied on and the creation of black-hole lists of spamming machines that have pushed the spammers underground. “In this case, they had a problem that their Web sites kept getting shut down, so someone said, ‘Let’s make this a bit more untraceable,’ and the way to do that was to host it, or appear to host it, on third-party systems,” Stewart says. “If they get shut down, who cares? There’s a thousand more to take their place.”

Simpson worries that future versions of Sobig (which he expects imminently) will be much more clever, using better encryption, for example, to hide the addresses of the Web sites from which the worm retrieves Lala. (Sobig.f was halted because antivirus company F-Secure cracked the encryption and got the machines serving Lala shut down.)

Stewart says that the Trojans are indeed getting deadlier: Coreflood not only serves as a facilitator for delivery of spam but is built to carry out distributed denial of service (DDOS) attacks. Perhaps not coincidentally, several large antispam sites have been victims of recent DDOS attacks, apparently knocking at least one of them offline for good.

The nightmare is likely to get worse. “I think more spammers are jumping on the bandwagon now that they’ve seen the success of it and the profitability in it,” Stewart says. “I’ve seen at least three other systems since then that appear to be solely for the purpose of spamming that are out there in the wild.” These systems combine scores of computers with backdoors installed and the master controller they report to.