Saturday, August 04, 2007

Malware and spam statistics

The precise motivation behind the current malware epidemic is a mystery even among security experts. It's clear that bad guys now have a financial motivation for getting control of lots of PCs, but it's not clear whether the main goal is to steal information (e.g., banking passwords) or to use the PC to relay spam and in DDoS (distributed denial of service) attacks. In the latter case the compromised PC is turned into a "zombie" or "bot" on a secret network controlled by a hacker thousands of miles away. I've always thought that financial crime is far riskier for the bad guy than running a botnet -- in getting money out of someone's bank account there is a significant documentation trail, even if it ends in a former eastern bloc country. On the other hand, most people whose PCs are part of a botnet have no idea that their machine is relaying spam or being used to attack other machines. They just notice that their PC or internet connection is a bit slow from time to time, and probably blame Microsoft for the problem :-) In the rare case that the infection is discovered, tracing control back to the bad guy is almost impossible -- he may be routing each command through multiple compromised machines across several continents. Typical botnets these days can include hundreds of thousands of compromised PCs -- the whole process, from infection to remote control, is automated. Often people only notice their machine is acting funny when two or more different malware packages are fighting for control!

The New Yorker article excerpted below gives some interesting statistics for spam. There's obviously real money to be made from spam, or else it wouldn't be such a well-developed industry. About 90% of all email traffic is spam, hundreds of billions of messages per day. The response rate is around 1 per hundred thousand, and you can imagine that the bad guys could easily average $1 of profit per response. Taking those assumptions, we can conclude that spam generates at least $1 billion per year for the bad guys. That pays for a lot of ingenuity in crafting and distributing malware! (The IT industry may spend as much as $10 billion per year just fighting spam.)

Both the malware and spam problems are a kind of tax on the overall internet population caused by the least sophisticated users (I won't reference IQ here, but there is certainly a correlation). It's the least sophisticated users that tend to get their machines infected (providing cheap botnet spam distribution -- any PC with a broadband connection can send out millions of messages per day), and it's the least sophisticated among us who reply to spam messages, generating profits for the spammers. I suspect that removing the 20% least sophisticated users from the ecosystem would make life 10 times harder for the bad guys. It's actually hard for people in the security industry to understand this sometimes -- security engineers tend to focus on very complex, technologically advanced solutions, without realizing that the key problem is to protect the most clueless users from themselves.

New Yorker: ... Few companies could function without attempting to stop spam from invading their employees’ in-boxes. The costs are not always easy to assess, but several studies have found that in the United States more than ten billion dollars is spent each year trying to contain spam. The success rate of such anti-spam efforts usually exceeds ninety-five per cent, but spam behaves on the Internet in much the same way that viruses do when they infect humans: it might take a million of them to attack an immune system before one gets through, but one is enough. The same is true of e-mail. The more spam that is blocked, the greater the volume spammers will need to send in order to make money. “If you used to have to send fifty thousand pieces of spam to get a response, now you have to send a million,” John Scarrow, the general manager of anti-spam technologies at Microsoft, told me. (Spammers usually need to send a million e-mails to get fifteen positive responses; for the average direct-mail campaign, the response rate is three thousand per million.) “Spammers just shrug it off and send a million.” That amount of e-mail can overwhelm servers and waste time, particularly for those who check their mail several times a day. (It takes at least five seconds to recognize and delete an e-mail. If a billion spam messages elude detection every day—which means that ninety-nine per cent do not—that adds up to a hundred and fifty-nine years of collective time lost hitting the delete button every day.) Scarrow told me that of the four billion e-mails processed by Hotmail every day, they deliver only six hundred million. The rest are spam.

...Matt Sergeant, of MessageLabs, told me. “In 2003, spammers started paying people to write viruses to take control of home computers. The easy days were over.” Viruses are actually tiny software programs that exploit weaknesses in networks or computer operating systems like Windows. They find a way to burrow into a computer’s hard drive. That summer, a virus called Sobig infected millions of computers throughout the world. In a single day, MessageLabs intercepted a million copies and AOL stopped more than twenty-five million.

Sobig was the first commercial virus created by spammers designed specifically to infect machines, embed its code, and then turn those machines into networks that could send millions of e-mails. Because the e-mails were sent by innocent people who never knew that their computers were infected, the criminals were almost impossible to trace. Suddenly, spam had created an industry: a netherworld of hijacked PCs (called zombies or slaves), linked together in rogue robot networks (or botnets) controlled by underground bot herders, who operate from anywhere in the world. These networks can unleash millions of pieces of mail in a few minutes; when the botnets disband, the herders regroup and seize tens of thousands of other computers. Even the cheapest machines now have enough processing power to churn randomly through millions of address combinations until they stumble on a few that are correct.

The increase in spam levels—nearly tenfold in the past three years—is almost solely a result of botnets. Messages routinely carried viruses, many of which were designed to evade traditional filters. It’s not hard to do: Many people use common, easily guessed passwords to protect their wireless networks—and a surprising number don’t use passwords at all. Clicking on the wrong link at a Web address can also permit malicious software to install itself on a computer and force it to manufacture spam. This is called a “drive-by download.” Once a computer virus invades, it will seek out any address book, sending copies of itself to every e-mail address it can find. Spammers today almost never use their own computers or Internet connections. It is rarely necessary, since they can seize control remotely from computers all around the world. “By the end of last year, spammers had taken over enough PCs that they could really do whatever they wanted with them,” Sergeant said. “Half of the time, they are doing it on your computer and you wouldn’t even have a clue.”


Anonymous said...

> In the rare case that the infection is discovered, tracing control back to the bad guy is almost impossible

I don't understand why the FBI or some other 3-letter agency does not run some PCs in the open.
Once infected they could trace back the originator and take them out (infecting a federal PC should be a federal crime).
Maybe they are doing it and are just not very effective...

Steve Hsu said...

The open PC (honeypot) will be infected from and controlled by an intermediary PC which is nowhere near the actual bad guy. Tracing back to the bad guy requires good traffic logs on all the intermediary PCs, which are often in different jurisdictions (even continents) with different privacy laws. Almost certainly, some will be personal machines in someone's home but with a broadband connection. The logs for such a machine (whether on the machine or kept by the ISP) will typically be inadequate, and even the most determined chase will end there.

Each step in the tracing process requires skilled (expensive) people -- not just engineers but lawyers to serve warrants to get access to machines and logs. You can see it's a losing proposition for law enforcement.

Anonymous said...

Still, if governments (not just the US) would be determined to do something about this and actually enforce the law, it should be possible to do this at relatively modest cost (let's say under a billion $).

Steve Hsu said...

Yes, a competent world government could do it, if willing to enforce some draconian rules on monitoring of internet traffic :-)

But there are many nearly lawless countries (or with corrupt governments) where no one cares at all about these things.

One forecast for the future is that, as machines and operating systems get more complex, low level infections will be common and ongoing, just as in our own bodies and other biological systems.

Robert D Feinman said...

You are blaming the victim. If PCs are so poorly designed that doing normal operations (like opening a mail message) can cause the machine to become infected then one has to ask why are they susceptible in the first place?

Suppose you are smart enough to know of the dangers. Can you go out and buy a Windows machine which is not at risk? Perhaps you can buy a machine with some preinstalled countermeasure software, but this is just a patch on an inferior product.

The problem lies with the fact that the OS is controlled by a monopoly which does not find it worthwhile to make their product secure.

Steve Hsu said...

I'm not a Microsoft apologist -- certainly Windows security could be improved quite a bit -- but the problem would still exist even if Linux or OS X were the dominant platform.

A lot of people are infected when they click "I accept" and install a desired program that has a malware payload bundled inside. This problem would exist even in OSes with good permissions structure, because many users do not understand permissions! I.e., my mom might still click "I Accept" even after getting a stern warning from security software about root privileges and dangerous software. That's the same type of person who might be confused and reply to a spam message.

Ultimately, any computing environment that lets the user configure their own machine, install sophisticated software, etc. will be at risk due to clueless users no matter how fundamentally secure the OS is.

Just wait until most of the cellphones out there are as powerful as the iPhone. Then you'll see some real security fun :-)

Microsoft gets attacked because (1) they are the dominant platform (a no brainer to write malware for Windows as opposed to any other OS) and (2) they have a lot of security holes. But (2) is not the entire story.

Anonymous said...

> when they click "I accept" and install a desired program that has a malware payload bundled inside

but this is exactly where law-enforcement should come in.

When was the last time somebody bought a new car and it exploded 10 min later, just because the buyer did not read that the fine print of the sales contract states that the car comes with malware?

Terry Hardy said...

You make a good point because it used to be that hacking in general was a test of the skills of the hacker. Taking down a major site was a way to give yourself a reputation and prove your ability as a coder. Now they are always playing games of getting past our malware prevention measures, in order to...what? Get money, plan for future attacks...sometimes these bugs seem designed just to spread themselves, but with no real secondary course of action.

Remove Spyware said...

Your article is really well-written.
