Anatomy of a spambot

Your computer could be busy right now making money for someone else. But that’s not the worst thing that spambots do.

For security pros, spambots are known enemies. For the uninitiated, they are unknown entities. And yet they proliferate like ants at a picnic or teens on messaging apps. You might be receiving countless messages from bots every day, and even worse, a bot might be sending out unwanted emails from your computer right now, making you an unwilling participant in digitized mayhem.

As with any unknown, it can be helpful to understand how spambots work, what they do, how they proliferate and what you can do to protect yourself from being coerced into running one of them.

How it all starts

Before you understand how a spambot infects your computer and how it works, it’s worth exploring how they come into existence in the first place.

Thomas Pore, director of IT and services at Plixer, a malware detection company, told Computerworld some of the gory details. It usually starts when hackers, many of them overseas, in places such as Russia and China, purchase a database of email addresses on the dark web.

This is easier than it sounds, and it’s getting easier all of the time. When Yahoo recently announced that all 3 billion of its user accounts had been breached in 2013 — including information such as email addresses, passwords and dates of birth — the news probably didn’t surprise spambot creators. In all likelihood, they had been using that data in their bots for years. Spambots feed on email addresses and can’t run without them. The origin of any spambot always involves a collection of emails.

Originally, though, spambots simply guessed at email addresses and tried to infect computers randomly. Lawrence Pingree, a Gartner analyst, says this is not true anymore. There are plenty of addresses for sale. And by using social engineering, spambot creators set up a vicious circle. A successful social engineering incursion can lead to a data breach, and a successful data breach makes more email addresses available. This explains the massive increase in data breaches. It’s all about collecting more information to trick more people.

How you get infected

One of the difficulties in combating spambots is that their creators are always shifting tactics. Take, for example, the initial infection that installs an email-generating spambot on an unwitting user’s computer. For some time, Pingree notes, spammers have tricked users into inadvertently downloading malware from disreputable sites or used phishing messages to get users to click on a link that leads to trouble.

Security organizations have drilled into their users’ heads the idea that they should be wary of attachments and links they receive from strangers. However, spammers have turned to more sophisticated tactics. Pingree says a recent technique is to hijack a photo from a user’s Facebook feed and then email it to that user in a message that closely mimics a Facebook notification saying that a friend has commented on the photo. Respond, and your computer becomes a spambot host, all without your knowledge.

Another trick, one that is thankfully just a proof of concept, is to show the iTunes login and password dialog box on an iPhone — but the login is from an app meant to steal your account information and possibly install malware on your phone.

“Spammers use social engineering (which equates to ‘trickery through lying’) in order to get a user to trust the email and either open an attachment or click on the content in the email,” says Pingree.

Even if the user isn’t fooled into clicking, the spammer can still get something. A close inspection of the spam message might reveal to a knowing eye a barely detectable image tag. When the user opens the email, the mail client fetches that image from the spammer’s server, which tells the botmaster that the address belongs to a real person who reads mail, says Joe St Sauver, scientist for Farsight Security.
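The image-tag beacon St Sauver describes is something a mail gateway or a curious analyst can look for. The scanner below is an added example, not code from the article or from Farsight Security: it walks the `<img>` tags of an HTML message body and reports remote images that are too small to be visible content or are styled invisible, which is the usual shape of a tracking pixel. The sample message, the hostnames and the size/style heuristics are constructed for the example.

```python
"""Flag hidden "tracking pixel" image tags in an HTML email body.

Added example (not from the article). A remote <img> that renders when
the message is opened tells the sender's server the address is live.
Inline images (cid:, data:) cannot phone home, so they are ignored.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that hide an element (spaces are stripped before matching).
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "width:0", "height:0", "opacity:0")


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' to an int; None if unparseable."""
    if value is None:
        return None
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else None


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_tracking_pixels(html):
    """Return one finding per suspicious remote image: its src, host and why it was flagged."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme.lower() not in ("http", "https"):
            continue  # cid:/data: images never contact a remote server
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("size<=1px")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden-by-style")
        if reasons:
            findings.append({
                "src": src,
                "host": parsed.hostname,
                "reasons": reasons,
                # A query string often carries a per-recipient token; recorded, not used to flag.
                "has_query": bool(parsed.query),
            })
    return findings


# Constructed sample: a fake "friend commented on your photo" notification
# with one inline photo, one visible logo and two beacons.
SAMPLE_EMAIL = """
<html><body>
<p>Your friend commented on your photo.</p>
<img src="cid:photo.jpg" width="400" height="300">
<img src="https://tracker.example/open.gif?r=AbC123" width="1" height="1" alt="">
<img src="https://cdn.example/logo.png" width="120" height="40">
<img src="http://tracker.example/beacon.png" style="display:none; width:0;">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL):
        print(finding["host"], finding["reasons"], "query" if finding["has_query"] else "")
```

On the sample message the two `tracker.example` images are reported and the logo and the inline photo are not. The size and style checks are deliberately conservative; a gateway that blocks remote image loading by default removes the signal entirely, and the scanner is then useful mainly for triage of what was already delivered.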

In those cases when a spambot is successfully installed on a new host computer, it can start sending out more emails, most of them phishing attacks or even further propagation of the spambot code through a malware client.

What’s happening technically

According to Plixer’s Pore, once your computer is infected, the spambot starts communicating with a command-and-control center — essentially, a master server for several bots. The master server operates in a way that is surprisingly similar to a real email server. The hacker receives reports from the spambot about success and failure rates. Sometimes, the command center relays additional instructions to the bot about where to send information. Constantly changing that contact information is important, says Pore, because the bot master is trying to evade detection by law enforcement officials and security pros.

All of that back and forth keeps the spambot working, says St Sauver.

“Typically, the bot will function as a proxy that takes in traffic and then pumps that same traffic back out, thereby obfuscating its true origin and attempting to avoid traffic filters that some sites may be using,” he says. “Or it can also be used as a spam ‘factory,’ taking raw inputs — such as message templates, bogus ‘From:’ lines and subjects, and lists of targeted email addresses — to formulate and then send spam messages on the fly.”

Sometimes spambots will discover that they have been blocked from sending spam. But that doesn’t render a spambot useless, St Sauver explains. A spambot that can’t complete its primary mission can still perform some other task, such as traffic spoofing on a website or participating in a denial-of-service attack aimed at crippling a website.
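The bot behaviour Pore and St Sauver describe above, an infected workstation pumping mail straight out to the Internet while reporting to its master, leaves a simple trace in flow or firewall logs: a host that is not the organization's mail relay opening outbound SMTP connections to many distinct destinations. The script below is an added example, not code from the article or from Plixer. The flow records, the relay address, the internal ranges and the threshold are all constructed or assumed for the example.

```python
"""Spot workstation-originated bulk SMTP in flow records.

Added example (not from the article). A spambot sends mail directly from
the infected host, so in netflow or firewall logs it shows up as a
workstation, rather than the mail relay, connecting to many distinct
external SMTP servers. Records, relay address and threshold are
constructed/assumed values for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict

MAIL_PORTS = {25, 465, 587}
# Hosts permitted to speak SMTP to the Internet (assumed value for the example).
ALLOWED_MAIL_SENDERS = {"10.0.0.25"}
# Address space considered internal (assumed: plain RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISTINCT_DEST_THRESHOLD = 5  # assumed; tune to the environment

# Constructed flow log: start_time,src_ip,dst_ip,dst_port,bytes
# 10.0.0.25 is the relay; 10.0.1.17 behaves like a spambot; 10.0.1.42 submits
# mail to the relay as a client should; 10.0.1.58 makes a single direct connection.
FLOW_LOG = """\
start_time,src_ip,dst_ip,dst_port,bytes
2017-10-10T09:00:01,10.0.0.25,198.51.100.10,25,5120
2017-10-10T09:00:02,10.0.0.25,203.0.113.7,25,4096
2017-10-10T09:00:05,10.0.1.17,203.0.113.21,25,812
2017-10-10T09:00:05,10.0.1.17,198.51.100.44,25,790
2017-10-10T09:00:06,10.0.1.17,192.0.2.9,25,801
2017-10-10T09:00:06,10.0.1.17,203.0.113.88,25,799
2017-10-10T09:00:07,10.0.1.17,198.51.100.5,25,815
2017-10-10T09:00:07,10.0.1.17,192.0.2.130,25,803
2017-10-10T09:00:08,10.0.1.17,192.0.2.131,587,803
2017-10-10T09:00:09,10.0.1.42,93.184.216.34,443,20480
2017-10-10T09:00:10,10.0.1.42,10.0.0.25,25,3000
2017-10-10T09:00:11,10.0.1.58,203.0.113.200,25,900
"""


def _is_internal(ip):
    """True if the address lies in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_direct_smtp_senders(log_text, threshold=DISTINCT_DEST_THRESHOLD):
    """Return {src_ip: sorted distinct external SMTP destinations} for internal
    hosts, other than the allowed relays, that reached at least `threshold`
    distinct external mail servers."""
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dst_port"]) not in MAIL_PORTS:
            continue
        src, dst = row["src_ip"], row["dst_ip"]
        if src in ALLOWED_MAIL_SENDERS or not _is_internal(src):
            continue
        if _is_internal(dst):
            continue  # submitting to the internal relay is expected client behaviour
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, targets in find_direct_smtp_senders(FLOW_LOG).items():
        print(f"{host}: {len(targets)} distinct external SMTP destinations")
```

With the default threshold only `10.0.1.17` is reported; with `threshold=1` the single direct connection from `10.0.1.58` is reported too, which is the right setting where policy says workstations never talk SMTP to the Internet at all. Blocking outbound port 25 from everything except the relay at the firewall removes most of the value of this check for the attacker and turns the remaining attempts into a clean alert.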

What you can do about spambots

Unfortunately, spambots do not follow a typical pattern of behavior for long; attack methods are constantly shifting, making it extremely difficult to protect computers from infection. You can update the malware detection software in the enterprise, but spammers are adept at finding ways around this.

Because malware is trying to evade anti-malware techniques, large enterprises have moved to malware sandboxing and endpoint detection-and-response solutions, says Gartner’s Pingree, and they are combining those defenses with URL, domain and IP address blocking and threat-intelligence sharing.

The ever-escalating battle can make the situation sound dire, with security organizations pitted against spambot creators who are as relentless as the phishing scams they produce. But there is some good news. Spambots tend to be poorly coded, according to the experts, and give up easily. If you poke them too much — and update your detection software and endpoint security — they will roll over and die.

Copyright © 2017 IDG Communications, Inc.