While much spam does come from those sources, a new spamming technique is to use ordinary people as unwitting spammers. One such recent attack, Storm Worm, seeks to turn poorly secured PCs into occasional spam servers.
Many users in Europe downloaded Storm Worm early this year when they clicked on an email attachment claiming to contain information about wind storms that ravaged the continent. In the U.S., users were infected when they opened an email with a subject line reading "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel." The email contained an attachment purporting to be a video of the event.
Rootkits, sets of software tools that give an intruder administrator access to a PC, typically hide themselves from end users. The rootkit then provides ongoing access to the system, allowing attackers to install spyware, monitor user keystrokes, or use the compromised computer as part of a spam botnet, which is what Storm Worm does.
Storm Worm's botnet sends out so-called pump-and-dump stock spam: spam used to inflate the price of a stock the spammers own, which they then dump once the price is high enough. Fortunately, Storm Worm appeared to be rushed. It was a fairly primitive rootkit, which standard antivirus scanners can detect.
The user community is lucky in this case. A better designed rootkit can persist long after a signature has been developed for it. "The problem is that people believe they are uninfected. They've kept their security up to date and run their scans, but the rootkit has avoided detection and is working in the background," said Neil MacDonald, VP and fellow at the research firm Gartner.
Rootkits more advanced than Storm Worm make themselves invisible to antivirus scanners, often even disabling them. They also hide themselves from Windows Task Manager, which shows a PC's running processes. The end result is that they are extremely difficult to detect after the initial infection, and an infection can last indefinitely, all without the end user suspecting a thing.
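A process lister such as Task Manager is only as honest as the kernel interface it queries, which is exactly what a rootkit tampers with. The usual defensive response is cross-view detection: obtain the process list by two independent routes and flag anything that appears in one view but not the other. The script below is an added illustration written for this article, not code from the article or from any product it mentions; it assumes a Linux host with /proc mounted and uses Python, because the same principle is easier to show there than on Windows, where the views would be Task Manager's enumeration versus a raw kernel object walk.

```python
"""Cross-view process detection (added example, Linux/procfs).

View 1: the numeric entries under /proc, which is what ps, top and similar
        listers read and what a rootkit that filters directory listings hides.
View 2: ask the kernel about every possible pid with kill(pid, 0), which sends
        no signal but still reports whether the target exists.
A pid that answers the probe but is absent from /proc is a candidate for a
hidden process; a pid listed in /proc that does not answer is a phantom entry.
"""
import os
from typing import Callable, Dict, List, Set


def list_procfs_pids() -> Set[int]:
    """View 1: numeric directory names under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid: int) -> Set[int]:
    """View 2: probe pids 1..max_pid with signal 0 (existence check only)."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists but belongs to another user
        alive.add(pid)
    return alive


def is_thread_of_listed_process(pid: int) -> bool:
    """kill(2) also accepts thread ids, and threads are deliberately left out of
    the /proc directory listing, so a probed id whose Tgid differs from itself
    is a thread of some listed process, not a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False            # no status file at all: genuinely unlisted
    return False


def cross_view(visible: Set[int], probed: Set[int],
               is_thread: Callable[[int], bool] = lambda pid: False) -> Dict[str, List[int]]:
    """Compare the two views. Pure function so it can be checked on constructed data."""
    hidden = sorted(p for p in probed - visible if not is_thread(p))
    phantom = sorted(visible - probed)
    return {"hidden": hidden, "phantom": phantom}


def read_pid_max(default: int = 32768) -> int:
    """Upper bound for the probe; the kernel publishes it in /proc/sys/kernel/pid_max."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    report = cross_view(list_procfs_pids(), probe_pids(read_pid_max()),
                        is_thread_of_listed_process)
    if not report["hidden"] and not report["phantom"]:
        print("both views agree: no unlisted processes found")
    else:
        print("pids alive but missing from /proc:", report["hidden"])
        print("pids listed in /proc but not alive:", report["phantom"])
```

A clean result does not prove the absence of a rootkit, since a kernel-level one can lie to both routes; the check is valuable because many rootkits only filter the cheap, commonly used interface. Probing the full pid_max range (four million on current kernels) takes a few seconds in Python; it is meant to be run as a periodic integrity check, not in a tight loop.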
Attacks as Investments
Rootkits are on the rise because hackers have different goals today. "The motivations of hackers have switched," MacDonald said. "Taking down a million machines for fame and glory isn't the motive anymore. Now it's profit." The goal of attackers today is to use a compromised system over the long haul.
For today's organized cyber-criminals, an infected machine is an investment, and they seek to leverage that investment over time.
Even if you can't see the process running in your Task Manager, wouldn't you notice a system slowdown? Not necessarily. Most users expect performance degradation over time, and attackers are smart about hiding their activities.
One thing many attackers do is target times when usage is low. "Many PCs stay on all the time, so an attacker will schedule activities for late at night," MacDonald said.
Rootkits exploit a key flaw in many operating systems: the fact that standard users are granted administrator privileges. "If end users don't have administrator privileges, the threat is less significant," MacDonald said.
One of the key security improvements in Microsoft Vista is its User Account Control (UAC). "Activities such as surfing the web, sending email, and using productivity applications do not require special privileges, so UAC automatically limits the power of a user's account, even an account with administrative privileges, when doing those activities," said Stephen Toulouse, security program manager at Microsoft.