Spam zombies? They may be alive and kicking on corporate networks

Although the US again tops the league of spam-relaying countries, its position is only part of the story of a problem that just refuses to die.
Written by Toby Wolpe, Contributor

A decade after Microsoft chairman Bill Gates predicted the imminent death of spam, the zombie systems behind the problem are still busy worldwide — and even using corporate networks.

The US again emerges as the top spam-relaying nation in figures from security firm Sophos, 10 years on from Gates' speech to the 2004 World Economic Forum in Davos, when he said the problem would be eradicated within two years.

But America's 14.5 percent share of the total spam volume sent in the final quarter of last year owes more to the country's population size and high connectivity than the presence of individual spammers.

"If there's anything to read into that US figure, it's not that spammers are in the US," said Sophos senior security adviser Paul Ducklin.

"In fact, that is decreasingly likely where they're going to be — at least the overtly criminal spammers — because they might get caught and if they do get caught, the US courts are not to be trifled with when it comes to cybercrime these days.

"So they're probably somewhere else but they're playing fast and free with US networks to distribute that spam."

China comes in second with 8.2 percent by volume, with Russia third on 5.5 percent. However, when ranked by spam volume per person, Belarus, Kuwait and Taiwan occupy the top three slots. The US falls to 27th place by that measure.

"It's 10 times as likely that someone will have a zombie or some malware on their computer in Belarus as in the US and that's something that they and all of us need to get to grips with," Ducklin said.

"Spam is still a serious problem. The reason it matters, even though most of it gets thrown away by a spam filter — or it's just such unreconstructed garbage that we know how to recognise it now and we just click delete — the problem is that it's getting sent in the first place."

If criminals can use a computer to send 100,000 or a million pieces of spam over two months, one at a time, hour by hour in the background without its owner realising, imagine what else they are picking up and stealing from the machine at the same time, Ducklin said.

Estimates put spam volumes at between 50 percent and 80 percent of all emails received worldwide. It is almost never delivered by servers owned and operated by criminals but is sent from malware-infected computers.

"It's become this terribly distributed problem because of botnets and the industrialisation of malware," he said.

Although most spam originates from home users, evidence from recent data breaches demonstrates that remote-control malware inside corporate networks is a significant problem.

"There have been significant botnet instances inside big corporates and some of them have been financial and payment-processing companies," Ducklin said.

He said one of the most common ways for a corporate computer to become botted is still by a user inside a network clicking on a rogue email link or opening an attachment that has evaded filtering.

"We also have this increasing blurring of the boundaries between work and home," he said.

"Even if staff are connecting using a VPN, if crooks have got some control over the operating system, they could do things like taking screenshots of what's in your browser at any moment, which can actually give an amazing picture of what someone is up to at work even over an encrypted link."

If criminals have gained control of a computer inside the firewall that can make email connections and send spam, then that computer can almost certainly also ask simple questions about what the network looks like.

"Even if all the crooks get out of that is: 'There are five printers I can see from here and here are the names, the IP range is like this and my neighbour's computer is called Jim', that information all put together is gold to the crooks and the problem is they don't have to use it themselves," Ducklin said.

"They can collect that data while the bot is doing all its other stuff and just sell it on to the highest bidder on the cyber underground."

The evidence of botnets on corporate networks suggests some firms have yet to operate a successful strategy of defence in depth.

"We've got spam filtering at the boundary. That's important. But then other technologies — such as application control, antivirus, end-point firewalls that can prevent network connections being forged outside the corporate network directly from an individual user's computer — those sorts of technology can help protect as well," he said.

"Spam might get through and it might begin to do its damage but you can stop the side-effects — namely, that it's able to exfiltrate what comes next, whether that's sending an email, or sneaking out a password, or encrypting your hard disk with CryptoLocker and saying: 'Ha ha. Send me three hundred bucks'.

"If you can stop all that happening, then even if the spam makes it through, the chance that it will do any damage is greatly reduced."
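The egress control Ducklin describes, blocking direct outbound SMTP from individual workstations, has a detection counterpart: a workstation that is not the corporate mail relay yet fans out to many external mail servers is the classic signature of a spam zombie. The script below is an added example, not part of the original article or anything Sophos publishes; it assumes a constructed, whitespace-separated egress log and an assumed policy in which only the hosts in MAIL_RELAYS may speak SMTP to the internet.

```python
import ipaddress
from collections import defaultdict

# Constructed sample egress log (not real traffic). Fields:
# timestamp src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
2014-01-21T09:00:01 10.0.5.17 203.0.113.10 25 tcp
2014-01-21T09:00:02 10.0.5.17 198.51.100.22 25 tcp
2014-01-21T09:00:03 10.0.5.17 192.0.2.45 25 tcp
2014-01-21T09:00:04 10.0.1.5 203.0.113.10 25 tcp
2014-01-21T09:00:05 10.0.5.40 93.184.216.34 443 tcp
2014-01-21T09:00:06 10.0.5.17 203.0.113.77 587 tcp
"""

# Assumed policy: only the corporate mail relay may send mail directly.
MAIL_RELAYS = {"10.0.1.5"}
SMTP_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def find_direct_smtp_senders(log_text, min_destinations=2):
    """Return {src_ip: sorted external SMTP destinations} for hosts that are
    not an approved relay and contacted at least min_destinations distinct
    external mail servers. Mail submitted to an internal relay is ignored,
    because that is the expected path for a workstation."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["port"] not in SMTP_PORTS:
            continue
        if rec["src"] in MAIL_RELAYS:
            continue
        if ipaddress.ip_address(rec["dst"]) in INTERNAL_NET:
            continue
        dests[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for src, targets in find_direct_smtp_senders(SAMPLE_LOG).items():
        print(f"suspect spam relay {src}: {len(targets)} external MTAs {targets}")
```

The same host list is what an endpoint firewall rule permitting outbound SMTP only from the relay would log as blocked attempts, so the two controls reinforce each other.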
