Spammers get fussy as zombie army grows

Is your Internet connection actually worth infecting? The Bobax worm tests PCs first to see if they'll be good spam zombies

The Bobax worm, which is less than a week old but has already spawned four variants, is one of the first worms to conduct a bandwidth test on its infected host to see if it is worthy of being used as a spam zombie.

Bobax uses a combination of the Windows vulnerabilities exploited by the Sasser worm and the MSBlast worm. Although Bobax is unlikely to spread very far because larger companies have already applied the relevant Microsoft patches, its behaviour shows that virus writers and professional spammers have taken control of more than enough computers to fulfil their requirements -- and are now able to get fussy about which ones to use.

Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, said that although the Bobax worm infects any vulnerable machine, it has a bandwidth testing utility built in, which is used to help the virus authors decide if the infected machine has a fast enough Internet connection to be worthy of recruitment into their army of zombie spam relays.

The virus performs its bandwidth test by instructing the infected computer to download a large file from a public FTP site. Once it has collected bandwidth statistics, the virus reports them back to its author, who can then put the machine to use as the spammer's bandwidth requirements dictate.
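A defender's heuristic for the behaviour just described, added here as an illustration and not taken from the article or any vendor's product: flag hosts that pull a large file over FTP and shortly afterwards fan out over SMTP to many destinations. The ports, thresholds, time window and flow-record layout are all assumptions, and the flow records are constructed.

```python
"""Heuristic detection of the Bobax-style pattern described above:
a host pulls a large file over FTP (bandwidth test), then starts relaying
mail to many destinations. Flow records here are constructed, not real telemetry.
"""
from collections import defaultdict

FTP_PORTS = {20, 21}               # assumption: FTP control/data ports
SMTP_PORT = 25                     # assumption: relaying shows up as outbound SMTP
LARGE_DOWNLOAD_BYTES = 5_000_000   # assumption: what counts as a "large file"
WINDOW_SECONDS = 3600              # assumption: relaying begins within an hour of the test
MIN_SMTP_DESTS = 10                # assumption: fan-out that looks like relaying


def find_suspect_hosts(flows):
    """Return sorted source hosts with a large FTP pull followed, within the
    window, by outbound SMTP to at least MIN_SMTP_DESTS distinct destinations."""
    ftp_pulls = defaultdict(list)   # src -> timestamps of large FTP downloads
    smtp_flows = defaultdict(list)  # src -> (timestamp, dst) of outbound SMTP
    for f in flows:
        if f["dport"] in FTP_PORTS and f["bytes_in"] >= LARGE_DOWNLOAD_BYTES:
            ftp_pulls[f["src"]].append(f["ts"])
        elif f["dport"] == SMTP_PORT:
            smtp_flows[f["src"]].append((f["ts"], f["dst"]))

    suspects = set()
    for host, pull_times in ftp_pulls.items():
        for t0 in pull_times:
            dests = {dst for ts, dst in smtp_flows[host]
                     if t0 <= ts <= t0 + WINDOW_SECONDS}
            if len(dests) >= MIN_SMTP_DESTS:
                suspects.add(host)
                break
    return sorted(suspects)


def _flow(src, dst, dport, bytes_in, ts):
    return {"src": src, "dst": dst, "dport": dport, "bytes_in": bytes_in, "ts": ts}

# Constructed sample: 10.0.0.5 matches the pattern; 10.0.0.7 only downloads a
# large FTP file; 10.0.0.9 only sends mail (e.g. a legitimate mail server).
SAMPLE_FLOWS = (
    [_flow("10.0.0.5", "203.0.113.10", 21, 20_000_000, 1000)]
    + [_flow("10.0.0.5", f"198.51.100.{i}", 25, 4_000, 1200 + 30 * i) for i in range(12)]
    + [_flow("10.0.0.7", "203.0.113.10", 21, 30_000_000, 1100)]
    + [_flow("10.0.0.9", f"198.51.100.{i}", 25, 4_000, 1300 + 30 * i) for i in range(12)]
)

if __name__ == "__main__":
    print(find_suspect_hosts(SAMPLE_FLOWS))  # → ['10.0.0.5']
```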

"The spammers have so many machines to choose from, they have the luxury of picking only the best of the crop -- the machines with the fastest connections and the widest bandwidth," Hyppönen said.

Graham Cluley, senior technology consultant for antivirus firm Sophos, said that being able to pick the fastest computers with the most bandwidth makes a lot of sense for spammers, and that this behaviour shows they are spoilt for choice when it comes to machines they can exploit.

"It's fantastic being a spammer because you have this wonderful array of computers all around the world to go and infect -- it's not as though they have to battle over a few thousand computers," Cluley said.

F-Secure's Hyppönen said that although Sasser has already forced many people to update their machines, there is a constant stream of vulnerable computers being connected to the Internet.

"If someone buys a brand new computer today and puts it online, it won't have the patches. The first virus it will be infected by will most probably be Bobax," Hyppönen said.