Spam Slayer: Slaying Spam-Spewing Zombie PCs

Tip of the Month

Have you been labeled a spammer? You may be able to find out. First determine your public Internet Protocol (IP) address, the one other mail servers see when your PC sends mail (behind a home router or office gateway it is not the address your PC shows locally), by using a site like WhatIsMyIP.com. Next punch that IP address (or your domain name, for business users) into DNSstuff's Spam Database Lookup site to see a list of antispam companies that recommend blocking your e-mail. Keep in mind that a listing is evidence against the address, not against your particular PC: if other machines share that address, the spam may be coming from one of them.
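What a lookup site does behind the scenes is an ordinary DNS query, and you can run it yourself. The Python below is an added example, not code from this column or from DNSstuff: it builds the query name for a DNS-based blocklist (DNSBL) by writing the address backwards and appending the list's zone, treats an answer inside 127.0.0.0/8 as "listed", and refuses to report "not listed" until the zone passes the self-test RFC 5782 requires of every DNSBL (127.0.0.2 must be listed, 127.0.0.1 must not). The zone name dnsbl.example and the answer table are constructed so the check runs offline; leave the resolver argument out to query a real list over DNS. It goes slightly beyond the tip by handling IPv6 addresses, which are reversed one hex nibble per label.

```python
import ipaddress
import socket

# Constructed blocklist zone for this demonstration. Real DNSBL zones are
# named by their operators; the column does not name one, and the lookup
# site it recommends queries several of them on your behalf.
EXAMPLE_ZONE = "dnsbl.example"


def dnsbl_query_name(ip, zone):
    """Build the name to query: the address written backwards, then the zone.

    RFC 5782: IPv4 reverses the four octets (192.0.2.44 -> 44.2.0.192.zone);
    IPv6 expands to 32 hex digits and reverses them one nibble per label.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the listing code (an address in 127.0.0.0/8) if ip is listed in
    zone, else None. `resolve` maps a name to an A-record string; the default
    does a real DNS query, and the demo below injects a lookup table."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer  # listed; what the last octet means is zone-specific
    return None  # a non-loopback answer means a dead or wildcarded zone, not a listing


def zone_is_sane(zone, resolve=socket.gethostbyname):
    """RFC 5782 self-test to run before believing a 'not listed' answer:
    a working list always lists 127.0.0.2 and never lists 127.0.0.1."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)


def check_address(ip, zone, resolve=socket.gethostbyname):
    """Verdict for one address, with the zone sanity check applied first."""
    if not zone_is_sane(zone, resolve):
        return "zone %s is not answering correctly; result unknown" % zone
    code = dnsbl_lookup(ip, zone, resolve)
    return "listed (%s)" % code if code else "not listed"


def table_resolver(table):
    """Resolver backed by a name -> answer dict, so the check runs offline."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "NXDOMAIN: " + name)
    return resolve


# Constructed answers: the RFC 5782 test entry plus one "listed" address.
DEMO_TABLE = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",
    "44.2.0.192.dnsbl.example": "127.0.0.4",
}


if __name__ == "__main__":
    demo = table_resolver(DEMO_TABLE)
    for ip in ("192.0.2.44", "192.0.2.45"):
        print(ip, "->", check_address(ip, EXAMPLE_ZONE, demo))
```

To check your own address against a real list, call check_address with your public IP and the list's zone and omit the resolver argument; the sanity check matters because a retired zone that answers nothing at all looks exactly like "not listed".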

If you think spam hawking Viagra, pirated Microsoft software, and get-rich-quick schemes is sent by lowlifes and their evil spam-spewing computers, you're wrong. Today, more than 80 percent of all spam worldwide comes from zombie PCs owned by businesses, universities, and average computer owners, says MessageLabs, an e-mail security service provider.

Zombie PCs are computers that have been infected by malicious code that lets spammers send e-mail through them without the owner's knowledge. The use of zombies by spammers and hackers isn't new. But, according to experts, this practice has become increasingly organized and more profitable over the past year.

"A new underground economy is evolving," says Gregg Mastoras, a senior security analyst at the security firm Sophos.

Sophos estimates that about 50 percent of spam currently originates from zombie PCs, a 25 percent increase over the past year. Although Sophos's estimate is lower than MessageLabs's figure, both agree that the growth in zombie activity is alarming.

What's causing the increase? New antispam laws and better spam filters have made it harder to send junk e-mail, so spammers are looking for new and more creative ways to send their messages, Mastoras says. And many of these spammers have found help from what once would have been an unlikely source: hackers and virus writers.

Mastoras says spammers are hiring virus writers and hackers to help them create armies of zombie PCs to send spam. These once-disparate groups are working together, forming their own online axis of evil.

By routing their e-mail messages through zombie computers, spammers avoid spending money on the bandwidth they'd need to send out millions of messages. Using zombies also allows them to hide the origins of their messages, making it more difficult for law enforcement officials to find them, and to sidestep blacklists, since the spam arrives from thousands of ordinary addresses rather than from a handful that can be blocked. These zombie networks are often used to launch denial-of-service attacks as well.

Zombie Hunt

As a test, I traced the origins of some of the worst spam messages I've received over a one-week period to find out whether the messages were likely sent through zombies. As it turns out, many of the messages I received could be traced back to respectable businesses and universities--unwitting pawns in the spam deluge.

For example, I traced an e-mail pitching pirated Microsoft software back to a financial planning firm in Manhattan. There was no obvious way to tell that the message had originated from a computer at the firm. It had a nonfunctioning return e-mail address, and it never mentioned the company in question. But the From line is only what the sender chose to type; every e-mail message also carries Received headers, one added by each mail server that relayed it, recording the IP address of the computer that handed the message over. The header my own provider's server added when it accepted the message is one the spammer could not fake, so I used the IP address recorded there to trace the pitch for pirated software back to a computer at the firm.
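The trace works by reading the message's Received headers from the top down. Each server that relays a message adds one above the others, naming the host that connected to it; the headers your own servers wrote can be trusted, while anything below the point where the message entered your infrastructure was written by the sending machine, or by the spammer, and may be invented. The Python below is an added example, not the column's own method or any particular tool: the sample message, its host names and its IP addresses (drawn from documentation ranges) are constructed, and the set of trusted servers is an assumption you would replace with the names of your own mail servers.

```python
import email
import ipaddress
import re

# Assumption: the names of the recipient's own mail servers. Replace with
# yours; the "by" part of a Received header they wrote can be trusted.
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}

# Constructed sample message (documentation host names and IP ranges).
# The top two Received lines were added by the recipient's servers; the
# second records the hand-off from the outside world and names the machine
# that actually connected. The bottom Received line was written by the
# sending machine itself and cannot be verified.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id ABC123
\tfor <reader@example.net>; Mon, 06 Jun 2005 10:02:11 -0700
Received: from firm-pc17.example.com (unknown [198.51.100.23])
\tby mx1.example.net with SMTP id XYZ789
\tfor <reader@example.net>; Mon, 06 Jun 2005 10:02:09 -0700
Received: from bigsales.example.org (bigsales.example.org [203.0.113.99])
\tby firm-pc17.example.com; Mon, 06 Jun 2005 09:58:00 -0700
From: "Great Deals" <deals@bogus.example>
Reply-To: nobody@bogus.example
To: reader@example.net
Subject: Cheap software!!!

Buy now.
"""

# "from <host> ... by <host>" as written by the receiving server.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+([^\s;]+)")
# The bracketed address the receiving server saw on the TCP connection.
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hops(raw_message):
    """Parse every Received header, newest (closest to the reader) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        a = ADDR_RE.search(text)
        ip = None
        if a:
            try:
                ip = str(ipaddress.ip_address(a.group(1)))
            except ValueError:
                ip = None  # bracketed text that is not an address
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "ip": ip})
    return hops


def trace_origin(raw_message, trusted=TRUSTED_HOSTS):
    """Walk down from the newest hop. The first header written by one of our
    servers about a host that is not ours marks the point of entry, and its
    IP is the machine that connected and delivered the spam. Everything below
    it was written by that machine and is returned separately as unverifiable."""
    hops = received_hops(raw_message)
    for i, hop in enumerate(hops):
        if hop["by"] in trusted and hop["from"] not in trusted:
            return hop["ip"], hops[i + 1:]
    return None, hops


if __name__ == "__main__":
    origin, unverifiable = trace_origin(SAMPLE)
    print("sending machine:", origin)
    for hop in unverifiable:
        print("unverifiable claim below the entry point:", hop)
```

Note that "unknown" in the second hop's parentheses means the receiving server could not find a reverse DNS name for the connecting address; the address itself is still what the TCP connection came from. The bottom hop's 203.0.113.99 is exactly the kind of plausible-looking decoy a spammer inserts to send investigators elsewhere.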

"We would never send spam knowingly," says Jason Keis, a network administrator at that firm.

Keis says the message was sent from one of the 20 PCs he manages. The PC was turned into a zombie when it was left vulnerable for a short period of time during an update of the firm's antivirus software, he says.

Keis's firm was not the only company I found that had fallen victim to a zombie attack. I traced a Viagra pitch to a medical services company in Kansas City, Kansas. A prescription drug offer came from the University of Finance and Economics in Beijing. A nursing home in Ontario, Canada, sent me a get-rich-quick scheme. Each of these messages was sent from a zombie computer, and each contained a forged return address concealing the fact that it had actually been sent by a third-party PC.

Are You a Zombie?

Representatives of the victimized companies that I spoke with hate spam just as much as we all do, and they never thought one of their computers would be used to send junk e-mail. It's likely that someone at each of these companies was tricked into downloading a virus that allowed a hacker to hijack the computer.

Worms such as Bagle, Glieder, and Sobig have been identified as containing malicious code, or malware, that allows remote attackers to take over infected machines. The Glieder worm, for example, directs an infected computer to a Web site to download the Mitglieder Trojan horse. Next, the program disables the PC's firewall and antivirus software and opens a back door, allowing the computer to be controlled remotely by hackers.

Once hackers have gained control over the PC, they can then use the machine to send spam or instruct it to carry out a DoS attack.

De-Zombie Your PC

In May, the U.S. Federal Trade Commission and a number of other government agencies abroad began targeting zombies with a program called "Operation Spam Zombies." To raise the visibility of the problem, the FTC sent letters to about 3000 ISPs urging them to employ protective measures to prevent their customers' computers from being hijacked by spammers.

But you shouldn't rely solely on the FTC. You can reduce your risk by installing a personal firewall and antivirus software, and keeping your copy of Windows up-to-date. If you are concerned that a Trojan horse may have disabled your firewall or antivirus software, launch the programs and make sure they are still running and can still download updates; security software that refuses to start, or that appears to run but can no longer update itself, is a warning sign in its own right.

Symptoms of a zombie PC include a suddenly sluggish broadband connection, excessive hard drive activity, an unresponsive mouse or keyboard, or bounce notifications in your inbox from people you never tried to contact. But these symptoms do not guarantee that your PC is a zombie, and a zombie can show none of them. A more telling sign is your PC opening its own connections to TCP port 25 on mail servers other than your provider's, which is why many ISPs now block that port for home customers.

If you fear your PC is a spam-spewing zombie, refer to my Tip of the Month and check to see whether your computer's IP address has made it onto an antispam blacklist.

Q&A

Q. I've received a chain e-mail urging me to register my cell phone with the FTC's Do Not Call Registry. The e-mail states that cell phone numbers will be released to telemarketers in a matter of weeks. It's pointed out that text messages will also be banned from being sent to my cell phone.

The e-mail links to the legitimate Do Not Call Registry Web site and the toll-free number is the right one for the FTC. Is this e-mail legit?
--Howard

A. The chain e-mail is a hoax, according to the FTC. Most types of telemarketing to cell phones are already prohibited by law, and that isn't going to change anytime soon. There is no harm in submitting your cell phone number to the FTC's Do Not Call Web site. But the FTC points out that if your cell phone is owned by your business, it won't be covered under the registry, because business-to-business communications are exempt from the Do Not Call Registry.

Spam text messages on your cell phone cannot be avoided, according to the FTC. Currently, there is no definitive answer as to whether they can be blocked under the Do Not Call Registry or antispam laws.

The FTC says cell phone numbers are not being released to anyone. It says consumers who do get telemarketing calls on their cell phones likely only have themselves to blame. Most people who receive telemarketing calls have submitted their cell phone number when signing up for something.
