12 Feb 2004
This week Natasha Staley, information security analyst at MessageLabs, considers the sinister and growing trend of spammers and virus writers incorporating each others' tactics.
Spammers are often regarded as a pretty unsophisticated bunch when it comes to technical skills.
Adept at sending hundreds of thousands of unsolicited commercial emails they may be, but they are rarely renowned for using sophisticated techniques in order to facilitate the spread of spam.
Virus writers, on the other hand, are generally thought of as a technically superior group.
Although some of them have only basic IT skills and may even use 'kits' to write viruses, others are experienced programmers capable of producing increasingly complex malicious code.
But the line between spammers and virus writers is becoming blurred as each makes use of tactics typically associated with the other.
As a result we are seeing spam that incorporates methods for harvesting email addresses and bypassing detection, and viruses that manipulate open relay servers and open proxies in order to spread further.
Possibly the most prominent example of convergence is the SoBig family of worms. Each version used a slightly more sophisticated method than the one before, culminating in SoBig.F, the most prolific virus of 2003.
Not only did SoBig.F manage to spread at an exponential rate, it used a Trojan to subtly install open proxies on thousands of machines the world over.
Spammers could then send small volumes of spam through these open proxies before moving on to the next batch. The relatively low amount of activity helps to ensure that no alarm is raised.
Estimates suggest that 60 to 70 per cent of the world's spam is sent through open proxies, indicating that this kind of technique is more widespread than previously thought.
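The low-and-slow relaying described above is exactly what a per-host volume alarm misses: each compromised proxy sends only a handful of messages. An added example (not part of the original column) over constructed hourly flow summaries shows a naive volume rule finding nothing while a simple egress rule, which flags any SMTP traffic not originating from the site's approved mail servers, catches every relaying workstation. The host addresses, threshold and `MAIL_SERVERS` set are assumptions for the demonstration.

```python
"""Spotting spam relayed through unauthorised open proxies on a network.

Constructed example: outbound flow records summarised per hour as
(source host, destination port, connection count). Only hosts in
MAIL_SERVERS should ever originate SMTP. A per-host volume threshold
misses proxies that each send a little; an egress rule that treats any
unapproved SMTP origin as suspicious, regardless of volume, does not."""
from collections import defaultdict

MAIL_SERVERS = {"10.0.0.25"}   # assumed: the site's legitimate mail transfer agents
SMTP_PORT = 25
VOLUME_THRESHOLD = 500         # assumed per-host/hour alarm level of a naive rule

# Constructed hourly flow summaries (not real traffic).
FLOWS = [
    ("10.0.0.25", 25, 4200),   # real mail server: expected SMTP volume
    ("10.0.1.17", 25, 40),     # workstation quietly relaying a small batch of spam
    ("10.0.1.18", 25, 35),     # another compromised host, same pattern
    ("10.0.1.19", 25, 28),
    ("10.0.1.20", 80, 900),    # ordinary web browsing, not SMTP at all
]

def naive_volume_alerts(flows, threshold=VOLUME_THRESHOLD, allowed=MAIL_SERVERS):
    """Per-host volume rule: a non-MTA host is flagged only if its hourly
    SMTP connection count exceeds the threshold. Low-volume relays slip by."""
    totals = defaultdict(int)
    for src, port, count in flows:
        if port == SMTP_PORT and src not in allowed:
            totals[src] += count
    return sorted(host for host, n in totals.items() if n > threshold)

def unauthorised_smtp_origins(flows, allowed=MAIL_SERVERS):
    """Egress rule: any SMTP traffic from a host that is not an approved
    MTA is suspicious whatever its volume. Returns {host: connections} so
    the combined activity of the proxies can be seen in one place."""
    suspects = defaultdict(int)
    for src, port, count in flows:
        if port == SMTP_PORT and src not in allowed:
            suspects[src] += count
    return dict(sorted(suspects.items()))

if __name__ == "__main__":
    print("volume rule flags:", naive_volume_alerts(FLOWS))        # []
    print("egress rule flags:", unauthorised_smtp_origins(FLOWS))  # three hosts
```

In practice the egress rule is enforced at the firewall (block outbound port 25 except from the MTAs) and the flagged hosts are queued for malware clean-up, since an unexpected SMTP origin is a strong sign of a planted proxy.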
There are several reasons why this trend is likely to continue. Neither spam nor viruses show any signs of abating so it is natural to assume that, now their paths have crossed, the perpetrators of each will find more ways of using 'borrowed' techniques to achieve their purposes.
The most compelling reason to believe that this convergence will become one of the dominant IT security themes of 2004 is the fact that it works.
SoBig.G isn't too far away; but I'm willing to bet it will be just one of many pieces of malicious code constructed using convergence.