RATs Use PCs To Relay 1/3 of Spam: Sophos

If you thought the rodent kind of rat was a pest, you ain't seen nothing yet: antispam and antivirus company Sophos says a third of all the spam snaking around cyberspace is relayed through personal computers – perhaps even your own – by way of Remote Access Trojans (RATs).

These programs can take full control of a personal computer as long as it's connected to the Internet, according to Sophos senior technology consultant Graham Cluley, who told CNET the growth of broadband and a lack of basic security awareness have made it possible for a third of the world's spam to be routed through unsuspecting users' computers.

"There are lots of people on cable modems and broadband connections who haven't properly secured their computers," Cluley told CNET. "They don't know it, but their PCs are being used as relays for sending spam to thousands and thousands of other people ... (an attacker) can steal information, read files, write files, send e-mails from that user’s name – it is as though the attacker has broken into the office or home and is sitting in front of that computer."

These attackers are clever enough to cover their cybertracks, making it extremely difficult for a PC user who discovers such an infection to trace them. "It is really just network and Internet bandwidth that is suffering – there is no permanent record left on the PC that you can look up – you wouldn't see anything if you checked your Outlook 'sent items' folder," Cluley told CNET.
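Cluley's point is that a relaying PC leaves nothing in the mail client but plenty on the wire. As an added example (not from the article or from Sophos), the following Python check applies that observation: it parses outbound-connection log lines in a constructed, made-up firewall format and flags hosts with an SMTP fan-out that no ordinary home user produces.

```python
"""Flag hosts whose outbound SMTP fan-out looks like a spam relay.

Added example, not from the article. The log format, thresholds and
sample lines are all constructed for this illustration: each line is
"<unix_ts> <src_ip> -> <dst_ip>:<dst_port> tcp", as a NAT router or
host firewall might record it.
"""
from collections import defaultdict
import re

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) tcp$")

def parse(lines):
    """Yield (ts, src, dst, port) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)

def smtp_relay_suspects(lines, window=600, max_conns=20, max_dsts=10):
    """Return {src: (conns, distinct_dsts)} for each source host that, in
    some window-second span, opened more than max_conns outbound port-25
    connections to more than max_dsts distinct mail servers."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse(lines):
        if port == 25:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1                     # slide the window forward
            span = events[lo:hi + 1]
            dsts = {d for _, d in span}
            if len(span) > max_conns and len(dsts) > max_dsts:
                suspects[src] = (len(span), len(dsts))
                break                       # first tripping window is enough
    return suspects

def build_sample():
    """Constructed log: one normal user, one PC doing direct-to-MX delivery."""
    lines = [f"{1070000000 + i * 60} 192.168.1.20 -> 198.51.100.25:25 tcp"
             for i in range(5)]            # a few mails via the ISP relay
    lines.append("1070000010 192.168.1.20 -> 10.0.0.5:80 tcp")
    lines += [f"{1070000000 + i * 3} 192.168.1.37 -> 203.0.113.{i + 1}:25 tcp"
              for i in range(40)]           # 40 mail servers in two minutes
    return lines

if __name__ == "__main__":
    print(smtp_relay_suspects(build_sample()))
```

The thresholds are deliberately generous: a legitimate client talks to one or two relays, while a spam engine opens connections to dozens of recipients' mail exchangers directly.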

Sophos said on its Website that it has seen a considerable rise in so-called backdoor Trojan horse infections, which open holes in the operating system that allow hackers to plant RATs on infected computers. Among the more prevalent such Trojans of 2003 was Sysbug, which was spammed to thousands posing, like Mimail-L, as a package of erotic encounter photographs.

Trojan horses may well become a more widespread technique for child porn purveyors as well. Earlier this year, in fact, a British man was exonerated of child porn possession charges after he was able to prove – with court- and prosecution-approved technical assistance – that the 14 images in question had been planted onto his computer through a Trojan horse slipped into the machine without his previous knowledge.

Like the anti-spam group Spamhaus Project, Sophos believes there are connections between virus writers and spammers. The detection earlier this week of a new Mimail variant, Mimail-L, has strengthened that view: it disguises itself as an attachment purporting to include erotic imagery and, if activated, sends a follow-up e-mail to the infected user suggesting a child porn CD-ROM will be sent to the user's postal address.

"Anti-spam Websites have been knocked out by these viruses: Why is that? We all suffer from spam. Virus writers are either working with spammers or they are the spammers," Cluley told CNET.

Spamhaus founder Steve Linford told Wired the new Mimail is aiming for more users than the original variants of the worm did. "So many Internet users are flooding us with complaints about these child-porn CDs that we supposedly ordered for them," he told the magazine, adding that he was cooperating with police. SearchSecurity.org quoted Linford as saying the implications of Spamhaus being involved with child porn in any way "is both disturbing and baffling" to him.

"Naturally, each time we are then inundated with complaints from angry users, angry that 'we' are 'going to charge their cards' and angry that we are 'selling child pornography,'" Linford told the Website. "None of the thousands of users who contact us stop to think we're actually an antispam organization that does not sell anything."

The Mimail-L follow-up e-mails are said to tell the user a weekly fee for child porn has been charged to the user's credit card, implying it came from anti-spam groups, and instructing the user to cancel "membership and your CD pack" by sending a message to a Spamhaus e-mail address.

Mimail-A turned up number seven among the top 10 computer viruses of 2003, according to Sophos. By far the number one virus of the year was Sobig-F, accounting for over 19 percent of the virus reports the company received during the year, with Blaster-A a slightly distant second at 15 percent. Nachi-A placed third (8.4 percent), Gibe-F fourth (7.2 percent), Dumaru-A fifth (6.1 percent), Sober-A sixth (5.8 percent), Bugbear-B eighth (3.1 percent), Sobig-E ninth (2.9 percent) and Klez-H tenth (1.6 percent) on the company's reporting surveys.

An e-mail virus, Sobig-F wreaked what Cluley calls an ironic effect: some of the worst damage done by the virus was to spammers. "They found that they could not send their millions of spams as easily because their e-mail gateways were deluged by Sobig traffic," Cluley said in comments included with the Sophos virus survey report. "Microsoft has issued a substantial financial reward for evidence leading to the arrest and conviction of Sobig's author, but we seem to be no closer to identifying him or her."

Blaster wasn't an e-mail worm, but exploited a Microsoft security hole to spread like a California wildfire around cyberspace, which added to Microsoft's embarrassment because the worm's payload included a protest message to Microsoft mastermind Bill Gates.