By Jane Black In June, half of all e-mail was spam -- those annoying unsolicited messages that hawk everything from porn and Viagra to mortgage-refinancing deals and weight-loss patches. But if you think spam is out of control, prepare yourself. It could get a lot worse.
Over the past few months, e-mail security companies have seen mounting evidence that spammers are using virus-writing techniques to assure that their sales pitches get through. At the same time, intrepid virus writers have latched onto spammers' trusty mass-mailing techniques in an effort to wreak widespread digital mayhem. "What we're seeing is the convergence of the spammer and the malicious code writer," says David Perry, global director of education at antivirus company Trend Micro (TMIC).
RELAY STATIONS. Witness the recent spread of a virus known as Webber, which was discovered on July 16. It carried the subject line "Re: Your credit application." Users who opened the attachment downloaded a malicious program that turned a home PC into a so-called open relay server, which allows a third party to send or receive e-mail -- including spam -- remotely from that PC. Spammers are notorious for using open relays to hide their identities. According to British e-mail security company MessageLabs, 70% of spam comes through open relays.
Then there's Sobig.E, a virus that grabs e-mail addresses from several different locations on a PC, including the Windows address book and Internet cache files. Sobig.E then tries to send a copy of itself to each address. It also uses one of the stolen addresses to forge the source of the message, so that it appears to come from someone else. MessageLabs believes Sobig.E is a spammers' virus designed to harvest legitimate e-mail addresses from users' computers.
So far, no concrete evidence shows any home PCs that have been infected by either Webber or Sobig.E have been used to send spam. But experts fear that the two viruses could be "spam zombies," programs that will lie in wait on a PC until called on by the spammer to send out millions of untraceable e-mails.
"I LOVE YOU" MORE. The convergence of spam and malicious code makes sense, says Chris Miller, Symantec's (SMYC) group product manager for enterprise e-mail security. "They have a common goal -- to do what they're doing without being seen," Miller says.
Virus writers and spammers send out their messages from illegitimate e-mail accounts, never from the ISPs where they are registered. It isn't hard to see where the union of these two insidious groups' techniques might lead. Using such weapons as Sobig.E and Webber, spammers can hijack a user's address book, then use the PC to send out hundreds, even thousands, of junk messages.
And virus writers can use mass-mailing techniques to spread malicious code even faster than before. The destructive "I Love You" virus of 2000 was originally sent to a small number of people. Within days it had affected tens of millions of computers and caused damage worth hundreds of millions of dollars. Imagine if, like spam, it had originally been mailed to a half-million computers.
Security experts cite other recent examples of spam-virus convergence:
Key-logger Trojans. In May, 2003, a major food-manufacturing company received a spam e-mail that, when viewed in a preview pane in Microsoft Outlook, showed a message that appeared to be an opportunity to sign up for a newsletter. First, though, the message asked the recipient to verify their e-mail log-on ID and password. That information was collected by the key-logger code and then sent to the spammer, who could then log into the user's e-mail at any time and search for valuable information.
Drive-by downloads. Recent spam sent to a major airline manufacturer led unsuspecting users to Web pages where spying software was secretly downloaded without the user's knowledge. So-called spyware monitors a user's activity on the Internet and transmits that information to someone else, usually an advertiser or online marketer. Spyware can also gather information about e-mail addresses, passwords, and credit-card numbers. Drive-by downloads can be done without either notifying the user or asking permission because many users accept such a download without question, thinking it's a normal function of the Web site.
CALL IT "MALWARE." According to the strictest definitions, key loggers and drive-by downloads aren't viruses, which are programs that replicate themselves. (If you've seen The Matrix Reloaded, think of the way Agent Smith makes infinite copies of himself to try to destroy Keanu Reeves' Neo.) A Trojan is a program that rolls into your computer unannounced, then persuades the computer to launch it through fraud.
As spam and malicious code converge, however, such definitions are becoming less useful. That's why experts like Trend Micro's Perry are now looking at a broader term -- "malware" -- to describe any program with malicious intent. "With traditional hackers, the motivation has always been to prove that you're a rad dude," Perry said in a phone interview from the Las Vegas hacker convention DefCon. "But when we start seeing these techniques used for commercial gain like spam, it's going to get a whole lot more serious." Cybersurfers, beware. Black covers technology for BusinessWeek Online and writes our regular Privacy Matters column