Spam zombies from outer space
April 28, 2006
Spammers could soon use zombie computers in a totally new way. Infected computers could run programs that spy into a person's email, mine it for information, and generate realistic-looking replies.
John Aycock, an assistant professor of computer science at the University of Calgary, and his student Nathan Friess conducted new research that shows it is possible to create a new type of spam that would likely bypass even the best spam filters and trick experienced computer users who would normally delete suspicious email messages.
There are two key reasons why spam is suspicious to anti-spam filters and human targets alike. First, it often comes from an unrecognized source. Second, it doesn't look right.
The evolution of spam zombies will change this. These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.
The next generation of spam could be sent from your friends' and colleagues' email addresses – and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalization, and personal signatures) – making you more likely to click on a Web link or open an attachment.
What features can be easily extracted from an email corpus? There are four categories:
1. Email addresses. The victim's email address and any other email aliases they have can be extracted, as can the email addresses of people with whom the victim corresponds.
2. Information related to the victim's email program and its configuration. For example, the User-Agent, the message encoding as text and/or HTML, automatically-appended signature file, the quoting style used for replies and forwarded messages, etc.
3. Vocabulary. The normal vocabulary used by the victim and the people with whom they correspond.
4. Email style.
• Line length, as some people never break lines;
• Capitalization, or lack thereof;
• Manually-added signatures, often the victim's name;
• Abbreviations, e.g., "u" for "you";
• Misspellings and typos;
• Inappropriate synonyms, e.g., "there" instead of "their";
• Replying above or below quoted text in replies.
Such a specific, targeted approach has previously been viewed as too complex to be worth spammers' efforts. But Aycock and Friess tested one part of this hypothetical new approach, showing that it is not only possible but relatively easy to automatically generate this new type of spam.
Aycock and Friess used two pools of email – one which they generated manually and another that came from publicly available Enron databases that were released after the company's collapse.
A computer program mined the data in both email pools, finding statistically significant patterns of abbreviation, capitalization and signatures. A second program used these patterns to automatically transform a standard, one-line spam message into convincing, individualized replies.
Incoming message from Tim Boss, as received on the infected machine:
When you get this message, I’m expecting a reply. Please reply to me as soon as possible.
The Big Manager
Intended spam message:
I just talked with [NAME] and you should take a quick look at http://some.bad/url
The generator was able to create a reply to Tim Boss with the text below:
Tim Boss wrote:
>When you get this message, I’m expecting a reply. Please
>reply to me as soon as possible.
>The Big Manager
I just talked with Rick CoWorker and u should
take a quick look at http://some.bad/url
The Big Corporation
The deception can be further extended if the malware doesn't generate a reply when the victim is actively using the infected computer, because the victim may actually be replying to the email.
Malware can also avoid sending email at unusual times. As with other features, a victim's email corpus can be mined to determine those times when they usually respond to email. This also contributes to making the spam look more normal.
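The feature categories listed above, and the sending-time habits just described, can be turned into a per-account profile. The following is an added example written for this page, not code from Aycock and Friess or from the article. It builds such a profile from a constructed corpus of sent mail (contacts, capitalization habit, abbreviations, manually added signature, link domains, usual sending hours) and then scores a candidate outbound message against the profile. The defensive point is that a forged reply can copy the account's abbreviations and signature, yet a link domain the account has never sent, or a sending hour the user never writes at, still departs from the profile and can be flagged by an outbound mail check. Every message, name, address, URL and the abbreviation seed list below is constructed.

```python
"""
Added example (not the Aycock/Friess code): build a style profile from sent
mail and flag an outbound message that departs from it.
"""
from collections import Counter
from datetime import datetime
import re

# Assumption: a small seed list of informal abbreviations to count.
ABBREVIATIONS = {"u", "ur", "thx", "pls", "btw"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z']+")

# Constructed Sent-folder corpus for a fictional user "dana".  In a real
# deployment this would be read from the account's own sent mail.
CORPUS = [
    {"sent": datetime(2006, 4, 3, 9, 12), "to": "tim.boss@example.com",
     "body": "hi tim,\n\nthx for the update, u can send the slides friday.\n\n- dana"},
    {"sent": datetime(2006, 4, 4, 10, 40), "to": "rick.coworker@example.com",
     "body": "rick,\n\n> can you review the draft?\nsure, will do it today. btw the\n"
             "intranet copy is at http://intranet.example.com/draft\n\n- dana"},
    {"sent": datetime(2006, 4, 5, 14, 5), "to": "tim.boss@example.com",
     "body": "ok, u have my notes. pls ping me if anything is missing.\n\n- dana"},
]

# Constructed candidates: a reply modelled on the article's forged example,
# and a genuine note in the account's usual style.
FORGED = {
    "sent": datetime(2006, 4, 6, 3, 0), "to": "tim.boss@example.com",
    "body": ("> When you get this message, I'm expecting a reply.\n"
             "i just talked with rick and u should\n"
             "take a quick look at http://some.bad/url\n"
             "The Big Corporation"),
}
GENUINE = {
    "sent": datetime(2006, 4, 6, 9, 30), "to": "tim.boss@example.com",
    "body": "tim,\n\nu have the final version now, thx.\n\n- dana",
}


def own_lines(body):
    """Return the sender's own lines: quoted ('>') lines and blanks are dropped
    so that only the account holder's words are measured."""
    return [ln for ln in body.splitlines()
            if ln.strip() and not ln.lstrip().startswith(">")]


def build_profile(corpus):
    """Extract the feature categories the article lists from sent mail."""
    lower_lines = total_lines = 0
    abbrevs, signatures, hours = Counter(), Counter(), Counter()
    contacts, domains = set(), set()
    for msg in corpus:
        lines = own_lines(msg["body"])
        text = "\n".join(lines)
        total_lines += len(lines)
        lower_lines += sum(1 for ln in lines if ln == ln.lower())
        abbrevs.update(w for w in WORD_RE.findall(text.lower()) if w in ABBREVIATIONS)
        if lines:
            signatures[lines[-1].strip()] += 1      # manually added closing line
        hours[msg["sent"].hour] += 1                 # when the user actually writes
        contacts.add(msg["to"].lower())
        domains.update(d.lower() for d in URL_RE.findall(text))
    return {
        "lowercase_ratio": lower_lines / total_lines if total_lines else 0.0,
        "abbreviations": abbrevs,
        "signature": signatures.most_common(1)[0][0] if signatures else "",
        "active_hours": set(hours),
        "contacts": contacts,
        "link_domains": domains,
    }


def score_outbound(profile, msg):
    """Return reasons a candidate outbound message departs from the profile;
    an empty list means nothing stood out."""
    lines = own_lines(msg["body"])
    text = "\n".join(lines)
    reasons = []
    if msg["sent"].hour not in profile["active_hours"]:
        reasons.append("sent at hour %02d, outside the account's usual sending hours"
                       % msg["sent"].hour)
    if msg["to"].lower() not in profile["contacts"]:
        reasons.append("recipient %s never seen in sent mail" % msg["to"])
    for domain in URL_RE.findall(text):
        if domain.lower() not in profile["link_domains"]:
            reasons.append("link to unseen domain %s" % domain)
    if lines and profile["signature"] and lines[-1].strip() != profile["signature"]:
        reasons.append("closing line %r differs from usual signature %r"
                       % (lines[-1].strip(), profile["signature"]))
    lower = sum(1 for ln in lines if ln == ln.lower()) / len(lines) if lines else 0.0
    if abs(lower - profile["lowercase_ratio"]) > 0.5:
        reasons.append("capitalization habit differs from profile")
    return reasons


if __name__ == "__main__":
    prof = build_profile(CORPUS)
    print("genuine:", score_outbound(prof, GENUINE))
    print("forged: ", score_outbound(prof, FORGED))
```

Run as a script it prints an empty list for the genuine note and three reasons for the forged reply (odd hour, unseen link domain, unfamiliar closing line). Note that the capitalization check does not fire on the forged message, which is exactly the article's point: surface style is cheap to copy, so the checks worth keeping are the ones tied to things the forger has to change (the link) or cannot easily observe (whether the user is really at the keyboard).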
The new approach hasn't been used by spammers yet, but Aycock says it's only a matter of time before they begin to exploit resources already at their fingertips.
"All the pieces are in place right now," he says. "Spammers are using zombie networks, spammers have access to email accounts, spammers know that spam filters are catching most of their messages. They're looking for ways around those defenses. Also, data mining has been used for a long time by lots of people. And what we're talking about is very simple data mining. At some point, the other shoe has to drop."
Aycock and Friess will present these findings, along with some new solutions, on April 30 at the 15th annual conference of the European Institute for Computer Anti-Virus Research, being held in Hamburg, Germany. The aim of the research is to raise awareness of the potential threat so that anti-spam software can be written that anticipates spammers' next moves and protects business and personal computers.