IT Security Blog

I've mentioned before that I think PDF spam is here to stay, but I'd also like to present a counterpoint to my own argument so that I can say that I have looked at both sides of this coin.

The primary reason that PDF spam might not last as a delivery mechanism is that it is terribly inconvenient for the end user. Everyone has heard it by now:

"Don't open attachments from people that you don't know"

"Don't open attachments from people that you do know if you weren't expecting what they sent"

Blah Blah.

Image spam was uniquely annoying in that the image rendered itself directly within the body of the email message. If you opened the message (and didn't have images blocked by default) you were automatically presented with whatever advertisement accompanied it. No fuss. No muss. In order for a user to view the content of PDF Spam they have to consciously double click the attachment within their email client.

Clearly, despite advice to the contrary, people are still opening whatever attachments come into their inbox otherwise this tactic for both spam and malware distribution wouldn't still be so popular. If the purpose of PDF spam is to get the user to take action, however they need to make the delivery of the content as convenient as possible. Forcing the user to open the attachment flies in the face of that paradigm. Besides that, it generally takes between 15 and 30 seconds just for Acrobat Reader to open! I barely even care what the content is after that amount of time, much less have any desire to act on it!

So then why PDF spam to begin with? Because it worked! Will it stick around? I still think it will, but in order to continue to be viable the tactic will need to become much more refined.

I am speaking more specifically about an article that caught my attention this morning. If you don't want to read the article, he is essentially waving the banner saying that spam email should be filtered using a method called "challenge-response." The way that this method works is like this:

Someone who hasn't previously emailed you sends you a message (typically a good start :) ). If they haven't emailed you previously, the challenge-response server sends an email back to the sender and usually requires some sort of action to verify that the sender was a person and not, for example, a bot. This is the "challenge." If the challenge is "responded to" then the message is delivered to the original recipient.

To those completely uneducated about spam filtering and email traffic this might sound like a good idea at a very high level. Let's briefly go into a couple of reasons why it is not:

-- It contributes to the spam problem.

Say for example a message sent from a bot is intended for your inbox. The challenge-response server will send a challenge back to a likely invalid original sending address. This message will then generate a bounce when it is intended to be delivered to the purported sender. Generating two messages to attempt to deliver one doesn't help the spam problem and clearly doesn't reduce email traffic.

-- It can prevent legitimate mail from being delivered.

I'll ignore the case for a moment where I personally (and I know of many others) who refuse to acknowledge these challenges based on principle alone. Let's take the example of when you sign up for a legitimate industry newsletter via some web site. As good senders do, they make an attempt to confirm your opt-in status by sending you an email with instructions to confirm your subscription. Oops! This confirmation is being sent by an automated system, not a person. So, when the confirmation email is received, the challenge is sent back to a mailbox that nobody reads. So, the challenge is never answered, your subscription is never confirmed, and you never get the newsletter that you tried to subscribe to.

There are some other flaws with the report as well with regards to scoring false negatives (missed spam messages) as being a worse offense than a false positive (legitimate messages identified as spam) which only further proves that the author doesn't understand anti-spam, but for the sake of brevity, I won't go into that right now.

Before any detractors state that I am only writing this because he made a negative comment about MX Logic, I'm not. I came to grips a long time ago with the fact that we cannot please all of the people all of the time. I also realize that Robert Westervelt (the author of the article linked to at the start of this entry) didn't write the report that he references in his story. However he did write about it as if it is a reputable publication, which makes him culpable.

If you are interested, there is another blog entry about the subject here which also goes into some more detail.

Obviously, there are many different ways to skin a cat, fight spam, whatever, but can we please stop promoting anti-spam methods that actually contribute to making the product worse? That's all I ask!

Although there are no known active exploits for this vulnerability, just wait. As we already talked about here it was only a matter of time before these vulnerabilities were made public and a short time after that before we had little armies of iBots dotting the Apple landscape.

My question is: What took them so long?

I honestly expected this type of story to come out within a week of the initial release of the phone (yes, I am somewhat ignoring David Maynor's allegations that he had already found bugs for the iPhone prior to its release. He certainly may have done so, but he has basically been radio silent since). I certainly have nothing against Apple or their products (I own an iPod myself and use it every day), but I have to admit that there is a part of me that is hopeful that some of the fallacy that you are "invulnerable to malware" if you own a Mac finally starts to wane in light of some of these latest findings.

I was actually hoping to get this out a little bit sooner, but things have been so hectic around here as we work out algorithms and fingerprints to stop what started to be a huge flood of PDF spam on Wednesday that I haven't had much time to sit down and collect my thoughts. I really do appreciate Martin Hack from the Hack Report and Cameron Sturdevant from eWeek for taking time out of their schedules to speak with me and write up some of our conversations in their blogs.

We originally started talking about PDF Based Image Spam back on July 2nd and its prevalence since then has greatly increased.

On Wednesday (July 18th) we saw spam traffic numbers increase by about 25% as we saw a flood of new PDF spam hitting our system. This was different than the PDF spam that we had been seeing to date which was usually contained an image. This new variant was essentially a text based spam message pasted into the body of a PDF.

The first page of the PDF was generally some kind of stock pump and dump scam. Subsequent pages (ranging from 3-10 additional pages) were your typical "word salad" that we see at the bottom of many spam messages that attempt to throw off spam filters still using naive Bayes filtering.

This is not likely to be a tactic that sticks around because there are already many tools that exist that will convert PDF files to text to allow other anti-spam engines to execute against these messages much more easily. The proof of concept here was that many filters have not yet deployed this type of functionality, and as such the messages were getting delivered to the inbox.

Even over the past couple of weeks since we started talking about PDF based spam (which actually originally started back in 2004, but never really caught on) we have already seen the technique start to evolve and traffic volumes dramatically increase. The message is clear though that PDF spam is here to stay!

Anyway, I thought I would be remiss without taking a few minutes to discuss some of my thoughts from this conference.

The first FTC Spam Summit took place in 2003 in the same location that thisyear's conference did; in the FTC Satellite Building in DC. I wasn't at the previous conference, but apparently a couple of folks almost got into a fist fight. Anything to make it more exciting, I guess. Nothing like that this time around though.

My first impression as I looked around the room (which was smaller than I had anticipated) was that it appeared that the event was not very well publicized. The only place that I had actively heard the conference mentioned was by Sana Coleman Chriss of the FTC (obviously she had a vested interest) at the AOTA Conference in Boston in April. In speaking with some other people they had also heard Sana announce the Summit at a local DC conference within the two weeks leading up to the event. That isn't to say that there wasn't an active push towards getting the word out on this conference. I just hadn't seen it, and I think those results showed in the attendance.

My second observation was that industry attendance was quite low. Some of the usual suspects that I see at most industry events such as MAAWG and the like were there, and some of those folks also participated in panel discussions. Overall though I expected a better industry presence to spur some better dialog.

There were a few items of note that I thought were worthy of mention here:

-- One particularly well known spammer was on the first panel discussion of the conference. I am not quite sure I understand what the reasoning was behind this, but I waffled between feelings of amusement and confusion. I felt amused because I was almost wondering whether or not his participation on the panel was a move by the FTC akin to starting any speech off with a joke. I felt similarly confused because I was trying to figure out what his goal was by sitting on this panel. He sat there talking about the challenges facing legitimate email marketers. Although I can certainly sympathize with the plight of legitimate email marketers, I failed to see how he was the most appropriate representative to discuss the issue.

-- The other item that caught my attention was the use of compromised web servers to send out spam. Why a compromised web server? Many web applications today utilize email as a vehicle for communication (transactional receipts, confirmation of opt-in, etc). As such, these web servers generally have permission from the corporate MTA to channel mail through. This has the potential to cause serious issues for legitimate MTAs that sit next to compromised web servers which are turned into bots and is a potential threat worth watching!

-- I didn't write down who noted this statistic but it was reported by a panelist that 15-20% of new phishing attacks every month are against targets that hadn't been targetted previously. This illustrates a trend that has been spoken about here as well as being reported across the industry of spammers shifting their tactics toward smaller targets.

-- According to an FBI survey of 639 companies (no mention was made as to the size of these organizations), 80% had experienced losses as a result of cyber crime. The total loss sustained by those companies was approximately $130M. The highest of which was $42M by one company.

Overall, I felt that the conference was a productive meeting, but there was neither enough representation by the industry nor the government in order for it to generate any significant, ground breaking takeaways. I certainly applaud the FTC for putting on this conference and hope that they do so again. As widely known and understood as the problem is, it was somewhat telling to me by the smaller attendance numbers that there is only a select few who really want to take strides to do something about it.

This new variant is another in a line of Storm worms that we have seen since the early part of the year. There was one new twist with this new variant and a moderate re-use of an old Storm worm tactic.

As with the original Storm worm variants, it used current events as a lure to get someone to open the message. In this case, the worm used a number of July 4th related subject lines like "Happy 4th July", "Happy Birthday America", "Your Nations [sic] Birthday." Once opened, the message contained an invitation for the user to view an ecard that was sent to them purportedly by a number of different people (friends, family members, etc). Unfortunately, the only celebration to be had if the link was clicked on was by the person or people behind the scam as you happily download malware onto your PC which will turn your machine into a spambot to further propagate the worm.

So, the new twist (at least as far as the Storm worm is concerned) that I alluded to earlier is the use of a link to direct the user to downloading the malware off of an external site as opposed to an executable file attached to the message that we had seen by most of the preceding Storm Worm variants. This is a growing trend that we are seeing lately not only in the proliferation of malware, but also with image spam where the content delivery is being done remotely as opposed to attaching the payload directly to the message itself.

Traffic associated with this new Storm Worm variant has been very high since it originally started coming in on Tuesday morning. At its peak email associated with this worm accounted for 1 in 13 messages being processed by the MX Logic Threat Center. Compare this with some of the most prolific worms that we have seen such as Sober.N (1 in 7 messages from May, 2005) and Sobig.F (1 in 12 from August, 2003) and this one ranks right up there. Due to the short term relevance of this variant though (centered around a specific holiday event), it isn't likely to have any staying power, however machines that are infected can and likely will be used as vehicles for delivery of future variants of this worm.

We are now seeing the next wave of this where the image is being embedded within a PDF file. Although PDF based spam is not new (it originally reared its head back in 2004, but never caught on).

This is an interesting new tactic because even utilities that exist which convert PDF files to text would not help in these situations because those tools would not perform OCR functions on the image (OCR tools on image spam have been largely useless for about a year now anyway).

No stats yet on volume numbers associated with this new tactic, but we'll be collecting those and I will make those available in the coming weeks.

The iPhones went on sale Friday, June 29th, and most retailers either sold out of them pretty quickly or were pretty close to sold out. From most reports that I read, the 8GB model for $599 flew off of the shelves pretty quickly and the places that still had any models had the 4GB model which sells for $499.

I had blogged previously about how long it would take for the first iBots to start popping up. Although this is a phish and does not turn your machine into a bot, iPhone scams are already out there and as long as availability remains scarce, expect similar scams to keep popping up. Whether or not iPhones continue to be a target for scammers and hackers over the long haul remains to be seen, but they are expected to only obtain about a 1% share of the mobile phone market and be popular mostly amongst the techies and Apple Fan Boys.