Computerworld

M86 lab traces botnet threats — from Auckland

Tracelabs claims success in botnet wars
  • Rob O'Neill
  • 17 February, 2010 22:00

Since reestablishing its Auckland Tracelabs in 2006, the M86 team has been rebuilding the company’s antispam knowledge and IP, says lead security researcher Phil Hay, who heads the local team.

While much effort still goes into blocking unwanted mail, the role of an antispam lab has changed in the era of botnets. Such spam is now mainly about delivering malware, so the lab has set about trying to understand such networks, Hay says.

And that is where the M86 team is claiming success. The Tracelabs team says it is the first group of researchers to prove that 80 to 90 percent of spam is produced by just a handful of botnets.

“The real big professional boys are inundating everybody,” Hay says.

The M86 lab pushed into the botnet area because it felt the development was not well understood in the wider community. A side benefit was innovations in the company’s products, particularly a technology called SpamBot Censor.

M86 rates SpamBot Censor among MailMarshal’s most significant capabilities. While M86’s IP Reputation Service blocks incoming spam based on the reputation of the sending IP address, SpamBot Censor identifies and blocks bot-based spam.

M86 built a layer into MailMarshal that looks for a particular trait of a botnet within the spam that they send, Hay explains.

At the lab, honeypots are used to trap spam and to extract the URLs it carries. These URLs are then combined with other URL feeds and used in WebMarshal and 8e6.

Marshal and 8e6 merged in November 2008.

Hay says emerging threats are what could loosely be called blog spam. Spam is now taking advantage of Twitter and the APIs of other social networking services that link into it, he says.

Photo: Phil Hay, centre, and the Tracelabs team

“The biggest issue is the volume of malware. It’s all about stealth these days — not about deleting your hard drive.”

Malware aims to steal data, send more spam and stay on a user’s system without being detected, he says.

Now most threats come in the form of “blended threats”, which use social engineering in email messages to encourage users to click on URLs that deliver malware. Traditional defences do not protect organisations from such attacks.

Polymorphic viruses that change as they spread, together with the wide array of threats out there, mean no single technology is capable of protecting users, Hay says.

While security researchers compete at the business level, there is a lot of cooperation at the technical level, he says.

The local lab has three staff and feeds its work up to another M86 lab in Orange County, California. From there it goes into the company’s MailMarshal and WebMarshal products.

Hay’s advice to users: keep your operating system and antivirus software up to date — and your plug-ins too.

Update

M86's latest Security Labs Report, released this week, details a massive increase in spam volumes and recent vulnerabilities in applications including Adobe products and attacks via social networking sites such as Twitter.

Researchers analyse more than seven million email messages every day looking for patterns and emerging trends and correlate this data with web exploit and vulnerability research.

One of the major attack vectors now is shortened URLs. The report finds a surge in attacks through social networking sites such as Twitter because of the increased use of such shortened URLs. These have become a favourite tool of attackers because they not only make it easier to obscure malicious links, but also exploit end users’ trust through social engineering.
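To make the honeypot-to-URL-feed step described earlier concrete, and to show how shortened URLs can be singled out in such a feed, here is an added Python example. It is not M86’s code and does not describe how SpamBot Censor or WebMarshal work internally; the sample spam messages, the shortener domain list and the external URL feed are all constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample: two messages of the kind a spam honeypot would capture.
SAMPLE_SPAM = [
    "From: promo@example.test\nSubject: your package\n"
    "Content-Type: text/plain\n\n"
    "Track it here http://bit.ly/xyz123 or http://shop.example.test/deal\n",
    "From: news@example.test\nSubject: photos\n"
    "Content-Type: text/html\n\n"
    "<html><body><a href=\"https://tinyurl.com/abc9\">see</a> "
    "http://shop.example.test/deal</body></html>\n",
]

# Assumed (constructed) shortener domains and an assumed external URL feed.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}
EXTERNAL_FEED = {"http://shop.example.test/deal", "http://other.example.test/x"}

# Stops at whitespace, quotes and angle brackets so HTML attributes are cut cleanly.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(raw_message):
    """Return every http(s) URL found in the text/* parts of one raw message."""
    msg = message_from_string(raw_message)
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        urls.update(u.rstrip(".,;)") for u in URL_RE.findall(body))
    return urls


def build_feed(messages, feed=EXTERNAL_FEED, shorteners=SHORTENER_DOMAINS):
    """Merge honeypot URLs with an external feed; flag shortened URLs,
    which hide their real destination and need sandboxed expansion
    before they can be rated or blocked."""
    merged = set(feed)
    for raw in messages:
        merged |= extract_urls(raw)
    shortened = {u for u in merged if urlsplit(u).hostname in shorteners}
    return merged, shortened


if __name__ == "__main__":
    merged, shortened = build_feed(SAMPLE_SPAM)
    print(len(merged), "feed entries;", len(shortened), "need expansion")
```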

Zero-day application vulnerabilities, such as those in Internet Explorer and Adobe products, are becoming just as prevalent as those seen in the operating systems themselves as hackers take advantage of such application vulnerabilities, M86 says. Adobe PDFs are a major attack vector here.

Spam remains a popular conduit for the distribution of malware, phishing and other scams by cyber criminals. The volume of malicious spam has dramatically increased, reaching three billion messages per day, compared to 600 million messages per day in the first half of 2009, M86 says.