Aug 2, 3:09 am (UTC-7)   |   by Ryan Flores (Advanced Threats Researcher)

This entry from McAfee got me thinking about how spammers keep refining their techniques to get spam past the various anti-spam scanners.


Originally, spam consisted only of text strings advertising a particular product or web site. Bayesian filtering was applied to score e-mail messages by the words they contained, flagging those full of words commonly found in spam. This method stopped most of the spam, so spammers got a little smarter and included dozens of common, innocuous words (normally at the end of the spam message) to poison the Bayesian filters: the extra "hammy" words dilute the score contributed by the spam words and let the message through. Security vendors countered by including the e-mail subject in their filtering.


The spammers got a little smarter again and generated random e-mail subjects unrelated to the product being advertised. By this time, security vendors had begun to approach the spam problem through a combination of techniques such as hash filtering, string matching, and network/sender reputation blacklists.
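To make the two moves above concrete, here is an added example (not code from the original post) of a minimal multinomial naive Bayes filter, trained on a constructed toy corpus of four spam and four ham messages, scoring a short pharmacy pitch before and after a tail of innocuous words is appended (Bayesian poisoning). It also scores the subject and body as separate fields, one simple way of "including the subject" so that a padded body cannot dilute a spammy subject, and shows why a random, ham-looking subject sidesteps that. All message texts and the fielded-scoring rule are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed toy corpus (not from the original post). Real filters train on
# thousands of messages, but the mechanics are identical.
SPAM_TRAIN = [
    "cheap viagra pills buy now online pharmacy",
    "buy cheap watches replica rolex online now",
    "online casino bonus win money now",
    "cheap pills online buy now",
]
HAM_TRAIN = [
    "meeting tomorrow about the quarterly report",
    "please review the attached report before the meeting",
    "thanks for the update see you at lunch tomorrow",
    "the project schedule for the quarter is attached",
]


def tokens(text):
    """Lower-case word tokens; punctuation and digits are ignored."""
    return re.findall(r"[a-z]+", text.lower())


class BayesFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self, spam, ham, alpha=1.0):
        self.alpha = alpha
        self.spam_counts = Counter(t for m in spam for t in tokens(m))
        self.ham_counts = Counter(t for m in ham for t in tokens(m))
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        n = len(spam) + len(ham)
        self.log_prior_spam = math.log(len(spam) / n)
        self.log_prior_ham = math.log(len(ham) / n)

    def _log_likelihood(self, counts, total, tok):
        # Smoothed P(token | class); unseen tokens get alpha / (total + alpha*V)
        return math.log((counts[tok] + self.alpha) /
                        (total + self.alpha * self.vocab_size))

    def spam_probability(self, text):
        """P(spam | text): every token's evidence is summed in log space,
        which is exactly why appending many ham words drags the score down."""
        log_spam = self.log_prior_spam
        log_ham = self.log_prior_ham
        for tok in tokens(text):
            log_spam += self._log_likelihood(self.spam_counts, self.spam_total, tok)
            log_ham += self._log_likelihood(self.ham_counts, self.ham_total, tok)
        # logistic of the log-odds; clamp so very long messages cannot overflow exp()
        return 1.0 / (1.0 + math.exp(min(log_ham - log_spam, 700.0)))

    def spam_probability_fielded(self, subject, body):
        """Assumed countermeasure: score subject and body separately and keep
        the spammier result, so padding the body cannot hide a spammy subject."""
        return max(self.spam_probability(subject), self.spam_probability(body))


FILTER = BayesFilter(SPAM_TRAIN, HAM_TRAIN)

SPAM_BODY = "cheap pills buy now online"
# Bayesian poisoning: the same pitch with a tail of innocuous words appended.
POISON_TAIL = ("the meeting report is attached for review tomorrow "
               "the project schedule for the quarter")
POISONED_BODY = SPAM_BODY + " " + POISON_TAIL

if __name__ == "__main__":
    print("plain spam body:                 %.4f" % FILTER.spam_probability(SPAM_BODY))
    print("poisoned body:                   %.4f" % FILTER.spam_probability(POISONED_BODY))
    print("poisoned body, spammy subject:   %.4f" %
          FILTER.spam_probability_fielded("cheap pills online now", POISONED_BODY))
    print("poisoned body, random subject:   %.4f" %
          FILTER.spam_probability_fielded("re the meeting schedule", POISONED_BODY))
```

On this corpus the plain pitch scores above 0.99, the poisoned copy drops below 0.01, scoring the spammy subject separately pulls it back above 0.99, and a random ham-looking subject ("re the meeting schedule") drops the fielded score back under 0.05, which is precisely the spammers' next move described above.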


Again, spammers took the next step by using images instead of text to defeat hash filtering and string matching. Spammers also use malware-infected computers (such as those infected with NUWAR, Trend Micro's detection name for the Storm worm) to send spam from thousands of otherwise clean addresses, defeating network/sender reputation filtering. The Excel, PDF, and RAR-archive spam are just the next generation of anti-anti-spam techniques spammers discovered they can use to avoid detection.


This catch-me-if-you-can game is eerily similar to the development of anti-anti-virus techniques used by malware writers.

When scanners began detecting viruses by static signatures, virus authors employed polymorphism (encrypting the virus body and varying the decryptor in every copy) so that no fixed byte pattern identified the virus, making anti-virus detection a lot harder and pushing scanners toward heuristics and emulation.

The same goes for file-based malware such as bots and Trojans. Detection rates for ordinary bots and Trojans became really good, so malware authors began to employ packers. At first they commonly used UPX to pack their malware, but as the UPX packer became increasingly supported by anti-virus scanners (which learned to unpack it and scan the original code underneath), malware authors moved to a variety of packers, usually applied in several layers, to avoid detection. The battle does not end there: as anti-virus scanners are updated to support new packers, malware authors are using combinations of binders, packers, and cryptors to avoid detection.
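The packer arms race in miniature, as an added example that is not code from the original post: a scanner that looks for a fixed byte-string signature, a "packer" (zlib compression stands in for a real packer here, an assumption for illustration), a byte-entropy heuristic of the kind scanners use to flag packed or encrypted files they cannot unpack, and a scanner that peels a bounded number of packer layers before scanning. The signature string and the text-like payload are constructed for the example.

```python
import math
import random
import zlib
from collections import Counter

# Constructed stand-in for a detection signature (not a real one).
SIGNATURE = b"EVIL-BOT-COMMAND-CHANNEL"


def make_payload(seed=1234, nwords=4000):
    """Constructed low-entropy, text-like 'malware body' containing SIGNATURE."""
    rng = random.Random(seed)
    words = ["config", "server", "update", "connect", "send", "recv", "user",
             "password", "windows", "system", "registry", "startup", "bot",
             "command", "channel", "timer", "sleep", "retry", "socket", "host"]
    body = " ".join(rng.choice(words) for _ in range(nwords)).encode()
    half = len(body) // 2
    return body[:half] + SIGNATURE + body[half:]


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty/constant, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pack(data, layers=1):
    """Stand-in packer: zlib compression, optionally applied several times."""
    for _ in range(layers):
        data = zlib.compress(data, 9)
    return data


def string_scan(data):
    """The classic string-matching check: does the signature appear verbatim?"""
    return SIGNATURE in data


def looks_packed(data, threshold=7.0):
    """Entropy heuristic: compressed/encrypted bytes sit near 8 bits per byte,
    while code and text sit well below. The threshold is an assumption."""
    return entropy(data) >= threshold


def try_unpack(data):
    """'Packer support': recognise our stand-in packer and recover the payload."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def scan(data, max_layers=0):
    """Scan, unpacking at most max_layers layers of the supported packer.
    Returns (verdict, layers_removed) where verdict is 'detected',
    'packed-unknown' (high entropy the scanner could not unpack) or 'clean'."""
    layers = 0
    while True:
        if string_scan(data):
            return ("detected", layers)
        if layers >= max_layers:
            break
        inner = try_unpack(data)
        if inner is None:
            break
        data = inner
        layers += 1
    return ("packed-unknown" if looks_packed(data) else "clean", layers)


if __name__ == "__main__":
    payload = make_payload()
    for name, sample in [("plain", payload), ("packed x1", pack(payload, 1)),
                         ("packed x2", pack(payload, 2))]:
        print("%-9s entropy=%.2f  no-unpack=%s  1-layer=%s  3-layer=%s" % (
            name, entropy(sample), scan(sample, 0), scan(sample, 1), scan(sample, 3)))
```

The plain payload is caught by the string match alone; one layer of packing hides the string but lights up the entropy heuristic; a scanner that "supports" the packer catches it again; and a second layer defeats that scanner until it is taught to peel layers recursively, which is why the unpacking depth is bounded rather than unlimited.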


The cycle goes on and on: the good guys (that's us) create new technologies to defeat the bad guys (the malware authors), and the bad guys retaliate with yet another technology to defeat the good guys' weapons. Apparently, escalation is the name of the game. As Inspector James Gordon told Batman in Batman Begins, "We start carrying semi-automatics, they buy automatics. We start wearing Kevlar, they buy armor-piercing rounds." The same holds true in this cyber-war between security vendors and the malware authors.




© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice