If your PCs are hijacked and turned into zombies for
spammers, your company could find itself blacklisted and your
communications blocked, says Pete Simpson.
Spam is driving IT departments crazy. Unsolicited e-mail
wastes network and storage resources, steals staff time and diverts
IT resources to managing defences and poring over quarantine
lists.
Spam zombies are PCs and servers that have been hijacked to send
out spam. Lots of spam. Much of the early press on this new threat
has focused on the home PC user, the so-called "soft underbelly" of
the internet. But if home PCs account for two-thirds of spam, the
remaining third must come from PCs that live in businesses or
government offices - the zombie in pin-stripes.
Thousands of businesses are acting as free distribution centres for
spammers and helping to cover their tracks. It is a bitter irony.
As businesses spend thousands of pounds trying to kill spam, many
are blindly sending it out by the million.
It happens all too easily. A business user receives an innocent
looking e-mail and opens the attachment. A Trojan horse invisibly
installs itself on the user's PC and sends a message to a remote
master, announcing a new, wide open "back door" and seeking further
instructions.
These instructions can include a virus or a keystroke logger that
steals sensitive information. Alternatively, it might simply turn
the host PC into a spam server, further spreading spam, viruses and
malicious code.
Corporate resources are probably the most prized by spammers
because zombies on a corporate high-speed connection are
particularly dangerous.
Analyst firm IDC estimated that 56% of Europe's PCs are in
businesses rather than homes. Although these tend to be better
defended than the typical home PC with its "always on" broadband
connection, they are still far from immune to the zombie
threat.
As spam zombies work invisibly, some companies might be tempted to
look the other way. But most companies see spam as a serious enemy
and are loath to play a part in distributing it.
Not only do zombies take up bandwidth, they can also cause the
company to be blacklisted by spam-watching organisations.
Being blacklisted means the company will not be able to send out
any e-mail at all - a crippling blow to most businesses. Getting
removed from the blacklists can take hours or even days.
There is a lot a business can do to protect itself against zombie
attacks and to identify and remove the zombies already
inside.
The basic firewall and intrusion detection defences are clearly not
enough - e-mail passes through firewalls. Web ports on firewalls
are handy conduits for code that turns PCs into zombies.
Anti-virus and anti-spam packages will catch threats if they are
updated religiously, but even these leave holes wide open for the
new generation of malware.
The key to prevention is a multi-layered defence that includes a
blend of anti-spam and anti-virus and crucially, security that can
stop malicious code even before filters have been updated.
It is also important for IT to monitor e-mail and web traffic to
look for telltale signs of active zombies, such as dramatically
increased traffic from a single PC and outgoing e-mails that do not
come from known mail servers.
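As an added illustration of those two telltale signs (not code from the article or from Clearswift), the following Python sweeps a constructed outbound connection log for desktops making direct SMTP connections and for one host whose connection count dwarfs its peers. The log lines, the 10.0.0.x addresses, the known mail server and the surge factor are all assumptions.

```python
"""Flag hosts showing the two zombie signs named above: outgoing mail that does
not come from a known mail server, and a sudden surge of traffic from one PC.
Input is a constructed firewall/flow log, one line per outbound connection."""
from collections import Counter, defaultdict

# Constructed sample log, format "timestamp src_ip dst_ip dst_port" (not a real capture).
_BASE = [
    "2005-01-10T09:00:01 10.0.0.5 192.0.2.10 25",    # legitimate relay by the mail server
    "2005-01-10T09:00:02 10.0.0.5 192.0.2.11 25",
    "2005-01-10T09:00:05 10.0.0.17 198.51.100.3 80",  # ordinary web browsing
    "2005-01-10T09:00:06 10.0.0.17 198.51.100.3 443",
    "2005-01-10T09:00:07 10.0.0.23 198.51.100.9 80",
]
# A desktop (10.0.0.42) suddenly opening direct SMTP sessions to many outside hosts.
_BURST = [f"2005-01-10T09:01:{i:02d} 10.0.0.42 203.0.113.{i} 25" for i in range(1, 13)]
SAMPLE_LOG = "\n".join(_BASE + _BURST) + "\n"
KNOWN_MAIL_SERVERS = {"10.0.0.5"}  # assumed: the company's only legitimate outbound MTA

def parse_log(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # malformed line: ignore it rather than abort the whole sweep
        yield parts[1], parts[2], int(parts[3])

def find_zombie_candidates(text, known_mail_servers, surge_factor=5.0):
    """Return {src_ip: [reasons]} for every host matching either telltale sign."""
    conns = list(parse_log(text))
    per_host = Counter(src for src, _, _ in conns)
    smtp_per_host = Counter(src for src, _, port in conns if port == 25)
    reasons = defaultdict(list)
    # Sign 1: outbound SMTP (TCP 25) from anything that is not a known mail server.
    for src, n in smtp_per_host.items():
        if src not in known_mail_servers:
            reasons[src].append(f"{n} outbound SMTP connections from a non-mail-server host")
    # Sign 2: one PC's traffic dwarfing its peers (mail servers excluded: busy by design).
    desktops = {h: n for h, n in per_host.items() if h not in known_mail_servers}
    if len(desktops) > 1:
        for src, n in desktops.items():
            others = sorted(m for h, m in desktops.items() if h != src)
            typical = others[len(others) // 2]  # median connection count of the other hosts
            if n >= surge_factor * typical:
                reasons[src].append(f"{n} connections vs. typical {typical} for peer hosts")
    return dict(reasons)

if __name__ == "__main__":
    for host, why in find_zombie_candidates(SAMPLE_LOG, KNOWN_MAIL_SERVERS).items():
        print(host, "->", "; ".join(why))
```

On the constructed log only 10.0.0.42 is reported, on both counts; the mail server's own SMTP traffic is expected and is not flagged.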
We can all do our part to defend against them and to root them out.
If your company is not part of the solution, it is part of the
problem.
Pete Simpson is Threatlab manager at Clearswift