Scary Storm figure

This study of the Storm worm (via) contains this rather terrifying factoid:

Figure 12 illustrates a time-volume graph of TCP packets, SMTP packets, spam messages, and SMTP servers. Our analysis of this graph reveals the following findings. First, we find that except for the first 5 minutes almost all the TCP communication is dominated by spam. Second, we measured that hosts generate on average 100 successful spam messages per five minutes, which translates to 1200 spam messages per hour or 28,800 messages per day. If we multiply this by the estimated size for the Storm network (which we suspect varies between 1 million and 5 million), we derive that the total number of spam messages that could be generated by Storm is somewhere between 28 billion and 140 billion per day.

While such numbers might be mind-boggling they are in line with observed spam volumes in the Internet, e.g., overall volume of spam messages in the Internet per day in 2006 was estimated to be around 140 billion [2]; Spamhaus claims to have been blocking over 50 billion spam messages per day in October 2006 [10], and AOL was blocking 1.5 billion spam messages per day in its network in June 2006 [5]. These numbers suggest that Storm could be responsible for anywhere between 17% and 50% of all spam that is generated on the Internet.

28 to 140 billion messages per day. That is a lot of spam.

Minor nitpick with the paper — it notes that

Storm retrieves emails found in [certain] files and gathers information about possible hosts, users, and mailing lists that are referenced in these files. In particular, it looks for strings like “yahoo.com”, “gmail.com”, “[email protected]”, “f-secur”, “news”, “update”, “[email protected]”, “[email protected]”, “[email protected]”, “feste”, “[email protected]”, “[email protected]”, “[email protected]”, “[email protected]”, “[email protected]”, “kasp”, “admin”, “icrosoft”, “support”, “ntivi”, “unix”, “bsd”, “linux”, “listserv”, “certific”, “sopho”, “@foo”, “@iana”, “free-av”, “@messagelab”, “winzip”, “google”, “winrar”, “samples” , “abuse”, “panda”, “cafee”, “spam”, “pgp”, “@avp.” , “noreply” , “local”, “[email protected]”, and “[email protected]”.

I would postulate that those strings are a stoplist — that in fact the worm avoids sending spam to addresses containing those strings. The presence of “abuse” and “postmaster” in particular would suggest that.
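The stoplist reading above, as an added example that is not part of the original post or of the paper: a harvester that pulls address-like strings out of file content and then drops any address containing one of the stoplist substrings, which is what the worm would need if the list really is a "do not spam" filter. The stoplist used here is the subset of the paper's list that survives on this page in plain form (the entries rendered as "[email protected]" above are obfuscated and are omitted), plus "postmaster" as mentioned in the post; the sample file content is constructed. One detail worth noting: with a plain case-sensitive substring test, truncated entries such as "icrosoft" and "ntivi" match both the capitalised and the lower-case spelling, which is what you would expect from a simple substring matcher rather than a case-folded one.

```python
import re

# Stoplist substrings: the plain-text subset of the paper's string list as it
# appears on this page, plus "postmaster" from the post. The obfuscated
# "[email protected]" entries cannot be recovered and are left out.
STOPLIST = [
    "abuse", "postmaster", "spam", "noreply", "support", "admin", "certific",
    "pgp", "kasp", "sopho", "panda", "cafee", "icrosoft", "ntivi", "free-av",
    "@messagelab", "@avp.", "@iana", "@foo", "listserv", "local", "samples",
]

# Loose address pattern, deliberately forgiving: a harvester wants recall.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of the kind of file content the worm would scan.
SAMPLE_FILE = """\
From: Alice Example <alice@example.org>
Cc: bob.jones@mail.example.net, abuse@example.org, postmaster@example.org
Vendor contacts: research@kaspersky.example, info@sophos.example, helpdesk@Microsoft.example
List: dev-list@listserv.example.edu  noreply@example.com
Plain: carol@example.com
"""


def harvest(text):
    """Extract unique address-like strings from a blob of file content,
    preserving first-seen order."""
    seen = []
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0)
        if addr not in seen:
            seen.append(addr)
    return seen


def stoplist_hit(addr, stoplist=STOPLIST):
    """Return the first stoplist substring found in addr, or None.

    Matching is a plain, case-sensitive substring test over the whole address
    (local part and domain). Truncated entries like "icrosoft" and "ntivi"
    therefore cover both "Microsoft"/"microsoft" and "Antivirus"/"antivirus"
    without any case folding.
    """
    for s in stoplist:
        if s in addr:
            return s
    return None


def filter_targets(text, stoplist=STOPLIST):
    """Split harvested addresses into spam targets and stoplisted addresses.

    Returns (kept, dropped) where kept is a list of addresses that survive
    the stoplist and dropped maps each rejected address to the substring
    that rejected it.
    """
    kept, dropped = [], {}
    for addr in harvest(text):
        hit = stoplist_hit(addr, stoplist)
        if hit is None:
            kept.append(addr)
        else:
            dropped[addr] = hit
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_targets(SAMPLE_FILE)
    print("targets:")
    for addr in kept:
        print("  ", addr)
    print("skipped (stoplist match):")
    for addr, hit in dropped.items():
        print("  ", addr, "<-", repr(hit))
```

Run against the sample, the three ordinary user addresses survive while abuse@, postmaster@, the antivirus-vendor contacts, the list server and the noreply address are all skipped, each tagged with the substring that caught it. Note that "local" would also catch anything at localhost, which fits the "don't waste time on unattended boxes" reading.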


4 Comments

  1. Posted October 11, 2007 at 16:27 | Permalink

    Why would they stoplist yahoo and gmail though Justin? Seems odd. There’s certainly plenty of spam hitting my gmail a/c; although it could of course be coming from another source.

    Any thoughts on how we stop something like storm, bar finding the people responsible and putting a gun to their head?

    adam

  2. Posted October 11, 2007 at 18:00 | Permalink

    ‘Why would they stoplist yahoo and gmail though Justin? Seems odd. There’s certainly plenty of spam hitting my gmail a/c; although it could of course be coming from another source.’

    hmm. Good point.

    Maybe the gmail/yahoo strings are used for a different purpose…. I agree, stoplisting them doesn’t make much sense. Maybe they activate GMail-specific custom code in the SMTP sender.

    ‘Any thoughts on how we stop something like storm, bar finding the people responsible and putting a gun to their head?’

    Yeah, it’s tricky; if the author is in Russia, there’s little hope of law enforcement bothering to lift a finger about it in the next few years. The only alternative I can see is for ISPs to further filter and restrict the abilities of end-user-oriented broadband, in order to block malware-emitted traffic.

  3. Posted October 11, 2007 at 18:43 | Permalink

    Be honest with you, I’ve never had a problem with that. I can understand why sysops would be pissed off with restrictions of their abilities, but it wouldn’t be all that hard to provide an opt-out mechanism for those people anyway. Firewall the fork out of ’em, that’s what I say. If they’re stupid enough to click on these things, they probably won’t even notice anyway.

    adam

  4. Posted October 12, 2007 at 07:31 | Permalink

    The presence of “abuse” and “postmaster” in particular would suggest that.

    You’d think so, but I get anywhere from 2-7 spams to “abuse” every day. It seems like an obvious address to skip, since I’d expect a spammer (or virus writer) wouldn’t want to bring itself to the attention of the people most likely to block and/or go after them.

    Back on the topic, I’d guess that some of the strings are a blacklist — don’t send yourself to the antivirus researchers, don’t waste time with auto-responders or unattended boxes — but some, like yahoo.com and gmail.com, might be an effort to detect simply-obfuscated addresses, like ‘bob at example.com’. Basically, look for a domain with lots of email accounts, then look at the words nearby for possible usernames.