MoMusings

Thursday 7th September, 2006


Developments in Spam and Spamming

Filed under: All, Scams, Spam

Quite a number of people have asked me why they are suddenly seeing spam, or more spam than they are used to. To answer this I decided to put together this blog entry to explain why more spam appears to be turning up on our computers, and how these messages bypass the anti-spam tools and filters most companies have in place. I covered a number of the tricks and techniques in a presentation I gave back in July. For those that saw the presentation this can be considered an update.

I have covered spam on this blog a number of times and, to be honest, apart from the constantly increasing volume and the ever-changing subject matter, not much has changed in the way that spam is created. It has predominantly been either plain ASCII text or HTML, sometimes disguised with encoding or other obfuscation techniques in an attempt to fool anti-spam tools and bypass filters.

However, since the spammers moved to sending nearly all their spam via botnets (it is believed that over 80 percent of all spam is now sent via bots and botnets), other new techniques have been seen. This blog entry discusses some of these new techniques and why the spammers are using them.

Graphical Spam
This was the first major change made by the spammers: instead of using images only for pictures, they rendered the whole spam message as a single image. They believed this would fool or bypass anti-spam filters, since a text-based filter has nothing to read. To improve the likelihood of the message getting through, they often also included random text, or text copied from news articles and even books, in the body of the e-mail to dilute the statistical signal that content filters rely on. You can see an example of this type of spam message below:

A larger version of this screenshot can be found here.

The next step was to add random dots to the graphical spam. This means you can no longer filter graphical spam out by checksum or hash value, even as a temporary fix, because the checksum or hash is different every time the spammers produce an image with a new microdot pattern or position. If you look carefully at the example above you may notice little black dots where this technique has been used.

This type of graphical spam using micro-dots is allowing spam to bypass many anti-spam tools, which is why many people are seeing more spam than they did before. However, this is not the end of the spammers' development cycle. Next they decided to animate them…
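To show concretely why a few random dots defeat hash-based blocking, here is an added example (written for this page, not code from the original post). It builds a constructed 64x64 stand-in for an image spam, sprinkles random black pixels on two separate "sendings" of it, and compares a whole-file SHA-256 with a coarse block-brightness fingerprint. The image, the dot count and the fingerprint scheme are all my own assumptions for the demonstration.

```python
import hashlib
import random

WIDTH, HEIGHT = 64, 64   # constructed image size
BLOCK = 8                # block size for the coarse fingerprint


def render_spam_image():
    """Constructed stand-in for a graphical spam: a white canvas with a
    black band where the 'text' would be. Pixels are 0 (black)..255 (white)."""
    img = [[255] * WIDTH for _ in range(HEIGHT)]
    for y in range(16, 32):          # band rows 16..31: exactly two 8-pixel blocks high
        for x in range(8, 56):       # band cols 8..55: exactly six 8-pixel blocks wide
            img[y][x] = 0
    return img


def add_microdots(img, count, rng):
    """Spammer-side step: sprinkle `count` random black pixels over a copy."""
    out = [row[:] for row in img]
    for _ in range(count):
        out[rng.randrange(HEIGHT)][rng.randrange(WIDTH)] = 0
    return out


def to_pgm(img):
    """Serialise as binary PGM so we hash the bytes a filter would see on the wire."""
    header = f"P5 {WIDTH} {HEIGHT} 255\n".encode()
    return header + bytes(v for row in img for v in row)


def exact_hash(img):
    """The naive signature: SHA-256 over the whole file."""
    return hashlib.sha256(to_pgm(img)).hexdigest()


def coarse_fingerprint(img):
    """One bit per 8x8 block: 1 if the block's mean brightness is at least 128.
    Even if all twenty dots land in one white block its mean is still
    (44*255)/64, about 175, so the threshold is never crossed and the
    fingerprint survives the dots."""
    bits = []
    for by in range(0, HEIGHT, BLOCK):
        for bx in range(0, WIDTH, BLOCK):
            total = sum(img[y][x]
                        for y in range(by, by + BLOCK)
                        for x in range(bx, bx + BLOCK))
            bits.append("1" if total / (BLOCK * BLOCK) >= 128 else "0")
    return "".join(bits)


def compare_signatures(seed=1, dots=20):
    """Produce two 'sendings' of the same spam with fresh dot patterns and
    report which signature still matches across them."""
    rng = random.Random(seed)
    clean = render_spam_image()
    first = add_microdots(clean, dots, rng)
    second = add_microdots(clean, dots, rng)
    return {
        "exact_hash_matches": exact_hash(first) == exact_hash(second),
        "coarse_fingerprint_matches": (coarse_fingerprint(first)
                                       == coarse_fingerprint(second)
                                       == coarse_fingerprint(clean)),
    }


if __name__ == "__main__":
    print(compare_signatures())
```

The exact hash changes with every dot pattern, so a blocklist of hashes is stale the moment it is built; the block-level fingerprint is unchanged because a handful of dots cannot move an 8x8 block's average brightness across the threshold. A real filter would use a proper perceptual hash rather than this toy, but the principle is the same.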

Animated GIF Spam
So, why do the spammers want to use animated GIFs for spam? I mentioned above that the spammers are increasingly using microdots to make hashing or checksumming techniques for detecting graphical spam almost useless; the drawback for them is that the dots make the spam look messy. To solve this the spammers moved the microdots into a separate frame of an animated GIF, or in some cases more than one frame, placed before and after the clean and tidy graphical spam image. To make this work well the microdot frames are set to display for only a fraction of a second, so the recipient sees a clean image while the file, and hence its hash, is still different every time. You can see an example of this type below:

I have modified the above animated GIF to allow you to see the other frames which contain the microdots or other graphical data. This animated GIF originally only animated once, I have changed it to animate forever.

Subliminal Spam
The next step taken by the spammers was to think “Well we are now using animated gifs, why not use the microdot frames another way? How about we put subliminal messages in them?” So that’s what they did. You can see a modified example below:

I have modified the above animated GIF to allow you to see the other frames which contain the subliminal message data. This GIF animates forever, all I have done is change the interval that the so-called subliminal data shows.
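The animated-GIF trick in this section and the previous one leaves a fingerprint in the file's timing data: a frame shown for a few hundredths of a second next to one held for seconds, in a file that loops once. The following Python is an added example (mine, not from the original post) that walks a GIF's block structure without decoding the pixels, pulls out each frame's delay and the NETSCAPE loop count, and applies a simple flicker heuristic. The sample GIF is constructed in the script (1x1 pixel, minimal LZW stream), and the threshold values in looks_like_flicker_spam are my assumptions.

```python
import struct

NETSCAPE_ID = b"NETSCAPE2.0"


def parse_gif_timing(data):
    """Walk the GIF block structure (no pixel decoding) and return
    {"delays": [per-frame delay in 1/100 s], "loops": loop count or None}.
    A loop count of 0 in the NETSCAPE extension means 'repeat forever'."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))

    def skip_subblocks(p):
        while True:
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    delays, loops, pending_delay = [], None, 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer
            break
        if block == 0x21:                   # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:               # graphic control: size(4) packed delay(2) transp
                pending_delay = struct.unpack_from("<H", data, pos + 2)[0]
            elif label == 0xFF and data[pos + 1:pos + 12] == NETSCAPE_ID:
                loops = struct.unpack_from("<H", data, pos + 14)[0]
            pos = skip_subblocks(pos)
        elif block == 0x2C:                 # image descriptor: one frame
            ipacked = struct.unpack_from("<HHHHB", data, pos)[4]
            pos += 9
            if ipacked & 0x80:              # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                        # LZW minimum code size
            pos = skip_subblocks(pos)
            delays.append(pending_delay)
            pending_delay = 0
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return {"delays": delays, "loops": loops}


def looks_like_flicker_spam(timing, flash_max=5, hold_min=100):
    """Heuristic (my assumption, not a published rule): at least one frame is
    shown for under flash_max/100 s while another is held for hold_min/100 s
    or longer. Ordinary animations rarely mix sub-50 ms flashes with
    second-long holds; the GIFs described above do exactly that."""
    delays = timing["delays"]
    return len(delays) >= 2 and min(delays) < flash_max and max(delays) >= hold_min


def build_animated_gif(delays, loops=1):
    """Constructed 1x1-pixel animated GIF with one frame per delay value.
    Each frame's pixel data is the minimal valid LZW stream (clear, index 0, end)."""
    gif = bytearray(b"GIF89a")
    gif += struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)          # 1x1, 2-entry global palette
    gif += bytes([0, 0, 0, 255, 255, 255])                   # palette: black, white
    gif += b"\x21\xff\x0b" + NETSCAPE_ID + b"\x03\x01" + struct.pack("<H", loops) + b"\x00"
    for delay in delays:
        gif += b"\x21\xf9\x04\x00" + struct.pack("<H", delay) + b"\x00\x00"
        gif += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
        gif += b"\x02\x02\x44\x01\x00"
    gif += b"\x3b"
    return bytes(gif)


if __name__ == "__main__":
    # A dots frame flashed for 20 ms, the tidy image held for 5 s, dots again.
    sample = build_animated_gif([2, 500, 2], loops=1)
    print(parse_gif_timing(sample), looks_like_flicker_spam(parse_gif_timing(sample)))
```

Because the walker only skips data sub-blocks, it is cheap enough to run on every inbound image at the gateway, and it is exactly the metadata a viewer reads, so the spammer cannot hide the flash frames from it without also hiding them from the recipient's screen.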

Please note these are not only spam but also what is known as ‘pump-and-dump’ stock scams. Do not act on the stock tips the spammers supply: unless you are very quick and manage to sell the stock you buy before they dump theirs, you will end up losing a lot of money.
Don’t do it.

These types of scams are now being investigated and I expect that at least a few of those responsible will start to get arrested, charged, tried, and then sent to prison where they belong.

Word Document Spam
The next change appeared a couple of weeks ago. All of a sudden I started getting lots of e-mails with Word documents attached. These came attached to e-mails with subject lines like:

  • Hospital Office Billing Update #57769
  • Confirm amount of charges fro Claim #86774
  • Filed under your account via Claim #91023
  • Records confirmation. See claim #94801
  • Your receipt for Statement #95775
  • Billing Update, Form #33128
  • Billing Summary - Invoice #62633
  • …and so on…

They also only contained a single line of ASCII text urging me to open the attachment to check certain details.

To say I was suspicious of these e-mails is an understatement. These Word documents may have contained malware or used one of the many recent known vulnerabilities in Word, so I only opened them in OpenOffice, and only then after I had tested them against numerous anti-virus and anti-spyware tools. What did I find?

Well, you can see for yourself, nothing malicious, no exploit code, no dangerous embedded files, scripts or links, only Spam!

Here is a second example of Word document based Spam.

The use of Word documents as a method of sending out spam is both interesting and worrying; interesting in that the spammers seem to be trying out file formats which they believe will allow them to bypass anti-spam tools and get their message through to you. To counter the move to graphical spam we are probably going to have to use anti-spam tools that use OCR [Optical Character Recognition] to extract the text from the image and then analyse it as before. As for the move to Word documents, we may have to update anti-spam tools to use content filtering and/or file extension filtering, much as we already do for dealing with malware. Checking what an attachment actually contains, rather than trusting its name, matters here, because a renamed file defeats an extension-only rule.
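As an added illustration of the content and extension filtering suggested above (my own example, not code from the original post), the following Python uses the standard library email package to scan a message for the pattern described in this section: a billing-style subject line with a number, a one-line body, and a Word attachment. The extension list, the OLE2 magic bytes check and the subject regex are assumptions I have made for the example; the sample message is constructed in the script.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Signatures (my assumptions for this example, not rules from the original post).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # legacy .doc/.xls/.ppt container header
BLOCKED_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}
# Subject lines of the kind listed above: a billing word, then a '#' and a number.
LURE_SUBJECT = re.compile(
    r"\b(claim|invoice|statement|billing|form|update)\b[^#]{0,20}#\s*\d{4,6}", re.I)


def build_sample_message(subject, filename, payload):
    """Constructed message in the shape described above: one line of text
    urging the reader to open the attachment, plus the attachment itself."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "you@example.net"
    msg["Subject"] = subject
    msg.set_content("Please open the attached document to confirm the details.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def scan_message(raw):
    """Return (verdict, reasons). The extension rule, the content (magic-byte)
    rule and the subject-line lure are evaluated independently, so renaming
    a .doc to .txt still trips the content rule."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("lure-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked-extension:{name}")
        if data.startswith(OLE2_MAGIC):
            reasons.append(f"ole2-content:{name}")
    # The subject alone is only a signal; an attachment hit is what quarantines.
    verdict = "quarantine" if any(r.startswith(("blocked-", "ole2-")) for r in reasons) else "deliver"
    return verdict, reasons


if __name__ == "__main__":
    doc = OLE2_MAGIC + b"\x00" * 64      # constructed stand-in for a .doc body
    print(scan_message(build_sample_message("Billing Update, Form #33128", "statement.doc", doc)))
    print(scan_message(build_sample_message("Records confirmation", "statement.txt", doc)))
```

The second call shows the point of the content rule: the same bytes with a .txt name pass the extension check but are still caught by the OLE2 header. In a real deployment the quarantine action would hand the file to the anti-virus and document scanners, since, as noted above, the same container can just as easily carry an exploit as a stock tip.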

So what’s next from the spammers?
Unfortunately, we are seeing a similar ‘arms race’ in the spam and anti-spam arena to the one we have been living with in the malware and anti-malware arena for the last two decades. You can bet that we will see other file formats being used by spammers, and we may also see them start to use these file formats not only to get their spam through our defences but also, I fear, to drop malware/spyware onto unsuspecting users’ systems. We may also see the spammers start to use exploit code to infiltrate systems and turn them into spam relays, or to install keyloggers to steal financial or other personal or commercial data.

Hold on tight, I think we are in for a bumpy ride! Anyone got any good recipes for Spam, apart from Spam fritters? ;-)


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

The URI to TrackBack this entry is: http://momusings.blogsome.com/2006/09/07/developments-in-spam-and-spamming/trackback/
