(New Scientist) The latest variant of a six-month-old virus called Mimail appears to be used as a double-pronged spammer’s tool, says a victim of the attack, the anti-spam company Spamhaus. The virus is both forcing infected computers to attack anti-spam websites and harvesting email addresses.
Dave Linford, who runs Spamhaus, believes W32.Mimail.D embodies a worrying new trend, with spammers increasingly using computer viruses to increase the stealth and efficiency of their work.
“The spammers think computer viruses are the best thing since sliced bread,” he told New Scientist. Previously, most virus writers were teenagers whose only aim was to create online havoc. Now computer viruses have moved into the hands of spammers with commercial aims, Linford says.
Paul Wood of MessageLabs, a UK-based spam and virus filtering service, thinks that a spam team is “definitely behind” the latest Mimail release. But Graham Cluley, of Sophos, another spam and virus filter company, is more cautious: “At this stage we can’t say for sure that it is a spammer – it’s almost too obvious.”
Denial of service
W32.Mimail.D first surfaced on Saturday and has a dual purpose. It uses the computers it infects to try to crash anti-spam websites such as Spamhaus.org and Spews.org by bombarding them with requests, a malicious technique known as a Distributed Denial of Service attack (DDOS). It also attempts to harvest email addresses that could be used as spam targets in future.
The new variant invades users’ PCs through an email attachment entitled “don’t be late!”. If the attachment is opened, the virus converts the computer into a web server and begins the DDOS attack.
The virus also rifles through any email accounts hosted on the computer, emails itself to all the addresses that it finds, and sends the addresses back to a controller for future use.
Viruses can also be used to turn computers into “zombies” that the spammer controls and uses to send out spam. This technique makes it very difficult to trace the spam back to the original sender and can vastly increase the volume of spam sent.
The virus has not succeeded in bringing down the Spamhaus website, mainly because the company recently installed a new defensive technology called an anti-DDOS box, similar to a firewall.
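The distributed flood described above, in which many infected machines each send a modest stream of requests, is what an anti-DDOS box looks for. As an added illustration (not code from the article, Spamhaus or any vendor), the script below counts requests per minute and per client IP over constructed web-server log lines and flags only windows where the rate jumps and the traffic is spread across many sources, which separates a botnet flood from a single aggressive client. The IP addresses, timestamps and thresholds are constructed for the example.

```python
"""Flag a distributed request flood in web-server access logs.

Added, constructed example (not from the article or Spamhaus): buckets
requests per minute and per client IP and flags minutes where the total
rate is high AND the requests come from many distinct sources.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format prefix: client IP, identd, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Constructed sample: two normal requests at 17:59, then 600 requests in the
# 18:00 minute spread over 200 constructed addresses in 192.0.2.0/24.
SAMPLE_LOG = (
    '10.0.0.5 - - [01/Dec/2003:17:59:10 +0000] "GET / HTTP/1.1" 200 512\n'
    '10.0.0.6 - - [01/Dec/2003:17:59:40 +0000] "GET /sbl HTTP/1.1" 200 1024\n'
    + "\n".join(
        f'192.0.2.{i % 200} - - [01/Dec/2003:18:00:{i % 60:02d} +0000] '
        f'"GET / HTTP/1.1" 200 512'
        for i in range(600)
    )
)

# Constructed contrast case: one noisy client sending 400 requests in a minute.
SINGLE_CLIENT_LOG = "\n".join(
    f'198.51.100.7 - - [01/Dec/2003:18:05:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512'
    for i in range(400)
)


def parse_line(line):
    """Return (client_ip, minute_bucket) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(second=0, microsecond=0)


def requests_per_minute(lines):
    """Map each minute -> Counter of request counts keyed by source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, minute = parsed
            buckets[minute][ip] += 1
    return buckets


def flag_flood_windows(lines, rate_threshold=300, min_sources=50):
    """Return the minutes that look like a distributed flood.

    Both conditions must hold: total requests >= rate_threshold and at least
    min_sources distinct client IPs.  A single noisy client trips the first
    test but not the second; a botnet of infected PCs trips both.
    """
    alerts = []
    for minute, per_ip in sorted(requests_per_minute(lines).items()):
        total = sum(per_ip.values())
        sources = len(per_ip)
        if total >= rate_threshold and sources >= min_sources:
            alerts.append({
                "minute": minute.isoformat(),
                "requests": total,
                "sources": sources,
                "top_source": per_ip.most_common(1)[0],
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_flood_windows(SAMPLE_LOG.splitlines()):
        print("flood window:", alert)
    print("single client alerts:", flag_flood_windows(SINGLE_CLIENT_LOG.splitlines()))
```

The thresholds are deliberately simple; a production appliance would baseline the normal rate per site and per path rather than use fixed numbers, but the two-part test (volume plus source spread) is the core of telling a distributed attack apart from one misbehaving client.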
Spamhaus believes that a notorious team of US-based spammers is behind the Mimail attack. It blames the same team for another variant that was also released this weekend, called W32.Mimail.C, also known as Mimail.E.
Instead of causing computers to flood anti-spam websites with requests, W32.Mimail.C targets websites with the phrase “darkprofits” in their URL, including darkprofits.net and darkprofits.com. Neither site was accessible at 1800 GMT on Monday. The motive for this DDOS is not known.
W32.Mimail.C bears the subject line “our private photos” and contains a lewd message and a zip file, which must be opened for the virus to become active. W32.Mimail.D is also buried in a zip file.
Using a zip file may seem like an odd strategy, as it relies on people spending time to open up the file. But Linford says the virus writers are trying to get around anti-virus filters.
Anti-virus software has become good at recognising destructive code delivered as a standard executable program file. So burying the .exe file in a zip document makes it harder for virus filters to spot.
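A filter does not have to be fooled by the zip wrapper: it can open the archive in memory and inspect what is inside without executing anything. The script below is an added example (not code from the article or from any anti-virus vendor) that lists each member of a zip attachment, flags executable extensions, flags members that start with the Windows executable “MZ” signature regardless of their name, recurses into nested zips, and caps how much it decompresses so an oversized member cannot exhaust the scanner. The sample archive is constructed in memory from harmless stub bytes; the file names and the size limit are assumptions for the example.

```python
"""Inspect a zip e-mail attachment for executable content without running it.

Added, constructed example (not the article's or any vendor's code).  The
sample attachment is built in memory; its "executables" are stub bytes that
only carry the 'MZ' header, not real programs.
"""
import io
import os
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_INSPECT_BYTES = 4 * 1024 * 1024  # assumed cap on decompressed bytes per member


def inspect_zip(data, depth=0, max_depth=2):
    """Return a list of {'member': name, 'reasons': [...]} for suspicious members.

    Nested archives are opened up to max_depth levels deep; member names
    inside them are reported as outer.zip/inner_name.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": "<root>", "reasons": ["not a valid zip"]}]

    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            ext = os.path.splitext(name.strip().lower())[1]

            # Read at most the cap plus one byte so a lying size header cannot
            # make us decompress an unbounded member (zip-bomb guard).
            with zf.open(info) as member:
                content = member.read(MAX_INSPECT_BYTES + 1)
            if len(content) > MAX_INSPECT_BYTES:
                findings.append({"member": name, "reasons": ["member exceeds inspection cap"]})
                continue

            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if content[:2] == b"MZ":
                # Catches an .exe renamed to look like a photo or document.
                reasons.append("MZ header")
            if ext == ".zip" and depth < max_depth:
                for sub in inspect_zip(content, depth + 1, max_depth):
                    sub["member"] = f"{name}/{sub['member']}"
                    findings.append(sub)

            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample_attachment():
    """Construct a zip resembling the pattern in the article (constructed data):
    an executable with a doubled extension, an innocuous text file, and a
    nested zip holding an 'MZ' stub renamed as a photo."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("photo.jpg", b"MZ" + b"\x00" * 16)  # renamed stub, not a real PE

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("our_private_photos.jpg.exe", b"MZ" + b"\x00" * 64)  # stub
        zf.writestr("readme.txt", b"just text")
        zf.writestr("more.zip", inner.getvalue())
    return buf.getvalue()


def is_suspicious(data):
    """True when the attachment contains anything the inspector flags."""
    return bool(inspect_zip(data))


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_attachment()):
        print(finding)
```

The extension list and the “MZ” check are only the first layer a real filter would apply; the point is that unpacking in memory lets the scanner apply the same signature checks to the zipped payload that it already applies to bare attachments, and the read cap keeps that unpacking from becoming its own denial-of-service exposure.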