Friday, August 3, 2007

Escalation - Article About Spammers

Originally from this site:
http://blog.trendmicro.com/escalation/

--------------------------------------------------------------------------------
Escalation
August 2nd, 2007 by Ryan Flores

This entry from McAfee got me thinking about the advancing techniques
spammers use to get their spam through various anti-spam scanners.

Originally, spam consisted only of text strings advertising a particular
product or web site. Bayesian filtering was applied to tag e-mail messages
containing words commonly used in spam. This method stopped most of the spam,
so spammers got a little bit smarter and included dozens of common words
(normally at the end of the spam message) to poison the Bayesian filters and
let the spam through. Security vendors countered by including the e-mail
subject in their filtering.
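To make the first two rounds of this escalation concrete, here is a small naive Bayes spam scorer on a constructed training corpus. It is an added example, not code from the Trend Micro post; the training messages, the test message and the padding words are all made up. It shows how per-token evidence is combined, how appending words that are common in legitimate mail (the "dozens of common words" the text describes) drags the score below the threshold, and one widely used filter-side countermeasure that the post does not mention: letting only the most decisive tokens vote, as in Paul Graham's "A Plan for Spam", so neutral padding has little influence.

```python
"""Naive Bayes spam scoring and Bayesian poisoning on a constructed corpus.

Added example; not code from the original post. All messages are invented.
"""
import math
import re
from collections import Counter


def tokenize(text):
    """Lower-case word tokens; each token is counted once per message."""
    return set(re.findall(r"[a-z']+", text.lower()))


class NaiveBayesFilter:
    """Bernoulli-style naive Bayes: one binary feature per token."""

    def __init__(self):
        self.spam_df = Counter()  # number of spam messages containing each token
        self.ham_df = Counter()   # same for legitimate (ham) messages
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_df.update(toks)
            self.n_spam += 1
        else:
            self.ham_df.update(toks)
            self.n_ham += 1

    def token_evidence(self, tok):
        """log P(tok|spam) - log P(tok|ham), Laplace-smoothed; 0 for unseen tokens."""
        p_spam = (self.spam_df[tok] + 1) / (self.n_spam + 2)
        p_ham = (self.ham_df[tok] + 1) / (self.n_ham + 2)
        return math.log(p_spam / p_ham)

    def score(self, text, top_k=None):
        """Probability that the message is spam.

        With top_k=None every token votes, so padding a message with words that
        are common in legitimate mail drags the score down (Bayesian poisoning).
        With top_k=N only the N most decisive tokens vote, which blunts padding.
        """
        evidence = [self.token_evidence(t) for t in tokenize(text)]
        if top_k is not None:
            evidence = sorted(evidence, key=abs, reverse=True)[:top_k]
        log_odds = math.log(self.n_spam / self.n_ham) + sum(evidence)
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training corpus (not real mail).
SPAM_TRAINING = [
    "buy cheap pills online now",
    "buy cheap pills discount offer",
    "buy cheap pills online discount",
    "cheap pills buy now offer",
]
HAM_TRAINING = [
    "meeting tomorrow at noon about the project",
    "please review the project report before the meeting",
    "lunch tomorrow? the report is done",
    "project review tomorrow at noon",
]

SPAM_MESSAGE = "buy cheap pills now"
# The same pitch with a "word salad" of words seen in legitimate mail appended.
POISONED_MESSAGE = SPAM_MESSAGE + " meeting tomorrow project report review the at noon lunch done"


def build_filter():
    """Train the filter on the constructed corpus."""
    f = NaiveBayesFilter()
    for m in SPAM_TRAINING:
        f.train(m, True)
    for m in HAM_TRAINING:
        f.train(m, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for label, msg in (("plain spam", SPAM_MESSAGE), ("poisoned spam", POISONED_MESSAGE)):
        print(f"{label:14s} all tokens: {f.score(msg):.3f}   top-5 tokens: {f.score(msg, top_k=5):.3f}")
```

With every token voting, the plain pitch scores close to 1.0 and the padded copy close to 0.0, which is exactly why the word-salad trick worked against early filters. Restricting the vote to the five most decisive tokens keeps the padded copy above 0.5, because the product names carry stronger evidence than any single padding word. Scoring the subject line separately, as the vendors in the text did, is a further signal this toy omits.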

The spammers got a little bit smarter again and generated random e-mail
subjects unrelated to the product being advertised. By this time, security
vendors had begun to approach the spam problem through a combination of
techniques such as hash filtering, string matching, and network/sender
reputation blacklists.

Again, spammers took the next step by using images instead of text to
defeat hash filtering and string matching. Spammers also use malware-infected
computers (such as those infected with NUWAR) to send spam, defeating
network/sender reputation filtering. The Excel, PDF, and RAR-archived spam
are just the next generation of anti-anti-spam techniques spammers discovered
they can use to avoid detection.

This catch-me-if-you-can game is eerily similar to the development of
anti-anti-virus techniques used by malware writers.

When viruses were being detected heuristically, virus authors employed
polymorphism to make anti-virus detection a lot harder. The same goes for
file-based malware such as bots and Trojans: once the detection rate for
ordinary bots and Trojans became really good, malware authors began to employ
packers. At first they commonly used UPX to pack their malware, but as the UPX
packer became increasingly supported by anti-virus scanners, malware authors
began to use a variety of packers, often several layers at a time, to avoid
detection. The battle does not end there: as anti-virus scanners are updated
to support new packers, malware authors are using a combination of binders,
packers and cryptors to avoid detection.
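The packer paragraph describes why scanners had to go beyond recognising one packer by name. The following is an added example, not code from the post or from any vendor, of the two cheapest triage signals an analyst applies to a PE file's sections: the well-known section names that UPX writes (UPX0/UPX1), which any other packer or a renamed section trivially avoids, and the Shannon entropy of the section contents, which stays high across packers, cryptors and layered packing because compressed or encrypted bytes look close to uniformly random. The sample section contents are constructed in the code; the 7.0 bits/byte threshold is an assumed tuning value.

```python
"""Entropy-based triage heuristic for packed or encrypted executable sections.

Added example; not code from the original post. Section contents are constructed.
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant buffer, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Section names that the UPX packer writes into the PE header. Cheap to check,
# but trivially evaded by any other packer or by renaming the sections.
KNOWN_PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def classify_sections(sections, threshold=7.0):
    """Score a list of (section_name, raw_bytes) pairs.

    threshold is an assumed tuning value. Ordinary x86 code and text usually
    fall well below 6 bits/byte; compressed or encrypted payloads sit near 8.
    Legitimate compressed resources also score high, so this is a triage
    signal to prioritise samples for unpacking, not a malware verdict.
    """
    results = []
    for name, data in sections:
        ent = shannon_entropy(data)
        high = ent >= threshold
        known = name in KNOWN_PACKER_SECTION_NAMES
        results.append({
            "name": name,
            "entropy": round(ent, 3),
            "high_entropy": high,
            "known_packer_name": known,
            "suspicious": high or known,
        })
    return results


# Constructed sample sections (not taken from any real binary).
TEXT_LIKE = b"This program cannot be run in DOS mode. " * 100   # repetitive, low entropy
ZERO_FILLED = b"\x00" * 2048                                    # constant, zero entropy
_rng = random.Random(2007)                                      # deterministic stand-in for packed data
PACKED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_SECTIONS = [
    (".text", TEXT_LIKE),
    (".rdata", ZERO_FILLED),
    ("UPX1", PACKED_LIKE),
]


if __name__ == "__main__":
    for r in classify_sections(SAMPLE_SECTIONS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['name']:8s} entropy={r['entropy']:5.3f} "
              f"name_hit={r['known_packer_name']!s:5s} {flag}")
```

On a real file the (name, bytes) pairs would come from a PE parser's section table; the heuristic itself does not change. The point the text makes, that supporting "UPX" in a scanner is only a temporary win, is visible in the code: the name check is one set lookup that the next packer never triggers, while the entropy check keeps firing no matter how many layers are stacked.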


The cycle goes on and on: the good guys (that's us) create new technologies
to defeat the bad guys (the malware authors), and the bad guys retaliate by
using another new technology to defeat the good guys' weapons. Apparently,
escalation is the name of the game. As Inspector James Gordon told Batman in
Batman Begins: "We start carrying semi-automatics, they buy automatics. We
start wearing Kevlar, they buy armor-piercing rounds." The same holds true in
this cyber-war between security vendors and the malware authors.
