Spam Increase Due to Russian Botnet
Posted by Todd Brennan on Mon, Dec 04, 2006
eWeek has written an article that offers an explanation for a recently
observed 67% increase in overall spam volume since August. The cause
seems to be a Russian hacker group controlling a massive and
sophisticated botnet of 70,000 compromised hosts spanning 166 countries.
It is built upon the SpamThru Trojan that I blogged about earlier.
SpamThru is the malware which includes its own pirated full AV scanner to
kill other malware, freeing up more machine resources for its own
purposes. I wondered why SpamThru introduced this complex functionality
into the wild, but now it seems clear. In the apparently profitable and
booming spam email business, more machines and more CPU cycles mean more
profit. In fact, we see there is enough profit to fund many developers
and botnet administrators.
This is another example of an "asymmetric warfare" situation in computer
security. Even patched versions of modern OSes are vulnerable -- almost
50% of this new botnet is XP SP2. We know this because the botnet tracks
everything extremely well. An attacker need only find a single
vulnerability in a small time window, and that is enough to take the
machine. And with modern rootkit technologies, once a machine is taken,
no known general defense will reliably get the computer back or protect
it again. Only new proactive defenses, such as application control that
protects against the first execution of unknown code, can stop new modern
threats like this.