By Jake Edge
November 12, 2008
Spam is a problem that all email users suffer from, but getting a handle on
the economics of spamming has never been easy. A group of researchers has
changed that to some extent by publishing a study
[PDF] that measures the conversion rate of spam emails. While the methods
they used were somewhat ethically questionable, the data the study provides
is quite useful and interesting.
In the study, the Storm botnet's "command and control" (C&C) infrastructure
was infiltrated in such a way
that spam messages sent by Storm worker nodes would point the URLs in the
spam at sites controlled by the researchers. By doing this, they could
determine how much spam was sent and, more importantly, how much of it was
clicked on. While sending spam is not very costly, it clearly does not
have a zero cost. This means that—unbelievable though it sometimes
seems—people actually do click through spam emails; not only that,
they actually make purchases from the sites where they land.
The researchers set up fake pharmacy
sites—selling male enhancement products amongst other things—that would be reached
via the spam links. To protect the spam "victims", a visitor to the site
would be allowed
to get to the checkout stage before showing a site error. It seems
plausible that nearly everyone willing to fill their shopping cart with
such products and enter the checkout process is a very likely buyer.
In this way, the study could count not only those who followed the links,
but also those who were likely to buy.
What they found was that of 350 million emails sent—they estimate 82
million actually delivered—ten thousand recipients visited the site
for a click-through rate of 0.003%. Of those, 28 users actually tried to
check out with products totaling over $2700. The study was run for 26
days, so this could have resulted in roughly $100 per day of revenue.
Also of interest were the campaigns that were run to test the propagation
of the Storm malware. This is normally done by sending spam that directs
users to a website (via a "you have received a postcard" message) and
entices them into clicking a link that will download and install the
malware. The click-through percentages were slightly higher
(0.004-0.006%), but a rather large fraction of those visitors (almost 10%)
actually clicked the malware link once they reached the website. The
researchers' version would download a benign executable, but the clear
implication is that a small, but useful, number of users would actually
add themselves to the botnet more or less voluntarily.
While the study is quick to point out that it represents only one data
point, there is some value in extrapolating what the botnet might be able
to generate in terms of revenue:
Different campaigns, using different tactics and marketing
different products will undoubtedly produce different outcomes.
Indeed, we caution strongly against researchers using the conversion
rates we have measured for these Storm-based campaigns to
justify assumptions in any other context. At the same time, it
is tempting to speculate on what the numbers we have measured
might mean. We succumb to this temptation below, with the understanding
that few of our speculations can be empirically validated
at this time.
The conclusion is that something on the order of $7000-9500 per day could be
generated, which equates to $2.5-3.5 million per year—a tidy sum by any
measure. There is some additional speculation that because of the retail
cost of
sending spam (rumored to be something like $80 per million sent), it only
makes sense that the Storm operators and the "pharmacies" are one and the
same. The sites used for propagation of the Storm malware have
similarities to those used by the shopping sites, which also indicates a
close association between the two. The study makes the following, perhaps
overly optimistic, argument:
If true, this hypothesis is heartening since it suggests that the
third-party retail market for spam distribution has not grown large
or efficient enough to produce competitive pricing and thus, that
profitable spam campaigns require organizations that can assemble
complete "soup-to-nuts" teams. Put another way, the profit margin
for spam (at least for this one pharmacy campaign) may be meager enough
that spammers must be sensitive to the details of how
their campaigns are run and are economically susceptible to new
defenses.
The full paper is well worth a read for those interested in botnets or
spam, but there are some ethical questions to consider as well. Is it
reasonable to use other people's computers for your research without their
consent? There is no easy answer to that question. The researchers
outline their argument, which boils down to "we strictly reduce
harm". Because they are just intercepting and modifying orders that
are already
being sent to workers, their research did not increase the amount of spam
sent, nor did it increase the work that others' computers would do.
Since the spam that they arrange to be sent is harmless—at least in
terms of selling bogus medicine or propagating malware—they have
actually reduced the number of harmful spams sent. While their arguments
seem at least well-thought-out, it is not something that would be fun to try to
explain to a judge bent on enforcing some of the poorly-thought-out
computer crime statutes. The researchers seem confident that their methods
will pass muster, though: "We have been careful to design experiments
that we believe are
both consistent with current U.S. legal doctrine and are fundamentally
ethical as well."
It is difficult to see how this kind of data could be gathered without
co-opting Storm or another spam-sending botnet. From that standpoint,
the researchers took the only path they could, but they certainly appear to
have considered the legal and ethical landscape. While there may be a
tendency to overestimate how widely applicable the data is—which the
authors warn against—it does provide a nice look under the covers of the
botnets delivering spam to one's inbox daily.
Brief items
If you read
this bug
entry, you'll see that getting root access on an Android-based phone is
rather easier than originally thought. It seems that the phone simply
boots with a root shell listening to the keyboard, regardless of any other
applications running. Be careful what you type... (a bit more information
can be found on
this
page).
New vulnerabilities
acroread: multiple vulnerabilities
Package(s): acroread
CVE #(s): CVE-2008-2549, CVE-2008-2992, CVE-2008-4812, CVE-2008-4813, CVE-2008-4814, CVE-2008-4815, CVE-2008-4817
Created: November 12, 2008
Updated: January 13, 2009
Description: From the Red Hat advisory:
Several input validation flaws were discovered in Adobe Reader. A malicious
PDF file could cause Adobe Reader to crash or, potentially, execute
arbitrary code as the user running Adobe Reader. (CVE-2008-2549,
CVE-2008-2992, CVE-2008-4812, CVE-2008-4813, CVE-2008-4814, CVE-2008-4817)
The Adobe Reader binary had an insecure relative RPATH (runtime library
search path) set in the ELF (Executable and Linking Format) header. A local
attacker able to convince another user to run Adobe Reader in an
attacker-controlled directory could run arbitrary code with the privileges
of the victim. (CVE-2008-4815)
Alerts:
blender: arbitrary code execution
Package(s): blender
CVE #(s): CVE-2008-4863
Created: November 12, 2008
Updated: January 14, 2010
Description: From the Red Hat bugzilla entry:
Untrusted search path vulnerability in BPY_interface in Blender 2.46
allows local users to execute arbitrary code via a Trojan horse Python
file in the current working directory, related to an erroneous setting
of sys.path by the PySys_SetArgv function.
Alerts:
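The acroread RPATH entry and the Blender sys.path entry above are the same class of bug: a library or module search path that resolves to whatever directory the victim happens to be in. The following is an added example, not code from either project or advisory, that audits such a search path; the readelf output, the sys.path list and the "review" rule for $ORIGIN entries are constructed assumptions of the example.

```python
import re

# Constructed `readelf -d` output for a binary with a relative RPATH, modelled
# on the acroread flaw above; this is not the real Adobe Reader binary's output.
READELF_SAMPLE = """
Dynamic section at offset 0x1d8 contains 2 entries:
  Tag        Type                         Name/Value
 0x0000000f (RPATH)                      Library rpath: [.:/usr/lib:$ORIGIN/../lib:]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
"""

# Constructed sys.path as an embedding host might leave it after PySys_SetArgv,
# which inserts '' (the current directory) at the front; mirrors the Blender report.
EMBEDDED_SYS_PATH = ["", "/usr/lib/python2.5", "/usr/lib/python2.5/site-packages", "scripts"]

RPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[([^\]]*)\]")

def rpath_components(readelf_output):
    """Extract the colon-separated RPATH/RUNPATH entries from readelf -d text."""
    comps = []
    for m in RPATH_RE.finditer(readelf_output):
        comps.extend(m.group(1).split(":"))
    return comps

def untrusted_components(components):
    """Classify search-path entries an attacker-controlled directory could satisfy.
    Returns (entry, reason) pairs:
      ''              -> ld.so and Python both treat an empty entry as the CWD
      '.'             -> the CWD, named explicitly
      other relative  -> resolved against the CWD at exec time
      $ORIGIN...      -> 'review': safe only if the binary's own directory is
                         not writable by other users (an assumption of this check)
    """
    findings = []
    for c in components:
        if c in ("", "."):
            findings.append((c, "cwd"))
        elif c.startswith("$ORIGIN"):
            findings.append((c, "review"))
        elif not c.startswith("/"):
            findings.append((c, "relative"))
    return findings

def audit_rpath(readelf_output):
    return untrusted_components(rpath_components(readelf_output))

if __name__ == "__main__":
    print("RPATH findings:   ", audit_rpath(READELF_SAMPLE))
    print("sys.path findings:", untrusted_components(EMBEDDED_SYS_PATH))
```

For a real binary, feed the script the output of `readelf -d` and treat any "cwd" or "relative" finding as the acroread-style bug; for an embedded interpreter, check that nothing prepends '' to sys.path.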
dovecot: denial of service
Package(s): dovecot
CVE #(s): CVE-2008-4907
Created: November 12, 2008
Updated: December 15, 2008
Description: From the Ubuntu advisory:
It was discovered that certain email headers were not correctly handled
by Dovecot. If a remote attacker sent a specially crafted email to a
user with a mailbox managed by Dovecot, that user's mailbox would become
inaccessible through Dovecot, leading to a denial of service.
Alerts:
drupal-cck: cross site scripting
Package(s): drupal-cck
CVE #(s): (none listed)
Created: November 7, 2008
Updated: November 24, 2008
Description: From the Drupal advisory:
The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.
Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.
This is only an issue if you need any role separation between administrators and users with the "administer content" permission.
Alerts:
faad2: arbitrary code execution
Package(s): faad2
CVE #(s): CVE-2008-4201
Created: November 12, 2008
Updated: November 12, 2008
Description: From the Gentoo advisory:
The ICST-ERCIS (Peking University) reported a heap-based buffer
overflow in the decodeMP4file() function in frontend/main.c.
A remote attacker could entice a user to open a specially crafted
MPEG-4 (MP4) file in an application using FAAD2, possibly leading to
the execution of arbitrary code.
Alerts:
flash-plugin: multiple vulnerabilities
Package(s): flash-plugin
CVE #(s): CVE-2008-4818, CVE-2008-4819, CVE-2008-4823, CVE-2008-4822, CVE-2008-4821
Created: November 12, 2008
Updated: November 12, 2008
Description: From the Red Hat advisory:
Flash Player contains a flaw in the way it interprets HTTP response
headers. An attacker could use this flaw to conduct a cross-site scripting
attack against the user running Flash Player. (CVE-2008-4818)
A flaw was found in the way Flash Player handles the ActionScript
attribute. A malicious site could use this flaw to inject arbitrary HTML
content, confusing the user running the browser. (CVE-2008-4823)
A flaw was found in the way Flash Player interprets policy files. It was
possible to bypass a non-root domain policy, possibly allowing a malicious
site to access data in a different domain. (CVE-2008-4822)
A flaw was found in how Flash Player's jar: protocol handler interacts with
Mozilla. A malicious flash application could use this flaw to disclose
sensitive information. (CVE-2008-4821)
Updated Flash Player also extends mechanisms to help prevent an attacker
from executing a DNS rebinding attack. (CVE-2008-4819)
Alerts:
gallery: multiple vulnerabilities
Package(s): gallery
CVE #(s): CVE-2008-3600, CVE-2008-3662, CVE-2008-4129, CVE-2008-4130
Created: November 12, 2008
Updated: December 15, 2008
Description: From the Gentoo advisory:
* Digital Security Research Group reported a directory traversal
vulnerability in contrib/phpBB2/modules.php in Gallery 1, when
register_globals is enabled (CVE-2008-3600).
* Hanno Boeck reported that Gallery 1 and 2 did not set the secure
flag for the session cookie in an HTTPS session (CVE-2008-3662).
* Alex Ustinov reported that Gallery 1 and 2 does not properly handle
ZIP archives containing symbolic links (CVE-2008-4129).
* The vendor reported a Cross-Site Scripting vulnerability in Gallery
2 (CVE-2008-4130).
Alerts:
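For the ZIP symbolic-link issue (CVE-2008-4129) above, here is an added example that is not Gallery's code: it inspects an uploaded archive for symlink members and traversal names before extraction, and extracts only the clean entries. The archive is constructed in memory for the demonstration; the file names and link target in it are made up.

```python
import io
import os
import stat
import tempfile
import zipfile

def zip_findings(data):
    """Return (name, reason) for entries that must not be extracted as-is:
    symlink members and names that would land outside the target directory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):   # upper 16 bits: Unix mode
                findings.append((info.filename, "symlink"))
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                findings.append((info.filename, "traversal"))
    return findings

def safe_extract(data, dest):
    """Write only clean entries as plain files under dest; a symlink member is
    never recreated, so it cannot alias /etc/passwd into the web root."""
    dest = os.path.realpath(dest)
    bad = {name for name, _ in zip_findings(data)}
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename in bad or info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                continue                                  # second line of defence
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
    return written

def build_sample_zip():
    """Constructed archive (not from any real upload): one image, one symlink
    member whose target is /etc/passwd, and one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo.jpg", b"\xff\xd8\xff")
        link = zipfile.ZipInfo("album/secret.jpg")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, b"/etc/passwd")                 # a symlink's body is its target
        zf.writestr("../../config.php", b"<?php")
    return buf.getvalue()

def demo():
    return safe_extract(build_sample_zip(), tempfile.mkdtemp())
```

Note that Python's `ZipFile.extractall` writes a symlink member as a regular file containing the target path rather than creating a link, but a PHP or shell-based unzip step may recreate the link, which is why the check is done on the entry metadata rather than on the extracted result.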
gnutls: man in the middle attacks
Package(s): gnutls
CVE #(s): CVE-2008-4989
Created: November 11, 2008
Updated: September 28, 2009
Description: From the Red Hat advisory:
Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates.
Alerts:
kvm: heap overflow
Package(s): kvm
CVE #(s): CVE-2008-4539
Created: November 12, 2008
Updated: May 13, 2009
Description: This is evidently a recurrence of CVE-2007-1320, which has the following description:
Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
Alerts:
mysql-dfsg: symlink traversal
Package(s): mysql-dfsg-5.0
CVE #(s): CVE-2008-4098, CVE-2008-4097
Created: November 6, 2008
Updated: June 4, 2010
Description: From the Debian advisory:
A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to
execute shell commands on the database server to bypass MySQL access
controls, enabling them to write to tables in databases to which they
would not ordinarily have access.
Alerts:
php-Smarty: remote code execution
Package(s): php-Smarty
CVE #(s): CVE-2008-4811
Created: November 7, 2008
Updated: June 3, 2010
Description: From the CVE entry:
The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 r2797 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to templates and a \ (backslash) before a dollar-sign character.
Alerts:
uw-imap: unspecified vulnerability
Package(s): uw-imap
CVE #(s): (none listed)
Created: November 6, 2008
Updated: November 12, 2008
Description: From the imap-uw advisory:
There is a security bug in versions of the programs
tmail and dmail distributed with the IMAP Toolkit versions 2007c or earlier
(all versions prior to 2008-10-29). This includes the version distributed
with Alpine 2.00.
Alerts:
wordpress: arbitrary command execution
Package(s): wordpress
CVE #(s): CVE-2008-4796
Created: November 7, 2008
Updated: December 11, 2009
Description: From the CVE entry:
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.
Alerts:
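An added illustration of the Snoopy issue above, written in Python rather than PHP and not Snoopy's own code: it assumes the HTTPS path shells out to an external curl binary, and contrasts splicing the URL into a shell string with validating the URL and handing curl an argv list (or shlex-quoting the URL when a shell string cannot be avoided). The command-line flags and URLs are constructed for the example.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

SHELL_METACHARS = set(";|&`$<>()\n\r")

def unsafe_curl_command(url):
    """The vulnerable pattern: the URL is spliced into one shell string.
    Returned only for inspection; handing this to a shell is the bug."""
    return "curl -s -D /tmp/headers " + url

def validated_url(url):
    """Accept an absolute http(s) URL with a host name and no shell
    metacharacters; raise ValueError for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    if SHELL_METACHARS & set(url):
        raise ValueError("shell metacharacters in URL: %r" % url)
    return url

def is_rejected(url):
    try:
        validated_url(url)
    except ValueError:
        return True
    return False

def quoted_curl_command(url):
    """If a shell string is unavoidable, quote the argument so the shell
    treats the whole URL as a single word."""
    return "curl -s -D /tmp/headers " + shlex.quote(url)

def safe_curl_argv(url):
    """Preferred form: an argv list passed to exec() with no shell involved."""
    return ["curl", "-s", "-D", "/tmp/headers", validated_url(url)]

def fetch_headers(url):
    # subprocess.run with a list execs curl directly; metacharacters stay inert.
    return subprocess.run(safe_curl_argv(url), capture_output=True, check=False)
```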
Page editor: Jake Edge