A group of researchers from UC Berkeley and UC San Diego made headlines in the past week for publishing data on the rate of success of a spam wave which was launched using the Trojan.Peed (aka Storm Worm) network. To do this, the researchers hijacked part of the network (an estimated 1.5% of it) and changed it so that e-mails sent from trojans under their control did not send those who clicked to an on-line pharmacy or to a site that would have infected them with a trojan, but rather to a researcher-controlled web page. In this fashion, the efficiency and effectiveness of the spam campaigns could be measured.
The hijacking was performed by actually installing Peed/Storm command and control servers on computers under the researchers’ control, so that some of the infected machines would use the research servers instead of the true ones. The spamming “chores” passed down through these servers to Storm-infected machines were then modified by the researchers to suit their goals.
According to the researchers, the pharmacy spam wave wasn’t very successful, with an estimate of only about 10 thousand dollars generated from 350 million e-mails sent over a month. The self-propagation waves fared “a little” better, with an estimated 3500-8000 new infected machines each day. The research paper is well worth reading if you’re at all interested in computer security and is certainly a first in the field.
The means chosen to measure conversion for the self-propagation campaign is particularly interesting. The researchers assumed correctly that not all users who would download the “infected” file from their mock infection site would also run it, so they placed an actual executable as the download target, one that would simply notify the researchers it had been run, by posting on a researcher-controlled server. The researchers noted with interest having
“observed that several anti-virus vendors developed signatures for our benign executable within a few days of our
Graham Cluley of Sophos argues that the researchers’ methodology was entirely ethical. “As such – no extra spam was sent, but more of the spam which was sent was non-dangerous”, he said to Register reporter John Leyden.
My personal opinion is that he may well be wrong.
After all, the infamous Morris worm began life as a research project too (Morris wanted to see how big the Internet had grown). Just as in the Morris case, the people on whose computers the “harmless executable” used in the Spamalytics research was run certainly hadn’t agreed to participate in any kind of research. No-one agreed to receive spam either, not even of the harmless variety, nor were any of the people whose computers were infected with the Storm trojan actually notified.
A gray area, certainly, and one where security research could benefit from creating unambiguous ethical guidelines akin to those used in sociological research, psychology or even medicine and law enforcement.