Microsoft Hunts For 'Zombie' Spammers

"zombie,"

Microsoft's action, which was done in conjunction with the Federal Trade Commission (FTC) and Consumer Action, a San Francisco-based advocacy group, was part of a call to arms against zombies, compromised computers that are used without their owners' permission to send spam, launch denial-of-service (DoS) attacks, and spread worms and viruses.

"The widespread use of zombie computers to commit crimes over the Internet presents a very real danger to law-abiding computer users," said Tim Cranton, the director of Microsoft's Internet Safety division.

Earlier this year, Cranton said, Microsoft set up a "clean" PC, then infected it with malicious code commonly used by attackers to turn a computer into a zombie. Researchers then monitored the PC's use of the Internet for 20 days, and tallied the number of messages sent through it.

"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.

That amount of data was impossible to analyze, so Microsoft focused on the three most-active spamming days, when 470,00 connection requests were made of the PC, and about 1.8 million messages were sent through it.

Microsoft then used the IP addresses of the computers requesting connections, and the addresses of the Web sites advertised in the sent spam, to identify 13 distinct spamming groups. In some cases, those IP addresses and sites were compared to spam samples captured by Microsoft's Hotmail honeypots.

“By inserting ourselves in the spammers&' path and looking upstream, we have been able to see things we have never been able to see before,” Cranton said.

Microsoft filed a civil lawsuit Aug. 17 in King County, Wash., and named 13 "John Doe" defendants so that it could use discovery to learn the spammers' true identities.

"We have identified [some] names through the discovery process, and we're verifying their involvement, or non-involvement," added Cranton. "Then we'll name the spam operators." He refused to give out additional details of the investigation, but did say that several of the spammers were operating in the U.S., and so could be prosecuted under the federal CAN-SPAM Act.

"Hopefully, we'll be able to turn over the results of our investigation for criminal prosecution under CAN-SPAM," Cranton added. "We need to take a few more steps, but in the next two to three months, I think we can name these spammers."

At the same press conference, Dan Salsburg, the assistant director of the FTC's Bureau of Consumer Protection, urged all computer users to do their part to stymie zombies.

"The FTC is taking aggressive steps to stop zombies and protect consumers, but consumers also need to insure that zombies aren't on their computers," Salsburg said.

He recommended that consumers visit the new OnguardOnline.gov Web site -- set up this month -- for more information on protecting their PCs.