IronPort Research Discovers Links Between Malware Originators
June 2008 by Ironport
IronPort® Systems, a leading provider of enterprise spam, virus and spyware protection, and now part of Cisco, today announced that recent research has identified a link between originators of malware, such as Storm, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting their websites. By converting spam into high-value pharmaceutical purchases, these supply chain enterprises allow the monetization of spamming botnets, providing an enormous profit motivation for botnet attacks. In an update to its annual Internet Security Trends Report, IronPort analyzes the impact of these botnets and uncovers the true drivers of pharmacy spam and continued malware innovation.
“Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now,” said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. “Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year.”
IronPort’s research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands. This spam is sent by millions of consumers’ personal computers, which have been infected by the Storm worm via a multitude of sophisticated social engineering tricks and web-based exploits. Further investigation revealed that spam templates, “spamvertized” URLs, website designs, credit card processing, product fulfillment and customer support were being provided by a Russian criminal organization that operates in conjunction with Storm.
This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services. However, IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors.
Details on the Storm botnet and the connection with the supply chain can be found in IronPort’s special report “2008 Internet Malware Trends: Storm and the Future of Social Engineering.” This report also identifies a number of ways in which malware is being used to infect host PCs to bypass security software. These methods include:
• Webmail spam. Sophisticated bots are operating in conjunction with automated and manual Captcha-breaking processes to create large numbers of free webmail accounts. (“Captcha” stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. A common Captcha test requires someone to type a series of distorted letters and numbers to ensure that the response is not computer-generated.) After the accounts are created, the bots send out spam using these accounts, and the spam recipient observes the messages as originating from a legitimate ISP’s mail servers, not from the botnet. These “theft of reputation” attacks accounted for more than 5 percent of all spam in the first quarter of 2008, up from less than 1 percent the previous quarter.
• Google exploitation. Next-generation malware is using Google’s “I’m feeling lucky” search option to channel traffic to infected sites. An estimated 1.3 percent of all Google searches return malware sites as valid results. Given the tremendous volume of searches carried out every minute, this translates into a potentially huge opportunity for malware distributors.
The botnets examined in the report are unique in that they tied spam campaigns to current events or websites of interest, using a blend of email and the web to propagate. Additionally, these decentralized and highly coordinated attacks enabled a variety of Internet assaults, from email and blog spam to phishing, instant messaging (IM) attacks and distributed denial-of-service (DDoS) attacks.
Storm malware was the first of this trend of sophisticated social engineering, affecting a cumulative 40 million computers around the world between January 2007 and February 2008, according to IronPort researchers. At its peak in July 2007, Storm accounted for more than 20 percent of all spam messages and had infected and was active in 1.4 million computers simultaneously. It continued to infect or reinfect about 900,000 computers per month. By September 2007, the number of simultaneous active computers generating Storm messages was reduced to 280,000 a day, and the total number of spam messages accounted for 4 percent of all spam. Storm currently represents only a tiny sliver of the more than 161 billion spam messages sent every day, yet variants of Storm are still active.
In addition to assessing the damage from such social-engineering-based attacks, the report details trends that portend the future of spam and viruses and the measures that businesses should take to ensure that their networks are protected. No longer is spam just an irritation created by individuals seeking glory. Today it has morphed into organized, technically savvy, well-funded malware efforts that are comparable in scale to the business operations of legitimate software vendors. To increase efficiency and profitability, malware creators are even beginning to offer their products as complete solutions, including technical support, analytics and administration tools, and software updates. Among the recent botnet malware discoveries are Bobax, Kraken/Kracken and Srizbi.
To prevent the spread of botnets such as Storm and its successors, IronPort’s report recommends that every business employ spam filtering, assess its web reputation, monitor port and communications activity, and keep all antivirus and antimalware products updated.