Storm Botnet Returns: MessageLabs

In May 2010, MessageLabs discovered that the Storm Botnet has re-entered the spam world. Researchers discovered the first case of Storm attacking users on April 30, 2010 and by May 8, 2010, the spam messages generated by the botnet estimated for just more than 1% of the overall spam.

Researchers at the security firm have claimed that the new Storm botnet is a variant of the previous version. Till now, the messages sent by Storm are related to pharmaceutical. The subject lines of mail sent by the botnet included "Get your favorite rxmedications here!", "Get all the medications you want online!", etc.

There is a shortened URL and a single line of text in these e-mails. The security experts revealed that the shortened links are one of the biggest threats to the users. They cannot know from the URL embedded in the message where it will land, and if they are not alert they can be tricked into revealing their personal data.

Several cybercriminals using shortened URLs also make use of Typo-Domains, those which look like the domain of a business but possess a single letter that is unusual or extension of an alternate domain. But, it also makes the links harder for spam filters to trace, as the shortened URL looks authentic, even if it takes the user to a spam URL on being clicked.

Some of the domains which have been frequently used by the Storm since its return are doiop.com, 2url.org, qurl.com, low.cc, odun.net, etc. All of these are shortened URLs.

Also, the security experts noted that the only transformation in the new variant is the circulation of Storm bots. Earlier, the largest amount was discovered in the United States, but there were several other nations with systems compromised by Storm. The Storm botnet was extensively circulated all around the world. But the new variant is comparatively less circulated at present.

Currently, almost 75% of spam generated by Storm is emerging from the US. Spain (contributing 15% of spam volume) and the UK (5%) are also rank high on list of Storm-infected systems, but some other countries, including those which usually show high spam volumes, are comparatively silent this time.

Related article: Storm Worm Returns with Follow-Up Attack

» SPAMfighter News - 6/3/2010