Storm Botnet Transformed Strippers into New Year’s Greeting
After spending Christmas pushing spam that promised Christmas strippers, the Storm botnet switched to luring users with "New Year 2008" messages, security researchers say.
Soon after Christmas, computers compromised by the Storm Trojan began sending spam carrying New Year wishes such as "Happy New Year!" and "Happy 2008!", according to security experts at Cupertino, California-based Symantec Corp. and UK-based Prevx Ltd.
The messages were professionally crafted so that recipients would find it hard to resist clicking the link they carried, which pointed to uhavepostcard.com, a website serving a file named "happy2008.exe". The file was a new Storm Trojan variant.
When a user clicks the link in the spam message, the malware infects the computer and connects it to the criminals' botnet. Once connected, the compromised computer starts sending spam on the criminals' behalf and can be put to use in other kinds of cyber crime.
Prevx identified two main variants on December 26, 2007, Marco Giuliani of Prevx said. The first had been circulating on the Internet for about ten hours, during which Prevx counted 166 distinct repacked versions of it, as Computerworld reported on December 26, 2007.
He also confirmed that the Storm code was being repacked every few minutes using polymorphic techniques from the moment the botnet started sending it. The point of the constant repacking is to evade signature-based antivirus products: each repacked copy has a different file hash and byte pattern, so a signature written for one version does not match the next.
To keep uhavepostcard.com reachable, the Storm operators used fast-flux DNS. Fast flux is an evasion technique in which the IP addresses published for a name are registered and deregistered rapidly, with very short TTLs, so that successive lookups return different sets of addresses. In single flux the addresses for the web host itself change; in double flux the addresses of the zone's authoritative name servers change as well.
The goal is to hide the real location of the malware site. In both forms, the actual server sits behind an ever-changing array of compromised machines that act as proxies, relaying traffic to it, so taking down any single proxy address achieves nothing.
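The fast-flux pattern described above can be picked out of a resolver's logs. What follows is an added example, not code from the article or from the researchers it quotes: a small Python heuristic that scores repeated lookups by TTL, number of distinct addresses and their spread across /16 networks, and flags single flux (the web host's A records churn) and double flux (the zone's name servers churn too). The `Answer` record, the `single_flux` and `double_flux` functions, the thresholds and the `FLUX_POOL` addresses are all assumptions made for the example; the observations are constructed sample data using private 10.x addresses, and although the domain name is the one from the article, nothing else about the records is real.

```python
"""Heuristic detector for single- and double-flux DNS behaviour.

Added example, not from the article. The observations are constructed:
the domain name is the one named in the article, but the addresses (10.x)
and lookup times are made up for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One resource record as returned to a resolver (hypothetical schema)."""
    qname: str    # name that was queried
    rtype: str    # "A" (IPv4 address) or "NS" (authoritative name server)
    ttl: int      # seconds the record may be cached
    rdata: str    # the address (A) or server hostname (NS)
    seen_at: int  # epoch seconds of the lookup


def single_flux(answers, max_ttl=300, min_ips=5, min_nets=3):
    """Score each queried name's A records for flux-like churn.

    A name is flagged when its TTL is short (clients re-resolve often),
    many distinct addresses were seen, and they are spread over unrelated
    /16 networks: what a proxy layer of compromised home PCs looks like,
    as opposed to a CDN that hands out a few addresses from one block.
    Thresholds are assumptions chosen for the example.
    """
    by_name = defaultdict(list)
    for rec in answers:
        if rec.rtype == "A":
            by_name[rec.qname].append(rec)
    report = {}
    for name, recs in by_name.items():
        ips = {r.rdata for r in recs}
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        min_ttl = min(r.ttl for r in recs)
        report[name] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min_ttl,
            "window_s": max(r.seen_at for r in recs) - min(r.seen_at for r in recs),
            "flux": min_ttl <= max_ttl and len(ips) >= min_ips and len(nets) >= min_nets,
        }
    return report


def double_flux(answers, **thresholds):
    """Flag zones whose advertised name servers themselves show A-record flux."""
    a_report = single_flux(answers, **thresholds)
    servers = defaultdict(set)
    for rec in answers:
        if rec.rtype == "NS":
            servers[rec.qname].add(rec.rdata)
    return {
        zone: any(a_report.get(ns, {}).get("flux", False) for ns in names)
        for zone, names in servers.items()
    }


# Constructed pool of 12 proxy addresses spread over six /16 networks.
FLUX_POOL = [
    "10.11.4.7", "10.23.9.200", "10.35.1.1", "10.47.200.5", "10.59.3.3", "10.71.8.8",
    "10.11.250.6", "10.23.100.100", "10.35.7.7", "10.47.9.9", "10.59.11.11", "10.71.12.12",
]


def constructed_observations():
    """Twelve lookups, five minutes apart, of a flux domain and a benign control."""
    obs = []
    for i, t in enumerate(range(0, 3600, 300)):
        for j in range(3):                       # each answer carries three A records
            k = i * 3 + j
            obs.append(Answer("uhavepostcard.com", "A", 120, FLUX_POOL[k % 12], t))
            # the zone's name server ns1 is fronted by the same rotating proxies
            obs.append(Answer("ns1.uhavepostcard.com", "A", 120, FLUX_POOL[(k + 1) % 12], t))
        obs.append(Answer("uhavepostcard.com", "NS", 120, "ns1.uhavepostcard.com", t))
        obs.append(Answer("uhavepostcard.com", "NS", 120, "ns2.uhavepostcard.com", t))
        # control: a CDN-style name with a short TTL but few addresses in one /16
        for ip in ("10.80.1.10", "10.80.1.11", "10.80.2.10", "10.80.2.11"):
            obs.append(Answer("cdn.example.net", "A", 60, ip, t))
    return obs


if __name__ == "__main__":
    obs = constructed_observations()
    for name, stats in single_flux(obs).items():
        print(f"{name:28} ips={stats['distinct_ips']:2} nets={stats['distinct_nets']} "
              f"ttl={stats['min_ttl']:3} single_flux={stats['flux']}")
    for zone, flagged in double_flux(obs).items():
        print(f"{zone:28} double_flux={flagged}")
```

The control name shows why a short TTL on its own is not evidence: CDNs use short TTLs too, but their addresses come from a small number of blocks they own. A production version would also look up the owning network (consumer ISP space behind a web host is the giveaway) and keep an allow-list of known CDNs.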
Related article: Storm Worm Returns with Follow-Up Attack
» SPAMfighter News - 09-01-2008