[ISN] 'Pump-and-Dump' Spam Surge Linked to Russian Bot Herders

From: InfoSec News (alerts@private)
Date: Fri Nov 17 2006 - 02:10:40 PST


http://www.eweek.com/article2/0,1895,2060235,00.asp

By Ryan Naraine
November 16, 2006

The recent surge in e-mail spam hawking penny stocks and penis 
enlargement pills is the handiwork of Russian hackers running a botnet 
powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have 
traced the operation to a well-organized hacking gang controlling a 
70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan.

According to Joe Stewart, senior security researcher at SecureWorks, in 
Atlanta, the gang functions with a level of sophistication rarely seen 
in the hacking underworld.

For starters, the Trojan comes with its own anti-virus scanner (a pirated 
copy of Kaspersky's security software) that removes competing malware 
files from the hijacked machine. Once a Windows machine is infected, it 
becomes a peer in a peer-to-peer botnet controlled by a central server. 
If the control server is disabled by botnet hunters, the spammer simply 
has to control a single peer to retain control of all the bots and send 
instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the 
variant of the Trojan installed, and further segmented into peer groups 
of no more than 512 bots. This allows the hackers to keep the overhead 
involved in exchanging information about other peers to a minimum, 
Stewart explained.

Stewart, a reverse engineering expert with expertise in deconstructing 
malware samples, gained access to files from a SpamThru control server 
and found evidence that the attackers are meticulous about keeping 
statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of 
origin of all bots in the botnet. In all, computers in 166 countries are 
part of the botnet, with the United States accounting for more than half 
of the infections.

The botnet stats tracker even logs the version of Windows the infected 
client is running, down to the service pack level. One chart 
commandeered by Stewart showed that Windows XP SP2 (Service Pack 2) 
machines dominate the makeup of the botnet, a clear sign that the latest 
version of Microsoft's operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a 
database hacking component that signaled the spammers' ability to 
target their pump-and-dump scams at victims most likely to be associated 
with stock trading.

Stewart said about 20 small investment and financial news sites have 
been breached for the express purpose of downloading user databases with 
e-mail addresses matched to names and other site registration data. On 
the bot herder's control server, Stewart found a MySQL database dump of 
e-mail addresses associated with an online shop.

"They're breaking into sites that are somewhat related to the stock 
market and stealing e-mail addresses from those databases. The thinking 
is, if they get an e-mail address for someone reading stock market and 
investment news, that's a perfect target for these penny stock scams," 
Stewart said in an interview with eWEEK.

The SpamThru spammer also controls lists of millions of e-mail addresses 
harvested from the hard drives of computers already in the botnet. "This 
gives the spammer the ability to reach individuals who have never 
published their e-mail address online or given it to anyone other than 
personal contacts," Stewart explained.

"It's a very enterprising operation and it's interesting that they're 
only doing pump-and-dump and penis enlargement spam. That's probably 
because those are the most lucrative," he added.

Even the spam messages come with a unique component. The messages are 
both text- and image-based and a lot of effort has been put into evading 
spam filters. For example, each SpamThru client works as its own spam 
engine, downloading a template containing the spam and random phrases to 
use as hash-busters, random "from" names, and a list of several hundred 
e-mail addresses to send to.

Stewart discovered that the image files in the templates are modified 
with every e-mail message sent, allowing the spammer to change the width 
and height. The image-based spam also includes random pixels at the 
bottom, specifically to defeat anti-spam technologies that reject mail 
based on a static image.
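The evasion just described only works against filters that key on a byte-exact image. The following added example (not from the article or from SecureWorks) shows why: it builds a constructed grayscale image, applies the per-message changes the article attributes to SpamThru (different width, random pixel rows appended at the bottom), and compares a static SHA-256 check with a coarse perceptual "average hash" that still matches the variant.

```python
import hashlib
import random

def resize_nearest(img, size=8):
    """Downscale a grayscale image (list of rows, values 0-255) to a size x size
    grid by nearest-neighbour sampling; a few noise rows or padding columns
    barely change which pixels get sampled."""
    h, w = len(img), len(img[0])
    return [[img[y * h // size][x * w // size] for x in range(size)]
            for y in range(size)]

def average_hash(img, size=8):
    """Perceptual hash: each grid cell becomes 1 if brighter than the mean."""
    pixels = [p for row in resize_nearest(img, size) for p in row]
    mean = sum(pixels) / len(pixels)
    bits = "".join("1" if p >= mean else "0" for p in pixels)
    return int(bits, 2)

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def static_hash(img):
    """What a byte-exact image blacklist would key on."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def make_base_image(w=64, h=32):
    # Constructed sample: a dark rectangle of "text" on a light background.
    return [[40 if 8 <= y < 24 and 8 <= x < 56 else 230 for x in range(w)]
            for y in range(h)]

def mutate(img, extra_cols=6, extra_rows=4, seed=1):
    """Constructed stand-in for the per-message edits described in the article:
    widen the image with background columns and append rows of random pixels."""
    rng = random.Random(seed)
    out = [row + [230] * extra_cols for row in img]
    for _ in range(extra_rows):
        out.append([rng.randint(0, 255) for _ in range(len(out[0]))])
    return out

def is_near_duplicate(a, b, threshold=6):
    """Flag two images as the same template if their hashes are within threshold bits."""
    return hamming(average_hash(a), average_hash(b)) <= threshold

if __name__ == "__main__":
    base, variant = make_base_image(), mutate(make_base_image())
    print("static hash equal:", static_hash(base) == static_hash(variant))
    print("perceptual distance:", hamming(average_hash(base), average_hash(variant)))
```

A production filter would combine the perceptual distance with other signals, since a sufficiently aggressive threshold also clusters legitimate images that share a layout.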

All SpamThru bots (the botnet controls about 73,000 infected clients) are 
also capable of using a list of proxy servers maintained by the 
controller to evade blacklisting of the bot IP addresses by anti-spam 
services. Stewart said this allows the Trojan to act as a "massive 
distributed engine for sending spam," without the cost of maintaining 
static servers.

With a botnet of this size, the group is theoretically capable of 
sending a billion spam e-mails in a single day. "This number assumes one 
recipient per message, [but] in reality, most spams are delivered in a 
single message with multiple recipients at the same domain, so the 
actual number of separate spams landing in different inboxes could be 
even higher," Stewart said.

According to data from Barracuda Networks, an enterprise security 
appliance vendor in Mountain View, Calif., there has been a 67 percent 
increase in overall spam volume and a 500 percent increase in image spam 
since Aug. 2006.

Stephen Pao, vice president of product management at Barracuda Networks, 
echoed Stewart's findings, noting that the bulk of the spam is linked to 
the trading of penny stocks. "Across the board, we are observing more 
spam and more sophistication in sending the spam," Pao said.


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn