
The Return of Storm

Updated: 20 May 2010

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

Recently, the infamous Storm worm has reappeared in the wild. MessageLabs Intelligence first saw this new variant of the botnet start spamming on 30 April. Since then, output has come in bursts reaching a peak of 1.4 percent of spam on 8 May.

The actual spam that we have been seeing is all fairly standard pharmaceutical spam, containing links to web pages hosting the well-known Canadian Pharmacy site, with subjects like these:

Get all the medications you want online!
Disappointed with your bad performance in bed?
great offers to spice it up in bed..
need some help in the bed?
its time to spice up the bed
Safest and approved method of male enhancing have a easier time making her...
Have long strong night in BED!
Get your favorite rxmedications here!
Win from benefits of hidden secret of pornstars!

The emails being sent are very simple, consisting of a single line that includes a web link, like the example below.

The above is very similar in style to the emails that the original Storm used to send, like this one.

All of the URL links we have seen from the new Storm so far have been shortened or custom URLs. This means that the end user cannot tell anything about the site they will land on by clicking the link in the email. It also makes the links more difficult for spam filters to recognise, as the shortened URL appears genuine even though it redirects to a spam URL when clicked. The following chart shows the ten most-used domains from Storm since its return, all of which are URL-shortening services.
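One defensive counterpart to the shortened-link problem described above, as an added example that is not from the original post or MessageLabs: resolve each link's redirect chain before filtering and classify on the landing domain rather than on the shortener domain the message shows. The `fetch` callable, the `*.example` hosts and the redirect table are constructed assumptions; a live `fetch` would issue a single HEAD request with automatic redirects disabled and return its Location header.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

Fetch = Callable[[str], Optional[str]]  # fetch(u) -> Location of a 3xx reply, or None

class RedirectLoop(Exception):
    """Raised when a redirect chain revisits a URL it has already passed."""

def resolve_chain(url: str, fetch: Fetch, max_hops: int = 10) -> List[str]:
    """Follow redirects from `url`; return every URL visited, in order.
    A live `fetch` would send one HEAD request with auto-redirects disabled
    and return its Location header. Relative Locations are resolved against
    the current URL; `max_hops` bounds the walk so a long chain cannot stall."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        target = fetch(chain[-1])
        if target is None:  # not a redirect: the landing page is reached
            return chain
        target = urljoin(chain[-1], target)
        if target in seen:
            raise RedirectLoop(" -> ".join(chain + [target]))
        seen.add(target)
        chain.append(target)
    return chain

def landing_domain(url: str, fetch: Fetch) -> str:
    """Hostname the recipient would actually land on after all redirects."""
    return urlparse(resolve_chain(url, fetch)[-1]).hostname or ""

def rank_landing_domains(urls: List[str], fetch: Fetch) -> List[Tuple[str, int]]:
    """Most-used domains for a batch of spam links, counted after redirection
    rather than on the shortener domain that appears in the message."""
    counts: Counter = Counter()
    for u in urls:
        try:
            counts[landing_domain(u, fetch)] += 1
        except RedirectLoop:
            counts["<redirect-loop>"] += 1
    return counts.most_common()

# Constructed redirect table standing in for live shortener responses.
FAKE_REDIRECTS: Dict[str, str] = {
    "http://short.example/abc": "http://track.example/r?id=1",
    "http://track.example/r?id=1": "/go",  # relative Location header
    "http://track.example/go": "http://pharmacy-landing.example/index.html",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}
fake_fetch: Fetch = FAKE_REDIRECTS.get  # offline stand-in for the live fetch
```

With the constructed table, the two-hop shortener link resolves to `pharmacy-landing.example`, and the self-referencing pair is reported as a loop instead of hanging the filter.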

Storm uses a wide variety of top-level domains, but the most common by far is the .com TLD.

Something that has changed with the new variant is the distribution of the Storm bots. Previously, the largest share was in the US, but many other countries also had Storm-infected machines; the Storm botnet was widely distributed around the globe.

But the new variant is currently much less distributed. Almost 75 percent of the new Storm botnet is located in the US. Spain and the UK are the next most infected countries with 13.8 percent and 4.3 percent of the new Storm bots respectively.

The image below is a visual depiction of the Storm botnet created by computational artist Alex Dragulescu.
