Malware is becoming increasingly complex. Take Rustock.B for example: this threat goes above and beyond to prevent analysis and detection. A blog article is probably too small a space to describe everything Rustock does technically, but you shouldn’t be surprised, considering its complexity, that Rustock has a clear financial motive. In particular, apart from hiding itself with advanced rootkit techniques, the primary goal of this threat is to send a lot of spam. Capturing spam such as this allows us to update our email security products, such as Brightmail AntiSpam. In addition to pharmaceutical, mortgage, and imitation product spam, Rustock has also sent stock-based spam. Stock-based spam usually consists of some random text, followed by an image, followed by more random text. Below is an example of one of the stock-based image spam messages sent on 27th October 2006.
As you can see, the stock price on that day was around $0.65 and the spam made promises of $10 in five days. I decided to watch this stock to see if anything would happen. Below is a graph showing the stock activity around this period.
As shown in the graph above, the stock rose from $0.65 up to $2.00 per share over a five-day period, during which the spam controller host issued the command “spam this stock” to Rustock. However, after a few days, the price fell back to previous levels and presumably the person who ordered the spam run had cashed out. Even more telling is that the peak volume of shares traded in this period soared to almost 5 million shares!
Of course, maybe something else happened with this particular stock during this period, but the coincidence seems to be too good to be true. And, for all of you thinking that you can get in before everyone else receives the same spam and get rich quick, take note of this Web site, where a virtual stock portfolio has lost over $55,000. Investing in stocks advertised by stock-based spam is definitely not a good idea.