“Storm Trojan” Outbreak – A Spam-centric View
While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.
Figure 1. Top 10 malware caught by Symantec Brightmail AntiSpam
One of the things that leaps out from this pie chart is that Peacomm has already ran past the mass-mailing “happy new year” worm (W32.Mixor.Q@mm) despite getting a much later start in the period. The actual number of Peacomm spam is even higher because the majority of messages detected as Trojan.Packed.8 are a result of Peacomm spam as well. Trojan.Packed.8 was a heuristic detection that initially triggered on Peacomm when it was released, but due to the increase in Peacomm activity it was split out into its own detection to allow it to be tracked more easily.
In the above graph (Fig. 1), W32.Mixor.Q@mm comes second after Peacomm in the amount of email detected. Because it is a mass-mailer, Mixor.Q is generating this email directly, unlike Peacomm which is being spammed out. However, there is a link between the two malware. While the first sample of Mixor.Q did not contain Peacomm, it did contain a simple downloader executable. Later samples of Mixor.Q were slightly modified to embed Peacomm, with Mixor simply dropping the executable and running it. It is highly likely that there is a direct correlation between the number of Mixor infections and the later rise of Peacomm, considering that Mixor dropped Peacomm as a payload.
A logical assumption would be that Mixor sent out Peacomm itself, but upon close analysis of a number of Mixor samples, this is not the case. Mixor merely drops Peacomm; so, we believe Peacomm was manually spammed out and the likely chain of events is as follows:
1. Mixor is embedded with Peacomm
2. Mixor self-replicates and infects a large number of hosts
3. Mixor drops Peacomm onto the infected system
4. Peacomm downloads other .exe files including spam proxies, mail harvesters, and self-updaters
5. The spam proxies are used to send spam: “game1.exe” spams out text stocks, and “game0.exe” (copied as taskdir.exe) spams out image-based stocks
One thing to note is that to date we have not seen any Peacomm-infected hosts instructed to send out emails with Peacomm attached in order to propagate Peacomm; these infected hosts are only sending out spam.
This chart displays the amount of malware caught by our antispam solutions on a daily basis. The first bump is again due to Mixor.Q, which used social-engineering to persuade victims to open up a nasty New Year’s e-greeting card, while the second and more pronounced spike is due to Peacomm hitting the scene. If you have a hard time reading the numbers (they may be a little small), the spike on 2007-1-19 for Peacomm nearly struck the 13 million spam messages mark!
The Peacomm spam is changing form and is now sending out image-based spam that continues to advertise penny stocks. (Fig. 3) The image spam is being sent out at a slightly slower rate, but is still continuous. There are also new spam samples with “romantic” subjects, but these are being easily caught by Symantec Brightmail AntiSpam traps.
Figure 3. Peacomm image-based spam
As for the malware samples, there continues to be new executables downloaded and run to send new image-based spam. New malware variants are still being detected; however, the rootkit in the latest samples is the same used in the previous version.
In regard to operating systems affected, both the non-rootkit sample and the rootkit sample fail to install on Vista with UAC turned on. If a user explicitly right-clicks on the malicious file and clicks "Run as Administrator", then the threat will install the wincom32 driver file and registry entries, but the threat will fail to actually run. However, the restriction in the code that prevented it from executing on Windows 2003 has now been removed.
Symantec Security Response will continue to monitor this threat closely and release any new information or protection updates as new findings come to light.