We've been watching Wargbot for the past week to monitor its activities. As noted in our previous blog entry, Wargbot was being used to send spam. I wanted to provide some statistics and anecdotes on Wargbot's activities.
As part of our standard intelligence gathering, we monitor a varietyof botnets. Usually, these botnets don't stay up too long because ISPsrespond to our shutdown notices, but servers related to Wargbot havebeen up for a week already and have been quite active. In particular,Wargbot downloads Backdoor.Ranky, which converts the infected machineinto a proxy for spam. Since the spam started coming through, we'veseen tens of thousands of spam messages being pumped through ourhoneypot; we actually take all of these spam messages and redirect themto the Symantec Email Security Group. The Email Security Group thenverifies that existing spam signatures and heuristics already catch thespam, otherwise new signatures and updated heuristics are created. Thisway, our customers are protected from such spam messages.
Inaddition, because we are intercepting these spam messages they neverreach their intended recipients, but as far as the malware authorknows, his spam runs have been successful. With a single machine, theauthor averages a spam message every 3.7 seconds with each messagebeing delivered to an average of six recipients. That is over 5,800spam messages in an hour.
The type of spam involved with Wargbot varies, but it is your usualmix of pharmaceutical or financing offers, stock scams, and e-commercesites selling replica goods. However, included in the mix were phishingmessages for a variety of banks, mostly in Europe. Based on this mix ofmessages it’s clear the author isn't sending spam on his own behalf,but is a middle man sending out spam for others (at a price).
The whole motivation behind the average malicious code author hasdefinitely been changing over the past few years. In the old days,malicious code authors tended to be young males creating things to showoff, but now money is the biggest motivator.