COMPUTERWORLD / Security
April 10, 2009
Conficker botnet could flood Web with spam
------------------------------------------
It could send billions of messages daily,
says Russian security researcher
By
Gregg Keizer
April 10, 2009 (Computerworld) Windows PCs infected with the Conficker
worm have turned into junk mail-spewing robots capable of sending
billions of spam messages a day, a security company warned today.
According to Kaspersky Lab, a Moscow-based antivirus firm, yesterday's
update to Conficker, which in some cases was accompanied by the Waledac
spam bot, has resulted in a floodtide of junk e-mail.
"In just 12 hours, one bot alone sent out 42,298 spam messages," said
Kaspersky researcher Alex Gostev in a message Friday. "A simple
calculation shows that one bot sends out around 80,000 e-mails in 24
hours. Assuming that there are 5 million infected machines out there,
the [Conficker] botnet could send out about 400 billion spam messages
over a 24-hour period!"
The spam is pitching pharmaceuticals exclusively at the moment, said
Gostev, primarily erectile dysfunction medications such as Viagra and
Cialis, with message subject headings, including "She will dream of
you days and nights!" and "Hot life -- our help here. Ensure your
potence [sic] today!"
Gostev also noted that almost every message contained a unique domain
in the embedded link, a tactic spammers sometimes use to side-step
antispam filters, which analyze the frequency that any one domain is
used. "We detected the use of 40,542 third-level domains and 33
second-level domains," said Gostev. "They all belonged to spammers
and the companies that ordered these mailings."
Most of the domains are hosted in China, he added.
Conficker, the worm that first appeared in November 2008, exploded
in early 2009 to infect several million machines and set off a
near-panic as an April 1 trigger date approached, was fed a new
version early Thursday that restored its ability to spread and beefed
up its defenses against security tools. If it successfully updated an
already-infected PC, Conficker.e -- as the new variant has been labeled
-- also downloaded and installed a noted spam bot, Waledac.
Waledac has its own checkered history, in that it's assumed to have
been created by some of the same hackers who operated the notorious
Storm botnet during 2007 and 2008.
The spam coming from Conficker.e-infected systems is actually generated
and sent by the Waledac bot Trojan.
Some Conficker bots have also downloaded and installed Spyware Protect
2009, one of the many "scareware" programs in circulation. Scareware
is the term given to fake anti-malware software that generates bogus
infection warnings and then nags users with endless alerts until they
pay to $50 to buy the useless program. According to Microsoft, the
scam -- also called "rogue software" -- is one of the biggest threats
to Internet users. In the second half of 2008 alone, Microsoft's
anti-malware tools cleaned nearly 6 million PCs of scareware-related
infections.
Yesterday, another researcher raised the alarm about the new Conficker
and the software it drops, saying that the spam and scareware angles
were clearly the first solid evidence of how the worm's makers planned
to profit from their crime. "I don't want to be a scaremonger," said
Kevin Hogan, director of security response operations at Symantec Corp.
"But the situation now, as Conficker does go back to propagating, is
actually more serious than a couple of weeks ago."
##
|
