The Storm Worm's Elaborate Con Game
Security researchers at Cisco's IronPort say they've pieced together the complex con operation behind the Storm Worm, a persistent Web threat. The botnet's purpose, they say, was essentially to act as a virtual dealer of prescription -- and often bogus -- medication, sometimes enlisting work-from-home employees who thought they were doing legitimate tasks.
06/11/08 4:00 AM PT
Despite their discovery of a direct link to the funding sources behind the infamous Storm Virus, IronPort Systems researchers are doubtful law enforcement will ever nail the perpetrators. Still, improving technologies may help to block its continuing spread.
In its latest Security Trends Report, released Wednesday, Cisco-owned IronPort exposes links between malware originators and online pharmaceutical companies selling fake and unregulated drugs.
IronPort announced its discovery of an online criminal ecosystem comprised of illegal pharmaceutical supply chain businesses that recruit botnets to send spam promoting their Web sites. By converting spam into high-value pharmaceutical purchases, these supply chain enterprises allow the monetization of spamming botnets, providing an enormous profit motivation for botnet attacks and continuous innovation.
IronPort's study points to these fake drug traffickers as large sources of funding for Storm virus technology. Among the more insidious related criminal activities involves the enlistment of workers to collect and deliver funds from phishing and fraud schemes that have been initiated through the Storm virus.
In many cases, the workers, who may be responding to a TV, radio or Internet advertisement, innocently sign on to do what appears to be legitimate work from home. In fact, they have been unwittingly immersed in a criminal network performing crimes for which they can be held liable.
"The Storm Virus continues to persist despite assurances from Microsoft that it is dead. The Storm Virus writers release only small pieces of the infection to keep it obscure. This multi-model malware distribution will continue for a long time," Nilesh Bhandhari, product manager at IronPort, told TechNewsWorld.
IronPort researchers got a little lucky in sorting through various theories about the source of the Storm Virus, said Bhandari. Researchers made a connection between the virus and SPAMIT.com, a URL that requires a username and password to gain access.
Apparently, the capacity was reached from a flood of connections by infected computers. Researchers unveiled an accompanying error message announcing the server was busy and asking the user to try again, he said.
"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy Web sites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains such as SpamIt.com and GlavMed, generating revenue in excess of (US)$150 million per year."
Using some sleuthing techniques, IronPort researchers found code under the error message linking it to mycanadianpharmacy.com. Entering that URL in a Web browser redirects visitors to CanadaDrugs.com, TechnewsWorld discovered.
Apparently, mycanadianpharmacy.com provides a full service operation for order fullfillment, said Bhandari. The operation involves the use of a botnet to rent out fullfillment, he said. A botmaster can remotely access commands for the robotized computers to execute without the knowledge or consent of the computers' owners.
Millions of consumers' personal computers infected by the Storm Worm via various social engineering tricks and Web-based exploits send spam messages about buying drugs from these online pharmacies. IronPort's research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands like CanadianPharmacy.com, TheCanadianMeds.com and CanadianPharmacyLtd.com, according to IronPort.
Researchers also found a connection between Glavmed.com and the botnet operation, Bhandari said. The owners of Glavmed.com are not partners but let spammers convert pharmacy traffic to real money, according to the security firm.
"They provide a back-end fullfillment for 30 or 40 percent revenue share," he said. "Those participating in the operation can rent parts of the Storm Virus and have all the supporting services for sales. They can rent a complete fullfillment center for the delivery of false and possibly dangerous drugs."
GlavMed recruits botnet spamming partners to advertise their illegal pharmacy Web sites, which receive a 40 percent commission on sales orders, according to Iron Port. GlavMed offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services.
False Drugs Purchased
IronPort researchers followed the trail they uncovered and ordered sample pills from a pharmacy source in India. They then had an independent lab analyze the contents. The pills IronPort ordered contained sugar and some inert filler, Bhandari said.
A second test sampling from another online pharmacy purchase contained high metal content. The substances could be very harmful to unsuspecting consumers, he said.
IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, according to IronPort.
Despite what researchers at IronPort uncovered, they concluded it's next to impossible for law enforcement officials to shut down the phony drug sale operations. Much of the activity resembles a sleight-of-hand operation.
"There is no place to shut this down. We can find a name server and a Web server. But the name server is updated to new locations every five minutes," said Bhandari.
Some of the ever-changing servers are also hosted by compromised computers around the world. This makes it virtually impossible to track down the botmasters and those criminals running the fraudulent operations, he said.
"All investigators can detect are short bursts of activity for short periods of time. It is almost not noticeable as a performance hit on the infected computer, Bhandari said.
While law enforcement is hard-pressed to capture the perpetrators, malware protection can help corporations, Internet service providers and consumers stem the tide of new spam attacks.
Some of the malware causing Storm Virus infections are hosted on legitimate Web sites, Bhandari noted. Better E-mail filtering and Web security practices can block this.
"At IronPort we see so much of the world's e-mail through our monitoring network that we can pinpoint and stop the spread of the Storm Virus. We can block even the five-minute URL bursts and switched locations," he said.
IronPort's trend report also identifies several ways in which malware is being used to infect host PCs to bypass security software. These methods include:
- Webmail spam. Sophisticated bots are operating in conjunction with automated and manual captcha-breaking processes to create large numbers of free webmail accounts. After the accounts are created, the bots send out spam using these accounts, and the spam recipient observes the messages as originating from a legitimate ISP's mail servers, not from the botnet's. These "theft of reputation" attacks accounted for more than 5 percent of all spam in the first quarter of 2008, up from less than 1 percent the previous quarter.
- Google exploitation. Next-generation malware is using Google's "I'm feeling lucky" search option to channel traffic to infected sites. An estimated 1.3 percent of all Google searches return malware sites as valid results. Given the tremendous volume of searches carried out every minute, this translates into a potentially huge opportunity for malware distributors.
- "Out of office" notices. If an e-mail address is spammed when the user has an "out of office" notification turned on, these responses not only validate the address but also allow spammers to hijack the corporate mail server and send spam that appears to be coming from a legitimate address. This style of attack is quite new, and it highlights the sophistication of spammers seeking to circumvent antispam filters.