
Thursday, 17 January 2008

NUWAR Storms On

Distributed threats use infected third parties to mount attacks. The most common distributed attack scenario is a "botnet". Through remote control software injected by email spam and Web-based trojan horses, cyber criminals gain full access to infected PCs, and then combine these "zombie" PCs, or "bots", into organized networks ("botnets").

Through these botnets, criminals gain the power to launch Distributed Denial of Service (DDoS) attacks, commit large-scale click-fraud, and distribute pornography, spam, and malicious content. Botmasters also rent out pieces of these botnets to other cyber criminals, and the rental price is generally determined via auction.

The most significant botnet activities this year were those related to NUWAR (also known as STORM). Trend Micro's Advanced Threat researchers found that the Storm bot network has grown during 2007 and is employing new techniques to organize its armies of computers. The botnet, which comprises computers compromised by NUWAR and TROJ_SMALL variants, planted its first seeds in late 2006 with doomsday messages such as the death of the president of the United States. Its makers' social engineering techniques have since taken advantage of real-life events, including the Kyrill storm in Central Europe last January (TROJ_SMALL.EDW and WORM_NUWAR.CQ), the National Football League season, and holidays, including the 4th of July, Labor Day and Halloween. The infection strategy used most frequently was to send electronic greeting cards with a link to the malware download site.

NUWAR authors have used various techniques to try to evade detection technologies, such as embedding the malware in a password-protected .ZIP or .RAR archive, or using .GIF images (WORM_NUWAR.EN) in the body of spammed email messages. Since May 2007, rather than delivering an infectious file attachment, the criminals have spammed email messages containing a link to an external NUWAR download Web site. The NUWAR threat has continued to evolve in response to detection techniques, relying throughout on sophisticated social engineering.

While NUWAR infections are global, the United States remains the attackers' favorite target. 28% of the IP addresses from which NUWAR-related spammed email messages originate are based in the United States.

STORM / NUWAR's owners have recently broken the botnet into distinct segments, each communicating with a different 40-byte encryption key over a peer-to-peer protocol called Overnet. This P2P communication method allows the attackers to communicate without the need for a single control center, which makes the whole network much more robust than old-style botnet communication. The reasons for this segmentation remain unknown, but the technical expertise and business coordination behind the move reflect an increasing sophistication.

STORM / NUWAR's email database has also grown significantly. Nearly all (97 percent) of the 27 million spammed email messages intercepted by Trend Micro over a 3-month timeframe were on their way to unique recipients. Only around 750 thousand addresses received more than one email, with fewer than 100 recipients receiving five or more messages. The remaining 26.4 million email addresses are unique. This shows the enormity of the email database that the criminals are amassing.
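The recipient breakdown above (share of messages bound for unique recipients, addresses hit more than once, addresses hit five or more times) is the kind of profile an analyst derives from an intercepted spam sample. The following is an added example, not code from this article or from Trend Micro; it computes that profile over a constructed mail log whose format ("timestamp sender recipient", one message per line) is an assumption.

```python
"""Recipient-frequency profile of an intercepted spam sample.

Added example; it is not code from the SDA Asia article or from Trend Micro.
It derives the kind of breakdown the article reports (share of messages bound
for unique recipients, addresses hit more than once, addresses hit five or
more times) from a constructed mail log. The log format is an assumption:
one message per line, "timestamp sender recipient".
"""
from collections import Counter

# Constructed sample log (not real traffic). One malformed line and one
# recipient written with different letter case are included on purpose.
SAMPLE_LOG = """\
2007-10-01T10:00:01 card@example.net alice@example.com
2007-10-01T10:00:02 card@example.net bob@example.com
2007-10-01T10:00:03 card@example.net carol@example.com
2007-10-01T10:00:04 card@example.net dave@example.com
2007-10-01T10:00:05 card@example.net Dave@example.com
2007-10-01T10:00:06 card@example.net erin@example.com
2007-10-01T10:00:07 card@example.net erin@example.com
2007-10-01T10:00:08 card@example.net erin@example.com
2007-10-01T10:00:09 card@example.net erin@example.com
2007-10-01T10:00:10 card@example.net erin@example.com
2007-10-01T10:00:11 card@example.net frank@example.com
this line is malformed and must be skipped
2007-10-01T10:00:12 card@example.net gina@example.com
"""


def recipient_counts(log_text):
    """Count messages per recipient, normalising address case and
    skipping lines that do not have exactly three fields."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or "@" not in fields[2]:
            continue
        counts[fields[2].lower()] += 1
    return counts


def campaign_profile(counts, heavy_threshold=5):
    """Summarise how concentrated a campaign is on its recipient list.

    A campaign whose messages almost all go to distinct addresses points to a
    large harvested address database rather than repeated hammering of a few
    targets, which is the conclusion the article draws from its sample.
    """
    messages = sum(counts.values())
    addresses = len(counts)
    single = sum(1 for c in counts.values() if c == 1)
    multi = addresses - single
    heavy = sum(1 for c in counts.values() if c >= heavy_threshold)
    return {
        "messages": messages,
        "addresses": addresses,
        "single_hit_addresses": single,
        "multi_hit_addresses": multi,
        "heavy_hit_addresses": heavy,
        # Fraction of messages that were the only message to their recipient.
        "unique_recipient_share": (single / messages) if messages else 0.0,
    }


if __name__ == "__main__":
    profile = campaign_profile(recipient_counts(SAMPLE_LOG))
    for key, value in profile.items():
        print(f"{key}: {value}")
```

On the constructed log, 12 messages reach 7 addresses: 5 addresses are hit once, 2 more than once, and 1 five or more times, so the unique-recipient share is 5/12. A real sample of the size the article describes would be streamed from disk rather than held in a string, but the counting is the same.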

David Sancho, a Trend Micro researcher, found proof that the STORM / NUWAR botnet rents its services to Web sites when he identified online pharmacies of dubious origin using STORM-based spam offers. These offers redirect users to sites with masked URLs by using the fast-flux feature of the botnet.

"These pharmacies are the clients of the botnet owners, so they must be paying big for being advertised by means of spammed messages and for redirecting users from the emails to the Web site, whose real domain you never see," added Sancho.
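The fast-flux feature Sancho refers to rotates a domain's A records rapidly across many infected hosts with short TTLs, so the pharmacy site behind a spam link never has a stable address to block. A defender can spot such a domain from repeated lookups alone. The following is an added example, not code from this article or from Trend Micro: it scores a domain on distinct IPs seen, distinct /16 networks and the smallest TTL returned. The thresholds are assumptions chosen for illustration, and the lookup records are constructed rather than real resolver output.

```python
"""Fast-flux indicators for a spam-advertised domain.

Added example; it is not code from the SDA Asia article or from Trend Micro.
Fast-flux hosting rotates a domain's A records rapidly across many infected
hosts with short TTLs, so the site behind a spam link has no stable address
for a blocklist. This block scores repeated lookups of a domain on three
signals: distinct IPs seen, distinct /16 networks those IPs fall in, and the
smallest TTL returned. The thresholds are assumptions for illustration, not
published values, and the lookups are constructed, not resolver output.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Lookup:
    domain: str
    ttl: int          # seconds, as returned in the DNS answer
    ips: tuple        # A records in that answer


# Constructed lookups (documentation address ranges, not real hosts):
# one domain whose answers change on every query, one that is stable.
LOOKUPS = [
    Lookup("pharma-offer.example", 300, ("203.0.113.5", "198.51.100.7", "192.0.2.9")),
    Lookup("pharma-offer.example", 300, ("203.0.113.44", "198.51.100.21", "192.0.2.61")),
    Lookup("pharma-offer.example", 240, ("203.0.113.99", "198.51.100.8", "192.0.2.120")),
    Lookup("www.example.com", 86400, ("93.184.216.34",)),
    Lookup("www.example.com", 86400, ("93.184.216.34",)),
]

# Assumed thresholds: few legitimate sites spread a short-TTL name over this
# many addresses in this many unrelated networks within a handful of lookups.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETWORKS = 3
MAX_TTL_SECONDS = 600


def flux_indicators(lookups, domain):
    """Aggregate repeated lookups of one domain into fast-flux indicators."""
    answers = [lk for lk in lookups if lk.domain == domain]
    if not answers:
        raise ValueError(f"no lookups recorded for {domain}")
    ips = {ip for a in answers for ip in a.ips}
    networks = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    min_ttl = min(a.ttl for a in answers)
    # Count lookups after the first that returned an address not seen before.
    seen, churn = set(), 0
    for i, a in enumerate(answers):
        if i > 0 and not set(a.ips) <= seen:
            churn += 1
        seen.update(a.ips)
    result = {
        "lookups": len(answers),
        "distinct_ips": len(ips),
        "distinct_networks": len(networks),
        "min_ttl": min_ttl,
        "lookups_with_new_ips": churn,
    }
    result["fast_flux"] = (
        result["distinct_ips"] >= MIN_DISTINCT_IPS
        and result["distinct_networks"] >= MIN_DISTINCT_NETWORKS
        and min_ttl <= MAX_TTL_SECONDS
    )
    return result


if __name__ == "__main__":
    for name in ("pharma-offer.example", "www.example.com"):
        print(name, flux_indicators(LOOKUPS, name))
```

The /16 grouping is a cheap stand-in for the autonomous-system diversity that fuller fast-flux detectors use; legitimate content-delivery networks also return many addresses with short TTLs, but they tend to keep those addresses inside a small number of their own networks, which is why the network count matters alongside the raw IP count.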

Other potential applications of the STORM / NUWAR botnet, such as large-scale identity theft, could be far more lucrative to the botnet's owners, and far more damaging to end-users and businesses.

Copyright © 2009 SDA Asia Magazine - All Rights Reserved