Archive for February 10th, 2008

Phast-Phlux Phake Pharma

February 10th, 2008 by Jovi Umawing (Technical Communications)

Trend Micro Senior Threat Researchers Paul Ferguson, David Sancho, and Feike Hacquebord discovered a spammed email message containing a link to a fake Canadian Pharmacy Web site. Below are the email message body and a screenshot of the site that appears when the link is clicked:

Best online drugstore since 1996. Your Coupon #SQzYB. Save 86% Visit us.
alaric dexter

Fake Canadian Web Site Screenshot

Sancho deduced that the site rides on a fast-flux network that most likely belongs to the Storm botnet owners. “Storm has been sending ads for the Canadian Pharmacy since end of January. They use a limited pool of domains hosted by (certain) sites that always redirect to a nicely formatted Canadian Pharmacy Web page. They seem to have a similar strategy as the hohoho2008.com domains back on Christmas.” He added that the domain that housed the fake site shares a root DNS server with several other domains.


Further analysis showed that, in contrast to known Storm fast-flux networks, which were found to have no evident backend, the fast-flux network on which the fake Canadian Pharmacy Web site rides is distinct from Storm’s. He noted, however, that the spam messages carrying the link were sent through the Storm network.

Hacquebord also mentioned that the DNS used as backend of this fast-flux network was also found to be the DNS backend for casino spam sites.
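As an added defender's illustration (not code from this post or from Trend Micro), the following Python sketch aggregates repeated DNS lookups, flags the fast-flux pattern described above (short TTLs with a large rotating IP pool) and then pivots on a shared authoritative nameserver, the same kind of common DNS backend the researchers used to tie the pharmacy and casino sites together. Every domain, IP address and nameserver in the sample data is constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample resolutions: (domain, ttl_seconds, resolved IPs, authoritative NS).
# These are made-up values for illustration, not observations from the post.
OBSERVATIONS = [
    ("pharma-example.test", 60, ["198.51.100.7", "203.0.113.9"], "ns1.backend.test"),
    ("pharma-example.test", 60, ["192.0.2.44", "198.51.100.88"], "ns1.backend.test"),
    ("pharma-example.test", 60, ["203.0.113.120", "192.0.2.201"], "ns1.backend.test"),
    ("casino-example.test", 30, ["192.0.2.5", "203.0.113.77"], "ns1.backend.test"),
    ("casino-example.test", 30, ["198.51.100.2", "192.0.2.150"], "ns1.backend.test"),
    ("static-example.test", 86400, ["198.51.100.10"], "ns.hosting.test"),
    ("static-example.test", 86400, ["198.51.100.10"], "ns.hosting.test"),
]

@dataclass
class DomainProfile:
    ttls: list = field(default_factory=list)
    ips: set = field(default_factory=set)
    nameservers: set = field(default_factory=set)
    lookups: int = 0

def build_profiles(observations):
    """Aggregate repeated lookups of each domain into one profile."""
    profiles = defaultdict(DomainProfile)
    for domain, ttl, ips, ns in observations:
        p = profiles[domain]
        p.ttls.append(ttl)
        p.ips.update(ips)
        p.nameservers.add(ns)
        p.lookups += 1
    return profiles

def is_fast_flux(profile, max_ttl=300, min_ips=4):
    """Heuristic: short TTLs plus an IP pool far larger than a single host would have.
    A CDN can look similar, so treat a hit as a lead for analysts, not a verdict."""
    return max(profile.ttls) <= max_ttl and len(profile.ips) >= min_ips

def cluster_by_nameserver(profiles):
    """Pivot: group flagged domains that share an authoritative nameserver,
    i.e. the shared DNS backend the post describes."""
    clusters = defaultdict(set)
    for domain, p in profiles.items():
        if is_fast_flux(p):
            for ns in p.nameservers:
                clusters[ns].add(domain)
    return {ns: sorted(d) for ns, d in clusters.items()}
if __name__ == "__main__":
    for ns, domains in cluster_by_nameserver(build_profiles(OBSERVATIONS)).items():
        print(f"{ns}: {', '.join(domains)}")
```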

Trend Micro detected and blocked these domains and others that were also found during the week. Users are advised to refrain from clicking links contained in emails that come from untrusted sources. Keeping spam filter patterns updated also remains a must to counter this kind of threat.

There’s More to Come After Storm…

February 10th, 2008 by Roderick Ordoñez (Technical Communications)

The Storm botnet may have inspired a following.

TrendLabs recently came across an HTTP botnet that sends spam and also reports back on its spamming success. Compared to Storm, the botnet — which has been dubbed the “Mayday” botnet — has a smaller network of compromised systems, but this may simply be because it is new.

The botnet shows signs of using a P2P-like system for some of its routines, similar to Storm, and connects to certain servers periodically to get commands. It also drops a file which Trend Micro detects as WORM_MYTOB.TJ.

The botnet seems to be operating from the domain http://{BLOCKED}ydaynet2008.co.uk/, which TrendLabs speculates is a compromised site.

With routines stealthier than Storm’s, this new botnet may easily outgrow Storm if left unchecked. It may even become more powerful than Storm, given that it primarily tries to infect the machines of large businesses.

Should Mayday’s authors decide to use the botnet for one common purpose, it could do more damage than Storm ever will. Mayday may simply be waiting for the right time to wreak havoc, in true botnet fashion.
