Sep 21
11:37 am (UTC-7)   |   by David Sancho (Malware Researcher)

It looks like the Storm botnet is renting its services to different websites. In this case, we caught emails in our Storm honeypot that look like Storm emails:

Pharmacy Spam from Storm botnet

The domain names are taken from a pool of about 10. They are all .com domains and are not recognizable words or brand names. They all resolve to different DNS names hosted by the botnet's fast-flux network. This means that every time you access one of these websites, a different member of the botnet will point your browser to the same pharmacy-related website. These pharmacies are the clients of the botnet, so they must be paying big to be advertised through spammed messages and to have users redirected from the emails to the website, whose real domain you never see. This is living proof of the economics behind botnets.
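One way a defender can spot the pattern described above in passive-DNS data, as an added example that is not part of the original post: it flags domains whose A records rotate across many hosts with short TTLs, then lists the hosts shared between flagged domains. The domain names, IP addresses (documentation ranges), thresholds and the use of /24 prefixes as a stand-in for network diversity are all assumptions made for the sample.

```python
# Added example: fast-flux heuristic over constructed passive-DNS observations.
from collections import defaultdict
from ipaddress import ip_network

# (domain, A-record IP, TTL seconds): constructed sample data, documentation ranges only.
OBSERVATIONS = [
    ("qzkvbn.example", "192.0.2.10", 180),
    ("qzkvbn.example", "198.51.100.23", 180),
    ("qzkvbn.example", "203.0.113.77", 120),
    ("qzkvbn.example", "192.0.2.200", 180),
    ("xwprtl.example", "198.51.100.23", 180),
    ("xwprtl.example", "203.0.113.5", 180),
    ("xwprtl.example", "192.0.2.10", 60),
    ("xwprtl.example", "203.0.113.77", 180),
    ("shop.example", "192.0.2.50", 3600),
    ("shop.example", "192.0.2.51", 3600),
]

# Thresholds are assumptions for this sample, not values from the post.
MIN_IPS, MIN_NETWORKS, MAX_TTL = 4, 3, 300

def profile(observations):
    """Per domain: set of IPs, set of /24 networks, and the largest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttl": 0})
    for domain, ip, ttl in observations:
        s = stats[domain]
        s["ips"].add(ip)
        s["nets"].add(ip_network(f"{ip}/24", strict=False))
        s["ttl"] = max(s["ttl"], ttl)
    return stats

def fast_flux_domains(observations):
    """Domains with many IPs spread over many networks, all with short TTLs."""
    return sorted(d for d, s in profile(observations).items()
                  if len(s["ips"]) >= MIN_IPS and len(s["nets"]) >= MIN_NETWORKS
                  and s["ttl"] <= MAX_TTL)

def shared_pool(observations):
    """IPs that served more than one flagged domain, i.e. a shared flux pool."""
    stats, flagged = profile(observations), fast_flux_domains(observations)
    seen = defaultdict(set)
    for d in flagged:
        for ip in stats[d]["ips"]:
            seen[ip].add(d)
    return {ip: sorted(ds) for ip, ds in seen.items() if len(ds) > 1}

if __name__ == "__main__":
    print(fast_flux_domains(OBSERVATIONS))
    print(shared_pool(OBSERVATIONS))
```

Hosts that appear under several flagged domains tie those domains to one flux network, which is how a small pool of unrelated-looking names can be grouped for blocking.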

Here’s a screenshot of the pharmacy site:

Pharmacy site advertised by the Storm botnet




© Copyright 2009 Trend Micro Inc. All rights reserved.