Side of spam with your Dorf?

As we've blogged about previously, the current form of the constant flood of Dorf spam has been taking advantage of Valentine's Day, which is quickly approaching. An interesting twist observed by SophosLabs this week is that the same IP addresses used in the spam messages to host the Dorf malware (also known as Storm) are also being used to redirect to websites selling penis enlargement pills.

Here are two message samples. The first links to the Valentine's Day Dorf malware and the second redirects to a penis enlargement website, though both use the same IP address:

Sample Dorf
Sample PE

While we have seen examples of the same machines hosting both malware and spam many times before, this is the first time we have seen the machines hosting the Dorf malware (part of the Storm botnet) also being used to host/redirect to spam websites. It's just yet another example of how close the ties between malware and spam really are.

I wonder if it is just a coincidence that they decided to spam out penis enlargement products at the same time they are pushing Dorf malware making use of the holiday most associated with romance. The penis enlargement website suggests that it will take 4-6 months to see the full effects of their product, so those planning on using this to spice up this year's Valentine's Day are likely to be out of luck.

About the author

Brett is a Technical Lead in the AntiSpam Operations team within SophosLabs. He has been working for Sophos since their acquisition of ActiveState in 2003.