Our most recent post described the current increase in spam propagating the Dorf (“Storm”) malware. I thought it’ll be interesting to provide some extra detail on this.
It’s been almost a month since we’ve started seeing “Storm” spam exploiting the Valentine’s theme. Here is how it looks like in retrospective:
The periods of inactivity you see on the graph correspond to weekends. I guess the criminals have some sort of planned “maintenance window” for their botnet farm, when they can release upgrades or prepare the entire botnet for something new and nasty. The past weekend’s “window” was followed by over a 100% increase in Dorf spam volume sent globally.
Apparently, this weekend’s activity also included updating of HTML code and graphics for the payload website, as well as changing the file name for the executable.
The spam campaign template has also changed. In addition to pointing to an IP based URL, some Storm e-mails link to newly registered domain names to give the attack a bit more legitimacy. The domain names were registered in China with corresponding DNS servers hosted on the botnet itself:
$ host -t ns destroy***oon.com destroy***oon.com name server ns5.lllddd***.com. destroy***oon.com name server ns6.lllddd***.com. ... ns5.lllddd***.com = adsl-*-152-121-32.dsl.emhril.sbcglobal.net ns6.lllddd***.com = 210.*.*.71.bb-dynamic.vsnl.net.in ...
It’s not a new tactic employed by this botnet, but it illustrates how self-sufficient it is. It’s probably the largest globally distributed network “offering” hosting of websites, DNS and e-mail “services”.