Dorf: Amero, postcards, FBI vs. Facebook

After the US vs. Iran Dorf (Storm) spam campaign, the malware authors took a short break and the botnet stopped sending its regular campaigns.

Starting a week ago, the authors renewed their attacks and published 3 campaigns within the last 8 days. On the 21st, we saw a campaign for the new currency Amero (the North American version of the Euro). On the 24th, the often-seen “loveyou” postcards campaign was launched.

This morning (28th) at 0630 PST, the malware authors launched an FBI vs. Facebook spam campaign. A capture of the latest Dorf website is below, where the link points to the malware executable fbi_facebook.exe:

FBI vs. Facebook

The email subjects for the latest campaign include:

F.B.I. may strike Facebook
F.B.I. watching us
The FBI’s plan to “profile” Facebook
The FBI has a new way of tracking Facebook
F.B.I. are spying on your Facebook profiles
F.B.I. busts alleged Facebook
Get Facebook’s F.B.I. Files
Facebook’s F.B.I. ties
F.B.I. watching you

This latest Dorf campaign uses both domain names and raw IP addresses as links. We have seen 6 Dorf domains so far.

The malware and spam messages changed very little even though the topics and websites were updated regularly. The malware is proactively detected as Dorf-O, and the spam messages are proactively detected by published antispam rules.
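As an added example, not code from the original post or from any vendor's published antispam rules, here is a minimal filter in the spirit of those rules: it flags the campaign's subject lines and links to an .exe hosted on a bare IP address or named fbi_facebook.exe, but treats a subject match alone as insufficient. The indicator names are made up for this example, and the IP address and domain in the test messages are constructed.

```python
import re
from email import message_from_string

# Subject lines the post lists for the FBI vs. Facebook campaign (lower-cased,
# with typographic quotes normalised to ASCII).
CAMPAIGN_SUBJECTS = {
    "f.b.i. may strike facebook",
    "f.b.i. watching us",
    'the fbi\'s plan to "profile" facebook',
    "the fbi has a new way of tracking facebook",
    "f.b.i. are spying on your facebook profiles",
    "f.b.i. busts alleged facebook",
    "get facebook's f.b.i. files",
    "facebook's f.b.i. ties",
    "f.b.i. watching you",
}
# Link whose host is a bare IPv4 address and whose path ends in .exe, the
# IP-based link style the post describes (constructed pattern, not a vendor rule).
IP_HOSTED_EXE = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/[^\s\"'<>]*\.exe\b", re.I)
# Link, domain- or IP-based, to the campaign's executable name.
CAMPAIGN_EXE = re.compile(r"https?://[^\s\"'<>]+/fbi_facebook\.exe\b", re.I)

def _text_parts(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("utf-8", "replace"))
    return "\n".join(chunks)

def dorf_indicators(raw_message):
    """Return the indicator names that fire on one RFC 822 message string."""
    msg = message_from_string(raw_message)
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    subject = subject.replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')
    body = _text_parts(msg)
    hits = []
    if subject in CAMPAIGN_SUBJECTS:
        hits.append("subject:fbi-facebook-lure")
    if IP_HOSTED_EXE.search(body):
        hits.append("link:ip-hosted-exe")
    if CAMPAIGN_EXE.search(body):
        hits.append("link:fbi_facebook.exe")
    return hits

def is_dorf_spam(raw_message):
    # A matching subject alone is weak evidence (a news story may reuse the
    # headline); require a link indicator before treating the mail as Dorf spam.
    return any(h.startswith("link:") for h in dorf_indicators(raw_message))
```

Subjects sent as RFC 2047 encoded words would need email.header.decode_header before the lookup; the example assumes plain-text headers.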

Below are some statistics for the Dorf campaigns with IP-based links for the month of July. The Dorf botnet was quiet until the start of the Fourth of July Fireworks campaign, which was active until July 5th. The botnet then switched to the domain-based “US vs. Iran” campaign until the 8th (not shown in the figure). The botnet then lay dormant until the 21st, when the spam campaigns started anew.

July 2008

One has to wonder what the Dorf authors were doing for two weeks. Perhaps they went off for a summer vacation?