By Jack M. Germain TechNewsWorld Part of the ECT News Network
06/11/08 4:00 AM PT
Security researchers at Cisco's IronPort say they've pieced together the complex con operation behind the Storm Worm, a persistent Web threat. The botnet's purpose, they say, was essentially to act as a virtual dealer of prescription -- and often bogus -- medication, sometimes enlisting work-from-home employees who thought they were doing legitimate tasks.
Despite their discovery of a direct link to the funding sources behind the infamous Storm Virus, IronPort Systems researchers are doubtful law enforcement will ever nail the perpetrators. Still, improving technologies may help to block its continuing spread.
In its latest Security Trends Report, released Wednesday, Cisco-owned IronPort exposes links between malware originators and online pharmaceutical companies selling fake and unregulated drugs.
IronPort announced its discovery of an online criminal ecosystem comprised of illegal pharmaceutical supply chain businesses that recruit botnets to send spam promoting their Web sites. By converting spam into high-value pharmaceutical purchases, these supply chain enterprises allow the monetization of spamming botnets, providing an enormous profit motivation for botnet attacks and continuous innovation.
IronPort's study points to these fake drug traffickers as large sources of funding for Storm virus technology. Among the more insidious related criminal activities involves the enlistment of workers to collect and deliver funds from phishing and fraud schemes that have been initiated through the Storm virus.
In many cases, the workers, who may be responding to a TV, radio or Internet advertisement, innocently sign on to do what appears to be legitimate work from home. In fact, they have been unwittingly immersed in a criminal network performing crimes for which they can be held liable.
"The Storm Virus continues to persist despite assurances from Microsoft (Nasdaq: MSFT) that it is dead. The Storm Virus writers release only small pieces of the infection to keep it obscure. This multi-model malware distribution will continue for a long time," Nilesh Bhandari, product manager at IronPort, told TechNewsWorld.
Smoking Gun
IronPort researchers got a little lucky in sorting through various theories about the source of the Storm Virus, said Bhandari. Researchers made a connection between the virus and SPAMIT.com, a URL that requires a username and password to gain access.
Apparently, the server's capacity had been reached because of a flood of connections from infected computers. Researchers encountered an accompanying error message announcing that the server was busy and asking the user to try again, he said.
"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy Web sites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco (Nasdaq: CSCO) fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains such as SpamIt.com and GlavMed, generating revenue in excess of (US)$150 million per year."
AntiSpy Sleuthing
Using some sleuthing techniques, IronPort researchers found code under the error message linking it to mycanadianpharmacy.com. Entering that URL in a Web browser redirects visitors to CanadaDrugs.com, TechNewsWorld discovered.
Apparently, mycanadianpharmacy.com provides a full-service operation for order fulfillment, said Bhandari. The operation rents out that fulfillment capability to spammers who drive traffic to it with a botnet, he said. A botmaster can remotely issue commands for the robotized computers to execute without the knowledge or consent of the computers' owners.
Millions of consumers' personal computers infected by the Storm Worm via various social engineering tricks and Web-based exploits send spam messages about buying drugs from these online pharmacies. IronPort's research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands like CanadianPharmacy.com, TheCanadianMeds.com and CanadianPharmacyLtd.com.
More Sponsors
Researchers also found a connection between Glavmed.com and the botnet operation, Bhandari said. The owners of Glavmed.com are not partners but let spammers convert pharmacy traffic to real money, according to the security firm.
"They provide a back-end fulfillment for 30 or 40 percent revenue share," he said. "Those participating in the operation can rent parts of the Storm Virus and have all the supporting services for sales. They can rent a complete fulfillment center for the delivery of false and possibly dangerous drugs."
GlavMed recruits botnet spamming partners to advertise its illegal pharmacy Web sites; the partners receive a 40 percent commission on sales orders, according to IronPort. GlavMed offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services.
False Drugs Purchased
IronPort researchers followed the trail they uncovered and ordered sample pills from a pharmacy source in India. They then had an independent lab analyze the contents. The pills IronPort ordered contained sugar and some inert filler, Bhandari said.
A second test sampling from another online pharmacy purchase contained high metal content. The substances could be very harmful to unsuspecting consumers, he said.
IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, according to IronPort.
Flim-Flam Game
Despite what researchers at IronPort uncovered, they concluded it's next to impossible for law enforcement officials to shut down the phony drug sale operations. Much of the activity resembles a sleight-of-hand operation.
"There is no place to shut this down. We can find a name server and a Web server. But the name server is updated to new locations every five minutes," said Bhandari.
Some of the ever-changing servers are also hosted by compromised computers around the world. This makes it virtually impossible to track down the botmasters and those criminals running the fraudulent operations, he said.
"All investigators can detect are short bursts of activity for short periods of time. It is almost not noticeable as a performance hit on the infected computer," Bhandari said.
Defensive Measures
While law enforcement is hard-pressed to capture the perpetrators, malware protection can help corporations, Internet service providers and consumers stem the tide of new spam attacks.
Some of the malware causing Storm Virus infections is hosted on legitimate Web sites, Bhandari noted. Better e-mail filtering and Web security practices can block this.
"At IronPort we see so much of the world's e-mail through our monitoring network that we can pinpoint and stop the spread of the Storm Virus. We can block even the five-minute URL bursts and switched locations," he said.
Other Trends
IronPort's trend report also identifies several ways in which malware is being used to infect host PCs to bypass security software. These methods include:
Webmail spam. Sophisticated bots are operating in conjunction with automated and manual captcha-breaking processes to create large numbers of free webmail accounts. After the accounts are created, the bots send out spam using these accounts, and the spam recipient observes the messages as originating from a legitimate ISP's mail servers, not from the botnet's. These "theft of reputation" attacks accounted for more than 5 percent of all spam in the first quarter of 2008, up from less than 1 percent the previous quarter.
Google (Nasdaq: GOOG) exploitation. Next-generation malware is using Google's "I'm feeling lucky" search option to channel traffic to infected sites. An estimated 1.3 percent of all Google searches return malware sites as valid results. Given the tremendous volume of searches carried out every minute, this translates into a potentially huge opportunity for malware distributors.
"Out of office" notices. If an e-mail address is spammed when the user has an "out of office" notification turned on, these responses not only validate the address but also allow spammers to hijack the corporate mail server and send spam that appears to be coming from a legitimate address. This style of attack is quite new, and it highlights the sophistication of spammers seeking to circumvent antispam filters.