Storm Worm Chronology
Websense Security Labs blog, 09/26/2007
Secondly, the scope of the attacks is unprecedented. It is generally accepted that the point of these attacks is to build a huge botnet for financial gain; stock pump-and-dump scams and even DDoS attacks have been blamed on it. In other words, although the attacks are very basic, they have had widespread success.
A third point of interest, and the research focus for this post, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter: we consider "NFL" spam to be one instance of the Storm attack and "ArcadeWorld" another, but on that alone we cannot make an assertion about their rate of occurrence or their precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology.
We have blogged about the Storm attacks before; see our earlier post for additional background.
Methodology
The focus of our method is to identify as many "Storm Worm" subjects as we can, establish the timeline of each individual subject, and then group those subjects into topics. What we should end up with is a report, by topic, that allows us to analyze specific characteristics of those emails.
The report generation is done through a tool which queries our database (see the Appendix). It has been re-run several times during the construction of this report, both to re-verify against fresh data and to make incremental corrections to the group and subject arrangement. The tool is initialized with a list of candidate email subjects. Each subject is analyzed: its emails and URLs are counted and summed, and the first start date and last end date of every email with that subject are recorded. The results are output to a table with the following columns: Start and End (the first and last day the subject was seen in our spam trap), Emails, URLs (lure URLs extracted from those emails; this can differ from Emails because a single email may carry more than one URL, or none), URLs (New) and URLs (Dup) (URLs not previously seen in the trap versus URLs already seen in earlier emails), each also expressed as a percentage of the URLs column. The per-group tables, and the combined table under "All Groups", use this format.

In addition, the tool generates a graph which shows the daily volume of those subjects within the ranges presented in the table. While the table will only show the start and end dates of the subject, the graphs impart information about the actual distribution per-day of those subjects. Subjects are superimposed so we can see the distribution pattern between them.
The subject selection itself is critical to this method. We must attempt to identify every possible subject which was used in the run in question. Much of this information is already possessed internally by Websense Labs, as we have been closely tracking Storm and its variants for some time. The rest were discovered through a combination of external research, and internal research through our portal interface.
Results
So what did we find? First of all, we identified a list of over 50 email subjects (84 appear in the final table below), spread over all occurrences since the ecard breakout in June 2007, that are confirmed Storm Worm email threads. From these subjects we identified several distinct groups, each correlating to a chronologically and topically segregated run. The groups are as follows. Note that this layout is ordered by start time, that is, the date on which we saw the first occurrence of the subject in our spam trap; the report timelines therefore reflect the same ordering of groups.
Group 1: ecard
The "ecard" spam run starting in June 2007. These are email subjects that start with the line "Youve (sic) received a greeting card from a ..." followed by a randomly chosen ending: "mate", "neighbor", "class-mate" and so forth.

The graph exhibits features that tell us we are on the right track: the subjects all appear at similar rates, in relatively similar patterns, and over nearly identical timeframes. This is what we look for to tell us whether our grouping strategy is working.
Group 2: ecard2
This covers the second ecard-related run, which begins on 8/15, the same day the first ecard run ends, and is essentially over by 8/17. Most of these are greeting-card lures as in the first ecard run, and the tactics are basically the same. However, there is a clear chronological break between ecard and ecard2, plus an entirely different set of subjects, so we chose to use two groups. (One subject, "Birthday Card", keeps an end date of 9/21 in the table; a subject that generic is likely to match unrelated mail in the trap, so its end date should be read with that in mind.)

Group 3: phishy
Immediately after ecard2, the topic switches to phishing-style subjects such as "Login Verification" and "New User Details", offering fake account login information.

Group 4: help
This is a small run on 8/28. Lures include "Beta testing" of new software and requests for help and feedback. The spammed executable is "setup.exe", with a detection similar to those that came before.

This one vanishes pretty quickly: every subject in the group starts and ends on 8/28. Perhaps a test run, or a poor return. It also suggests a limitation of our analysis: a single spam trap is likely to have "blind spots", since it is not guaranteed to receive every email a run sends.
Group 5: video
The bulk of this run starts on 8/29, right after "help", and here the tactics start shifting. Although there is only a small collection of subjects, the volume of the run is quite high. The bait is some variation on getting the user to download a "hot new" video; the delivery is unchanged (a direct link to the executable). Note that two of the subjects ("I cant belive you did this" and "man, who filmed this thing?") appear in the trap from 8/25, overlapping the tail of "phishy" and the "help" run, and account for most of the group's volume.

At first appearance this looks like two runs superimposed on each other. The tail end of the longer run skips over the Labor Day weekend and then vanishes the following week (last seen 9/7). Guess they don't work holidays.
Group 6: labor_day
...or do they? As if to prove, albeit for a short time, the industrious work ethic of Storm, the hard-working fellows push out a special Labor Day spam run. We wait with bated breath for specially branded attacks on our other favorite holidays (Flag Day and Leif Ericson Day come to mind), but we will be content with this one for now.

One might predict from the table (every subject starts on 9/3 and ends on 9/4) that the graph would likewise look wholly uninteresting. They would be right on this one.
Group 7: privacy
Back from the long weekend (well, it's actually Thursday by now, so we suppose the extra two days are for catching up on unfinished drinking), our fine purveyors of potted meat roll up their sleeves and try something different. These are a series of scare-tactic subjects, such as "big brother is watching", "privacy violation" and so forth, and offering a download to "protect your privacy".

This is a pretty low-volume run, confined to a single day (9/6). Either the tactic was not successful, or our trap just didn't get enough of them to establish a longer history.
Group 8: nfl
As if we didn't have enough to worry about, September brings us to the start of football season. It would make sense for the bad guys to remain topical, after all, and they don't disappoint. By using our keenly developed sense of reading comprehension, we can determine that this is, indeed, a collection of football-related subjects, some offering a "Gametracker", others tantalizing us with outrageous lines such as "football season has begun". Two things: how can we resist, and what can possibly go wrong?
As it turns out, quite a bit: now we have an escalation in tactics. All Storm spams to this date were of a fairly pedestrian variety: a short email with a lure as the subject and a direct link to the trojan executable, hosted by the zombie itself. The "nfl" run has the zombies hosting an entire web page with current NFL game stats, with every link on the page pointing to an "NFL Tracker" trojan download.

The timeframe for the bulk of the run, 9/8 (Sat.) through 9/12 (Wed.), encompasses the season-opener games on Sunday and Monday, with a couple of extra days tacked on to reel in some extra victims. After this it slinks back into the shadows (last seen 9/14).
Group 9: arcade
This brings us to the latest run and, sadly, the end of our current timeline. This group is commonly referred to as the "ArcadeWorld" variant. Tactics here escalate once again: in addition to hosting a legitimate-looking web page with clickable links, just as in the "nfl" version, the page itself carries obfuscated, heap-spray-style malicious JavaScript near the end which attempts to exploit the visiting browser automatically, without the visitor having to click anything.

This is a run in progress as of this writing. Note that there are currently three distinct start dates within the group: the first on 9/15, a smaller run on 9/19, and the appearance of new subjects on 9/24.
All Groups
Here is every run, put together, ordered by start date. Note that "video" is listed after "help" even though two of its subjects were first seen on 8/25; the bulk of the video run begins on 8/29. The graph is also an aggregate of all groups to show the relationship between the runs.
| Group/Subj | Start | End | Emails | URLs | URLs (New) | URLs (New %) | URLs (Dup) | URLs (Dup %) |
|---|---|---|---|---|---|---|---|---|
| **ecard** | 20070629 | 20070815 | 46487 | 53428 | 19328 | 36.18% | 34100 | 63.82% |
| Youve received a greeting card from a partner | 20070629 | 20070815 | 4227 | 4866 | 1194 | 24.54% | 3672 | 75.46% |
| Youve received a greeting card from a colleague | 20070629 | 20070814 | 4277 | 4906 | 2396 | 48.84% | 2510 | 51.16% |
| Youve received a greeting card from a friend | 20070629 | 20070815 | 4921 | 5629 | 2120 | 37.66% | 3509 | 62.34% |
| Youve received a greeting card from a worshipper | 20070629 | 20070810 | 3736 | 4281 | 666 | 15.56% | 3615 | 84.44% |
| Youve received a greeting card from a family member | 20070629 | 20070814 | 3082 | 3656 | 1557 | 42.59% | 2099 | 57.41% |
| Youve received a greeting card from a school-mate | 20070630 | 20070815 | 3857 | 4383 | 751 | 17.13% | 3632 | 82.87% |
| Youve received a greeting card from a class-mate | 20070630 | 20070815 | 5346 | 5973 | 3559 | 59.58% | 2414 | 40.42% |
| Youve received a greeting card from a school mate | 20070630 | 20070814 | 2026 | 2478 | 597 | 24.09% | 1881 | 75.91% |
| Youve received a greeting card from a class mate | 20070630 | 20070815 | 3584 | 4185 | 3071 | 73.38% | 1114 | 26.62% |
| Youve received a greeting card from a neighbour | 20070630 | 20070815 | 4289 | 4829 | 1311 | 27.15% | 3518 | 72.85% |
| Youve received a greeting card from a mate | 20070630 | 20070814 | 3520 | 4073 | 1378 | 33.83% | 2695 | 66.17% |
| Youve received a greeting card from a school friend | 20070701 | 20070810 | 2368 | 2792 | 433 | 15.51% | 2359 | 84.49% |
| Youve received a greeting card from a neighbor | 20070718 | 20070814 | 1254 | 1377 | 295 | 21.42% | 1082 | 78.58% |
| **ecard2** | 20070815 | 20070921 | 7698 | 7925 | 2679 | 33.80% | 5246 | 66.20% |
| Musical postcard | 20070815 | 20070817 | 977 | 1016 | 199 | 19.59% | 817 | 80.41% |
| Movie-quality card | 20070815 | 20070817 | 1177 | 1225 | 733 | 59.84% | 492 | 40.16% |
| Birthday e-card | 20070815 | 20070817 | 1064 | 1091 | 247 | 22.64% | 844 | 77.36% |
| Greeting e-card | 20070815 | 20070817 | 1105 | 1123 | 315 | 28.05% | 808 | 71.95% |
| Birthday Card | 20070815 | 20070921 | 981 | 1012 | 329 | 32.51% | 683 | 67.49% |
| Love postcard | 20070815 | 20070817 | 1424 | 1473 | 664 | 45.08% | 809 | 54.92% |
| Funny card | 20070815 | 20070817 | 970 | 985 | 192 | 19.49% | 793 | 80.51% |
| **phishy** | 20070820 | 20070825 | 17992 | 13194 | 3737 | 28.32% | 9457 | 71.68% |
| Technical Support | 20070820 | 20070823 | 2676 | 1970 | 263 | 13.35% | 1707 | 86.65% |
| Tech Department | 20070820 | 20070823 | 3424 | 2538 | 923 | 36.37% | 1615 | 63.63% |
| Login Verification | 20070820 | 20070825 | 3390 | 2413 | 387 | 16.04% | 2026 | 83.96% |
| Registration Confirmation | 20070820 | 20070823 | 3073 | 2198 | 629 | 28.62% | 1569 | 71.38% |
| User Services | 20070820 | 20070823 | 2722 | 2065 | 415 | 20.10% | 1650 | 79.90% |
| New User Details | 20070820 | 20070823 | 2707 | 2010 | 1120 | 55.72% | 890 | 44.28% |
| **help** | 20070828 | 20070828 | 1323 | 1323 | 507 | 38.32% | 816 | 61.68% |
| Beta testers needed | 20070828 | 20070828 | 264 | 264 | 117 | 44.32% | 147 | 55.68% |
| We need you | 20070828 | 20070828 | 247 | 247 | 47 | 19.03% | 200 | 80.97% |
| New Software needs Beta testers | 20070828 | 20070828 | 243 | 243 | 50 | 20.58% | 193 | 79.42% |
| Would you help us with a new program | 20070828 | 20070828 | 251 | 251 | 68 | 27.09% | 183 | 72.91% |
| Helps us out and let us say thanks | 20070828 | 20070828 | 318 | 318 | 225 | 70.75% | 93 | 29.25% |
| **video** | 20070825 | 20070907 | 18878 | 18172 | 3226 | 17.75% | 14946 | 82.25% |
| I cant belive you did this | 20070825 | 20070907 | 6574 | 6276 | 1256 | 20.01% | 5020 | 79.99% |
| man, who filmed this thing? | 20070825 | 20070907 | 6828 | 6413 | 748 | 11.66% | 5665 | 88.34% |
| this video is not out yet | 20070829 | 20070831 | 1093 | 1094 | 297 | 27.15% | 797 | 72.85% |
| Hot new video | 20070829 | 20070831 | 971 | 972 | 463 | 47.63% | 509 | 52.37% |
| oh man, you got to see this video | 20070829 | 20070831 | 1066 | 1068 | 131 | 12.27% | 937 | 87.73% |
| awesome new video | 20070829 | 20070831 | 1112 | 1112 | 102 | 9.17% | 1010 | 90.83% |
| your gonna love this, lol | 20070829 | 20070831 | 1234 | 1237 | 229 | 18.51% | 1008 | 81.49% |
| **labor_day** | 20070903 | 20070904 | 11102 | 10694 | 1759 | 16.45% | 8935 | 83.55% |
| Your Friend Sends A Labor Day Greeting | 20070903 | 20070904 | 1329 | 1286 | 121 | 9.41% | 1165 | 90.59% |
| A Labor Day E-Card | 20070903 | 20070904 | 3397 | 3279 | 364 | 11.10% | 2915 | 88.90% |
| Your E-Greeting is waiting. | 20070903 | 20070904 | 1795 | 1730 | 240 | 13.87% | 1490 | 86.13% |
| A Labor Day Greeting | 20070903 | 20070904 | 1628 | 1563 | 473 | 30.26% | 1090 | 69.74% |
| The Big Labor Day Weekend | 20070903 | 20070904 | 1510 | 1453 | 265 | 18.24% | 1188 | 81.76% |
| Happy Labor Day | 20070903 | 20070904 | 1443 | 1383 | 296 | 21.40% | 1087 | 78.60% |
| **privacy** | 20070906 | 20070906 | 3869 | 2776 | 596 | 21.47% | 2180 | 78.53% |
| Your Privacy is being violated | 20070906 | 20070906 | 561 | 407 | 44 | 10.81% | 363 | 89.19% |
| What you do online is at risk. | 20070906 | 20070906 | 510 | 362 | 110 | 30.39% | 252 | 69.61% |
| Big brother is watching you. | 20070906 | 20070906 | 611 | 448 | 190 | 42.41% | 258 | 57.59% |
| Careful, you.re being watched. | 20070906 | 20070906 | 533 | 381 | 53 | 13.91% | 328 | 86.09% |
| The things you do online are being watched. | 20070906 | 20070906 | 575 | 409 | 55 | 13.45% | 354 | 86.55% |
| Your online activities are no longer safe. | 20070906 | 20070906 | 496 | 350 | 55 | 15.71% | 295 | 84.29% |
| Your online life is not private. | 20070906 | 20070906 | 583 | 419 | 89 | 21.24% | 330 | 78.76% |
| **nfl** | 20070908 | 20070914 | 42215 | 42296 | 7894 | 18.66% | 34402 | 81.34% |
| Football Fan Essentials | 20070908 | 20070913 | 4541 | 4548 | 485 | 10.66% | 4063 | 89.34% |
| Are you ready for some football? | 20070908 | 20070913 | 4647 | 4656 | 560 | 12.03% | 4096 | 87.97% |
| Free NFL Game Tracker | 20070908 | 20070912 | 4413 | 4425 | 728 | 16.45% | 3697 | 83.55% |
| Are you ready for football season? | 20070908 | 20070913 | 5089 | 5098 | 2248 | 44.10% | 2850 | 55.90% |
| Do you have your NFL Game List? | 20070908 | 20070913 | 4680 | 4689 | 660 | 14.08% | 4029 | 85.92% |
| NFL Season Is Here | 20070908 | 20070912 | 4519 | 4530 | 489 | 10.79% | 4041 | 89.21% |
| Football Season Is Here | 20070908 | 20070913 | 4919 | 4924 | 427 | 8.67% | 4497 | 91.33% |
| Get Your Free NFL Game Tracker | 20070908 | 20070913 | 4748 | 4758 | 1005 | 21.12% | 3753 | 78.88% |
| FOOTBALL Are You ready? | 20070908 | 20070914 | 4659 | 4668 | 1292 | 27.68% | 3376 | 72.32% |
| **arcade** | 20070915 | 20070926 | 27028 | 27208 | 8000 | 29.40% | 19208 | 70.60% |
| The internet just got better | 20070915 | 20070919 | 1457 | 1464 | 462 | 31.56% | 1002 | 68.44% |
| Quick, grab this | 20070915 | 20070919 | 1407 | 1411 | 740 | 52.45% | 671 | 47.55% |
| New free game software has over 1000 games | 20070915 | 20070919 | 1268 | 1269 | 197 | 15.52% | 1072 | 84.48% |
| Life is just a little bit more fun | 20070915 | 20070919 | 1672 | 1674 | 349 | 20.85% | 1325 | 79.15% |
| Stop paying for games | 20070915 | 20070919 | 1527 | 1529 | 561 | 36.69% | 968 | 63.31% |
| Wow, cool games | 20070915 | 20070919 | 1544 | 1552 | 340 | 21.91% | 1212 | 78.09% |
| Thousands of hours of fun, for free | 20070915 | 20070919 | 1431 | 1436 | 637 | 44.36% | 799 | 55.64% |
| free games | 20070915 | 20070922 | 2031 | 2050 | 629 | 30.68% | 1421 | 69.32% |
| Get 1000 games for free | 20070915 | 20070925 | 1391 | 1399 | 416 | 29.74% | 983 | 70.26% |
| Holy cow, 1000 free games online | 20070915 | 20070919 | 1489 | 1498 | 283 | 18.89% | 1215 | 81.11% |
| All the free games you want | 20070915 | 20070926 | 2156 | 2162 | 394 | 18.22% | 1768 | 81.78% |
| Youll love our new game site | 20070919 | 20070922 | 881 | 892 | 235 | 26.35% | 657 | 73.65% |
| Are you ready to play? | 20070919 | 20070922 | 964 | 981 | 214 | 21.81% | 767 | 78.19% |
| Your prayers have been answered | 20070919 | 20070922 | 936 | 952 | 171 | 17.96% | 781 | 82.04% |
| Ready for some fun? | 20070919 | 20070922 | 849 | 868 | 378 | 43.55% | 490 | 56.45% |
| Dont loose this | 20070919 | 20070922 | 727 | 738 | 210 | 28.46% | 528 | 71.54% |
| Get all these guys games | 20070919 | 20070922 | 741 | 754 | 235 | 31.17% | 519 | 68.83% |
| Games save lives | 20070924 | 20070926 | 709 | 713 | 156 | 21.88% | 557 | 78.12% |
| Free Games For Kids | 20070924 | 20070926 | 615 | 619 | 222 | 35.86% | 397 | 64.14% |
| Take ten min out to play a game today. | 20070924 | 20070926 | 662 | 664 | 261 | 39.31% | 403 | 60.69% |
| Dont forget to play a game today | 20070924 | 20070926 | 632 | 639 | 339 | 53.05% | 300 | 46.95% |
| Time for a break, and play a game. | 20070924 | 20070926 | 674 | 675 | 288 | 42.67% | 387 | 57.33% |
| Time to Play | 20070924 | 20070926 | 671 | 671 | 177 | 26.38% | 494 | 73.62% |
| Come play a game, you know you want to | 20070924 | 20070926 | 594 | 598 | 106 | 17.73% | 492 | 82.27% |
| **TOTALS** | - | - | 176592 | 177016 | 47726 | 26.96% | 129290 | 73.04% |
The emerging attack pattern is one of shortening duration, and increasing volume: as the botnet grows, no doubt also does its ability to send out more spam in a shorter time. This "hit-n-run" style of warfare benefits the controllers and makes analysis more difficult.
Another View
The relatively high percentage of "duplicate" URLs (URLs already seen in an earlier email in the trap) is evidence of node reuse. We would expect a single zombie to spam out multiple subject lines. The additional question we wanted to answer is whether a zombie is spamming out subject lines from multiple groups, and whether the distribution of that history demonstrates its own timeline. If so, how does it correlate with the global analysis?
The following report was generated using our ThreatSeeker portal: we select one of the subjects (in this case "Big brother is watching you." from the "privacy" group) and generate a report that shows the subject history for a single node in the botnet.
We can see three very clear areas in the report where the runs change topic (boxed in red). Note that these dates correlate nicely with our globally computed begin-and-end times for the subjects in question.
A similar strategy is used for finding new subjects: generate a report of the other IPs hosting that email subject, then generate a report of all subjects hosted by each new IP. Often this turns up similar timelines spread across various runs and, for the ongoing spam runs, new subjects, which are then added to our list of candidates.
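The node-centric pivot described above, as an added example rather than a ThreatSeeker report or Websense code. It works from a constructed list of spam-trap records (the 10.0.0.x hosts, the dates and the subject-to-group mapping are all assumed for illustration; real Storm lures linked straight to the zombie, so here a node is identified by the host part of the lure URL). It prints one node's chronological subject history with the points where its topic changes, and then performs the two-step pivot (subject to hosts, hosts to subjects) that turns up candidate subjects not yet in the group list.

```python
"""Added example of the per-node view described in the post: not a
ThreatSeeker report and not Websense code.  Records and hosts are constructed;
real Storm lures pointed at the zombie's own address, so the node identity
used here is simply the host part of the lure URL."""
from urllib.parse import urlsplit

# Constructed trap records: (day seen as YYYYMMDD, subject, lure URL).
# 10.0.0.7 is a node that takes part in four successive runs; 10.0.0.9 also
# carries a subject that is not yet in our candidate list.
TRAP = [
    ("20070825", "man, who filmed this thing?", "http://10.0.0.7/"),
    ("20070829", "Hot new video", "http://10.0.0.7/"),
    ("20070829", "Hot new video", "http://10.0.0.9/"),
    ("20070903", "Happy Labor Day", "http://10.0.0.7/"),
    ("20070906", "Big brother is watching you.", "http://10.0.0.7/"),
    ("20070906", "Big brother is watching you.", "http://10.0.0.9/"),
    ("20070906", "Careful, you.re being watched.", "http://10.0.0.9/"),
    ("20070906", "Your online life is not private.", "http://10.0.0.9/"),
    ("20070908", "NFL Season Is Here", "http://10.0.0.7/"),
    ("20070912", "Cheap watches", "http://spam.example/"),   # unrelated spam
]

# Subject -> group as already established by the global analysis.  "Your
# online life is not private." is deliberately left out so the pivot below
# can discover it.
KNOWN = {
    "man, who filmed this thing?": "video",
    "Hot new video": "video",
    "Happy Labor Day": "labor_day",
    "Big brother is watching you.": "privacy",
    "Careful, you.re being watched.": "privacy",
    "NFL Season Is Here": "nfl",
}


def host_of(url):
    return urlsplit(url).hostname


def subjects_for_host(records, host):
    """Chronological (day, subject) history of one node: the per-node
    'subject history' report in the post."""
    return sorted((day, subj) for day, subj, url in records if host_of(url) == host)


def hosts_for_subject(records, subject):
    """Every node that was seen hosting the lure for a given subject."""
    return {host_of(url) for _, subj, url in records if subj == subject}


def topic_switches(history, subject_to_group):
    """(day, from_group, to_group) wherever a node's history changes group,
    i.e. the red boxes in the post's report.  Subjects outside every known
    group are labelled '?' so an unrecognised run still shows as a switch."""
    switches, prev = [], None
    for day, subj in history:
        group = subject_to_group.get(subj, "?")
        if prev is not None and group != prev:
            switches.append((day, prev, group))
        prev = group
    return switches


def discover_candidates(records, subject_to_group, seed_subject):
    """Two-step pivot from the post: hosts carrying the seed subject, then every
    subject those hosts carried; whatever is not already grouped is a
    candidate subject for the next report run."""
    hosts = hosts_for_subject(records, seed_subject)
    found = {subj for _, subj, url in records if host_of(url) in hosts}
    return sorted(found - set(subject_to_group))


if __name__ == "__main__":
    history = subjects_for_host(TRAP, "10.0.0.7")
    for day, subj in history:
        print(day, KNOWN.get(subj, "?"), subj)
    print("topic switches:", topic_switches(history, KNOWN))
    print("new candidates:",
          discover_candidates(TRAP, KNOWN, "Big brother is watching you."))
```

Keying on the URL host is the obvious choice for lures that link straight to a zombie's IP, but it collapses distinct nodes behind NAT or a shared hosting name; on real trap data it is worth checking that the "host" really is a single machine before reading a switch in its history as that node changing runs.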
Conclusions
This report reinforces some of our existing conclusions about the Storm breakout: it is, generally speaking, highly effective, ubiquitous, and has an escalating attack footprint. It is expected that those responsible will continue "improving" their process and topic selection to maximize return. Due to the ongoing nature of this attack, there are a growing number of research angles to pursue.
We can see from the data that the attack strategy is "hit them hard and fast". Most runs are increasing in volume but last only a couple of days to a week, and then the tactics switch. This is in contrast to the first "ecard" run, which lasted nearly seven weeks (6/29 to 8/15) before stopping. This suggests that the botnet had by then reached a critical mass with which its controllers can blitz out new spam.
Lastly, we can see from the duplicate-URL percentage within the runs, backed up by the ThreatSeeker report, that individual compromised zombie nodes participate in multiple sequential spam runs, suggesting coordination by a single agency. Additional research could correlate this with an infection/success rate for each run; such a metric may help predict when tactics are likely to change.
Appendix
The data generation tool is called "eanalysis", written by the author of this report and customized for use in this blog. Its job is to generate historical reports for logically grouped email subjects within our spam trap. The default is to run with a presupplied configuration of subjects. It may also be called with a custom set of groups and subjects for spot research:
# eanalysis "group1::subject1|subject2" "group2::subject3|subject4"
The output of the tool is the following:
- HTML table with breakdowns of each subject in the group, with totals if appropriate. It also has a stock link to the generated graph.
- A graph generated with gnuplot. It superimposes the volume for all subjects in the group, email frequency along the Y axis, and day/month along the X axis.
- Intermediate files for the graph. These are not included in the blog obviously, but allow regenerating the graph (changing styles for example) without needing to run eanalysis over again.
- A list of urls which were found in the emails. This is also not included in the blog but used for further internal research.
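To make the methodology and this appendix concrete, here is an added example of the report computation. It is written for this edit and is not the eanalysis tool itself (which is internal to Websense). It accepts the same "group::subject1|subject2" argument syntax, runs over a constructed, tiny set of spam-trap records (the dates, subjects and 10.0.0.x URLs are all assumed), and produces the Start/End/Emails/URLs/New/Dup table plus the per-day counts behind the superimposed graphs. One accounting assumption is stated in the code: a URL counts as "new" the first time it appears anywhere in the trap and as a duplicate thereafter, regardless of subject. That is the rule under which a group's URLs (New) column equals the sum of its subjects' columns, as it does in the table above.

```python
"""Added example of the per-subject / per-group report described in the post.
Illustrative code, not Websense's eanalysis; the spam-trap records below are
constructed (private 10.0.0.x hosts) so every number can be checked by hand."""
from collections import Counter

# Constructed trap records: (day seen as YYYYMMDD, subject, lure URLs found in
# the body).  An email may carry one URL, several, or none, which is why the
# Emails and URLs columns in the post's table differ.
TRAP = [
    ("20070906", "Big brother is watching you.", ["http://10.0.0.1/"]),
    ("20070906", "Your Privacy is being violated", ["http://10.0.0.1/"]),
    ("20070906", "Your Privacy is being violated", ["http://10.0.0.2/"]),
    ("20070908", "NFL Season Is Here", ["http://10.0.0.1/", "http://10.0.0.1/nfl.html"]),
    ("20070908", "Free NFL Game Tracker", ["http://10.0.0.3/"]),
    ("20070909", "NFL Season Is Here", ["http://10.0.0.3/"]),
    ("20070909", "NFL Season Is Here", []),
    ("20070912", "Free NFL Game Tracker", ["http://10.0.0.4/"]),
    ("20070912", "Weekly newsletter", ["http://example.invalid/"]),
]


def parse_groups(args):
    """eanalysis-style arguments, 'group::subj1|subj2', to {group: [subjects]}."""
    groups = {}
    for arg in args:
        name, sep, subjects = arg.partition("::")
        if not sep or not name or not subjects:
            raise ValueError(f"bad group spec: {arg!r}")
        groups[name] = subjects.split("|")
    return groups


def _blank():
    return {"start": None, "end": None, "emails": 0, "urls": 0,
            "new": 0, "dup": 0, "daily": Counter()}


def analyse(records, groups):
    """Walk the trap in date order and accumulate, per group and per subject,
    first/last day, email count, URL count and new-vs-duplicate URL counts.
    Assumption: a URL is "new" the first time it is seen anywhere in the trap
    and a duplicate every time after, whatever the subject; a node reused by a
    later run therefore shows up as duplicates in that run."""
    group_of = {s: g for g, subs in groups.items() for s in subs}
    seen = set()
    stats = {}
    for day, subject, urls in sorted(records, key=lambda r: r[0]):
        group = group_of.get(subject)
        if group is None:          # not a candidate subject: ignore
            continue
        keys = ((group,), (group, subject))
        for key in keys:
            st = stats.setdefault(key, _blank())
            st["start"] = day if st["start"] is None else min(st["start"], day)
            st["end"] = day if st["end"] is None else max(st["end"], day)
            st["emails"] += 1
            st["daily"][day] += 1
        for url in urls:
            column = "new" if url not in seen else "dup"
            seen.add(url)
            for key in keys:
                stats[key]["urls"] += 1
                stats[key][column] += 1
    return stats


def _pct(n, total):
    return f"{100.0 * n / total:.2f}%" if total else "-"


def render_table(stats):
    """The post's table layout: groups ordered by start date, subjects listed
    under their group, percentages relative to the URLs column."""
    rows = ["| Group/Subj | Start | End | Emails | URLs | URLs (New) | "
            "URLs (New %) | URLs (Dup) | URLs (Dup %) |",
            "|---|---|---|---|---|---|---|---|---|"]
    order = sorted(stats, key=lambda k: (stats[(k[0],)]["start"], k[0], len(k), k[-1]))
    for key in order:
        st = stats[key]
        name = key[0] if len(key) == 1 else "  " + key[1]
        rows.append(f"| {name} | {st['start']} | {st['end']} | {st['emails']} | "
                    f"{st['urls']} | {st['new']} | {_pct(st['new'], st['urls'])} | "
                    f"{st['dup']} | {_pct(st['dup'], st['urls'])} |")
    return "\n".join(rows)


def daily_volume(stats, group):
    """Per-day email counts for each subject of a group: the data the post
    feeds to gnuplot to superimpose the subject volumes on one graph."""
    return {k[1]: dict(v["daily"]) for k, v in stats.items()
            if len(k) == 2 and k[0] == group}


if __name__ == "__main__":
    import sys
    args = sys.argv[1:] or [
        "privacy::Big brother is watching you.|Your Privacy is being violated",
        "nfl::NFL Season Is Here|Free NFL Game Tracker",
    ]
    stats = analyse(TRAP, parse_groups(args))
    print(render_table(stats))
    for subject, days in daily_volume(stats, "nfl").items():
        print(subject, days)
```

Run without arguments it uses the two sample groups; pass your own "group::subject|subject" strings to mirror the eanalysis invocation. Because "seen" is global, a URL first used by the privacy run and reused by the nfl run is counted as a duplicate for nfl, which is exactly the node-reuse signal the "Another View" section relies on.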
Document assembly was performed by creating the content first then dropping in the generated tables and graphs at the appropriate location.
Researcher: NJ Verenini, Websense Security Labs