
Storm Worm Chronology

09.26.2007 - 1:16 PM
The notorious "Storm Worm" series of spam attacks is interesting for several reasons. One, of course, is its simplicity as a social engineering attack. The lures are presented as very short, simple emails, enticing the victim to click the links proffered and run the downloaded file.

Secondly, the scope of the attacks is unprecedented. It is generally accepted that the point of these attacks is to build a huge botnet for financial gain. Stock pump-and-dump scams and even DDoS attacks have been blamed on it. In other words, although the attacks are very basic, they have had widespread success.

A third point of interest, and the research focus for this blog, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter. For example, we consider "NFL" spam to be one instance of the Storm attack, and "ArcadeWorld" another, but we cannot by that alone make an assertion regarding their specific rate of occurrence and precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology.

We have blogged about the Storm attacks before; for additional information, see this post.

Methodology

The focus of our method is to identify as many "Storm Worm" subjects as we can, identify the timelines of the individual subjects, and then group those subjects together into topics. What we should end up with is a report, by topic, that allows us to analyze specific characteristics of those emails.

The report generation is done through a tool which queries our database (for more information, see the Appendix). This generation has been performed several times throughout the construction of this report in order to reverify against fresh data, and to make incremental corrections to the group and subject arrangement as necessary. The tool is initialized with a list of candidate email subjects. Each subject is analyzed, its emails and URLs counted and summed, and the first start date and last end date of every email with that subject is recorded. The results are output to a table, with the following format and legend:

In addition, the tool generates a graph which shows the daily volume of those subjects within the ranges presented in the table. While the table only shows the start and end dates of each subject, the graphs impart information about the actual per-day distribution of those subjects. Subjects are superimposed so we can see the distribution pattern between them.

The subject selection itself is critical to this method. We must attempt to identify every possible subject which was used in the run in question. Much of this information is already possessed internally by Websense Labs, as we have been closely tracking Storm and its variants for some time. The rest were discovered through a combination of external research, and internal research through our portal interface.

Results

So what did we find? First of all, we identified a list of over 50 email subjects, spread over all occurrences since the ecard breakout in June 2007, that are confirmed Storm Worm email threads. Of these 50+ subjects, we identified several distinct groups, each correlating to a chronologically and topically segregated run. The groups which were determined are as follows. Note that this layout is ordered by start time, that is, the date on which we saw the first occurrence of the subject in our spam trap. Therefore, the report timelines reflect the same ordering of groups.

Group 1: ecard

The "ecard" spam run starting in June 2007. These are email subjects that start with the line "Youve (sic) received a greeting card..." followed by a randomly chosen ending: "mate", "neighbor", "classmate" and so forth.

The graph exhibits features that tell us we are on the right track. Subjects are all appearing at similar rates, relatively similar patterns, and nearly identical timeframes. We look for this to tell us if our grouping strategy is working.

Group 2: ecard2

This generally covers the second ecard-related run in the July-August timeframe. Most of these are greeting-card lures as in the first ecard run, and the tactics are basically the same. However, there is a clear chronological break between ecard and ecard2, plus numerous new subjects, so we chose to use two different groups.

Group 3: phishy

Immediately after ecard2, the topic switches to some phishy-sounding subjects such as "New User Info", and fake account login information.

Group 4: help

This is a small run at the end of August. Lures include "Beta testing" of software, and requests for help and feedback. The spammed executable is "setup.exe", with a detection similar to those that came before.

This one vanishes pretty quickly. Perhaps a test run, or a poor return. This can also suggest some limitations in our analysis. A single trap likely has "blind spots" -- it is not guaranteed to receive every possible email from the spam run.

Group 5: video

Right after "help", at the end of August, the tactics start shifting. Although there is only a small collection of subjects, the volume of the run is quite high. The bait is some variation on getting the user to download some "hot new" video. Tactics remain the same (a link to an executable).

At first appearance this looks like two runs superimposed on each other. The tail end of the longer run skips over the labor day weekend then vanishes the following week. Guess they don't work holidays.

Group 6: labor_day

...or do they? As if to prove, albeit for a short time, the industrious work ethic of Storm, the hard working fellows push out a special Labor Day spam run. We wait with bated breath for specially branded attacks on our other favorite holidays (Flag Day and Leif Ericson Day come to mind), but we will be content with this one for now.

One might predict from the table that the graph would likewise look wholly uninteresting. They would be right on this one.

Group 7: privacy

Back from the long weekend (well, it's actually Thursday by now, so we suppose the extra two days are for catching up on unfinished drinking), our fine purveyors of potted meat roll up their sleeves and try something different. These are a series of scare-tactic subjects, such as "big brother is watching", "privacy violation" and so forth, and offering a download to "protect your privacy".

This is a pretty low-volume run. Either the tactic was not successful, or our trap just didn't get enough of them to establish a greater history.

Group 8: nfl

As if we didn't have enough to worry about, September brings us to the start of football season. It would make sense for the bad guys to remain topical, after all, and they don't disappoint. By using our keenly developed sense of reading comprehension, we can determine that this is, indeed, a collection of football-related subjects, some offering a "Gametracker", others tantalizing us with outrageous lines such as "football season has begun". Two things: how can we resist, and what can possibly go wrong?

As it turns out, quite a bit: now we have an escalation in tactics. All Storm spams to this date were of a fairly pedestrian variety: a short email with a lure as the subject, and a direct link to the trojan executable, hosted by the zombie. The "nfl" run has the zombies hosting an entire web page with current NFL game stats, with all links pointing to a "NFL Tracker" trojan download.

The timeframe for the bulk of the run, 9/8 (Sat.) through 9/12 (Wed.), encompasses the season opener games on Sunday and Monday, with a couple of extra days tacked on to reel in some extra victims. After this it slinks back into the shadows.

Group 9: arcade

This brings us to the latest run, and, sadly, the end of our current timeline. This group is commonly referred to as the "ArcadeWorld" variant. Tactics here are escalating once again as well. In addition to hosting a legit-looking web page with clickable links, just as in the "nfl" version, the page itself has some malicious obfuscated heapspray-vintage JavaScript near the end which attempts to exploit the visiting browser automatically, without any further click.

This is a run in progress as of this writing. Note that there are currently three distinct start dates for the group: the first on 9/15, a smaller run on 9/19, and the appearance of new subjects on 9/24.

All Groups

Here is every single run, put together. They are ordered chronologically based on start date. The graph is also an aggregate of all groups to show the relationship between the runs.

| Group/Subj | Start | End | Emails | URLs | URLs (New) | URLs (New %) | URLs (Dup) | URLs (Dup %) |
|---|---|---|---|---|---|---|---|---|
| ecard | 20070629 | 20070815 | 46487 | 53428 | 19328 | 36.18% | 34100 | 63.82% |
| Youve received a greeting card from a partner | 20070629 | 20070815 | 4227 | 4866 | 1194 | 24.54% | 3672 | 75.46% |
| Youve received a greeting card from a colleague | 20070629 | 20070814 | 4277 | 4906 | 2396 | 48.84% | 2510 | 51.16% |
| Youve received a greeting card from a friend | 20070629 | 20070815 | 4921 | 5629 | 2120 | 37.66% | 3509 | 62.34% |
| Youve received a greeting card from a worshipper | 20070629 | 20070810 | 3736 | 4281 | 666 | 15.56% | 3615 | 84.44% |
| Youve received a greeting card from a family member | 20070629 | 20070814 | 3082 | 3656 | 1557 | 42.59% | 2099 | 57.41% |
| Youve received a greeting card from a school-mate | 20070630 | 20070815 | 3857 | 4383 | 751 | 17.13% | 3632 | 82.87% |
| Youve received a greeting card from a class-mate | 20070630 | 20070815 | 5346 | 5973 | 3559 | 59.58% | 2414 | 40.42% |
| Youve received a greeting card from a school mate | 20070630 | 20070814 | 2026 | 2478 | 597 | 24.09% | 1881 | 75.91% |
| Youve received a greeting card from a class mate | 20070630 | 20070815 | 3584 | 4185 | 3071 | 73.38% | 1114 | 26.62% |
| Youve received a greeting card from a neighbour | 20070630 | 20070815 | 4289 | 4829 | 1311 | 27.15% | 3518 | 72.85% |
| Youve received a greeting card from a mate | 20070630 | 20070814 | 3520 | 4073 | 1378 | 33.83% | 2695 | 66.17% |
| Youve received a greeting card from a school friend | 20070701 | 20070810 | 2368 | 2792 | 433 | 15.51% | 2359 | 84.49% |
| Youve received a greeting card from a neighbor | 20070718 | 20070814 | 1254 | 1377 | 295 | 21.42% | 1082 | 78.58% |
| ecard2 | 20070815 | 20070921 | 7698 | 7925 | 2679 | 33.80% | 5246 | 66.20% |
| Musical postcard | 20070815 | 20070817 | 977 | 1016 | 199 | 19.59% | 817 | 80.41% |
| Movie-quality card | 20070815 | 20070817 | 1177 | 1225 | 733 | 59.84% | 492 | 40.16% |
| Birthday e-card | 20070815 | 20070817 | 1064 | 1091 | 247 | 22.64% | 844 | 77.36% |
| Greeting e-card | 20070815 | 20070817 | 1105 | 1123 | 315 | 28.05% | 808 | 71.95% |
| Birthday Card | 20070815 | 20070921 | 981 | 1012 | 329 | 32.51% | 683 | 67.49% |
| Love postcard | 20070815 | 20070817 | 1424 | 1473 | 664 | 45.08% | 809 | 54.92% |
| Funny card | 20070815 | 20070817 | 970 | 985 | 192 | 19.49% | 793 | 80.51% |
| phishy | 20070820 | 20070825 | 17992 | 13194 | 3737 | 28.32% | 9457 | 71.68% |
| Technical Support | 20070820 | 20070823 | 2676 | 1970 | 263 | 13.35% | 1707 | 86.65% |
| Tech Department | 20070820 | 20070823 | 3424 | 2538 | 923 | 36.37% | 1615 | 63.63% |
| Login Verification | 20070820 | 20070825 | 3390 | 2413 | 387 | 16.04% | 2026 | 83.96% |
| Registration Confirmation | 20070820 | 20070823 | 3073 | 2198 | 629 | 28.62% | 1569 | 71.38% |
| User Services | 20070820 | 20070823 | 2722 | 2065 | 415 | 20.10% | 1650 | 79.90% |
| New User Details | 20070820 | 20070823 | 2707 | 2010 | 1120 | 55.72% | 890 | 44.28% |
| help | 20070828 | 20070828 | 1323 | 1323 | 507 | 38.32% | 816 | 61.68% |
| Beta testers needed | 20070828 | 20070828 | 264 | 264 | 117 | 44.32% | 147 | 55.68% |
| We need you | 20070828 | 20070828 | 247 | 247 | 47 | 19.03% | 200 | 80.97% |
| New Software needs Beta testers | 20070828 | 20070828 | 243 | 243 | 50 | 20.58% | 193 | 79.42% |
| Would you help us with a new program | 20070828 | 20070828 | 251 | 251 | 68 | 27.09% | 183 | 72.91% |
| Helps us out and let us say thanks | 20070828 | 20070828 | 318 | 318 | 225 | 70.75% | 93 | 29.25% |
| video | 20070825 | 20070907 | 18878 | 18172 | 3226 | 17.75% | 14946 | 82.25% |
| I cant belive you did this | 20070825 | 20070907 | 6574 | 6276 | 1256 | 20.01% | 5020 | 79.99% |
| man, who filmed this thing? | 20070825 | 20070907 | 6828 | 6413 | 748 | 11.66% | 5665 | 88.34% |
| this video is not out yet | 20070829 | 20070831 | 1093 | 1094 | 297 | 27.15% | 797 | 72.85% |
| Hot new video | 20070829 | 20070831 | 971 | 972 | 463 | 47.63% | 509 | 52.37% |
| oh man, you got to see this video | 20070829 | 20070831 | 1066 | 1068 | 131 | 12.27% | 937 | 87.73% |
| awesome new video | 20070829 | 20070831 | 1112 | 1112 | 102 | 9.17% | 1010 | 90.83% |
| your gonna love this, lol | 20070829 | 20070831 | 1234 | 1237 | 229 | 18.51% | 1008 | 81.49% |
| labor_day | 20070903 | 20070904 | 11102 | 10694 | 1759 | 16.45% | 8935 | 83.55% |
| Your Friend Sends A Labor Day Greeting | 20070903 | 20070904 | 1329 | 1286 | 121 | 9.41% | 1165 | 90.59% |
| A Labor Day E-Card | 20070903 | 20070904 | 3397 | 3279 | 364 | 11.10% | 2915 | 88.90% |
| Your E-Greeting is waiting. | 20070903 | 20070904 | 1795 | 1730 | 240 | 13.87% | 1490 | 86.13% |
| A Labor Day Greeting | 20070903 | 20070904 | 1628 | 1563 | 473 | 30.26% | 1090 | 69.74% |
| The Big Labor Day Weekend | 20070903 | 20070904 | 1510 | 1453 | 265 | 18.24% | 1188 | 81.76% |
| Happy Labor Day | 20070903 | 20070904 | 1443 | 1383 | 296 | 21.40% | 1087 | 78.60% |
| privacy | 20070906 | 20070906 | 3869 | 2776 | 596 | 21.47% | 2180 | 78.53% |
| Your Privacy is being violated | 20070906 | 20070906 | 561 | 407 | 44 | 10.81% | 363 | 89.19% |
| What you do online is at risk. | 20070906 | 20070906 | 510 | 362 | 110 | 30.39% | 252 | 69.61% |
| Big brother is watching you. | 20070906 | 20070906 | 611 | 448 | 190 | 42.41% | 258 | 57.59% |
| Careful, you.re being watched. | 20070906 | 20070906 | 533 | 381 | 53 | 13.91% | 328 | 86.09% |
| The things you do online are being watched. | 20070906 | 20070906 | 575 | 409 | 55 | 13.45% | 354 | 86.55% |
| Your online activities are no longer safe. | 20070906 | 20070906 | 496 | 350 | 55 | 15.71% | 295 | 84.29% |
| Your online life is not private. | 20070906 | 20070906 | 583 | 419 | 89 | 21.24% | 330 | 78.76% |
| nfl | 20070908 | 20070914 | 42215 | 42296 | 7894 | 18.66% | 34402 | 81.34% |
| Football Fan Essentials | 20070908 | 20070913 | 4541 | 4548 | 485 | 10.66% | 4063 | 89.34% |
| Are you ready for some football? | 20070908 | 20070913 | 4647 | 4656 | 560 | 12.03% | 4096 | 87.97% |
| Free NFL Game Tracker | 20070908 | 20070912 | 4413 | 4425 | 728 | 16.45% | 3697 | 83.55% |
| Are you ready for football season? | 20070908 | 20070913 | 5089 | 5098 | 2248 | 44.10% | 2850 | 55.90% |
| Do you have your NFL Game List? | 20070908 | 20070913 | 4680 | 4689 | 660 | 14.08% | 4029 | 85.92% |
| NFL Season Is Here | 20070908 | 20070912 | 4519 | 4530 | 489 | 10.79% | 4041 | 89.21% |
| Football Season Is Here | 20070908 | 20070913 | 4919 | 4924 | 427 | 8.67% | 4497 | 91.33% |
| Get Your Free NFL Game Tracker | 20070908 | 20070913 | 4748 | 4758 | 1005 | 21.12% | 3753 | 78.88% |
| FOOTBALL Are You ready? | 20070908 | 20070914 | 4659 | 4668 | 1292 | 27.68% | 3376 | 72.32% |
| arcade | 20070915 | 20070926 | 27028 | 27208 | 8000 | 29.40% | 19208 | 70.60% |
| The internet just got better | 20070915 | 20070919 | 1457 | 1464 | 462 | 31.56% | 1002 | 68.44% |
| Quick, grab this | 20070915 | 20070919 | 1407 | 1411 | 740 | 52.45% | 671 | 47.55% |
| New free game software has over 1000 games | 20070915 | 20070919 | 1268 | 1269 | 197 | 15.52% | 1072 | 84.48% |
| Life is just a little bit more fun | 20070915 | 20070919 | 1672 | 1674 | 349 | 20.85% | 1325 | 79.15% |
| Stop paying for games | 20070915 | 20070919 | 1527 | 1529 | 561 | 36.69% | 968 | 63.31% |
| Wow, cool games | 20070915 | 20070919 | 1544 | 1552 | 340 | 21.91% | 1212 | 78.09% |
| Thousands of hours of fun, for free | 20070915 | 20070919 | 1431 | 1436 | 637 | 44.36% | 799 | 55.64% |
| free games | 20070915 | 20070922 | 2031 | 2050 | 629 | 30.68% | 1421 | 69.32% |
| Get 1000 games for free | 20070915 | 20070925 | 1391 | 1399 | 416 | 29.74% | 983 | 70.26% |
| Holy cow, 1000 free games online | 20070915 | 20070919 | 1489 | 1498 | 283 | 18.89% | 1215 | 81.11% |
| All the free games you want | 20070915 | 20070926 | 2156 | 2162 | 394 | 18.22% | 1768 | 81.78% |
| Youll love our new game site | 20070919 | 20070922 | 881 | 892 | 235 | 26.35% | 657 | 73.65% |
| Are you ready to play? | 20070919 | 20070922 | 964 | 981 | 214 | 21.81% | 767 | 78.19% |
| Your prayers have been answered | 20070919 | 20070922 | 936 | 952 | 171 | 17.96% | 781 | 82.04% |
| Ready for some fun? | 20070919 | 20070922 | 849 | 868 | 378 | 43.55% | 490 | 56.45% |
| Dont loose this | 20070919 | 20070922 | 727 | 738 | 210 | 28.46% | 528 | 71.54% |
| Get all these guys games | 20070919 | 20070922 | 741 | 754 | 235 | 31.17% | 519 | 68.83% |
| Games save lives | 20070924 | 20070926 | 709 | 713 | 156 | 21.88% | 557 | 78.12% |
| Free Games For Kids | 20070924 | 20070926 | 615 | 619 | 222 | 35.86% | 397 | 64.14% |
| Take ten min out to play a game today. | 20070924 | 20070926 | 662 | 664 | 261 | 39.31% | 403 | 60.69% |
| Dont forget to play a game today | 20070924 | 20070926 | 632 | 639 | 339 | 53.05% | 300 | 46.95% |
| Time for a break, and play a game. | 20070924 | 20070926 | 674 | 675 | 288 | 42.67% | 387 | 57.33% |
| Time to Play | 20070924 | 20070926 | 671 | 671 | 177 | 26.38% | 494 | 73.62% |
| Come play a game, you know you want to | 20070924 | 20070926 | 594 | 598 | 106 | 17.73% | 492 | 82.27% |
| TOTALS | - | - | 176592 | 177016 | 47726 | 26.96% | 129290 | 73.04% |

The emerging attack pattern is one of shortening duration and increasing volume: as the botnet grows, so, no doubt, does its ability to send out more spam in a shorter time. This "hit-n-run" style of warfare benefits the controllers and makes analysis more difficult.

Another View

The relatively high percentage of "duplicate" URLs in the botnet is evidence of node reuse. We would expect that a single zombie can spam out multiple subject lines. However, the additional question we wanted to answer is whether the zombie is spamming out multiple subject lines from multiple groups, and whether the distribution of that history demonstrates its own timeline. If so, how does it correlate with the global analysis?

The following report was generated using our "Threatseeker" portal: we select one of the subjects (in this case "big brother is watching" from the "privacy" group), and generate a report that shows the subject history for a single node in the botnet.

We can see three very clear areas in the report where the runs change topic (boxed in red). Note that these dates correlate nicely with our globally computed begin-and-end times for the subjects in question.

A similar strategy is used for finding new subjects: generate a report for the other IPs which are hosting that email subject, then generate a report for all subjects hosted by each new IP. Often this turns up similar timelines spread across various runs and, for the ongoing spam runs, new subjects, which are then added to our list of candidates.

Conclusions

This report reinforces some of our existing conclusions about the Storm breakout: it is, generally speaking, highly effective, ubiquitous, and has an escalating attack footprint. It is expected that those responsible will continue "improving" their process and topic selection to maximize return. Due to the ongoing nature of this attack, there are a growing number of research angles to pursue.

We can see from the data that the attack strategy is "hit them hard and fast". Most runs are increasing in volume, but last only a couple to several days, then switch tactics. This is in contrast to the first "ecard" run that lasted for 6 weeks before stopping. This suggests that the botnet at that point reached a critical mass with which they can blitz out new spam.

Lastly, we can see from the duplicate URL percentage within the runs, backed up by the "ThreatSeeker" report, that individual compromised zombie nodes are participating in multiple sequential spam runs, suggesting their coordination by a single agency. Additional research could be performed to correlate this with an infection/success rate for the run. Such a metric may help predict when tactics are likely to change.

Appendix

The data generation tool is called "eanalysis", written by the author of this report and customized for use in this blog. Its job is to generate historical reports for logically grouped email subjects within our spam trap. The default is to run with a presupplied configuration of subjects. It may also be called with a custom set of groups and subjects for spot research:

# eanalysis "group1::subject1|subject2" "group2::subject3|subject4"

The output of the tool is the following:

  • HTML table with breakdowns of each subject in the group, with totals if appropriate. It also has a stock link to the generated graph.
  • A graph generated with gnuplot. It superimposes the volume for all subjects in the group, email frequency along the Y axis, and day/month along the X axis.
  • Intermediate files for the graph. These are not included in the blog obviously, but allow regenerating the graph (changing styles for example) without needing to run eanalysis over again.
  • A list of URLs which were found in the emails. This is also not included in the blog but used for further internal research.
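The per-subject computation described in the Methodology (start and end date, email count, URL count, new versus duplicate URLs, group totals) and the per-node pivot from the "Another View" section, reproduced here as an added example in Python. This is not eanalysis or the ThreatSeeker portal; it runs over a handful of constructed trap records, and the definition of a "new" URL (first sighting in the trap, under any subject) is an assumption, not something the post states.

```python
from urllib.parse import urlsplit

# Constructed sample trap records (date, subject, URLs in the email); not Websense data.
RECORDS = [
    ("20070906", "Big brother is watching you.", ("http://192.0.2.10/x.exe",)),
    ("20070906", "Big brother is watching you.", ("http://192.0.2.10/x.exe",)),
    ("20070906", "Your online life is not private.", ("http://192.0.2.11/x.exe",)),
    ("20070906", "Your online life is not private.", ()),  # lure with no link
    ("20070908", "NFL Season Is Here", ("http://192.0.2.10/",)),
    ("20070909", "Free NFL Game Tracker", ("http://192.0.2.10/", "http://192.0.2.12/")),
    ("20070915", "free games", ("http://192.0.2.10/",)),
]
# Topic groups of candidate subjects, as eanalysis takes them ("group::s1|s2").
GROUPS = {
    "privacy": ["Big brother is watching you.", "Your online life is not private."],
    "nfl": ["NFL Season Is Here", "Free NFL Game Tracker"],
}
EMPTY = {"start": None, "end": None, "emails": 0, "urls": 0, "new": 0, "dup": 0}

def subject_report(records, groups):
    """Per-subject and per-group rows carrying the blog table's counts."""
    subj_to_group = {s: g for g, subs in groups.items() for s in subs}
    report = {g: {"total": dict(EMPTY), "subjects": {s: dict(EMPTY) for s in subs}}
              for g, subs in groups.items()}
    seen = set()
    for date, subject, urls in sorted(records):       # chronological order
        g = subj_to_group.get(subject)
        if g is None:
            continue                                   # not a tracked subject
        # Assumption: a URL is "new" the first time the trap sees it, under any subject.
        new = len(set(urls) - seen)
        seen |= set(urls)
        for st in (report[g]["subjects"][subject], report[g]["total"]):
            st["start"] = min(st["start"] or date, date)
            st["end"] = max(st["end"] or date, date)
            st["emails"] += 1
            st["urls"] += len(urls)
            st["new"] += new
            st["dup"] += len(urls) - new
    return report

def dup_pct(st):
    """The URLs (Dup %) column; 0.0 for a subject that carried no URLs."""
    return round(100.0 * st["dup"] / st["urls"], 2) if st["urls"] else 0.0

def node_history(records, host):
    """Subject timeline of one hosting node, like the per-IP portal report."""
    spans = {}
    for date, subject, urls in records:
        if any(urlsplit(u).hostname == host for u in urls):
            lo, hi = spans.get(subject, (date, date))
            spans[subject] = (min(lo, date), max(hi, date))
    return sorted((lo, hi, s) for s, (lo, hi) in spans.items())

def pivot_subjects(records, subject):
    """Other subjects served by the hosts that served `subject`: new candidates."""
    hosts = {urlsplit(u).hostname for _, s, urls in records if s == subject for u in urls}
    return sorted({s for _, s, urls in records if s != subject
                   and any(urlsplit(u).hostname in hosts for u in urls)})
```

On the sample data, `node_history(RECORDS, "192.0.2.10")` shows the same node moving from the "privacy" subject through the "nfl" subjects to "free games", the topic switches the post observes in its portal report, and `pivot_subjects` returns those later subjects as candidates for the subject list.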

Document assembly was performed by creating the content first then dropping in the generated tables and graphs at the appropriate location.

Researcher: NJ Verenini, Websense Security Labs
