Below you will find 12 steps that you can take today to reduce email spam.

The word “Spam” as applied to Email means “Unsolicited Bulk Email”. Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. –Spamhaus

1. Do not post your email address online in clear text.  If you must post it online be sure that your address is munged so that the bots will not see it.
2. Never respond to suspicious emails.
3. Do not unsubscribe to spam email.
4. Do not use your personal email address for public use. Instead, use a disposable email address and set it up to forward messages to your personal email account.  If you begin to receive spam in a disposable account –simply delete the disposable account and sign up for a new one.
5. Do not open suspicious attachments, links, or images. This could lead to malware downloading on your computer.
6. If you are using a software email program (and not a web-based one) be sure to disable the preview pane.
7. Use spam-blocking tools and filters.
8. If you need to forward email to groups of people use a disposable email address in the TO: field and add all recipients to the BCC: field.  This will shield the email address from others as well as from spam harvesters.
9. Be sure to have antivirus software installed on your computer, run a full scan every week, and keep it updated!  You should run some form of an anti-malware software each week too, such as Malwarebytes.
10. When you sign up for something on the web, be sure to uncheck the box that says “YES, I want to be contacted by select third parties concerning products I might be interested in.”
    
11. Be sure to take advantage of reputable and free computer scans such as the firewall leak and ShieldsUP tests over at Gibson Research Corporation.
12. Report spammers.  Register for free spam reporting service at SpamCop.

Check over at Software Candy for more tips here.

Some helpful Links:

Federal Trade Commision FTC

If you are a victim of a financial solicitation contact
the Internet Crime Complaint Center

Medical fraudulent claims (devices or products)
Email: webcomplaints@ora.fda.gov

Investment-related email- *Copy headers and forward to:
Email: enforcement@sec.gov

*How to copy email headers

Trademytweets[SCAM]com is a new variation of the old Tweeterfast, Tweeterfollow theme. Recent domains that have operated under the same gray umbrella are gettwitterfollowersforfree.com and
SpreadMyTweets.com.

Trademytweets claims:

“How does it work? When you sign in with your Twitter details, our system will find you 20, 40, 60 or 100 other Tweeters. Then with these people it will begin to make them follow you as you follow them, instantly. “An eye for an eye.” This service will continue until you choose to stop it.”

Current keyword tweets:with approximately 10 tweets per minute involving numerous affected accounts.

“Want some Free Twitter Followers?”
“Just used TMT for some free followers”
“Get Free Twitter Followers!”

Update for March 30, 2010:
You have been using this shortened link since March 25, 2010 http://isDOTgd/aXDme on Twitter.
Here is one example account with much more than ONE tweet every 20 hours…

You certainly have great marketing skills.

Update 8:49 PM March 30, 2010

It appears that if one receives more tweets from this service than one tweet every 20 hours, they are logging into the site and requesting to add more followers.  The site is currently down at the moment.

Until Next time – stay safe online!

Disclaimer: This blog post is in relation to my collection of spam. I am not a spam expert.

The past few weeks have elicited all manner of spam at Teksquisite, and also at Gmail and Yahoo accounts.  Spammers often collect email addresses from customer lists, chatrooms, email chain letters, forums, newsgroups, websites, and viruses. Current email accounts that are receiving spam have connections to prior chain mails, forums, and newsgroups. Spam or junk email is almost always unsolicited and unwanted.

“Increasingly, e-mail spam today is sent via “zombie networks”, networks of virus- or worm-infected personal computers in homes and offices around the globe; many modern worms install a backdoor which allows the spammer access to the computer and use it for malicious purposes. This complicates attempts to control the spread of spam, as in many cases the spam doesn’t even originate from the spammer.” –Wikipedia

Most common email spam:

1. Chain mail – Gordon Brown Hoax 
2. Trojans – botnets, bredolab, Pushdo
3. Phishing – Please log into your financial account and confirm
4. You are a winner – congratulations, lotteries
5. Offers – Viagra, educational, OEM software
6. Personals – find true love here
7. Scam news – generally will contain a link to malware

With an increase in botnet-related spam (mainly Bredolab,) a sharp rise in educational and pharmaceutical/medical spam, and definitely far more activity in the arena of phishing spam regarding financial accounts – you really should pay close attention to what lands in your inbox, because Trojans in the form of zipped files do not always end up in your spam folder.

I find it inconceivable, and somewhat disturbing that I collected almost 900 spam emails last week.  This is quite a jump in spam, considering, that during the first week of January spam for all accounts leveled slightly below 300.

Over the past three weeks I have seen a sharp rise in UPS Postal Support email that always contains an attachment “invoice” that is spoofed from some.address@ups.com with signatures such as:
Postal Support RANDOM NAME
UPS Manager, RANDOMNAME

The attachment currently arrives as a ZIP file: 

My advice to you is to KEEP IT ZIPPED AND DELETE IT!

Spam Examples

• Chain Mail: Gordon Brown Virus

Chain mail claiming that if you receive a picture of British Prime Minister, Gordon Brown smiling, your computer will become infected with a virus.

You can read more about this hoax over at Graham Cluley’s Blog.

• Trojans: Trojan.Downloader, Bredolab, Pushdo, Zeus [botnets]

Once the zip file is extracted, an exe file (disguised as an Excel file) downloads Pushdo (a malacious bredolab downloader.) In an article at cnet News, Joe Stewart, director of malware research at SecureWorks stated:

“Pushdo downloads different Trojans onto infected machines and has been used to send spam as part of the Cutwail spambot…”It’s a typical pay-per-install system,” used to distribute banking Trojans, password stealers, ad clickers, and search hijackers”

“For those unfamiliar, Bredolab is a simplified botnet – a loader which simply connects to a remote server to report and receive files to download/execute. Apart from rogue antivirus software (”scareware”), Bredolab’s other favorite download is Pushdo.” –Fortinet

Since Pushdo is not written to disk and is memory resident, botnet owners frequently change the code and behaviors of Pushdo, which further makes it difficult to classify variants over time.  What I have posted here today, may not be applicable tomorrow!

For a better understanding of Bredolab see You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence by David Sancho, Senior Threat Researcher at Trend Micro.

• Phishing – Please log into your account

1. This type of spam requests that you verify your account via a spoofed link where your personal details will be captured for the phishers
2. HSBC Bank will never send an email asking you to verify details.
3. There are all types of variations in these spoofed emails.  If you receive e-mail claiming to be from HSBC, call HSBC at 1-800-975-4722. Follow the instructions regarding fraudulent email here.

• You are a winner – congratulations, lotteries

Never reply to this type of email because you will end up on a global spammer list.  Delete it.

• Offers: OEM Software (Original Equipment Manufacturer)

OEM software is NOT FOR RESALE (NFR) and always includes licensing along these lines: “For distribution with a new personal computer only. This software may not be sold independently.” OEM software must be sold with hardware.

Some spam email often links to ebay where you can purchase OEM software. The seller appears compliant with the hardware requirement by advertising to remove hardware from the original system (or so they claim!)

“In accordance with eBay policy, I offer the HDD that came with the system (it currently has bad sectors and is not usable), which I can ship at the buyer’s request.”

Many recent OEM emails that I received are claiming to be a company located at 1100 South State Rd 7, Suite 501 in Margate, FL 33068.  Their website is registered to a Russian domain.  Thanks to Twitter folks @ChrisMuncy, @dckovar and @Lisa827 for advice on contacting the tax office in order to find out about the building that the business is located in.  In this particular case, the City of Margate, Florida was unable to find any records for a business registered at Suite 501 at the above address.  They will be sending out a code officer today to inspect the location since they only have four active businesses registered at this building.

Also be sure to stop by SIIA (Software & Information Industry Association) and brush up on
What You Need to Know About OEM and Academic Software.

12 steps to less spam:

1. Do not post your email address online in clear text.  If you must post it online be sure that your address is munged so that the bots will not see it.
2. Never respond to suspicious emails.
3. Do not unsubscribe to spam email.
4. Do not use your personal email address for public use. Instead, use a disposable email address and set it up to forward messages to your personal email account.  If you begin to receive spam in a disposable account –simply delete the disposable account and sign up for a new one.
5. Do not open suspicious attachments, links, or images. This could lead to malware downloading on your computer.
6. If you are using a software email program (and not a web-based one) be sure to disable the preview pane.
7. Use spam-blocking tools and filters.
8. If you need to forward email to groups of people use a disposable email address in the TO: field and add all recipients to the BCC: field.  This will shield the email address from others as well as from spam harvesters.
9. Be sure to have antivirus software installed on your computer, run a full scan every week, and keep it updated!  You should run some form of an anti-malware software each week too, such as Malwarebytes.
10. When you sign up for something on the web, be sure to uncheck the box that says “YES, I want to be contacted by select third parties concerning products I might be interested in.”
    
11. Be sure to take advantage of reputable and free computer scans such as the firewall leak and ShieldsUP tests over at Gibson Research Corporation.
12. Report spammers.  Register for free spam reporting service at SpamCop.

If you plan on using this service often, consider making a donation!

Some helpful Links:

Federal Trade Commision FTC

If you are a victim of a financial solicitation contact
the Internet Crime Complaint Center

Medical fraudulent claims (devices or products)
Email: webcomplaints@ora.fda.gov

Investment-related email- *Copy headers and forward to:
Email: enforcement@sec.gov

*How to copy email headers

Until next time — stay safe online!

I am currently reading a read me from a recent .rar that I downloaded and extracted over at Tubnut (that is a pet name for  my virtual station that analyzes files.)  The one question in the read me that consistently catches my attention is —How can I get somebody to login to my phisher— The answer: “That’s for you to find out, use your mind. Probably the simplest way is Social Engineering and some phishing skill. Here is an example : hXXp://imgdevil.com/pfiles/11140/munged”

The one commonality between affiliate marketers and cyber-criminals is that they are both highly adept in the art of social engineering. Michigan.gov defines social engineering as “an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals.”

Most affiliate marketers remain in the gray area of social engineering.  They also hold a strong emphasis on scam-type marketing campaigns in order to promote traffic to their website, specifically for the purpose of financial gain.  In comparison, Cyber-criminals fully embark in blackhat social engineering techniques, developing fake “phishing” sites in order to gain access to financial accounts.

Today I found an affiliate marketer on Twitter who participates in both forms of social engineering.  Though his account is not listed in Twitter search, I assume that he is from Pakistan and that he only uses anonymous accounts/sites to post content.  I am not posting his information here at the Tekblog.  For the purpose of this post I will refer to the affiliate marketer/phisher as P-man. So lets now move on to disclose some of the findings from P-mans phishing .rar.

I was 100% amazed to not find a Twitter Phisher here!

The major points that P-man promotes is that a phisher must:

1- Find a web host that supports php
2- Have a plan in place to send victims to the Index page
3- Learn how to hide links in forums
4- Seek free hosting/free domains (all anonymous)
5- What email spamming service to use
6- The use of URL shortening services to hide the phish
7- Proxies

There are also text files in many of the phishing folders that direct you to other underground technology websites.  You will be instructed to register at these sites before you are allowed access.  I believe that these underground sites will also be looking at your IP, OS vulnerabilities, etc in order to asses your intentions in registering.  You can anticipate that there will be many sites that will also redirect you to set up a meeting in mIRC, regarding more complex phishing site configurations.

Paypal

While perusing the Paypal directory I noticed that there was a possible paypal phishing tutorial located at  the free domain of DaveDaDon.  His motto: Touch ME? Neva. His domain is now suspended…

Ironically Touch ME? Neva guy who goes by the online name of DAVEDADON,  had the balls last year to post at the Microsoft Fóruns do Visual Studio.  Perhaps ego rides a wild donkey too?

Freewebs

DAVEDADON also allegedly provided a Freewebs phishing tutorial at his now defunct site. This was the one and only folder in the .rar that included a WARNING.

This warning, apparently intended to pose as a disclaimer against holding DaveDaDon liable for anything that smacked of criminal intent:

DaveDaDon is not playing nice with his phishing students either!

P-man is anonymous…He uses Twitter and Facebook to push traffic back to an anonymous website.  P-man has myriad Pakistani friends.  P-man affiliates with phishers, may be phishing,  and emulates  viral marketing.

Online age: 13-21

Country: Pakistan

Twitter: 1007 followers (affiliate marketer, filtered from Twitter search)

Facebook: Fan page, 104 followers (most download links lead back to P-mans blog)

Until Next time — Stay safe online!

Comcast

Comcast Corp, a U.S. high-speed Internet service provider recently released a ‘pop-up, in-browser automated alert service’ known as “Constant Guard.“   The trial system (currently available in Denver, Colorado) warns customers of potential virus infection, if their computer behaves as though it has been compromised by malware.  Aside from the automated alert, the customer will also receive email verification of the alert at their primary Comcast email account.

The alerts are triggered “when we see computers on our network that are doing things that are known bot activities–say, a computer is spewing out thousands of spam e-mails,” said Jay Opperman, senior director of security and privacy at Comcast. — cnet news

“As the nation’s largest residential Internet service provider, our goal is to provide a safe and secure Internet experience for our customers,” said Mitch Bowling, senior vice president and general manager of online services at Comcast. “The Constant Guard Security Program is the result of many years of working to assemble the right people, technologies and resources to help ensure our customers are protected from hackers and bots in real time.” –PR-Inside.com

Comcast customers currently have free access to McAfee Internet security software.  Overall, Comcast Corp is a major ISP leader and shining example of how an Internet Service Provider (ISP) can be supportive of Internet security initiatives, embrace social responsibility at the gateway, and stay proactive in the continuous fight against cybercrime.

Comcast has been ranked as one of the TOP 5 ISPs in Shadowserver.orgs Hall Of Fame “for going the extra mile in helping us rid the world of malware.”

ISPs in General

During a keynote presentation at the Virus Bulletin conference 2009, Head of Google’s anti-malvertising team,  Eric Davis, wanted ISPs to become more proactive in their approach in dealing with malware-infested computers on their networks.

“The ISPs are in the best position to detected [SIC] infected machines. They’re in the best place to do something about malware.  They already have monitoring systems that could be used to identify signs of malware and botnet activity…However, because ISPs have no monetary incentive to notify and help disinfect machines, the botnets live and thrive within ISP networks.”

Eric also recommended ISPs use the Australia Internet Security Initiative (AISI) as a model to fight malware.  The AISI group mandates minimum customer security levels and isolate infected machines into “walled gardens” until the malicious software is removed. Clap, clap, bravo Eric!

Finjan’s Malicious Code Research Center (MCRC) research reveals that malware is installed on computers when visiting compromised websites serving malicious code. Cough. Hey Twitter. Let’s not suspend the account of a prominent  researcher who helps thwart botnets and malware, why not just suspend the account of @softwaregenius who pushes malware urls to MALWAREREMOVALBOT?

“The sophistication of the malware and the staggering amount of infected computers proves that cybergangs are raising the bar,” said Yuval Ben-Itzhak, CTO of Finjan. “As big money drives today’s cybercrime activities, organizations and corporations need to protect their valuable data to prevent theft by these kind of sophisticated cyberattacks.” –PR Hub

Pekka Andelin, a Malware Analyst at Lavasoft asked this question earlier this year: “Should Internet Service Providers (ISPs) supply their customers with an Internet connection over a network feed that is clean from illegal Web content and malware – programs that could cause network lag, compromise system security and threaten user privacy? — ISP Level Malware Filtering, An Extended Clean Feed?

Pekka used the analogy of how a water company has to make sure that the water they provide via pipes is “uncontaminated and flows securely all the way to their customers’ water taps.”

Conclusion

Comcast, walled gardens, and water pipes, oh my!  What do they all have in common?  They are all a part of  the anti-botnet cornerstone that is pivotal in securing the foundation of our financial systems .  The Internet can no longer be stymied within the context of wild, wild west discourses.  Globally, there is too much at stake.  The old Internet is no more.

We now sit on the verge of a SUPER Internet that has the potential to bring down our financial systems worldwide.  Every time we get one step ahead of the bad guys, they reinvent, they morph, and they grow bigger. We have to learn to grow bigger too.  We must learn to embrace  social responsibility. In order to keep the new Internet safe, we have to let go of me, Me ME and work toward the good of the whole.

Until next time — Stay safe online!

Majority of spam I have been receiving for the past two weeks:
From: software_innovations5@setuta.com
Canonical name: lice.powatih.com
Addresses:
38.103.164.130

Some of the URLs in these campaigns attempt to immediately download the file after a few redirects to other sites. The majority of software download sites have shifty or no company information and remain secretive about their identity. Most sites push affiliate programs with 65%+ earnings.

Today I will briefly examine Spyware Nuker
8,646,618 registered users as of 08/16/2009, 5:46:59pm PST
None of the IPs listed are in the SBL.

I received this email last week:

New Update to fix Windows File Errors [software_innovations5@setuta.com]

File Error Notification – Instructions To fix File Errors in your Registry:
Your PC may be suffering from serious file errors in your WINDOWS registry which may be the reason why your PC is running so slow, or crashing and freezing from time to time. Also, these can lead to major system problems and possible memory leaks.

Below are instructions that will enable you to Increase Your Computer’s Speed, Power, Stability and Reliability in just a few minutes.

Press below to launch the Diagnostics Test download for no cost at all:
This URL instantly attempts to load errornukerinstaller.exe

Spam Path

Email URL: setupa.com [IP: 75.127.82.10 Error: 302] redirects to flxclick.com. [IP: 209.124.80.94 Error: 302]
flxclick.com redirects to 123.fluxads.com. [IP: 207.67.0.17 Error: 301]
The cookie from 123.fluxads.com attempts to set domain to:
directtrack.com (Online marketing and tracking systems)

Final Destination:

Open download from: Resolving hxxp://www.nukerdownloads.com IP: 64.18.156.154

When you check out “about us” at hxxp://www.nuker.com/ you are directed to hxxp://www.trekblue.com/about/

I think we should also go after the affiliates of these spam campaigns and make them responsible for trying to profit at our expense!

1. Make the company liable for the spam actions of affiliates – they must monitor their affiliates closely.
2. Provide name, address, references, and a working phone number of affiliate for public preview if the affiliate is involved in found to be involved in a spam campaign.
3. Two weeks prior to an affiliate sending out an email campaign bundle, the affiliate must certify with their company and with the state regarding how each email address was obtained.
4. Create a BAB (Better Affiliate Bureau) to rate affiliates along with their company. This would also be a place to lodge complaints.
5. No redirecting or disguising URLs and all domains must be fully disclosed in a whois: lookup. If redirects are used (for click purposes) this must be disclosed in the footnotes of the originating email.

Spamhaus.org has an excellent write up about how we should be controlling affiliate spammers.

Until next time — Stay safe online!

Though Waledac has not been high profile news since April 2009, it was still
functional even in stealth mode. The gist of Waledac, is that it can copy perfectly
legitimate web sites, send out an email with a link to the spoofed (cloned) site, and once
you click on the link in an email you end up on a spoofed site replete in visual deception.
Don’t be fooled though! Most Waledac image-propped sites will silently download
a binary executable file in order to enlist your computer into the Waledac botnet.

According to the Microsoft Malware Protection Center, “Waledac is a complex spam bot.
It also has the ability to download and execute arbitrary files, harvest email addresses from the
local machine, perform denial of service attacks, proxy network traffic and sniff passwords.”

Waledac social engineering tactics have mainly been launched around holiday scenes.
The July 4th fireworks (Independence Day) spam is a little different because they are
now enticing you to view a “fabulous” July 4 video at a fake Youtube page.  When this
video is viewed, the victim is offered an .exe file.  Once the .exe file is downloaded
the system will become infected with Waledac malware (WORM_WALEDAC.DU.)

You can visit TrendLabs for more information on the July 4th version of Waledac.

According to ESET “detection of the new variants of Waledac is quite low, with only a handful of anti-virus products detecting the newest threat.”

ESET also reminds us that Waledac is controlled via peer-to-peer networks receiving commands
from its controllers. The Waledac campaign main objective is ultimately always engaged in
utilizing the infected computers to send spam.

I just received a Waledac update yesterday from the Shadowserver mailing list. You can view the latest Shadowserver calendar entry here. They also have a comprehensive list of Waledac domains that you can block via a windows hosts file.  Home users can surf over to MVPS and SpyWareVoid to learn how to block these destructive sites.

Domain owners: Malware domain block list | Shadowserver

More Waledac information:

Waledac is back just in time to have a BANG on the 4th of July

Trendmicro provides a comprehensive view of the WALEDAC botnet [awesome article]: INFILTRATING WALEDAC BOTNET’S COVERT OPERATIONS

Until Next Time – Stay Safe!

On Tuesday Waledac was baaaaccckkk again anxiously Joe jobbing two adult foot fetish sites: barefootsies.com and ticklefootsies.com. ShadowServer theorizes that “Waledac is advertising/spamming/joe jobbing the same people again.”

Wikipedia describes Joe jobbing as “a spam attack using spoofed sender data and aimed at tarnishing the reputation of the apparent sender and/or induce the recipients to take action against him.”

During the April 1, 2009 campaign Waledac targeted Blizzard Image Hosting and it is believed by Shadowserver that the attack may not be random.  It was also noted by Shadowserver that the IP address 216.17.107.72 hosts Blizzard Image Hosting and also hosts the footsie sites currently being targeted by Waledac.

Tekblog note: IP 216.17.107.72 hosts 60+ domains (many inactive,) including adult content sites.

Safe surfing–Stay tuned!

Shockingly, I’ve noticed a definite drop in spam today.  Surprisingly Teksquisite’s Outlook junk folder does not hold one spam message. Of course I am delighted – almost every morning there is a minimum of at least a dozen new spam messages in the Tek junk folder.  My personal Gmail account was also down in volume today and only contained 23 spam messages which is about 1/4 of the spam that it normally holds.  I’m impressed!

Allegedly, McColo.com, a Silicone Valley spam source was taken down on Tuesday.  MSNBC reports that immediately after McColo was unplugged that security companies charted a precipitous drop in spam volumes worldwide.

“The servers are operated by McColo Corp., experts say has emerged as a major U.S. hosting service for international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via email.”

Sophos states that the company is alleged to have been hosting command-and-control (C&C) mechanisms for a number of large botnets, perhaps including Rustock, Srizbi, Dedler, Storm, Mega-D and Pushdo. When considered together these botnets are estimated to contain over 600,000 infected home computers capable of sending more than 100 billion spam emails per day, according to Wikipedia’s entry on botnets.

You can read the complete Sophos article here.

World expert on botnets, Gadi Evron, during his Pause For Reflection post on the linuxbox botnets list in October stated,  “Cyber crime is a war waged against the Western world. At first, no one even noticed and it was a niche.. an art. While the artists still exist, they are a minority, the hackers. For the criminals however, motive is as irrelevant as nationality. Whatever actions are taken, be it a political defacement, fraud or spam, the unavoidable secondary impact remains the same: damage to the Western economy and security in an exponential growth which will become ever clearer in the coming years.”

“Who is next on the target list?  I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.”

Stay Tuned!

Update: November 17, 2008

McColo.com briefly came online again last Saturday via connecting with Swedish ISP TeliaSonera giving cybercriminals running botnets out of McColo’s networks to take steps to preserve their operations. You can read the entire article here.

Teksquisite strongly believes that all E-mail service providers are responsible for stopping spam at the server.  We also realize that spoofing is not something an E-mail service provider can prevent.

When an E-mail service provider will not take responsibility for spammers or abusers who utilize their servers, somebody needs to make the rest of the internet community aware of the E-mail providers that refuse to protect legitimate customers.

During the next few months Teksquisite will be examing E-mail abuse and how various E-mail providers address these issues.

When it comes to email abuse MSN Hotmail takes reports of abuse seriously, investigates in a timely manner, and proactively shuts abusive accounts down within 48 hours.

Gmail does not respond to reports of abuse.  It appears that Gmail allows spammers and abusers to proliferate their servers at the expense of online safety.

~Stay Tuned!

Botnet trackers are still wondering this month what happened to the Storm botnet.  Storm’s command and control servers continue to remain unresponsive.   No doubt Storm is probably  evolving in the wild as something yet to be discovered.

Marshal security analysts  at TRACE ((Threat Research and Content Engineering) stated in the October 15 issue of Techlinks  ” While Microsoft certainly made a major contribution to the downfall of the Storm botnet, no one is clear on what precisely happened to Storm. Some suggest that the botnet was sold or morphed into another botnet and still continues to produce spam.”

Even if turns out that this lull was merely the quiet before a Storm surge, it’s unlikely that even a reinvented Storm — now at about 47,000 infected machines, according to Damballa — would ever operate at the massive size it once was, at close to a half-million bots at its peak in early January. This is likely the end of the era of massive botnets, and the beginning of a new generation of smaller, more targeted botnets, says Paul Royal, director of research for Damballa.

Storm used the tactic of using spam to spread malware on a mass scale that was unprecedented in January 2007.  Security experts dubbed this as “Malicious Spam.”

“Storm was one of the first botnets to use these tactics on a mass scale. It became the most successful botnet of its type and established the basic template for developing a spam empire that other botnets have since copied,” said Phil Hay, lead threat analyst for Marshal TRACE.

“They also led the way in using self-perpetuating malicious spam to grow the botnet. They utilised every social engineering trick and invented quite a few of their own.”

Wikipedia describes The Storm botnet as “a remotely-controlled network of “zombie” computers (or “botnet”) that has been linked by the Storm Worm, a Trojan horse spread through e-mail spam. “   Storm uses social engineering technicques via email providing storm-related subject lines and links in the infected email to infectious websites.

Wikipedia further explains The botnet, or zombie network, comprises computers running Microsoft Windows as their operating system.  Once infected, a computer becomes known as a bot. This bot then performs automated tasks—anything from gathering data on the user, to attacking web sites, to forwarding infected e-mail—without its owner’s knowledge or permission.

Storm first derived it’s name in January 2007 with a first delivery of spam consisting of fake news headlines that linked to malware.  Coincidentally this first batch of spam occured during severe winter storms in Europe.  Storm’s early campaigns used headlines that described lethal storms in Europe.

The two possible avenues of attack that STORM used:

1- Spam with links to fast-flux sites utilizing operating system vulnerabilities
2- Injection of malicious iFrame tags into legitimate websites utilizing third-party applications such as WordPress.   (with links to malware that download seamlessly to the uer machine.)

December 20, 2007 one of Tesquisites sister domains was hit with a malacious iframe attack pushing a rather large MPack compromise which ironically was traced back to the Russian Business Network (RBN).

Storm Timeline:

Jan 2007: Storm botnet comes to prominence with the headline “230 Dead as Storm Batters Europe” and rapidly infects hundreds of thousands of computers in a matter of days.

Feb 2007: Storm’s next campaigns feature malicious executable attachments. But, the Storm controllers quickly change tactics to drive-by malware provided through URL links when they realize that attachments are often detected by anti-spam/anti-virus solutions.

Feb-Sep 2007: Storm uses fast flux DNS to avoid detection and ever-changing malicious spam campaigns to infect as many as 1 million computers worldwide. Storm’s self-perpetuating malicious spam campaigns establish the templates for other would-be botnet spammers to develop their own botnets.

Sep 2007: Marshal announces Storm has become the single biggest spam producer by volume and attributes 20 percent of all spam globally to Storm. This is the peak of Storm’s dominance.Microsoft targets Storm with the Malicious Software Removal Tool, cleaning almost 275,000 infected computers in the first month.

Oct 2007: – Jan 2008: Storm dwindles steadily down to just 2 percent of spam according to Marshal. Microsoft claims credit for reducing the Storm threat with MSRT.

Jan-Sep 2008: Storm is never a major spam player again. Rarely exceeding 1 percent in Marshal’s spam statistics, Storm carries on at a trickle compared to other botnets – the top botnets now routinely exceed 20 percent of spam and cumulatively account for over 90 percent of spam in circulation.

Sep 2008: Marshal’s TRACE security analysts conclude that Storm has stopped sending spam.