Storm Botnet Zombie computers now hosting spam web pages
I analyze the sources and destinations of the various types of spam I capture in my honeypot accounts, and I've begun seeing numeric IP links in spam for fake pharmacies. The numeric links point to Windows-based PCs that are Zombie members of the Storm Trojan Botnet, compromised because they did not have all available patches or good security programs installed and updated. These compromised computers are, unknown to their owners, hosting web pages containing advertisements for fake pharmacies, counterfeit drugs, and male/female enhancement solutions.
As my regular readers already know, virtually all numeric links in spam messages are actually the IP addresses assigned to the modems of residential or business customers of DSL and cable Internet companies. The people who think they own these computers are not aware that their computer is now owned by a criminal Botmaster, who has herded millions of insecure PCs into his network, called a Botnet. Most of the numeric links in spam messages are sent by computers in the "Storm" Botnet, the world's largest at this time. Each one of these computers is acting like a "sleeper agent," behaving normally until its Botmaster sends it a remote command: to send spam, to launch a denial of service attack, or to receive a web page and file that it will host, to infect curious web surfers who are enticed there by cleverly worded spam messages.
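As an added example (not code from the original post), here is a small Python triage script of the kind used to pull numeric-host links out of captured spam and count which public addresses are being used as hosting zombies. The sample messages and addresses are constructed, using the IANA documentation ranges; the non-routable range list is an assumption chosen so that such documentation addresses are still counted as "public".

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Matches URLs whose host is a dotted quad rather than a domain name,
# e.g. http://203.0.113.45/ or http://198.51.100.7:8080/index.html
NUMERIC_URL_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)

# Address blocks that cannot belong to a zombie on a residential or business
# modem (assumption: RFC 1918, loopback, link-local, CGNAT, multicast/reserved).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def extract_numeric_links(message: str) -> list[tuple[str, int]]:
    """Return (ip, port) for every numeric-host link in one spam message.

    Malformed dotted quads (e.g. 999.1.1.1) are rejected by ipaddress, and
    links into non-routable space are dropped as they cannot be zombies.
    """
    found = []
    for host, port in NUMERIC_URL_RE.findall(message):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        if any(addr in net for net in NON_ROUTABLE):
            continue
        found.append((str(addr), int(port) if port else 80))
    return found

def tally_hosting_zombies(messages: list[str]) -> Counter:
    """Count in how many captured messages each numeric host appears."""
    tally: Counter = Counter()
    for msg in messages:
        for ip, _port in set(extract_numeric_links(msg)):
            tally[ip] += 1
    return tally

# Constructed sample spam (documentation-range addresses, not real zombies).
SAMPLE_SPAM = [
    "Be my Valentine! See my card at http://203.0.113.45/valentine.html",
    "Cheap pills, discreet shipping: http://198.51.100.7:8080/pharma/",
    "Your order is ready: http://203.0.113.45/order.php?id=7",
    "Ignore this link http://192.168.1.10/ and this one http://999.1.1.1/",
    "Legit newsletter at http://example.com/news",
]

if __name__ == "__main__":
    for ip, count in tally_hosting_zombies(SAMPLE_SPAM).most_common():
        print(f"{ip:<16} seen in {count} message(s)")
```

Hosts that recur across many messages are the ones worth reporting to the owning ISP's abuse desk.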
We are 11 days away from this year's Valentine's Day celebration, and the Storm Botnet is already busy generating love messages to sucker as many people as possible into infecting their own computers by following links in spam messages sent from other Storm Botnet zombie computers. Now you also have them using pharmaceuticals and male enhancement as bait. The authors of these messages, while being 100% criminals, are nonetheless brilliant at social engineering. They jump on major news stories and rewrite the scripts their zombie computers use to send spam runs, putting current topics in the subject or body, all linking to infected computers that attempt to spread the Trojan to every sucker who is sent to them. Don't be one of those suckers!
I discuss how the Storm Trojan uses hidden rootkit technology to hide its presence from the computer owners, in my extended comments.
If you are using a Windows-based computer and are operating it with administrator-level privileges, you are at risk from all manner of malware threats. Most, if not all, malware requires full administrator privileges to properly install its components into the operating system of Windows computers. Users who are smart about these matters have learned to operate as Limited, Standard, or Power Users, especially Windows Vista customers, where this is the standard setup. These types of accounts are less or least privileged and often require extraordinary physical interaction to even install an update to some programs. I operate as a Power User and have to jump through hoops sometimes, but it is well worth the protection this offers me against drive-by downloads, or threats embedded in hijacked web pages or servers. It also protects me and others running with reduced privileges from "rootkits."
Rootkits are computer programs and services that are able to completely hide their existence behind the workings of the operating system into which they are hooked. Although there are some tricks that can be used to reveal their presence, like trying to create a new file or folder with a particular file name, that won't always work on the newest variations of these stealthy applications. Rooting out rootkits takes big guns.
The current version of the Storm Trojan hides its presence from visible detection by employing rootkit technology. The criminal Botmaster who planted it on your computer doesn't want you to know that it is there. He is making lots of money by exploiting your PC. This type of infection is difficult to detect by normal anti-virus methods and requires advanced anti-rootkit applications that have special detection engines. Most of the top anti-virus and anti-spyware programs have been updated recently to ferret out rootkits, but they require constant online updates to know about the latest changes to those hidden applications. If you have a security program that is capable of detecting and removing rootkits, but haven't updated it in a month, you had better do that right now, then scan for malware of any kind that you may have inadvertently picked up. If your security program is more than 6 months old it may not be able to even detect such a threat.
Here are some links to reputable companies that have security products capable of detecting rootkits.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.