Mega-D sticks it to Storm in spam contest

Summary:A botnet used solely to send junk e-mail promoting penis enlargement products has taken over from the Storm botnet as the most prolific sender of spam, according to security researchers.

A botnet used solely to send junk e-mail promoting penis enlargement products has taken over from the Storm botnet as the most prolific sender of spam, according to security researchers.

The botnet Mega-D -- so named because of the products being offered by the spam it generates -- now accounts for 32 percent of all spam being captured by security firm, Marshal.

"This exceeds the level of spam being generated by the Storm botnet at its height, which was at 21 percent of the total spam we captured," Marshal VP of products Bradley Anstis told ZDNet.com.au. "Storm has now reduced to less than two percent of the spam we're tracking at the moment."

Efforts by antivirus vendors and initiatives such as Microsoft's malicious software removal tool have helped counter the spread of the Storm botnet, said Anstis. However, botnet operators appear to be applying lessons learned from the reaction against Storm. Unlike the Storm botnet, which attracted too much media attention, the operators of Mega-D are growing the number of bots they control because they have received little exposure, he added.

However, Anstis said Mega-D is gaining momentum through regions such as Asia and North America -- mimicking spread of the Storm botnet -- which are characterised by high broadband penetration and low antivirus protection.

And like Storm, Mega-D's controllers are using trojans which change on a regular basis to avoid signature-based detection, and working on a distributed peer-to-peer basis to prevent it being shut down. The trojan also turns itself off when it detects it is within a virtualised environment -- commonly used by AV vendors to analyse and report on spam.

"It turns itself off if it runs into a virtualised environment. AV vendors use this for virus analysis so if it detects this it turns itself off and pretends it's not there. It can tell if it's running on a VMware shell or other virtualised shells," said Anstis.

This was one of the features the operators of the Storm botnet did not develop until June last year, he added.

The main method of infection is by luring potential victims to visit fake Web pages and mimicking social networking sites. "They're using Facebook by creating e-mail messages that look like Facebook invites to view information. But when you click on the link it tells you to update your Flash Player. When you do that you're actually installing the trojan," said Anstis.

In order to maintain the deception, the victim will then actually be able to view the content being offered through the link.

According to Marshal's research, 70 percent of all spam is coming from five botnets: Mega-D, Pushdo, HTML, One Word Sub and Storm.

Topics: Broadband, Malware, NBN, Security

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.