Pump-and-dump bot war?
In one scenario spotted by Websense Security Labs, two separate spam runs were launched earlier this week, attempting to lure targets into buying a penny stock.
It was the usual image spam that included a Web forum component where the stock was also being pumped on financial newsgroups and Web forums.
However, according to Websense, the second spam message -- sent hours after the original -- had a noticeable link embedded at the top. The link pointed to a compromised Web server that was rigged with a downloader from a do-it-yourself malware creation kit called "RootLauncher."
RootLauncher, which is available for sale at underground hacker sites, includes scripts that simplify the task of infecting computers and sending sophisticated spam e-mail).
Websense discovered that the malicious code that gets downloaded and run has the sole purpose of turning making the target machine inoperable. "[It] does nothing except reboot your machine over and over. Users have to boot into safe mode or off a disk and clean the machine in order to make it work again," the company explained.
This is a clear sign that the second spam run is not affiliated with the first. As Websense speculates, the motive behind disabling the victim's computer might be linked to the fact that a competing spam group wants to prevent the sale of the penny stock after it had been purchased.
It could also mean that a rival bot herder took control of a botnet and modified the e-mail with the added link, all part of a plot to disrupt the scam.