Researchers Hijack Storm Worm to Track Profits

A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study on the economics of spam.

Over a period of about a month in the spring of 2008, researchers at the University of California, San Diego and UC Berkeley sought to measure the conversion rate of spam by quietly infiltrating the Storm worm botnet, a vast collection of compromised computers once responsible for sending an estimated 20 percent of all spam.


The teams at Berkeley and UCSD conducted the experiment by impersonating a key component of the Storm worm network used to hand off instructions from the worm's master control servers to the "worker bots" -- the tens of thousands of infected end-user systems that do all the spamming.

This allowed them to redirect a subset of the spam to virtual storefronts created by the researchers to mimic the pharmaceutical Web sites advertised by the real Storm spam.

The dummy sites were fully functional until the instant when a visitor, who had loaded up his shopping cart, tried to check out. Before the visitor could enter credit card and shipping information, the servers were designed to return a site error message, so that the researchers never gained access to buyers' personal information and the buyer was unable to make a purchase.


After 26 days, the Storm worm sent 350 million e-mails advertising the researchers' counterfeit pharmacy sites. Only 28 would-be sales resulted, and all but one of the potential clients ordered male enhancement drugs. The average "buy" from each "sale" was about $100, which would have totaled roughly $2,731 for the researchers.

"Our study interposed only a small fraction of the overall Storm network - we estimate roughly 1.5 percent based on the fraction of worker bots we proxy," the researchers wrote. "Thus, the total daily revenue attributed to Storm's pharmacy campaign is likely closer to $7,000 or $9,500 during periods of campaign activity."

While the researchers hijacked hundreds of millions of Storm worm e-mails pitching knockoff drugs and bogus sites designed to foist malware on unsuspecting users, their actual results were based only on the relatively few missives that actually made it into recipients' in-boxes. The research team estimates that about three-quarters of all e-mail sent by the Storm worm was snagged by junk e-mail filters, ISP blacklists, and other e-mail security applications.

"Under the assumption that our measurements are representative over time, we can extrapolate that... Storm-generated pharmaceutical spam would produce roughly $3.5 million dollars of revenue a year," the team concluded.

Still, the researchers acknowledge their figures don't take into account perhaps the most profitable aspect of the pharma spam business: The repeat customer who comes back time and again to purchase refills.

The study also presents alarming evidence of just how many people actually click on links in unsolicited e-mail, a key propagation method used by much of today's malware.

According to their research, about ten percent of those who clicked on the link designed to spread the malware ended up running and installing the malware. Again, extrapolating out from their limited access to the Storm botnet, the researchers concluded: "By the same logic, we estimate that Storm self-propagation campaigns can produce between 3,500 and 8,500 new bots per day."

To determine Storm's spread rate, the research team hijacked e-mails that Storm sent as part of its daily campaign to infect new machines. The researchers redirected about 120 million of these propagation e-mails to their own fake download sites, which merely recorded the number of visitors who actually clicked the link.

"One in 10 people clicking through to receive the malware is a pretty sobering number," said Stefan Savage, associate professor in the systems and networking group at UCSD and one of the lead researchers on the study. "That suggests that the ability of the worm's authors to grab even more victims is little more than a marketing issue."

A copy of the academic paper is available here (PDF).

By Brian Krebs  |  November 6, 2008; 5:39 PM ET
Categories: Fraud, From the Bunker, Web Fraud 2.0

Comments

Wow. One in ten will click on a link in an unsolicited email. That is incredible.

Posted by: lostinthemiddle | November 6, 2008 11:02 PM | Report abuse

The morons who respond to spam are responsible for all the spam the rest of us have to deal with.

Posted by: khote14 | November 7, 2008 12:52 AM | Report abuse

"Under the assumption that our measurements are representative over time, we can extrapolate that... Storm-generated pharmaceutical spam would produce roughly $3.5 million dollars of revenue a year," the team concluded.

Still, the researchers acknowledge their figures don't take into account perhaps the most profitable aspect of the pharma spam business: The repeat customer who comes back time and again to purchase refills.
---------------------------------------
Interesting

I was always of the impression that these sites were likely frauds, which merely ripped off the consumer, sent nothing, collected the bucks and then split.

My one experience trying to buy 'hot software' [a $10 purchase of an alleged hacking book] downloaded only pages 1-25 and then wanted me to keep going somewhere else for the next download. I figured they got ONLY my $10 rather than much more for a hot copy of a major suite, etc.

Posted by: brucerealtor@gmail.com | November 7, 2008 4:53 AM | Report abuse

I find it amusing that their spelling of the awesomepostcard(s).com domain wasn't even consistent.

"Awesome postcards" and a clip art banana. So utterly banal, it's genius.

Posted by: pwfisher | November 12, 2008 12:54 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company