Windows PCs infected with the Conficker worm have turned into junk mail-spewing robots capable of sending billions of spam messages a day, a security company warned today.
According to Kaspersky Lab, a Moscow-based antivirus firm, yesterday's update to Conficker, which in some cases was accompanied by the Waledac spam bot, has resulted in a floodtide of junk e-mail.
“In just 12 hours, one bot alone sent out 42,298 spam messages,” said Kaspersky researcher Alex Gostev in a message Friday. “A simple calculation shows that one bot sends out around 80,000 e-mails in 24 hours. Assuming that there are 5 million infected machines out there, the [Conficker] botnet could send out about 400 billion spam messages over a 24-hour period!”
The spam is pitching pharmaceuticals exclusively at the moment, said Gostev, primarily erectile dysfunction medications such as Viagra and Cialis, with message subject headings, including “She will dream of you days and nights!” and “Hot life — our help here. Ensure your potence [sic] today!”
Gostev also noted that almost every message contained a unique domain in the embedded link, a tactic spammers sometimes use to side-step antispam filters, which analyze the frequency that any one domain is used. “We detected the use of 40,542 third-level domains and 33 second-level domains,” said Gostev. “They all belonged to spammers and the companies that ordered these mailings.”
Most of the domains are hosted in China, he added.
Conficker, the worm that first appeared in November 2008, exploded in early 2009 to infect several million machines and set off a near-panic as an April 1 trigger date approached, was fed a new version early Thursday that restored its ability to spread and beefed up its defenses against security tools. If it successfully updated an already-infected PC, Conficker.e — as the new variant has been labeled — also downloaded and installed a noted spam bot, Waledac.
Waledac has its own checkered history, in that it's assumed to have been created by some of the same hackers who operated the notorious Storm botnet during 2007 and 2008.
The spam coming from Conficker.e-infected systems is actually generated and sent by the Waledac bot Trojan.
Some Conficker bots have also downloaded and installed Spyware Protect 2009, one of the many “scareware” programs in circulation. Scareware is the term given to fake anti-malware software that generates bogus infection warnings and then nags users with endless alerts until they pay to $50 to buy the useless program. According to Microsoft, the scam — also called “rogue software” — is one of the biggest threats to Internet users. In the second half of 2008 alone, Microsoft's anti-malware tools cleaned nearly 6 million PCs of scareware-related infections.
Yesterday, another researcher raised the alarm about the new Conficker and the software it drops, saying that the spam and scareware angles were clearly the first solid evidence of how the worm's makers planned to profit from their crime. “I don't want to be a scaremonger,” said Kevin Hogan, director of security response operations at Symantec Corp. “But the situation now, as Conficker does go back to propagating, is actually more serious than a couple of weeks ago.”