Step 1 – infect millions of computers. Step 2 – ?

Someone somewhere is trying hard.

The “someone” is a cybercriminal or organization, and since the 8th of August they have been trying hard to infect millions of computers worldwide. The purpose of this vast computing force is still not clear. 

The attacks of the last month have made extensive use of email-attached malware, resulting in abnormally high volumes of malware-carrying email. The increase is clearly illustrated in the graph below. Pre-outbreak levels varied between a few hundred million and around 2 billion such emails per day. At the peak of the outbreak, nearly 25 billion emails with attached malware were distributed in a single day.

The various peaks each represent different “themes” used to trick users into opening the attachments:

  • UPS/FedEx – certainly not a new tactic, but clearly still effective. Recipients receive a notification of a package that is due to arrive or has been held up, with more details promised in “the attached notice”.
  • Map of love – promising juicy information about global sites of “interest”. The attached “map” displays a PDF icon but is actually an executable file.
  • Hotel charge error – recipients are informed about an erroneous hotel bill. The attachment's filename contains a Unicode direction-override character which reverses the display order of the last characters of the name: the file actually ends in “cod.exe”, but the user sees “exe.doc” and assumes that the attached document will provide details about the incorrect charge.
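The two filename tricks above (an executable behind a document icon, and a name whose last characters are displayed reversed) can be caught at the mail gateway before a user ever sees the icon. The following Python is an added example, not code from the original post or from the vendor behind it; it assumes the reversal mechanism is the Unicode right-to-left override (U+202E), which is the standard way to produce the “cod.exe” to “exe.doc” effect, and the sample filenames are constructed for the example:

```python
# Unicode bidirectional controls change how a string is displayed without
# changing its bytes.  U+202E (RLO) is the one assumed behind the "exe.doc" trick.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions Windows will execute, and extensions a victim expects to be harmless.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "txt", "jpg", "png", "html"}


def strip_bidi(name: str) -> str:
    """The name as the filesystem sees it: control characters removed."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate a naive renderer: after U+202E, characters are shown in
    reverse order until U+202C (pop) or the end of the string.  Other bidi
    controls are invisible and are dropped.  Enough to reproduce cod.exe -> exe.doc."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze_attachment_name(name: str) -> dict:
    """Flag attachment names that disguise an executable as a document."""
    real = strip_bidi(name)
    shown = displayed_name(name)
    findings = []

    controls = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    if controls:
        findings.append("bidi-control:" + ",".join(controls))

    real_ext = extension(real)
    if real_ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension:" + real_ext)
        # Displayed extension looks like a document while the real one executes.
        if extension(shown) in DOCUMENT_EXTENSIONS:
            findings.append("displayed-as:" + extension(shown))
        # "map.pdf.exe": a document extension buried before the executable one.
        parts = real.lower().split(".")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append("double-extension:" + ".".join(parts[-2:]))

    return {"stored": real, "displayed": shown, "findings": findings}


def scan(names):
    """Return only the names that produced findings, in input order."""
    return [(n, analyze_attachment_name(n)["findings"])
            for n in names if analyze_attachment_name(n)["findings"]]


# Constructed sample attachment names (not taken from a real campaign).
SAMPLE_NAMES = [
    "Hotel_charge_\u202ecod.exe",   # displays as Hotel_charge_exe.doc
    "map_of_love.pdf.exe",          # PDF-looking name, executable extension
    "UPS_notice_12345.pdf",         # benign
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_NAMES):
        print(repr(name), findings)
```

A name check like this is only a first filter: a gateway should also inspect the attachment's actual content (for example its magic bytes and whether it is a PE image) rather than trust any extension, since the stored name can be changed freely by the sender.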

A review of several end-user forums reveals that the email campaigns have been successful, with many users having opened the malware attachments. The infection rate is generally linear – the more malware is emailed, the greater the final number of infections. Once opened, the malware contacts external servers and downloads several further malware files, which are then run on the infected machine. The purpose of these files is unclear.

Although these emails are unwanted and unsolicited, we don’t define them as “spam” due to the attached malware. This is an important distinction since it allows us to differentiate between malware distribution, and spam distribution which is generally focused on product “marketing”.

In the past, large malware outbreaks have resulted in the expansion of botnets, which were then used to send large volumes of spam. Malware distribution was therefore a means of increasing spam distribution, but this does not seem to be the case now. The spam levels of the past few months are shown below, with the flat, generally decreasing trend clearly visible.

Spam levels have been at their lowest in years following the Rustock botnet takedown in March. The malware outbreaks of the last month do not appear to have had any effect on these levels.

Consider the effort that has gone into creating the different email themes, templates, and of course undetected variants of malware in the past month. And consider the size of the attacks relative to the levels of the preceding months – increases of hundreds of percent.

Where is the payoff for those behind this activity?

What is the purpose of all of these newly created bots?

Some possibilities:

  • Spam – so far the bots haven't been used to send spam (see above)
  • Distributed denial of service (DDoS) – no reported large-scale attacks yet
  • Stealing banking credentials – no reported increase in bank fraud yet
  • Stealing Facebook/Gmail/Yahoo accounts – no report of a substantial increase in compromised accounts, and in most cases these would be used to send spam anyway
  • Some other evil activity – we just haven't heard about it yet (maybe we never will)
  • Preparation for some large-scale, internet-wide attack

To be continued… (maybe).