Feb 21, 2011 06:13 GMT

A security researcher has identified a new pharma spam botnet that uses fast-flux techniques to make it more resilient to takedown attempts.

Dubbed "Wibimo," the botnet was discovered by Joe Stewart, director of malware research at Dell's SecureWorks Counter Threat Unit, who presented it at the recent RSA security conference.

"I don't think it's huge. But it feels like a new botnet. It doesn't mesh with what we've seen," said Stewart, who, according to Dark Reading, finished analyzing the malware shortly before his talk.

The fast-flux technique involves rapidly rotating the DNS records for a hostname through a pool of IP addresses, so that if any one address is taken down the hostname stays online.
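Because the technique leaves a characteristic footprint in DNS, defenders can spot it by resolving a hostname repeatedly and watching how the answers churn. The following is an added example, not code from the article or from SecureWorks: a small heuristic that groups repeated A-record lookups by hostname and flags those whose answers cycle through many IPs in many unrelated /16 prefixes with short TTLs. The lookup records are constructed sample data, and the thresholds (TTL at most 300 seconds, at least 10 unique IPs, at least 5 distinct /16 prefixes) are assumptions chosen to separate the three constructed hosts, not values from the article.

```python
"""Heuristic fast-flux detector over repeated DNS A-record lookups.

Added example, not from the article or from SecureWorks. All lookup data
below is constructed; the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Lookup:
    host: str      # queried hostname
    ts: int        # time of the lookup, seconds since some epoch
    ttl: int       # TTL carried by the A records in this answer
    ips: tuple     # A records returned by this answer


def slash16(ip: str) -> str:
    """Collapse an IPv4 address to its /16 prefix, a rough proxy for 'unrelated networks'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def fluxiness(lookups, ttl_max=300, min_ips=10, min_prefixes=5):
    """Summarise each hostname's answer churn and flag fast-flux-like behaviour.

    Returns {host: {"unique_ips", "unique_prefixes", "max_ttl", "flagged"}}.
    A host is flagged only when all three signals agree: short TTLs, many
    distinct addresses, and those addresses spread over many /16 prefixes.
    The prefix test is what keeps an ordinary CDN (many IPs, one network)
    from being flagged.
    """
    by_host = defaultdict(list)
    for lk in lookups:
        by_host[lk.host].append(lk)

    summary = {}
    for host, items in by_host.items():
        ips, prefixes, max_ttl = set(), set(), 0
        for item in items:
            ips.update(item.ips)
            prefixes.update(slash16(ip) for ip in item.ips)
            max_ttl = max(max_ttl, item.ttl)
        flagged = (max_ttl <= ttl_max
                   and len(ips) >= min_ips
                   and len(prefixes) >= min_prefixes)
        summary[host] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "max_ttl": max_ttl,
            "flagged": flagged,
        }
    return summary


def flagged_hosts(lookups, **thresholds):
    """Convenience wrapper: sorted list of hostnames that look fast-fluxed."""
    return sorted(h for h, s in fluxiness(lookups, **thresholds).items() if s["flagged"])


def sample_lookups():
    """Constructed sample data (not real observations), six lookups per host."""
    data = []
    # Flux-like host: TTL 60, every answer brings three fresh IPs in three new /16s.
    for i in range(6):
        ips = tuple(f"10.{i * 3 + k}.{i}.{k + 1}" for k in range(3))
        data.append(Lookup("flux.example", ts=i * 60, ttl=60, ips=ips))
    # CDN-like host: short TTL and many IPs, but all inside one /16 prefix.
    for i in range(6):
        ips = tuple(f"172.16.{i}.{k + 1}" for k in range(3))
        data.append(Lookup("cdn.example", ts=i * 60, ttl=30, ips=ips))
    # Ordinary host: one stable address with a long TTL.
    for i in range(6):
        data.append(Lookup("static.example", ts=i * 60, ttl=3600, ips=("192.0.2.10",)))
    return data


if __name__ == "__main__":
    for host, stats in fluxiness(sample_lookups()).items():
        print(host, stats)
    print("flagged:", flagged_hosts(sample_lookups()))
```

On the constructed data only `flux.example` is flagged: it shows 18 addresses across 18 different /16 prefixes at a 60-second TTL, while `cdn.example` has just as many addresses but all in one prefix, and `static.example` never changes. In practice the lookups would come from passive DNS or a resolver log rather than an in-memory list, and the prefix grouping would usually be replaced by ASN lookups, but the shape of the signal is the same.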

The first malware to use fast-flux was Storm, one of the most successful botnets of all time. At its peak, in 2007, it was composed of millions of infected computers and could take entire countries off the Internet.

This led researchers at the time to expect that fast-flux would become the de facto technique used by botnets. That never really happened, however, because malware writers favor simplicity.

Each Wibimo infection acts as a proxy server and can host a pharma spam site, which makes it hard for researchers and anti-spam groups to close them down, especially if the domains were registered with a registrar unresponsive to abuse reports.

In addition to pharma spam, the botnet is also part of a pay-per-install scheme, where other cybercriminals pay its authors to distribute their malware.

Victims infect their computers with Wibimo by visiting malicious links spread via email. The malware has four separate modules: a proxy Trojan, a DNS proxy, a reverse-HTTP proxy and a system information gathering component.

The botnet package might be available for purchase on the underground market, in which case the separation into modules makes sense because it offers more selling options.

According to Stewart, the data so far points to a Russian author, and one that is above average when it comes to writing malware. "Fast-flux is harder to pull off... you have to be at a slightly higher programmer level," the researcher said.