Botnet Operators Gearing Up for Valentine’s Day

Every year around this time, spammers send out millions of spam messages related to Valentine’s Day. This year, they’re making a particularly strong effort to regain lost ground.

Spammers are trying to regrow their botnets to make up for the loss of botnet host McColo, which was taken down in November. That shutdown slashed spam levels worldwide by up to 70 percent.

“The amount of Valentine’s Day-related spam we’re seeing this year is 50 percent higher than last year,” Adrian Duigan, product marketing manager at Web and e-mail security vendor Marshal8e6, told

The spammers’ increased activity bears out predictions made last month by Google (NASDAQ: GOOG) that spammers would try to regrow their botnets this year.

As they always do around this time of year, spammers are sending out e-mails with subject lines containing keywords such as “Valentine’s Day,” “February 14,” “Love,” or claiming the recipient has received a Valentine’s Day card. These e-mails contain links that either serve up advertisements or redirect the victim to another site where malware is downloaded to take over the victim’s computer.

Some sites have pictures of hearts or puppies and ask visitors to guess which one is for them. When a visitor clicks anywhere on the site, it downloads Trojans named onlyyou.exe or youandme.exe, which can connect to remote command and control Web sites and receive commands from them or send information to them about the victim’s PC, Carl Leonard, threat research manager at Web security vendor Websense, said in an e-mail.

Or, they post links on victims’ blogs or social networking sites such as Facebook, Twitter and MySpace. They also send out e-mails to people purporting to be from their friends’ social networking sites. Clicking on these e-mails downloads a banking Trojan which will steal the victims’ online banking login credentials, Leonard said.

At least four botnets – Cutwail, Pushdo, Donbot and W32/Waledac – are involved. According to Marshal8e6’s blog, Pushdo and Donbot are focusing on advertisements for pornographic material and male enhancement drugs, while W32/Waledac is focusing on building up its botnet.

W32/Waledac, which could be worse than the notorious Storm worm, first emerged in December, sending out bogus holiday e-cards.

Stopping or tracking the spammers is difficult because they are using advanced technology, Stephan Chenette, manager of security research at Websense Security Labs, told The botnets communicate over encrypted HTTP channels to evade detection, Chenette said. In addition, they use fast flux DNS, a technology that brings up a new server if the current one is blacklisted by Internet service providers (ISPs) for spamming.

Also, the spam gets around antivirus applications because it changes every time, Websense Security Labs’ Chenette said. “The botnet operators are using completely polymorphic executables so every time someone is redirected to a site with their malware they get one with a brand new binary,” he explained.
