Pump'n'Dump spam botnets: new rootkit-enabled malware

Here's a quick overview of the latest happenings in the world of stock-kiting botnet malware.

In case you've been living in a cave for months, stock-kiting spam (AKA pump'n'dump spam) is a huge part of most people's inbound spam right now. Most of it's being sent by botnets (networks of malware-infected PCs).

The key news is a nasty new variant in the CME-711 family of Trojan horses (AKA Trojan.Peacomm, TROJ_SMALL.EDW, Small.DAM, Downloader-BAI, Troj/Dorf-Fam).

It uses a simple-yet-effective social engineering technique to fool unwary recipients into opening an executable. It promises video of Saddam Hussein, European storms, Chinese missiles, or other breaking news, designed to make people put their critical faculties to one side (assuming they had any in the first place ;-).

Symantec's Amado Hidalgo has an in-depth writeup of how the Trojan builds a botnet. Money quotes:

The bot ... has fully fledged rootkit capabilities, albeit not very sophisticated. It would appear that the malware writers were in a rush to get the new version out as quickly as possible and some functionality of the rootkit has not been implemented correctly ... So, what is the purpose of all this renewed activity, you ask? The primary goal is to create a botnet that sends tons and tons of penny stock spam.
...
We saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped.

Interesting. In my next post, I'll talk about how timing is all-important when running a stock-kiting scam.
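The burst behaviour Symantec describes (roughly 1,800 messages from one infected machine in five minutes, then silence) is exactly the kind of thing a mail-relay or egress log can be watched for. The following is an added example, not code from this post or from Symantec: a sliding-window counter over relay log lines that flags any internal host exceeding a per-window send threshold. The log format, the host addresses, the threshold value and the sample log are all constructed assumptions for the demonstration.

```python
"""Rate-based detector for an outbound spam burst from a single host.

Added example (not from the original post or from Symantec). It scans
constructed mail-relay log lines and flags any client host whose sends in
a sliding five-minute window exceed a threshold, mirroring the quoted
~1,800-messages-in-five-minutes burst.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical relay log format (an assumption, not a real MTA's format):
#   <ISO-8601 timestamp> relay=<client ip> rcpt=<recipient>
LOG_RE = re.compile(r"^(\S+) relay=(\S+) rcpt=(\S+)$")

WINDOW = timedelta(minutes=5)
THRESHOLD = 500  # messages per host per window; tune to the site's normal volume


def parse_line(line):
    """Return (timestamp, host, recipient) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {host: (window_start, peak_count)} for every host whose message
    count inside any sliding window exceeds `threshold`.

    One deque of timestamps is kept per host; timestamps older than `window`
    relative to the newest message are dropped from the front, so the deque
    length is the count in the current window.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected format
        ts, host, _rcpt = parsed
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            first, peak = alerts.get(host, (q[0], 0))
            alerts[host] = (first, max(peak, len(q)))
    return alerts


def constructed_log():
    """Build a synthetic log (constructed, not captured): two hosts sending
    one message a minute for two hours, plus one host that fires 1,800
    messages in 300 seconds starting at 09:30 and then goes silent."""
    start = datetime(2007, 1, 22, 9, 0, 0)
    lines = []
    for i in range(120):
        t = start + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} relay=10.0.0.5 rcpt=a{i}@example.net")
        lines.append(f"{t.isoformat()} relay=10.0.0.6 rcpt=b{i}@example.net")
    burst_start = start + timedelta(minutes=30)
    for i in range(1800):
        t = burst_start + timedelta(seconds=i / 6)  # six messages per second
        lines.append(f"{t.isoformat()} relay=10.0.0.9 rcpt=x{i}@example.org")
    lines.sort()  # a real relay log is chronological; ISO timestamps sort lexically
    return lines


if __name__ == "__main__":
    for host, (since, peak) in find_bursts(constructed_log()).items():
        print(f"burst from {host}: {peak} messages in one window starting {since}")
```

The threshold is deliberately a parameter: a legitimate mail server will exceed 500 messages in five minutes, so in practice the rule is applied to workstation address ranges, or to hosts that should never be talking to port 25 at all, and the alert feeds an egress block rather than a mailbox. Because the deque holds only timestamps inside the window, memory per host stays bounded by the burst size rather than by the log length.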
