Wednesday, September 26, 2007

Websense: Storm Worm Chronology

Via Websense Security Labs.

The notorious "Storm Worm" series of spam attacks is interesting for several reasons. One, of course, is its simplicity as a social engineering attack. The lures are presented as very short, simple emails, enticing the victim to click the links proffered, and run the downloaded file.

Secondly, the scope of the attacks is unprecedented. It is generally accepted that the point of these attacks is to build a huge botnet for financial gain. Stock pump-and-dump scams, and even DDoS attacks, have been blamed on it. In other words, although the attacks are very basic, they have had widespread success.

A third point of interest, and the research focus for this blog, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter. For example, we consider "NFL" spam to be one instance of the Storm attack, and "ArcadeWorld" another, but we cannot by that alone make an assertion regarding their specific rate of occurrence and precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology.

Much more here.

Very, very nicely done! - ferg
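The volume-based chronology described in the quoted excerpt can be sketched in code: group gateway mail records by lure theme, then order the themes by first appearance and check whether consecutive runs overlap. This is an added illustration, not Websense's method or data; the log records and the keyword table are constructed for the example.

```python
from datetime import datetime

# Constructed sample of (timestamp, subject) pairs standing in for a mail gateway log.
# The subject texts are illustrative only, not real Storm lures.
SAMPLE_LOG = [
    ("2007-09-10 08:01", "Watch the NFL game tracker"),
    ("2007-09-10 09:15", "NFL season opener, get your tracker"),
    ("2007-09-11 07:40", "Your NFL game tracker is ready"),
    ("2007-09-12 10:05", "Play free games at ArcadeWorld"),
    ("2007-09-12 11:30", "ArcadeWorld: 1000 free games"),
    ("2007-09-12 12:00", "NFL tracker download"),
    ("2007-09-13 09:00", "ArcadeWorld has new games"),
    ("2007-09-13 14:20", "You received a new greeting card"),
    ("2007-09-14 08:45", "Greeting card from a friend"),
]

# Hypothetical lure themes: a run label and the subject keywords that mark it.
THEMES = {
    "NFL": ("nfl",),
    "ArcadeWorld": ("arcadeworld",),
    "GreetingCard": ("greeting card",),
}

def classify(subject):
    """Map a subject line to a lure theme, or None if it matches no theme."""
    s = subject.lower()
    for theme, keywords in THEMES.items():
        if any(k in s for k in keywords):
            return theme
    return None

def build_chronology(log):
    """Group messages by theme; return runs ordered by first sighting with volume and overlap flag."""
    runs = {}
    for ts, subject in log:
        theme = classify(subject)
        if theme is None:
            continue  # unclassified mail does not belong to a known run
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        r = runs.setdefault(theme, {"theme": theme, "first_seen": t, "last_seen": t,
                                    "volume": 0, "overlaps_previous": False})
        r["first_seen"] = min(r["first_seen"], t)
        r["last_seen"] = max(r["last_seen"], t)
        r["volume"] += 1
    ordered = sorted(runs.values(), key=lambda r: r["first_seen"])
    # A run overlaps its predecessor if it started before the predecessor's last message.
    for prev, cur in zip(ordered, ordered[1:]):
        cur["overlaps_previous"] = cur["first_seen"] <= prev["last_seen"]
    return ordered
```

With real gateway data the keyword table would be replaced by the observed subject templates, and the per-run volume would be bucketed per day to see the distribution rather than only the totals.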
