Two Stones One Bird?

It’s not the usual maximizing of resources to achieve as many goals as possible. It’s rather the opposite: using all resources, and every possible means, to achieve one big goal – and that is to amass a lot of money!


This is probably what the creators of the STRATION and MEDBOT malware families are doing. On one hand, there’s this comeback of mass-mailers whose main purpose is simply to turn hundreds of thousands of computers into zombies that serve Image Spam. This is described in the paper, The Real Motive Behind Stration.


Meanwhile, there’s this fairly new strain of IRC bots that was released at almost the same time as the first STRATION variant, in August 2006. This is MEDBOT, an IRC bot that also infects computers with the goal of turning them into zombies that send out SPAM for the usual pharmaceutical line of ‘viagra’ and ‘cialis’. This is further described in the previous blog, WORM_MEDBOT.AI and SPAM.


Here are some snapshots of the spam mails we generated and that are being sent out from MEDBOT-infected machines to millions of target recipients:


What’s the connection you say?


Running WHOIS on the domains of the advertised ‘viagra’ sites from the MEDBOT spam emails gives us:


Domain Name: genrunkasderunkion.com
Registrant: Dima li
jungonglu1219hao
200093
Administrative Contact: Dima li


Whoa! Now does that name or alias sound familiar? Dima Li! But of course: this is one of the aliases, along with Wang Pang, used by the same registrants or admins of the domains being used by the STRATION worms. Coincidence?… Add to that the fact that both malware families appeared at almost the same time, and the assumption that these malware families are connected grows stronger. Coincidence again?… And the ultimate goal is the same – sending ‘viagra’ spam…
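The pivot described above (take the registrant and administrative contact from each domain’s WHOIS record, then look for names that recur across domains seeded by different malware families) is easy to automate. The script below is an added example and is not part of the original post or any Trend Micro tooling. It runs on constructed WHOIS text modelled on the record shown above: genrunkasderunkion.com and the names Dima Li and Wang Pang come from the post; the other domains, addresses and contact names are invented placeholders. The alias map, which merges Dima Li and Wang Pang into one registrant group as the post asserts, is likewise an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed WHOIS records (not live lookups). The first record mirrors the one in
# the post; the ".test" domains and their contacts are invented for the example.
WHOIS_RECORDS = {
    "genrunkasderunkion.com": """Domain Name: genrunkasderunkion.com
Registrant: Dima li
jungonglu1219hao
200093
Administrative Contact: Dima li
""",
    "stration-lure-example.test": """Domain Name: stration-lure-example.test
Registrant: DIMA LI
invented street 1
Administrative Contact: Wang Pang
""",
    "medbot-lure-example.test": """Domain Name: medbot-lure-example.test
Registrant: Wang Pang
invented street 2
Administrative Contact: Wang Pang
""",
    "unrelated-example.test": """Domain Name: unrelated-example.test
Registrant: Example Hosting Ltd
Administrative Contact: Hostmaster
""",
}

# Assumed alias map: the post states both names belong to the same registrant group.
KNOWN_ALIASES = {"dima li": "stration-registrant-group",
                 "wang pang": "stration-registrant-group"}

# Only the two contact fields matter for the pivot; addresses are ignored.
FIELD_RE = re.compile(r"^(Registrant|Administrative Contact)\s*:\s*(.+?)\s*$", re.M)


def normalize(name):
    """Case-fold and collapse whitespace so 'Dima li' and 'DIMA LI' compare equal."""
    return " ".join(name.lower().split())


def extract_contacts(record):
    """Return the set of normalized contact names found in one raw WHOIS text."""
    return {normalize(m.group(2)) for m in FIELD_RE.finditer(record)}


def pivot_on_contacts(records, aliases=None):
    """Map each contact (or its alias group) to the sorted list of domains it appears on."""
    aliases = aliases or {}
    index = defaultdict(set)
    for domain, text in records.items():
        for contact in extract_contacts(text):
            index[aliases.get(contact, contact)].add(domain)
    return {contact: sorted(domains) for contact, domains in index.items()}


def shared_contacts(records, aliases=None, min_domains=2):
    """Contacts that recur across at least min_domains domains: the overlap worth investigating."""
    return {contact: domains
            for contact, domains in pivot_on_contacts(records, aliases).items()
            if len(domains) >= min_domains}


if __name__ == "__main__":
    print("Raw names shared across domains:")
    for contact, domains in shared_contacts(WHOIS_RECORDS).items():
        print(f"  {contact}: {', '.join(domains)}")
    print("After merging known aliases:")
    for contact, domains in shared_contacts(WHOIS_RECORDS, KNOWN_ALIASES).items():
        print(f"  {contact}: {', '.join(domains)}")
```

Without the alias map the script only links domains that literally reuse a name; with it, every domain registered under either alias collapses into one group, which is the kind of overlap that turns two separate spam campaigns into one suspected operator.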


Take a look at the advertised site from MEDBOT:


And now take a look at the one advertised by STRATION:


Coincidence?…


And the plot thickens! Are they using more than one malware family to achieve their goal of SPAM? Are they using two, three or possibly more stones to hit the grand prize? More chances of winning, eh? More on this as we continue our investigations…