Tuesday 23 January 2007

Pump'n'Dump: It's all About the Timing, Baby

Funny guy: What's the secret of great comedy?
Straight man: I don't know, what is the secret of gr...
Funny guy: Timing.

And timing is also the secret to profitable stock-kiting. In my previous post, I quoted Symantec's Amado Hidalgo, who hinted that the Trojan writers appeared to be working to a deadline. Presumably it was a deadline imposed by their stock-kiting scam-masters.

I'm guessing from the date of the blog post that the "burst of almost 1,800 emails" that Hidalgo talks about would have been over the weekend, or certainly before the markets opened on Monday.

Yes, timing is everything when encouraging fools to part with their cash. The botnet needs to be ready to spew out its quota of kiting come-ons at what the scammers calculate is just the right moment:

  • Too soon, and they risk clever day-traders buying in on the upswing and cashing out before the scammers do, thus reducing the ill-gotten profits

  • Too late, and the regulators might take an interest in the scammers' unusual transactions, before the scammers have had a chance to cash out and launder the profit

Not only that, but the spam needs to be sent in as short a time as possible -- in one, concentrated burst. If it's too spread out, the scammers can suffer either or both of the problems above. I conclude that this is why we're seeing these new botnets send a load of messages quickly, then fall silent -- as opposed to dribbling out fewer over a longer period.

This new strategy risks quicker discovery, but there seems to be no end to virus writers' ingenuity in infecting new victims' PCs.
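That burst-then-silence pattern is also what makes these infections easy to spot from the network side. As an added illustration (not code from this post, and not Symantec's), here is a sliding-window counter that flags any host whose outbound SMTP connections inside five minutes look like the 1,800-in-five-minutes burst quoted from Hidalgo; the log format and the IP addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed outbound-connection records, "<ISO time> <src ip> <dst port>".
    One host mimics the quoted pattern: ~1,800 SMTP connections in five minutes
    and then nothing; another sends ordinary occasional mail."""
    base = datetime(2007, 1, 20, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=i / 6)).isoformat()} 10.0.0.7 25"
             for i in range(1800)]                      # 6 per second for 300 s
    lines += [f"{(base + timedelta(minutes=10 * i)).isoformat()} 10.0.0.9 25"
              for i in range(12)]                        # one every ten minutes
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.7 80"
              for i in range(50)]                        # web traffic, ignored
    return lines

def parse(lines):
    for line in lines:
        ts, src, port = line.split()
        yield datetime.fromisoformat(ts), src, int(port)

def find_smtp_bursts(lines, window=timedelta(minutes=5), threshold=200):
    """Return {src: peak count} for every host whose outbound port-25
    connections inside any sliding window of `window` reach `threshold`.
    Tracking the peak rather than the first hit separates a short,
    concentrated burst from a slow dribble that never gets near it."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for ts, src, port in sorted(parse(lines)):
        if port != 25:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop connections older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(src, 0):
            peaks[src] = len(q)
    return peaks

if __name__ == "__main__":
    for host, peak in find_smtp_bursts(build_sample_log()).items():
        print(f"{host}: {peak} outbound SMTP connections inside 5 minutes")
```

On the constructed data only 10.0.0.7 is reported, with a peak of 1800; the threshold and window are parameters so the same counter can be tuned to a site's normal outbound mail volume.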

Pump'n'Dump Spam Botnets: New Malware

This post is a quick overview of the latest happenings in the world of stock-kiting botnet malware. The key news is a nasty new derivative in the CME-711 family of Trojan Horses (AKA Trojan.Peacomm, TROJ_SMALL.EDW, Small.DAM, Downloader-BAI, Troj/Dorf-Fam).

In case you've been living in a cave for months, stock-kiting spam (AKA pump'n'dump spam) is a major part of most people's inbound spam right now. Most of it's being sent by botnets (networks of malware-infected PCs).

The Trojan uses a simple-yet-effective social engineering technique to fool unwary recipients into opening an executable. It promises video of Saddam Hussein, European storms, Chinese missiles, or other breaking news, designed to make people put their critical faculties to one side (assuming they had any in the first place).

Symantec's Amado Hidalgo has an in-depth writeup of how the Trojan builds a botnet. Money quotes:

The bot ... has fully fledged rootkit capabilities, albeit not very sophisticated. It would appear that the malware writers were in a rush to get the new version out as quickly as possible and some functionality of the rootkit has not been implemented correctly ... So, what is the purpose of all this renewed activity, you ask? The primary goal is to create a botnet that sends tons and tons of penny stock spam.
We saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped.

In my next post, I'll talk about how timing is all-important, when running a stock-kiting scam.