Tim Ebringer, CA
In 2005 we investigated a unique and novel family of malware, generally known as the Bagle family. Bagle used several new and different techniques for expanding, controlling and exploiting a group of compromised machines for financial gain. At the time we asked the question: 'Does Bagle and its brood represent the new standard for Internet malware?'
We now believe the answer to that question is 'Yes', and in this paper we establish why. We look at several examples of successful malware today, and note that many of the features pioneered by the Bagle group are now commonplace. We also examine how these methods have evolved and developed over the past two years.
As we did with the Bagle family, we attempt to show the connections, both direct and indirect, between the development of each feature and the malware creator's overall goal. Through this process we see that the distinct focus of many of the most prevalent pieces of malware today is to facilitate the distribution of spam. We also see how malware writers have not only used malware to help them send spam, but have gone even further than Bagle, by leveraging spamming techniques to distribute malware.
In concentrating on malware whose functionality deals directly with spam, we present some of the most interesting and complex malware families of the last year, such as the Luder/Sinteri group (which gained notoriety as the 'Storm Worm'), Stration/Warezov, Boxed/Medbot and Rustock. We look in detail at some of their newest features, such as peer-to-peer communication on both public and private networks, and at why these features came about: specifically, how these developments contribute to the aim of so much malware today, that is, distributing spam.