Botnets pitching online casinos
Donbot – aka Bachsoy and Buzus – is known to be capable of generating an incredible volume of spam. At its height in the summer of 2009, the swarm was noted as generating around 800 million spam messages a day from around 125,000 infected PCs.
This equates to around 1.3% of global spam volumes, although some reports have noted spikes reaching the 4.0% mark.
According to David Broome, a researcher with M86 Security, Donbot’s spam deluge paused recently for 15 minutes and came back with a gambling pitch.
The pitch, he says in his latest security blog, is one his security colleagues have seen for over a year on and off in their spam traps.
“It is designed to encourage the reader to gamble money on roulette with what is presented as a winning strategy. Conveniently, a link to an online casino is provided to the user in order to use this strategy and make easy money”, he reports.
Following the link, says Broome, leads to a web splash page where clicking any button on the page – including the language flags at the top – starts a download of Casino-Online.exe.
The WHOIS information for the casino domain lists it as having been registered at namecheap.com on the 24th of May 2011.
“So, if there was any doubt to the possible legitimacy of this casino, here’s the proof that it is in fact an illegitimate operation. The domains that lead to the casino software are changing regularly and being spammed out fresh”, he said.
After downloading the Casino-Online.exe binary and scanning it through the VirusTotal test site, 4 of 42 anti-virus packages detected it as various malware executables.
“When we ran the Casino-Online.exe in our environment and set up an account, no unusual traffic was seen going out. While it may not be malware in the traditional sense, it’s certainly operating in a highly dubious fashion. We normally advise against clicking links in spam messages, so downloading and executing arbitrary executable files is a definite no-no”, he said.
The information gathered during the account creation process, he explained, is quite thorough, which is also concerning given what data could be collected and used for future spam campaigns, or sold.
“Assuming the casino isn’t rigged, the odds are still stacked in favour of the house. Despite their description of the strategy, the odds for Red/Black in roulette are not actually 50/50, instead being 48.6/48.6/2.8 – the 2.8% being for the 0 that is also on the wheel”, he observes.
This means, he goes on to say, that regardless of a bet on red or black, you have a 51.4% chance of losing the bet.
Whilst this may seem reasonable odds, he adds, it gives the casino enough of a winning margin that – given enough time they will eventually come out on top.
“Using the strategy outlined in the spam message of multiplying a bet 2.5 times after every loss, it would take only 10 losses in a row for you to have lost $6,000, and 13 losses in a row for you to have lost just shy of $100,000″, he says.
“Without an unlimited bankroll you will surely come to grief at some point”, he adds.
from http://www.infosecurity-magazine.com/view/18297/donbot-dumps-fake-av-spam-pitches-gambling-site-instead/
{ Comments on this entry are closed }
