Anti-Georgia spammers building new botnet

By Robert McMillan, IDG News Service | Security, cyber-attacks, Georgia

Hackers targeting Georgia in the midst of its conflict with Russia have started sending out a new batch of malicious spam messages, apparently with the aim of building a new botnet, a network of remote-controlled computers.

The poorly worded messages started going out early Friday morning, and now make up close to five percent of the spam traffic measured by the University of Alabama at Birmingham's Spam Data Mine, according to Gary Warner, a director of computer research and forensics at the university. That's about a third of the volume of the CNN- and MSNBC-related spam that has been flooding inboxes this week, but it's still significant, he said.

With headlines like "Mikheil Saakashvili gay scandal! New of this week!" the stories try to trick victims into clicking on a fake BBC story about the president of Georgia. When the victim clicks on the link, however, he is taken to a malicious Web server that then tries to infect his computer.

Disturbingly, the attack code used by this Web server is not blocked by most antivirus products, Warner said. In tests, his team found that only four out of the 36 antivirus products featured in the VirusTotal malware testing service spotted the code.

So far, Warner's team has tracked the messages back to 44 spam-sending computers, none of which has previously been associated with junk e-mail. Interestingly, six of these computers are located in Russia, which is rarely a direct source of spam, and one of them lies within the Russian Ministry of Education.
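The tracking described above, attributing a spam run to its sending hosts and collecting the lure URLs, can be reproduced on a small scale from raw messages. The script below is an added example, not code from the article or from UAB's Spam Data Mine: it takes the originating IP from the last Received header (the hop closest to the sender), counts unique senders among messages whose subject matches the lure, and harvests the links in their bodies. The three sample messages, the subject pattern, and all IPs and URLs are constructed for the example.

```python
import email
import re
from email.message import Message

# Subject pattern for this particular lure; constructed for the example.
LURE_SUBJECT = re.compile(r"saakashvili", re.IGNORECASE)
# Bracketed IPv4 literal as MTAs write it into Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample messages (not real captures). IPs are from
# documentation ranges; domains are placeholders.
SAMPLES = [
    b"""Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.org with ESMTP id abc123; Fri, 15 Aug 2008 06:12:01 +0000
Received: from [198.51.100.7] (helo=user-pc)
    by mx1.example.net with SMTP; Fri, 15 Aug 2008 06:11:58 +0000
From: news@bbc.example
To: victim@example.org
Subject: Mikheil Saakashvili gay scandal! New of this week!

Read the full story: http://bbc.example/story.php?id=1
""",
    b"""Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.org with ESMTP id abc124; Fri, 15 Aug 2008 06:20:40 +0000
Received: from [203.0.113.44] (helo=home-pc)
    by mx1.example.net with SMTP; Fri, 15 Aug 2008 06:20:37 +0000
From: news@bbc.example
To: victim2@example.org
Subject: Saakashvili scandal! New of this week!

Full story: http://bbc.example/story.php?id=2
""",
    b"""Received: from [192.0.2.55] (helo=newsletter)
    by mail.example.org with ESMTP id abc125; Fri, 15 Aug 2008 06:30:00 +0000
From: list@example.com
To: victim@example.org
Subject: Weekly newsletter

Nothing to see here: http://example.com/news
""",
]


def originating_ip(msg: Message):
    """IP literal from the last Received header, i.e. the hop that first
    accepted the message. Only trust it as far as you trust the relay that
    wrote that header; anything below your own MTAs' headers can be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(received[-1])
    return match.group(1) if match else None


def body_text(msg: Message) -> str:
    """Decoded text of a single-part message (multipart is flattened)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw_messages, subject_re=LURE_SUBJECT):
    """Return (sender_counts, lure_urls) for messages matching the lure subject."""
    sender_counts = {}
    urls = set()
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        if not subject_re.search(msg.get("Subject", "")):
            continue
        ip = originating_ip(msg)
        sender_counts[ip] = sender_counts.get(ip, 0) + 1
        urls.update(URL_RE.findall(body_text(msg)))
    return sender_counts, sorted(urls)


if __name__ == "__main__":
    senders, links = triage(SAMPLES)
    print("unique sending hosts:", len(senders))
    for ip, n in senders.items():
        print(f"  {ip}: {n} message(s)")
    print("lure URLs:", links)
```

The unrelated newsletter is skipped by the subject filter, so the run reports two sending hosts and two lure URLs. On real traffic the IP list is what you would check against existing spam-source reputation data, and the URL list is what you would submit for blocking or to a scanner such as VirusTotal.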

Although the spammers seem to be setting up a botnet, the ultimate use of this network remains unclear. Warner speculated that it could be used to launch further cyber-attacks against Georgian government computers.

Symantec has identified the malicious software as a variant of the Trojan.Blusod program, said Kevin Haley, director of product management with Symantec Security Response. In the past, spammers have used this program to install fake antivirus software on victims' computers, which then falsely identifies problems and offers to clean them up for a fee, he said.

Warner disputed Symantec's analysis, noting that Symantec itself was not detecting the Trojan program, according to VirusTotal. "This is new malware," he said.

The question of whether Georgia and Russia are engaging in state-sponsored cyber-warfare has been a matter of some debate, following the eruption of hostilities between the two countries on Aug. 7.

On Monday, Georgia moved its Ministry of Foreign Affairs Web site to Google's Blogspot, claiming that a Russian cyberattack had knocked its server offline.

Security experts say that while the recent Georgian cyber-attacks are more intense than those launched a year ago against Estonia, there is no evidence that either event was actually state-sponsored cyber-warfare.

Some have likened those events to a "cyber brawl," with nationalistic Russian hackers launching spontaneous computer attacks against neighboring Estonia.

"I think it's almost exactly what we saw back in Estonia," Warner said of the recent events in Georgia. "I really doubt this is any action by the Russian government."
