IronPort Research Discovers Links Between Malware Originators and Illegal Online Pharmaceutical Supply Chain
SAN BRUNO, CA, Jun 11 (MARKET WIRE) --
IronPort(R) Systems, a leading provider of enterprise spam, virus and spyware protection, and now part of Cisco (NASDAQ: CSCO), today announced that recent research has identified a link between originators of malware, such as Storm, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting their websites. By converting spam into high-value pharmaceutical purchases, these supply chain enterprises allow the monetization of spamming botnets, providing an enormous profit motivation for botnet attacks. In an update to its annual Internet Security Trends Report, IronPort analyzes the impact of these botnets and uncovers the true drivers of pharmacy spam and continued malware innovation.
"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."
IronPort's research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands. This spam is sent by millions of consumers' personal computers, which have been infected by the Storm worm via a multitude of sophisticated social engineering tricks and web-based exploits. Further investigation revealed that spam templates, "spamvertized" URLs, website designs, credit card processing, product fulfillment and customer support were being provided by a Russian criminal organization that operates in conjunction with Storm.
This criminal organization recruits botnet spamming partners, who receive a 40 percent commission on sales orders, to advertise its illegal pharmacy websites. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services. However, IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but not at the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors.
Details on the Storm botnet and the connection with the supply chain can be found in IronPort's special report "2008 Internet Malware Trends: Storm and the Future of Social Engineering." This report also identifies a number of ways in which malware is being used to infect host PCs to bypass security software. These methods include:
-- Webmail spam. Sophisticated bots are operating in conjunction with automated and manual Captcha-breaking processes to create large numbers of free webmail accounts. ("Captcha" stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. A common Captcha test requires someone to type a series of distorted letters and numbers to ensure that the response is not computer-generated.) After the accounts are created, the bots send out spam using these accounts, and the spam recipient observes the messages as originating from a legitimate ISP's mail servers, not from the botnet. These "theft of reputation" attacks accounted for more than 5 percent of all spam in the first quarter of 2008, up from less than 1 percent the previous quarter.
-- Google exploitation. Next-generation malware is using Google's "I'm feeling lucky" search option to channel traffic to infected sites. An estimated 1.3 percent of all Google searches return malware sites as valid results. Given the tremendous volume of searches carried out every minute, this translates into a potentially huge opportunity for malware distributors.
-- iFrame Injections. This is a redirection that happens when a user visits a website that has malicious code, such as JavaScript, embedded in it. These websites can appear to be well-known, "legitimate" websites or specifically created botsites that rank high in search engine results. The JavaScript tells the browser to fetch a file from another web server hosting the actual malicious Trojan, often through an embedded iFrame. The Trojan then installs in the background without the user's knowledge. Once installed, the Trojan can do a number of things, such as stealing passwords or system data.
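The injected-iframe pattern described above leaves a footprint a defender can look for: a frame whose source is on a different host than the page and which is styled so the visitor never sees it. The following is an added example, not code from IronPort or its report, of a small scanner for that footprint. The sample HTML and the `.invalid` hostnames are constructed, and the heuristics (off-site source combined with a zero-size frame, a hidden style, or an off-screen position) are this example's assumptions about what separates an injected frame from a legitimate embed.

```python
"""Flag hidden, off-site <iframe> tags in an HTML document (added example).

Heuristic, not a signature: an iframe is reported when its src points at a
host other than the page's own host AND it is made invisible to the visitor.
Same-origin frames and visible frames are left alone, so a normal video or
widget embed does not trigger a finding.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide a frame or push it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", value)
    return match is not None and int(match.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_suspicious_iframes(html, page_url):
    """Return a list of findings: iframes that are both off-site and hidden."""
    page_host = urlparse(page_url).hostname or ""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        # A relative src (empty host) stays on the page's own origin.
        offsite = bool(host) and host != page_host
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if offsite and reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one visible same-origin embed, two injected frames,
# and one tiny same-origin frame that should NOT be reported.
SAMPLE_HTML = """
<html><body>
<h1>Store</h1>
<iframe src="http://www.example.com/embed/player" width="640" height="360"></iframe>
<iframe src="http://malware-host.invalid/loader.html" width="0" height="0"></iframe>
<div><iframe style="display:none" src="http://another-bad.invalid/t.php"></iframe></div>
<iframe src="/local/frame.html" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "http://www.example.com/page.html"):
        print(finding["host"], finding["reasons"])
```

Run against a crawl of your own pages, this reports the two `.invalid` frames and ignores the visible embed and the 1x1 same-origin frame; in practice you would also want to compare each page against a known-good copy, since an attacker can just as easily inject a visible frame or a script tag instead.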
The botnets examined in the report are unique in that they tied spam campaigns to current events or websites of interest, using a blend of email and the web to propagate. Additionally, these decentralized and highly coordinated attacks enabled a variety of Internet assaults, from email and blog spam to phishing, instant messaging (IM) attacks and distributed denial-of-service (DDoS) attacks.
Storm malware was the first of this trend of sophisticated social engineering, affecting a cumulative 40 million computers around the world between January 2007 and February 2008, according to IronPort researchers. At its peak in July 2007, Storm accounted for more than 20 percent of all spam messages and was active on 1.4 million infected computers simultaneously. It continued to infect or reinfect about 900,000 computers per month. By September 2007, the number of simultaneously active computers generating Storm messages was reduced to 280,000 a day, and its messages accounted for 4 percent of all spam. Storm currently represents only a tiny sliver of the more than 161 billion spam messages sent every day, yet variants of Storm are still active.
In addition to assessing the damage from such social-engineering-based attacks, the report details trends that portend the future of spam and viruses and the measures that businesses should take to ensure that their networks are protected. No longer is spam just an irritation created by individuals seeking glory. Today it has morphed into organized, technically savvy, well-funded malware efforts that are comparable in scale to the business operations of legitimate software vendors. To increase efficiency and profitability, malware creators are even beginning to offer their products as complete solutions, including technical support, analytics and administration tools, and software updates. Among the recent botnet malware discoveries are Bobax, Kraken/Kracken and Srizbi.
To prevent the spread of botnets such as Storm and its successors, IronPort's report recommends that every business employ spam filtering, assess its web reputation, monitor port and communications activity, and keep all antivirus and antimalware products updated.
The full update can be found online at http://www.ironport.com/trends.
About IronPort Systems
IronPort Systems, now part of Cisco, is headquartered in San Bruno, Calif. IronPort is the leading provider of antispam, antivirus and antispyware appliances for organizations ranging from small businesses to the Global 2000. IronPort appliances utilize SenderBase(R), the world's largest email and web threat-detection network and database. IronPort products are innovative and easy-to-use, providing breakthrough performance and playing a mission-critical role in a company's network infrastructure. To learn more about IronPort products and services, please visit: http://www.ironport.com/.
Copyright 2008 Cisco Systems, Inc. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. All other trademarks are the property of Cisco Systems, Inc. or their respective owners. While every effort is made to ensure the information given is accurate, Cisco does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.
For direct RSS Feeds of all Cisco news, please visit "News@Cisco" at the following link: http://newsroom.cisco.com/dlls/rss.html
Press / Analysts
If you are a reporter or analyst and want more information on IronPort Systems, please contact:
David Oro
IronPort Systems
707.558.8585
oro@ironport.com
Copyright 2008, Market Wire, All rights reserved.