
More on ‘Researchers Hijack Storm Worm to Track Profits’

Always good for information on the spam economy, Brian Krebs of the Washington Post has just published a truly fascinating article: Researchers Hijack Storm Worm to Track Profits.

Bottom line: a one-in-twelve-million conversion rate of spam to sales seems to be enough to keep the spam economy going.

The article covers a project by researchers at UC San Diego and UC Berkeley, who managed to infiltrate the Storm Worm bot network and take over a small portion of it.

They then redirected some of the spam payloads to fake websites which had been set up to mimic the actual websites advertised in the spam. Would-be customers would go to the fake web sites and try to order their penis pills and become another statistic for the researchers. (At which point the sale fails to go through—the researchers were fishing for statistics, not credit card info.)

All told, 350 million spams over 26 days resulted in 28 sales, for a total of just over $2700. Researchers estimate that they took over just 1.5% of the Storm Worm network, meaning that the network sends about—let’s see, carry the one—just under 900 million spam emails per day, with a revenue of just about $7000 per day.

That’s it. There’s your math. $7000/day pays for something like 20% of the total spam load we all endure, day after day. And the vast majority of it going to penis pills that don’t even work.

One more piece of math: The worm propagates as a virus mailed from victim to victim. Researchers discovered that a whopping one in ten people will click on the link and download the virus.

So what does this mean in terms of fighting spam?

Well, first of all, educating people about spam, or getting them to sign the Boulder Pledge to not buy anything advertised via spam, is hopeless. You’ll never convince everybody. If the spammers only have to reach one person in twelve million spams, then educating 99% of the people, or 99.99% of the people, or even 99.9999% of the people just isn’t enough.

In other words, Just Hit Delete won’t work.

Technological means? So far, no good. We build better filters, spammers add more entropy to their message text to bypass them. I’m sitting behind at least three good filters at home, and I’m flooded with the stuff.

Legal means? Not very effective so far, mainly thanks to CAN-SPAM, which protects spammers from almost all legal remedies. Only state governments and the very largest ISPs have been able to take legal actions against spammers, and the spammers generally make themselves judgment-proof well before it comes to that.

The Federal government can theoretically put a spammer in jail, but I’m unaware of any such cases except when other crimes such as wire fraud are involved, in which case CAN-SPAM violations are added on the side.

Other questions about this research present themselves. Such as, if the researchers could take over a small portion of Storm Worm, why can’t they take all of it over and shut it down?

Can Storm Worm be repurposed for good? Maybe launch a popup on the user’s screen when it’s installed, saying “hey dumbass what did you think you were doing when you clicked on that link?” or “are you really so stupid that you believed a Nigerian prince wanted your help laundering a vast fortune out of the country?” Sheesh.

I’ve always dreamed that someone would write a virus that takes over the victim’s system and installs all the necessary security updates. Or maybe upgrade them to Linux. It would be a public service.

Here’s a thought: credit card companies should run fake sites like this, and use it as a way to educate consumers who get caught in the net—or maybe just take their credit cards away and do us all a favor.

More seriously, I would have liked to see some effort by the researchers to track the worm to its source, but I think it’s likely that they tried without success. It’s believed that the bulk of this spam originates from Russia, where there is little or no hope of getting any real information on the spammers. Given that restriction, I think the researchers were forced to be satisfied with the information they were able to collect.

The academic paper is available from Berkeley’s International Computer Science Institute (pdf).

Update Nov 10, 2008 11:12 am PST: This morning, the BBC had a good article on the report. In it, they made one very good point: the conversion rate is so low, and the profit margin so slim, that this suggests some avenues of attack on the spammers.

As for myself, I’m not convinced. My first thought was that the old idea of charging postage for email might be worth pursuing. At a conversion rate of less than $1 per hundred thousand emails, an e-postage rate of 1/100 of a penny per email would pose no burden on ordinary consumers, but break the economic back of spam. However, I quickly dismissed this idea upon realizing that since the majority of spam is sent by ‘bots, it’s the consumers who will be paying the postage, and not the spammers. Further, the postage would be so cheap that most victims wouldn’t be charged enough money to motivate them to do something about the problem, and certainly not enough to make law enforcement—who don’t even get out of bed for anything less than grand theft—take any notice.

Is there any other way to pass the economic burden of spam—any economic burden at all?—to spammers? If there is, word of it has yet to reach my ears.

By Edward Falk, Computer professional



Maths Simon Waters  –  Nov 11, 2008 10:25 PM

If the response rate is 1 in 12.5 million and you educate half the remaining people clicking on spam the response rate will be 1 in 25 million. So whilst I agree education isn’t the answer, it is part of it. If you educated 99.99% of the remaining users spammers would be out of business.

The problem here is that tens of thousands of people will let their PC become infected and used for spamming. Botnet spam is a symptom not a root cause, if it wasn’t email spam the programs would be looking for your bank account password.

Largely this is due to old software that is poorly maintained. Having recently worked on browser detection code on one of our websites and focused on the issue of encouraging users to upgrade (because IE6 has bugs we just can no longer work around), it is depressing seeing how many XP users are still using IE6. This means they haven’t clicked the fairly prominent “Windows Update” controls in the last 4 years and 2 months (or the update mechanism no longer works - it is pretty fragile in Microsoft Windows).

Recent Windows installs ship with more of this stuff enabled by default, but the reality is that most people won’t do any maintenance on their PC (unless it stops working), so maintenance and malware protection has to “just happen” (or not be needed).

Worse yet, one of the PCs in the office didn’t work with Flash in one of our websites. Turned out it has an old (and vulnerable) version of Flash - but it had been freshly re-installed. The Microsoft mess of all the individual packages installing and maintaining themselves is madness and incredibly fragile. There needs to be central, and maintained channels to do this for all software on a machine (like most Linux distros do), where all software is packaged in similar well-defined formats, so it can be validated, identified, upgraded (and if needed uninstalled if no secure version is available - say the vendor went bust).

But that is the worst possible solution I have outlined, it requires a lot of people to change what they are doing. Worse yet, the global advantage is obtained later, whereas the immediate costs are upfront. So our best hope is probably that Windows is supplanted by a system that already does something similar.

Is Spam Profitable? David MacQuigg  –  Dec 23, 2008 7:33 PM

What I found most interesting about the Kanich article was the estimate of spammer profits after paying the crooks who run the botnets.  Using their figure of $80 cost per million spams, the cost of a 10B spam campaign would be $800K.  Using also Kanich’s figures of one sale per 12.5 million spams, and an average sale of $96, the result of the campaign would be 800 sales totaling $77K, not enough to pay the bot masters.

I suspect the $80 figure is bogus, but it would not surprise me if the only people making money are the bot masters, and spammers are actually just losers who are drawn to dishonest get-rich-quick schemes.  Campaigns to recruit spammers certainly support this hypothesis.
