Original URL: http://www.theregister.co.uk/2007/01/15/stock_spam/
Spammers get bullish on stocks
Pump-and-dump pumped
Posted in Spam, 15th January 2007 10:57 GMT
A week before Christmas, Diamant Art seemingly got a holiday bonus: On 18 December, the small Canadian maker of plastic food wrap saw its sub-penny stock price triple from 0.08 cents to a peak of 0.25 cents while trading in shares of the firm skyrocketed.
Yet, the price boost was not driven by good news issued by the company but a massive unsolicited email campaign sent from a host of computers - a botnet - compromised by a difficult-to-detect Trojan horse program known as Rustock. Each computer received an image touting the stock that had been designed to foil anti-spam software and started sending out email messages with the attachment.
The activity is part of the latest internet age pump-and-dump stock scheme. The people involved typically buy stock at a low price, use a bulk email campaign to pump up prices, and then sell - or dump - the stock at the higher price. Because many companies touted by such spam are immediately suspected of involvement in the promotion, Diamant Art went on the defensive and quickly issued a press release disavowing the campaign.
"The corporation has again found itself the victim of persons or of self-proclaimed investment advisors who issue spam email (using information) they acquire...directly from public domain sources or public speculation (and) purporting to come from the Corporation," Diamant Art stated in a press release issued on the same day. (The company did not respond to requests for comment.)
Companies will likely have to keep on issuing such statements.
A year ago, stock spam made up only about five per cent of all spam email messages, according to email service provider MessageLabs. Now, stock spam is on a trajectory to become the biggest category in unsolicited email marketing, with 35 per cent or more of spam touting a stock, according to the firm.
Anti-virus firm Symantec - the owner of SecurityFocus - has also noted the trend, finding that the monthly fraction of spam dedicated to stocks varies between 20 and 40 per cent.
The increasing popularity of stock-touting spam is also notable because the total amount of spam - driven by botnet activity - is on the rise (http://www.securityfocus.com/news/11420). While a Christmas drop (http://www.securityfocus.com/brief/395) in the number of compromised PCs appears to have led to a general drop in spam volume (http://www.securityfocus.com/news/11434), the number of PCs co-opted by botnets for use in spamming operations continues to increase.
Of course, the rise of stock spam should come as no surprise.
Stock spam tends to boost prices, though the average gain is far more modest than the trebling in price for Diamant Art. Last year, two researchers studied 93 stocks (http://www.securityfocus.com/brief/180) touted by unsolicited email and found that the price increased by 1.7 per cent on average on the day the spam was first received. On the following day, the stock price dipped 0.9 per cent on average and then rose by that same amount on the second day.
Such minuscule gains are now more the rule than the exception, said John Reed Stark, chief of the Office of Internet Enforcement at the US Securities and Exchange Commission (SEC).
"Stocks do go up because of spam in some cases," Stark said. "In the early days, the price changes were more like 15 cents to $15. Now I don't see the significant price jumps that we used to see."
Yet, stock spammers are becoming more savvy about the practice. While the overwhelming majority of emails touting the stocks of specific companies are fraudulent and violate securities regulations, the spammers do at least attempt to dress up the emails in the trappings of legality.
"The spam in the early days - by which I mean the late 1990s - used to contain blatant falsehoods," Stark said. "It was very easy to prove the false statements. Now, the spammers aren't as bold in their projections and use disclosures to attempt to appear legitimate."
Moreover, the programs used to send spam are evolving as well. Pump-and-dump spam campaigns are increasingly sent by computers that have been compromised by bot software - programs that turn a victim's system into a component of a massive network that can be remotely commanded.
In the Diamant Art pump-and-dump campaign, a bot program - dubbed Rustock and flagged by anti-virus firms as the latest advanced threat - was used to compromise PCs.
In many cases, the exact means that spammers use to send out stock-touting email is unknown, but this time, south of the Canadian border in the United States, a security researcher witnessed the entire attack.
Researching the impact of bot software and Trojan horses is what Joe Stewart does.
The senior security researcher at SecureWorks has reverse engineered bot software (http://www.securityfocus.com/news/11390) and purposely infected his own systems (http://www.securityfocus.com/brief/359) to monitor what goes on in the illicit networks. When he came across a copy of Rustock, a program that drafts PCs into botnet armies, he decided to take a look into how the program was being used.
"Rustock is very advanced in the amount of stealth it uses once it is on the system," Stewart said in an interview with SecurityFocus. "When it first came out, people were warning because it was a new rootkit, but its spam features are also interesting."
Stewart found that his Rustock-infected system received spam for a single stock, that of Diamant Art. The spam message, which took the form of an email with an embedded image touting the stock, came into his compromised system on the weekend before Monday, 18 December, with a command to start the spam campaign.
Stewart researched the stock activity for the company and found that the week before, more than 11.5m shares were bought on a single day for anywhere between $0.0008 and $0.0011 a share. A normal trading day rarely saw more than a tenth of those shares change hands.
On 18 December, a Monday, the market opened to brisk trading in Diamant Art's stock, driving the price to a peak of $0.0025. If the 11.5m shares were sold at the peak for more than $28,000, the sellers may have made more than $18,000 for a single week's worth of effort.
The profit, while modest for cybercrime, underscored the appeal of stock spam, Stewart said in a blog post on the research (http://www.secureworks.com/researchcenter/weblog.html).
"I wonder if the spams touting Viagra and Rolexes have ever made that much profit so quickly for the spammers with so little effort and almost zero overhead," he wrote. "It's little wonder why stock spam is taking over."
In the second half of 2006, a program called SpamThru drove a large increase in stock spam (http://www.securityfocus.com/brief/359) using a botnet of more than 70,000 computers. There is some evidence that the same Russian spammers behind that increase are replacing the SpamThru software with the latest bot program, Rustock, according to Matt Sergeant, senior anti-spam technologist with mail service provider MessageLabs.
"Rustock seems to be one of the most popular bot programs at the moment," Sergeant said. "It probably is a successor to the earlier stock spam program, SpamThru. It is probably written by the same crew."
Rustock, which appeared in June 2006, brings together a host of features found in other malicious software, making the program difficult to detect and remove. The software has rootkit-like features, hiding itself among the components of the Windows operating system. The program also uses polymorphism, changing itself each time it infects a system in order to avoid antivirus software. Moreover, a botnet created using Rustock sends out messages with random words and an image with the actual message. Such image spam is difficult for antispam software to detect and block.
The technical knowledge exhibited by the writer of the program makes it unlikely that the person is actually committing the attack; rather, the writer is probably part of a specialised team, said David Cole, director of Symantec's Security Response team.
"The person that wrote Rustock had a deep technical knowledge of how anti-virus and anti-rootkit technology works today," Cole said. "A person with that sort of knowledge is not going to be thinking about a stock pump-and-dump scam. The whole attack probably involves multiple people."
Because the bot software does not take commands through chat rooms but uses the language of the World Wide Web, the Hypertext Transfer Protocol or HTTP, SecureWorks' Stewart could not eavesdrop on the people controlling the botnet. He could merely watch what his compromised computer downloaded and was asked to do.
While such difficulties could inhibit investigating the fraudsters behind the Diamant Art pump-and-dump scheme, stock transactions allow the US Securities and Exchange Commission (SEC) to use other methods to track down the suspects.
"The bottom line is that investigations are basically gumshoe work," said the SEC's Stark. "You track all three trails - the money trail, the trading trail, and the internet infrastructure trail - and you see where it leads."
In some cases, the best the SEC can do is block the profits from such schemes from reaching the fraudsters. In December, the regulatory agency filed a civil case (http://www.securityfocus.com/news/11431) against an alleged account intruder, charging that the person used their access to victims' PCs to liquidate assets in their portfolios and use that money to buy a targeted stock and pump up the security's price. In more than two dozen schemes, the suspected fraudsters made more than $353,000, according to the SEC.
Yet, average consumers should not look to cash in. For anyone considering investing in a stock because they get an email touting the security, Stark's advice is black and white.
"We have been very good at telling people that you shouldn't invest in a security touted by a spam," he said. "It should be treated like a flyer that you find on your windshield - either rip it up or notify us."
This article originally appeared in Security Focus (http://www.securityfocus.com/news/11435).
Copyright © 2007, SecurityFocus (http://www.securityfocus.com/)
