
Attacks/Breaches

10/20/2006 06:30 AM

Spammers Turn the Tables Again

SpamThru trojan pirates AV software, encrypts it, then uses P2P to keep sophisticated botnet alive

This botnet means business: A spam trojan in the wild is using pirated antivirus software to clean the bots it infects to ensure it has plenty of their CPU resources to send out its spam messages.

The so-called SpamThru trojan also uses other sophisticated techniques such as encrypting the spam message templates it sends to the bots as well as its own custom peer-to-peer protocol for communicating among botnet machines. Joe Stewart, the senior security researcher for SecureWorks who dissected the unusual trojan, says it appears to be backed by a well-financed and organized spam operation.

That theory rang true not long after Stewart went public with some of his findings: He found the spammers had locked him out of their botnet this morning. "I think the servers may have been taken down -- all the template servers are no longer answering," he says. "I don't have any evidence that the encryption key has changed, but it's possible."

The underlying trojan itself has been in the wild for at least several months, but its code has been updated frequently to evade detection. Iterations of the original trojan have been reported by Sophos and Secunia, for instance.

But the latest version of the trojan is chillingly complex, using pirated Kaspersky Lab AV software, P2P, and encryption. "The backend is one of the more sophisticated ones," Stewart says.

The operation shows all the signs of an experienced and organized group. "They've been at it for a while and have developed their software."

Jose Nazario, software and security engineer for Arbor Networks, says it's part of a trend researchers are seeing in spammers deploying more sophisticated code. "The quality of the code overall is improving," Nazario says. As for SpamThru: "This one is production-quality criminal code."

It's not a particularly large botnet thus far, with only about 2,000 bots at this point, Stewart says. But the question is whether this is part of a larger spam initiative. SecureWorks is teaming up with spam researchers such as Spamhaus to see if SpamThru is related to the recent upswing in spam volume. "There have been rumors there's a large botnet behind" this upswing, Stewart says. "We don't know if this is related."

SpamThru sends copies of pirated and retooled Kaspersky Lab AV for WinGate software to the bots, where it hides in the background and scans them for other malware -- all but SpamThru itself, that is. "They figured out how to get an AV they could download easily but wouldn't erase their own code," he says. The trojan drives the scanner through the same APIs that WinGate's proxy software uses to call Kaspersky's engine.

The user of an infected machine won't likely notice it, except that his or her email may be slower. The only obvious sign of infection is that the trojan forces a host-based firewall to automatically answer "yes" to its prompts to allow executables, which the user would see as popups, Stewart says. "They might see the dialog boxes appear quickly" with "yes" automatically checked.

Most spam trojans set up a proxy, get on the bot systems, and have them report back to a central controller. But SpamThru uses P2P to share information -- IP addresses, ports and software versions of the control server, template servers, and the peers -- among the botnet systems. That helps keep the botnet alive, Stewart says. If the control server gets shut down, the spammer can then update all the other systems with the location of the new control server he sets up (if he controls at least one of the peer machines).

So how does the trojan infect the bots? "We don't know how this is getting on people's systems," Stewart says. "My feeling is it's probably a Web-based thing, because if you look at the IP addresses involved, you see a lot of host names associated with spyware." That would mean a Web exploit such as the Windows Metafile (WMF) vulnerability, for instance.

"Its main objective is to send as much spam as it can," Stewart says. "If the bot system has other malware on it, it takes CPU and bandwidth away from their ability to send spam... So it cleans them up so it maintains all the resources to itself."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
