
Attacks/Breaches

10/20/2006 06:30 AM

Spammers Turn the Tables Again

SpamThru trojan pirates AV software, encrypts it, then uses P2P to keep sophisticated botnet alive

This botnet means business: A spam trojan in the wild is using pirated antivirus software to clean the bots it infects to ensure it has plenty of their CPU resources to send out its spam messages.

The so-called SpamThru trojan also uses other sophisticated techniques such as encrypting the spam message templates it sends to the bots as well as its own custom peer-to-peer protocol for communicating among botnet machines. Joe Stewart, the senior security researcher for SecureWorks who dissected the unusual trojan, says it appears to be backed by a well-financed and organized spam operation.

That theory rang true not long after Stewart went public with some of his findings: He found the spammers had locked him out of their botnet this morning. "I think the servers may have been taken down -- all the template servers are no longer answering," he says. "I don't have any evidence that the encryption key has changed, but it's possible."

The underlying trojan itself has been out in the wild for at least several months or longer, but its code has been frequently updated to evade detection. Iterations of the original trojan have been reported by Sophos and Secunia, for instance.

But the latest version of the trojan is chillingly complex, using pirated Kaspersky Lab AV software, P2P, and encryption. "The backend is one of the more sophisticated ones," Stewart says.

The trojan shows all the signs of an experienced and organized operation. "They've been at it for a while and have developed their software."

Jose Nazario, software and security engineer for Arbor Networks, says it's part of a trend researchers are seeing in spammers deploying more sophisticated code. "The quality of the code overall is improving," Nazario says. As for SpamThru: "This one is production-quality criminal code."

It's not a relatively large botnet thus far, however, with only about 2,000 bots at this point, Stewart says. But the question is whether this is part of a larger spam initiative. SecureWorks is teaming up with spam researchers such as Spamhaus to see if SpamThru is related to the recent upswing in spam volume. "There's been rumors there's a large botnet behind" this upswing, Stewart says. "We don't know if this is related."

SpamThru sends copies of pirated and retooled Kaspersky Lab AV for WinGate software to the bots and hides it in the background, where it scans them for other malware -- everything except SpamThru itself, that is. "They figured out how to get an AV they could download easily but wouldn't erase their own code," he says, by using the same APIs that WinGate's proxy software uses to call Kaspersky's engine.

The user of an infected machine won't likely notice it, except that his or her email may be slower. The only obvious sign of infection is it forces a host-based firewall to automatically click "yes" to allow executables, which the user would see in popups, Stewart says. "They might see the dialog boxes appear quickly" with "yes" automatically checked.

Most spam trojans set up a proxy, get on the bot systems, and have them report back to a central controller. But SpamThru uses P2P to share information -- IP addresses, ports and software versions of the control server, template servers, and the peers -- among the botnet systems. That helps keep the botnet alive, Stewart says. If the control server gets shut down, the spammer can then update all the other systems with the location of the new control server he sets up (if he controls at least one of the peer machines).

So how does the trojan infect the bots? "We don't know how this is getting on people's systems," Stewart says. "My feeling is it's probably a Web-based thing, because if you look at the IP addresses involved, you see a lot of host names associated with spyware." That would mean a Web exploit such as the Windows Metafile (WMF) vulnerability, for instance.

"Its main objective is to send as much spam as it can," Stewart says. "If the bot system has other malware on it, it takes CPU and bandwidth away from their ability to send spam... So it cleans them up so it maintains all the resources to itself."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
