10/20/2006 06:30 AM
Spammers Turn the Tables Again

SpamThru trojan pirates AV software, encrypts it, then uses P2P to keep sophisticated botnet alive

This botnet means business: a spam trojan in the wild is using pirated antivirus software to clean the bots it infects, so that it keeps their CPU resources to itself for sending spam.

The so-called SpamThru trojan also uses other sophisticated techniques such as encrypting the spam message templates it sends to the bots as well as its own custom peer-to-peer protocol for communicating among botnet machines. Joe Stewart, the senior security researcher for SecureWorks who dissected the unusual trojan, says it appears to be backed by a well-financed and organized spam operation.

That theory rang true not long after Stewart went public with some of his findings: he found the spammers had locked him out of their botnet this morning. "I think the servers may have been taken down -- all the template servers are no longer answering," he says. "I don't have any evidence that the encryption key has changed, but it's possible."

The underlying trojan has been in the wild for at least several months, but its code has been updated frequently to evade detection. Iterations of the original trojan have been reported by Sophos and Secunia, for instance.

But the latest version of the trojan is chillingly complex, using pirated Kaspersky Lab AV software, P2P, and encryption. "The backend is one of the more sophisticated ones," Stewart says.

The trojan shows all the signs of an experienced, organized operation. "They've been at it for a while and have developed their software."

Jose Nazario, software and security engineer for Arbor Networks, says it's part of a trend researchers are seeing in spammers deploying more sophisticated code. "The quality of the code overall is improving," Nazario says. As for SpamThru: "This one is production-quality criminal code."

The botnet is not especially large so far, with only about 2,000 bots at this point, Stewart says. But the question is whether it is part of a larger spam initiative. SecureWorks is teaming up with spam researchers such as Spamhaus to see if SpamThru is related to the recent upswing in spam volume. "There's been rumors there's a large botnet behind" this upswing, Stewart says. "We don't know if this is related."

SpamThru sends the bots copies of a pirated, retooled version of Kaspersky Lab's AV for WinGate, which runs hidden in the background and scans them for other malware -- everything except SpamThru itself. "They figured out how to get an AV they could download easily but wouldn't erase their own code," he says; the trojan drives the scanner through the very same APIs that WinGate's proxy software uses to call Kaspersky's engine.

The user of an infected machine is unlikely to notice it, except that his or her email may be slower. The only obvious sign of infection is that the trojan automatically answers "yes" to a host-based firewall's prompts to allow executables, which the user would see flash by as popups, Stewart says. "They might see the dialog boxes appear quickly" with "yes" automatically checked.

Most spam trojans set up a proxy, get on the bot systems, and have them report back to a central controller. But SpamThru uses P2P to share information -- IP addresses, ports and software versions of the control server, template servers, and the peers -- among the botnet systems. That helps keep the botnet alive, Stewart says. If the control server gets shut down, the spammer can then update all the other systems with the location of the new control server he sets up (if he controls at least one of the peer machines).

So how does the trojan infect the bots? "We don't know how this is getting on people's systems," Stewart says. "My feeling is it's probably a Web-based thing, because if you look at the IP addresses involved, you see a lot of host names associated with spyware." That would point to a Web-based exploit such as the Windows Metafile (WMF) vulnerability, for instance.

"Its main objective is to send as much spam as it can," Stewart says. "If the bot system has other malware on it, it takes CPU and bandwidth away from their ability to send spam... So it cleans them up so it maintains all the resources to itself."
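A defender-side check built from the two traffic patterns described above, the bot-to-bot peer exchange and the bulk spam sending (an added example, not code from the article, SecureWorks, or Arbor Networks): it scans constructed flow records for internal hosts that both send SMTP to many external servers and talk to several internal peers on one high port. The thresholds and the 10/8 internal address range are assumptions.

```python
# Added example (not the article's or SecureWorks' code): flag internal hosts whose
# flows show both SpamThru behaviours, bulk outbound SMTP and bot-to-bot P2P traffic.
from collections import defaultdict

# Constructed sample flows, "src_ip dst_ip dst_port"; 10.0.0.5 acts like a bot,
# 10.0.0.9 is an ordinary workstation using the internal mail server 10.0.0.2.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 25
10.0.0.5 198.51.100.7 25
10.0.0.5 203.0.113.22 25
10.0.0.5 198.51.100.31 25
10.0.0.5 203.0.113.40 25
10.0.0.5 10.0.0.6 2000
10.0.0.5 10.0.0.7 2000
10.0.0.5 10.0.0.8 2000
10.0.0.9 10.0.0.2 25
10.0.0.9 203.0.113.10 443
"""
SMTP_PORT = 25
SMTP_DEST_THRESHOLD = 5   # distinct external MTAs (assumed tuning value)
PEER_THRESHOLD = 3        # distinct internal peers on one high port (assumed)

def is_internal(ip):
    return ip.startswith("10.")   # assumption: 10/8 is the internal range

def parse_flows(text):
    # Parse "src dst port" lines into (src, dst, int(port)) tuples.
    return [(s, d, int(p)) for s, d, p in
            (line.split() for line in text.strip().splitlines())]

def suspicious_hosts(flows, smtp_threshold=SMTP_DEST_THRESHOLD,
                     peer_threshold=PEER_THRESHOLD):
    """Return {src_ip: [reasons]} for hosts matching either behaviour."""
    smtp_dests = defaultdict(set)                  # src -> external MTAs
    peers = defaultdict(lambda: defaultdict(set))  # src -> port -> peers
    for src, dst, port in flows:
        if not is_internal(src):
            continue
        if port == SMTP_PORT and not is_internal(dst):
            smtp_dests[src].add(dst)       # workstation talking to many MTAs
        elif is_internal(dst) and port > 1024:
            peers[src][port].add(dst)      # possible bot-to-bot peer exchange
    findings = defaultdict(list)
    for src, dests in smtp_dests.items():
        if len(dests) >= smtp_threshold:
            findings[src].append("bulk smtp to %d external hosts" % len(dests))
    for src, by_port in peers.items():
        for port, hosts in by_port.items():
            if len(hosts) >= peer_threshold:
                findings[src].append("p2p on port %d with %d peers" % (port, len(hosts)))
    return dict(findings)
```

Either pattern alone produces a finding; a host that shows both, as 10.0.0.5 does here, is the strongest match for the behaviour the article describes.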

— Kelly Jackson Higgins, Senior Editor, Dark Reading
