

10/20/2006 06:30 AM

Spammers Turn the Tables Again

SpamThru trojan pirates AV software, encrypts it, then uses P2P to keep sophisticated botnet alive

This botnet means business: A spam trojan in the wild is using pirated antivirus software to clean the bots it infects to ensure it has plenty of their CPU resources to send out its spam messages.

The so-called SpamThru trojan also uses other sophisticated techniques such as encrypting the spam message templates it sends to the bots as well as its own custom peer-to-peer protocol for communicating among botnet machines. Joe Stewart, the senior security researcher for SecureWorks who dissected the unusual trojan, says it appears to be backed by a well-financed and organized spam operation.

That theory rang true not long after Stewart went public with some of his findings: He found the spammers had locked him out of their botnet this morning. "I think the servers may have been taken down -- all the template servers are no longer answering," he says. "I don't have any evidence that the encryption key has changed, but it's possible."

The underlying trojan itself has been in the wild for at least several months, but its code has been updated frequently to evade detection. Earlier iterations of the trojan have been reported by Sophos and Secunia, for instance.

But the latest version of the trojan is chillingly complex, using pirated Kaspersky Lab AV software, P2P, and encryption. "The backend is one of the more sophisticated ones," Stewart says.

The trojan shows all the signs of an experienced and organized operation, Stewart says. "They've been at it for awhile and have developed their software."

Jose Nazario, software and security engineer for Arbor Networks, says it's part of a trend researchers are seeing in spammers deploying more sophisticated code. "The quality of the code overall is improving," Nazario says. As for SpamThru: "This one is production-quality criminal code."

It's not a large botnet thus far, however, with only about 2,000 bots at this point, Stewart says. But the question is whether this is part of a larger spam initiative. SecureWorks is teaming up with spam researchers such as Spamhaus to see if SpamThru is related to the recent upswing in spam volume. "There's been rumors there's a large botnet behind" this upswing, Stewart says. "We don't know if this is related."

SpamThru sends copies of a pirated and retooled Kaspersky Lab AV for WinGate engine to the bots, where it runs hidden in the background and scans them for other malware -- everything except SpamThru itself, that is. "They figured out how to get an AV they could download easily but wouldn't erase their own code," he says. The trojan drives the scanner through the same APIs that WinGate's proxy software uses to call Kaspersky's engine.

The user of an infected machine won't likely notice it, except that his or her email may be slower. The only obvious sign of infection is that the trojan forces a host-based firewall to automatically click "yes" to allow its executables, which the user would see in popups, Stewart says. "They might see the dialog boxes appear quickly" with "yes" automatically checked.

Most spam trojans set up a proxy, get on the bot systems, and have them report back to a central controller. But SpamThru uses P2P to share information -- IP addresses, ports and software versions of the control server, template servers, and the peers -- among the botnet systems. That helps keep the botnet alive, Stewart says. If the control server gets shut down, the spammer can then update all the other systems with the location of the new control server he sets up (if he controls at least one of the peer machines).

So how does the trojan infect the bots? "We don't know how this is getting on people's systems," Stewart says. "My feeling is it's probably a Web-based thing, because if you look at the IP addresses involved, you see a lot of hostnames associated with spyware." That would mean a Web exploit such as Windows Metafile (WMF), for instance.

"Its main objective is to send as much spam as it can," Stewart says. "If the bot system has other malware on it, it takes CPU and bandwidth away from their ability to send spam... So it cleans them up so it maintains all the resources to itself."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
