informa
3 min read
article

Malware Pair Boosts Bots

The infamous Warezov/Stration and SpamThru are behind the latest mega-surge in spam and botnet activity, according to MessageLabs

Two cagey bits of malware are behind a recent dramatic surge in spam and botnet activity, researchers say.

The Trojan downloader virus Warezov (a.k.a. Stration) and the SpamThru Trojan, have been major drivers in a 70 percent increase in spam detected by MessageLabs, according to a new report issued by the company today.

The Warezov/Stration virus, which drops an aggressive spam trojan, has gained attention of late due to its ability to rapidly spread variants of itself, thereby keeping the antivirus vendors on their toes. (See Mutating Email Bugs Swarm.) And SpamThru has awed researchers with its bold attributes -- using pirated antivirus software to clean bots it infects to ensure they get plenty of CPU resources to send out its spam, and keeping its botnet alive and kicking by using peer-to-peer communications among the bots. (See Spammers Turn the Tables Again.)

MessageLabs caught over 900,000 copies of Warezov within a 24-hour period last month, when multiple batches of the virus were released, each with different variants in an attempt to evade detection.

Spam traffic rose 8.5 percent from September, according to MessageLabs' Intelligence Report for October 2006, released today. Much of that is due to the use of the more sophisticated and wily Warezov and SpamThru malware, says Paul Wood, senior analyst at MessageLabs.

Although spammers are utilizing the more sophisticated code, it's unclear whether they are actually using Warezov and SpamThru in combination, Wood says. That would be a deadly alliance, he says. "Warezov is downloading spam, but it could be downloading SpamThru."

Joe Stewart, a senior security researcher for SecureWorks who has been closely tracking SpamThru for some time and made some interesting discoveries after recently dissecting the code, says SpamThru's proliferation is impressive. "We were able to get a fairly accurate count of the botnet's overall size, at around 60,000 infected hosts," Stewart says. "That's a lot of capacity for sending spam."

SpamThru indeed is a factor in the upswing of spam and botnets, but it's not the only malware responsible for the increase, says Jose Nazario, software and security engineer for Arbor Networks. "There's all different kinds of spam being generated here, and we've seen a massive uptick in the last couple of months."

Unlike traditional methods of spamming, where each botnet sends out spam emails one at a time, SpamThru uses templates that lets them send millions of emails from a single bot-infected computer, MessageLabs' Wood says. "The template approach is the equivalent to a mail merge."

Wood says MessageLabs found that phishing traffic, meanwhile, remained mostly unchanged since September. "There was a rush in phishing in September," he says. "But it hasn't changed much since then. It's stabilized at the moment."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • MessageLabs Ltd.
  • SecureWorks Inc.
  • Arbor Networks Inc.