Spammers Turn the Tables Again

SpamThru trojan pirates AV software, encrypts it, then uses P2P to keep sophisticated botnet alive

This botnet means business: A spam trojan in the wild is using pirated antivirus software to clean the bots it infects to ensure it has plenty of their CPU resources to send out its spam messages.

The so-called SpamThru trojan also uses other sophisticated techniques such as encrypting the spam message templates it sends to the bots as well as its own custom peer-to-peer protocol for communicating among botnet machines. Joe Stewart, the senior security researcher for SecureWorks who dissected the unusual trojan, says it appears to be backed by a well-financed and organized spam operation.

That theory rang true not long after Stewart went public with some of his findings: He found the spammers had locked him out of their botnet this morning. "I think the servers may have been taken down -- all the template servers are no longer answering," he says. "I don't have any evidence that the encryption key has changed, but it's possible."

The underlying trojan itself has been in the wild for at least several months, but its code has been frequently updated to evade detection. Iterations of the original trojan have been reported by Sophos and Secunia, for instance.

But the latest version of the trojan is chillingly complex, using pirated Kaspersky Lab AV software, P2P, and encryption. "The backend is one of the more sophisticated ones," Stewart says.

The exploit shows all the signs of an experienced and organized operation. "They've been at it for awhile and have developed their software."

Jose Nazario, software and security engineer for Arbor Networks, says it's part of a trend researchers are seeing in spammers deploying more sophisticated code. "The quality of the code overall is improving," Nazario says. As for SpamThru: "This one is production-quality criminal code."

It's not a relatively large botnet thus far, however, with only about 2,000 bots at this point, Stewart says. But the question is whether this is part of a larger spam initiative. SecureWorks is teaming up with spam researchers such as Spamhaus to see if SpamThru is related to the recent upswing in spam volume. "There's been rumors there's a large botnet behind" this upswing, Stewart says. "We don't know if this is related."

SpamThru sends copies of pirated and retooled Kaspersky Lab AV for WinGate software to the bots and hides in the background, where it scans them for other malware -- all except SpamThru itself, that is. "They figured out how to get an AV they could download easily but wouldn't erase their own code," he says, by using the same APIs that WinGate's proxy software uses to call Kaspersky's engine.

The user of an infected machine won't likely notice it, except that his or her email may be slower. The only obvious sign of infection is that it forces a host-based firewall to automatically click "yes" to allow executables, which the user would see in popups, Stewart says. "They might see the dialog boxes appear quickly" with "yes" automatically checked.

Most spam trojans set up a proxy, get on the bot systems, and have them report back to a central controller. But SpamThru uses P2P to share information -- IP addresses, ports and software versions of the control server, template servers, and the peers -- among the botnet systems. That helps keep the botnet alive, Stewart says. If the control server gets shut down, the spammer can then update all the other systems with the location of the new control server he sets up (if he controls at least one of the peer machines).

So how does the trojan infect the bots? "We don't know how this is getting on people's systems," Stewart says. "My feeling is it's probably a Web-based thing, because if you look at the IP addresses involved, you see a lot of host names associated with spyware." That would mean a Web exploit such as Windows Metafile (WMF), for instance.

"Its main objective is to send as much spam as it can," Stewart says. "If the bot system has other malware on it, it takes CPU and bandwidth away from their ability to send spam... So it cleans them up so it maintains all the resources to itself."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
