Davey Winder's Blog

Botnet spam tricks are bad for business

By Davey Winder in Editorial

Posted in Spam on October 22, 2006 at 3:29 pm


Look out folks, the SpamThru Trojan, which has been out in the wild for some months, has just got even more dangerous, or so my security vendor research lab insiders tell me, and it was already one mean mother. The latest version of the thing has all the trappings of being backed by one of the better-funded criminal gangs; it is no script-kiddie concoction, that is for sure, despite being based on an already existing exploit.

Indeed, it uses pirated copies of Kaspersky Lab AV software to clean the bots that it infects, ridding them of competing infections that would otherwise consume the CPU resources it wants total ownership of. One really cannot help but have just the slightest tinge of admiration for the pond-life that come up with these things, purely from the devious-use-of-technology perspective, of course. These guys figured out that by using the same API as is embedded within the WinGate proxy software, they could get the Kaspersky software to do their dirty work for them. The code being developed now is not your typical back-bedroom spotty oik stuff of a few years back, but of a quality right up there with that of games developers, application software developers and the like. Indeed, one has to suspect that talented coders are making the conscious decision to take the dark-development route, most likely spurred on by a hefty financial incentive.

Indeed, SpamThru is so clever that it actually encrypts all the spam message templates that it distributes to the bot network, and even uses a fully custom P2P protocol for inter-bot communication. This lets it avoid the problem that some spam botnets encounter when a central control server is knocked out of play: SpamThru can simply and quickly update all bots with new control server details over the P2P network.

So should you be worried? You betcha. Ignore the small size of the botnet as it currently stands, which I am led to believe is between 2000 and 3000 bots; it is the technology being used that concerns me and should concern you. Add to this the fact that some researchers are pointing to links between these small botnets and a much larger controlling botnet in the background. Spam is big business that is bad for your business, that is the bottom line. But it is the smaller business that is more likely to be infected, as enterprise-level protection should kick SpamThru out of the field before it could do any damage. By clicking through host-based firewalls' ‘allow executable’ dialog boxes itself, the giveaway being that they appear only briefly on-screen with the yes box already ticked, the Trojan can get on with the job all but unnoticed.

And unnoticed also applies to the original infection method in this case. Nobody I have spoken to seems to know for sure how the infection is spread, although the smart money is on a web exploit, of course. One thing I do know is that the payload, unlike the delivery mechanism, is highly predictable: spam, spam, spam…
