Trojan construction has reached the next level of sophistication with the discovery of a new Trojan-borne spambot. Dubbed “SpamThru” by SecureWorks, the Trojan has its own anti-virus scanner, which attempts to disable any other malware infecting a machine it resides in.

By neutralizing any competing malware, SpamThru is able to commandeer more of the PC’s resources for its own malicious ends.

SpamThru’s sophistication reveals the ever-growing level of professionalism among today’s hackers, says Joe Stewart, a SecureWorks senior security researcher. The spambot is built with a degree of care comparable to off-the-shelf software. The individuals who create this level of malware “treat this like a real business,” he tells eSecurityPlanet, even going so far as to provide ratings for each other’s malware.

“We don’t know how people got infected by it,” he says, though it probably wasn’t via e-mail or IM, “because that malware ends up in the mailbox of security experts and they take a look at it.”

Since that hasn’t happened, the infections were probably Web-based, occurring when a user whose browser wasn’t properly patched visited a site that hosts malicious code.

A P2P Spam Machine

SpamThru, like many of its malware brethren, is designed to send spam from an infected PC. Nothing new there.

Taking this black hat scheme a step further, SpamThru incorporates a P2P protocol to send and receive data from other machines it infects. This P2P infrastructure makes SpamThru far more hardy than stand-alone malware residing on a single machine.


Although Stewart has seen P2P used in other Trojans, it’s a new concept for a spam Trojan, he says. “Bot owners got tired of [having their network shut down] so they put in P2P capabilities.”

SpamThru’s P2P network is controlled by a central server. But – in true P2P fashion – even if this control server goes down, the network lives on. Each node shares the IP address and key information about the control software with other nodes. As long as the hacker can access one peer, they can create a new controller.

Based on Stewart’s research, a SpamThru network typically contains one control server, a handful of template servers (which are needed to generate the spam) and approximately 500 peers per port. Apparently the number of peers each port can command is limited by the substantial overhead created by sharing information between hosts.

Earlier P2P networks driven by malware did not have a single controller like this one, Stewart says, noting that P2P “is difficult to make work” in the context of malware.

In the future, however, “P2P will be used again and again [in malware] because it’s such a good idea,” in a black hat kind of way.

Includes Anti-Virus Software

Many Trojans and viruses attempt to disable an infected machine’s anti-virus software, but SpamThru does this in a particularly ingenious way.

When it boots up, SpamThru loads a DLL from the control server. The DLL then downloads a pirated version of Kaspersky AntiVirus for WinGate from the P2P network’s control server to a concealed directory on the infected PC.

The Kaspersky software scours the machine for malware. But SpamThru’s author has programmed this pirated anti-virus app to skip SpamThru’s code, Stewart says. Any viruses or other malware not part of SpamThru are “set up to be deleted by Windows at the next reboot,” he writes in his research.

Time to Spam!

Once SpamThru has established itself and “cleaned” an infected machine of competing malware, it begins its true mission: sending blizzards of spam.

Every SpamThru node on the P2P network has its own spam engine. Each node downloads a template complete with the spurious e-mail message (sometimes a stock pump-and-dump scheme), a multitude of “from” names, and a long list of e-mail addresses.

Lest a third party attempt to download one of the templates, an AES-based challenge-response authentication wall stands in the way – SpamThru doesn’t like to share with anyone.

The size of the SpamThru network is still modest, estimated to be a couple thousand nodes at this point.

“Overall, detection by AV vendors is sparse, but that's to be expected given that SpamThru is a money-making operation, and the author takes great care to make sure that detection by the major vendors is avoided by frequently updating the code,” writes Stewart.