Everything you know about viruses is about to change, because this week’s security article is about a spamming Trojan that marches to the beat of a different drummer. The SpamThru Trojan, as they are calling the new threat on the block, not only eliminates other malware on your system, but uses P2P technology in order to communicate with its master, among other things.
The virus is very elusive with hardly any current anti spyware catching it, thanks to the few subtle registry entries it creates in order to stay concealed. The malware was created by a company for money making spam distribution and they have gone to great lengths to keep the whole infection a secret to you and your system. Not only is the SpamThru Trojan elusive, but it also takes the whole process even further by eliminating all other malware on your system. That’s right, this Trojan wants to be the sole infection on your system and it’s able to do this by installing a pirated copy of Kaspersky’s  antivirus engine on your machine to take care of its dirty work.
As if that wasn’t enough, the virus also takes a unique approach to communicating with its master. It uses customized P2P protocol, which is usually known for its online file sharing programs, like Kazaa or Napster. Using this protocol makes the communication channels flexible and since PCs all exchange information with each other, including the control servers information, if parts of the bot network can go, it will have little effect on the rest of the network.
The main purpose of the Trojan is to send out spam using as many infected PCs as possible. It’s a numbers game. The more infected PCs, the more spam the infecting entity can send out. The Trojan uses Template Based Spam, which is a process by which the infected PC downloads the spam template from the control server. Since the infected PC ultimately becomes spam proxy for the powers that be, the template it downloads sets up vital information for the system, such as random “From” names, Hash-Busters, a long list of e-mail addresses to send the spam to and of course, the spam message itself.
The message body of the spam is made up of two components: the .gif image, which is basically a message, but presented in an image so as not to be blocked and the Hash-Buster. A Hash-Buster, in case you’re not familiar with it, is a process of inserting different data into e-mails to avoid detection from anti spyware solutions that detect static images. With the SpamThru Trojan, the Hash-Buster comes in the form of some random pixels at the bottom of the .gif message. This then ultimately changes every e-mail, making every spam e-mail the infected system sends, unique.
Below is a copy of one of the .gif messages used in the spam e-mail. Notice the random pixels at the bottom of the message to the right.
This is what the spam e-mail would actually look like in your Inbox.
There is a removal procedure you can perform with a third party download, called Snort IDS, but I haven’t had a chance to test it yet. I will get to that and hopefully have an article for you next week.
Until then, stay safe out there!
~ Chad Stelnicki