- Worldstart's Tech Tips And Computer Help - http://www.worldstart.com -

SpamThru Trojan

Posted By On October 27, 2006 @ 2:38 PM In Security Help | Comments Disabled

SpamThru Trojan

Everything you know about viruses is about to change, because this week’s security article is about a spamming Trojan that uses Kaspersky’s [1] antivirus engine on your machine to take care of its dirty work.

As if that wasn’t enough, the virus also takes a unique approach to communicating with its master. It uses a customized P2P protocol, the kind of protocol usually known from online file sharing programs like Kazaa or Napster. Using this protocol makes the communication channels flexible: since the infected PCs all exchange information with each other, including information about the control servers, if parts of the bot network go down, it has little effect on the rest of the network.

The main purpose of the Trojan is to send out spam using as many infected PCs as possible. It’s a numbers game: the more infected PCs, the more spam the infecting entity can send out. The Trojan uses template-based spam, a process by which the infected PC downloads the spam template from the control server. Since the infected PC ultimately becomes a spam proxy for the powers that be, the template it downloads supplies the vital information for the system, such as random “From” names, Hash-Busters, a long list of e-mail addresses to send the spam to and, of course, the spam message itself.

The message body of the spam is made up of two components: the .gif image, which is basically the message, but presented as an image so as not to be blocked, and the Hash-Buster. A Hash-Buster, in case you’re not familiar with it, is a process of inserting different data into e-mails to avoid detection by anti-spyware solutions that detect static images. With the SpamThru Trojan, the Hash-Buster comes in the form of some random pixels at the bottom of the .gif message. This ultimately changes every e-mail, making every spam e-mail the infected system sends unique.

Below is a copy of one of the .gif messages used in the spam e-mail. Notice the random pixels at the bottom of the message to the right.

This is what the spam e-mail would actually look like in your Inbox.
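Why those random pixels defeat an exact-match image filter, and how a near-duplicate check copes with them, as an added Python example that is not part of the original article: it builds a toy grayscale image standing in for the .gif, overwrites the bottom rows with random pixels the way the article describes, and compares a SHA-256 of the raw pixels (different for every copy) with a block-average perceptual hash (stable across copies). The checkerboard image, the placement of the noise and the 8-bit distance threshold are constructed assumptions, not values from the article.

```python
import hashlib
import random

WIDTH, HEIGHT, BLOCK = 32, 32, 4  # toy grayscale "GIF": rows of 0..255 pixels

def render_message(invert=False):
    # Constructed stand-in for the rendered spam text: a high-contrast
    # checkerboard of BLOCKxBLOCK cells (a real image would hold glyphs).
    rows = []
    for y in range(HEIGHT):
        ink = [(x // BLOCK + y // BLOCK) % 2 == 0 for x in range(WIDTH)]
        rows.append([0 if on != invert else 255 for on in ink])
    return rows

def add_hash_buster(img, noise_rows=2, seed=0):
    # Simulates the trick the article describes: overwrite the bottom rows
    # with random pixels so every outgoing copy has a different byte stream.
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for y in range(HEIGHT - noise_rows, HEIGHT):
        out[y] = [rng.randrange(256) for _ in range(WIDTH)]
    return out

def exact_hash(img):
    # What a signature filter compares: SHA-256 of the raw pixel bytes.
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img):
    # Perceptual "average hash": one bit per BLOCKxBLOCK cell, set when the
    # cell's mean brightness is at least mid-grey (64 bits for 32x32).
    bits = []
    for by in range(0, HEIGHT, BLOCK):
        for bx in range(0, WIDTH, BLOCK):
            cell = [img[y][x] for y in range(by, by + BLOCK)
                    for x in range(bx, bx + BLOCK)]
            bits.append(1 if sum(cell) / len(cell) >= 128 else 0)
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def same_campaign(img_a, img_b, max_distance=8):
    # Near-duplicate test: same template if at most max_distance of the 64
    # perceptual bits differ. Noise confined to the bottom rows can only
    # touch the bottom row of cells, so it stays well under the threshold.
    return hamming(average_hash(img_a), average_hash(img_b)) <= max_distance
```

Two hash-busted copies of the same template get different SHA-256 values but pass `same_campaign`, while an unrelated image does not.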

There is a removal procedure you can perform with a third-party download, called Snort IDS, but I haven’t had a chance to test it yet. I will get to that and hopefully have an article for you next week.

Until then, stay safe out there!

~ Chad Stelnicki



URL to article: http://www.worldstart.com/spamthru-torjan/

URLs in this post:

[1] Kaspersky’s: http://www.kaspersky.com/