

VIRUS ALERTS

Spamthru Trojan/Botnet

Original issue date: November 06, 2006
Updated on: December 01, 2006

Spamthru is a Trojan horse that has been observed to carry functionality beyond that of a conventional Trojan, including a keylogger, a proxy and a backdoor.

Spamthru has its own spam engine. It downloads spam templates from the remote control server, together with randomised From: names and phrases, and sends the resulting messages to a list of e-mail addresses. The templates embed a GIF image whose size is modified each time spam is sent, so that the image does not yield a stable signature for anti-spam solutions to match on.

It uses a peer-to-peer (P2P) network for its command and control (C&C) mechanism and shares its port, IP address and other information with the other peers and with the control server.

It has been observed that infected machines are gradually being organised into a botnet that is used to send spam. Such a bot network could also be directed to other malicious activities.

Spamthru uses the following registry autostart locations to execute itself at system startup:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
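The following PowerShell script is added here as an example and is not part of the original advisory or of the SecureWorks analysis it draws on. It enumerates the three autostart locations listed above and reports entries whose image is missing from disk, lives outside the Windows and Program Files directories, or does not carry a valid Authenticode signature. Those three checks are the script's own triage heuristics, not indicators published for Spamthru, and a sample planted inside %SystemRoot% would pass the directory check and be caught only by the signature check. The script assumes the two Explorer keys hold CLSIDs, which it resolves through HKCR\CLSID\{guid}\InProcServer32 to find the DLL that is actually loaded.

```powershell
# Added example (not from the CERT-In advisory): audit the three autostart
# locations named above. Run from an elevated PowerShell prompt on the host
# under investigation. The trusted-directory list and the signature check
# are this script's own heuristics, not indicators published for Spamthru.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$clsidKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# Directories from which legitimately installed binaries are expected to load.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
# Properties the registry provider adds to every Get-ItemProperty result.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-ImagePath {
    # Reduce a command line such as  "C:\dir\app.exe" /arg  to the file path.
    param([string]$Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($v, '^(.+?\.(exe|dll))',
        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if ($m.Success) { return $m.Groups[1].Value }
    return $v
}

function Test-Suspicious {
    # Returns a reason string for an entry worth a closer look, or $null if it passes.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing on disk' }
    $inTrusted = $trustedRoots | Where-Object {
        $Path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
    if (-not $inTrusted) { return 'outside Windows/Program Files' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "not validly signed ($($sig.Status))" }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Name, [string]$Image, [string]$Reason) {
    $findings.Add([pscustomobject]@{
        Location = $Location; Name = $Name; Image = $Image; Reason = $Reason })
}

# 1. Run key: every value is a command line executed at logon.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($providerMeta -contains $p.Name) { continue }
        $img = Resolve-ImagePath ([string]$p.Value)
        $why = Test-Suspicious $img
        if ($why) { Add-Finding $runKey $p.Name $img $why }
    }
}

# 2. Explorer keys: entries are CLSIDs that the shell loads as in-process DLLs.
#    SharedTaskScheduler stores the CLSID as the value name and
#    ShellServiceObjectDelayLoad stores it as the value data, so accept either.
foreach ($key in $clsidKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($providerMeta -contains $p.Name) { continue }
        $clsid  = if ($p.Name -match '^\{') { $p.Name } else { [string]$p.Value }
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $srv    = Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue
        if (-not $srv) { Add-Finding $key $p.Name $clsid 'CLSID has no InProcServer32'; continue }
        $img = Resolve-ImagePath ([string]$srv.'(default)')
        $why = Test-Suspicious $img
        if ($why) { Add-Finding $key $p.Name $img $why }
    }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit from this script is a lead, not a verdict: unsigned third-party software in Program Files is common on older Windows installs, so compare any flagged image against a known-good copy or a vendor hash before treating it as the Spamthru component.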

Additionally, Spamthru uses a pirated copy of the Kaspersky Antivirus for WinGate engine to remove competing malware from the infected system. At startup, Spamthru requests and loads a DLL from the control server; this DLL in turn downloads the antivirus engine from the control server into a concealed directory on the infected system.


Users are advised to implement the following countermeasures:

  • Keep anti-virus signatures up to date.
  • Maintain an anti-spam solution at the gateway level.
  • Apply appropriate security updates to the operating system and to applications such as web browsers.
  • Keep anti-spyware software up to date.
  • Block access at the perimeter to 65.19.154.94, which has been identified as a C&C server.

References

http://www.secureworks.com/analysis/spamthru/
http://www.secureworks.com/research/threats/spamthru-stats/
http://www.eweek.com/article2/0,1895,2034680,00.asp
http://www.scmagazine.com/uk/news/article/600066/spamthru-trojan-uses-p2p-anti-virus-solutions-wipe-competitors-spread-spam/

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003