  Botnet spam tricks are bad for business
Posted 30-Nov-2006, 10:55 PM by Admin (Administrator)


Look out folks, the SpamThru Trojan, which has been out in the wild for some months, has just got even more dangerous, or so my security vendor research lab insiders tell me, and it was already one mean mother. The latest version of the thing has all the trappings of being backed by one of the better-funded criminal gangs; it is no script kit concoction, that is for sure, despite it being based on an already existing exploit.
Indeed, it uses pirated copies of Kaspersky Lab AV software to clean the bots that it infects and so get rid of competing infections that would otherwise use CPU resources that it wants total ownership of. One really cannot help but have just the slightest tinge of admiration for the pond-life that come up with these things, purely from the devious use of technology perspective of course. These guys figured out that by using the same API as embedded within the WinGate proxy software they could get Kaspersky software to do their dirty work for them. The code being developed now is not your typical back bedroom spotty oik stuff of a few years back, but of a quality right up there with games developers, application software developers and the like. Indeed, one has to suspect that talented coders are making the conscious decision to take the dark-development route, most likely spurred on by a hefty financial incentive.
Indeed, SpamThru is so clever that it actually encrypts all the spam message templates that it distributes to the bot network, and even uses a fully custom P2P protocol for inter-bot machine communication. This allows it to avoid the problem that some spam botnets encounter when a central control server is knocked out of play. SpamThru can simply and quickly update all bots with new control server details using the P2P network.
So should you be worried? You betcha. Ignore the small size of the botnet as it stands currently, which I am led to believe is between 2000 and 3000 bots; it is the technology being used that concerns me and should concern you. This, plus the fact that some researchers are pointing to links between these small botnets and a much larger controlling botnet in the background. Spam is big business that is bad for your business; that is the bottom line. But it is likely to be the smaller business that is infected, as enterprise-level protection should kick SpamThru out of the field before it could do any damage. By forcing host-based firewalls to click through ‘allow executables’ dialog boxes, the giveaway being they appear only briefly on-screen with the yes box already ticked, the Trojan can get on with the job all but unnoticed.
And unnoticed also applies to the original infection methodology in this case. Nobody I have spoken to seems to know for sure how the infection is spread, although the clever money is on a web exploit of course. One thing I do know is that the payload, unlike the delivery mechanism, is highly predictable: spam, spam, spam...