New Botnet Targeting Military Servers

Written by Sue Walsh on May 5, 2008

Researchers at BitDefender have discovered a new botnet that is trying to use military and educational servers to do its dirty work. It starts with malicious spam sent to unsuspecting users that claims to contain a link to a video. When a recipient clicks on the link, they are asked to download a media player. The “media player” is actually the Backdoor.Edunet.A trojan. The trojan then hijacks that PC and uses it to try to send spam through university and military email systems by attempting to find open relays.

It locates the servers it attacks by sending commands to a group of servers that contain a list of targets. The researchers speculate that the target list is located either on the attacker’s network or on a group of compromised servers. Since that group is constantly changed, it is difficult to pinpoint the origin of the commands.

“It’s not every day that you stumble on the workings of an honest-to-God hacking ring, let alone one that has a predilection for using military and university-run mail servers as spam relays,” declared Sorin Dudea, BitDefender’s head of AV Research. “It would be interesting to identify what, if anything, the institutions that own the targeted servers have in common.”

Not surprisingly, none of the targeted servers host any open relays, so the attacks have been in vain. Researchers say this is one of the most intricate and puzzling schemes they’ve ever come across, labeling it a scheme of “Byzantine complexity”. It will be interesting to see if it can be unravelled further. Why exactly would a hacker try to use military and educational servers to send spam? You’d think those would be the toughest to penetrate, and so far, it seems they are, as no open relays have been found. Is it the idea that .edu and .mil addresses are not likely to be blocked by spam filters, or is it simply the challenge of turning the military into spammers? Right now, only the attackers know for sure.
