Anatomy of a Spam Virus

Written by Carl E. Reid on September 15, 2008

A botnet created by a trojan virus is sometimes referred to as SpamThru.

According to the Don’t Bounce Spam organization, spammers have become very sophisticated in the way they manage their botnets , and the SpamThru Trojan is the leading example. In at least one case the botnet consisted of over 73,000 computers.

SpamThru operates by using a peer-to-peer configuration, but all bots report to a central control server. The bots are separated into different server ports, depending on which variant of the trojan is installed. The bots are further segmented into peer groups of no more than 512 bots. This keeps the exposure overhead involved in exchanging information about other peer connections to a minimum. The SpamThru controller keeps statistics on the country of origin of all bots in the botnet.  The SpamThru controller also keeps statistics on what version of Windows each infected client is running, down to the service pack level.  The SpamThru bot also has the capability to scan the system for other malware on a system.  Imagine the intelligence of people who take the time to develop this type of sophisticated software, which is used for a very foolish purpose.

SpamThru uses a few registry keys to keep its hold on the system. It uses the classic HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun key in order to launch at startup, but also tries to start from HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler and SOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad, just in case the Run key is removed.

The SpamThru spammer has general lists of millions of email addresses. The SpamThru bot remote-control mechanism is designed to harvest email addresses from hard drives of infected systems. This gives the spammer a powerful advantage of being to reach individuals who never published their email address on the Internet or have given it out only to people they know.

With this type of botnet spammers are to develop targeted email address  lists. They accomplish this by hacking into smaller investment news websites and other ecommerce sites. Then the spammers downloading the customer database.

Armed with this information, administrators must be ever vigilant in protecting our email user community from our spammer foes.  It coninues to be an never ending battle.

About Carl E. Reid

Developing his career from the mail room to the board room, Carl E. Reid has achieved success by skillfully blending 40 years of technology and business intelligence experience with his passion for helping companies succeed. Carl is founder and CEO of NetTECH Systems Reid & Associates, Inc., an emerging technology consulting company located in the New York City area. One of his specialties is 15 years as a collaboration and email infrastructure consultant. He has implemented and supported Lotus Notes/Domino and other types of SMTP gateway/network configurations in small to large global companies up to 33,000 employees. Some of his clients have included IBM, Citi, JPMChase, Oxygen, LVMH - Moet Hennessy, MeadWestvaco, non-profits and professional organizations. Carl is a Savvy Business Owner, Public Speaker and Author. His articles have appeared in Network World, Computer Monthly magazines and hundreds of web sites. Combining business technology consulting with professional blogging, Carl specializes in advising clients how to best leverage the Internet as a tool for high impact visibility. Carl's speaking style combines humor with expertise, and his advice is always down-to-earth and practical. He personally publishes Library of Congress recognized newsletter blog, http://www.SavvyIntrapreneur.com and http://www.iTechSpeak.com. Carl wrote the original "Professional Blogger Job Description", being used as standard document within companies. As a business career coach, Carl teaches professionals how to run their career as a profitable business.

Comments

antivirus September 26, 2008

is this a new virus which is going to hit

  • (required)
  • (required)