
Some of my past few "Threat Thursdays" have been devoted to the threat botnets pose (Threat Thursday: Botnet Service Providers?) and to the measures law enforcement has been taking to investigate and prosecute the people who control these botnets (Threat Thursday: FBI Reports Progress Battling Botnets). Well, I ran across a good post on The Register that provides an interesting description of a recently identified botnet and how it works.
According to the post, "a small blizzard of spam" was sent about six weeks ago promoting Ron Paul, the Republican underdog candidate for president. Joe Stewart, an employee of SecureWorks, a leading Managed Security Services Provider, investigated the incident:
"he uncovered new information about "Reactor Mailer," the sophisticated piece of spamware used by Ukrainians to send the Ron Paul messages to more than 162 million addresses.
Now in its third version, Reactor is a piece of software written in the Python language that runs on a botnet's command and control server. It operates off the software-as-a-service model made popular by legitimate companies such as Salesforce.com and offers some powerful features. To wit, it comes integrated with SpamAssassin, to make it easier for spammers to evade filters."
Stewart reported that botnets created by the Trojan.Srizbi work seamlessly with Reactor Mailer through the use of templates which "gave the spam engine spewing out the Ron Paul emails the capacity to send more than 200 million emails in a single day, far more than would be possible through more traditional proxy-based methods of sending spam."
When Stewart obtained a copy of Reactor and logged into it, "he found a list of saved tasks that included one titled RonP_3 belonging to a spammer calling himself nenastnyj. The console had about 3,000 zombies under its command and included a 3.4GB file containing more than 162 million addresses and a feedback mechanism so the spammer would know when emails were rejected."
He never discovered why nenastnyj, or any Ukrainians, were such big fans of Ron Paul, and I seriously doubt that Ron Paul's campaign paid for this type of advertising. There is a very good forensic report on this incident on the SecureWorks site if you would like more details. So, I'll reiterate the importance of keeping your systems secure and ensuring you have up-to-date security software.