Latest Threat: The Medbot Menace

TROJ_STRAT.GN, WORM_STRAT.GN, and MEDBOT are malware variations that perform spamming tasks. They infect PCs, go to designated URLs to download an email template, and then send out image spam (spam email with images embedded in the body of the email) to other targets, infecting more and more PCs and turning them into zombies or bots that send out as much spam as possible.

“It’s all about the money,” said Trend Micro Senior Threat Analyst and Researcher Ivan Macalintal.

“MEDBOT, like the majority of recent threats, is geared towards one motive—making money. And they achieve that by creating as many drones or zombies as possible, and having them send out image spam.”

Arriving in a spam email containing images selling pharmaceuticals, such as Viagra and Cialis, MEDBOT is a malware package composed of a Trojan downloader, a copy of the Trojan, and a worm. The worm drops the downloader to the shared folders, while the hidden copy acts as a backup in case the main Trojan is removed from the system.

Once the system is infected, the Trojan downloader connects to several URLs and downloads updated copies of the malware package. It may also download variants and other malicious files. This not only infects computers with the most recent variants, but also lets the malware improve itself by replacing earlier versions with updated ones. The downloader Trojan may therefore receive updated routines such as network propagation or new backdoors. This reflects the increasing sophistication of malware and its growing effort to remain hidden from detection.

“MEDBOT is in essence hitting two birds with one stone: proliferating as much image spam as possible to ensure the group behind it has control of more infected zombies, and in turn proliferating more image spam,” said Macalintal.

The group “spamvertises” its business of selling Viagra or Cialis. It targets male insecurity, and it works because people do buy from them. It is also quite an economical means of marketing and selling their product.

Infection attacks usually come via Internet Relay Chat (IRC). When a bot connects to the commonly used IRC port 6667, it can be found and shut down by security companies such as Trend Micro.

MEDBOT differs slightly from other common malware. It uses Web IRC to connect to the IRC server and then waits for commands via a private message, which lets remote users send commands with less risk. This ability to let other users send commands suggests that MEDBOT is available for rent.
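The two paragraphs above describe how a spam bot gives itself away to defenders: a command channel on IRC port 6667, followed by the infected host pumping out mail. The following detector, an added example that is not part of the original article or of any Trend Micro product, flags hosts that show both behaviours in a connection log. The log format, the sample lines, the SMTP port 25 check and the burst threshold are all assumptions made for the example.

```python
"""Flag hosts whose connection log shows IRC beaconing on TCP 6667 followed
by a burst of outbound SMTP, the pattern of a spam-sending zombie.
Log format is constructed for this example: timestamp,src_ip,dst_ip,dst_port,proto
"""
from collections import defaultdict

IRC_PORT = 6667    # default IRC port named in the article
SMTP_PORT = 25     # outbound mail; an ordinary desktop rarely needs this directly
SMTP_BURST = 20    # distinct mail servers contacted before we call it a burst

# Constructed sample log: 10.0.0.5 behaves like a zombie, 10.0.0.9 is benign.
SAMPLE_LOG = (
    "2007-02-01T09:00:01,10.0.0.5,198.51.100.7,6667,tcp\n"
    "2007-02-01T09:00:05,10.0.0.9,203.0.113.4,443,tcp\n"
    + "".join(f"2007-02-01T09:01:{i:02d},10.0.0.5,192.0.2.{i},25,tcp\n"
              for i in range(25))
    + "2007-02-01T09:02:00,10.0.0.9,192.0.2.99,25,tcp\n"
)


def parse_log(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        _, src, dst, port, _ = parts
        try:
            yield src, dst, int(port)
        except ValueError:
            continue


def find_spam_zombies(text):
    """Return {src_ip: reason} for hosts showing both indicators."""
    irc_hosts = set()
    smtp_targets = defaultdict(set)   # src -> distinct SMTP destinations
    for src, dst, port in parse_log(text):
        if port == IRC_PORT:
            irc_hosts.add(src)
        elif port == SMTP_PORT:
            smtp_targets[src].add(dst)
    findings = {}
    for src in sorted(irc_hosts):
        n = len(smtp_targets.get(src, ()))
        if n >= SMTP_BURST:
            findings[src] = f"IRC on {IRC_PORT} and SMTP to {n} distinct hosts"
    return findings


if __name__ == "__main__":
    for host, why in find_spam_zombies(SAMPLE_LOG).items():
        print(host, why)
```

A host that only talks IRC, or only sends a little mail, is not flagged; the combination is what marks a zombie, and the threshold is where a site tunes its own false-positive rate.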

STRAT and MEDBOT connect to URLs that are registered by the same entity. There is likely only one group working behind these bots; possibly “Wang Pang” or “Bai Ming”, a group from China deemed responsible for the spam. The names are well known to those in spam forums and domain/URL abuse networks and services.

Macalintal has found an “.exe” email template for the spam they use. From the same URL the group also gathers its email addresses. Spam messages are then sent to over 20 million email addresses gathered from that URL. The list includes hundreds of thousands of addresses at major ISPs, government bodies, and high-profile enterprise customers.

Based on data from the Trend Micro spam collection, 30 percent of spam messages consist of image spam. Image spam is a trend that the company expects to see increase in 2007.