Analysis of an Active Malware Campaign

Sébastien Goutal

March 12, 2012

A major malware campaign has been under way for several weeks. Beyond the facts themselves, it is the operating mode that draws our attention, as it demonstrates the growing sophistication of spammers. Following the example of fast-flux service networks, spammers have set up a mechanism to increase the availability of the resources involved in spreading the malware, which ultimately maximizes their return on investment.

For this purpose the spammer has a pool of hacked servers and a single server hosting the malware. The spam contains, classically, a link to a document hosted on a hacked server:

This document contains several references to the same script, which itself is hosted on several hacked servers:

The spammer's trick consists in fetching a single resource from many different servers. This is the concept of "high availability": every hacked server must be identified and cleaned before the resource is no longer reachable. Finally, the script contains a JavaScript redirect:

This redirect will load the malware, which is hosted on a server that probably belongs to the spammer.

All other spam messages of this campaign proceed in the same way: they contain a link to a document hosted by a server in the pool of hacked servers, and that document in turn loads the redirection script from multiple servers in the same pool. The spammer thus has an optimal mesh: to defeat it, either every hacked server must be fixed or the site hosting the malware must be shut down.
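As an added example (not code from the original post), the following Python sketch shows how an analyst can enumerate that mesh from captured artifacts alone: the hosts the spam-linked document pulls its script from, plus the redirect target inside the script, give the full list of servers to clean or shut down. The document, script body and hostnames below are constructed placeholders, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the document linked from the spam: the same script
# referenced on several compromised hosts (placeholder hostnames).
SAMPLE_DOCUMENT = """
<html><body>
<script src="http://hacked-a.example/js/load.js"></script>
<script src="http://hacked-b.example/js/load.js"></script>
<script src="http://hacked-c.example/js/load.js"></script>
</body></html>
"""

# Constructed body of that script: a JavaScript redirect to the malware host.
SAMPLE_SCRIPT = 'window.location = "http://payload-host.example/dl/setup.exe";'


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_hosts(document):
    """Distinct hosts the document loads its script from, in document order."""
    parser = _ScriptSrcParser()
    parser.feed(document)
    hosts = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# Matches assignments such as window.location = "..." or document.location.href = '...'.
_REDIRECT = re.compile(r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


def redirect_target(script):
    """URL a JavaScript location assignment redirects to, or None if there is none."""
    match = _REDIRECT.search(script)
    return match.group(1) if match else None


def takedown_list(document_url, document, script):
    """Hosts to fix (hacked servers) and to shut down (malware host) to break the mesh."""
    hacked = [urlparse(document_url).hostname]
    hacked += [h for h in script_hosts(document) if h not in hacked]
    target = redirect_target(script)
    return {"hacked_servers": hacked,
            "malware_host": urlparse(target).hostname if target else None}
```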

I hope you enjoyed this analysis of an active malware campaign.

Sébastien GOUTAL 
Filter Lab Manager