Posted by Virus Bulletin on Aug 29, 2013
Role of node in a botnet dependent on whether the IP address is blacklisted.
Whenever I look at the results of the VBSpam tests, it always amazes me how large a percentage of spam is blocked because the sending IP address appears on a DNS blacklist.
It is not that I would expect those who maintain such blacklists to do a poor job: I know that they work hard to keep the lists up to date and block as much spam as possible. But I regularly wonder whether spammers care that most of the emails they send will be blocked by just about any blacklist in existence.
Some spammers apparently do care. In a post for the Zscaler blog, Chris Mannon analyses a recent Kelihos sample that I thought was interesting in this context.
Upon installation on a new machine, the malware queries the machine's public IP address against a number of widely used DNS blacklists. The role the node will play in the botnet then depends on whether or not the IP address is blacklisted: only if it isn't will the machine be used to send spam.
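The check described above is the same reversed-octet DNSBL lookup that a receiving mail server performs on a connecting client. The following is an added example, not code from the post or from the Kelihos sample Zscaler analysed: it builds the query name, interprets the answer, and assigns a role the way the post describes (spam only from unlisted addresses). The zone names, the IP addresses and the fake resolver are constructed for the example; real lists such as zen.spamhaus.org use the same naming convention, and the error-code band is a Spamhaus convention that other lists may not share.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed example zones (assumption: follow the usual reversed-octet scheme).
DNSBL_ZONES: List[str] = ["dnsbl.example", "bl.example"]

# Answers in 127.0.0.0/8 mean "listed"; the last octet is the list's return code.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus-specific band: query refused / open resolver / limit exceeded, not a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.5 checked against dnsbl.example -> 5.113.0.203.dnsbl.example"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: one A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip: str, zones: List[str],
                 resolve: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, str]:
    """Return {zone: return_code} for every zone that lists the IP.

    NXDOMAIN means not listed. A 127.255.255.x answer is treated as a lookup
    error rather than a listing, so a throttled resolver cannot mislabel a host.
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        code = ipaddress.ip_address(answer)
        if code in LISTED_NET and code not in ERROR_NET:
            hits[zone] = answer
    return hits


def choose_role(ip: str, zones: List[str],
                resolve: Callable[[str], Optional[str]] = resolve_a) -> str:
    """Role assignment as the post describes: only an unlisted IP sends spam.

    The post does not say what a listed node does instead, so that role is
    just labelled 'other' here (assumption).
    """
    return "other" if check_dnsbls(ip, zones, resolve) else "spam-sender"


# Constructed DNS data so the example runs offline.
FAKE_DNS: Dict[str, str] = {
    "5.113.0.203.dnsbl.example": "127.0.0.2",       # listed, return code 2
    "6.113.0.203.dnsbl.example": "127.255.255.254",  # error band, not a listing
    # 203.0.113.9 has no entry in any zone -> NXDOMAIN -> not listed
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.9"):
        print(ip, check_dnsbls(ip, DNSBL_ZONES, fake_resolve),
              choose_role(ip, DNSBL_ZONES, fake_resolve))
```

Swap `fake_resolve` for the default `resolve_a` to query a real list; when doing so, use your own resolver rather than a public one, since several lists refuse or rate-limit queries from open resolvers and answer with the error codes handled above.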
The blacklisting of IP addresses isn't the only reason why botnet spam - especially when sent from compromised home PCs - is relatively easy to block. Sending spam only from addresses that don't appear on blacklists won't give the spammers a shortcut to users' inboxes - if only because it won't take long before these addresses end up being blacklisted too.
But it does show that cybercriminals haven't given up on spam - and are still actively trying to find ways to get their emails delivered. As can already be seen from some interesting posts on the Malware Must Die blog, despite a number of prominent 'shutdowns', Kelihos is still very much alive and kicking.
Posted on 29 August 2013 by Martijn Grooten