Intelligent Spambot Checks Blacklists

A family of malware that Microsoft calls Sarvdap, designed to turn the computers it infects into spambots, has been modified in recent months to make it more selective about where it runs. Researchers at Palo Alto Networks in California have discovered a variant of Sarvdap, distributed by the same group that was responsible for the long-running Andromeda botnet, which exhibits behaviour not previously seen in spambot malware. The new variant is designed to avoid wasting time sending spam from computers that are unlikely to be an efficient vehicle for it.

Checking Blacklists

The way in which this particular Sarvdap variant avoids wasting its time is simple yet ingenious. The first thing it does once it has installed itself on a target computer is to create an entry in the %windir% folder, start an svchost.exe process, and attempt to reach Microsoft.com in order to establish that the machine has a live Internet connection. Having done this, it determines the computer's external IP address and queries a number of DNS-based blocklists (DNSBLs, commonly called RBLs after the original Real-time Blackhole List) to see whether that address appears on any of them. Each query is an ordinary DNS lookup: the octets of the IP address are reversed and the list's zone name is appended, and an answer in the 127.0.0.0/8 range means the address is listed. If the malware finds a match, it terminates and the computer is not used in spam campaigns. In this way, it avoids attempting to send spam from an IP address that receiving mail servers would reject anyway.

How DNS Blocklists (RBLs) Work

Commercial spam filters use RBLs to block incoming mail from IP addresses that have been identified as sources of spam. The lists are updated continuously, so an address's status may change from day to day, but the practical effect is that any malware sending email from a blacklisted IP address to computers protected by an effective spam filter is wasting its time. Once an IP address has been added to a blacklist, its user can request removal if they believe it was listed by mistake, or because it is a dynamic address that was previously assigned to a machine distributing malware or spam. However, if the same address is later found to be sending spam again, it will once more be added to the various RBLs operated around the world.
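The lookup described in the two sections above, written out as code, is an added example and not MailCleaner's software nor the malware's own code. It builds the DNSBL query name (reversed IPv4 octets, or reversed IPv6 nibbles, which goes beyond the IPv4 case in the text), queries each zone, and classifies the answer the way a careful filter should: only a code in 127.0.0.0/8 counts as a listing, answers in 127.255.255.0/24 are treated as query errors following Spamhaus' documented convention, and anything outside 127/8 (for instance a resolver that hijacks NXDOMAIN) is flagged as untrustworthy rather than fail-open. The zone names are real public DNSBLs, but the resolver is injectable and the script runs offline against a constructed answer table using RFC 5737 test addresses.

```python
"""DNSBL ("RBL") lookup with answer classification.

Added example, not MailCleaner's code and not Sarvdap's: shows the DNS query a
spam filter (or, per the text, the malware checking its own egress address)
performs against a DNS-based blocklist.  Assumptions: real zone names, but an
injected resolver and a constructed answer table so it runs offline; the
127.255.255.0/24 error codes follow Spamhaus' documented convention.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]  # query name -> A records ([] if NXDOMAIN)

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")      # a genuine listing lives here
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus: query error, not a listing


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets for IPv4, reversed nibbles
    for IPv6, then the zone.  192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Resolve via the OS stub resolver.  gaierror covers NXDOMAIN but also
    SERVFAIL and timeouts, so this fails open; a production filter should use
    a DNS library that can tell the two apart."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


@dataclass
class ZoneResult:
    zone: str
    codes: List[str] = field(default_factory=list)  # answers that mean "listed"
    error: Optional[str] = None                      # set when the answer is untrustworthy


def check_ip(ip: str, zones: List[str], resolve: Resolver = system_resolver) -> List[ZoneResult]:
    """Query every zone for `ip` and classify each answer."""
    results = []
    for zone in zones:
        res = ZoneResult(zone)
        for answer in resolve(dnsbl_name(ip, zone)):
            a = ipaddress.ip_address(answer)
            if a in ERROR_NET:
                res.error = f"DNSBL error code {answer}"
            elif a not in LISTING_NET:
                # Not a listing: typically NXDOMAIN hijacking by the resolver
                # or a wildcard zone.  Do not treat it as "listed" or "clean".
                res.error = f"unexpected answer {answer}"
            else:
                res.codes.append(answer)
        results.append(res)
    return results


def is_listed(results: List[ZoneResult]) -> bool:
    """True only on a genuine 127/8 listing code from at least one zone."""
    return any(r.codes for r in results)


# Constructed answer table standing in for live DNS (RFC 5737 test addresses).
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],        # listed
    "20.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # error code, not a listing
    "30.2.0.192.zen.spamhaus.org": ["203.0.113.5"],      # bogus non-127/8 answer
}
ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS; a missing name behaves like NXDOMAIN."""
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        results = check_ip(ip, ZONES, fake_resolver)
        print(ip, "listed" if is_listed(results) else "not listed",
              [(r.zone, r.codes, r.error) for r in results])
```

Run as is, the script reports 192.0.2.10 as listed, and the other two addresses as not listed but with an error recorded for the zone that returned an error code or a bogus answer; a filter should treat those as "unknown" rather than silently accepting the mail. The same lookup run from inside a network is also a signal in its own right: an ordinary workstation has no reason to query DNSBLs for its own public address, so such queries in internal DNS logs deserve a look.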

Avoiding Sarvdap Malware

In addition to installing an effective anti-spam solution, the simplest way to avoid infection is to delete any suspicious-looking emails that do make their way into your inbox without opening their attachments or following their links. However, if you use a quality filter, one that employs AI algorithms to identify unwanted email, you are unlikely to see spam on a regular basis.

If you are responsible for protecting the IT network at a company, educational institution, or government department, please do not hesitate to contact the MailCleaner team to request further information about our range of anti-spam products.