Kelihos checks machines’ IP addresses against DNS blacklists


Role of node in a botnet dependent on whether the IP address is blacklisted.

Whenever I look at the results of the VBSpam tests, it always amazes me how large a percentage of spam is blocked because the sending IP address appears on a DNS blacklist.

It is not that I wouldn’t expect those who maintain such blacklists to do a good job: I know that they work hard to keep the lists up to date so as to block as much spam as possible. But I regularly wonder whether spammers care that most of the emails they send will be blocked by just about any blacklist in existence.

Some spammers apparently do care. In a post for the ZScaler blog, Chris Mannon analyses a recent Kelihos sample that I thought was interesting in this context.

Upon installation on a new machine, the malware queries the machine’s public IP address against a number of widely used DNS blacklists. The role the node will play in the botnet then depends on whether or not the IP address is blacklisted: only if it isn’t, will the machine be used to send spam.
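The lookup described above is an ordinary DNSBL query, which also makes it visible to defenders: a workstation asking a blacklist about its own public address is a signal worth alerting on. The following is an added example (not code from the post or from the ZScaler analysis) that builds and parses such query names and scans constructed resolver log lines for hosts checking their own egress IP; the zone list and the host-to-egress mapping are assumptions.

```python
"""Spot a host checking its own public IP against a DNS blacklist (DNSBL).

A DNSBL query reverses the IPv4 octets and prepends them to the list zone:
203.0.113.7 against zen.spamhaus.org becomes 7.113.0.203.zen.spamhaus.org.
"""
import ipaddress

# Assumed zones to watch; extend with whatever your resolver logs show.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 address (ValueError if invalid)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_dnsbl_query(qname: str):
    """Return (ip, zone) if qname is a lookup against a watched zone, else None."""
    qname = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        suffix = "." + zone
        if qname.endswith(suffix):
            labels = qname[: -len(suffix)].split(".")
            if len(labels) == 4 and all(l.isdigit() and int(l) < 256 for l in labels):
                return ".".join(reversed(labels)), zone
    return None


def flag_self_lookups(log_lines, egress_ip_by_host):
    """Return (host, ip, zone) for 'client qname' lines where a client checks its own egress IP."""
    hits = []
    for line in log_lines:
        host, qname = line.split()
        parsed = parse_dnsbl_query(qname)
        # egress_ip_by_host maps a client to the public address it leaves through (NAT aware)
        if parsed and parsed[0] == egress_ip_by_host.get(host):
            hits.append((host, parsed[0], parsed[1]))
    return hits


# Constructed resolver log: ws-17 probes its own egress address; mail-gw checks a sender.
SAMPLE_LOG = ["ws-17 7.113.0.203.zen.spamhaus.org",
              "ws-17 7.113.0.203.bl.spamcop.net",
              "mail-gw 1.2.0.192.zen.spamhaus.org",
              "ws-22 www.example.com"]
EGRESS = {"ws-17": "203.0.113.7", "ws-22": "203.0.113.7", "mail-gw": "203.0.113.9"}

if __name__ == "__main__":
    print(flag_self_lookups(SAMPLE_LOG, EGRESS))
```

A mail gateway legitimately performs these lookups for sender addresses, so the check compares the queried IP to the client's own egress address rather than flagging every DNSBL query.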

The blacklisting of IP addresses isn’t the only reason why botnet spam – especially when sent from compromised home PCs – is relatively easy to block. Sending spam only from addresses that don’t appear on blacklists won’t give the spammers a shortcut to users’ inboxes – if only because it won’t take long before these addresses end up being blacklisted too.

But it does show that cybercriminals haven’t given up on spam – and are still actively trying to find ways to get their emails delivered. As can already be seen from some interesting posts on the Malware Must Die blog, despite a number of prominent ‘shutdowns’, Kelihos is still very much alive and kicking.

Posted on 29 August 2013 by Martijn Grooten
