NEWS FROM THE LAB - Thursday, January 18, 2007

Commercial-grade redundant client-server backend systems - for SPAM

Posted by Mikko @ 13:53 GMT

Oh man, there's a lot of spam out there nowadays.

No wonder, too.

The Warezov gang is using variants of Warezov and Medbot/Horst to send out medication and replica spam. The Rustock gang is using Mailbot.AZ and variants to send out stock spam. The Warezov gang is apparently operating from China and the Rustock boys from Russia.

For more background info, read the "Connecting the Warezov domain dots" entry posted two months ago.

Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.

The server addresses keep changing. Last week, seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 Gigabytes of e-mail addresses from this server.


Another good example of the client-server architecture is the service running at http://seeky.zootseek.com/d/body.html. This URL serves randomized HTML templates for different spam mails.

The URL is live at the moment of this posting. If you access it and reload the page, you'll get a different spam template every time (but do visit it at your own risk).


And by the way, you might want to block access to all hosts under the domain medbod.com (as it is used by Medbot to download updated bot code).