Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Sarvdap Spambot Checks IP Blacklists

The Sarvdap spambot was recently observed checking the IP addresses of infected hosts against common blacklists, in an attempt to ensure that its spam email is successfully delivered, Palo Alto Networks security researchers reveal.

The Sarvdap spambot was recently observed checking the IP addresses of infected hosts against common blacklists, in an attempt to ensure that its spam email is successfully delivered, Palo Alto Networks security researchers reveal.

While other spambots typically start sending spam emails as soon as a host has been infected, Sarvdap first checks to see whether the IP isn’t on a blacklist, and shuts itself down if it is. Commonly downloaded by the Andromeda botnet, the spambot has been used to deliver pharmaceutical spam and to distribute the main Andromeda bot to more targets.

After initial execution, Sarvdap drops a copy of itself into the %windir% folder, launches a new svchost.exe process, and then initializes itself by allocating memory. Next, the malware injects the main bot code into this process, checks the system for a debugger to ensure it isn’t being analyzed, and creates the mutex “Start_Main_JSM_complete”.

Next, the malware checks the Internet connection by attempting to connect to www.microsoft.com and, if the check passes, it starts enumerating multiple blacklist feeds to verify the host IP’s reputation status. In the event that the IP isn’t blacklisted, the malware starts beaconing to the hardcoded command and control (C&C) server over TCP port 2352. Should the host be blacklisted, the malware terminates itself.

If the C&C is online and the Real-time Blackhole List (RBL) checks are passed, a configuration file is downloaded. However, because the server was offline during analysis, the security researchers couldn’t determine what exactly the configuration contained.

The most interesting capability of Sarvdap, researchers say, is present within the original code: a hardcoded list of commonly known blacklist servers. Because the referenced blacklists are from all around the world, the Palo Alto Networks researchers concluded that the spambot’s author was looking for global coverage rather than focusing on a specific region.

“Phishing emails remain a highly prevalent threat for enterprise, government and home users. For-hire, large-scale spam focused botnets continue to churn out hundreds of thousands of messages a day from compromised hosts. Sarvdap is particularly interesting not due to its scale, but rather due to its attempts to increase overall spam delivery by abusing reputation blacklists,” the security researchers note.

Using blacklist functions isn’t a novel technique when it comes to malware, though most malicious programs use them to evade detection. While many pieces of malware blacklist only the most popular anti-malware solutions or sandboxes out there, there are some that pack extensive lists of programs and websites to be avoided, such as the Furtim malware.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.