For the past several months, a new trend has surfaced in email-borne malware. We’re seeing fewer mass-mailers; instead, we’re seeing more trojans arriving through email.
These trojans are not capable of mass-mailing themselves to a bunch of email addresses. They’re usually small programs (usually not more than 5 kB in size) that execute a secondary payload, which can download and execute a file, or just set up a backdoor. This begs the obvious question: if these trojans don’t have mass-mailing capability, then how do these critters arrive in our Inbox?
This, of course, means one thing: this malware is deliberately spammed, in massive quantities. Massively spamming malware, however, is not sustainable. A spammer cannot just continuously spam the same malware over a long period of time – it would be just plain expensive. Moreover, once AV firms pick up the sample, systems with AV will be protected within the day.
As is often observed, spam runs of these downloaders occur within just a day, or at the most, two. This gives the spammer enough time to reach a multitude of Inboxes, and just enough time before the majority of AV vendors can release signatures to detect the new critter. Of the spammed trojans captured over several months, let’s take a look at three.
TROJ_YABE.R was first intercepted late on July 4, 2006. The numbers kept piling up into the next day, after which TROJ_YABE.R was no longer seen being spammed.
Two weeks later, TROJ_DLOADER.DHX made its debut. A LOT was intercepted within the day. But, as with TROJ_YABE.R, TROJ_DLOADER.DHX was never seen again.
Just this week, another malware was heavily spammed: BKDR_HAXDOOR.IL. The spam run started very late on August 28 and peaked the next day. The day after, no more email samples with BKDR_HAXDOOR.IL were seen.
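The one-to-two-day burst described above is itself a detectable pattern on a mail gateway. The following is an added example (not code from the original post or from any vendor product) that reads constructed gateway log lines, groups messages by attachment hash, and flags any hash whose entire sighting history is both high-volume and squeezed into a 48-hour window, which is exactly the shape of the three spam runs discussed. The log format, sender names and hash values are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed mail-gateway log lines (not real data): timestamp, sender, attachment hash.
# HASH_A mimics a spammed downloader: many copies inside ~11 hours, then nothing.
# HASH_B mimics a legitimate attachment that trickles in over weeks.
LOG_LINES = [
    "2006-07-04T22:15:00 bulk1@example.net att=HASH_A",
    "2006-07-04T22:40:00 bulk2@example.net att=HASH_A",
    "2006-07-04T23:05:00 bulk3@example.net att=HASH_A",
    "2006-07-05T01:10:00 bulk4@example.net att=HASH_A",
    "2006-07-05T03:30:00 bulk5@example.net att=HASH_A",
    "2006-07-05T09:00:00 bulk6@example.net att=HASH_A",
    "2006-07-01T08:00:00 alice@example.org att=HASH_B",
    "2006-07-10T08:00:00 bob@example.org att=HASH_B",
    "2006-07-20T08:00:00 carol@example.org att=HASH_B",
]


def parse_line(line):
    """Return (timestamp, attachment hash) from one constructed log line."""
    ts, _sender, att = line.split()
    return datetime.fromisoformat(ts), att.split("=", 1)[1]


def burst_attachments(lines, window_hours=48, min_count=5):
    """Flag attachment hashes whose sightings are all inside a short window
    and whose volume is high: the one-or-two-day spam-run pattern.

    Returns {hash: {"count": n, "span_hours": h}} for each flagged hash.
    A hash seen steadily over a long period is not flagged, however many times it appears.
    """
    seen = defaultdict(list)
    for line in lines:
        ts, att = parse_line(line)
        seen[att].append(ts)

    flagged = {}
    for att, stamps in seen.items():
        stamps.sort()
        span_hours = (stamps[-1] - stamps[0]).total_seconds() / 3600
        if len(stamps) >= min_count and span_hours <= window_hours:
            flagged[att] = {"count": len(stamps), "span_hours": round(span_hours, 1)}
    return flagged


if __name__ == "__main__":
    for att, info in burst_attachments(LOG_LINES).items():
        print(f"burst: {att} seen {info['count']} times within {info['span_hours']} h")
```

On a real gateway the hash of a never-before-seen attachment crossing the count threshold inside a day is a strong cue to quarantine and submit the sample, well before a signature arrives.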
Spammed malware currently dominates the threat landscape. As the number of mass-mailers goes down, expect to see more and more spammed trojans.