Email pests seek clean machines for better hit rates.
Malware authors are consulting IP blacklists designed to help fight spam in a bid to avoid detection and increase inbox hit rates.
The novel abuse lets malware authors determine whether they have infected a clean machine, one whose IP address is not already flagged by the anti-spam world as a known spam source.
“This malware is interesting because it contains a hardcoded list of commonly known blacklist servers,” say Palo Alto malware men Brandon Levene and Bradon Young, who rate the attack as “unusually clever”.
“These servers are used as a means to check the infected host/zombie to determine if this infection is live and not on any of the provided blacklists.
“The blacklists checked are from all around the world and rather comprehensive, indicating the author was trying to get global coverage rather than that of a specific region.”
The malware doing these checks, branded Sarvdap, terminates if it finds the infected machine on a blacklist.
It will shut itself down if debugging software is found on infected machines, as such applications often indicate the presence of a malware researcher.
If those checks pass, Sarvdap then attempts to connect to Microsoft’s homepage to test connectivity and then links to its command and control server.
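The blacklist check described above is an ordinary DNSBL lookup: the malware reverses the octets of its public IP, prepends them to a blacklist zone, and treats any answer in 127.0.0.0/8 as "listed". The following is an added example, not code from Palo Alto or from Sarvdap, showing the lookup itself and, on the defender side, how the same lookups show up in DNS logs. The zone names, the log format and the sample log lines are assumptions for illustration; the article does not say which servers Sarvdap's hardcoded list contains.

```python
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative DNSBL zones (assumption: the article does not name the
# servers hardcoded in Sarvdap). All four are real, publicly queryable lists.
DNSBL_ZONES = [
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "b.barracudacentral.org",
    "dnsbl.sorbs.net",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IPv4 octets reversed, then the zone: 1.2.3.4 -> 4.3.2.1.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)          # rejects IPv6 and malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _live_resolve(name: str) -> Optional[str]:
    """Resolve an A record; None on NXDOMAIN or any other resolution failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str,
              resolve: Callable[[str], Optional[str]] = _live_resolve) -> bool:
    """True if the DNSBL has an entry for ip.

    A listed address gets an A record in 127.0.0.0/8 (the last octet encodes
    the reason); a clean one gets NXDOMAIN. Anything outside 127/8 is treated
    as not listed: it usually means a wildcarding resolver or a dead zone.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def listed_on(ip: str, zones: List[str] = DNSBL_ZONES,
              resolve: Callable[[str], Optional[str]] = _live_resolve) -> List[str]:
    """Zones listing ip; an empty list is the 'clean host' result the malware waits for."""
    return [z for z in zones if is_listed(ip, z, resolve)]


# Defender side: the sweep leaves a recognisable footprint in DNS query logs.
def flag_dnsbl_sweeps(log_lines: str, zones: List[str] = DNSBL_ZONES,
                      threshold: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Clients that check a single IP against `threshold` or more DNSBL zones.

    Log format (constructed for this example): "<timestamp> <client> <qname>".
    A mail server asks the lists about many different sender IPs; a host asking
    several lists about one address (typically its own public IP) is the
    behaviour described above. Returns {(client, checked_ip): zones}.
    """
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in log_lines.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                                   # blank or malformed line
        _ts, client, qname = parts
        for zone in zones:
            suffix = "." + zone
            if qname.endswith(suffix):
                labels = qname[:-len(suffix)].split(".")
                if len(labels) == 4:                   # reversed IPv4 prefix
                    seen[(client, ".".join(reversed(labels)))].add(zone)
                break
    return {key: sorted(zs) for key, zs in seen.items() if len(zs) >= threshold}


# Constructed sample log: 10.0.0.17 sweeps four lists for 1.2.3.4 and then
# fetches microsoft.com (the connectivity test); 10.0.0.42 is an MTA doing
# one lookup per sender IP and should not be flagged.
SAMPLE_DNS_LOG = """\
2016-10-03T09:14:01Z 10.0.0.17 4.3.2.1.zen.spamhaus.org
2016-10-03T09:14:01Z 10.0.0.17 4.3.2.1.bl.spamcop.net
2016-10-03T09:14:02Z 10.0.0.17 4.3.2.1.b.barracudacentral.org
2016-10-03T09:14:02Z 10.0.0.17 4.3.2.1.dnsbl.sorbs.net
2016-10-03T09:14:03Z 10.0.0.17 www.microsoft.com
2016-10-03T09:15:10Z 10.0.0.42 4.3.2.1.zen.spamhaus.org
2016-10-03T09:15:11Z 10.0.0.42 8.8.8.8.bl.spamcop.net
"""

if __name__ == "__main__":
    # Offline demo with a fake resolver: 1.2.3.4 is listed on Spamhaus only.
    fake = lambda name: "127.0.0.2" if name == "4.3.2.1.zen.spamhaus.org" else None
    print("listed on:", listed_on("1.2.3.4", resolve=fake))
    print("sweeps:", flag_dnsbl_sweeps(SAMPLE_DNS_LOG))
```

The resolver is injectable so the logic can be exercised offline; with the default resolver it performs real lookups, which is exactly the traffic a sensor on the resolver would see. On the detection side the threshold keys on one client checking one address against several lists, which separates a zombie checking itself from a legitimate mail server checking inbound senders.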
It is a tactic similar to VXers' use of multi-engine scanning services like VirusTotal to test whether their trojans will slip under anti-virus radars.
This trick is likely to spread. Malware writers constantly borrow from rivals. Authors of massive for-hire spam-focused botnets could benefit significantly by adding blacklist checks to increase spam hit rates. ®