“Get thee to heaven, Beatrice, get thee to heaven. Hell’s no place for maids.” Beatrice wasn’t a spammer.
After the de-peering of internet provider McColo took its badness offline last year, several researchers examined the impacted spamming botnets and concluded that a few smaller operations uneffected by the de-peering were gaining momentum. The Tedroo spambot was one of those predicted to gain momentum in 2009, and made Joe Stewart’s list of 2009 botnets to watch over at Secureworks.
A group that seems to be out of Indonesia is delivering exploits from various servers around the world with the intention of downloading and executing Tedroo spambot variants. We have observed reliable pdf-based exploits attacking user systems with vulnerable third party plugins over the past couple of days. Once running on a compromised system, the Tedroo bots connect back to a server hosted in northeastern U.S or Canada, sending up the user’s ip address, a quick report of collected system information, and a task request.
The server responds to the task request with a table-based html list containing email addresses to spam and the message content to send out. The email lists contain domains from all over the world, including cancer fighting non-profits, professional training organizations, and anyone else with an accessible email address. Spoofed senders’ addresses include domains hosted throughout Indonesian ip space. The delivered content is somewhat interesting in that it abuses akamai links to sprinkle credible business logos throughout their spam that are somewhat related to the message content.
Right now, the group is including a well-known men’s magazine’s logo claiming to be from an official site in an attempt to build credibility for their spammed links and content:
These links are redirected to a site (hxxp://freshvalued(dot)com) hosting the same online Canadian pharmacy content as the Waledac spam.
As posted earlier, please take a minute to update the software on your system. ThreatFire prevents related pdf-based exploits that we have observed and Tedroo’s spamming capabilities as well.