In an earlier analysis, we revealed a botnet created by a trojan sometimes called SpamThru. By working with the anti-spam group SpamHaus and the ISP, we were able to receive access to files from the SpamThru control server. We have analyzed the files, and in this report we will look at some of the statistics and interesting finds. SpamThru operates in a limited peer-to-peer capacity, but all bots report to a central control server. The bots are segmented into different server ports, determined by which variant of the trojan is installed. The bots are further segmented into peer groups of no more than 512 bots, keeping the overhead involved in exchanging information about other peers to a minimum. In the following graph, the total count as recorded by the control server is shown for each control port.

In the chart below, we can see the number of connections each control port received each day from the bots. The 2236 and 2238 variants gained a great deal more infected users than any of the other variants, sometimes bringing up to 3 million connections to the control server a day. Frequent connections are necessary to ensure that the information about the other peers is not stale, making it easier to recover in case the control server goes down.

The link for this article located at Secure Works is no longer available.