Edunet Trojan Facilitates Spamming via E-Mail Servers of University & Military Institutions
Researchers at BitDefender, a security company based in Romania, on April 30, 2008, have revealed a spam distribution technique of "Byzantine complexity" that uses university and military e-mail servers to push out junk e-mail.
BitDefender's discovery follows the company's detection of spam mails containing enticing video links. Recipients who follow the links in order to watch the video are instead directed to download a "media program" that is actually a backdoor Trojan called Backdoor.Edunet.A. This Trojan effectively uses the victim's system as a means to command and control a list of e-mail servers.
BitDefender researchers also revealed that the Trojan acts as a proxy mass mailer with a backdoor feature to retrieve configuration details from the attacker. Interestingly, the malware attempts to establish connections with a large number of Simple Mail Transfer Protocol (SMTP) servers hosted by military centers and universities across the world.
According to an Internet post by BitDefender, the Edunet Trojan builds a botnet through which spam is sent via a series of e-mail servers. These servers are primarily in the .mil and .edu domains.
BitDefender's head of anti-virus research, Sorin Dudea, said that one rarely comes across a well-intentioned hacker, not to mention one who has a propensity for using university- and military-run e-mail servers to relay spam, as reported by SCmagazine on May 2, 2008.
Sorin added that it would also be interesting to determine the common aspects that might be there among the establishments that own these targeted e-mail servers.
BitDefender researchers also say that the Trojan relays its commands in the hope of coming across an open relay, an e-mail server misconfiguration that lets the server forward mail from any sender to any recipient and so allows spammers to camouflage their real sources. As a result, any message originating from the Edunet Trojan appears to have been sent by the open relay itself.
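To make the open-relay misconfiguration concrete from the mail administrator's side, here is an added illustration (not code from the article, BitDefender, or the Trojan) of a minimal SMTP relay-policy decision. The local domain, trusted network, sample sessions and the detection threshold are all constructed for the example; the point is that a closed relay only forwards mail for authenticated or internal users, while an open relay forwards for anyone, which is exactly what lets an outside source hide behind the server's identity.

```python
"""Added illustration (not from the article or BitDefender): a minimal SMTP
relay-policy check showing why an open relay lets third parties send mail
that appears to originate from the relaying server. Domains, networks and
sample sessions below are constructed for the example."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    client_ip: str       # connecting host
    authenticated: bool  # did SMTP AUTH succeed?
    mail_from: str
    rcpt_to: str


# Assumed: the domain this server accepts inbound mail for, and its internal net.
LOCAL_DOMAINS = {"example.edu"}
TRUSTED_NETS = ("10.0.",)


def domain_of(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(s: Session, open_relay: bool = False) -> str:
    """Decide the response to RCPT TO. An open relay accepts any recipient."""
    if domain_of(s.rcpt_to) in LOCAL_DOMAINS:
        return "accept"        # inbound mail for local users is always delivered
    if open_relay:
        return "accept"        # misconfiguration: relay for anyone, to anywhere
    if s.authenticated or s.client_ip.startswith(TRUSTED_NETS):
        return "accept"        # outbound mail from the site's own users
    return "reject"            # e.g. "554 Relay access denied"


def unauthorised_relays(sessions, open_relay: bool) -> list:
    """Sessions relayed under the given config that a closed relay would reject."""
    return [s for s in sessions
            if relay_decision(s, open_relay) == "accept"
            and relay_decision(s, open_relay=False) == "reject"]


def suspicious_clients(sessions, min_domains: int = 3) -> dict:
    """Detection heuristic: unauthenticated external clients that pushed mail
    to many distinct foreign recipient domains, the pattern a spam relay leaves."""
    seen = defaultdict(set)
    for s in sessions:
        if s.authenticated or s.client_ip.startswith(TRUSTED_NETS):
            continue
        if domain_of(s.rcpt_to) not in LOCAL_DOMAINS:
            seen[s.client_ip].add(domain_of(s.rcpt_to))
    return {ip: len(d) for ip, d in seen.items() if len(d) >= min_domains}


# Constructed sample sessions: one internal user, one inbound message, and an
# external host trying to push mail through the server to three other domains.
SAMPLE = [
    Session("10.0.0.5", True, "alice@example.edu", "bob@partner.org"),
    Session("192.0.2.44", False, "x@example.net", "bob@example.edu"),
    Session("198.51.100.7", False, "promo@example.net", "u1@mail-a.test"),
    Session("198.51.100.7", False, "promo@example.net", "u2@mail-b.test"),
    Session("198.51.100.7", False, "promo@example.net", "u3@mail-c.test"),
]

if __name__ == "__main__":
    for cfg in (False, True):
        bad = unauthorised_relays(SAMPLE, cfg)
        print(f"open_relay={cfg}: {len(bad)} message(s) relayed for outsiders")
    print("suspicious clients:", suspicious_clients(SAMPLE))
```

Run stand-alone, the script reports zero outsider relays with the closed policy and three with the open one, and the detection heuristic flags the external host that fanned out to three foreign domains; real mail servers express the same policy in their relay restrictions and expose the same evidence in their logs.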
In addition, the Trojan retrieves the list of e-mail servers from a group of computers that are either compromised on their own or part of a botnet under the attacker's control. While the number of Web-connected computers keeps changing, the servers that have been targeted so far have remained constant.
» SPAMfighter News - 07-05-2008