New trojan peddles porn while you work

Spammers based in Russia are using stealth and a sophisticated new trojan program to turn home workstations into unwitting hosts in a pornography and spam distribution ring, according to security experts.

The deceptive and potentially illegal practice came to the attention of experts in late June and has been a topic of conversation among spam fighters on Internet discussion groups since then, according to Joe Stewart, senior intrusion analyst with LURHQ Corp., a Chicago-based managed security services company.

Experts observed that one spammer who was sending out spam e-mail pointing to spoofed PayPal Web sites and Russian pornography sites appeared to be able to change the addresses of his Web sites every few minutes, according to Richard Smith, an Internet security and privacy consultant based in Boston.

Smith stumbled upon the problem in early July while investigating e-mail messages pointing to a phony PayPal Inc. site that was being used to harvest personal financial information from customers of the online payment service.

After reporting the address of the site that he believed was the source of the phony Web site to the ISP (Internet service provider) responsible for that address, Smith was surprised to see the same Web domain associated with a different Internet address belonging to a different ISP a few minutes later, and still another address a few minutes after that.

"I said, 'Whoa! That's interesting'," Smith recalled.

After writing a program to monitor the Web sites associated with the pornography and bogus PayPal domains, Smith collected the IP addresses of hundreds of computers being used as hosts for the illicit content, each for only a few minutes at a time.

The trick lies in a sophisticated trojan program placed on the remote systems and used by the spammer, according to Stewart, who obtained a copy of the program from an infected system belonging to an employee of one of LURHQ's enterprise customers.

The program, which Stewart dubbed "migmaf," acts as both a proxy server for spam and a reverse proxy server for a master Web server serving the spoofed and pornographic content, Stewart said.

Domain names and e-mail addresses for the pornography sites point to Russia as the source, Smith said.

In its capacity as a proxy server, the trojan forwards outgoing spam from its source to the intended recipient, replacing the source address with its own IP (Internet Protocol) address and covering the spammer's tracks.

As a reverse proxy server, the trojan receives requests from spam recipients who, for example, click on a link to a pornographic Web site, and passes that along to the master Web server. That server responds with the requested Web page and sends that content along to the compromised computer, which then serves it to the requesting machine, Stewart said.

Users never know where the content they're receiving is really coming from, and the Web site's owners are shielded from pressure by their ISP to shut down the site, according to Smith and Stewart.

Because such behind-the-scenes activity might eventually arouse the suspicions of victims, each compromised user machine acts as a DNS (Domain Name Service) host for the illicit Web domains for only 10 minutes, before being replaced by another compromised system known to the spammer, Smith said.

To continually move Web properties around, the spammer installs DNS software on the compromised machines, turning them into their own DNS servers. Then, using features of DNS, the spammer sets a short expiration, or "time to live" (TTL), on the DNS "host name mappings," the records that tie a domain name to a numeric Internet address, Smith said.

Using online domain registration services like Network Solutions Inc. and automated scripts, the spammer updates the host mapping information at regular intervals, replacing the DNS address for one compromised machine with that of another, Smith said.
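Smith's monitoring approach, recast as an added defender-side example (this is not code from the article, from Smith or from LURHQ): a small Python script that tallies, per domain, how many distinct addresses and networks the DNS answers rotate through and how short the TTLs are, then flags names whose answers churn the way the article describes. The domain names, addresses and thresholds are constructed for the example.

```python
"""Flag DNS names whose answers rotate through many hosts with short TTLs.

Hypothetical detector: it models the behaviour the article describes
(a 10-minute TTL, a new compromised host on each refresh) and looks for
it in a log of observed answers. Sample data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (seconds since start, name, answer IP, TTL)
OBSERVED = [
    (0,    "shop.example.test", "198.51.100.10",  600),
    (660,  "shop.example.test", "198.51.100.10",  600),
    (1320, "shop.example.test", "198.51.100.10",  600),
    (0,    "lure.example.test", "203.0.113.5",    300),
    (600,  "lure.example.test", "192.0.2.77",     300),
    (1200, "lure.example.test", "198.51.100.200", 300),
    (1800, "lure.example.test", "203.0.113.140",  300),
    (2400, "lure.example.test", "192.0.2.9",      300),
]


def summarize(observations):
    """Per name: distinct IPs, distinct /24s (a crude stand-in for
    'different ISP'), max TTL seen, and how often the answer changed."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(),
                                 "max_ttl": 0, "changes": 0, "last": None})
    for _, name, ip, ttl in sorted(observations):
        s = stats[name]
        s["ips"].add(ip)
        s["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
        s["max_ttl"] = max(s["max_ttl"], ttl)
        if s["last"] is not None and s["last"] != ip:
            s["changes"] += 1
        s["last"] = ip
    return stats


def fast_flux_candidates(observations, max_ttl=600, min_ips=4, min_nets=3):
    """Names whose TTL stays short AND whose answers spread across many
    hosts and networks. A single short-TTL host (e.g. a CDN front end)
    does not qualify; the combination is what distinguishes rotation."""
    flagged = []
    for name, s in summarize(observations).items():
        if (s["max_ttl"] <= max_ttl and len(s["ips"]) >= min_ips
                and len(s["nets"]) >= min_nets):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in fast_flux_candidates(OBSERVED):
        s = summarize(OBSERVED)[name]
        print(f"{name}: {len(s['ips'])} hosts in {len(s['nets'])} networks, "
              f"{s['changes']} changes, TTL<={s['max_ttl']}s")
```

Feeding the script real resolver logs rather than the constructed list is a matter of replacing `OBSERVED`; the thresholds should be tuned against known legitimate short-TTL services to keep false positives down.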

Such techniques are attractive to spammers who are looking to bypass IP address blacklists, which are the most widely used antispam technology, according to Linus Upson, a spam expert for antispam company Qurb Inc. of San Mateo, California.

"As a spammer, you care about deliverability -- getting spam into people's mailboxes. A solution like this nullifies the most widely used antispam technology," Upson said.

And, for spammers involved in fraudulent activity, hiding the source of the spam is a way to avoid getting caught, he said.

Neither Stewart nor Smith knew how the trojan came to be installed on the affected systems.

A virus such as W32.Sobig could have dropped it on systems that it infected, or a malicious ActiveX control on a Web site could have planted it on vulnerable machines, Smith said. Alternatively, the program could have been distributed through the IRC (Internet Relay Chat) network or peer-to-peer (P-to-P) networks like Kazaa, Stewart said.

While the new trojan cannot spread itself like a virus, migmaf has a number of features for reporting on the systems it compromises, according to an analysis written by Stewart and posted on the LURHQ Web site. The trojan can send statistics and information about its current state back to the master server, and can monitor the available bandwidth on the infected system, he said.

By dissecting a copy of the trojan, Stewart was able to trace the location of the master Web server back to a machine owned by Houston Web-hosting company Everyones Internet.

Everyones Internet did not respond to a request for comment, but Stewart said that the master Web server has been deactivated and Smith said that his monitoring shows that the PayPal and pornography Web sites are down. Nevertheless, the new distribution system will make it extremely difficult to track down the source of future illicit content and spam, according to Smith.

"It took Joe Stewart seven days to locate that server. It usually takes a couple minutes," Smith said.

Like Kazaa and other P-to-P networks, the new spam network is distributed and lacks a single point of failure, which will make it difficult to dismantle, Smith said.

The sample trojan program has been passed along to major antivirus companies, which are developing signatures to detect the stealth program, Stewart said. However, multiple versions of the migmaf trojan probably exist, many of which will not have antivirus signatures developed for them, he said.

Users are advised to install personal firewalls on any unprotected home computers, especially those with "always on" broadband Internet connections, both Smith and Stewart said.

Even if it doesn't prevent the trojan from being installed, firewall software will stop the spammer's master server from communicating with an infected host, which keeps that host from becoming a distribution point for spam or pornography, they said.

Paul Roberts

IDG News Service