Symantec has detected a new Trojan horse program that shows users fake advertisements when they view web pages. The Trojan uses SPF (Sender Policy Framework), an extension of the protocol for sending email, to receive instructions from the attackers. This technique allows the malware to remain unnoticed on the victim’s computer.
The most interesting aspect of the malware is the way it obtains updated URLs from the attackers.
The Trojan periodically generates a domain name according to a specified algorithm and looks up the SPF record for that domain. The attackers know in advance exactly which domain will be generated, so they register it and set up an SPF record for it containing IP addresses and hosts from which the malicious program can build new URLs.
Note that SPF policy is meant to verify the authenticity of emails. In the case of Trojan Spachanel, however, the protocol is used to deliver a list of fake hosts. This allows the attackers to hide malicious traffic from firewalls and other security software that blocks direct connections to known malicious C&C servers.
“In some cases, certain domains are blocked by the local DNS server, but the detected Trojan creates domain names that are rarely filtered,” said Kattsuki.
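Because SPF records are normally fetched only by mail servers, a workstation receiving them stands out in DNS logs. The following detection sketch is an added example, not Symantec's code; the log format, the `MAIL_SERVERS` allow-list and all sample domains and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS log: "client qtype qname answer" (format is an assumption).
SAMPLE_LOG = """\
10.0.0.5 TXT example.org "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"
10.0.0.23 A www.example.com 198.51.100.7
10.0.0.23 TXT qzkxwv.example "v=spf1 ip4:203.0.113.4 a:host1.example -all"
10.0.0.23 TXT hbtrnp.example "v=spf1 ip4:203.0.113.9 -all"
10.0.0.31 TXT example.com "google-site-verification=constructed"
"""

MAIL_SERVERS = {"10.0.0.5"}  # assumption: hosts with a legitimate reason to fetch SPF

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"?(.*?)"?$')

def spf_hosts(record):
    """Return the ip4/ip6/a/mx/include targets named in an SPF record."""
    hosts = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")           # drop the SPF qualifier, if any
        name, sep, value = term.partition(":")
        if sep and name.lower() in {"ip4", "ip6", "a", "mx", "include"}:
            hosts.append(value)
    return hosts

def find_spf_lookups(log_text, mail_servers=MAIL_SERVERS):
    """Map each non-mail client to the SPF domains it queried and the hosts returned."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qtype, qname, answer = m.groups()
        # Only TXT answers that carry an SPF policy are of interest here.
        if qtype.upper() != "TXT" or not answer.lower().startswith("v=spf1"):
            continue
        if client in mail_servers:
            continue
        findings[client].append((qname, spf_hosts(answer)))
    return dict(findings)

if __name__ == "__main__":
    for client, hits in find_spf_lookups(SAMPLE_LOG).items():
        print(client, hits)
```

The hosts extracted from each flagged record can then be checked against proxy or firewall logs for follow-on connections from the same client.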