A few weeks ago, the folks over at the Arbor Security Engineering and Response Team uncovered and analyzed another spambot, which they dubbed "Lethic". We recently got hold of some samples and did some analysis ourselves.
Although only recently uncovered, the Lethic spambot (or its predecessors) has probably been in existence for some time. For over 2 years, we have observed a type of spam from an unknown botnet which we simply called "Type 11". Lethic is a proxy-type spambot which relays spam from a control server to its destination. It focuses mainly on sending pharmaceutical and replica watch spam campaigns.
Below are some typical Lethic spam messages:
At this stage, we are not certain how big the Lethic botnet is. However, as it is currently responsible for about 8-10% of the spam in our traps, we figure it is a sizeable botnet.
As of this writing, the Lethic spam campaign accounts for 8-10% of the spam volume.
Most of Lethic's command & control servers are hosted by an ISP based in Chicago, IL called FDCservers.net. Looking around, others have also noticed this provider: there have been complaints regarding FDCservers.net here, here and here.
For those interested, we have added the Lethic Trojan to our list of notorious spambots. Go here for our full technical analysis of this malware.