StealRat Description

StealRat is a spam botnet that uses compromised websites to send out spam messages. StealRat is built from three main components: compromised websites for sending the spam, hacked computer systems for gathering and relaying the spam data, and hijacked websites for delivering the payload. This layout lets the StealRat botnet circumvent new security technologies. The actual spam server hides behind three layers of unwitting victims: two hijacked websites and a targeted PC. The infected PC acts as a liaison between the spam server and the vulnerable website. Because the spam server never interacts directly with the site that sends the spam, the email appears to have originated from the affected computer. The spam email itself does not deliver the malware, so there is no visible connection between the two either. The operators have split up the main functions and minimized the interactions among them to cut off any threads that could connect the components to each other. A compromised website hosts the payload link and a spamming script. The payload is usually a porn or online-pharmacy website. The spamming script is written in PHP and waits for data from a victimized computer (the malware victim). The infected PC connects to the malicious spam server to fetch the spam data, which consists of a backup mail server, a 'sender' name, recipient addresses and an email template. A hacked website will usually contain a randomly named folder holding several PHP scripts.
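The last observation, a randomly named folder full of PHP scripts on a compromised web server, is something a site owner can sweep for. The script below is an added example written for this page, not code from StealRat or from any vendor report; it walks a document root and flags subdirectories whose name looks machine-generated and which directly contain two or more .php files. The name heuristic (interleaved letters and digits, or a long vowel-free name), the thresholds and the allowlist of common CMS folders are assumptions chosen for the example, and the sample tree it scans is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic thresholds; assumed for this example, not taken from the description.
MIN_PHP_FILES = 2
MIN_NAME_LEN = 8
MAX_VOWEL_RATIO = 0.2
ALLOWLIST = {"wp-admin", "wp-content", "wp-includes", "vendor", "assets"}

def looks_random(name: str) -> bool:
    """True for names that look machine-generated: letters and digits
    interleaved several times, or a long name with almost no vowels."""
    if name in ALLOWLIST or len(name) < MIN_NAME_LEN:
        return False
    lower = name.lower()
    letters = sum(c.isalpha() for c in lower)
    # overlapping alpha<->digit boundaries: "backup2024" has 1, "x7k2pq9m4z" has 8
    switches = len(re.findall(r"(?=[a-z]\d|\d[a-z])", lower))
    if switches >= 3:
        return True
    vowels = sum(c in "aeiou" for c in lower)
    return letters > 0 and vowels / letters <= MAX_VOWEL_RATIO

def find_suspicious_php_dirs(webroot: str) -> list[str]:
    """Walk the document root and return subdirectories whose name looks
    random and which directly hold at least MIN_PHP_FILES .php scripts."""
    root = Path(webroot)
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d == root:
            continue
        php = sum(f.lower().endswith(".php") for f in filenames)
        if php >= MIN_PHP_FILES and looks_random(d.name):
            flagged.append(d.relative_to(root).as_posix())
    return sorted(flagged)

def demo() -> list[str]:
    """Build a constructed sample webroot, scan it and return the hits."""
    layout = {  # constructed sample tree, not data from a real infection
        "wp-content/plugins": ["a.php", "b.php"],                      # normal folder
        "wp-content/uploads/x7k2pq9m4z": ["c.php", "d.php", "e.php"],  # random name, several scripts
        "qwtrxpzk": ["one.php"],                                       # random name, too few scripts
        "backup2024": ["x.php", "y.php"],                              # ordinary name
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, files in layout.items():
            (Path(tmp) / rel).mkdir(parents=True)
            for f in files:
                (Path(tmp) / rel / f).write_text("<?php\n")
        return find_suspicious_php_dirs(tmp)
```

Run `demo()` to see the one hit; on a real server, pass the actual document root to `find_suspicious_php_dirs` and review each flagged folder by hand, since the name heuristic will also catch legitimate hashed build or cache directories.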