Increase in Andromeda botnet spam (April 26, 2013)


The Dell SonicWall Threats Research team has observed an increase in active spam campaigns involving the Andromeda botnet in the wild. The Trojan arrives in the form of emails that masquerade as messages from financial institutions or service providers with attachments of receipts, form notifications or a service invoice as pictured below:

Andromeda is a highly modular kit that makes it easy for a botnet operator to combine functionalities that will serve their purpose. With a few purchasable plugins, an operator can add proxy capabilities, a rootkit and a form grabber. The following screenshot is an example of an ad we found for the Andromeda loader in a hacker forum; a kit starts at $300:

Infection Cycle:

Upon execution The Trojan makes the following DNS queries to verify internet connectivity:


Once internet connectivity has been verified, it will connect and send data to a remote server:

It will then download additional files. In this case it downloaded plugins such as r.pack, which is the rootkit component and s.pack, the socks4 proxy component.

The Trojan loader copies itself to the following location:

  • %APPDATA%svchost.exe [Detected as GAV: Androm.EB_2 (Trojan)]

To enable startup after a reboot, it adds the following key to the Windows registry:

  • HKLMsoftwaremicrosoftwindowscurrentversionrun [sunjavaupdatesched] “%APPDATA%svchost.exe”

The sample we analyzed uses the IsDebuggerPresent API to detect and prevent malware analysts from debugging and understanding its behavior.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Androm.EB_2 (Trojan)
  • GAV: Androm.PSG (Trojan)
  • GAV: Injector.AFKU (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.