As we wrote yesterday, the Kido botnet has installed another well-known worm – Iksmas, aka Waledac – on infected computers.

Iksmas was downloaded from the server, a resource that researchers have known about for some time and which is currently one of the main sources used to distribute Iksmas.

The variant that was downloaded by Kido was detected proactively by Kaspersky Anti-Virus as HEUR:Worm.Win32.Generic using heuristic technology. The new version of Kido (Worm.Win32.Kido.js) was also detected by the same heuristics and with the same verdict.

We decided to keep tabs on the botnet to see what the spambot worm Iksmas would do once it was installed on infected computers. Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. All the spam messages sent by the botnet last night were advertising pharmaceuticals. Here are a few sample messages:

Subject: A unique opportunity to live healthier life!
Hot News for You

Subject: Add power to your man’s hammer
We supply porno studios since 1972. Try blue-pills and stay up with your girls!

Subject: Hot life – our help here. Ensure your potence today!
Solution to low-sized perks

Subject: Perfect solutions to have it hard as stone!
Your one and only online Chemist.

Subject: She will dream of you days and nights!
Love her everywhere.

In just 12 hours, one bot alone sent out 42 298 spam messages.

As you will have noticed, the messages contain domain links. Virtually every email contained a unique domain. This was obviously done to prevent anti-spam filters from detecting the mass mailings using methods that analyze the frequency with which a specific domain is used.

We detected the use of 40 542 third-level domains and 33 second-level domains. They all belonged to spammers and the companies that ordered these mailings.
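As an added illustration of the evasion described above (this is not code from the original post), the following Python collapses each link's hostname to its second-level domain before counting, so that frequency analysis still surfaces a mailing in which every message uses a unique third-level domain. The sample messages and domain names are constructed, and the second-level collapse assumes plain ccTLDs rather than multi-label public suffixes.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample messages (not from the original post): each message
# carries a unique third-level domain, while the second-level domains repeat.
SAMPLE_MESSAGES = [
    "Hot News for You http://a1b2.example-pills.cn/",
    "Try blue-pills today http://x9y8.example-pills.cn/buy",
    "Your one and only online Chemist http://q7w6.example-chemist.cn/",
    "Love her everywhere http://z3k4.example-chemist.cn/",
    "Ensure your potence today http://m5n6.example-pills.cn/",
]

URL_RE = re.compile(r"https?://\S+")


def registrable_domain(host):
    """Collapse a hostname to its last two labels.
    Assumption: single-label TLDs such as .cn; a public-suffix list would be
    needed for suffixes like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_hosts(message):
    """Return the hostnames of all http(s) links found in a message body."""
    hosts = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def domain_stats(messages):
    """Return (distinct hostnames, distinct second-level domains, per-SLD counts)."""
    hosts = [h for msg in messages for h in extract_hosts(msg)]
    slds = Counter(registrable_domain(h) for h in hosts)
    return len(set(hosts)), len(slds), slds


def looks_like_rotating_subdomain_campaign(messages, min_ratio=2.0):
    """Flag a mailing when many distinct hostnames collapse onto few
    second-level domains: per-hostname frequency looks innocent, per-SLD
    frequency does not."""
    n_hosts, n_slds, _ = domain_stats(messages)
    return n_slds > 0 and n_hosts / n_slds >= min_ratio
```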

Here are a couple of screenshots from the sites:

Here is a full list of the second-level domains used in the mailings:

Virtually all of these sites are located in China and are registered in the names of various people, most probably invented.

A simple calculation shows that one Iksmas bot sends out around 80 000 emails in 24 hours. Assuming that there are 5 million infected machines out there, the botnet could send out about 400 000 000 000 (400 billion!) spam messages over a 24-hour period.




