How to Help Protect Yourself

In recent years, we have seen a steady increase in the volume of spam originating from compromised websites. While much of this can be attributed to many parallel, isolated attacks made possible by the vulnerable state of the exploited sites, one particular operation we have dubbed “Stealrat” caught our attention. In just over two months, we have seen more than 170,000 compromised domains or IP addresses running WordPress, Joomla!, and Drupal send out spam.
The spamming technique used left no trace of communication between the compromised sites and the actual spam server. This makes it difficult for spam filters to authenticate the emails, since they come from legitimate sites, and difficult for the compromised site owners to trace the origin of the spam, since the sending is driven from compromised user machines.
Even though some believe the Stealrat botnet has been active since 2010, it was not until late last year that site owners started to notice that their sites were sending out porn-related spam. These had links that pointed to landing pages hosted on compromised domains (i.e., not theirs).
We also found spam samples written in other languages, such as Portuguese, Spanish, Lithuanian, and German. Samples in still other languages may exist.
While porn remains the underlying theme of Stealrat spam, we also saw samples that contained snippets from Harry Harrison’s “The Stainless Steel Rat,” a science fiction book series about a con man and bank robber nicknamed “Slippery Jim.”
All of the spam samples we were able to obtain had links that pointed to either porn or online pharmacy sites hosted on compromised domains (i.e., not the compromised site senders’).
Simply put, the operation:
1. Exploited sites by injecting malicious PHP and HTML pages into vulnerable folders
2. Compromised user machines to harvest spam information
3. Compromised web pages to deliver payloads
The three-step method above was likely intended to further evade spam engines and filters.
Normally, an IP address or domain that sends out spam has a very short life span because spam engines would blacklist them as soon as they are verified to be spam domains. In the setup shown in the diagram, the actual spam domain hides behind three layers of unsuspecting victims—the two compromised sites and the infected machine.
Though some files have already been deleted, we were still able to compile files typically found in a compromised site’s folder.
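A defender-side check for step 1 above, added here as an illustration and not part of the original analysis: it walks a web root and flags server-side scripts that sit in directories which, on the three platforms named, should hold only uploaded media. The directory list, the extension pattern, and the sample site tree are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Assumption for this example: these directories normally hold only uploaded
# media on WordPress, Joomla! and Drupal, so a PHP-like file inside them is
# a likely injected page rather than legitimate application code.
MEDIA_DIRS = ("wp-content/uploads", "images", "media", "sites/default/files")
SERVER_SIDE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def find_injected_scripts(webroot):
    """Return sorted relative paths of PHP-like files inside media-only directories."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        if not any(rel_dir == d or rel_dir.startswith(d + "/") for d in MEDIA_DIRS):
            continue  # application code directories are out of scope for this check
        for name in files:
            if SERVER_SIDE.search(name):
                hits.append(f"{rel_dir}/{name}")
    return sorted(hits)


def build_sample_site():
    """Constructed sample web root: a WordPress-style tree with two planted scripts."""
    root = tempfile.mkdtemp()
    layout = {
        "index.php": "<?php // legitimate front controller\n",
        "wp-content/themes/x/functions.php": "<?php // legitimate theme code\n",
        "wp-content/uploads/2013/05/photo.jpg": "binary-placeholder",
        "wp-content/uploads/2013/05/cache.php": "<?php /* planted for the example */\n",
        "images/banner.png": "binary-placeholder",
        "images/thumb.phtml": "<?php /* planted for the example */\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in find_injected_scripts(build_sample_site()):
        print("server-side script in media-only folder:", hit)
```

A real deployment would run this against the live document root and pair it with a file-integrity baseline, since injected pages can also overwrite legitimate application files outside the media folders.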
