Reverse-Proxy Spam Trojan – Migmaf
Joe Stewart (LURHQ):
Migmaf Reverse-Proxy Spam Trojan
In late June 2003, spam-fighters from the news.admin.net-abuse.email Usenet group noticed a particular spammer seemed to be able to move his websites around at will, minute-by-minute. This activity was also pointed out in an article by Richard M. Smith of computerbytesman.com.
It appeared at first that the spammer had managed to infect thousands of systems with a small webserver trojan – rotating them in and out of the DNS for the domain names he owned every 10 minutes. It made it nearly impossible for ISPs to track and shut down, as the IP addresses were largely owned by dialup users, so ISPs would be fighting a constant battle to keep track of all the reports.
The sites being advertised in the emails were generally Russian porn sites, and Richard Smith pointed out the same servers were involved in a Paypal scam email he had seen.
LURHQ was able to obtain a copy of the trojan – detected from suspicious activity originating from a VPN user on a firewall on a network we monitor. What we found was the trojan was not a webserver at all, but instead: a reverse proxy server. Instead of hosting the content on the victim’s computer, the spammer instead maintained a “master” webserver. We have dubbed this trojan “Migmaf”.
