Mar 11, 7:01 pm (UTC-7) | by Romeo Dela Cruz (Threat Response Engineer)
The Andromeda botnet – first spotted in late 2011 – has recently resurfaced. This threat arrives via a familiar means: spammed messages with malicious attachments or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code. Here is one spam message we saw recently:
Figure 1. Sample spammed message
Andromeda itself is highly modular, and can incorporate various modules, such as:
- Keyloggers
- Form grabbers
- SOCKS4 proxy module
- Rootkits
As is typical of backdoors, it can download and execute other files like ZeuS, as well as update and remove itself if needed. Typically, variants of the Andromeda malware can be bought online for 300-500 US dollars. However, each of the plugins mentioned above costs an extra sum of money. The most recent version number we have identified is version 2.60. The top affected countries of this threat are Australia, Turkey, and Germany based on our Smart Protection Network feedback below:
Figure 2. Andromeda infection count from January to February 25, 2013