Increase in Andromeda botnet spam

April 26, 2013

The Dell SonicWall Threats Research team has observed an increase in active spam campaigns involving the Andromeda botnet in the wild. The Trojan arrives in the form of emails that masquerade as messages from financial institutions or service providers with attachments of receipts, form notifications or a service invoice as pictured below:

Andromeda is a highly modular kit that makes it easy for a botnet operator to combine functionalities that will serve their purpose. With a few purchasable plugins, an operator can add proxy capabilities, a rootkit and a form grabber. The following screenshot is an example of an ad we found for the Andromeda loader in a hacker forum; a kit starts at $300:

Infection Cycle:

Upon execution The Trojan makes the following DNS queries to verify internet connectivity:


Once internet connectivity has been verified, it will connect and send data to a remote server:

It will then download additional files. In this case it downloaded plugins such as r.pack, which is the rootkit component and s.pack, the socks4 proxy component.

The Trojan loader copies itself to the following location:

  • %APPDATA%svchost.exe [Detected as GAV: Androm.EB_2 (Trojan)]

To enable startup after a reboot, it adds the following key to the Windows registry:

  • HKLMsoftwaremicrosoftwindowscurrentversionrun [sunjavaupdatesched] "%APPDATA%svchost.exe"

The sample we analyzed uses the IsDebuggerPresent API to detect and prevent malware analysts from debugging and understanding its behavior.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Androm.EB_2 (Trojan)
  • GAV: Androm.PSG (Trojan)
  • GAV: Injector.AFKU (Trojan)