Light Dark
October 24, 2016 By Larry Loeb 2 min read

Palo Alto Networks discovered a new spambot that determines whether the IP address on an infected host appears on a blacklist. If it does, the bot terminates itself without bothering to download the rest of the drop. Its Real-time Blackhole List (RBL) is specially designed and updated to prevent spam transmission by marking and blocking malicious addresses.

Sarvdap Scans Blacklists

According to SecurityWeek, the spambot, called Sarvdap, is distributed by the Andromeda botnet to deliver pharmaceutical spam or new copies of the Andromeda bot.

The spambot’s overall process is fairly detail-oriented. When it tries to inject itself, for example, it checks for the presence of a debugger. In normaly circumstances, the presence of a debugger could mean it is being observed.

“Sarvdap is particularly interesting not due to its scale, but rather due to its attempts to increase overall spam delivery by abusing reputation blacklists,” the Palo Alto researchers said.

Whereas other spambots simply pop up and start sending out spam, Sarvdap first conducts an IP check of the host to see if its even worth the effort. If the host passes the RBL check and Sarvdap doesn’t self-destruct, it attempts to communicate with the Microsoft website.

If that works, it sends messages to the host to determine whether it can communicate freely over TCP port 2352. If the command-and-control (C&C) server is online, it downloads a configuration file.

A Conceptual Advance

Palo Alto researchers found one interesting file inside the source code of the spambot: a hard-coded list of commonly known blacklist servers. Interestingly, this list was global in reach. That led the researchers to believe that the malware author was planning a widespread distribution of the spambot from the beginning.

Other strains of malware that predate Sarvdap, such as Furtim, also use blacklists. Unlike Sarvdap, however, they use these lists primarily to evade detection. The use of RBLs for nefarious purposes represents a conceptual advance for spambots — and it’s something users will increasingly have to watch out for in the future.

 |  | 
Larry Loeb
Principal, PBC Enterprises

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature