The Sarvdap spambot was recently observed checking the IP addresses of infected hosts against common blacklists, in an attempt to ensure that its spam email is successfully delivered, Palo Alto Networks security researchers reveal.
While other spambots typically start sending spam emails as soon as a host has been infected, Sarvdap first checks whether the host's IP address is on a blacklist, and shuts itself down if it is. Commonly downloaded by the Andromeda botnet, the spambot has been used to deliver pharmaceutical spam and to distribute the main Andromeda bot to more targets.
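
One way a defender can hunt for this behaviour, as an added example that is not from the article or from Palo Alto Networks: it assumes the blacklist check is made through ordinary DNSBL DNS queries (the article does not say how Sarvdap performs it), and the log format, zone list and addresses are constructed for illustration. It flags hosts that are not known mail servers yet look up an IP address against spam blacklists.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed watch list of public DNSBL zones; extend for your environment.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")
# Hosts that legitimately query DNSBLs (mail gateways); constructed value.
MAIL_SERVERS = {"10.0.0.25"}

# Constructed sample log: "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.25 4.3.2.1.zen.spamhaus.org A
2024-01-01T10:00:05Z 10.0.5.17 113.100.51.198.zen.spamhaus.org A
2024-01-01T10:00:05Z 10.0.5.17 113.100.51.198.bl.spamcop.net A
2024-01-01T10:00:06Z 10.0.5.17 www.example.com A
2024-01-01T10:00:09Z 10.0.7.3 zen.spamhaus.org A
malformed line
"""

# A DNSBL lookup is the checked IPv4 address with octets reversed, then the zone.
QNAME_RE = re.compile(r"^((?:\d{1,3}\.){4})(.+)$")

def parse_dnsbl_query(qname):
    """Return (checked_ip, zone) for a reversed-IPv4 DNSBL lookup, else None."""
    m = QNAME_RE.match(qname.lower().rstrip("."))
    if not m or m.group(2) not in DNSBL_ZONES:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None  # digits present but not a valid address
    return str(ip), m.group(2)

def find_suspect_hosts(log_text, allowed=MAIL_SERVERS):
    """Map each client outside the allow list to the DNSBL lookups it made."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, qname, _ = fields
        parsed = parse_dnsbl_query(qname)
        if parsed and client not in allowed:
            hits[client].add(parsed)
    return dict(hits)

if __name__ == "__main__":
    for host, lookups in find_suspect_hosts(SAMPLE_LOG).items():
        print(host, sorted(lookups))
```

A workstation that checks one address, typically the site's own public IP, against several blacklists in quick succession is the pattern worth triaging.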