By 1 August, abuse.ch had netted 20 instances of the malware, and this morning published its analysis. Symantec had said that both containment and removal are easy, but abuse.ch notes that only 3 of its 20 binaries are known to VirusTotal – albeit those three are well covered (34 or 35 of VirusTotal's 46 anti-virus engines). This does not, of course, mean that the remaining 17 versions won't be detected by the behavioral side of AV.
Once a computer is infected, Rodecap goes to some lengths to disguise its purpose. On the surface, it appears to download two JPGs from google.com. In reality, it fetches two Windows executables from a server hosted in Russia.
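The disguise described above (downloads named as JPGs that are really Windows executables) is the kind of thing a defender can check at a proxy or on disk by comparing the claimed type with the file's real header. The following is an added example, not code from abuse.ch or from the original article; the minimal PE header it builds is a constructed sample and the function names are my own.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"     # a JPEG file starts with the SOI marker
MZ_MAGIC = b"MZ"               # DOS header magic of a Windows PE executable
PE_SIGNATURE = b"PE\x00\x00"   # signature found at the offset stored in e_lfanew


def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    # e_lfanew: 32-bit little-endian offset of the PE header, stored at 0x3c
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # an out-of-range offset yields an empty slice and therefore False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def is_jpeg(data: bytes) -> bool:
    """True if data begins with the JPEG start-of-image marker."""
    return data[:3] == JPEG_SOI


def classify_download(filename: str, data: bytes) -> str:
    """Compare the extension a download claims with what its bytes actually are."""
    claims_image = filename.lower().endswith((".jpg", ".jpeg"))
    if is_pe_executable(data):
        if claims_image:
            return "SUSPICIOUS: PE executable disguised as image"
        return "pe-executable"
    if is_jpeg(data):
        return "jpeg"
    return "unknown"


def build_fake_pe() -> bytes:
    """Constructed sample: a DOS stub pointing at a PE signature (not a real program)."""
    header = bytearray(0x80)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)


if __name__ == "__main__":
    # constructed inputs: a fake JPEG and the fake PE renamed to look like one
    print(classify_download("logo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(classify_download("logo.jpg", build_fake_pe()))
```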
One of these is a spam module that exhibits, says abuse.ch, "some interesting methods for C&C communication and for sending out spam that I’ve never seen before. In fact, the idea is quite good..."
The modus operandi is first to compromise CMS sites such as WordPress and Joomla. "Within a few hours," says the researcher, "I was able to retrieve more than 3,500 unique websites that seem to run an outdated content management system (CMS, such as Joomla!) and which have already been compromised and are hosting a malicious PHP file."
Rodecap uses these compromised CMS servers to send out its spam. Sometimes the compromised CMS fails to transmit and returns an error message – for example, "Unfortunately, some messages from 92.53.113.126 weren’t sent. Please try again. We have limits for how many messages..."
By examining these error messages, the researcher concluded that the spam currently targets the big free email providers such as Windows Live, Yahoo and AOL. And because the spam comes from a legitimate CMS system, much of it gets through the mail providers' spam filters.
"There are tens of thousands of websites out there running vulnerable (unpatched) CMSes that can easily be exploited to install malicious software on the victim's webspace," explains abuse.ch. "The Rodecap gang seizes this opportunity to install a PHP backdoor that then allows them to send emails through the compromised webservers. By doing this, the criminals avoid common blacklists, especially blacklists that are listing dynamic IP space used by end users (DSL / cable subscribers) such as Spamhaus PBL or SORBS DUL."
The threat may be low, says Symantec; but the threat is interesting, says abuse.ch.