Today Nuwar/Zhelatin spammed out several thousand mails, which are very similar to those we saw yesterday. Although the spam template did not change at all, the format of the mail changed:

It changed to HTML instead of plain text, but it does not contain any active content such as JavaScript or ActiveX.

Compared with the last spam wave, the IP address is no longer visible in the message body: the HTML hides it behind the link text. Users might have learned not to click on http://xx.xx.xx.xx/ IP addresses in spam mails, and now they need to get educated again.

The bots communicate with each other over a peer-to-peer network. The parameters for DDoS attacks and the spam templates are pushed to the bots over that network, so they are not hard-coded, and it is therefore hard to write a generic signature in an antivirus product for the next wave. Using an antispam product to detect and block those mails is the appropriate approach.
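The two mail formats described above call for the same gateway check applied to different fields: in a plain-text mail the raw `http://xx.xx.xx.xx/` URL is in the visible body, while in an HTML mail the IP address sits only in the anchor's `href` behind innocuous link text. The following is an added example, not code from the original post or from any antispam product, showing how a mail filter can extract links from both formats and flag those whose target host is a literal IP address, or whose visible text is a URL that does not match the real target. The sample mail bodies and the `192.0.2.10` address are constructed for the example.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Plain-text form of the lure: a URL whose host is a dotted-quad IPv4 address.
IPV4_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/[^\s<>\"']*)?")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def host_is_literal_ip(url):
    """True if the URL's host part parses as an IPv4 or IPv6 address."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_urls_in_text(body):
    """Plain-text mails: return every http(s) URL whose host is a bare IPv4 address."""
    return IPV4_URL_RE.findall(body)


def find_suspicious_html_links(html_body):
    """HTML mails: flag anchors whose real target is an IP address, and anchors
    whose visible text is itself a URL that differs from the actual href."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if href and host_is_literal_ip(href):
            findings.append({"href": href, "text": text,
                             "reason": "href host is a literal IP address"})
        elif text.lower().startswith(("http://", "https://")) and text != href:
            findings.append({"href": href, "text": text,
                             "reason": "visible link text differs from href"})
    return findings


def mail_is_suspicious(body, is_html):
    """Single entry point a gateway filter would call per message."""
    if is_html:
        return bool(find_suspicious_html_links(body))
    return bool(find_ip_urls_in_text(body))


# Constructed sample bodies (not real spam), one per format seen in the two waves.
PLAIN_SAMPLE = "Funny video of you! Watch it here: http://192.0.2.10/video.exe"
HTML_SAMPLE = ('<html><body><p>Funny video of you! '
               '<a href="http://192.0.2.10/video.exe">Click here to watch</a></p></body></html>')

if __name__ == "__main__":
    print("plain:", find_ip_urls_in_text(PLAIN_SAMPLE))
    print("html: ", find_suspicious_html_links(HTML_SAMPLE))
```

The plain-text regex alone would miss the second wave entirely, since the IP address never appears in the rendered text; parsing the `href` attributes is what makes the HTML variant detectable with the same rule.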