The discovery by Romania-based BitDefender came after the company identified spam e-mails that claimed to contain links to videos. When users click the link to view the video, however, they were prompted to download a media player, which actually was Backdoor.Edunet.A, a trojan that uses victims' compromised computers as a channel for sending commands to a series of mail servers.
The Edunet backdoor creates a botnet used to attempt to send spam via a list of mail servers, BitDefender said in an online posting available here. The mail servers are mostly in the .edu and .mil domains.
"It's not every day that you stumble on the workings of an honest-to-God hacking ring, let alone one that has a predilection for using military- and university-run mail servers as spam relays," Sorin Dudea, BitDefender's head of antivirus research, wrote in the online posting. "It would be interesting to identify what, if anything, the institutions that own the targeted servers have in common."
The trojan sends the commands hoping to find an open relay -- a mail server misconfiguration that spammers often use to camouflage the origins of their spam. This techniques essentially makes it appear that any email originating from the trojan is in fact one sent from the open relay, according to BitDefender.
The list of servers is retrieved by the trojan from a series of web servers that are compromised themselves or part of the attackers' own network, according to BitDefender. The list of web servers is continuously changing, but that of the targets has, so far, remained constant, the company said.
BitDefender researchers said that none of the servers in the current target list is actually vulnerable.