{
	"id": "eadbf20d-499b-48cb-9ce2-e66999ae1e3c",
	"created_at": "2026-04-06T00:18:21.499723Z",
	"updated_at": "2026-04-10T03:20:26.885121Z",
	"deleted_at": null,
	"sha1_hash": "3d29d151dabc6555cad95a100ae70472385693a3",
	"title": "How To Guide | Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine | Spamhaus Technology",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1101835,
	"plain_text": "How To Guide | Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine | Spamhaus Technology\r\nArchived: 2026-04-05 20:54:59 UTC\r\nAn introduction to malware vaccines\r\nA malware vaccine is a small piece of harmless code introduced into a computer system in advance so that a specific malware family is disrupted and prevented from executing and spreading when it arrives. The analogy to medical vaccines is deliberate (hence the shared terminology): the system is “immunized” against particular types of malware by being given a form of defense before it is exposed.\r\nThere are various types of malware vaccines, including file-based, memory-based, and network-based. They can be delivered as standalone tools or integrated into other security products such as antivirus software.\r\nWhile malware vaccines can be an effective defense against certain types of malware, they are never a substitute for other security measures such as keeping software and operating systems up to date, using strong passwords, and avoiding suspicious email attachments or downloads, to name but a few. Because a vaccine targets the specific behavior of one family, it must also be updated as new strains are developed, or it stops working.\r\nLet’s move on to the malware taking center stage in this series…\r\nWhat is Tofsee malware?\r\nTofsee, also known as Gheg, is a sophisticated modular malware family primarily designed to send spam email, alongside other full-fledged botnet activities such as mining, stealing login and email credentials, and downloading further malware. The additional malware downloaded is generally either ransomware or a banking Trojan.\r\nThe malware is written in C/C++ and uses various techniques to avoid detection and remain persistent on infected systems.\r\nIdentifying where a vaccine can be “injected” in Tofsee\r\nTo create a vaccine for a malware family, you need to be able to mimic the existence of part of the malware, for example its binary file. This tricks the malware into believing that an instance of its code is already running on the system, so it does not try to re-infect it.\r\nThe first stage in identifying points at which the binary can be diverted from its normal execution is to reverse engineer the malware and understand the flow of its code.\r\nTo explore the possibility of imitating the binary file, you need to check how the malware verifies its installer/installed path.\r\nhttps://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/\r\nPage 1 of 11\r\nInstaller/Installed path checks in Tofsee\r\nTofsee installer/installed paths deviate from the norm\r\nWhen we ran these checks against Tofsee, we noticed a slight deviation from the typical routine. Instead of checking file or registry-based artifacts, Tofsee cross-checks against an in-memory variable injected during installation.\r\nInstaller checks in Tofsee\r\nThis makes it impossible to imitate the binary file; however, it did make us ask the following question:\r\n“How does Tofsee manage duplicate runs of the same binary?”\r\nThe answer is that Tofsee handles this using Inter-Process Communication (IPC) pipes [https://www.geeksforgeeks.org/ipc-technique-pipes/].\r\nIPC communication initiates an exit\r\nIn the binary, we noticed a subroutine in which Tofsee opens an IPC pipe and processes various data over it. The malware uses this IPC channel to communicate with an already running instance, which triggers the new instance to exit.\r\nAn algorithm generates the pipe name from a predetermined value that is specific to the infected machine: the hard drive’s volume serial number. The malware does this purposefully, so that the pipe name differs from machine to machine and cannot be detected with a hardcoded indicator of compromise (IOC).\r\nPipe name generation code\r\nAfter generating the pipe name, the new instance exchanges data over the pipe and cross-checks it as follows:\r\n1. A 4-byte random integer is generated and sent across the pipe.\r\n2. A 4-byte integer is read from the pipe.\r\n3. The integrity of the communication is checked with (WRITE_DWORD \u003e\u003e 2) + WRITE_DWORD == READ_DWORD.\r\n4. If the check passes, another DWORD is written, generated from (READ_DWORD \u003e\u003e 2).\r\n5. 
The calling process terminates.\r\nA chink in Tofsee’s armor\r\nBecause this data check ends with the new process terminating, it can be leveraged for the vaccine, on the proviso that the binary isn’t already running. If it is running, unfortunately, the opportunity to stop it is missed.\r\nSo let’s focus on the scenario where the pipe doesn’t exist. In that case the malware itself creates an IPC pipe of the same name and, for each later connection, receives another set of data and cross-checks it against specific parameters. These checks are a little more complex than the previous ones:\r\n1. A 4-byte integer is read from the pipe.\r\n2. A 4-byte integer is generated by right-shifting the value read by 2 and adding it back to the original.\r\n3. Two internally defined structures are read successively from the pipe. These structures are defined as follows:\r\nTofsee Vaccine structures\r\nAt this point, the vaccine packet can be used.\r\nThe entire code for the Tofsee vaccine\r\nBelow is the complete C code that you can use as a vaccine against new Tofsee infections and against existing ones, named first dose vaccine and booster vaccine respectively (ring any bells from the COVID days?!?).\r\nHappy vaccination coding!\r\nIn our next blog post, we’ll look at a second vaccine you can use to protect against Tofsee. This one concentrates on injecting code into the memory configuration store.\r\nAuthor: Raashid Bhat, Malware Reverse Engineer, Spamhaus. 
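The pipe handshake described in the two numbered lists above, as an added example that is not part of the original post and not the vaccine code it publishes: a pure-Python model of both ends of the exchange, the new Tofsee instance on one side and the vaccine impersonating the already running instance on the other. It assumes an in-memory socket pair in place of the Windows named pipe, leaves out the volume-serial-based pipe name algorithm and the two internal structures (both appear only as images in the post), and takes the final DWORD to be exactly READ_DWORD >> 2, where the post only says it is generated from that value. All arithmetic is on 32-bit unsigned values, as in the binary.

```python
import os
import socket
import struct
import threading

DWORD = 0xFFFFFFFF  # every value below is a 32-bit unsigned integer, as in the Tofsee binary


def peer_reply(write_dword):
    # What the instance holding the pipe answers to a challenge W: (W >> 2) + W,
    # truncated to 32 bits. A new instance exits only if the reply satisfies this.
    return ((write_dword >> 2) + write_dword) & DWORD


def recv_exact(sock, n):
    # Read exactly n bytes, or fewer if the peer closes the channel first.
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def new_instance(sock, challenge=None):
    # Client side: a freshly started Tofsee that found the pipe already present.
    # Returns True when the five-step check passes and the process would exit,
    # False when it would treat the peer as bogus and keep running.
    if challenge is None:
        challenge = struct.unpack('<I', os.urandom(4))[0]      # step 1: random DWORD
    sock.sendall(struct.pack('<I', challenge))
    raw = recv_exact(sock, 4)                                   # step 2: read a DWORD
    if len(raw) != 4:
        return False
    read_dword = struct.unpack('<I', raw)[0]
    if read_dword != peer_reply(challenge):                     # step 3: integrity check
        return False
    # step 4: assumed to be exactly READ_DWORD >> 2 (the post only says derived from it)
    sock.sendall(struct.pack('<I', (read_dword >> 2) & DWORD))
    return True                                                 # step 5: terminate


def vaccine_serve(sock, results, reply_fn=peer_reply):
    # Server side: the vaccine, which created the pipe first and now plays the
    # running bot. reply_fn is swappable so a wrong answer can be demonstrated.
    raw = recv_exact(sock, 4)                   # server step 1: read the challenge
    if len(raw) != 4:
        results.append(None)
        return
    challenge = struct.unpack('<I', raw)[0]
    reply = reply_fn(challenge)                 # server step 2: (x >> 2) + x
    sock.sendall(struct.pack('<I', reply))
    ack_raw = recv_exact(sock, 4)               # the DWORD the client sends before exiting
    ack = struct.unpack('<I', ack_raw)[0] if len(ack_raw) == 4 else None
    results.append(ack == (reply >> 2))
    # The real server then reads two internal structures (not reproduced here).


def simulate(challenge=None, reply_fn=peer_reply):
    # Wire a vaccine and a new instance together over an in-memory socket pair
    # standing in for the named pipe. Returns (instance_exited, vaccine_saw_ack).
    client, server = socket.socketpair()
    results = []
    worker = threading.Thread(target=vaccine_serve, args=(server, results, reply_fn))
    worker.start()
    exited = new_instance(client, challenge)
    client.close()   # close first so a failed handshake does not leave the server blocked
    worker.join()
    server.close()
    return exited, results[0]


def wrong_reply(write_dword):
    # A peer that gets the arithmetic wrong (adds 1 instead of W >> 2).
    return (write_dword + 1) & DWORD


if __name__ == '__main__':
    print('correct vaccine  ->', simulate(0x12345678))
    print('wrong arithmetic ->', simulate(0x12345678, wrong_reply))
```

The first call returns (True, True): the vaccine answered the challenge correctly, so the new instance sent its final DWORD and would exit. The second returns (False, False): a peer that gets the arithmetic wrong is ignored and the bot keeps running, which is why a vaccine has to reproduce the check exactly rather than merely occupy the pipe name.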
Active 2017 - 2023.\r\nSource: https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/"
	],
	"report_names": [
		"neutralizing-tofsee-spambot-part-1-binary-file-vaccine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d29d151dabc6555cad95a100ae70472385693a3.pdf",
		"text": "https://archive.orkl.eu/3d29d151dabc6555cad95a100ae70472385693a3.txt",
		"img": "https://archive.orkl.eu/3d29d151dabc6555cad95a100ae70472385693a3.jpg"
	}
}