{
	"id": "ef644144-a596-466d-9d36-4dfe1aeaf423",
	"created_at": "2026-04-06T01:30:06.007572Z",
	"updated_at": "2026-04-10T03:21:41.719313Z",
	"deleted_at": null,
	"sha1_hash": "5a03cda35f0e275458b9d89c8ce0b13d36bd5be9",
	"title": "How To Guide | Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch | Spamhaus Technology",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 409335,
	"plain_text": "How To Guide | Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch | Spamhaus Technology\r\nArchived: 2026-04-06 01:02:27 UTC\r\nPlaying catch-up?\r\nIf you missed the first two posts in this series, they focus on malware vaccines. These are proactive measures that help prevent malware infections by patching vulnerabilities in the system or blocking known attack vectors. Malware vaccines are not dissimilar to medical vaccines that give the body immunity to a particular disease. The first malware vaccine revealed by our researchers concentrated on the binary file, and the second one centered around the InMemoryConfig store.\r\nWhat is a malware kill switch?\r\nA malware kill switch is a feature that some malware authors include in their code that enables them to shut down the malware or prevent it from causing harm under certain circumstances, such as if the malware is spreading too quickly, causing damage to critical systems, or should their operations be tracked or compromised.\r\nA good example is the case of the WannaCry ransomware attack in 2017 [https://www.bbc.co.uk/news/technology-41753022]; a researcher discovered a kill switch that the cybercriminal had built into the malware. By registering a specific domain name, the researcher could trigger the kill switch and stop the malware from spreading further.\r\nWhat is a network-based kill switch?\r\nIn some cases, security researchers or organizations can develop a network-based kill switch for a specific malware threat. This reactive measure allows security experts to remotely disable or shut down malware infections, allowing them to neutralize the threat quickly and effectively once it is detected.\r\nWhile using a network-based malware kill switch can be an effective way to limit the damage caused by malware, it is key to note that it is not a foolproof solution. Malware can evolve rapidly, and attackers may be able to find ways to work around a kill switch or develop new malware that is not vulnerable to it. Therefore, it is essential to use a variety of security measures, such as anti-malware software, firewalls, and regular security updates, to protect against malware infections.\r\nHow can a network kill switch be implemented for Tofsee?\r\nOne way to render Tofsee useless and kill it without access to the remote infected machine is to locate a bug in its binary code and crash the malware.\r\nhttps://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/\r\nPage 1 of 5\n\nThe first part of this process is to get our data parsed by Tofsee, and to do this, we need to follow its protocol specification.\r\nTofsee’s protocol specification\r\nCommunication is bi-directional and encrypted using a custom algorithm that requires two state keys. These state keys are specific to each SocketConnection in Tofsee and are modified after each Transmission Control Protocol (TCP) data transfer between the botnet command and control server (C\u0026C) and the infected bot. This is known as rolling key encryption.\r\nEncryption Algorithm\r\nTofsee has a complex way of communicating with a C\u0026C – it sends various structures to “latch” the connection with the C\u0026C server. To keep this blog post as short and sweet as possible, we will only reference the relevant ones required as an attack vector to crash the binary.\r\nOne is operation number 2 (OP2), the receive resource command.\r\nTofsee packets are encapsulated in a header packet defined below:\r\nEncapsulated packet for OP2\r\nTaking advantage of this vulnerability\r\nWe can exploit this lack of a cross-check: in the code of the CRC32 hash function, the length of the data is not bounds-checked, so a packet whose declared size is greater than the buffer causes an out-of-bounds read error, leading to a crash.\r\nWhen the CRC32 hash function is called to calculate the hash of the packet’s data, it continues reading and processing data from memory beyond the allocated buffer size, potentially crashing Tofsee. This function is present when an InMemoryConfig struct is parsed and populated so that the received resource is stored in memory.\r\nNo length verification checks\r\nFor a 4-byte integer, we have the freedom of corrupting the len variable in the range 0x00-0xFFFFFFFF. This high-range value in the ResourceStructure packet would look something like this (complete with the manipulated len field):\r\nThis data is parsed by update_config_resource and eventually fed to the CRC32 hash calculation routine. Due to the manipulated value of len, an out-of-bounds read exception is raised, ultimately resulting in the binary crashing.\r\nFinal words\r\nBoth the vaccines discussed in this series and the kill switch are essential tools for protecting computer systems from the ever-evolving threat of the Tofsee malware.\r\nWhile a malware vaccine can help to prevent infections, and a malware kill switch can help to minimize the damage caused by an ongoing attack, as we’ve previously discussed, neither tool is foolproof, and you should always use them in conjunction with other security measures.\r\nHappy coding.\r\nAuthor: Raashid Bhat, Malware Reverse Engineer, Spamhaus. Active 2017 - 2023.\r\nSource: https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/"
	],
	"report_names": [
		"neutralizing-tofsee-spambot-part-3-network-based-kill-switch"
	],
	"threat_actors": [],
	"ts_created_at": 1775439006,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a03cda35f0e275458b9d89c8ce0b13d36bd5be9.pdf",
		"text": "https://archive.orkl.eu/5a03cda35f0e275458b9d89c8ce0b13d36bd5be9.txt",
		"img": "https://archive.orkl.eu/5a03cda35f0e275458b9d89c8ce0b13d36bd5be9.jpg"
	}
}