Those watching our spam stats may have noticed a new spam bot named Xarvester appearing at the top of our charts over the last several weeks. The Xarvester botnet began to increase its spam output soon after the McColo shutdown. At that time three of the major botnets, Rustock, Srizbi and Mega-D, were unable to send spam. Since then Rustock and Mega-D have returned to being two of the largest spamming botnets; however, Srizbi has yet to return.
Currently Xarvester is the third largest spammer, responsible for over 13 percent of spam. It sends mainly spam advertising replica and pharmaceutical products. We have been analyzing a sample (md5: 65dfbb9166589affda5132beedaa4ef9) we received (Thanks to Joe Stewart of SecureWorks for the sample) and have noticed a number of similarities between the Xarvester and Srizbi bots.
- HTTP C&C over non-standard ports
- Encrypted template files contain several files needed for spamming
- Bots don't need to do their own DNS lookups to send spam
- Config files have similar format and data
- Spam run results sent back to control server
- Uploads Minidump crash file
- Communicates with servers in McColo network
When a Xarvester bot starts up it connects to a control server and receives an encrypted template file containing everything it needs to begin spamming. The protocol is HTTP but it does not use the standard port 80. Srizbi also communicates with its control servers over HTTP using a non-standard port and downloads an encrypted template file.
Once decrypted we can see that this template file is in fact a collection of files. Here are the decrypted files downloaded by a Xarvester bot for a current spam campaign:
and here are the files that were downloaded by a Srizbi bot before McColo was shut down:
Some of the files for both bots are very similar. For example, both Xarvester's x-cache file and Srizbi's mxdata file contain IP addresses for target mail servers, which avoids the need for either bot to perform DNS lookups while sending spam. All of the other spam bots we monitor do their own DNS queries.
The config file used by each bot also has similar entries, such as 'task id' and 'atom id'.
A Xarvester config file:
taskid 25
atomid 96695
retryip_disabled
retrymx_enabled
log_disabled
A partial Srizbi config file:
task_owner 319218395
task_id 568
atom_id 121437
pass 0
pipeline 10
max_mails 1000
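To make the comparison above concrete, here is a small parser, added to this post and not code from either bot or from our tools, that reads the two config dumps quoted above and lists the fields they share. It assumes the dumps are whitespace separated, that a token followed by an integer is a key/value entry, and that a bare token ending in _enabled or _disabled is a boolean flag (Xarvester style); both assumptions are ours.

```python
"""Parse the quoted Xarvester and Srizbi config dumps and report shared fields.
Added example, not code from the original post or from either bot."""
import re

# Constructed from the config lines quoted in the post.
XARVESTER_CFG = "taskid 25 atomid 96695 retryip_disabled retrymx_enabled log_disabled"
SRIZBI_CFG = "task_owner 319218395 task_id 568 atom_id 121437 pass 0 pipeline 10 max_mails 1000"


def parse_config(text):
    """Turn a whitespace-separated config dump into a dict.

    Assumption: a token followed by an integer is a key/value entry; a bare
    token ending in _enabled/_disabled is a boolean flag (Xarvester style).
    """
    tokens = text.split()
    cfg = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.endswith("_enabled") or tok.endswith("_disabled"):
            key, _, state = tok.rpartition("_")
            cfg[key] = (state == "enabled")
            i += 1
        elif i + 1 < len(tokens) and re.fullmatch(r"-?\d+", tokens[i + 1]):
            cfg[tok] = int(tokens[i + 1])
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return cfg


def canonical(key):
    """Normalise 'task_id' and 'taskid' (etc.) to one spelling so the two
    bots' configs can be compared field by field."""
    return key.replace("_", "").lower()


def shared_fields(cfg_a, cfg_b):
    """Return {canonical_key: (value_a, value_b)} for keys present in both."""
    a = {canonical(k): v for k, v in cfg_a.items()}
    b = {canonical(k): v for k, v in cfg_b.items()}
    return {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys())}


if __name__ == "__main__":
    x = parse_config(XARVESTER_CFG)
    s = parse_config(SRIZBI_CFG)
    for key, (xv, sv) in shared_fields(x, s).items():
        print(f"{key}: Xarvester={xv} Srizbi={sv}")
```

Run as-is it reports the two fields both bots carry, taskid and atomid, with each bot's value side by side.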
The Xarvester botnet has a feedback mechanism where each bot returns the results of the previous spam run when requesting a new template file. Srizbi had this functionality as well. The bots are able to record whether an email was sent successfully and, if not, whether the failure was due to blacklisting, a non-existent user or a connection error. The following files are returned by a Xarvester bot:
Just like Srizbi, Xarvester has the ability to upload the Windows minidump crash dump file to a control server in the event that the bot crashes a system. This is presumably to help the botnet controllers debug their bot software.
Our samples of Xarvester and Srizbi have McColo IP addresses hard coded in them. Srizbi used these as control servers, and Xarvester uses them to upload the minidump file. However, we have yet to find samples of the two bots that communicate with the same server.
While these similarities are not all unique to these two botnets, it is surprising to see two botnets with this much in common. Perhaps these two botnets were created by the same group and the reason why Srizbi has not returned is because it was easier for the spammers to move to the Xarvester botnet.
Here is an example of one type of spam Xarvester is sending today: