View All Botnets

New Bots, Old Bots: Xarvester Returns

By Phil Hay  •  May 24th, 2011  •   Botnets

There has been quite a shake up in the spamming underworld ever since SpamIt.com closed shop and the Rustock botnet was disrupted. A look at our weekly spam statistics shows that spam volume has dropped substantially, making this year (so far) a happy one for anti-spammers. While spam output has remained low, the statistics also show quite a shakeup in the bots used to distribute spam.

Surprisingly, since around March, we have observed a big rise in spam from two botnets well known to us from the past – Donbot and Xarvester.  Six months ago, spam from these botnets hardly got our attention.  But now, clearly, someone has breathed new life into these spamming machines.

Xarvester first came to our attention over two years ago, when it rose to prominance after the hosting provider McColo was unplugged, decimating the then leading spamming botnet Srizbi.  We have also seen Xarvester clearly linked to Spamit.com, when we discovered Spamit ‘footprints’ in Xarvester spam templates.  So when we recently came across a Xarvester bot, we decided to take a closer look. The sample we used is not named Xarvester by any anti-virus vendor, Microsoft were calling it Bymot, and AVG called it simply SpamTool (VirusTotal Report).  A look at the strings in the malware body confirmed to us that what we we looking at was indeed Xarvester, as we had seen these strings in previous Xarvester bots.

Both the highlighed command and control domains are hard coded into the malware and both point to the same IP address.

The spambot itself is relatively simple.  When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309, and requests an encrypted file, which, when decrypted, proves to be a container for a bunch of files the bot needs to spam.

Again, this is very similar to what we saw with Xarvester over two years ago. The bot typically does not perform DNS lookups for each spam message, instead the IP address for each target domain are downloaded in the package.  The headers of the spam messages are very uniform, and closer inspection shows that the bulk of the header is hard coded in the malware body, which is unusual when compared to many of the other bots we see today that vary headers regularly.  Even the content of the message body has a familiar look to it.  Compare the message body today:

With a message we saw from Xarvester two years ago:

 

So, Xarvester has been dusted off and is back to flogging replica watches – who would have thought?

We have updated our spambot description for Xarvester, which you can find here.

Thanks to Gavin Neale and Rodel Mendrez who contributed to the analysis of this bot.

Tags:    |    |    |    |    |    |  

Comments are closed.