Archive for the ‘Botnets’ Category


New Bots, Old Bots: Xarvester Returns

By Phil Hay  •  May 24th, 2011  •   Botnets

There has been quite a shake up in the spamming underworld ever since SpamIt.com closed shop and the Rustock botnet was disrupted. A look at our weekly spam statistics shows that spam volume has dropped substantially, making this year (so far) a happy one for anti-spammers. While spam output has remained low, the statistics also show quite a shakeup in the bots used to distribute spam.

Surprisingly, since around March, we have observed a big rise in spam from two botnets well known to us from the past – Donbot and Xarvester.  Six months ago, spam from these botnets hardly got our attention.  But now, clearly, someone has breathed new life into these spamming machines.

Xarvester first came to our attention over two years ago, when it rose to prominence after the hosting provider McColo was unplugged, decimating the then-leading spamming botnet Srizbi.  We have also seen Xarvester clearly linked to Spamit.com, when we discovered Spamit ‘footprints’ in Xarvester spam templates.  So when we recently came across a Xarvester bot, we decided to take a closer look. The sample we used is not named Xarvester by any anti-virus vendor: Microsoft were calling it Bymot, and AVG called it simply SpamTool (VirusTotal Report).  A look at the strings in the malware body confirmed to us that what we were looking at was indeed Xarvester, as we had seen these strings in previous Xarvester bots.

Both the highlighted command and control domains are hard-coded into the malware, and both point to the same IP address.

The spambot itself is relatively simple.  When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309, and requests an encrypted file, which, when decrypted, proves to be a container for a bunch of files the bot needs to spam.

Again, this is very similar to what we saw with Xarvester over two years ago. The bot typically does not perform DNS lookups for each spam message; instead, the IP addresses for the target domains are downloaded as part of the package.  The headers of the spam messages are very uniform, and closer inspection shows that the bulk of the header is hard-coded in the malware body, which is unusual compared to many of the other bots we see today, which vary their headers regularly.  Even the content of the message body has a familiar look to it.  Compare the message body today:

With a message we saw from Xarvester two years ago:


So, Xarvester has been dusted off and is back to flogging replica watches – who would have thought?

We have updated our spambot description for Xarvester, which you can find here.

Thanks to Gavin Neale and Rodel Mendrez who contributed to the analysis of this bot.



Pushdo Botnet Crippled – II

By Phil Hay  •  September 9th, 2010  •   Botnets

Two weeks ago we reported on the sudden drop in spam from the Pushdo botnet as a result of many of its control servers being taken down.  Since then, spam output from this botnet has remained subdued, as the following updated chart shows.

As Pushdo (otherwise known by its spamming component Cutwail) was only responsible for about 10% of spam prior to the takedown, overall spam volumes have not been hugely affected.  It is not uncommon to see 10% volume swings in a day.  Having said that, last week our spam volume index did show slightly reduced overall levels of spam for the week.

Things seem to be warming up, however.  Other researchers have observed more Cutwail control servers being added. Also, yesterday we saw a resumption of malicious spam from Pushdo with the Sasfis downloader as the payload.  This simply reaffirms our earlier suspicion that these guys will not be down for long.



Pushdo Botnet Crippled

By Phil Hay  •  August 27th, 2010  •   Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble.  The chart below shows an index of Pushdo spam volume over the month of August.

Pushdo Stats

So what’s the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers and coordinating their takedown.  According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers.  However, a few active control servers still remain, serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months.  Still, we must sound a note of caution.  Previous experience has taught us that these botnet take downs are short lived.  Disabling control servers does not incapacitate the people behind the botnet.  It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.



Revisiting the King of Spam

By Rodel Mendrez  •  July 29th, 2010  •   Botnets

We keep a close eye on spam and the malware that drives spam production. Our recent report highlighted some of the worst offenders, and Rustock is without a doubt the leader of the pack. Over the last six months, the proportion of Rustock spam in our spam traps peaked at nearly 60%, and it has never returned to levels lower than 20% of total spam.

Who’s the Rustock spambot that we know?

Over time, we have observed regular updates to Rustock. There is no consistent name given to it by anti-virus vendors, but recent Rustock binaries are detected by some anti-virus engines as Bubnix. The newest Rustock variant was first detected in December 2009. A month later we observed a large influx of Rustock spam, which rose to over 50% of the spam we observed over the following months. Though the malware may have different detection names and OS installation behavior, it employs a similar rootkit-based spamming engine, a similar command and control architecture, and similar observable patterns in spam traffic.




Another round of Asprox SQL injection attacks

By Rodel Mendrez  •  June 23rd, 2010  •   Botnets

Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.

As of this writing, there are three fast-flux domains that the bot attempts to contact.

CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU

These domains resolve to Asprox’s control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites.

When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks.

Figure 1: SQL statement in the Asprox malware body used to launch the SQL injection attack. As of this writing, this malware had a poor detection rate.

The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search for more potential targets.

Figure 2: The decrypted XML file the bot receives, containing a list of target websites and other information.

When the Asprox bot launches an SQL injection attack, the initial request looks similar to this:

The SQL statement is passed to a target ASP website and executes a series of URL encoded SQL queries, which when decoded, look like this:

Enclosed in the SQL CAST function is another hexadecimal-encoded string. Decoding it reveals a <script> tag that loads malicious JavaScript code hosted on a remote site. The sub-domain part of this URL varies, so administrators should seek to block the domain:

Update:

We have seen new domains hosting the malicious JavaScript, although, as yet, the number of infected sites is not as large. Again, the sub-domain part varies.


The SQL attack queries the SQL Server system tables sysobjects and syscolumns in an attempt to enumerate the available “user” tables and fields in the website’s database. Walking through those tables and fields, the attack appends the malicious <script> tag to the selected values, in effect poisoning the website’s database. Once a web page uses a string from the poisoned database, the malicious <script> tag is injected into that web page. When we performed a Google search for this domain, we saw over 5000 websites infected:
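As an added detection example (not code from the original post or from Asprox), the following Python scans IIS-style W3C log lines for requests whose query string carries a hex literal inside CAST(), decodes that literal, and flags the indicators the post describes: an injected <script> tag or a reference to sysobjects/syscolumns. The log lines, the field order and the example.invalid hostname are constructed assumptions; the UTF-16LE decoding for NVARCHAR payloads is also an assumption, with latin-1 as the fallback.

```python
import re
from urllib.parse import quote, unquote_plus

# Hex literal handed to CAST(), e.g. CAST(0x3c00... AS NVARCHAR(4000)).
CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
# Indicators the post describes: the injected script tag and the sysobjects/syscolumns walk.
INDICATORS = ("<script", "sysobjects", "syscolumns")

def decode_cast_hex(hexstr):
    """Decode a CAST() hex literal. Assumption: NVARCHAR payloads are UTF-16LE
    (every odd byte zero for ASCII text); anything else is treated as latin-1."""
    if len(hexstr) % 2:
        return ""
    raw = bytes.fromhex(hexstr)
    if all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def inspect_query(cs_uri_query):
    """Return the indicators found inside the CAST() hex payloads of one query string."""
    decoded = unquote_plus(cs_uri_query)
    found = []
    for m in CAST_HEX_RE.finditer(decoded):
        payload = decode_cast_hex(m.group(1)).lower()
        found.extend(ind for ind in INDICATORS if ind in payload)
    return found

def scan_log(lines):
    """Return (cs-uri-stem, indicators) for each suspicious line. Assumed W3C field
    order: date time cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        indicators = inspect_query(fields[4])
        if indicators:
            hits.append((fields[3], indicators))
    return hits

# Constructed sample log (not real Asprox traffic): one benign request, one UTF-16LE
# payload carrying a script tag, one VARCHAR payload that touches syscolumns.
_TAG_HEX = '<script src="http://sub.example.invalid/js.js"></script>'.encode("utf-16-le").hex()
_SYS_HEX = "SELECT name FROM syscolumns".encode("latin-1").hex()
SAMPLE_LOG = [
    "2010-06-23 10:15:02 GET /products.asp id=12 200",
    "2010-06-23 10:15:07 GET /products.asp " + quote("id=12;CAST(0x%s AS NVARCHAR(4000))" % _TAG_HEX, safe="=()") + " 200",
    "2010-06-23 10:15:09 GET /news.asp " + quote("id=7;CAST(0x%s AS VARCHAR(400))" % _SYS_HEX, safe="=()") + " 500",
]
```

Running `scan_log(SAMPLE_LOG)` reports the two poisoned requests and ignores the benign one; the same `decode_cast_hex` check can be applied to strings pulled from a suspect database column to confirm whether the tag was already appended.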

So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection. Anyone have a feeling of déjà vu?
