Archive for the ‘Spam’ Category

View All Spam

New Bots, Old Bots II: Donbot

By Phil Hay  •  June 2nd, 2011  •   Spam

Last week we blogged about the rise of two botnets in our spam statistics and provided details of Xarvester. Today, we take a closer look at the other botnet in question: Donbot.

Donbot has been around for about three years but lately has surged to the top of our spam statistics chart with masses of dating and gambling spam. We recently found a suitable sample (VirusTotal report) and took a look.

When executed, the malware immediately contacted its control server at 91.212.135.158 on port 80 and issued the following POST request:

POST /gateway/index HTTP/1.0

The server replied NO_TASK_WAIT. And wait we did, for a long time, with the bot checking in like this roughly every 20 minutes. Then, after two days, the server suddenly sprang into life and responded with a file to download, svchosta.exe (VirusTotal report):


This led to the installation of the Donbot spamming component, where four similar processes were spawned on the infected host.  These executables were all dropped in the c:\documents and settings\administrator\application data folder on our Windows XP host:

The four processes were all spamming simultaneously.  When we killed some of the processes, the bot simply spawned more copies to replace them.  The combined spam output rate was quite impressive, we measured 1800 messages per minute (108,000 messages per hour) in our lab. Before anyone thinks we’re spamming, rest assured that these messages were all captured by our spam sinkhole servers.  This kind of spamming rate quickly leads to big numbers.  For example, take a botnet of just 1000 bots, multiply that by 108,000 messages per hour and assume each host is spamming for 8 hours per day, and you get a spamming machine capable of over 800 million spam messages per day.

The control instructions and reports between the bot and its control server are all communicated in plain text. Here, for example, is part of the template used in the gambling spam campaign we discussed last week:


Donbot also sends regular reports back to the server, which include success rates and whether the host appears on any IP blacklist (RBL). Below you can see two characteristics of Donbot traffic, the HALLO and CHUNK:

The success of sending to individual email addresses is also recorded, so that the operator can continually clean his email address lists of ‘bad’ addresses.
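Because the whole exchange is plain text and the wait loop has a fixed cadence, it is easy to pick out of proxy or IDS logs. The following is an added example, not code from the original post or from M86: it scans constructed proxy-style log lines for the check-in path, the NO_TASK_WAIT reply and the HALLO/CHUNK tokens described above, and separately flags any client that POSTs to the same host and path on a steady 20-minute cycle. The log layout and sample lines are made up for the example; the 15% jitter tolerance and the decision to match the tokens in either direction of the exchange are assumptions, not something the post states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the write-up: the check-in path, the "nothing to do"
# reply, and the two tokens seen in Donbot traffic.
CHECKIN_PATH = "/gateway/index"
DONBOT_TOKENS = ("NO_TASK_WAIT", "HALLO", "CHUNK")
BEACON_INTERVAL_S = 20 * 60   # observed check-in period, roughly 20 minutes
BEACON_TOLERANCE = 0.15       # assumed: tolerate +/-15% jitter around that period

# Assumed log layout (constructed for this example, not the post's data):
#   <ISO timestamp> <src ip> <method> <dst host> <path> <status> <payload excerpt>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) ?(?P<payload>.*)$"
)

# Constructed sample: one host checking in every ~20 minutes, one unrelated
# browse, and a second host sending a single CHUNK to a different server.
SAMPLE_LOG = """\
2011-05-30T10:00:05 10.0.0.7 POST 91.212.135.158 /gateway/index 200 NO_TASK_WAIT
2011-05-30T10:20:11 10.0.0.7 POST 91.212.135.158 /gateway/index 200 NO_TASK_WAIT
2011-05-30T10:40:02 10.0.0.7 POST 91.212.135.158 /gateway/index 200 NO_TASK_WAIT
2011-05-30T10:41:30 10.0.0.9 GET www.example.com /index.html 200 <html>
2011-05-30T11:00:08 10.0.0.7 POST 91.212.135.158 /gateway/index 200 HALLO
2011-05-30T11:05:00 10.0.0.12 POST 198.51.100.5 /gateway/index 200 CHUNK
"""


def parse(lines):
    """Parse log lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def token_hits(records):
    """Records on the check-in path whose payload carries a Donbot protocol token."""
    return [r for r in records
            if r["path"] == CHECKIN_PATH
            and any(tok in r["payload"] for tok in DONBOT_TOKENS)]


def beaconing_sources(records, min_checkins=3):
    """(src, dst, path) tuples that POST at a steady ~20 minute cadence.

    Returns a dict mapping each flagged tuple to its inter-arrival gaps in
    seconds. Keying on timing rather than content still catches the wait
    loop if the operator renames the tokens.
    """
    lo = BEACON_INTERVAL_S * (1 - BEACON_TOLERANCE)
    hi = BEACON_INTERVAL_S * (1 + BEACON_TOLERANCE)
    by_key = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            by_key[(r["src"], r["dst"], r["path"])].append(r["ts"])
    flagged = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_checkins:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(lo <= g <= hi for g in gaps):
            flagged[key] = gaps
    return flagged


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    for r in token_hits(recs):
        print("token hit:", r["src"], "->", r["dst"], r["payload"])
    for key, gaps in beaconing_sources(recs).items():
        print("beaconing:", key, [round(g) for g in gaps])
```

On the sample the token check flags five lines and the cadence check flags only 10.0.0.7, whose three gaps are all within a couple of seconds of 20 minutes. Treat the 2011 control server address as history rather than an indicator; the path, the plain-text tokens and the timing are the parts worth keeping in a rule.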

In amongst the template instructions, there is also a bunch of text which looks like it is pulled from a Wiki somewhere. Although we didn’t see it being used in the gambling campaign, this may be for inserting random text into spam messages.

All this is very similar to what we have seen before from Donbot (see our original write-up here). What's interesting is its sudden rise from obscurity and its high output per host. Why build a fancy new spamming botnet when you can simply tweak some old ones?


Donbot’s “Money Maker” Gambling Scheme

By David Broome  •  May 26th, 2011  •   Spam

Last week, we observed the Donbot botnet change its spam campaign to one promoting online casinos. The barrage of Fake AV we had seen coming out of Donbot suddenly stopped, and within 15 minutes we started receiving this new campaign.

The theme of the campaign is not entirely new, as it is one we have seen for over a year on and off in our spam traps. It is designed to encourage the reader to gamble money on roulette with what is presented as a ‘winning strategy’. Conveniently, a link to an online casino is provided to the user in order to use this strategy and make ‘easy money’.


Malicious Spam on the increase again

By Rodel Mendrez  •  April 29th, 2011  •   Spam

Malware distribution via email is far from dead.  While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.


Your Music Order – a loaded PDF

By Phil Hay  •  March 31st, 2011  •   Spam

We are noticing a spam campaign at the moment that purports to be a Music or Cell Phone "Order", with an attached PDF file and Subject lines similar to the following:

  • Your Order No 129589 – Warner Music Inc.
  • Your Order No 489889 – Cell Phone Inc.

The attached PDF contains a bunch of obfuscated JavaScript, which attempts to exploit the Adobe getIcon vulnerability (CVE-2009-0927).  If successful, the following payload is downloaded:

hxxp://kawabungashop.ru/flash/1.php

The 1.php file is an executable downloader (VirusTotal Report).  Another piece of malware is then downloaded and installed (VirusTotal Report), which is a spambot that proceeds to spam further copies of the PDF file, as you can see from the template we captured:

These days, PDF files arriving in unexpected emails should be treated with extreme suspicion.  And please be sure to keep your PDF reader meticulously up to date to avoid getting exploited by old vulnerabilities such as this.


Malicious Spam Campaign Preys on Japanese Disaster

By Phil Hay  •  March 17th, 2011  •   Spam

There is a large-scale malicious spam campaign going on currently. The spam comes in a few different types, one of which imitates a Twitter notification. The subjects of the spam vary, but sadly, many focus on the recent events in Japan.


The links, which are visible in the message body or in the raw HTML, are distinctive:

http://lowercase_gibberish.(com|org|net)/base64string

The links lead to a page hosting obfuscated malicious JavaScript, which seeks to exploit a Java vulnerability. Our host was immediately compromised, botted (added to a botnet), and some not-so-subtle fake anti-virus malware was installed, complete with a scary desktop warning:
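The link shape above is regular enough to match mechanically. The following is an added example (not code from the original post or from M86) that extracts links from a message body and keeps only those with an all-lowercase host label under .com, .org or .net and a single base64-looking token as the entire path. It goes a little beyond the pattern as written: the minimum label length of 6, the minimum token length of 12, the mixed-case requirement that stops ordinary path words such as "newsletter2011" from matching, and the optional allowlist of known-good hosts are all assumed heuristics. The sample message body is constructed for the example.

```python
import base64
import binascii
import re

# Link shape from the write-up: all-lowercase host label, .com/.org/.net,
# and a single base64-looking token as the whole path. The minimum lengths
# (6 for the label, 12 for the token) are assumed thresholds, not from the post.
LINK_RE = re.compile(
    r"\bhttps?://(?P<label>[a-z]{6,})\.(?P<tld>com|org|net)/"
    r"(?P<token>[A-Za-z0-9+]{12,}={0,2})(?![\w./-])"
)


def is_base64_token(tok):
    """Well-formed base64 (length a multiple of 4, valid alphabet and padding)
    that also mixes upper- and lower-case letters. The mixed-case requirement
    is an assumed heuristic to keep ordinary lowercase path words from matching."""
    if len(tok) % 4 or tok == tok.lower() or tok == tok.upper():
        return False
    try:
        base64.b64decode(tok, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def suspicious_links(body, allowlist=frozenset()):
    """Return the links in an HTML or text body that fit the pattern, skipping
    hosts in an optional allowlist of known-good domains."""
    hits = []
    for m in LINK_RE.finditer(body):
        host = f"{m.group('label')}.{m.group('tld')}"
        if host in allowlist or not is_base64_token(m.group("token")):
            continue
        hits.append({"url": m.group(0), "host": host, "token": m.group("token")})
    return hits


# Constructed sample body (not a real spam capture): one link of the
# suspicious shape, one legitimate Twitter link, one ordinary unsubscribe link.
SAMPLE_BODY = """<html><body>
<p>You have 2 new direct messages on Twitter.</p>
<a href="http://qzxvkrtpl.com/aGVsbG8gd29ybGQ=">View messages</a>
<a href="http://twitter.com/account/settings">Settings</a>
<a href="http://example.org/newsletter2011">Unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY):
        print(hit["host"], hit["url"])
```

Only the first link survives: the Twitter link has a multi-segment path, and the unsubscribe link's path is neither a multiple of four characters long nor mixed case. The decoded token is deliberately not acted on; it is whatever the spammer encoded and is best treated as opaque tracking data.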

The spam is originating from one of the Cutwail spambot variants. We managed to get this template from Cutwail command and control traffic, which clearly shows the Twitter template being used.

We are still investigating the nature of the malicious landing page and subsequent infection.

With the rise in social networking, we have been seeing increased use of fake ‘notifications’ being used by spammers.  As ever, remain on guard, especially when it comes to Twitter ‘notifications’.


Rustock down?

By Phil Hay  •  March 16th, 2011  •   Spam

A story emerged today on KrebsonSecurity about the Rustock botnet being disabled, and spam volumes from this rogue spammer plummeting.

A brief look at our spam traps confirmed that output from Rustock did indeed dry up today. The chart below shows an index of daily spam volume changes from Rustock over the last few weeks:


Today, Rustock spam completely stopped (16 March, 3pm GMT). We can also confirm that the Rustock control servers that we know about are not responding. It is unclear yet who or what caused the shutdown. It's also possible it has been abandoned. Over the past three years, Rustock has been responsible for a huge amount of spam, at times representing half of all spam caught in our spam traps. But since September last year, when Spamit.com was shut down, its output has diminished significantly, and its spam templates have hardly changed.

Whatever the reason, let's hope this one sticks. Previous attempts at botnet shutdowns have tended to be short-lived, as the botnet herders simply regroup and start again. It's too early to say bye bye Rustock, but the thought is certainly nice.

Update: According to a Wall Street Journal report here it looks like Microsoft, in conjunction with US Federal authorities, was responsible for the takedown of Rustock.


UPS Spam.. Oh Wait, It’s an FDIC Spam Campaign

By Rodel Mendrez  •  February 15th, 2011  •   Spam

After more than a week of malicious UPS spam campaigns, the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the Federal Deposit Insurance Corporation (FDIC), claiming to notify users of important changes in FDIC regulations, with a "document" attached for further reading. However, the spammer did not manage to configure the spam template correctly and left the From field still using the domain ups.com.

And even worse, yesterday it left the Subject line as “United Parcel Service notification #<6 digits>“. Fail!

FDIC spam campaign with Subject line and From field pertaining to UPS.

The ZIP attachment contains malware which aims to steal online banking credentials, the same payload as the last week’s UPS spam campaign.

Decompressing the ZIP file exposes an executable Trojan file bearing an Adobe PDF icon.

This spam campaign contains enough obvious errors for users to notice that the email is indeed suspicious. That may not last, however; we expect this spammer to fix the template or come up with new (and recycled) spam campaigns as they try to distribute their malware.


Spammed Malware Ramps Up Again

By Phil Hay  •  February 14th, 2011  •   Spam

It was probably too good to last. The past few months have been blissfully quiet on the spam front, and in particular for spam with accompanying malware. The chart below shows an unusually quiet period during December and January.

However, over the last week, we have seen the return of two familiar-looking malware spam campaigns.

  • Post Express: Package Available
  • United Parcel Service: Notification

While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads.


PDF Exploit Disguised as a Xerox Scanned Document

By Rodel Mendrez  •  February 7th, 2011  •   Spam

Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks however, have imitated email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner.


Donbot spreading Bank of America scam

By Rodel Mendrez  •  February 3rd, 2011  •   Spam

Phishing attacks targeting online banking customers at various institutions are nothing new. However, today we observed another version of a phishing campaign spammed by the Donbot botnet. The phishing trick is standard fare: the message claims to be from "Bank of America" and requires the user to download the attachment and fill out a form as an "online security measure".

In the email sample above, there is an attachment, "BillingVerification.exe", which is actually a self-extracting RAR archive containing an HTML phishing form.
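Both this attachment and the FDIC campaign's ZIP earlier on this page (an executable wearing a PDF icon inside an archive) are caught by the same gateway check: look at what the bytes are, not at the icon or the name the user sees. The following is an added example, not code from the original post or from M86 MailMarshal. It classifies an attachment by its magic bytes, descends into ZIP archives to inspect each member, and recognises a self-extracting RAR as a PE stub with the RAR archive marker appended. The sample attachments are constructed stand-ins (a fake PE is just the "MZ" magic padded with zeros), the extension list and the size and nesting caps are assumptions, and the icon resource is deliberately ignored since it carries no security meaning.

```python
import io
import zipfile

# Assumed list of extensions Windows executes on double-click; extend to taste.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
PE_MAGIC = b"MZ"                 # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"        # local file header of a ZIP archive
RAR_SIG = b"Rar!\x1a\x07\x00"    # RAR 1.5-4.x archive marker; an SFX is a PE with the archive appended
MAX_INNER = 1 << 20              # bytes read per ZIP member, to cap archive-bomb exposure
MAX_DEPTH = 2                    # nested archive levels to descend


def classify_blob(name, data, depth=0):
    """Return the reasons an attachment should be quarantined; [] means clean.

    Decisions are made on content, not on the icon or the displayed name:
    a PE with a PDF icon still starts with "MZ", and a ZIP that wraps an
    executable is inspected member by member.
    """
    reasons = []
    if name.lower().endswith(EXEC_EXTS):
        reasons.append(f"executable extension: {name}")
    if data.startswith(PE_MAGIC):
        reasons.append(f"PE header (MZ) in {name}")
        if RAR_SIG in data:
            reasons.append(f"self-extracting RAR (PE stub with RAR marker): {name}")
    if data.startswith(ZIP_MAGIC) and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as fh:
                        inner = fh.read(MAX_INNER)
                    for r in classify_blob(info.filename, inner, depth + 1):
                        reasons.append(f"{name} -> {r}")
        except zipfile.BadZipFile:
            reasons.append(f"malformed ZIP: {name}")
    return reasons


def build_zip(entries):
    """Build an in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, payload in entries.items():
            zf.writestr(member, payload)
    return buf.getvalue()


# Constructed samples, not the real attachments.
FAKE_PE = PE_MAGIC + b"\x00" * 126
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n%clean document\n",
    "minutes.zip": build_zip({"minutes.txt": b"nothing to see here\n"}),
    # shape of the FDIC campaign: a ZIP hiding a PE whose name ends in .exe
    "FDIC_Document.zip": build_zip({"FDIC_Document.pdf.exe": FAKE_PE}),
    # shape of the Bank of America campaign: a self-extracting RAR sent bare
    "BillingVerification.exe": FAKE_PE + RAR_SIG + b"\x00" * 32,
}


def scan_samples():
    """Classify every constructed sample; returns {name: reasons}."""
    return {name: classify_blob(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name}: {'clean' if not reasons else '; '.join(reasons)}")
```

The two clean samples come back with no reasons; the ZIP is flagged twice (once for the member's extension, once for its MZ header) and the bare attachment three times. A real gateway would add the RAR5 marker, password-protected archives and a proper PE header walk, but the principle that a PDF icon proves nothing is already covered.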

While examining the HTML form's source code, it became apparent that the phisher's PHP scripts, log files and stolen user data were being served from a legitimate website that had been compromised. A couple of files on the server contained sensitive information, such as IP addresses, credit card details, social security numbers, challenge questions and answers, online banking IDs and the passwords of those who had been deceived by this phishing campaign.

M86 MailMarshal customers are protected from this spam campaign with SpamCensor 559.

Update:

We reached out to Bank of America and this morning we received an e-mail from Jeffrey Laughton at Bank of America informing us that they have successfully taken down the compromised website.
