Posts Tagged ‘Spambot’


The Asprox Spambot Resurrects

By Rodel Mendrez  •  June 5th, 2010  •   Spam

Pushdo spams a Trojan that downloads Asprox

Last week, we noticed a high volume malicious spam campaign using a “$50 iTunes Gift Certificate” theme. The spam was emitted from the Pushdo/Cutwail botnet.

This wasn’t the first time we had seen Pushdo use this “Gift Certificate” theme. A campaign was first observed in mid-May in which the Bredolab downloader Trojan was embedded in an RTF (Rich Text Format) file attachment. Bredolab, also known as Sasfis or Oficla by various antivirus vendors, is known to install the Pushdo/Cutwail spambot, as well as Zbot and fake antivirus, onto the infected host.

With this latest iTunes campaign, instead of using an RTF document as the malware container, a ZIP archive was used. Although both the previous and latest spam campaigns contain the same type of downloader Trojan, the payload was different. The previous payload downloaded and installed fake antivirus, while this latest one downloaded and executed Asprox – a spambot we have not seen active for over a year.

The image above shows the downloader contacting its command and control server. The red text shows the downloader phoning home to its command and control server via the domain name funnylive2010.ru. The HTTP GET request carries the essential bot parameters for the command and control server, such as the bot version and ID as well as the date when the bot was installed. The blue text shows the reply from the command server, which issues a runurl command to download and execute a binary from a URL; that URL points to an Asprox executable. The domain name funnylive2010.ru is hosted behind a fast-flux network, so its IP address changes constantly. Here is the Whois information:

domain:     FUNNYLIVE2010.RU
nserver:    ns1.funnylive2010.ru. 67.247.69.183
nserver:    ns2.funnylive2010.ru. 24.170.54.248
nserver:    ns3.funnylive2010.ru. 98.235.148.218
nserver:    ns4.funnylive2010.ru. 97.89.228.33
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +79766512311
e-mail:     kurk@sovbiz.net
registrar:  NAUNET-REG-RIPN
created:    2010.03.14
paid-till:  2011.03.14
source:     TCI

Asprox phones home and spams the same Trojan downloader

After the Asprox bot is downloaded and installed on the system, it immediately performs some Internet connectivity checks by sending TCP SYN packets to ns.uk2.net, www.yahoo.com and www.web.de.com. The bot then attempts to phone home to its command server with an HTTP POST request, which looks similar to this:

The command server is again hosted behind a fast-flux network which uses the domain name porsche911start.ru. Here is the Whois lookup:

domain:     PORSCHE911START.RU
nserver:    ns1.porsche911start.ru. 81.110.164.220
nserver:    ns2.porsche911start.ru. 24.170.54.248
nserver:    ns3.porsche911start.ru. 69.207.117.210
nserver:    ns4.porsche911start.ru. 97.93.131.158
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +7976651111
e-mail:     ssa@yandex.ru
registrar:  NAUNET-REG-RIPN
created:    2010.05.23
paid-till:  2011.05.23
source:     TCI

The command server then replies with an encrypted XML file that contains further command and control information, and a spamming template:

In the image above, the Asprox command server domains are listed. It is interesting that the Whois lookup information reveals that Pushdo, Bredolab/Oficla/Sasfis and Asprox have something in common: all of the domains they connect to are registered at the same registrar, registered by a “Private Person”, with similar-looking phone numbers. The name server glue records overlap as well; 24.170.54.248, for instance, appears in the funnylive2010.ru, porsche911start.ru, cl63amgstart.ru and hypervmsys.ru records.

1. CL63AMGSTART.RU

domain:     CL63AMGSTART.RU
nserver:    ns1.cl63amgstart.ru. 99.246.20.196
nserver:    ns2.cl63amgstart.ru. 24.170.54.248
nserver:    ns3.cl63amgstart.ru. 75.81.189.14
nserver:    ns4.cl63amgstart.ru. 69.207.117.210
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +79766512344
e-mail:     ssa1@yandex.ru
registrar:  NAUNET-REG-RIPN
created:    2010.05.23
paid-till:  2011.05.23
source:     TCI

2. HYPERVMSYS.RU

domain:     HYPERVMSYS.RU
nserver:    ns1.hypervmsys.ru. 81.110.164.220
nserver:    ns2.hypervmsys.ru. 67.247.69.183
nserver:    ns3.hypervmsys.ru. 24.170.54.248
nserver:    ns4.hypervmsys.ru. 97.89.228.33
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +79766512311
e-mail:     vadim.rinatovich@yandex.ru
registrar:  NAUNET-REG-RIPN
created:    2010.03.30
paid-till:  2011.03.30
source:     TCI

3. ML63AMGSTART.RU

domain:     ML63AMGSTART.RU
nserver:    ns1.ml63amgstart.ru. 67.247.69.183
nserver:    ns2.ml63amgstart.ru. 72.252.193.94
nserver:    ns3.ml63amgstart.ru. 69.207.117.210
nserver:    ns4.ml63amgstart.ru. 24.153.239.180
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +79766542344
e-mail:     ssa21@yandex.ru
registrar:  NAUNET-REG-RIPN
created:    2010.05.23
paid-till:  2011.05.23
source:     TCI
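
As an added example (not part of the original post), the script below pivots across the five Whois records quoted above to find what the domains share. The records are copied from the page, trimmed to the name server, phone, e-mail and registrar lines, and the domain line for ML63AMGSTART.RU is supplied from the post's own heading; the pivot rules (shared glue IPs, identical or similarly prefixed phone numbers, a common registrar, union of all of these into clusters) are my own choices, not anything the bots or the post define.

```python
import re
from collections import defaultdict

# The five Whois records quoted in this post, trimmed to the fields used
# below.  The page's ML63AMGSTART.RU record has no "domain:" line; it is
# supplied here from the post's own heading.
WHOIS_TEXT = """\
domain:     FUNNYLIVE2010.RU
nserver:    ns1.funnylive2010.ru. 67.247.69.183
nserver:    ns2.funnylive2010.ru. 24.170.54.248
nserver:    ns3.funnylive2010.ru. 98.235.148.218
nserver:    ns4.funnylive2010.ru. 97.89.228.33
phone:      +79766512311
e-mail:     kurk@sovbiz.net
registrar:  NAUNET-REG-RIPN

domain:     PORSCHE911START.RU
nserver:    ns1.porsche911start.ru. 81.110.164.220
nserver:    ns2.porsche911start.ru. 24.170.54.248
nserver:    ns3.porsche911start.ru. 69.207.117.210
nserver:    ns4.porsche911start.ru. 97.93.131.158
phone:      +7976651111
e-mail:     ssa@yandex.ru
registrar:  NAUNET-REG-RIPN

domain:     CL63AMGSTART.RU
nserver:    ns1.cl63amgstart.ru. 99.246.20.196
nserver:    ns2.cl63amgstart.ru. 24.170.54.248
nserver:    ns3.cl63amgstart.ru. 75.81.189.14
nserver:    ns4.cl63amgstart.ru. 69.207.117.210
phone:      +79766512344
e-mail:     ssa1@yandex.ru
registrar:  NAUNET-REG-RIPN

domain:     HYPERVMSYS.RU
nserver:    ns1.hypervmsys.ru. 81.110.164.220
nserver:    ns2.hypervmsys.ru. 67.247.69.183
nserver:    ns3.hypervmsys.ru. 24.170.54.248
nserver:    ns4.hypervmsys.ru. 97.89.228.33
phone:      +79766512311
e-mail:     vadim.rinatovich@yandex.ru
registrar:  NAUNET-REG-RIPN

domain:     ML63AMGSTART.RU
nserver:    ns1.ml63amgstart.ru. 67.247.69.183
nserver:    ns2.ml63amgstart.ru. 72.252.193.94
nserver:    ns3.ml63amgstart.ru. 69.207.117.210
nserver:    ns4.ml63amgstart.ru. 24.153.239.180
phone:      +79766542344
e-mail:     ssa21@yandex.ru
registrar:  NAUNET-REG-RIPN
"""


def parse_whois(text):
    """Parse one 'key:   value' record; nserver lines are reduced to their
    glue IP, which is what identifies the fast-flux node."""
    rec = {"nserver_ips": []}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+):\s+(\S.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "nserver":
            rec["nserver_ips"].append(value.rsplit(" ", 1)[-1])
        else:
            rec[key] = value
    return rec


RECORDS = {r["domain"]: r for r in map(parse_whois, WHOIS_TEXT.strip().split("\n\n"))}


def shared_values(records, field):
    """Pivot table: value of `field` -> sorted domains carrying it, keeping
    only values that recur on two or more domains."""
    index = defaultdict(set)
    for domain, rec in records.items():
        vals = rec.get(field, [])
        for v in vals if isinstance(vals, list) else [vals]:
            index[v].add(domain)
    return {v: sorted(d) for v, d in index.items() if len(d) > 1}


def phone_prefix_groups(records, ndigits=7):
    """Group domains by the leading digits of the registrant phone number
    (the post notes the numbers look similar rather than identical)."""
    groups = defaultdict(set)
    for domain, rec in records.items():
        groups[re.sub(r"\D", "", rec["phone"])[:ndigits]].add(domain)
    return {p: sorted(d) for p, d in groups.items()}


def cluster_domains(records):
    """Connected components (union-find) of the graph that links two domains
    whenever they share a glue IP, phone number or e-mail address."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for field in ("nserver_ips", "phone", "e-mail"):
        for linked in shared_values(records, field).values():
            for other in linked[1:]:
                parent[find(other)] = find(linked[0])
    comps = defaultdict(list)
    for d in records:
        comps[find(d)].append(d)
    return sorted(sorted(c) for c in comps.values())
```

On these records, 24.170.54.248 is glue for four of the five domains, 67.247.69.183 and 69.207.117.210 for three each, funnylive2010.ru and hypervmsys.ru share an identical phone number, and every domain ends up in a single cluster. Shared glue IPs are the strongest pivot here: registrant phone and e-mail fields cost the attacker nothing to vary, whereas the fast-flux nodes are reused across domains.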

At this point, Asprox receives and decrypts an XML file with the filename “COMMON.BIN” and the spamming begins. The spam template received was a fake UPS notification spam campaign.

Here is the decrypted spam template:

And here is the actual spam we received in our spam traps last week sent by the Asprox bot. The spam contains a ZIP attachment of a Bredolab downloader Trojan:

Asprox updates and spam continues

The spam coming from the Asprox botnet dried up temporarily last weekend. However, on the first day of June, the spamming resumed – this time focused on pharmaceutical campaigns.

During our analysis we also noticed that an updated binary was downloaded. The packet capture below shows the bot downloading an updated version of the Asprox binary from its command and control server. The domain name hypervmsys.ru was again used in this case.

Conclusion

With the help of Pushdo and the Bredolab downloader, Asprox appears to have risen from the dead to build another spamming botnet. The analysis above also highlights the intricate relationships between individual malware components and hints at a common gang behind them all.


Canadian Pharmacy no Longer King

By Gavin Neale  •  May 5th, 2010  •   Spam

The majority of spam people see contains a link to some sort of pharmacy or replica website, offering the recipient cheap Viagra, weight loss pills, dating sites, Rolex watches or designer handbags. Most of these websites are designed around a brand created by an affiliate program, in which affiliates are paid, usually on commission from sales, to promote the brand.

About seven months ago we posted a blog about our survey of affiliate brands in spam and determined that Canadian Pharmacy was by far the most spammed brand with over 60 percent of all spam containing links to Canadian Pharmacy websites. The next closest brand, Prestige Replicas, was advertised in less than 10 percent of spam.

In the last month a pharmaceutical brand named Canadian RX Drugs has overtaken Canadian Pharmacy as the most spammed affiliate brand, stealing almost half of the market share that Canadian Pharmacy once held. Another brand, Dr Maxman, has also increased from less than one percent to just over 10 percent.

The chart below is based on a sample of the spam we have received over the past seven days, counting only spam that contains links to a website. All percentages would be slightly lower if measured against total spam.

Casino Generic is the name we have given to a group of casino brands such as King spin, Golden mummy, Ruby royal and Seven stars, all available from a single affiliate program. These casino brands are usually promoted by the Maazben botnet.

Casino Websites we categorized as 'casino generic'

Other than Mega-D and Maazben which exclusively spam out links to Canadian Pharmacy and Casino websites respectively, the top spam botnets promote a range of brands. This could either be because the botnet controllers belong to multiple affiliate programs or because they rent out spamming capacity to different people who are affiliates trying to promote their chosen brand.

The table below shows which of the top six affiliate brands (together promoted in 90 percent of spam in the last week) were sent by which of the top spam botnets.

Some of the botnets involved in sending this spam have a huge amount of spamming capacity, like Rustock, which is currently sending around 40 percent of the spam we see. As such, botnet operators have the ability to greatly influence the market shares of affiliate programs simply by changing their spam templates. So with a flick of a switch, what we see today could easily be different tomorrow.


The Storm is back? Well, not exactly.

By Phil Hay  •  April 28th, 2010  •   Spam

The Storm Worm is aptly named, for any mention of it creates a media storm, regardless of the reality behind the malware. Yesterday reports surfaced of a renewed Storm, as researchers from CA announced the “Come back of the Storm Worm.” The news media were not slow to pick it up; for example, The Register’s headline read “Infamous Storm botnet rises from the grave.”

Despite its nickname, the Storm Worm was actually not a worm. Rather, it was once a major spamming botnet, representing some 20% of spam at its peak in mid-2007. It was also one of the most discussed and studied botnets ever, due to its size, distinctive spam campaigns, and revolutionary peer-to-peer communication model. Following all the attention and the targeting of Storm by Microsoft with its Malicious Software Removal Tool in September 2007 among other infiltration attempts, Storm died a slow death, which we duly noted here.

So what is going on with these latest pronouncements? Has Storm suddenly sprung back from the dead?

The folks at the Honeynet Project have done a detailed analysis of the malware, and consider it to share a significant amount of code with the original Storm. Notable similarities include:

  • Use of the same config file name, herjek.config, located in the C:\WINDOWS directory.
  • TCP communications are base64-encoded and gzip-compressed.
  • A peculiar random-letter path followed by jpg, htm or gif, and the “Windoss” user agent, in the HTTP POST request; see below:

Figure 1: Random 3 letter path and “Windoss” user agent in HTTP POST request.

The Spamming templates, too, are very similar. Take this example from the original Storm:

%^G%^Fpharma^% http://%^Flinksh^%/%^P%^R2-7^%:qwertyuiopasdfghjklzxcvbnmeui=oaeuioa^%/^%
~!3~!1201910750~!Received: from [%^C6%^I^%.%^I^%.%^I^%.%^I^%^%] (helo=3D%^C=
0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^%)
    by %^A^% with smtp (Exim 4.62 (FreeBSD))
    id %^M%^C5%^R20-300^%^%^%-000%^P1:12345678^%%^P1:GHIJKLMNOPQRSTUVWXYZabcde=
fghijklmn^%%^P1:0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw=
xyz^%-%^P1:0123456789ABCDEFGHIJKLMNOPQRSTUV^%%^P1:0123456789ABCDEFGHIJKLMNO=
PQRSTUVWXYZabcdefghijklmnopqrstuvwxyz^%; %^D%^V5^%^%
Message-ID: <%^Z^%.%^R1-9^%0%^R0-9^%0%^R0-9^%0%^R0-9^%@%^C1%^Fdomains^%^%>
Date: %^D^%
From: <%^Fnames^%@%^V1^%>
User-Agent: Thunderbird %^Ftrunver^%
MIME-Version: 1.0
To: %^0^%
Subject: %^Fwormsubj^%
Content-Type: text/plain; charset=3DISO-8859-1; format=3Dflowed
Content-Transfer-Encoding: 7bit

And compare it with this one from the new bot:

5~!1272366542~!Date: %^D^%
From: "%^C2%^Fnames^%^%" <%^V2^%@%^C1%^Fdomains^%^%>
MIME-Version: 1.0
To: %^0^%
Subject: %^Fpharma2^%
Content-Type: text/plain; charset=%^Fcharset^%
Content-Transfer-Encoding: 7bit
Message-ID: <%^Z^%.%^R1-9^%0%^R0-9^%0%^R0-9^%0%^R0-9^%@%^V1^%>

%^Forder.txt^% %^Frxmeds.txt^%  online today!
%^Fbrowse.txt^% our web site today  -> %^Frxdomains2.txt^%

Incidentally, both of these spamming templates also closely resemble the template used by the Waledac bot, again indicating shared code.
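
To make the template language concrete, here is an added example, not code from the post, from the bot, or from any of the researchers mentioned, of an expander for the `%^...^%` macros, run on the new bot's template quoted above. The macro semantics are inferred by me from the two templates on this page and are not documented by the post: `F` picks an entry from a named word list, `R` a random integer in a range, `P` a run of characters from an alphabet, `C` evaluates its body and stores it in a numbered slot that `V` later recalls (which is how the From address and the Message-ID end up on the same domain), `I` a random octet, `D` a date, and `0` the recipient. `%^Z^%` and the other macros the page does not let me interpret are left in place with their bodies expanded, so an analyst can see what remains. The word lists, the recipient and the shop URL are constructed stand-ins for what the command server would ship, and the line break after the Date header is restored where the page shows it run together with From. One further observation of mine: the `~!`-separated prefix fields read as a record ID and a Unix timestamp (1272366542 is 27 April 2010, the day before this post; the original Storm template's 1201910750 is 2 February 2008).

```python
import random
import re
from datetime import datetime, timezone

# The "new bot" template quoted above, line break after the Date header
# restored.  Macro meanings below are inferred, not documented by the post.
NEW_BOT_TEMPLATE = "\n".join([
    "5~!1272366542~!Date: %^D^%",
    'From: "%^C2%^Fnames^%^%" <%^V2^%@%^C1%^Fdomains^%^%>',
    "MIME-Version: 1.0",
    "To: %^0^%",
    "Subject: %^Fpharma2^%",
    "Content-Type: text/plain; charset=%^Fcharset^%",
    "Content-Transfer-Encoding: 7bit",
    "Message-ID: <%^Z^%.%^R1-9^%0%^R0-9^%0%^R0-9^%0%^R0-9^%@%^V1^%>",
    "",
    "%^Forder.txt^% %^Frxmeds.txt^%  online today!",
    "%^Fbrowse.txt^% our web site today  -> %^Frxdomains2.txt^%",
])

# Constructed stand-ins for the word lists the command server would ship.
WORD_LISTS = {
    "names": ["alice", "bob"], "domains": ["example.com", "example.org"],
    "pharma2": ["Your order", "Special offer"], "charset": ["ISO-8859-1"],
    "order.txt": ["Order", "Buy"], "rxmeds.txt": ["cheap meds"],
    "browse.txt": ["Visit"], "rxdomains2.txt": ["http://shop.example.net/"],
}


class TemplateExpander:
    """Expand %^...^% macros (nesting allowed, e.g. %^P%^R2-7^%:abc^%).
    Unknown macro types are kept, with their body expanded, so they stay
    visible in the output instead of silently vanishing."""

    def __init__(self, lists, recipient, rng=None, now=None):
        self.lists, self.recipient, self.slots = lists, recipient, {}
        self.rng = rng or random.Random()
        self.now = now or datetime.now(timezone.utc)

    def expand(self, text):
        out, i = [], 0
        while True:
            j = text.find("%^", i)
            if j < 0:
                out.append(text[i:])
                return "".join(out)
            out.append(text[i:j])
            end = self._close(text, j + 2)
            out.append(self._macro(text[j + 2:end]))
            i = end + 2

    @staticmethod
    def _close(text, i):
        """Index of the '^%' closing the macro whose body starts at i,
        skipping over nested %^...^% macros."""
        depth = 1
        while i < len(text):
            if text.startswith("%^", i):
                depth, i = depth + 1, i + 2
            elif text.startswith("^%", i):
                depth -= 1
                if depth == 0:
                    return i
                i += 2
            else:
                i += 1
        raise ValueError("unterminated macro")

    def _macro(self, body):
        kind, arg = body[:1], body[1:]
        if kind == "F":          # entry from a named word list
            return self.rng.choice(self.lists[arg])
        if kind == "R":          # random integer, inclusive range lo-hi
            lo, hi = (int(x) for x in arg.split("-"))
            return str(self.rng.randint(lo, hi))
        if kind == "P":          # N characters drawn from an alphabet
            count, alphabet = self.expand(arg).split(":", 1)
            return "".join(self.rng.choice(alphabet) for _ in range(int(count)))
        if kind == "C":          # evaluate, remember in a numbered slot, emit
            slot, inner = re.match(r"(\d+)(.*)", arg, re.S).groups()
            self.slots[slot] = self.expand(inner)
            return self.slots[slot]
        if kind == "V":          # recall a slot
            return self.slots.get(arg, "")
        if kind == "I":          # random octet (used to fake an IP address)
            return str(self.rng.randint(0, 255))
        if kind == "D":          # date header; any argument is ignored
            return self.now.strftime("%a, %d %b %Y %H:%M:%S +0000")
        if kind == "0":          # recipient address
            return self.recipient
        return "%^" + kind + self.expand(arg) + "^%"


def template_fields(raw):
    """Split the '~!'-separated prefix (record ID, timestamp) from the body."""
    fields = raw.split("~!", 2)
    return fields[:-1], fields[-1]


def template_timestamp(raw):
    return datetime.fromtimestamp(int(template_fields(raw)[0][1]), tz=timezone.utc)


def render(raw, lists, recipient, seed=0, now=None):
    """Return (prefix_fields, expanded message) for one template record."""
    fields, body = template_fields(raw)
    return fields, TemplateExpander(lists, recipient, random.Random(seed), now).expand(body)
```

Running `render(NEW_BOT_TEMPLATE, WORD_LISTS, "victim@example.invalid")` yields a message whose From display name equals the local part, whose Message-ID carries the From domain and a 7-digit `d0d0d0d` serial, and in which only `%^Z^%` survives unexpanded. The nesting handled by `_close` is what matters for the original Storm template above, where `%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^%` draws a random-length HELO name.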

The glaring difference is that the new malware does not use a peer-to-peer communication model based on the Overnet protocol. The original Storm communicated over UDP with many other nodes using a modified version of that protocol, whereas this malware has none of that. In its place is a stripped-down and more standard model, in which the infected node contacts a command server via HTTP and downloads spam templates and other instructions. Broadly speaking, it is little different in concept from the many other template-based spambots that we regularly encounter.

So in essence, this is a new stripped down spambot, based on a portion of Storm code. The spam emanating from it is hardly registering in our spam traps – less than 0.01 percent, so it is a very minor spamming botnet at this stage – merely another one to add to the dozens out there already.
