Posts Tagged ‘SpamIt’


New Bots, Old Bots: Xarvester Returns

By Phil Hay  •  May 24th, 2011  •   Botnets

There has been quite a shake up in the spamming underworld ever since SpamIt.com closed shop and the Rustock botnet was disrupted. A look at our weekly spam statistics shows that spam volume has dropped substantially, making this year (so far) a happy one for anti-spammers. While spam output has remained low, the statistics also show quite a shakeup in the bots used to distribute spam.

Surprisingly, since around March, we have observed a big rise in spam from two botnets well known to us from the past – Donbot and Xarvester.  Six months ago, spam from these botnets hardly got our attention.  But now, clearly, someone has breathed new life into these spamming machines.

Xarvester first came to our attention over two years ago, when it rose to prominence after the hosting provider McColo was unplugged, decimating the then leading spamming botnet Srizbi.  We have also seen Xarvester clearly linked to Spamit.com, when we discovered Spamit ‘footprints’ in Xarvester spam templates.  So when we recently came across a Xarvester bot, we decided to take a closer look. The sample we used is not named Xarvester by any anti-virus vendor: Microsoft were calling it Bymot, and AVG called it simply SpamTool (VirusTotal Report).  A look at the strings in the malware body confirmed to us that what we were looking at was indeed Xarvester, as we had seen these strings in previous Xarvester bots.

Both the highlighted command and control domains are hard coded into the malware, and both point to the same IP address.

The spambot itself is relatively simple.  When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309, and requests an encrypted file, which, when decrypted, proves to be a container for a bunch of files the bot needs to spam.
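The sequence just described (an external IP check against checkip.dyndns.com, followed shortly by an outbound connection to the C2 domain on tcp/12309) is the kind of behaviour a defender can look for in egress logs. The following is an added example written for this post, not code from M86 Security Labs: it scans constructed, simplified firewall log lines (the format, host names and timestamps are all assumptions made up for the example) and flags hosts that match the pattern. The domain and port come from the analysis above; a real deployment would feed it the organisation's own log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the write-up above.
IP_CHECK_HOST = "checkip.dyndns.com"
C2_PORT = 12309
C2_DOMAINS = {"def2010cnt.biz"}

# Constructed sample egress log (not real traffic), one connection per line:
# "<ISO timestamp> <source host> <destination host or IP> <destination port>"
SAMPLE_LOG = """\
2011-05-20T10:00:01 ws-017 checkip.dyndns.com 80
2011-05-20T10:00:04 ws-017 def2010cnt.biz 12309
2011-05-20T10:01:10 ws-042 www.example.com 443
2011-05-20T10:02:00 ws-042 checkip.dyndns.com 80
2011-05-20T10:45:00 ws-042 mail.example.com 25
2011-05-20T11:00:00 ws-099 203.0.113.5 12309
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, src, dst, port), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst.lower(), int(port)


def find_suspects(log_text, window=timedelta(minutes=5)):
    """Return {source host: [reasons]} for hosts whose traffic matches the bot's pattern.

    Strong signals: contact with a known C2 domain, or an IP check followed within
    `window` by a connection to the C2 port. A bare connection to tcp/12309 with no
    preceding IP check is recorded as a weak indicator so an analyst can triage it.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort()  # chronological order so the IP check precedes the C2 contact
    last_ipcheck = {}          # src host -> time of its most recent IP check
    reasons = defaultdict(list)
    for ts, src, dst, port in events:
        if dst == IP_CHECK_HOST:
            last_ipcheck[src] = ts
            continue
        if dst in C2_DOMAINS:
            reasons[src].append(f"contact with known C2 domain {dst}")
        if port == C2_PORT:
            prev = last_ipcheck.get(src)
            if prev is not None and ts - prev <= window:
                reasons[src].append(f"IP check then tcp/{port} within {ts - prev}")
            else:
                reasons[src].append(f"outbound tcp/{port} (weak indicator on its own)")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in find_suspects(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

On the sample data, ws-017 is flagged on both the C2 domain and the IP-check-then-port sequence, ws-099 only on the weak port indicator, and ws-042 is not flagged at all, since its IP check is followed by ordinary mail traffic. Matching on the port alone would produce noise; the ordering of the two connections is what ties the traffic to the behaviour described above.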

Again, this is very similar to what we saw with Xarvester over two years ago. The bot typically does not perform DNS lookups for each spam message; instead, the IP addresses for the target domains are downloaded in the package.  The headers of the spam messages are very uniform, and closer inspection shows that the bulk of the header is hard coded in the malware body, which is unusual when compared to many of the other bots we see today that vary headers regularly.  Even the content of the message body has a familiar look to it.  Compare the message body today:

With a message we saw from Xarvester two years ago:


So, Xarvester has been dusted off and is back to flogging replica watches – who would have thought?

We have updated our spambot description for Xarvester, which you can find here.

Thanks to Gavin Neale and Rodel Mendrez who contributed to the analysis of this bot.


Mega-D Botnet Operator Revealed

By Phil Hay  •  December 2nd, 2010  •   Spam

Interesting details emerged today regarding the Mega-D botnet. The FBI has identified the Russian Oleg Nikolaenko as the operator of the botnet and has filed papers with a US District Court for his arrest. Brian Krebs from KrebsOnSecurity has a good article on the issue here, including a link to the court documents.

M86 Security Labs has monitored the Mega-D botnet closely ever since we noticed huge volumes of spam emanating from it in early 2008.  In fact we originally dubbed it Mega-D because of its numerous and distinctive “Megadik” spam campaigns at that time.  Mega-D has since had its ups and downs as various researchers and law enforcement authorities took ever greater interest in it. The timeline below shows the blog entries we have done on events relating to Mega-D over time.

The court document makes interesting reading.  The FBI found Nikolaenko through data revealed in the 2008 US Federal Trade Commission investigation into Affking, the affiliate program linked to Genbucks that was responsible for “Megadik” and other similar brands. M86 Security Labs provided assistance to the FTC and New Zealand authorities in this original investigation.  Between 6 June 2007 and 14 December 2007, payments totalling around $465,000 were made by Affking into an ePassporte account registered to Nikolaenko for the services of spamming.

Over the last few months, Mega-D spam activity has dried up and its control servers have become non-responsive. It no longer features in our spam tracking statistics. In reality, Mega-D has been on the decline for some time, probably as a result of all the interest by researchers and the authorities.

It’s encouraging to see law enforcement agencies going after these bot-herding criminals. Identifying and incapacitating the individuals behind the malware is one of the best ways to keep these giant spam-spewing systems in check.

Timeline:

Feb-2008: Spam from botnet “Mega-D” constituted 32% of spam, malware identified and control servers disabled

Feb-2008: Mega-D recovers and resumes spamming

October-2008: FTC initiates action against AffKing affiliate program

November-2008: McColo takedown halted operations on Mega-D and other spamming botnets

December-2008: Mega-D resumes spamming

November-2009: Mega-D operations disrupted by FireEye

February-2010: Mega-D resumes spamming…again

December-2010: FBI identifies Mega-D’s operator


Spam Volumes Drop After Spamit Shakeup

By Phil Hay  •  October 14th, 2010  •   Spam

The last few weeks have seen quite a shakeup in the spamming world.  Our Spam Volume Index, which records relative movements in spam volume sent to a bundle of domains we monitor, has recorded a substantial drop two weeks in a row.

M86 Security Spam Volume Index

A major cause of the drop was a sudden drop in spam output from Rustock, one of the major spamming botnets of recent times.  We noticed the decline starting around 20 September and dropping to negligible levels by 23 September.  This happened at the same time as initial reports surfaced that the notorious SpamIt.com operation was shutting down.

Rustock Spam Volume Decline

Spamit.com is an underground group of email spam affiliates closely linked to GlavMed, which in turn is responsible for one of the largest and oldest affiliate programs, called “Canadian Pharmacy”. In recent times Canadian Pharmacy has been the dominant spammed program, simultaneously spammed by most of the major spamming botnets.  In late September, the SpamIt.com domain had the following message announcing its impending shutdown on 10 October.

SpamIt.com web page prior to 10 October

Today, the SpamIt.com domain has the following page, which translated, reads “10.10.10 The King is dead! Long live the king!”

SpamIt.com: "The King is Dead. Long Live the King!"

Rustock, in particular, has had a long history of association with the Canadian Pharmacy program. In fact, for much of its life that we have observed, its spam output has been mostly or solely Canadian Pharmacy spam.  The Rustock botnet itself has not gone away. Its control servers are still up, we have observed Rustock spamming in our lab, and some of our customers are still experiencing a low level of Rustock spam hitting their servers.

So what of the other botnets? There has been some suggestion that we may have confused Rustock spam with Pushdo.  Not so. We observe these bots closely in our lab and know their traits, habits and templates well. The following chart shows Pushdo’s spam output over the same time frame.

Pushdo's output dips, gains and dips again

In the chart above we can see the big dip following the disruption to Pushdo’s control servers in late August.  But inevitably Pushdo’s output recovered as it added new control servers.  We observed another big dip on 3rd October, in line with other observers.  At this stage we are unsure whether this latest dip is related to the SpamIt.com closure. Researchers are taking a close interest in Pushdo and there may well be other factors impacting on it (for instance see here).

Even more recently, since the weekend, the Grum botnet, another major spammer, has also gone very quiet. Here is a chart from the same period that shows a marked drop in spam output after 8 October, very close to the 10 October “official” SpamIt.com closure.

Grum's output dips after 8 October

So, what to make of all this?  It seems that the SpamIt.com closure has had a major impact on the volume of spam output, as some botnet operators/spammers have lost one of their major affiliate programs, or in other words, sources of cash. How long it will last is another question entirely. There are competing affiliate programs for botnet operators to sign up for.  We have noticed that one of the smaller botnets, Xarvester, which we have previously linked to Spamit.com, has already swapped from Canadian Pharmacy to Ultimate Replicas.  And it may well be that SpamIt.com and Canadian Pharmacy have gone into hiding, and after a brief hiatus will reemerge in another guise.  Only time will tell.  In the meantime we are not complaining.


More Spamit Footprints

By Rodel Mendrez  •  May 11th, 2010  •   Spam

Two weeks ago, many, including us, highlighted the emergence of a new Storm-Like botnet. A few days ago, when we decrypted and analyzed one of the templates that this bot uses to spam, we noticed a footprint that links it to the notorious spamming affiliate program, Spamit.

Spamit is an underground email affiliate program behind one of the dominant spammed brands “Canadian Pharmacy”. As you can see above, the template uses a parameter frxdomains_spamit.txt which contains a list of URLs leading to Canadian Pharmacy websites. Earlier this year, we observed another botnet – Xarvester – also sending a spam campaign referencing Spamit.com in its message body.

This footprint in the template reminds us that the emergence of the Storm II bot has a financial motivation. It also goes to show that as long as nefarious spamming affiliate programs such as Spamit exist and continue to offer tempting rewards, bot herders will continue to build bot networks to spam.
