Spam and All Things Salty: Spambot v2013

Jessa dela Torre [1] and Sabrina Lei Sioting [2]

[1] Forward-Looking Threat Research Team, [2] Threat Cleanup and Analysis Team

Trend Micro, Inc., Philippines

Abstract. This paper discusses our research on a threat that involves massive attacks on WordPress, Joomla! and Drupal sites, and on how its operators test the waters with a new spamming cycle. This routine involves different forms of web threats working independently of each other and has posed a challenge for email authentication. We will look into (1) the compromised website, (2) the compromised machine, (3) the command and control server, (4) the payloads and/or affiliates involved, (5) the telemetry of the data we collected, and (6) how we emulated the threat to "milk" the server.

1 Introduction

In a paper we released previously, we detailed the malware and spamming routines of Stealrat [3], a new botnet that we have been monitoring. In this paper we look at the various Content Management Systems (CMS) that are used extensively by the botnet operators, as well as the other components of this operation that we have yet to discuss. For continuity, we still include some key points that we have already mentioned before.

Stealrat introduced a new spamming technique in which the communication between the spamming websites and the actual spam server is mediated by a compromised machine. This makes it difficult for spam filters to authenticate emails, since they come from legitimate sites.

While porn remains the primary theme of the spam emails they send, we have also seen a spike in emails that take excerpts from The Stainless Steel Rat [4] science fiction series, although the subject is still porn-related.

[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf

[4] http://en.wikipedia.org/wiki/The_Stainless_Steel_Rat


Fig. 1. Email samples

One of the ways Stealrat differs from other spam botnets is how the operators have set up their model: there are two compromised websites (one does the spamming and the other hosts the payload) and a compromised machine. The compromised machine (end-user) connects to a server to collect spam data and sends it to a compromised website, where the email is constructed and sent to the recipient. The email contains a link to the other compromised website.


Fig. 2. Stealrat model

In a nutshell, the binary component on the compromised machine connects to several URLs to gather the following data needed to construct the spam email:

– Mail server (backup)

– “Sender” name

– Recipient’s email address

– Email template (subject and body)

It then sends a POST request to a compromised website, where a PHP script builds the actual spam email and sends it to the recipient.

Detailed descriptions of the malware (binary and PHP) components are in the previous paper under the sections "Modules" and "PHP Scripts" [5]; a summary of each component is given below.

2 Content Management Systems

During the course of our research, we found the compromised websites to be running Content Management Systems (CMS). While only a small fraction of the affected sites run Drupal, Joomla! and WordPress account for 51% and 19% of the infections, respectively [6].

[5] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf

[6] Based on our data; may vary from the actual statistics.


Fig. 3. CMS infection breakdown

While we have not determined most of the exploits and vulnerabilities used to gain access to the websites, we looked at the sites and plugins that are commonly compromised and enumerated some of the popular and interesting ones.

In some instances, we have also seen exploits used to gain root privileges on web servers running Linux. One of them is the Abacus exploit, which affects Linux kernel versions 2.6.37 to 3.8.8 and involves a poisoned perf_swevent_enabled array in a perf_event_open system call.

Fig. 4. Sample abacus exploit snippet and files


Once the server is successfully exploited, the other websites hosted on that web server become accessible and vulnerable as well. Using the WSO web shell, the attackers can create, view, upload and execute files in all the hosted sites (see image).

Fig. 5. Other websites hosted in a webserver

2.1 Joomla!

Joomla! is an open source Content Management System written in PHP; its functionality can be modified or extended using "extensions." Officially, there are five different kinds of extensions:

– Component

– Plugin

– Template

– Modules

– Languages

In Joomla! sites, we found most of the malicious scripts inside the following components' directories:

– com_virtuemart

– com_jce

– com_weblinks

Com_virtuemart. VirtueMart [7] is an e-commerce component for Joomla!. It acts as a shopping cart, catalog and payment system for online merchandise. A normal installation contains the following files in the /components/com_virtuemart folder:

– fetchscript.php

– show_image_in_imgtag.php

– virtuemart.php

– virtuemart_parser.php

[7] http://virtuemart.net/features/what-is-virtuemart

Fig. 6. Sample compromised com virtuemart directory content

Com_weblinks. Weblinks [8] is Joomla!'s component for adding links to a web page. A normal installation contains the following files in the /components/com_weblinks folder:

– controller.php

– router.php

– weblinks.php

Fig. 7. Sample of a compromised com weblinks directory content

[8] http://docs.joomla.org/Help31:Components_Weblinks_Links


Com_jce. Joomla Content Editor (JCE) [9] is Joomla!'s component for editing pages, which includes styling and other WYSIWYG tools. A normal installation has the following files in the /components/com_jce folder:

– jce.php

– popup.php

Fig. 8. Sample of a compromised com jce directory content

2.2 WordPress

Similar to Joomla!, WordPress [10] is also written in PHP and is a popular blogging tool as well as a Content Management System. In WordPress sites, we found most of the malicious scripts inside the directories of the following plugins:

– tell-a-friend

– akismet

– tv1/tv1mod

Tell-a-friend. Tell-a-friend is a WordPress plugin that allows website visitors to "tell their friends" about the site by clicking on a button (see image) and sending an email to their contact list.

A normal installation only has the tell-a-friend PHP file in the /plugins/tell-a-friend folder, plus several image files.

[9] http://extensions.joomla.org/extensions/edition/editors/88

[10] http://wordpress.org/


Fig. 9. Sample of a compromised tell-a-friend directory content

Interestingly, on all of the compromised sites we have seen with the tell-a-friend plugin, the tell-a-friend.php file had been modified and appended with the WSO 2.5 web shell.

Fig. 10. Modified tell-a-friend.php

Fig. 11. Original tell-a-friend.php


Akismet. Ironically, Akismet [11] is a WordPress plug-in for spam filtering, although it covers the comments section only. A normal installation has the following files in the /plugins/akismet folder:

– admin.php

– akismet.css

– akismet.gif

– akismet.js

– akismet.php

– widget.php

Fig. 12. Sample of a compromised Akismet directory content

TV1. The most intriguing plugin we have seen is TV1. According to the WordPress site, there is no plugin named TV1. In most of the sites we checked, aside from the malicious files, the following PHP scripts are always present in the /plugins/tv1 folder:

– class-wp-importer-cron.php

– tumblr-importer.php

These scripts (see image below) are part of the tumblr-importer plugin, which imports a Tumblr blog into a WordPress blog.

[11] http://codex.wordpress.org/Akismet


Fig. 13. Tv1 directory content
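As an added example (not part of the paper), the clean-install file lists given in sections 2.1 and 2.2 can be turned into a baseline check: each known component or plugin directory is compared against the files it should ship, and anything extra is reported, while a directory no upstream plugin provides (tv1) is reported whole. The sample web root, and file names such as Sm12e.php and unknown.php, are constructed for the demo.

```python
import os
import tempfile

# Files a clean installation ships, per sections 2.1 and 2.2 of the paper.
EXPECTED_FILES = {
    "components/com_virtuemart": {"fetchscript.php", "show_image_in_imgtag.php",
                                  "virtuemart.php", "virtuemart_parser.php"},
    "components/com_weblinks": {"controller.php", "router.php", "weblinks.php"},
    "components/com_jce": {"jce.php", "popup.php"},
    "wp-content/plugins/tell-a-friend": {"tell-a-friend.php"},
    "wp-content/plugins/akismet": {"admin.php", "akismet.css", "akismet.gif",
                                   "akismet.js", "akismet.php", "widget.php"},
}
# tell-a-friend also ships several image files; allow those by extension.
IMAGE_EXTS = (".gif", ".png", ".jpg")
# Directory the paper reports but no upstream plugin provides: report it whole.
UNKNOWN_DIRS = ["wp-content/plugins/tv1"]


def unexpected_files(ext_dir, listing):
    """Return the sorted names in listing that a clean ext_dir should not hold."""
    expected = EXPECTED_FILES.get(ext_dir)
    if expected is None:
        return sorted(listing)
    extra = []
    for name in listing:
        if name in expected:
            continue
        if ext_dir.endswith("tell-a-friend") and name.lower().endswith(IMAGE_EXTS):
            continue
        extra.append(name)
    return sorted(extra)


def scan_webroot(webroot):
    """Map each extension directory present under webroot to its extra files."""
    findings = {}
    for ext_dir in list(EXPECTED_FILES) + UNKNOWN_DIRS:
        path = os.path.join(webroot, ext_dir)
        if os.path.isdir(path):
            extra = unexpected_files(ext_dir, os.listdir(path))
            if extra:
                findings[ext_dir] = extra
    return findings


def build_sample_webroot():
    """Constructed sample tree (not real data): a clean com_weblinks, a
    tell-a-friend directory with a dropped Sm12e.php spammer script, and a
    tv1 directory holding the tumblr-importer files plus one more script."""
    root = tempfile.mkdtemp()
    tree = {
        "components/com_weblinks": ["controller.php", "router.php", "weblinks.php"],
        "wp-content/plugins/tell-a-friend": ["tell-a-friend.php", "button.gif",
                                             "Sm12e.php"],
        "wp-content/plugins/tv1": ["tumblr-importer.php",
                                   "class-wp-importer-cron.php", "unknown.php"],
    }
    for ext_dir, names in tree.items():
        os.makedirs(os.path.join(root, ext_dir))
        for name in names:
            open(os.path.join(root, ext_dir, name), "w").close()
    return root


if __name__ == "__main__":
    for ext_dir, extra in sorted(scan_webroot(build_sample_webroot()).items()):
        print("%s: unexpected %s" % (ext_dir, ", ".join(extra)))
```

A listing check cannot catch the in-place modification of tell-a-friend.php described in the tell-a-friend subsection; for that, compare file hashes against a clean copy of the plugin.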

3 The Malware

Aside from exploiting CMS-run websites, another important aspect of Stealrat is the array of malware in its arsenal. While we have seen other components associated with this campaign, we will only look at those directly involved in its spamming routine. This section briefly describes these components; a more detailed analysis of each is given in our previous paper.

3.1 The Downloader (Mutator/Rodecap)

Rodecap, or Mutator (according to its PDB debug string), downloads the SmMgr component from a specified URL. What makes Mutator interesting is its method of connecting to the C&C server to get its download instructions. One of its variants connects to the mail servers of what seem like innocently named sites (e.g. lyrics-db.org) and, after a connection has been established, modifies the hostname in the HTTP header to "google.com".

Its initial check-in to the C&C follows the format below:

– protocol.php?p=[volume serial number]&d=[B64 encoded string]

3.2 The Collector (SmMgr/Symmi)

Symmi, or SmMgr (according to its PDB debug string), is the component that downloads the spam data (which includes the sender name, subject and body) and the list of email addresses to send the spam email to. It then encrypts this information and sends it to the compromised websites. One interesting aspect of SmMgr (at least in the versions we analyzed) is that for every successful or failed function, it sends a debug string via UDP to what we call the "Testing" or "Debug" server.


Recently, we have also seen a Linux version of SmMgr (an ELF file). It checks for certain Linux environment variables, if present on the system. The values found in these variables are used as parameters of the link the malware connects to. It connects to a URL (the spam server) that provides the email addresses the spam mails are sent to. Similar to its Windows counterpart, the URL has the following format:

– http://{domain}/img/seek.cgi?db={data}&lin={data}

It also possibly connects to other URLs where the configuration, spam mail data, email format and compromised page are given. It sends the B64-encoded spam mail to a compromised page via a POST request. If all parameters in the POST request are correct, the site replies with the string "OKe807f1fcf82d132f9bb018ca6738a19f+0". It is then up to the compromised page to send the spam mail.

3.3 The Spammer (PHP script)

Downloaded as "Sm[number]e.php", this PHP script receives the spam template from SmMgr and constructs the spam email that will be sent to the recipients. By default, the script uses the compromised site's mail server, but a backup server, typically Google (Gmail), is included in the spam data [12]. This script comes under multiple different file names, and the number of scripts usually varies from site to site.
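An added example, not from the paper: the request patterns described in sections 3.2 and 3.3 (POSTs to the Sm[number]e.php spammer scripts, POSTs to PHP files under the abused component and plugin directories, and the SmMgr fetch from /img/seek.cgi?db=...&lin=...) can be matched against web-server or proxy access logs. The log lines are constructed in Apache combined format with documentation IP ranges; the tag names are assumptions of this example.

```python
import re

# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+'
)
SPAMMER_SCRIPT = re.compile(r'/Sm\d+e\.php$')          # "Sm[number]e.php" (section 3.3)
SEEK_CGI = re.compile(r'/img/seek\.cgi\?(?=.*\bdb=)(?=.*\blin=)')  # section 3.2 URL
ABUSED_DIRS = (                                         # directories from section 2
    "/components/com_virtuemart/", "/components/com_weblinks/",
    "/components/com_jce/", "/wp-content/plugins/tell-a-friend/",
    "/wp-content/plugins/akismet/", "/wp-content/plugins/tv1/",
)


def classify(line):
    """Return a tag for a suspicious request line, or None for an ordinary one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m.group("method"), m.group("path")
    url_path = path.split("?", 1)[0]
    if SEEK_CGI.search(path):
        return "smmgr-spam-server-fetch"   # infected host pulling recipient data
    if method == "POST" and SPAMMER_SCRIPT.search(url_path):
        return "post-to-spammer-script"    # spam data pushed to an Sm*e.php script
    if method == "POST" and url_path.endswith(".php") and any(
            d in url_path for d in ABUSED_DIRS):
        return "post-to-extension-php"     # PHP inside an abused extension dir: review
    return None


def scan(lines):
    """Return (tag, source ip, path) for each suspicious line, in log order."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            m = LOG_RE.match(line)
            hits.append((tag, m.group("ip"), m.group("path")))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Sep/2013:10:01:02 +0000] "POST /components/com_weblinks/Sm3e.php HTTP/1.1" 200 41 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Sep/2013:10:01:05 +0000] "GET /index.php?option=com_weblinks HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Sep/2013:10:02:11 +0000] "POST /wp-content/plugins/tell-a-friend/tell-a-friend.php HTTP/1.1" 200 77 "-" "-"',
    '192.0.2.44 - - [21/Sep/2013:10:03:00 +0000] "GET /img/seek.cgi?db=12&lin=7 HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.8 - - [21/Sep/2013:10:03:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```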

4 Command and Control

Over time, the operators have moved the C&C to several domains scattered across several IP addresses. They seem to be using a single domain structure and simply copy the entire thing when moving to different domains (see image) [13].

[12] http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-check-if-your-website-is-part-of-the-stealrat-botnet/

[13] Current domains are circled in red.


Fig. 14. Domains and IPs associated with Stealrat

Communications with the C&C vary among the components and are done via TCP or UDP. Though implemented, the various encryption methods are simple and not overly complicated. A detailed description of each method is given in the "Malware and Network Communication" section of the previous paper.

5 Payloads and Affiliations

The links embedded in the emails point to compromised sites injected with several HTML pages that are frequently updated. These pages range from pornography to online pharmacies.

5.1 Porn

Pornography is still the main theme of Stealrat’s payload.

Fig. 15. Sample payload page

Once the page loads, it redirects to another compromised web page that has been planted with pornographic links and images.


Fig. 16. Sample compromised webpage injected with porn

5.2 Online Pharmacy

Another common landing page is an online pharmacy site, particularly doctorpied.com (previous sites were doctorpot.com and doctoregpg.com).

Fig. 17. Online pharmacy site

Interestingly, doctorpied.com is registered to the email address [email protected], which also registered several other online pharmaceutical sites that we have attributed to a certain actor. While we have not yet determined their exact relationship, we are not discounting the possibility that the same actor is involved here.

Fig. 18. Pharma domains and IPs associated with [email protected]

6 Telemetry

We have been monitoring this botnet intermittently since mid-April 2013, and so far we have recorded about 215,000 websites that have been, at one point or another, compromised.

Some of these websites had not disabled directory listings, so we were able to view their files and contents. Using the access logs and data available from 3 random sites, we compiled and averaged some of the information we know about this threat. Although 3 out of 215,000 may not give a good representation of the entire operation, we hope at the very least to get a glimpse of it and estimate its size.

Fig. 19. Geographic distribution of the IP addresses that connected to the 3 compromised websites

Page 15: Spam and All Things Salty: Spambot v2013 · In Joomla! sites, we found most of the malicious scripts inside the following components’ directory: { com virtuemart { com jce { com

Table 1. Average content of the 3 random compromised websites

Description                                                                  Average number
Spam mailer scripts (PHP)                                                    4
Spam emails sent on a single date (Sep 21, 2013)                             1,497.33
Unique IPs (end-users) that sent spam data on a single date (Sep 21, 2013)   1,065.33

Currently, there are about 17 million email addresses that receive periodic spam emails from these sites.

7 Emulation

To uncover a significant part of this operation, we emulated the binary (SmMgr) responsible for collecting the spam data and sending it to a compromised website. Every 10 seconds, this binary spawns a thread that performs these processes.

We created several scripts to download and decode (see appendix) the following:

– email recipients

– spam template

– website to post the spam data to

8 Conclusion

While it is relatively small compared to more established botnets such as Asprox [14] and Pushdo [15], its spam cycle is one of the things that makes Stealrat unique. Its operators used compromised sites to send out spam. They also used compromised machines, but only as mediators between the compromised sites and the spam server. This allowed them, in a way, to cover their tracks, as they left no clear evidence of a connection between the sites and their server.

Another interesting characteristic is that they also attempted to mask their network traffic by modifying its HTTP header to make it seem as if they were accessing normal domains. This shows the operators' resiliency in adapting to the security enforced in networks and their attempt to stay under the radar for as long as possible.

While compromising websites to send out spam is not a new technique, we believe that this particular botnet is worth a look, not just because of the volume of spam it has managed to send out but because of the subtle and gradual improvement of their methods. The StealRat botnet is a perfect example of determined operators who will try anything to thwart security defenses.

[14] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf

[15] http://blog.trendmicro.com/trendlabs-security-intelligence/latest-pushdo-variants-challenge-antimalware-solution/

A Appendix

A.1 MD5 Hashes


A.2 Sample Decryption Script (decrypt.py)

#!/usr/bin/env python3
# Sample decryption script for the data handled by SmMgr.
#
# Usage: decrypt.py <type> <file>
#   Type: 1 - Config file
#         2 - UDP traffic
#         3 - Email address list
#         4 - Spam template
#   Output: <file>.dec
import base64
import sys


def DecConfig(s1):
    # Config file: every byte is decremented by one (wrapping at 0).
    return bytes((b - 1) & 0xFF for b in s1)


def DecUDPTraffic(s1):
    # UDP debug traffic: every byte is XORed with 12.
    return bytes(b ^ 12 for b in s1)


def DecEmailList(s1):
    # Email address list: every byte is XORed with the preceding
    # ciphertext byte; the first byte is XORed with 18.
    out = bytearray()
    prev = 18
    for b in s1:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


def DecEmailTemplate(s1):
    # Spam template: base64-decoded, then every byte is XORed with 2.
    return bytes(b ^ 2 for b in base64.b64decode(s1))


DECODERS = {"1": DecConfig, "2": DecUDPTraffic,
            "3": DecEmailList, "4": DecEmailTemplate}


def main(argv):
    if len(argv) < 3 or argv[1] not in DECODERS:
        sys.stderr.write("Usage: decrypt.py <type 1-4> <file>\n")
        sys.exit(1)
    encrypted = argv[2]
    with open(encrypted, "rb") as source:
        s1 = source.read()
    if s1:
        with open(encrypted + ".dec", "wb") as out:
            out.write(DECODERS[argv[1]](s1))


if __name__ == "__main__":
    main(sys.argv)