Spam botnets. Project goals: Track a spam bot, and: Discover how the bot receives orders...

Transcript of Spam botnets. Project goals: Track a spam bot, and: Discover how the bot receives orders...

Page 1:

Spam botnets

Page 2:

Project goals: Track a spam bot, and:

•Discover how the bot receives orders

•Characterize its activity in the affected computer and in the network

•Discover how the bot composes SPAM messages.

My work and findings: I tracked its network activity and discovered that every time it runs, it connects to and downloads data from 66.199.251.242. The bot executable is encrypted. I extracted the original executable and found that the address 66.199.251.242 is hard-coded in the executable.

I analyzed the memory of the bot after it received data from this server and from the “network replayer” which I created, and found there the template of the SPAM and the data used in it: mail server addresses, mail usernames and spam content.

Page 3:

The spam:

•This is an advertisement for a site which promises pirated videos (of popular series)

•The fake sender is [email protected], and the recipient is [email protected]

Page 4:

The message source:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE></HEAD><BODY><center>
<style>(...English text...)</style>
Полное собрание сериалов <br> "Доктор Хаус","Остаться в живых" (Lost)<br>
<style>NOT to use them). neurobiology, cognitive the latest research in the patterns that or on the real relationship to use them (and when Facade, Proxy, and Factory somewhere in the world design problems, and better principles will help brain in a way that sticks. </style>
"Отчаянные домохозяйки","Побег из тюрьмы" <br>И десятки других!<a href="http://2009serial.com"><br>Дешевле не бывает!</a><br>
<style>(...English text...)</style>
</center></BODY></HTML>

The English text is surrounded by ‘style’ tags, which make it invisible.

It consists of a meaningless mix of parts of English sentences. My assumption: its purpose is to confuse anti-spam applications which filter messages by their text, by adding meaningless text.
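A filter that scores only what the recipient would actually see is immune to this padding. The following Python is an added example, not code from the original project: it separates rendered text from text inside style/script elements and reports the hidden share; the sample body is constructed to resemble the message above, with a placeholder link.

```python
from html.parser import HTMLParser


class VisibleTextExtractor(HTMLParser):
    """Splits text a mail client renders from text buried in style/script elements."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._hide_depth = 0  # >0 while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._hide_depth += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._hide_depth:
            self._hide_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self._hide_depth else self.visible).append(text)


def split_visible_hidden(html):
    """Return (rendered_text, hidden_text) for an HTML mail body."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), " ".join(parser.hidden)


def hidden_text_ratio(html):
    """Share of the body's text that is invisible; a large share is a padding signal."""
    visible, hidden = split_visible_hidden(html)
    total = len(visible) + len(hidden)
    return len(hidden) / total if total else 0.0


# Constructed sample modelled on the message above (not the captured original).
SAMPLE = (
    "<html><body><center>"
    "<style>the patterns that or on the real relationship Facade, Proxy, and Factory</style>"
    " Полное собрание сериалов <br>"
    '<a href="http://example.invalid"><br>Дешевле не бывает!</a>'
    "<style>brain in a way that sticks.</style>"
    "</center></body></html>"
)
```

Feeding only the rendered half to a text classifier makes the padding irrelevant, and the ratio itself is a cheap extra feature.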

Page 5:

Discovery of the bot executable

The file got into the home computer, probably through a vulnerability in Internet Explorer. Before cleaning the computer, I saved the file. A check on virustotal.com revealed that it is identified (among others) by McAfee as Spam-Mailbot and by Kaspersky as Trojan-Mailfinder.Win32.Mailbot.dp. Running it (while monitoring the communication) revealed that it communicates with a server at the address 66.199.251.242 and sends spam.

Page 6:

The spam bot has a strange executable...

There are no DLL imports. The file may be created by obfuscating tools, or contain an encrypted executable.

Page 7:

Another problem: the bot hides itself

The bot hides itself partially: its PID is hidden from the task manager, but not from netstat. 66.199.251.242 is the C&C server address. The PID 1944 doesn’t appear in the task manager.

Page 8:

Idea: use a debugger

In the memory of the bot, starting from address 0x00405000, there is a new executable (which is the decrypted code). The address 66.199.251.242 is hard-coded in the original executable.

Page 9:

The dependency walker shows the difference: now there are DLL imports, which means that the real executable was indeed encrypted inside the bot executable.

Page 10:

Network activity monitoring

The bot’s network activity was monitored and analyzed using Wireshark.

After its launch, the bot connects to some mail servers which are hard-coded in it, but sends no data to them.

Then it connects to 66.199.251.242, sends short messages and receives data.

After receiving the data, it starts to send SPAM. Every minute it requests more data from 66.199.251.242, and if it indeed receives data, it sends more SPAM.

Page 11:

The most contacted hosts (in 6-hour tracking)

•The most significant communication is with the C&C server

•The bot connected to more than 800 mail servers

Page 12:

More information...

Every minute it sends and receives data from 66.199.251.242.

The data is not encoded in a known plain-text protocol such as IRC or HTTP.

Every two minutes it connects to some mail servers (whose hostnames are hard-coded in the executable), apparently to check the internet connectivity.
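These two fixed intervals (one minute to the C&C address, two minutes to the hard-coded mail hosts) are what a defender can look for in connection logs. The Python below is an added example, not part of the original project: it groups outbound connections by destination and flags hosts contacted at a near-constant interval; the connection list is constructed, with a placeholder mail host address and documentation IPs for the SMTP targets.

```python
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(connections, min_count=5, max_cv=0.1):
    """Find destinations contacted at a near-constant interval.

    connections: iterable of (timestamp_seconds, dst_ip) for outbound connections.
    Returns {dst_ip: mean_gap_seconds} for hosts contacted at least min_count times
    whose inter-connection gaps vary by at most max_cv (stdev / mean).
    """
    times_by_dst = defaultdict(list)
    for ts, dst in connections:
        times_by_dst[dst].append(ts)
    beacons = {}
    for dst, times in times_by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[dst] = round(avg, 1)
    return beacons


# Constructed sample (not a real capture) mirroring the behaviour described above:
# the C&C address every ~60 s with small jitter, one hard-coded mail host every
# 120 s (the connectivity check), and one-off SMTP deliveries to many hosts.
SAMPLE_CONNECTIONS = (
    [(60 * i + i % 3, "66.199.251.242") for i in range(10)]
    + [(120 * i + 5, "203.0.113.25") for i in range(5)]  # placeholder mail host
    + [(t, f"192.0.2.{t % 200}") for t in (7, 19, 23, 41, 58, 77, 91, 130)]
)
```

The one-off SMTP targets never reach min_count, so only the two periodic destinations are reported, together with their period.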

Page 13:

During the tracking, it was discovered that many servers use partial protection from spam botnets: some servers refuse to receive mail from private internet users (if the IP is in a suitable range):

554 5.7.1 DSL or DialUp sender bzq-79-176-101-96.red.bezeqint.net [79.176.101.96] (1), please use Provider SMTP

Page 14:

Some statistics:

During 6 hours, the bot sent spam only in the first 30 minutes.

After 30 minutes, the server ceased to send new information to the bot.

During these 30 minutes, it tried to send approximately 4000 messages to more than 300 servers; about 300 of them were sent (as explained on the previous page, most of the servers refuse to accept messages from private IPs).

The C&C server sent 900KB to the bot.

Page 15:

More statistics

The messages that were accepted (about 300) were accepted by about 80 servers (roughly a quarter of the servers). On average about four messages were accepted per server.

The rest of the servers (more than 200) refused to accept the messages because they were sent from a dynamic IP, or because of other errors (for example, if the email address the spam was sent to does not exist). The bot kept connecting even to servers that refused to accept mail from it (that is, it did not keep a list of servers that refuse to accept spam from it). It apparently also did not keep lists of servers that accepted mail from it, but acted solely according to the address lists it received from the C&C server.

Less than 10% of its attempts to send messages succeeded. It managed to send about 10 messages per minute. At this rate, to send a million messages it would have to try to send more than 10 million messages to a million different servers, and it would take it 100,000 minutes - more than two months.

Page 16:

Network graphs

•The scale is bytes/sec.

•First graph: the beginning

•Second graph: after 30 minutes

•Third graph: after more than three hours

•The colors:

•Communication with 66.199.251.242

•DNS queries

•SMTP communication

Page 17:

Using the debugger again reveals the template of the spam:

Received: from {BOT_IP} by {MAILFROM_MX}; {DATE}
Date: {DATE}
From: {_nTagMailFrom}
X-Mailer: The Bat! ({nTheBat_2_ver}) {nTheBat_1_type}
Reply-To: {MAIL_FROM}
X-Priority: 3 (Normal)
Message-ID: <{DIGIT[9]}.{DIGIT[14]}@{MAILFROM_DOMAIN}>
To: {MAIL_TO}
Subject: {SUBJECT}
MIME-Version: 1.0
Content-Type: text/html; charset=koi8-r
Content-Transfer-Encoding: 8bit

{ENCODE}<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE></HEAD><BODY>{_BODY_HTML}</BODY></HTML>{/ENCODE}
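The fixed parts of this template (the X-Mailer string, the 9-digit.14-digit Message-ID, the koi8-r HTML body, the constant X-Priority, and the single forged Received line naming the sender's own domain as relay) can be turned into a detection signature. The Python below is an added example, not code from the original project; both sample messages are constructed with placeholder addresses and a made-up version string.

```python
import email
import re

# Message-ID shape fixed by the template: 9 digits, a dot, 14 digits, @domain.
TEMPLATE_MSGID = re.compile(r"^<\d{9}\.\d{14}@[^@>\s]+>$")

def template_indicators(raw_message):
    """Return the names of the template's fixed header features present in a raw message."""
    msg = email.message_from_string(raw_message)
    hits = []
    if (msg.get("X-Mailer") or "").startswith("The Bat!"):
        hits.append("x-mailer-thebat")
    if TEMPLATE_MSGID.match((msg.get("Message-ID") or "").strip()):
        hits.append("msgid-9x14-digits")
    if msg.get_content_type() == "text/html" and (msg.get_content_charset() or "").lower() == "koi8-r":
        hits.append("html-koi8r")
    if (msg.get("X-Priority") or "").startswith("3"):
        hits.append("x-priority-3")
    # The template forges exactly one Received line naming the sender domain's MX.
    received = msg.get_all("Received") or []
    sender_domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("<> \t")
    if len(received) == 1 and sender_domain and sender_domain in received[0]:
        hits.append("single-received-own-domain")
    return hits

def looks_like_template(raw_message, threshold=3):
    return len(template_indicators(raw_message)) >= threshold

# Constructed samples (not captured mail); addresses and version are placeholders.
SAMPLE_SPAM = """Received: from 192.0.2.10 by mx.example.com; Mon, 2 Mar 2009 10:00:00 +0300
From: "Sales" <3dsales@example.com>
X-Mailer: The Bat! (v3.99) Professional
X-Priority: 3 (Normal)
Message-ID: <123456789.12345678901234@example.com>
Content-Type: text/html; charset=koi8-r

<HTML><BODY>placeholder</BODY></HTML>
"""

SAMPLE_LEGIT = """Received: from mail.example.net by mx.example.org; Mon, 2 Mar 2009 11:00:00 +0000
Received: from [192.0.2.20] by mail.example.net; Mon, 2 Mar 2009 10:59:00 +0000
From: alice@example.net
Message-ID: <20090302105900.GA1234@example.net>
Content-Type: text/plain; charset=utf-8

Hi Bob
"""
```

No single indicator is conclusive (The Bat! is a real mail client), which is why the check requires several to co-occur.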

Page 18:

The C&C server also sends the recipient addresses:

The address in the first spam is: [email protected]. For each mail domain, there are mail usernames; here they are: 3dsales, hsales, ...

There are thousands of mail server names, addresses and names in the bot’s memory.

Page 19:

The network replayer

During the work I created (based on the code of a simple winsock server) a program that allows re-sending to the bot the saved instructions from the C&C server, which allows a controlled run of the virus with fixed input.

The method is based on exporting the communication from Wireshark to arrays in the C language, a script that goes over the arrays and adds information (for each array: the direction of the communication and its length), and the server that goes over them and transmits them to the bot.
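As an added example (not the original C replayer), the Python below implements the first two steps of the method: it parses a 'C Arrays' stream export into records carrying direction and length, and derives the send/expect sequence a replay server would follow. It assumes the export's peer0_N/peer1_N naming, with peer0 being the side that opened the connection (the bot); the export text and its payloads are constructed placeholders.

```python
import re

# One exported array per direction change, e.g. "char peer0_3[] = { /* Packet 9 */ ... };"
ARRAY_RE = re.compile(r"char\s+(peer[01])_(\d+)\[\]\s*=\s*\{(.*?)\};", re.S)
BYTE_RE = re.compile(r"0x([0-9a-fA-F]{2})")

def parse_c_arrays(export_text, bot_peer="peer0"):
    """Turn a 'C Arrays' stream export into ordered records with direction and length.

    Assumes the export names the side that sent the first packet peer0; here that is
    the bot, because it opens the connection to the C&C server.
    """
    records = []
    for peer, index, body in ARRAY_RE.findall(export_text):
        payload = bytes(int(h, 16) for h in BYTE_RE.findall(body))
        records.append({
            "peer": peer,
            "index": int(index),
            "direction": "bot_to_server" if peer == bot_peer else "server_to_bot",
            "length": len(payload),
            "payload": payload,
        })
    return records

def replay_plan(records):
    """Steps for a replay server: wait for as many bytes as the bot originally sent,
    then send the captured server response. Adjacent same-direction arrays merge."""
    plan = []
    for rec in records:
        step = (("expect", rec["length"]) if rec["direction"] == "bot_to_server"
                else ("send", rec["payload"]))
        if plan and plan[-1][0] == step[0]:
            kind, merged = plan.pop()
            step = (kind, merged + step[1])
        plan.append(step)
    return plan

# Constructed export with placeholder payloads (the real bot protocol is not plain text).
SAMPLE_EXPORT = """char peer0_0[] = { /* Packet 4 */
0x48, 0x45, 0x4c, 0x4f, 0x0a };
char peer1_0[] = { /* Packet 6 */
0x54, 0x41, 0x53, 0x4b, 0x3a, 0x31, 0x0a };
char peer1_1[] = { /* Packet 7 */
0x0d, 0x0a };
char peer0_1[] = { /* Packet 8 */
0x4f, 0x4b, 0x0a };
"""
```

A listening socket that walks the plan (recv until the expected byte count, then send the next payload) gives the sample the same server-side input on every run, which is what makes the memory analysis repeatable.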