Watch a live spam bot in action.
Wednesday November 1, 2006 at 9:56 am CST
Posted by Chris Barton
Ever wondered how a trojan-infected computer gets its orders to spam? Take a peek with me into one trojan's junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.
The SMTP-sending trojan first phones home for its task list, via HTTP on the SMTP port (25). Port 25 on the host machine is running Apache/1.3.37 — this is a very unusual place to find Apache running.
The task list looks like this:
$GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1" 10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|http://get.example.com:8091/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
(line breaks and spaces added for readability)
The response it got is in the following format:
“tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”
So in the example above, the bot got 3 tasks. We'll take a look at the first one in more detail.
The first URL in the task format points to the message to be spammed. In this case it is image spam.
Received: (qmail 8366 invoked by uid 7); [%DATE%]
Received: from unknown (HELO kwkpxyfcv) (6.67.3.0) by [%MY_IP%] with SMTP; [%DATE%]
Message-ID:
From: "JEFF R. BORKGREN"
To:
Subject: Re: Re: Re: Re:
Date: Wed, 1 Nov 2006 08:10:08 -0600
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_[%BOUNDARY_ID_1%]"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506

This is a multi-part message in MIME format.

------=_NextPart_[%BOUNDARY_ID_1%]
Content-Type: multipart/alternative; boundary="----=_NextPart_[%BOUNDARY_ID_2%]"
There is a fairly mundane HTML body, filled with the usual Bayes-poison text. This is followed by a MIME block containing "yXvYg8bLkB.gif": a simple base64-encoded pharmacy spam image with "random noise". You'll notice below that this mail is being sent to many recipients, not just one. Things to note about this template are that the Date header is hard-coded, as are the From header, the Subject and the two fake Received headers.
The next URL in the task is the address list. These lists are in the following format and run to around 200 lines each.
username_was_here@example.com 209.202.208.20,205.158.62.116
another_username@another.example.com 64.4.50.50,65.54.244.8,...
This is in the format "address, a space, then a comma-separated list of mail exchanger IP addresses". This is a very interesting point: the bot is told where to connect to deliver the mail for every single address. This saves it looking up the MX record, making it quicker and giving the spammer greater control over delivery.
The workflow is thus:
- The bot connects to the subscription server for a tasklist.
- The bot processes that list on a line-by-line basis:
  - It downloads the spam.
  - It downloads the address and mail exchanger list.
  - It sends the spam, making the appropriate local macro substitutions for Date, address, MIME boundary, etc.
- The bot reports back delivery data via the two report URLs.
- The bot starts again from the beginning.

November 1st, 2006 at 11:31 am
Hi Chris,
William Salusky here, a volunteer handler with the Internet Storm Center. Great post, but maybe it's worth mentioning that what you've overviewed here is only one particular methodology used by spambots that are phone-home and template-driven, vs. a typical generic SOCKS proxybot that requires an upstream controller to manage all SMTP sessions.
Can you also provide us with the AV classification that McAfee has given to this particular sample? If possible I’d also love it if you could share the md5 hash from the original sample to determine we’ve seen this one specifically.
thanks,
W
November 5th, 2006 at 11:34 pm
Thank you, I have been TRYING to let McAfee know for a year that they have had trouble with viruses and worms. Whether from a third party I don't know, but I traced it through an independent scan for PUPs, and McAfee kept coming up again & again, from South America, Venezuela.
I rang McAfee, and was told "This is a load of bullshit, we don't have ANY problems, thank you. Now just redownload & she'll be right mate, and stop trying to say we have PUPs."
But I have just been reconnected again, after being offline, and had to download McAfee again, and again I got up on Saturday, Australian Daylight Savings Time, and my PC was acting weirdly, and I scanned; it came up with nothing until today, 6/11/06 Monday: PUP worm "W32/IRCbot.worm". Well, well, well, what a surprise, hey. I have downloaded "Stinger", thank you, and hope this helps. It (the worm) has crashed my PC today over & over. Spybot won't work. Microsoft Works 8 has disappeared, and I keep getting "error 500" messages constantly, so closing & restarting.
I think this worm is QUITE more serious than low profile, as my PC has even returned to WINDOWS 98 Edition!!!! Please warn others that this may have mutated and seems to hide in the hard drive, just waiting for the "right" program to attack. It is VERY selective, but EXTREMELY tough & resilient even to the latest removal tools etc. OK. So PLEASE let it be posted on the web if you could. And perhaps have another look at its functioning capabilities and destructive capabilities.
Thank you for your help with keeping us posted out here; we rely on you people.
Featherfire Lennon
striker@bigpond.net.au