This project aims to track a spam bot and analyze its activity in the affected computer and network. Findings include identifying the bot's server address, decoding its spam messages, and discovering its purpose.
Project goals: Track a spam bot, and:
• Discover how the bot receives orders
• Characterize its activity in the affected computer and in the network
• Discover how the bot composes SPAM messages
My work and findings:
• I tracked its network activity and discovered that every time it runs, it connects to and downloads data from 66.199.251.242.
• The bot executable is encrypted. I extracted the original executable and found that the address 66.199.251.242 is hard-coded in the executable.
• I analyzed the memory of the bot after it received data from this server and from the "network replayer" which I created, and found there the template of the SPAM and the data used in it: mail server addresses, mail usernames and spam content.
The spam:
• This is an advertisement for a site which promises pirated videos (of popular series).
• The fake sender is xxq@boldin.com, and the recipient is ska@mitsubishi-motors.by.
The message source:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE></HEAD><BODY>
<center><style>(...(... English text</style>
Полное собрание сериалов <br>
"Доктор Хаус","Остаться в живых" (Lost) <br>
<style>NOT to use them). neurobiology, cognitive the latest research in the patterns that or on the real relationship to use them (and when Facade, Proxy, and Factorysomewhere in the worlddesign problems, and better principles will helpbrain in a way that sticks. </style>
"Отчаянные домохозяйки","Побег из тюрьмы" <br>
И десятки других! <a href="http://2009serial.com"><br>Дешевле не бывает!</a><br>
<style>(...(... English text </style>
</center> </BODY></HTML>
• The English text is surrounded by 'style' tags, which make it invisible.
• It consists of a meaningless mix of parts of English sentences.
• My assumption: its purpose is to confuse anti-spam applications which filter messages by their text, by adding meaningless text.
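A detection-side illustration of the trick described above, added here and not part of the original project: the parser separates the text a mail client would render from text buried in <style> tags and flags the message when the hidden filler outweighs the visible content. The sample message and the ratio threshold are constructed.

```python
# Added example (not from the original project): split what a mail client
# renders from text hidden in <style> tags and flag filler-heavy messages.
# The sample message and the ratio threshold are constructed.
from html.parser import HTMLParser


class VisibleVsHidden(HTMLParser):
    """Collect rendered text separately from text inside <style> blocks."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._in_style = 0

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style += 1

    def handle_endtag(self, tag):
        if tag == "style" and self._in_style:
            self._in_style -= 1

    def handle_data(self, data):
        # HTMLParser hands <style> contents to handle_data as raw text
        (self.hidden if self._in_style else self.visible).append(data)


def hidden_text_report(html, max_ratio=1.0):
    """Word counts of visible vs. hidden text and a verdict on the ratio."""
    p = VisibleVsHidden()
    p.feed(html)
    p.close()
    visible = " ".join(p.visible).split()
    hidden = " ".join(p.hidden).split()
    ratio = len(hidden) / max(len(visible), 1)
    return {"visible_words": len(visible), "hidden_words": len(hidden),
            "hidden_ratio": round(ratio, 2), "suspicious": ratio > max_ratio}


SAMPLE = (  # constructed to mirror the layout of the message above
    '<html><body><center>'
    '<style>neurobiology, cognitive the latest research in the patterns</style>'
    'Full set of TV series<br>Cheapest ever! <a href="http://example.invalid">link</a>'
    '<style>design problems, and better principles will help brain in a way</style>'
    '</center></body></html>'
)
```

Running it on the page's real message would give the same shape of result: a few visible Russian lines against several hundred words of hidden English.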
Discovery of the bot executable
• The file got into the home computer, probably through a vulnerability in Internet Explorer.
• Before cleaning the computer, I saved the file.
• A check on virustotal.com revealed that it is identified (among others) by McAfee as Spam-Mailbot, and by Kaspersky as Trojan-Mailfinder.Win32.Mailbot.dp.
• Running it (while monitoring its communication) revealed that it communicates with a server at the address 66.199.251.242, and sends spam.
The spam bot has a strange executable...
• There are no DLL imports.
• The file may have been created by obfuscating tools, or contain an encrypted executable.
Another problem: the bot hides itself
• The bot hides itself partially: its PID is hidden from the task manager, but not from netstat.
• 66.199.251.242 is the C&C server address. The PID 1944 doesn't appear in the task manager.
Idea: use a debugger
• In the memory of the bot, starting from address 0x00405000, there is a new executable (which is the decrypted code).
• The address 66.199.251.242 is hard-coded in the original executable.
The dependency walker shows the difference
• Now there are DLL imports, which means that the real executable was indeed encrypted inside the bot executable.
Network activity monitoring
• The bot's network activity was monitored and analyzed using Wireshark.
• After its launch, the bot connects to some mail servers which are hard-coded in it, but sends no data to them.
• Then, it connects to 66.199.251.242, sends short messages and receives data.
• After receiving the data, it starts to send SPAM.
• Every minute it requests more data from 66.199.251.242, and if it indeed receives data, it sends more SPAM.
The most communicated hosts (in 6-hour tracking)
• The most significant communication is with the C&C server.
• The bot connected to more than 800 mail servers.
More information...
• Every minute it sends and receives data from 66.199.251.242.
• The data is not encoded in a known plain-text protocol such as IRC or HTTP.
• Every two minutes it connects to some mail servers (whose hostnames are hard-coded in the executable), apparently to check the internet connectivity.
During the tracking, it was discovered that many servers use partial protection from spam botnets:
• Some servers refuse to receive mail from private internet users (if the IP is in a suitable range):
554 5.7.1 DSL or DialUp sender bzq-79-176-101-96.red.bezeqint.net [79.176.101.96] (1), please use Provider SMTP
Some statistics:
• During 6 hours, the bot sent spam only in the first 30 minutes.
• After 30 minutes, the server ceased to send new information to the bot.
• During these 30 minutes, it tried to send approximately 4000 messages to more than 300 servers; about 300 of them were sent (as explained on the previous page, most of the servers refuse to accept messages from private IPs).
• The C&C server sent 900KB to the bot.
More statistics
• The messages that were accepted (about 300) were accepted by about 80 servers (about a quarter of the servers). On average, about four messages per server were accepted.
• The rest of the servers (more than 200) refused to accept the messages because they were sent from a dynamic IP, or because of other errors (for example, if the email address the spam was sent to does not exist).
• The bot kept connecting to servers that had refused to accept messages from it (that is, it did not keep a list of servers that refuse to accept spam from it).
• It apparently also did not keep lists of servers that accepted mail from it, but acted solely according to the address lists it received from the C&C server.
• Less than 10% of its attempts to send messages succeeded.
• It managed to send about 10 messages per minute.
• At this rate, to send a million messages it would need to try to send more than 10 million messages to a million different servers, which would take it 100,000 minutes, more than two months.
Network graphs
• The scale is bytes/sec.
• First graph: the beginning
• Second graph: after 30 minutes
• Third graph: after more than three hours
• The colors: communication with 66.199.251.242; DNS queries; SMTP communication
Using the debugger again reveals the template of the spam:
Received: from {BOT_IP} by {MAILFROM_MX}; {DATE}
Date: {DATE}
From: {_nTagMailFrom}
X-Mailer: The Bat! ({nTheBat_2_ver}) {nTheBat_1_type}
Reply-To: {MAIL_FROM}
X-Priority: 3 (Normal)
Message-ID: <{DIGIT[9]}.{DIGIT[14]}@{MAILFROM_DOMAIN}>
To: {MAIL_TO}
Subject: {SUBJECT}
MIME-Version: 1.0
Content-Type: text/html; charset=koi8-r
Content-Transfer-Encoding: 8bit
{ENCODE}<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML><HEAD><TITLE></TITLE> </HEAD> <BODY> {_BODY_HTML} </BODY></HTML>{/ENCODE}
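An added example, not from the original project: a header check derived from this template, treating the Message-ID shape ({DIGIT[9]}.{DIGIT[14]}@domain), the X-Mailer claim, the text/html plus koi8-r pair, the 8bit encoding, the fixed X-Priority and the reuse of {DATE} in both Received and Date as independent indicators, and counting how many a message shows. The sample message and the minimum hit count are constructed.

```python
# Added example (not from the original project): score a message against
# traits of the spam template above. The sample below is constructed.
import email
import re

MSGID_RE = re.compile(r"^<\d{9}\.\d{14}@[^@\s>]+>$")   # {DIGIT[9]}.{DIGIT[14]}


def template_indicators(raw):
    """Return the template traits a raw RFC 822 message shows."""
    msg = email.message_from_string(raw)
    hdr = lambda name: (msg.get(name) or "").strip()
    hits = []
    if MSGID_RE.match(hdr("Message-ID")):
        hits.append("message-id is 9 digits '.' 14 digits")
    if hdr("X-Mailer").startswith("The Bat!"):
        hits.append("X-Mailer claims The Bat!")
    if msg.get_content_type() == "text/html" and msg.get_content_charset() == "koi8-r":
        hits.append("text/html body declared as koi8-r")
    if hdr("Content-Transfer-Encoding").lower() == "8bit":
        hits.append("8bit transfer encoding")
    if hdr("X-Priority") == "3 (Normal)":
        hits.append("fixed X-Priority: 3 (Normal)")
    # the template stamps the same {DATE} into the forged Received header and Date
    if hdr("Date") and any(r.strip().endswith(hdr("Date")) for r in msg.get_all("Received") or []):
        hits.append("a Received timestamp identical to Date")
    return hits


def matches_template(raw, min_hits=3):
    """Triage decision: enough independent traits are present at once."""
    return len(template_indicators(raw)) >= min_hits


SAMPLE_SPAM = """Received: from 192.0.2.10 by mx.example.com; Mon, 2 Mar 2009 10:00:00 +0000
Date: Mon, 2 Mar 2009 10:00:00 +0000
From: xxq@example.com
X-Mailer: The Bat! (v3.99.3) Professional
X-Priority: 3 (Normal)
Message-ID: <123456789.20090302100000@example.com>
To: ska@example.org
MIME-Version: 1.0
Content-Type: text/html; charset=koi8-r
Content-Transfer-Encoding: 8bit

<html><body>constructed sample</body></html>
"""
```

No single trait is conclusive (legitimate The Bat! users exist), which is why the decision rests on the count rather than any one header.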
The C&C server also sends the recipient addresses:
• The address in the first spam is: ska@mitsubishi-motors.by
• After each mail domain, there are mail usernames: here they are 3dsales, hsales, ...
• There are thousands of mail server names, addresses and names in the bot's memory.
The network replayer
• During the work I created (based on the code of a simple winsock server) a program that allows re-transmitting to the bot saved instructions from the C&C server, which enables controlled execution of the virus with fixed input.
• The method is based on exporting the communication from Wireshark to C-language arrays, a script that goes over the arrays and adds information (for each array: the direction of the communication, and its length), and the server that goes over them and transmits them to the bot.
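An added Python counterpart to the replayer, not the author's C code: it reads a Wireshark "C Arrays" export (assumed to use the `char peerN_M[] = { ... };` layout that Follow TCP Stream produces, with peer0 being the bot and peer1 the C&C server), derives direction and length for each array as the author's script did, and serves the server-side arrays back to a bot that connects to a local listener. The export text is constructed.

```python
# Added example (not the author's C replayer): parse a Wireshark "C Arrays"
# export of the C&C stream and replay the server side to a locally connecting
# bot. Assumed layout: "peer0_N" = bytes the bot sent, "peer1_N" = C&C bytes.
import re
import socket

ARRAY_RE = re.compile(r"char\s+peer(\d)_(\d+)\[\]\s*=\s*\{(.*?)\};", re.S)
HEX_RE = re.compile(r"0x([0-9a-fA-F]{2})")


def parse_c_arrays(text):
    """Return [(peer, bytes), ...] in capture order."""
    return [(int(peer), bytes(int(h, 16) for h in HEX_RE.findall(body)))
            for peer, _idx, body in ARRAY_RE.findall(text)]


def build_plan(chunks, bot_peer=0):
    """Tag each array with direction and length, as the author's script did."""
    return [("recv" if peer == bot_peer else "send", len(data), data)
            for peer, data in chunks]


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("bot closed the connection early")
        buf += part
    return buf


def replay(conn, plan):
    """Consume each recorded bot message, then push the recorded reply."""
    for action, length, data in plan:
        if action == "recv":
            recv_exact(conn, length)
        else:
            conn.sendall(data)


def serve_once(plan, host, port):
    with socket.socket() as srv:      # accept one bot connection, then replay
        srv.bind((host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            replay(conn, plan)


SAMPLE_EXPORT = """char peer0_0[] = { /* Packet 4 */
0x48, 0x45, 0x4c, 0x4f };
char peer1_0[] = { /* Packet 6 */
0x4f, 0x4b, 0x0d, 0x0a };
"""
```

Because the bot's requests are consumed by length rather than parsed, the same harness works even though the C&C protocol is not a known plain-text one.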