Spam botnets

Project goals: track a spam bot, and:
• Discover how the bot receives orders
• Characterize its activity on the affected computer and in the network
• Discover how the bot composes SPAM messages

My work and findings:
I tracked its network activity and discovered that every time it runs, it connects to and downloads data from 66.199.251.242. The bot executable is encrypted. I extracted the original executable and found that the address 66.199.251.242 is hard-coded in it. I analyzed the memory of the bot after it received data from this server and from the "network replayer" which I created, and found there the template of the SPAM and the data used in it: mail server addresses, mail usernames and spam content.

The spam:
• This is an advertisement for a site which promises pirated videos (of popular series)
• The fake sender is [email protected], and the recipient is [email protected]

The message source:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE></HEAD><BODY>
<center><style>(...English text...)</style>
Полное собрание сериалов <br>
"Доктор Хаус","Остаться в живых" (Lost( <br><style>NOT to use them). neurobiology, cognitive the latest research in the patterns that or on the real relationship to use them (and when Facade, Proxy, and Factorysomewhere in the worlddesign problems, and better principles will helpbrain in a way that sticks. </style>
"Отчаянные домохозяйки","Побег из тюрьмы" <br>
И десятки других! <a href="http://2009serial.com"><br>Дешевле не бывает!</a><br>
<style>(...English text...) </style>
</center> </BODY></HTML>

The English text is surrounded by 'style' tags, which make it invisible. It consists of a meaningless mix of fragments of English sentences. My assumption: its purpose is to confuse anti-spam applications that filter messages by their text, by adding meaningless text.
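As an added illustration (not part of the original analysis), a small filter-side check for the trick just described: it splits a message into the text a reader sees and the text parked inside style tags, and flags style blocks that contain word salad rather than CSS. The sample message is constructed from the source quoted above; the class and function names are my own.

```python
import re
from html.parser import HTMLParser

class HiddenTextSplitter(HTMLParser):
    """Collect rendered text and <style>/<script> contents separately."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self._depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._depth += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        (self.hidden if self._depth else self.visible).append(data)

# A real stylesheet has rule blocks of the form  selector { property: value; }
CSS_RULE = re.compile(r"[\w\-.#*:,\s>]+\{[^}]*\}")

def looks_like_prose(text, min_words=8):
    """Heuristic: no CSS rule block and at least min_words ordinary words
    means the <style> element carries filler text, not styling."""
    if CSS_RULE.search(text):
        return False
    return len(re.findall(r"[A-Za-z]{2,}", text)) >= min_words

def audit(html):
    """Return the normalized visible text and how many hidden blocks look
    like prose, so a content filter can score the two parts separately."""
    p = HiddenTextSplitter()
    p.feed(html)
    p.close()
    visible = " ".join(" ".join(p.visible).split())
    salad = [t for t in p.hidden if looks_like_prose(t)]
    return {"visible": visible, "hidden_blocks": len(p.hidden),
            "hidden_prose_blocks": len(salad)}

# Constructed sample, cut down from the message source quoted above; the
# second <style> block is genuine CSS to show the heuristic telling them apart.
SAMPLE_SPAM = """<HTML><HEAD><TITLE></TITLE></HEAD><BODY><center>
<style>NOT to use them). neurobiology, cognitive the latest research in the
patterns that or on the real relationship to use them (and when Facade, Proxy,
and Factory somewhere in the world design problems</style>
Полное собрание сериалов <br> "Доктор Хаус","Остаться в живых" (Lost( <br>
<style>body { font-family: Arial; }</style>
И десятки других! <br>Дешевле не бывает!</center></BODY></HTML>"""
```

The heuristic is deliberately simple; a filter would combine the hidden-prose count with other signals rather than block on it alone.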
Discovery of the bot executable
The file got into my home computer, probably through a vulnerability in Internet Explorer. Before cleaning the computer, I saved the file. A check on virustotal.com showed that it is detected (among others) by McAfee as Spam-Mailbot and by Kaspersky as Trojan-Mailfinder.Win32.Mailbot.dp. Running it (while monitoring the communication) showed that it communicates with a server at 66.199.251.242 and sends spam.

The spam bot has a strange executable...
• There are no DLL imports
• The file may have been created by obfuscating tools, or contain an encrypted executable

Another problem: the bot hides itself
The bot hides itself partially: its PID is hidden from the Task Manager, but not from netstat.
• 66.199.251.242 is the C&C server address.
• The PID 1944 doesn't appear in the Task Manager.

Idea: use a debugger
In the memory of the bot, starting from address 0x00405000, there is a new executable (which is the decrypted code). The address 66.199.251.242 is hard-coded in the original executable.

The Dependency Walker shows the difference
Now there are DLL imports, which means that the real executable was indeed encrypted inside the bot executable.

Network activity monitoring
The bot's network activity was monitored and analyzed using Wireshark. After its launch, the bot connects to some mail servers which are hard-coded in it, but sends no data to them. Then it connects to 66.199.251.242, sends short messages and receives data. After receiving the data, it starts to send SPAM. Every minute it requests more data from 66.199.251.242, and if it indeed receives data, it sends more SPAM.

The most communicated hosts (in 6-hour tracking)
• The most significant communication is with the C&C server
• The bot connected to more than 800 mail servers

More information...
Every minute it sends and receives data from 66.199.251.242. The data is not encoded in a known plain-text protocol such as IRC or HTTP. Every two minutes it connects to some mail servers (whose hostnames are hard-coded in the executable), apparently to check internet connectivity.
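The behaviour just described (a poll of one host at a fixed interval, then SMTP connections to hundreds of distinct servers from a single PC) can be turned into host-level detection logic over flow records. The following is an added example, not from the original analysis; the flow log format and all records are constructed, and the port used for the C&C connection is a placeholder because the page does not give it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_flows(lines):
    """Each record: ISO timestamp, src, dst, dst port, bytes (constructed format)."""
    flows = []
    for line in lines:
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows

def beacon_candidates(flows, min_hits=5, jitter=timedelta(seconds=5)):
    """(src, dst, port) triples contacted at a near-constant interval, with
    that interval; the bot above polled its C&C server once a minute."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_key[(src, dst, dport)].append(ts)
    found = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= jitter for g in gaps):
            found[key] = median
    return found

def smtp_fanout(flows, min_servers=20):
    """Sources that open port-25 connections to many distinct servers; a home
    PC normally talks to one or two mail servers, this bot reached 800+."""
    per_src = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        if dport == 25:
            per_src[src].add(dst)
    return {s: len(d) for s, d in per_src.items() if len(d) >= min_servers}

def build_sample():
    """Constructed flow log: ten minutes of the infected host 10.0.0.5
    (poll every ~60 s to the C&C address from the page, port 8585 is a
    placeholder) plus one ordinary host sending a single mail."""
    t0 = datetime(2009, 1, 1, 12, 0, 0)
    lines = []
    for i in range(10):
        ts = t0 + timedelta(seconds=60 * i + i % 3)
        lines.append(f"{ts.isoformat()} 10.0.0.5 66.199.251.242 8585 300")
    for i in range(40):
        ts = t0 + timedelta(seconds=7 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 192.0.2.{i + 1} 25 1200")
    lines.append(f"{t0.isoformat()} 10.0.0.9 192.0.2.200 25 900")
    return lines
```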
During the tracking, it was discovered that many servers use partial protection from spam botnets: some servers refuse to receive mail from private internet users (if the IP is in a suitable range):
554 5.7.1 DSL or DialUp sender bzq-79-176-10196.red.bezeqint.net [79.176.101.96] (1), please use Provider SMTP

Some statistics:
During 6 hours, the bot sent spam only in the first 30 minutes. After 30 minutes, the server ceased to send new information to the bot. During these 30 minutes, it tried to send approximately 4000 messages to more than 300 servers; about 300 of them were sent (as explained on the previous page, most of the servers refuse to accept messages from private IPs). The C&C server sent 900KB to the bot.

More statistics
The messages that were accepted (about 300) were accepted by about 80 servers (roughly a quarter of the servers); on average about four messages per server were accepted. The remaining servers (more than 200) refused the messages because they were sent from a dynamic IP, or because of other errors (for example, if the mail address the spam was sent to does not exist). The bot kept connecting even to servers that had refused its messages (that is, it did not keep a list of servers that refuse its spam). It apparently also did not keep lists of servers that had accepted mail from it, but acted solely on the address lists it received from the C&C server. Less than 10% of its attempts to send messages succeeded. It managed to send about 10 messages per minute. At this rate, to send a million messages it would need to attempt more than 10 million messages to a million different servers, which would take it 100,000 minutes, more than two months.

Network graphs
• The scale is bytes/sec.
• First graph: the beginning
• Second graph: after 30 minutes
• Third graph: after more than three hours
• The colors:
  • Communication with 66.199.251.242
  • DNS queries
  • SMTP communication

Using the debugger again reveals the template of the spam
Received: from {BOT_IP} by {MAILFROM_MX}; {DATE}
Date: {DATE}
From: {_nTagMailFrom}
X-Mailer: The Bat! ({nTheBat_2_ver}) {nTheBat_1_type}
Reply-To: {MAIL_FROM}
X-Priority: 3 (Normal)
Message-ID: <{DIGIT[9]}.{DIGIT[14]}@{MAILFROM_DOMAIN}>
To: {MAIL_TO}
Subject: {SUBJECT}
MIME-Version: 1.0
Content-Type: text/html; charset=koi8-r
Content-Transfer-Encoding: 8bit

{ENCODE}<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE> </HEAD> <BODY>
{_BODY_HTML}
</BODY></HTML>{/ENCODE}

The C&C server also sends the recipient addresses: the address in the first spam is [email protected]. After each mail domain, there are mail usernames; here they are 3dsales, hsales, ... There are thousands of mail server names, addresses and names in the bot's memory.

The network replayer
During the work I created (based on the code of a simple winsock server) a program that makes it possible to replay saved instructions from the C&C server to the bot, which allows a controlled run of the virus with fixed input. The method is based on exporting the traffic from Wireshark to C arrays, a script that goes over the arrays and adds information (for each array: the direction of the communication and its length), and the server that goes over them and transmits them to the bot.
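An added example in the spirit of the replayer described above (my own code, not the author's winsock program): it parses the C arrays that Wireshark writes from the Follow TCP Stream dialog, where I assume peer0_N arrays hold the bot's side and peer1_N the server's, and replays the server's chunks in order, pausing until the bot has sent as many bytes as it did in the recording. The sample export is constructed, not real C&C data, and the demo stands in for the bot with a local socket pair.

```python
import re
import socket

ARRAY_RE = re.compile(r"char\s+(peer[01])_\d+\[\]\s*=\s*\{(.*?)\};", re.S)  # peer0 = bot, peer1 = C&C

def parse_c_arrays(text):
    """Export text -> [(direction, length, bytes)] in capture order."""
    script = []
    for peer, body in ARRAY_RE.findall(text):
        data = bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", body))
        script.append(("from_bot" if peer == "peer0" else "to_bot", len(data), data))
    return script

def recv_exact(conn, n):
    """Read exactly n bytes, or fewer if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def replay(conn, script):
    """Play the C&C side: send each recorded server chunk, and before moving on
    wait until the bot has sent as many bytes as it did in the capture.
    Returns the bot's requests so they can be diffed against the recording."""
    received = []
    for direction, length, data in script:
        if direction == "to_bot":
            conn.sendall(data)
        else:
            received.append(recv_exact(conn, length))
    return received

# Constructed sample export: two request/response rounds, not real C&C data.
SAMPLE_EXPORT = """char peer0_0[] = { /* Packet 4 */ 0x48, 0x45, 0x4c, 0x4f };
char peer1_0[] = { /* Packet 6 */ 0x54, 0x41, 0x53, 0x4b, 0x31 };
char peer0_1[] = { /* Packet 8 */ 0x4d, 0x4f, 0x52, 0x45 };
char peer1_1[] = { /* Packet 10 */ 0x54, 0x41, 0x53, 0x4b, 0x32 };
"""

def demo():
    """Run the replayer over a socket pair against a stand-in bot that has
    queued its recorded requests; returns (requests seen, bytes the bot got)."""
    script = parse_c_arrays(SAMPLE_EXPORT)
    server_end, bot_end = socket.socketpair()
    for direction, _, data in script:
        if direction == "from_bot":
            bot_end.sendall(data)
    seen = replay(server_end, script)
    got = recv_exact(bot_end, sum(n for d, n, _ in script if d == "to_bot"))
    server_end.close(); bot_end.close()
    return seen, got
```

Against a live sample the server end would be a listening socket on the C&C address the sandbox redirects to, and a mismatch between the bot's requests and the recording is itself a finding.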