Today while I was casually going through my sandnet logs, one malware outbound communication suddenly caught my attention. This communication certainly looked like a SPAM template download. Unlike other famous botnets like Cutwail, Rustock, Tofsee, Srizbi, Xarvester, etc, the spam template was in plain text and all the artifacts were clearly visible.
This first question in my mind was to find the name of this SPAM bot. A virustotal report could help, but in this case, it confused me further.
See it for yourself:
292a5adf25ddf66b98616243fdd11ed7
My next attempt was to search for some information based on the command and control name 'endsolar.com'. But no luck..
I had no choice but to start my investigation from point zero. Here are some of my findings:
Name:
I'm not sure.
Infection Vector:
The name of the malware binary file (as it reached me) was e-card.exe. It's not difficult to understand that this might be the outcome of yet another social engineering based mail campaign which lures users to click on fake greeting cards link.
Rootkit:
No real attempt was made by this malware instance to hide itself deeply on the infected system. Upon execution, this malware copies itself under %WINDOWS%/SYSTEM with the name of 'winlogon.exe', and further adds itself under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it will start on every system start up.
SPAM:
It's another template based SPAM bot like all the major players. This SPAM template was divided into different logical sections which I'll explain one by one:
The top most part is a big list of harvested email addresses. This list is used by the bot to send SPAM emails.
The second part of the template looks like this:
..Return-Path: %_FROM%
Date: %_DATE%
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
From: %_FROM%
To: %_TO%
Subject: %_SUBJECT% %RANDOM_TEXT[4-6]%
This is the template for the SPAM email header where the text between '%' signs is a dynamic field. "%_SUBJECT%" will be filled by any of these strings:
{Impress every single woman !|Impress her now |Are you a stud
?|Don't be left behind |Supercharged in bed|Supercharge and
impress!|Women will worship you|Best enhancement product|Brand new E D
product|Last change to enlarge|Huge en largement sale|Boyfriend has it
too small ?|Why be average and small ?|Don't settle for small|Be better
than other man|Biggest one around|She will love you the most|Blow her
mind tonight}
Subject: %_SUBJECT% %RANDOM_TEXT[4-6]%
Furthermore, the subject text will be appended by random text of 4 to 6 characters. Clearly it's an attempt to evade signature based SPAM filters.
The next part of the template looks like this
http://www.bing.com/search?q=powermaxxx+powergain&go=%RANDOM_TEXT[2-4]%%RANDOM_TEXT[5-10]%%_REAL_SENTENCE[8-15]
%_REAL_SENTENCE[3-10]%%_REAL_SENTENCE[2-10]%.H.
Pretty interesting move here as well. The search query to bing.com is just there to pop up a site name www.powermaxxx.com which is supposed to be an online pharmacy selling male enhancement pills. Instead of giving a direct link to this phishing site, this malware wrapped it inside a 'bing' search query and added randomized text in the end to make it further difficult for SPAM filters.
Command and Control:
The server responsible for distributing the SPAM template was 'endsolar.com' which at the time of writing this article is resolving to 208.77.45.146.
The WHOIS record for this domain looks like this
Registration Service Provided By: NameCheap.com
Contact:
Visit: http://www.namecheap.com/
Domain name: endsolar.com
Registrant Contact:
n/a
David Posada ()
Fax:
2464 Lawrence Ave W
Toronto, Ontario M4K5N5
CA
Administrative Contact:
n/a
David Posada ()
+1.4169285255
Fax: +1.5555555555
2464 Lawrence Ave W
Toronto, Ontario M4K5N5
CA
Creation date: 25 Feb 2009 18:26:55
Expiration date: 25 Feb 2011 18:26:55
The WHOIS record for the 208.77.45.146 is:
OrgName: AKANOC Solutions Inc.
OrgID: AKANO
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
An IP reverse look up shows that there are 4 more domains hosted on the same server..
B00mer.com
Fullpharm.com
Powerfuller.com
Solarwon.com
All are serving different variants of the same malware…
Binary Analysis:
The main binary was packed. A binary scan against my packer database did not yield any match. With a little effort I was able to extract the unpacked version from the physical memory. This dump was good enough to give me some clues about hidden malware functionality.
1. Binary compilation date, or rather packing date, from IMAGE_FILE_HEADER structure is as follows:
2009/03/25.
2. Code structure and symbol analysis shows that it was developed in Microsoft Visual C++ 6.0 where some part was written with MFC.
3. This malware has the ability to snatch Windows address book for harvesting emails (WAB):
4. It has the ability to search for an Outlook Express installation on the infected system and further use it to extract emails addressed from Outlook databases.
5. It opens a backdoor on a random TCP port. This backdoor functionality is somewhat unusual for a SPAM bot.
There are many other aspects of this botnet which I am skipping for today; I will try to cover them in some future article.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
How did you extract the binary from memory? Ollydump?
Response:
You may use volatility…
https://www.volatilesystems.com/
Atif Mushtaq