HOW TO FIND A HIDDEN SPAMMER
By Andrew Brandt, Solera Networks

HOW IT STARTS
The typical spam campaign starts with a social engineering hook, which attempts to convince the reader to click a link in the message body.
SAY HELLO TO MALWARE
These links can lead to pages hosting malware: .EXE files inside .ZIP archives. They can also use browser exploits to force an install on the victim's computer without the victim choosing to run anything.
THESE ARE STEPPING STONES
The infected machine is not the final target. The installed Trojan turns it into a spam relay, a stepping stone for the next wave of the campaign.

HOW THEY WORK
These specialized Trojans retrieve instructions from a command-and-control server that include the body of the spam message and a list of mail servers and victim email addresses to which the Trojan sends the messages.
THE GOOD NEWS / THE BAD NEWS
GOOD NEWS: The offending machines are easy to identify and segregate.
BAD NEWS: Thousands more people could end up receiving malicious messages, which might result in your own network ending up on a spam blacklist.
USING THE RIGHT TOOLS
Using Solera's DeepSee, we saw that in just 20 seconds the Trojan dispatched 181 identical messages.
USING DEEPSEE
Using DeepSee, take note of the IP address(es) of your usual mail servers, then create a Favorite with the query:

ipv4_address!=your_mail_server application_id=SMTP

That will bring to the fore all non-mail servers that are sending email using the SMTP protocol. Because the first term excludes every flow involving a mail server address, workstations submitting mail to your own server drop out of the view; what remains is hosts talking SMTP directly to outside mail servers, which is exactly what a relay Trojan does. If you run several mail servers, exclude each of them.
SETTING UP ALERTS
Once you've created that Favorite, you can set up alerts to watch for traffic matching the rule. Typical malicious behavior might involve a large volume of mail being sent by machines meeting these criteria in a short period of time. The most obvious standouts will be sending messages at odd hours, such as when nobody should be at work (holidays/weekends).
CATCHING THE SLOWER ONES
Look at the traffic generated by a much more low-key spam relay Trojan. The Trojan responsible sent these Canadian pharmacy, knockoff watch, and "dating site" spams at a much slower rate of about two messages per minute. While the low volume may keep the messages under the radar of a rate-based alert, you might consider setting up alerts looking for the subject matter of the messages.
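The query, the rate alert and the subject-matter alert from the three slides above, as an added example in Python that is not DeepSee and not Solera's code: it filters constructed flow records the way `ipv4_address!=your_mail_server application_id=SMTP` does, then ranks each remaining sender by its peak rate in a 60-second window, its off-hours activity and spam-like subjects. The mail server address, the thresholds, the business-hours policy and all flow records are assumptions constructed for the example.

```python
"""Spot SMTP traffic from hosts that are not your mail servers, then rank the
senders by burst rate, off-hours activity and spam-like subjects.

Added example for this page; it is not DeepSee and not Solera's code.  The flow
records below are constructed to resemble what the query
`ipv4_address!=your_mail_server application_id=SMTP` would bring up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

MAIL_SERVERS = {"10.0.0.25"}          # assumed: the site's legitimate mail relay(s)
BURST_WINDOW = timedelta(seconds=60)  # assumed alert window
BURST_THRESHOLD = 50                  # assumed: messages per window that count as a burst
BUSINESS_HOURS = range(7, 19)         # assumed: 07:00-18:59, Monday to Friday
SPAM_SUBJECT = re.compile(r"pharmacy|replica|watch|dating", re.I)  # themes named on the page


def make_sample_flows():
    """Constructed sample: (timestamp, src, dst, dst_port, application, subject)."""
    flows = []
    # Fast relay: 181 identical messages in 20 seconds on a Saturday morning.
    t0 = datetime(2012, 6, 9, 3, 14, 0)            # 2012-06-09 is a Saturday
    for i in range(181):
        flows.append((t0 + timedelta(seconds=20 * i / 181), "10.0.0.42",
                      "203.0.113.%d" % (i % 40 + 1), 25, "SMTP", "Your account"))
    # Slow relay: about two messages per minute during business hours.
    t1 = datetime(2012, 6, 11, 10, 0, 0)           # a Monday
    subjects = ["Canadian Pharmacy discount", "Replica watches", "Dating site invite"]
    for i in range(6):
        flows.append((t1 + timedelta(seconds=30 * i), "10.0.0.57",
                      "198.51.100.%d" % (i + 1), 25, "SMTP", subjects[i % 3]))
    # Legitimate: a workstation submitting to the corporate mail server and the
    # mail server delivering outbound mail.  Both involve a MAIL_SERVERS address,
    # so the query excludes them.
    flows.append((t1, "10.0.0.10", "10.0.0.25", 25, "SMTP", "Meeting notes"))
    flows.append((t1, "10.0.0.25", "192.0.2.10", 25, "SMTP", "Meeting notes"))
    # Unrelated traffic from the slow relay, dropped by the application filter.
    flows.append((t1, "10.0.0.57", "192.0.2.80", 80, "HTTP", ""))
    return flows


def non_mail_server_smtp(flows, mail_servers=MAIL_SERVERS):
    """Equivalent of `ipv4_address!=mail_server application_id=SMTP`: keep SMTP
    flows where neither endpoint is a known mail server."""
    return [f for f in flows
            if f[4] == "SMTP" and f[1] not in mail_servers and f[2] not in mail_servers]


def peak_rate(timestamps, window=BURST_WINDOW):
    """Largest number of messages falling inside any span of `window` length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def off_hours(ts):
    """Weekend, or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def triage(flows):
    """Summarise every non-mail-server SMTP source so an analyst can rank them."""
    by_src = defaultdict(list)
    for f in non_mail_server_smtp(flows):
        by_src[f[1]].append(f)
    report = {}
    for src, fs in by_src.items():
        peak = peak_rate([f[0] for f in fs])
        report[src] = {
            "messages": len(fs),
            "peak_per_window": peak,
            "burst": peak >= BURST_THRESHOLD,
            "off_hours": sum(off_hours(f[0]) for f in fs),
            "spam_subjects": sum(1 for f in fs if SPAM_SUBJECT.search(f[5])),
        }
    return report


if __name__ == "__main__":
    for src, r in sorted(triage(make_sample_flows()).items()):
        print(src, r)
```

The fast relay trips the burst rule and the off-hours rule; the slow relay trips neither, and only the subject rule catches it, which is the point of the slide above. The legitimate workstation and the mail server never reach the report because the filter mirrors the DeepSee query.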
CATCHING THE SLOWER ONES
Detect and extract the command-and-control traffic between the infected host and its botnet HQ. Spam relay Trojans must receive instructions, or they can't do their job. Check out this extraction of traffic generated by just such a Trojan.

CATCHING THE SLOWER ONES
The CnC traffic is made even more obvious by its inclusion of a second, extraneous port number. (Hint: search for http_uri~:8080:80 in the Path Bar.)
MORE DISCOVERIES
Once you find the CnC traffic, extraction can lead to more discoveries, but in this case the traffic seems to be unreadable.

IS IT REALLY UNREADABLE?
Well, unreadable but not indecipherable. A little bit-shifting of the binary data in this artifact reveals the true contents of the CnC message. The first set of CnC exchanges usually includes all the instructions the bot needs, such as…
HOW TO DECODE
…the message body of the spam it will send…
…the link to the site hosting the malicious code, which will be embedded in the message…
…and, to my utterly astonished amusement, a list of CnC server IP addresses the botmaster will use to control the Trojan.
THE LAST EXERCISE
This last one really makes the whole exercise worthwhile: the bot downloads this IP list every time it checks in with the CnC server. In essence, it keeps us updated with a list of who the bot can talk to, so the same extraction that exposed one relay also yields the CnC addresses to block or watch for across the rest of the network.
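The two steps described on the CnC slides, as an added example in Python that is not Solera's or the Trojan author's code: first pick the check-in request out of constructed HTTP records by the doubled port in its URI (the `:8080:80` hint), then brute-force the cheap transformations an analyst tries on an unreadable blob (bit rotations and single-byte XOR), score each for readability, and pull the spam body, the malware link and the CnC IP list out of the winner. The page does not say which transformation the real Trojan used, so the left rotation used to build the constructed response is an assumed stand-in, as are the KEY=value layout and every address in the sample.

```python
"""Find the CnC check-in by its odd URI, then recover the check-in contents.

Added example for this page, not Solera's or the Trojan author's code.  The
HTTP records and the encoded response are constructed; the bit rotation used
to hide the response is an assumed stand-in, since the page does not say
which transformation the real Trojan applied.
"""
import ipaddress
import re

# The hint on the page: a URI carrying a second, extraneous port, e.g. ":8080:80".
DOUBLE_PORT = re.compile(r":\d{1,5}:\d{1,5}(?=/|$)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_cnc_requests(records):
    """records: (src, method, uri).  Return those whose URI has a doubled port."""
    return [r for r in records if DOUBLE_PORT.search(r[2])]


def rol(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror(b, n):
    return ((b >> n) | (b << (8 - n))) & 0xFF


def obfuscate(plain, shift=3):
    """Assumed stand-in for the Trojan's encoding: rotate every byte left."""
    return bytes(rol(b, shift) for b in plain)


def printable_ratio(data):
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return ok / len(data) if data else 0.0


def best_decoding(blob):
    """Try the cheap transformations an analyst reaches for first: bit rotations
    and single-byte XOR.  Return (label, decoded) for the most readable result."""
    candidates = [("ror%d" % n, bytes(ror(b, n) for b in blob)) for n in range(1, 8)]
    candidates += [("xor%02x" % k, bytes(b ^ k for b in blob)) for k in range(1, 256)]
    return max(candidates, key=lambda c: printable_ratio(c[1]))


def parse_instructions(text):
    """Pull the spam body, the malware link and the CnC IP list out of a decoded
    check-in.  The KEY=value line layout is an assumption of this example."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip().lower()] = v.strip()
    ips = []
    for m in IPV4.findall(fields.get("cnc", "")):
        try:
            ips.append(str(ipaddress.ip_address(m)))
        except ValueError:
            pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return {"body": fields.get("body", ""), "link": fields.get("link", ""), "cnc_ips": ips}


# Constructed traffic: ordinary browsing plus one check-in to the botnet HQ.
SAMPLE_REQUESTS = [
    ("10.0.0.57", "GET", "http://www.example.com/index.html"),
    ("10.0.0.57", "GET", "http://198.51.100.7:8080:80/get.php?id=57"),
]
SAMPLE_PLAIN = (b"BODY=Cheap Canadian pharmacy, order today!\n"
                b"LINK=http://203.0.113.15/update.zip\n"
                b"CNC=198.51.100.7,203.0.113.9,192.0.2.45,999.1.1.1\n")
SAMPLE_RESPONSE = obfuscate(SAMPLE_PLAIN)   # what the capture would show


def triage_capture(records=SAMPLE_REQUESTS, response=SAMPLE_RESPONSE):
    """Locate the check-in, decode its response and extract the indicators."""
    hits = find_cnc_requests(records)
    label, decoded = best_decoding(response)
    info = parse_instructions(decoded.decode("latin-1"))
    info["checkins"] = [r[2] for r in hits]
    info["decoding"] = label
    return info


if __name__ == "__main__":
    for k, v in triage_capture().items():
        print(k, v)
```

Scoring by printable ratio is enough here because the correct transformation yields text that is entirely printable while every wrong rotation or XOR key leaves at least one byte outside the printable range; for a real blob, the score is a ranking aid and the analyst still reads the top candidates. The IP list that comes out is the same list the slide above describes: the addresses the bot will talk to next.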