TrendLabs Malware Blog - Trend Micro
Advances in spam detection meant that spam operators had to find ways to circumvent new technologies. For instance, Asprox made significant improvements in its spam and module architecture, whereas Pushdo made use of decoy network traffic.

Recently, we discovered a new, simple method used by a spam botnet we named StealRat. It consists of three essential components:

• Compromised website for sending spam
• Compromised systems for harvesting and delivering the spam data
• Compromised website for delivering the payload

Figure 1. StealRat method

In this setup, the actual spam server hides behind three layers of unsuspecting victims: two compromised websites and an infected machine. The infected machine acts as a liaison between the spam server and the compromised website. As there is no interaction between the spam itself and the spam server, the email will appear to have originated from the infected machine. The spam mail itself does not spread the malware, so there is no visible link between the two either. In essence, the operators have separated the core functions and minimized interactions among them to cut off any threads that could link them to each other.

A compromised website has the payload link and a spamming script. The payload is typically a porn or online pharmacy webpage. The spamming script is coded in PHP and waits for data from an infected machine (malware victim). The infected machine connects to the malicious spam server to collect the spam data, which includes the following:

1. backup mail server
2. "sender" name
3. recipient address
4. email template

A compromised website will typically have a randomly named folder containing several PHP scripts.

Figure 2. Sample of a compromised website

Another interesting behavior is that it uses the compromised website's domain as its email service domain. For instance, if xyz.com is hosting the spamming script, the email will appear to have come from [sender name]@xyz.com.

In a compromised system (infected machine), the malware component also exhibits some conspicuous traits. For instance, some variants attempt to cloak their network traffic by setting the host name to google.com while receiving instructions from the C&C server. If the C&C is example.com, instead of connecting to it directly, the malware queries for the domain's mail server (e.g., mx1.example.com) and connects there instead. The network traffic will not show an established connection to either example.com or mx1.example.com; the host name will appear to be google.com instead.
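The cloaking described above leaves a detectable inconsistency: the Host header names google.com while the TCP connection goes to a different server, often a mail exchanger. The following is an added example (not code from the original post or from Trend Micro) that scans constructed HTTP log lines for that mismatch; the `FORWARD` and `REVERSE` tables are a stand-in for DNS lookups, and the addresses in them are constructed.

```python
"""Flag HTTP requests whose Host header does not match the server actually contacted.
The resolver tables below are constructed stand-ins for live/passive DNS data."""

# Constructed proxy-style HTTP log lines (fields: ts src dst dport host uri).
SAMPLE_LOG = """\
2014-04-02T10:01:12 src=10.0.0.7 dst=203.0.113.25 dport=80 host=google.com uri=/
2014-04-02T10:01:13 src=10.0.0.7 dst=198.51.100.9 dport=80 host=google.com uri=/gate.php
2014-04-02T10:02:44 src=10.0.0.9 dst=203.0.113.25 dport=80 host=google.com uri=/search
"""

# Constructed forward (A) and reverse (PTR) records; a real check would query DNS.
FORWARD = {"google.com": {"203.0.113.25"}, "mx1.example.com": {"198.51.100.9"}}
REVERSE = {"203.0.113.25": "google.com", "198.51.100.9": "mx1.example.com"}


def parse_line(line):
    """Split one log line into a dict of key=value fields plus the timestamp."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["ts"] = parts[0]
    return fields


def check_host_mismatch(fields, forward=FORWARD, reverse=REVERSE):
    """Return a reason string if the Host header does not resolve to the
    destination IP, or None if the request looks consistent."""
    host = fields["host"].lower()
    dst = fields["dst"]
    if dst in forward.get(host, set()):
        return None  # Host header genuinely belongs to the contacted server
    ptr = reverse.get(dst, "<no PTR>")
    reason = f"Host header {host} does not resolve to {dst} (PTR: {ptr})"
    if ptr.startswith("mx"):
        # StealRat-style: C&C reached through the domain's mail exchanger over HTTP
        reason += "; destination looks like a mail exchanger reached over HTTP"
    return reason


def scan_log(text, forward=FORWARD, reverse=REVERSE):
    """Return (ts, src, dst, reason) tuples for every suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        reason = check_host_mismatch(f, forward, reverse)
        if reason:
            alerts.append((f["ts"], f["src"], f["dst"], reason))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```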

Figure 3. Connection to google.com

During the course of our investigation, we identified the following:

• about 85,000 unique IPs/domains that sent out spam emails in 1 month
• each IP/domain contains an average of two spamming scripts
• each infected machine sends at least 8,640 sets of spam data to compromised websites per day
• they are currently rotating around seven million email addresses to send spam to

While exploiting vulnerable websites to send out spam has already been used extensively by other botnets, StealRat stood out because it used simple yet subtle methods to improve the botnet's resiliency. Its operators set very clear boundaries. They used compromised sites to send out spam. They also made use of compromised machines, but only as mediators between the compromised sites and the spam server.

This allowed them to cover their tracks, as they left no clear evidence of a connection between the sites and their server. They also used legitimate mail servers and modified host names to mask their traffic. This operation certainly proves that cybercriminals are always looking for ways to evade security defenses.

For more details about StealRat, you may read the full paper Stealrat: An In-Depth Look at an Emerging Spambot.

© Copyright 2013 Trend Micro Inc. All rights reserved.