Lethic Spambot Analysis: Pills, Watches, and Diplomas
by Jose Nazario
There’s another spambot afoot, and one of its activities is to send pharmacy and pill spam. We found it via the malcode in our zoo and C&C traffic that we hadn’t characterized previously. AV coverage of the samples is modest. The botnet appears to be spamming the usual unwanted junk, and appears to be medium sized.
Malcode Details
Once launched, the malcode installs itself as:
C:\WINDOWS\system32\ldfrmmd.exe
It then makes the registry changes to ensure it always runs at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "" = C:\WINDOWS\system32\ldfrmmd.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\system32\ldfrmmd.exe
And it creates a mutex with what appears to be a semi-random name, e.g. adrerdbbbddeil12 (also seen: jjwsmmmwinasllp2, dsdsduehsgser533, etc).
Newer versions appear to try and avoid or kill common analysis tools:
Find Window - Class Name () Window Name (The Wireshark Network Analyzer)
Find Window - Class Name () Window Name (Process Monitor - Sysinternals: www.sysinternals.com)
Find Window - Class Name () Window Name (File Monitor - Sysinternals: www.sysinternals.com)
Find Window - Class Name () Window Name (Registry Monitor - Sysinternals: www.sysinternals.com)
Here’s an example of what appears to be the C&C:
Host Name: happymanwoman.cn
IP Address: 67.159.44.237
Destination: happymanwoman.cn port 8900/TCP
And the communications data:
RECEIVED
$0000 | 00 00 00 00 06 | .....
SEND
$0000 | 00 00 00 00 06 | .....
RECEIVED
$0000 | 6E 33 0F 00 01 D1 55 D2 54 00 19 | n3....U.T..
SEND
$0000 | 6E 33 0F 00 21 01 | n3..!.
SEND
$0000 | 6E 33 0F 00 03 4C 00 34 32 31 20 34 2E 34 2E 35 | n3...L.421 4.4.5
$0010 | 20 53 65 72 76 65 72 20 62 75 73 79 2C 20 74 72 | Server busy, tr
$0020 | 79 20 61 67 61 69 6E 20 6C 61 74 65 72 2E 20 28 | y again later. (
$0030 | 6D 78 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 29 20 31 | mx.google.com) 1
$0040 | 36 73 69 31 32 38 37 32 30 33 79 78 65 2E 31 32 | 6si1287203yxe.12
$0050 | 38 0D 0A | 8..
RECEIVED
$0000 | 6E 33 0F 00 13 01 | n3....
SEND
$0000 | 6E 33 0F 00 02 | n3...
RECEIVED
$0010 | 6E 33 0F 00 02 6F 33 0F 00 01 C3 82 84 31 00 19 | n3...o3......1..
SEND
$0000 | 6F 33 0F 00 21 01 | o3..!.
RECEIVED
$0000 | 70 33 0F 00 01 C3 32 6A 8F 00 19 | p3....2j...
SEND
$0000 | 70 33 0F 00 21 01 | p3..!.
SEND
$0000 | 6F 33 0F 00 03 38 00 32 32 30 20 6E 61 70 6F 6C | o3...8.220 napol
$0010 | 65 6F 6E 2E 74 65 6C 65 6E 65 74 2D 6F 70 73 2E | eon.telenet-ops.
$0020 | 62 65 20 62 69 7A 73 6D 74 70 20 45 53 4D 54 50 | be bizsmtp ESMTP
$0030 | 20 73 65 72 76 65 72 20 72 65 61 64 79 0D 0A | server ready..
SEND
$0000 | 70 33 0F 00 03 39 00 32 32 30 20 6D 74 61 38 33 | p3...9.220 mta83
$0010 | 34 2E 6D 61 69 6C 2E 75 6B 6C 2E 79 61 68 6F 6F | 4.mail.ukl.yahoo
$0020 | 2E 63 6F 6D 20 45 53 4D 54 50 20 59 53 6D 74 70 | .com ESMTP YSmtp
$0040 | 20 73 65 72 76 69 63 65 20 72 65 61 64 79 0D 0A | service ready..
After this C&C communications bit it starts to spam on TCP port 25 using fairly standard SMTP dialogues.
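The capture above can be decoded mechanically once the frame layout is worked out. The following is an added example (not code from the original post): it reassembles frames from the page’s own hex-dump format and decodes them under the assumption, inferred from the bytes rather than stated anywhere on the page, that each frame is a 4-byte little-endian connection id, a 1-byte opcode and a body, where the C&C’s opcode 0x01 carries an IPv4 address plus big-endian port to connect to and the bot’s opcode 0x03 relays an SMTP server line as a little-endian 16-bit length plus text.

```python
import struct

# Constructed sample: the first three frames of the page's capture, in its
# "$offset | hex | ascii" layout.  RECEIVED = C&C -> bot, SEND = bot -> C&C.
DUMP = """\
RECEIVED
$0000 | 6E 33 0F 00 01 D1 55 D2 54 00 19 | n3....U.T..
SEND
$0000 | 6E 33 0F 00 21 01 | n3..!.
SEND
$0000 | 6E 33 0F 00 03 4C 00 34 32 31 20 34 2E 34 2E 35 | n3...L.421 4.4.5
$0010 | 20 53 65 72 76 65 72 20 62 75 73 79 2C 20 74 72 | Server busy, tr
$0020 | 79 20 61 67 61 69 6E 20 6C 61 74 65 72 2E 20 28 | y again later. (
$0030 | 6D 78 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 29 20 31 | mx.google.com) 1
$0040 | 36 73 69 31 32 38 37 32 30 33 79 78 65 2E 31 32 | 6si1287203yxe.12
$0050 | 38 0D 0A | 8..
"""

def parse_dump(text):
    """Reassemble (direction, raw_bytes) frames from the hex-dump text."""
    frames, direction, buf = [], None, bytearray()
    for line in text.splitlines():
        if line in ("RECEIVED", "SEND"):          # a new frame starts here
            if buf:
                frames.append((direction, bytes(buf)))
            direction, buf = line, bytearray()
        elif line.startswith("$"):                # "$off | hex | ascii"
            buf += bytes.fromhex(line.split("|")[1].replace(" ", ""))
    if buf:
        frames.append((direction, bytes(buf)))
    return frames

def decode_frame(direction, raw):
    """Return (conn_id, opcode, description); layout assumed as in the lead-in."""
    conn_id = struct.unpack_from("<I", raw)[0]   # 4-byte connection id
    opcode, body = raw[4], raw[5:]
    if direction == "RECEIVED" and opcode == 0x01 and len(body) == 6:
        ip = ".".join(str(b) for b in body[:4])  # target mail server to connect to
        port = struct.unpack_from(">H", body, 4)[0]
        return conn_id, opcode, f"connect {ip}:{port}"
    if direction == "SEND" and opcode == 0x03 and len(body) >= 2:
        length = struct.unpack_from("<H", body)[0]
        if length != len(body) - 2:              # truncated or malformed frame
            return conn_id, opcode, f"bad length {length} for {len(body) - 2} bytes"
        return conn_id, opcode, "smtp " + body[2:].decode("ascii", "replace").rstrip()
    return conn_id, opcode, "raw " + body.hex()  # opcodes not characterised here

def decode_dump(text):
    """Decode every frame in a dump; a starting point for a C&C traffic signature."""
    return [decode_frame(d, raw) for d, raw in parse_dump(text)]
```

Run against the page’s full dump, the 0x01 frames resolve to the three mail servers whose banners the bot relays back (mx.google.com, telenet-ops.be, yahoo.com), which is what a network signature for this C&C would key on.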
Apparent C&C hostnames and TCP ports used:
busnotstop.com:1430
goodhearme.cn:8090
happymanwoman.cn:8900
iamnothere.cn:8090
itsyourservice.cn:8900
linktomem.cn:8900
somethingwrong.cn:8090
sometimesgood.com:1430
tenverybest.com:5050
verywellhere.cn:8090
wasyoujoy.cn:8090
younotgood.cn:8900
For those who want to check their own zoos for samples, here they are by date acquired and their MD5 hash:
And origins by MD5 (all of which had been referenced by downloaders we analyzed):
We have seen several other EXE URLs on those malcode distribution sites in the past 90 days.
Botnet details and spamming behavior
This graphic shows the relationships of these servers to each other and their supporting infrastructure, such as their host networks and name servers.
Here’s some of the info about the C&C hostnames, including registrars and ASN info:
-------------[ busnotstop.com
30058 | 66.90.101.84 | FDCSERVERS - FDCservers.net
Registrar: TODAYNIC.COM, INC.
multi.surbl.org sa-blacklist and other sources
uri.ca2.sophosxl.com Reactively blacklisted
-------------[ goodhearme.cn
30058 | 66.90.101.194 | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网互联科技有限公司
-------------[ happymanwoman.cn
30058 | 67.159.44.237 | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网数码信息技术有限公司
-------------[ iamnothere.cn
20473 | 64.237.61.132 | AS-CHOOPA - Choopa, LLC
Sponsoring Registrar: 北京新网互联科技有限公司
-------------[ itsyourservice.cn
30058 | 66.90.101.93 | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网数码信息技术有限公司
-------------[ linktomem.cn
30058 | 66.90.101.189 | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网数码信息技术有限公司
-------------[ somethingwrong.cn
30058 | 66.90.103.223 | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网互联科技有限公司
-------------[ sometimesgood.com
30058 | 67.159.44.78 | FDCSERVERS - FDCservers.net
Registrar: TODAYNIC.COM, INC.
multi.surbl.org sa-blacklist and other sources
uri.ca2.sophosxl.com Reactively blacklisted
-------------[ tenverybest.com
30058 | 66.90.103.237 | FDCSERVERS - FDCservers.net
Registrar: TODAYNIC.COM, INC.
multi.surbl.org sa-blacklist and other sources
uri.ca2.sophosxl.com Reactively blacklisted
-------------[ verywellhere.cn
30058 | 67.159.44.236 | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 易名中国
-------------[ wasyoujoy.cn
33642 | 208.69.112.58 | CPCTECHNOLOGIES-LLC - CPC Technologies, LLC.
Sponsoring Registrar: 北京万网志成科技有限公司
-------------[ younotgood.cn
33642 | 208.69.113.130 | CPCTECHNOLOGIES-LLC - CPC Technologies, LLC.
Sponsoring Registrar: 北京新网互联科技有限公司
The minimal blacklist listings were as of yesterday.
When we analyze our spamtrap data, we see 694 distinct spamming zombies for this botnet (based on an observed spam template for “CheapViagra”) in the past day and a half. We know, based on some external measurements, that this is only a small fraction of the botnet. Just four unique subjects in this time that mention “CheapViagra”:
_Buy CheapViagra? $1.05/100mg. Pay 20 Times Less $ Online.. 100%
CheapViagra? Just $1/100mg if Order Online. Cheapest Price - Highest
Order CheapViagra Online,
Spam:Order CheapViagra Online, NoPrescription. Name-BrandViagra.
In at least one of the mails, the link in the message was pointing to wapanyf.cn, which is live and redirects to www.medz-sales.com. Here’s some DNS blacklist data on that from yesterday:
-- Thu Dec 3 21:22:53 2009 GMT
==> Checking wapanyf.cn
multi.surbl.org Blacklisted
uri.ca2.sophosxl.com Reactively blacklisted
dnsbl.mailshell.net Blacklisted
==> Checking wapanyf.cn (58.218.250.107)
zen.spamhaus.org Direct UBE sources, verified spam services and ROKSO spammers
b.barracudacentral.org Listed
And whois information on that domain:
Domain Name: wapanyf.cn
ROID: 20091106s10001s97618457-cn
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registrant Organization: [mis-encoded non-ASCII text, unrecoverable]
Registrant Name: [mis-encoded non-ASCII text, unrecoverable]
Administrative Email: changshegnjia@126.com
Sponsoring Registrar: [mis-encoded non-ASCII text, unrecoverable]
Name Server: ns3.knewblock.com
Name Server: ns6.6gl.ru
Name Server: ns4.knewblock.com
Name Server: ns2.painteager.com
Name Server: ns1.painteager.com
Name Server: ns5.6gl.ru
Registration Date: 2009-11-06 23:12
Expiration Date: 2010-11-06 23:12
The final resting place of the pills spam:
-- Thu Dec 3 21:24:03 2009 GMT
==> Checking medz-sales.com
multi.surbl.org sa-blacklist and other sources
==> Checking medz-sales.com (58.218.250.107)
zen.spamhaus.org Direct UBE sources, verified spam services and ROKSO spammers
b.barracudacentral.org Listed
And whois information on that domain:
Domain Name: MEDZ-SALES.COM
Registrar: CHINA SPRINGBOARD INC.
Whois Server: whois.namerich.cn
Referral URL: http://www.namerich.cn
Name Server: NS1.TALLMADE.COM
Name Server: NS2.TALLMADE.COM
Name Server: NS3.PLENTYUNIQUE.COM
Name Server: NS4.PLENTYUNIQUE.COM
Name Server: NS5.JF5.RU
Name Server: NS6.JF5.RU
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 03-dec-2009
Creation Date: 18-nov-2009
Expiration Date: 18-nov-2010
Here’s all of the URLs we’ve seen advertised in this “CheapViagra” campaign based on our spamtrap analysis from the past 36 hours:
Lethic bots have also been seen sending diploma spam, watch spam, and the like. Here are a few example subject lines from this botnet:
Subject: 0nline Pharmacy, Save on Medications from a safe and reliable canadian 0nline Pharmacy qnq kfi
Subject: Valued customer smeg_69dd@ops-netman.net 80% OFF on Pfizer.
Subject: Valued customer smeg_69d@ops-netman.net 80% OFF on Pfizer.
Subject: Great Popular Soft At Prices You Will Like.
Subject: Need Good Software? Ask Us For Help.
Subject: Extenze Ma1eEnhancement. PenisEn1argement Pills that work! Try it Risk Free.. 100% Guaranteeed uearej t7o
Subject: jRo1exRep1ica Watches & more, browse our collection of perfect rep1icaWatches: jRo1exCartier, Breitling, Omega & many more. ljhlzq 98
Subject: only $200 for SwissRo1ex, Breitling, Chanel, Cartier, Corum, IWC, Hublot, Omega, DeWitt, LouisVuiton, Panerai, Patek Philippe & .. zsyl vzzu
Subject: Get a diploma for a better job.
Conclusions
Lethic is yet another spambot to join the fray. It is unclear what its future holds, and we do not know when it emerged. However, this shows how “full” the “ecosystem” for spambots is. Lethic’s complexity is minimal when compared to other spam botnets (no rootkit seen, etc.), but it appears effective enough at this time.

