Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 9 June 2009

Yet another SPAM Bot

Today, while I was casually going through my sandnet logs, one piece of outbound malware communication suddenly caught my attention. It certainly looked like a SPAM template download. Unlike the templates of other well-known botnets such as Cutwail, Rustock, Tofsee, Srizbi and Xarvester, this spam template was in plain text and all of its artifacts were clearly visible.

The first question in my mind was the name of this SPAM bot. A VirusTotal report could have helped, but in this case it only confused me further.

See it for yourself:

292a5adf25ddf66b98616243fdd11ed7

My next attempt was to search for information based on the command and control name 'endsolar.com', but no luck.

I had no choice but to start my investigation from point zero. Here are some of my findings:

Name:

I'm not sure.

Infection Vector:

The name of the malware binary file (as it reached me) was e-card.exe. It's not hard to see that this is probably the outcome of yet another social-engineering mail campaign that lures users into clicking a fake greeting-card link.

Rootkit:

No real attempt was made by this malware instance to hide itself deeply on the infected system. Upon execution, it copies itself to %WINDOWS%/SYSTEM under the name 'winlogon.exe' and adds itself under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it starts on every system startup.
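The persistence described above (a copy named winlogon.exe dropped outside System32 and registered in the HKLM Run key) is easy to triage from a registry export, because the genuine winlogon.exe lives in %SystemRoot%\System32 and is started by the OS itself, never through a Run value. The script below is an added example written for this post, not code from the original write-up or from FireEye; the Run-key entries in it are constructed sample data, and the list of protected system binaries is my own assumption about what is worth flagging.

```python
"""Flag Run-key persistence entries that masquerade as core Windows binaries.

Added example, not part of the original post. The Run entries below are
constructed sample data modelled on the behaviour the post describes
(a copy of the bot saved as winlogon.exe under %WINDOWS%/SYSTEM and
registered in HKLM ... CurrentVersion/Run); they are not captured output.
"""
import ntpath
import re

# Constructed sample: Run value name -> command line, as seen in a .reg export
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "winlogon": r"C:\WINDOWS\SYSTEM\winlogon.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"%WINDOWS%\system\WINLOGON.EXE -silent",
}

# Assumption: binaries the OS launches itself. A Run-key entry naming one of
# them is a masquerade signal regardless of where the file sits.
PROTECTED_SYSTEM_BINARIES = {
    "winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe",
}


def _expand(path: str, windir: str = r"C:\WINDOWS") -> str:
    """Expand the Windows-directory variables seen in Run entries and use backslashes."""
    expanded = re.sub(r"%(windir|systemroot|windows)%", lambda _m: windir, path, flags=re.I)
    return expanded.replace("/", "\\")


def extract_executable(command: str) -> str:
    """Return the executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries: dict, windir: str = r"C:\WINDOWS") -> list:
    """Return (value_name, resolved_path, reason) for every entry whose
    executable name is a protected system binary.

    Paths are case-folded with ntpath so the check works on any host that
    reads an exported hive. This is a triage signal, not a verdict: confirm
    with the file hash and signature before acting on it.
    """
    system32 = ntpath.normcase(ntpath.join(windir, "System32"))
    hits = []
    for name, command in entries.items():
        resolved = ntpath.normcase(_expand(extract_executable(command), windir))
        folder, binary = ntpath.split(resolved)
        if binary not in PROTECTED_SYSTEM_BINARIES:
            continue
        if folder == system32:
            reason = "protected system binary registered in Run key (the OS starts it itself)"
        else:
            reason = f"'{binary}' located outside {system32}: {folder}"
        hits.append((name, resolved, reason))
    return hits


if __name__ == "__main__":
    for value_name, path, reason in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] Run\\{value_name} -> {path}\n    {reason}")
```

On the constructed data both the `winlogon` and `Updater` values resolve to `c:\windows\system\winlogon.exe` and are reported, while the legitimate SecurityHealth and OneDrive entries pass. The same check can be fed from a live system by exporting the Run key with `reg export` and parsing the value lines into the dictionary shape used above.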

SPAM:

It's another template-based SPAM bot like all the major players. The SPAM template is divided into different logical sections, which I'll explain one by one:


http://blog.fireeye.com/research/2009/06/yet-another-spam-bot.html
