HOW TO FIND A HIDDEN SPAMMER
By Andrew Brandt, Solera Networks

How To Catch A Hidden Spammer


DESCRIPTION

Find out how to easily detect and stop a hidden spammer. These methods will protect you and your company from spam and will keep you from getting flagged as a spammer.


Page 1

HOW TO FIND A HIDDEN SPAMMER

By Andrew Brandt, Solera Networks

Page 2

HOW IT STARTS

The typical spam campaign starts with a social engineering hook, which attempts to convince the reader to click a link in the message body.

Page 3

SAY HELLO TO MALWARE

These links can lead to pages hosting malware: .EXE files inside of .ZIP folders. They can also use browser exploits to force an installation on the victim's computer.

Page 4

THESE ARE STEPPING STONES

These specialized Trojans retrieve instructions from a command-and-control server that include the body of the spam message, and a list of mail servers and victim email addresses to which the Trojan sends the messages.

Page 5

HOW THEY WORK

These Trojans retrieve instructions from a server that include the body of the spam message, and a list of mail servers and victim email addresses to which the Trojan sends the messages.

Page 6

THE GOOD NEWS / THE BAD NEWS

GOOD NEWS: Easy to identify and segregate the offending machines.

BAD NEWS: Thousands more people could end up receiving malicious messages, which might result in your own network ending up on a spam blacklist.

Page 7

USING THE RIGHT TOOLS

Solera's DeepSee detected that in just 20 seconds the Trojan dispatched 181 identical messages.

Page 8

USING DEEPSEE

Using DeepSee, you can take note of the IP address(es) of your usual mail servers, then create a Favorite with queries.

That will bring to the fore all non-mailservers that are sending email using the SMTP protocol.

ipv4_address!=your_mail_server application_id=SMTP

Page 9

SETTING UP ALERTS

Once you’ve created that Favorite, you can set up alerts to watch for traffic matching the rule. Typical malicious behavior might involve a large volume of mail being sent by machines meeting these criteria in a short period of time. The most obvious standouts will be sending messages at odd hours, such as when nobody should be at work (holidays/weekends).

Page 10

CATCHING THE SLOWER ONES

Look at the traffic generated by a much more low-key spam relay Trojan. The Trojan responsible sent these Canadian pharmacy, knockoff watch, and “dating site” spams, transmitted at a much slower rate of about two messages per minute. While the volume may keep the messages under the radar, you might consider setting up alerts looking for the subject matter of the messages.

Page 11

CATCHING THE SLOWER ONES

Detect and extract the command-and-control traffic between the infected host and its botnet HQ. Spam relay Trojans must receive instructions, or they can’t do their job. Check out this extraction of traffic generated by just such a Trojan.

Page 12

CATCHING THE SLOWER ONES

The CnC traffic is made even more obvious by its inclusion of a second, extraneous port number.

(Hint: Search for http_uri~:8080:80 in the Path Bar.)
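Slides 8, 9 and 12 describe the detection logic in prose. The following added example is my own code, not from the deck or from DeepSee; it applies the same logic to a constructed set of flow records: the non-mailserver SMTP filter, a burst alert for the 181-messages-in-20-seconds case, an off-hours check, and the ":8080:80" URI tell. The mail server address, workstation IPs and CnC host name are placeholders I made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_SERVERS = {"10.0.0.25"}  # assumed address of the legitimate mail server (placeholder)

def make_flows():
    """Constructed flow records: (timestamp, src_ip, application, http_uri)."""
    flows = [(datetime(2013, 3, 5, 10, i, 0), "10.0.0.25", "SMTP", "") for i in range(5)]
    # Fast relay: 181 SMTP sessions in 20 seconds, Saturday 02:00 (the deck's fast case).
    t0 = datetime(2013, 3, 9, 2, 0, 0)
    flows += [(t0 + timedelta(seconds=20 * i / 181), "10.0.0.77", "SMTP", "") for i in range(181)]
    # Slow relay: about two messages per minute on a Tuesday morning (the deck's slow case).
    t1 = datetime(2013, 3, 5, 11, 0, 0)
    flows += [(t1 + timedelta(seconds=30 * i), "10.0.0.91", "SMTP", "") for i in range(20)]
    # Check-in with a doubled port in the URI; the host name is a constructed placeholder.
    flows.append((t0, "10.0.0.77", "HTTP", "http://cnc.invalid:8080:80/in.php"))
    return flows

def rogue_smtp_senders(flows, mail_servers=MAIL_SERVERS):
    """The deck's Favorite 'ipv4_address!=your_mail_server application_id=SMTP' as a filter."""
    return sorted({src for _, src, app, _ in flows if app == "SMTP" and src not in mail_servers})

def burst_alerts(flows, mail_servers=MAIL_SERVERS, window=20, threshold=100):
    """Rogue senders with >= threshold SMTP sessions inside any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, app, _ in flows:
        if app == "SMTP" and src not in mail_servers:
            by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        lo, best = 0, 0
        for hi, ts in enumerate(times):  # sliding window over sorted timestamps
            while (ts - times[lo]).total_seconds() > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts

def off_hours_senders(flows, mail_servers=MAIL_SERVERS):
    """Rogue senders active on weekends or outside 07:00-19:00 local time."""
    return sorted({src for ts, src, app, _ in flows
                   if app == "SMTP" and src not in mail_servers
                   and (ts.weekday() >= 5 or not 7 <= ts.hour < 19)})

def cnc_candidates(flows):
    """HTTP flows whose URI contains the ':8080:80' tell from slide 12."""
    return [(src, uri) for _, src, app, uri in flows if app == "HTTP" and ":8080:80" in uri]
```

The slow relay passes the burst check (30 seconds between sessions) but is still surfaced by the non-mailserver filter, which is why the deck recommends content-based alerts for that case.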

Page 13

MORE DISCOVERIES

Once you find the CnC traffic, extraction can lead to more discoveries, but in this case, the traffic seems to be unreadable.

Page 14

IS IT REALLY UNREADABLE?

Well, unreadable but not indecipherable. A little bit-shifting of the binary data in this artifact reveals the true contents of the CnC message. The first set of CnC exchanges usually includes all the instructions the bot needs, such as…

Page 15

HOW TO DECODE

…the message body of the spam it will send…

Page 16

HOW TO DECODE

…the link to the site hosting the malicious code, which will be embedded in the message…

Page 17

HOW TO DECODE

…and, to my utterly astonished amusement, a list of CnC server IP addresses the botmaster will use to control the Trojan.

Page 18

THE LAST EXERCISE

This last one really makes the whole exercise worthwhile: the bot itself downloads these IPs every time it checks in with the CnC server. In essence, it’s keeping us updated with a list of who the bot can talk to.