Watch a live spam bot in action.

Ever wondered how a trojan infected computer gets its orders to spam? Take a peek with me into one trojan’s junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.

The smtp sending trojan first phones home for its task list, via http on the smtp port (25). Port 25 on the host machine is running Apache/1.3.37 — this is a very unusual place to find apache running.

The task list looks like this:

$GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|

http://get.example.com:8092/cgi-bin/cgi2.cgi|

http://serv2.example.com/report2.cgi|1||

http://mail.example.com:8888/cgi-bin/put|

20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|

http://get.example.com:8091/cgi-bin/cgi2.cgi|

http://serv2.example.com/report2.cgi|1||

http://mail.example.com:8888/cgi-bin/put|

22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|

http://get.example.com:8092/cgi-bin/cgi2.cgi|

http://serv2.example.com/report2.cgi|1||

http://mail.example.com:8888/cgi-bin/put|

^{(line breaks and spaces added for readability)}

The response it got is in the following format:
“tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”

So in the example above, the bot got 3 tasks. We’ll take a look at the first one in more detail….

The first url in the task format is the message to be spammed. In this case it is image spam.

Received: (qmail 8366 invoked by uid 7); [%DATE%]
Received: from unknown (HELO kwkpxyfcv) (6.67.3.0)
by [%MY_IP%] with SMTP; [%DATE%]
Message-ID:
From: "JEFF R. BORKGREN"
To:
Subject: Re: Re: Re: Re:
Date: Wed, 1 Nov 2006 08:10:08 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_[%BOUNDARY_ID_1%]"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506

This is a multi-part message in MIME format.

------=_NextPart_[%BOUNDARY_ID_1%]
Content-Type: multipart/alternative;
boundary="----=_NextPart_[%BOUNDARY_ID_2%]"

There is a fairly mundane html body, filled with the usual bayes poison text. This is followed by a mime block containing “yXvYg8bLkB.gif”: a simple base64 encoded pharmacy spam image with “random noise”. You’ll notice below that this mail is being sent to many recipients, not just one. Things to note about this template are that the date in the header is hard coded, as is the from header, subject and the 2 fake received headers.

The next URL in the task is the address list. They are in the following format, at around 200 lines long.

username_was_hereexamplecom 209.202.208.20,205.158.62.116
another_usernameanotherexamplecom 64.4.50.50,65.54.244.8,...

This is in the format “address mail exchanger IP address list”. This is a very interesting point: the bot is told where to connect to send the mail for every single address. This saves it looking up the MX record, making it quicker and giving the spammer greater control over delivery.

The workflow is thus:

1. The bot connects to the subscription server for a tasklist.
2. The bot processes that list on a line by line basis:
1. It downloads the spam.
2. It downloads the address and mail exchanger list.
3. It sends the spam, making the appropriate local macro substitutions for Date, address, mime boundary, etc.
3. The bot reports back delivery data via the two report URLs.
4. The bot starts again from the beginning.