Monday 30 January 2017


Spambot safari #1 - Bombila


Let's go on a spambot safari.
There is a lot of malware analysis on the Internet but very little about the malware used for spamming (Necurs is a rare exception). Yet behind every big spam campaign there is a spambot, and this part of the campaign is often technically weak.

It's easy to find a spambot. Most of the time, botmasters make the mistake of spreading the spambot's binary via the spam botnet itself. Because of the malware's communications, this mistake exposes the spambot architecture and allows us to analyze the CNC part.
Looking for malware with SMTP communication on public sandboxes is another good way to find spambot samples.

Here, I'll try to describe the "Bombila" spambot (БОМБИЛА).
This malware was used to spread TeslaCrypt in 2016 (if you want to understand how weak spamming campaigns are, take a look at:

I'll try to give an overview of this malware.
Sample: 6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d


The malware itself (Silent_SMTP_Bruter) is not really interesting and seems to still be under development:
a lot of bugs, poor string obfuscation, OutputDebugString calls, a log file created in C:\log.txt...
Persistence is done via the CurrentVersion\Run registry key; there is no self-replication or hiding feature (the malware stays wherever you launched it). After some connectivity checks, the malware contacts the CNC over HTTP. If you kill the process with Task Manager, the malware stops working.

Wow! So much obfuscation...

The "Silent_SMTP_Bruter" string is present in the PACKAGEINFO resource.

As usual, the malware is composed of an SMTP bruteforce module and an SMTP spam module.
The main module tries to contact a gate, "cmd.php", in two different ways:
  • a POST request (carrying a $_POST['status'] parameter) every 5 minutes to report the bot status
  • a GET request without any parameter to retrieve new orders.
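To sinkhole a sample in a lab, the gate only has to answer those two request shapes. The following is an added example written for this post, not the panel's own cmd.php: the request logic is kept in a plain function so it can be exercised without a socket, and a thin http.server wrapper runs it for a real bot. What the bot expects as an order is not documented here, so ORDER_BODY is a hypothetical placeholder you replace from your own panel dump.

```python
# Added example, not the panel's cmd.php. ORDER_BODY is a hypothetical
# placeholder: the real order format is not described in the post.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

GATE_PATH = "/cmd.php"
ORDER_BODY = b"NOOP"    # hypothetical; fill in from the dumped panel
STATUS_LOG = []         # (client_ip, status) tuples, one per check-in


def handle_request(method, path, body=b"", client_ip="0.0.0.0"):
    """Gate logic without the socket code, so it can be tested offline.

    Returns (http_status, response_body).
    """
    if path.split("?", 1)[0] != GATE_PATH:
        return 404, b""
    if method == "POST":
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        status = form.get("status", [None])[0]
        if status is None:
            return 400, b""          # the bot always sends $_POST['status']
        STATUS_LOG.append((client_ip, status))
        return 200, b"OK"
    if method == "GET":
        return 200, ORDER_BODY       # parameter-less GET: the bot asks for work
    return 405, b""


class GateHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front-end around handle_request()."""

    def _serve(self, method):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        code, resp = handle_request(method, self.path, body, self.client_address[0])
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(resp)))
        self.end_headers()
        self.wfile.write(resp)

    def do_GET(self):
        self._serve("GET")

    def do_POST(self):
        self._serve("POST")

    def log_message(self, fmt, *args):
        pass  # STATUS_LOG is the record we care about; keep stdout quiet


def start_gate(host="127.0.0.1", port=8080):
    """Run the gate in a background thread; point the patched bot at http://host:port."""
    server = HTTPServer((host, port), GateHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_gate()
    print(f"gate listening on http://127.0.0.1:{srv.server_port}{GATE_PATH}")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it on the host the patched bot resolves the CNC to, then watch STATUS_LOG fill up every 5 minutes while the GET branch hands out whatever order you put in ORDER_BODY.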

Not so boring malware

But the best part is not the malware itself; it's the malware's icon \o/. You can observe a funny behaviour: when you rename the binary, its icon changes. It picks up icons already present in the system icon cache. The hash stays the same (this works on an up-to-date Windows 10 :]).
It can be used to fool victims, because the malware ends up with icons such as a folder, Word, txt, etc.

If we extract the icon from the binary's resources, the bug can be reproduced with the .ico file alone:

It's a very small icon file (78 bytes):

In red, the ICO header, composed of two structures: ICONDIR and ICONDIRENTRY.
In green, the bitmap header (a BITMAPINFOHEADER structure).
In blue, the RGB color data.

It seems that, after a MapViewOfFile, user32 misparses the bitmap data and picks a "random" icon from the icon cache (C:\Users\login\AppData\Local\Microsoft\Windows\Explorer).
I'm still working on that; I'll try to write a post about how to reverse these kinds of UI tricks without developing suicidal tendencies \o/.
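Before reversing the loader, it helps to check the file against the format itself. The parser below is an added example written for this post, not code from the analysis: it walks ICONDIR, ICONDIRENTRY and BITMAPINFOHEADER and reports the cross-checks an icon loader is entitled to rely on (directory size vs. bitmap header, biHeight being twice the icon height because the XOR and AND masks are stacked, declared size vs. the pixel data actually needed). The .ico bytes it builds are constructed for the example, not the 78-byte icon from the sample.

```python
# Added example, not the post's code. The icons built by build_ico() are
# constructed test inputs, not the icon extracted from the Bombila binary.
import struct

ICONDIR = struct.Struct("<HHH")             # idReserved, idType, idCount
ICONDIRENTRY = struct.Struct("<BBBBHHII")   # bWidth, bHeight, bColorCount, bReserved,
                                            # wPlanes, wBitCount, dwBytesInRes, dwImageOffset
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")  # biSize, biWidth, biHeight, biPlanes,
                                            # biBitCount, biCompression, biSizeImage, ...
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def row_bytes(width, bpp):
    """Bitmap rows are padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def parse_ico(data):
    """Return {'count', 'entries', 'issues'}; 'issues' lists every inconsistency found."""
    issues = []
    if len(data) < ICONDIR.size:
        raise ValueError("file shorter than ICONDIR")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0:
        issues.append("ICONDIR.idReserved is not 0")
    if kind != 1:
        issues.append(f"ICONDIR.idType is {kind}, expected 1 (icon)")
    entries, pos = [], ICONDIR.size
    for i in range(count):
        if pos + ICONDIRENTRY.size > len(data):
            issues.append(f"entry {i}: ICONDIRENTRY truncated")
            break
        w, h, _colors, _res, _planes, bpp, size, offset = ICONDIRENTRY.unpack_from(data, pos)
        pos += ICONDIRENTRY.size
        w, h = w or 256, h or 256     # a 0 byte in the directory means 256 pixels
        entry = {"width": w, "height": h, "bpp": bpp, "size": size, "offset": offset, "format": None}
        entries.append(entry)
        if offset + size > len(data):
            issues.append(f"entry {i}: image data (offset {offset}, {size} bytes) runs past end of file")
            continue
        img = data[offset:offset + size]
        if img.startswith(PNG_MAGIC):
            entry["format"] = "png"   # Vista+ icons may embed PNG; nothing more to check here
            continue
        entry["format"] = "bmp"
        if len(img) < BITMAPINFOHEADER.size:
            issues.append(f"entry {i}: image too small to hold a BITMAPINFOHEADER")
            continue
        bi_size, bi_w, bi_h, _bi_planes, bi_bpp, bi_comp, _bi_image_size, *_ = BITMAPINFOHEADER.unpack_from(img, 0)
        if bi_size != BITMAPINFOHEADER.size:
            issues.append(f"entry {i}: biSize is {bi_size}, expected {BITMAPINFOHEADER.size}")
        if bi_w != w:
            issues.append(f"entry {i}: biWidth {bi_w} != directory width {w}")
        if bi_h != 2 * h:
            issues.append(f"entry {i}: biHeight {bi_h} != 2 * directory height {h} (XOR + AND mask)")
        if bpp and bi_bpp != bpp:
            issues.append(f"entry {i}: biBitCount {bi_bpp} != directory wBitCount {bpp}")
        if bi_comp != 0:
            issues.append(f"entry {i}: biCompression {bi_comp}, expected 0 (BI_RGB)")
        palette = (1 << bi_bpp) * 4 if bi_bpp <= 8 else 0
        needed = bi_size + palette + h * (row_bytes(w, bi_bpp) + row_bytes(w, 1))
        if needed > size:
            issues.append(f"entry {i}: {needed} bytes of header+pixel data needed, only {size} declared")
    return {"count": count, "entries": entries, "issues": issues}


def build_ico(width, height, bpp=32, bi_height=None):
    """Build a minimal single-image, uncompressed .ico (constructed test input).

    bi_height lets a test write a wrong biHeight to see the check fire.
    """
    xor = b"\x00" * (row_bytes(width, bpp) * height)
    and_mask = b"\x00" * (row_bytes(width, 1) * height)
    pixels = xor + and_mask
    bih = BITMAPINFOHEADER.pack(40, width, 2 * height if bi_height is None else bi_height,
                                1, bpp, 0, len(pixels), 0, 0, 0, 0)
    image = bih + pixels
    offset = ICONDIR.size + ICONDIRENTRY.size
    entry = ICONDIRENTRY.pack(width % 256, height % 256, 0, 0, 1, bpp, len(image), offset)
    return ICONDIR.pack(0, 1, 1) + entry + image


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        report = parse_ico(f.read())
    print(report["entries"])
    print("\n".join(report["issues"]) or "no inconsistencies found")
```

Run it on the extracted .ico; any line in the issues list is a field the loader has to resolve one way or another, which is where to start looking when the chosen icon is not the one in the file.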
Thanks a lot to @Antelox for his precious help :]

Crack the bot

During the TeslaCrypt analysis I was able to dump the web panel. So why not try to patch the bot with my own CNC and play with all the features?
For that, we have to understand where the CNC is stored in the binary and patch it.
There is a good resource about that on Xylibox, but in this case I'll use an easier way :]. In the binary we can see that the CNC is "obfuscated" (loc_4480D3):

It's now easy to write a dirty Python script to encode our CNC and patch the binary (offset 0x58488).
Due to a silly parsing error, the CNC must look like "" without the trailing slash.
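A patcher for this is mostly bookkeeping: refuse the trailing slash the bot chokes on, make sure the encoded value fits the field, pad it, and decode it back to verify. The script below is an added example written for this post, not the author's script: the sample's real encoding routine is not reproduced here, so encode_cnc/decode_cnc are a hypothetical XOR stand-in to swap for the routine recovered at loc_4480D3, and FIELD_OFFSET, FIELD_LEN, ORIGINAL_CNC and FAKE_BINARY are constructed for the example (for the real sample the post gives 0x58488).

```python
# Added example, not the author's script. XOR_KEY, FIELD_OFFSET, FIELD_LEN,
# ORIGINAL_CNC and FAKE_BINARY are hypothetical/constructed; the real
# encoding must be taken from the binary (loc_4480D3).
import re

XOR_KEY = 0x7F          # hypothetical stand-in for the sample's encoding
FIELD_OFFSET = 0x100    # hypothetical: where the encoded CNC sits in FAKE_BINARY
FIELD_LEN = 48          # hypothetical: bytes reserved for the encoded string


def check_cnc_url(url):
    """Reject what the bot's own parser chokes on (trailing slash) and anything odd."""
    if url.endswith("/"):
        raise ValueError("CNC must not end with a slash (bot parsing bug)")
    if not re.fullmatch(r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._\-]+)*", url):
        raise ValueError(f"unexpected CNC format: {url!r}")
    return url


def encode_cnc(url):
    """Stand-in encoding: byte-wise XOR. Replace with the recovered routine."""
    return bytes(b ^ XOR_KEY for b in url.encode("ascii"))


def decode_cnc(blob):
    """Inverse of encode_cnc; the stored field is NUL-terminated."""
    raw = blob.split(b"\x00", 1)[0]
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")


def patch_binary(data, new_url, offset=FIELD_OFFSET, field_len=FIELD_LEN):
    """Return a copy of `data` with the encoded CNC written over the field at `offset`."""
    encoded = encode_cnc(check_cnc_url(new_url))
    if b"\x00" in encoded:
        raise ValueError("encoded CNC contains a NUL, which would truncate it")
    if len(encoded) >= field_len:
        raise ValueError(f"encoded CNC is {len(encoded)} bytes; field holds {field_len - 1} plus terminator")
    if offset + field_len > len(data):
        raise ValueError("field lies outside the binary")
    patched = bytearray(data)
    patched[offset:offset + field_len] = encoded.ljust(field_len, b"\x00")
    return bytes(patched)


def read_cnc(data, offset=FIELD_OFFSET, field_len=FIELD_LEN):
    """Decode the field back, to verify the patch before running the sample."""
    return decode_cnc(data[offset:offset + field_len])


# Constructed stand-in for the binary: filler around a pre-encoded CNC field.
ORIGINAL_CNC = "http://old-gate.example"     # hypothetical original value
FAKE_BINARY = (b"\x90" * FIELD_OFFSET
               + encode_cnc(ORIGINAL_CNC).ljust(FIELD_LEN, b"\x00")
               + b"\xcc" * 0x80)


if __name__ == "__main__":
    import sys
    src, dst, url = sys.argv[1:4]
    with open(src, "rb") as f:
        data = f.read()
    print("current CNC:", read_cnc(data))
    patched = patch_binary(data, url)
    with open(dst, "wb") as f:
        f.write(patched)
    print("patched CNC:", read_cnc(patched))
```

Always read the field back from the patched file rather than trusting the write: a wrong offset or a value one byte too long silently leaves you with a bot that never calls home.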

You can now control the bot and explore all its features \o/.

Panel Overview

The source code is a real mess. It looks like the panel is a merge of two panels.
For example, there are three footers in index.php:

Some comments refer to other projects:

Time for a quick overview (I've tried to do a quick and dirty English version (thanks @KodaES :D); hover over the image for the translated version):
The home page:

From this page, you can:
  • Upload email lists
  • Upload subjects, messages, "from", headers, etc.
  • Retrieve statistics about the spam campaign
  • Retrieve some statistics about infected bots
  • Configure the campaign

I couldn't find any bot list or campaign details directly from the web panel.
Some pages are only reachable by reading the source code.
In fact, index.php is a big switch case:

For example, the bot list (index.php?act=work):

Search engine:

There is no dropper or backdoor feature. This malware is only about spam.

After Teslacrypt ?

I tried to find other samples of this malware after the end of TeslaCrypt.
I found another panel but nothing else.

I think it would be easy to retrieve new samples via VTI.

Some numbers to conclude (based on the webstat files found on the CNC):
From December 2015 to February 2016, Bombila:
  • was composed of ~10,000 bots
  • sent at least 10 million emails

Thanks for reading :]

11 comments:

  1. This comment has been removed by the author.
