Spam and All Things Salty: Spambot v2013

Jessa dela Torre¹ and Sabrina Lei Sioting²

¹ Forward-Looking Threat Research Team
² Threat Cleanup and Analysis Team
Trend Micro, Inc., Philippines

Abstract. This paper discusses our research on a threat that involves massive attacks on Wordpress, Joomla and Drupal sites, where the operators appear to be testing the waters with a new spam cycle. This routine involves different forms of web threats working independently of each other and has posed a challenge when it comes to authentication. We will look into (1) the compromised website, (2) the compromised machine, (3) the command and control server, (4) the payloads and/or affiliates involved, (5) the telemetry of the data we collected, and (6) how we emulated the threat to “milk” the server.

1 Introduction

In a paper we have previously released, we detailed the malware and spamming routines of Stealrat³, a new botnet that we have been monitoring. In this paper we will look at the various Content Management Systems (CMS) that are used extensively by the botnet operators, as well as the other components of this operation that we have yet to discuss. For continuity, we will still include some key points that we have already mentioned before. Stealrat introduced a new spamming technique wherein the communication between the spamming websites and the actual spam server is mediated by a compromised machine. This makes it difficult for spam filters to authenticate the emails, since they come from legitimate sites. While porn remains the primary theme of the spam emails they send, we have also seen a spike in emails that take excerpts from The Stainless Steel Rat⁴ science fiction series, although the subject is still porn-related.

³ http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf
⁴ http://en.wikipedia.org/wiki/The_Stainless_Steel_Rat

Fig. 1. Email samples

One of the ways Stealrat differs from other spambots is how the operators have set up their model: there are two compromised websites (one does the spamming and the other contains the payload) and a compromised machine. The compromised machine (end-user) connects to a server to collect spam data and sends it over to a compromised website, where the email is constructed and sent to the recipient. The email contains a link to another compromised website.

Fig. 2. Stealrat model

In a nutshell, the binary component in the compromised machine connects to several URLs to gather the following data needed to construct the spam email:

– Mail server (backup)
– “Sender” name
– Recipient’s email address
– Email template (subject and body)

It then sends a POST request to a compromised website, where a PHP script builds the actual spam email and sends it to the recipient. Detailed descriptions of the malware components (binary and PHP) are in the previous paper under the sections “Modules” and “PHP Scripts”⁵; a summary of each component is given below.

2 Content Management Systems

During the course of our research, we found the compromised websites to be running Content Management Systems (CMS). While only a small fraction of the affected sites run Drupal, Joomla! and Wordpress account for 51% and 19% of the infections, respectively⁶.

⁵ http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf
⁶ based on our data and may vary with the actual statistics

Fig. 3. CMS infection breakdown

While we have not determined most of the exploits and vulnerabilities used to gain access to the websites, we looked at the sites and plugins that are commonly compromised and enumerated some of the popular and interesting ones. In some instances, we have also seen the exploits used to gain root privilege on web servers running Linux. One of them is the Abacus exploit, which affects Linux kernel versions 2.6.37 to 3.8.8 and involves a poisoned perf_swevent_enabled array in a perf_event_open system call.

Fig. 4. Sample abacus exploit snippet and files

Once successfully exploited, the other websites hosted on that web server will be accessible and vulnerable as well. Using the WSO web shell, the attackers can create, view, upload and execute files in all the hosted sites (see image).

Fig. 5. Other websites hosted in a webserver

2.1 Joomla!

Joomla! is an open source Content Management System coded in PHP that can be modified or expanded functionally by using “extensions.” Officially, there are 5 different kinds of extensions:

– Component
– Plugin
– Template
– Modules
– Languages

In Joomla! sites, we found most of the malicious scripts inside the following components’ directories:

– com_virtuemart
– com_jce
– com_weblinks

Com_virtuemart

Virtuemart⁷ is an e-commerce component for Joomla!. It acts as a shopping cart, catalog and payment system for online merchandise. A normal installation contains the following files in the /components/com_virtuemart folder:

– fetchscript.php
– show_image_in_imgtag.php
– virtuemart.php
– virtuemart_parser.php

⁷ http://virtuemart.net/features/what-is-virtuemart

Fig. 6. Sample compromised com virtuemart directory content

Com_weblinks

Weblinks⁸ is Joomla!’s component for adding links to a webpage. A normal installation contains the following files in the /components/com_weblinks folder:

– controller.php
– router.php
– weblinks.php

Fig. 7. Sample of a compromised com weblinks directory content

⁸ http://docs.joomla.org/Help31:Components_Weblinks_Links

Com_jce

Joomla Content Editor (JCE)⁹ is Joomla!’s component for editing pages, which includes styling and other WYSIWYG tools. A normal installation has the following files in the /components/com_jce folder:

– jce.php
– popup.php

Fig. 8. Sample of a compromised com jce directory content

2.2 Wordpress

Similar to Joomla!, Wordpress¹⁰ is also coded in PHP and is a popular blogging tool as well as a Content Management System. In Wordpress sites, we found most of the malicious scripts inside the directories of the following plugins:

– tell-a-friend
– akismet
– tv1/tv1mod

Tell-a-friend

Tell-a-friend is a Wordpress plugin that allows website visitors to “tell their friends” about the site by clicking on a button (see image) and sending an email to their contact list.

A normal installation has only the tell-a-friend.php file in the /plugins/tell-a-friend folder, plus several image files.

⁹ http://extensions.joomla.org/extensions/edition/editors/88
¹⁰ http://wordpress.org/

Fig. 9. Sample of a compromised tell-a-friend directory content

Interestingly, with the tell-a-friend plugin, all of the compromised sites we have seen have the tell-a-friend.php file modified and appended with the WSO 2.5 web shell.

Fig. 10. Modified tell-a-friend.php

Fig. 11. Original tell-a-friend.php

Akismet

Ironically, Akismet¹¹ is a Wordpress plug-in for spam filtering, although it is for the comments section only. A normal installation has the following files in the “/plugins/akismet” folder:

– admin.php
– akismet.js
– akismet.css
– akismet.php
– akismet.gif
– widget.php

Fig. 12. Sample of a compromised Akismet directory content

TV1

The most intriguing plugin we have seen is TV1. According to the Wordpress site, there is no plugin named TV1. In most of the sites we checked, aside from the malicious files, the following PHP scripts are always present in the “/plugins/tv1” folder:

– class-wp-importer-cron.php – tumblr-importer.php

These scripts (see image below) are part of the tumblr-importer plugin, which imports a Tumblr blog into a Wordpress blog.

¹¹ http://codex.wordpress.org/Akismet

Fig. 13. Tv1 directory content
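As an added illustration (not part of the paper or of the authors’ tooling), the following Python script turns the expected-file lists in this section into a simple integrity check: it walks a CMS root, reports any .php file in the listed component and plugin directories that is not on the expected list, and flags a plugins/tv1 directory outright, since no such plugin exists. Paths are taken relative to the CMS root as the paper lists them; the sample tree it builds in a temporary folder and the planted file names are constructed for the demo.

```python
import os
import tempfile

# Expected .php files per directory, relative to the CMS root, as listed in
# the section above; any other .php file found there is reported.
EXPECTED_PHP = {
    "components/com_virtuemart": {"fetchscript.php", "show_image_in_imgtag.php",
                                  "virtuemart.php", "virtuemart_parser.php"},
    "components/com_weblinks": {"controller.php", "router.php", "weblinks.php"},
    "components/com_jce": {"jce.php", "popup.php"},
    "plugins/tell-a-friend": {"tell-a-friend.php"},
    "plugins/akismet": {"admin.php", "akismet.php", "widget.php"},
}
# Directories that should not exist at all: Wordpress has no "tv1" plugin.
UNEXPECTED_DIRS = ["plugins/tv1"]


def list_php(path):
    return sorted(f for f in os.listdir(path) if f.lower().endswith(".php"))


def scan_cms_root(root):
    """Return {relative dir: unexpected .php names} for the tree under root."""
    findings = {}
    for rel, expected in EXPECTED_PHP.items():
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            extra = [f for f in list_php(path) if f not in expected]
            if extra:
                findings[rel] = extra
    for rel in UNEXPECTED_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            findings[rel] = list_php(path)  # every script here is suspect
    return findings


def build_sample_tree(root):
    """Constructed sample tree (names made up for the demo): a clean com_jce,
    an akismet folder with a planted Sm3e.php mailer, and a tv1 folder."""
    layout = {
        "components/com_jce": ["jce.php", "popup.php"],
        "plugins/akismet": ["admin.php", "akismet.php", "widget.php",
                            "akismet.js", "Sm3e.php"],
        "plugins/tv1": ["class-wp-importer-cron.php", "tumblr-importer.php",
                        "x.php"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in names:
            open(os.path.join(root, rel, name), "w").close()


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_cms_root(root)


if __name__ == "__main__":
    for rel, files in sorted(demo().items()):
        print(rel, files)
```

A listing check cannot catch the modified tell-a-friend.php of Fig. 10, where the web shell is appended to an expected file; comparing file hashes against a clean install covers that case.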

3 The Malware

Aside from exploiting CMS-run websites, another important aspect of Stealrat is the array of malware in its arsenal. While we have seen other components associated with this campaign, we will only look at those directly involved in its spamming routine. This section will briefly describe these components. A more detailed analysis of each component is discussed in our previous paper.

3.1 The Downloader (Mutator/Rodecap)

Rodecap, or Mutator (according to its PDB debug string), downloads the SmMgr component from a specified URL. What makes Mutator interesting is its method of connecting to the C&C server to get its download instructions. One of its variants connects to the mail servers of what seem like innocently named sites (e.g. lyrics-db.org) and, after a connection has been established, modifies the hostname in the HTTP header to “google.com”. Its initial check-in to the C&C follows the format below:

– protocol.php?p=[volume serial number]&d=[B64 encoded string]

3.2 The Collector (SmMgr/Symmi)

Symmi, or SmMgr (according to its PDB debug string), is the component that downloads the spam data (which includes the sender name, subject and body) and the list of email addresses to send the spam email to. It then encrypts this information and sends it to the compromised websites. One interesting aspect of SmMgr (at least for the versions that we analyzed) is that for every successful or failed function, it sends a debug string via UDP to what we call the “Testing” or “Debug” server. Recently, we have also seen a Linux version of SmMgr (an ELF file). It checks whether certain Linux environment variables are present in the system; the values found in these variables are used as parameters of the link this malware connects to. It connects to a URL (the spam server) which contains the email addresses the spam mails are sent to. Similar to its Windows counterpart, the URL has the following format:

– http://{domain}/img/seek.cgi?db={data}&lin={data}

It also possibly connects to another URL from which the configuration, spam mail data, email format and compromised page are obtained. It sends the spam mail, B64 encoded, to a compromised page via a POST request. If all parameters in the POST request are correct, the site replies with the string “OKe807f1fcf82d132f9bb018ca6738a19f+0”. It is then up to the compromised page to send the spam mail.

3.3 The Spammer (PHP script)

Downloaded as “Sm[number]e.php”, this PHP script receives the spam template from SmMgr and constructs the spam email that will be sent to the recipients. By default, the script uses the compromised site’s mail server, but a backup server, typically Google (Gmail), is included in the spam data.¹² This script comes under multiple different file names, and the number of scripts usually varies from site to site.

4 Command and Control

Over time, the operators have moved the C&C to several domains scattered across several IP addresses. It seems that they use a single domain structure and just copy the entire thing when moving to different domains (see image)¹³.

¹² http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-check-if-your-website-is-part-of-the-stealrat-botnet/
¹³ current domains are circled in RED

Fig. 14. Domains and IPs associated with Stealrat

Communication with the C&C varies among the components and is done via TCP or UDP. Though encryption is implemented, the methods are simple and not overly complicated. A detailed description of each method is given in the “Malware and Network Communication” section of the previous paper.

5 Payloads and Affiliations

The links embedded in the emails are compromised sites injected with several HTML pages that are frequently updated. These pages range from pornography to online pharmacy.

5.1 Porn

Pornography is still the main theme of Stealrat’s payload.

Fig. 15. Sample payload page

Once the page loads, it redirects to another compromised webpage that has been planted with pornographic links and images.

Fig. 16. Sample compromised webpage injected with porn

5.2 Online Pharmacy

Another common landing page is an online pharmacy site, particularly doctorpied.com (previous sites were doctorpot.com and doctoregpg.com).

Fig. 17. Online pharmacy site

Interestingly, doctorpied.com is registered to the email address fl[email protected], which also registered several other online pharmaceutical sites that we have attributed to a certain actor. While we have not yet determined their exact relationship, we are not discounting the possibility that the same actor is involved here.

Fig. 18. Pharma domains and IPs associated with fl[email protected]

6 Telemetry

We have been monitoring this botnet intermittently since mid-April 2013 and so far have recorded about 215,000 websites that have, at one point or another, been compromised. Some of these websites had not disabled directory listing, so we were able to view their files and contents. Using the access logs and data available from 3 random sites, we compiled and averaged some of the information we know about this threat. Although 3 out of 215,000 may not be a good representation of the entire operation, we hope at the very least to get a glimpse of it and estimate its size.

Fig. 19. Geographic distribution of the IP addresses that connected to the 3 compromised websites

Table 1. Average content of the 3 random compromised websites

Description                                                                  Average Number
Spam mailer scripts (PHP)                                                    4
Spam emails sent on a single date (Sep 21, 2013)                             1,497.33
Unique IPs (end-users) that sent spam data on a single date (Sep 21, 2013)   1,065.33

Currently, there are about 17 million email addresses that get periodic spam emails from these sites.
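As an added example (not from the paper), this Python snippet derives the two per-day figures of Table 1 from web server access logs: accepted POST requests to Sm[number]e.php spammer scripts (section 3.3), each of which corresponds to one spam email being built, and the distinct client IPs that sent them. The log lines, IPs and script paths are constructed for the demo, and treating only HTTP 200 responses as accepted submissions is an assumption.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line; the request path is what we key on.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The spammer script is downloaded as "Sm[number]e.php" (section 3.3).
SPAMMER_RE = re.compile(r'/Sm\d+e\.php$', re.IGNORECASE)


def summarise_spam_posts(lines):
    """Per day: number of POSTs to Sm[number]e.php scripts answered with 200
    (assumed to mean the spam data was accepted) and distinct client IPs."""
    posts = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        if not SPAMMER_RE.search(path) or m.group("status") != "200":
            continue
        day = m.group("day")
        posts[day] += 1
        ips[day].add(m.group("ip"))
    return {d: {"posts": posts[d], "unique_ips": len(ips[d])} for d in posts}


# Constructed sample lines (IPs and paths are made up for the demo).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Sep/2013:10:02:11 +0000] "POST /images/Sm12e.php HTTP/1.1" 200 41 "-" "-"
198.51.100.7 - - [21/Sep/2013:10:02:23 +0000] "POST /images/Sm12e.php HTTP/1.1" 200 41 "-" "-"
203.0.113.9 - - [21/Sep/2013:10:05:40 +0000] "POST /wp-content/plugins/akismet/Sm3e.php HTTP/1.1" 200 41 "-" "-"
203.0.113.9 - - [21/Sep/2013:10:06:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.33 - - [22/Sep/2013:01:00:00 +0000] "POST /images/Sm12e.php HTTP/1.1" 404 210 "-" "-"
192.0.2.34 - - [22/Sep/2013:01:00:05 +0000] "POST /images/Sm12e.php HTTP/1.1" 200 41 "-" "-"
"""


def demo():
    return summarise_spam_posts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for day, stats in sorted(demo().items()):
        print(day, stats)
```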

7 Emulation

To uncover a significant part of this operation, we emulated the binary (SmMgr) responsible for collecting the spam data and sending it over to a compromised website. Every 10 seconds, this binary spawns a thread that performs these processes. We created several scripts to download and decode (see appendix) the following:

– email recipients
– spam template
– website to post the spam data to

8 Conclusion

While it is relatively small compared to more established botnets such as Asprox¹⁴ and Pushdo¹⁵, Stealrat’s spam cycle is one of the things that makes it unique. Its operators used compromised sites to send out spam. They also used compromised machines, but only as mediators between the compromised sites and the spam server. This allowed them, in a way, to cover their tracks, as they left no clear evidence of a connection between the sites and their server. Another interesting characteristic is that they also attempted to mask their network traffic by modifying the HTTP header to make it seem like they were accessing normal domains. This shows the operators’ resiliency in adapting to the security enforced in networks and their attempt to stay under the radar for as long as possible. While compromising websites to send out spam is not a new technique, we believe that this particular botnet is worth a look not just because of the volume of spam it has managed to send out but because of the subtle and gradual improvement of their methods. The Stealrat botnet is a perfect example of determined operators who will try anything to thwart security defenses.

¹⁴ http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
¹⁵ http://blog.trendmicro.com/trendlabs-security-intelligence/latest-pushdo-variants-challenge-antimalware-solution/

A Appendix

A.1 MD5 Hashes

A.2 Sample Decryption Script (decrypt.py)

#!/usr/bin/env python
# decrypt.py: decodes the files and traffic captured while emulating SmMgr.
# Each routine undoes one of the simple per-byte encodings and returns the
# decoded bytes, which main() writes to <file>.dec.
import base64
import sys


def DecConfig(s1):
    # Config file: every byte was incremented by one (wraps at 0).
    return bytes((b - 1) & 0xFF for b in s1)


def DecUDPTraffic(s1):
    # UDP debug traffic: every byte XORed with 12.
    return bytes(b ^ 12 for b in s1)


def DecEmailList(s1):
    # Email address list: byte i is XORed with encrypted byte i-1;
    # the first byte is XORed with the constant 18.
    out = bytearray(len(s1))
    for ptr in range(len(s1)):
        if ptr == 0:
            out[ptr] = 18 ^ s1[ptr]
        else:
            out[ptr] = s1[ptr - 1] ^ s1[ptr]
    return bytes(out)


def DecEmailTemplate(s1):
    # Spam template: Base64 encoded, then every byte XORed with 2.
    return bytes(b ^ 2 for b in base64.b64decode(s1))


DECODERS = {"1": DecConfig, "2": DecUDPTraffic,
            "3": DecEmailList, "4": DecEmailTemplate}


def main(argv):
    if len(argv) < 3 or argv[1] not in DECODERS:
        # Usage: decrypt.py <type> <file>
        # Type: 1 - Config file, 2 - UDP traffic,
        #       3 - Email address list, 4 - Spam template
        # Output: <file>.dec
        sys.exit(1)
    encrypted = argv[2]
    with open(encrypted, "rb") as source:
        s1 = source.read()
    decoded = DECODERS[argv[1]](s1)
    if decoded:
        with open(encrypted + ".dec", "wb") as out:
            out.write(decoded)


if __name__ == "__main__":
    main(sys.argv)