Win32/Cutwail

Re: Win32/Tofsee (Trojan.SpamBot)

#19502 by unixfreaxjp
Fri May 31, 2013 3:50 am

Note to: @EP_X0FF : I tried to search the right thread for this spambot but could not find the right one, this is the closest category that I can search. so allow me to paste the report here.

It was started from spam series of Paypal, eFax & Chase (etc)
As usual I expect PWS (Fareit or Cridex), Zeus or other PWS,
Instead they distributed the SpamBot Trojan too.

Spam email that lead to this spambot:

If we analyze the header:

we'll see significant characteristic of the MUA (or bot) sender sigs:

Code: Select all

Microsoft SMTP Server id 8.0.685.24;
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9)
Gecko/20100921 Thunderbird/3.1.4

with the relay signature too:

Code: Select all

Received: from unknown (HELO Spammer/FQDN) (Spammer Used MTA IP/x.x.x.x)
MIME-Version: 1.0
Status: RO

The link in spam itself redirect us to blackhole:

Code: Select all

h00p://papakarlo24.ｒu/wp-gdt.php?H00OTWYN3DI3Z4
Resolving papakarlo24.ｒu... seconds 0.00, 92.38.227.2
Caching papakarlo24.ｒu => 92.38.227.2
Connecting to papakarlo24.ｒu|92.38.227.2|:80... seconds 0.00, connected.
  :
GET /wp-gdt.php?H00OTWYN3DI3Z4 h00p/1.0
Host: papakarlo24.ｒu
h00p request sent, awaiting response...
  :
h00p/1.1 302 Moved Temporarily
Server: nginx/0.8.55
Date: Wed, 29 May 2013 08:16:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Location: h00p://uninstallingauroras・net/cloｓest/i9jfuhioejskveohnuojfir.php
Content-Length: 0
  :
302 Moved Temporarily
Location: h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php [following]
  :
h00p://uninstallingauroras・net/cloｓest/i9jfuhioejskveohnuojfir.php
conaddr is: 92.38.227.2
Resolving uninstallingauroras.net... seconds 0.00, 80.78.247.227
Caching uninstallingauroras.net => 80.78.247.227

Which was designed only to drop one of these two exploit PDF (depend on your adobe plugin version)

Both PDF leads to our spambot binary sample at:

Code: Select all

h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?orsjgvtp=1n:1j:2w:1m:1i&zxlegtgp=1k:1f:2w:1m:31:1o:1l:1l:30:31&tqdybltx=1h&mryvsc=pcyxjux&sctxbc=liolty

( If you interest to the exploit kit who backboned it you can refer to my analysis report in HERE )

I put the sample on VT in here:
https://www.virustotal.com/en/file/6d41 ... 369818590/
This is when the challange starts. I received the very confusing malware verdict in VT like the below...

Code: Select all

F-Secure                 : Trojan.GenericKDZ.19645
DrWeb                    : Trojan.DownLoad3.23197
GData                    : Trojan.GenericKDZ.19645
Symantec                 : WS.Reputation.1
AhnLab-V3                : Trojan/Win32.Tepfer
McAfee-GW-Edition        : PWS-Zbot-FAQD!0D2AF51B2813
TrendMicro-HouseCall     : TROJ_GEN.R47H1ES13
MicroWorld-eScan         : Trojan.GenericKDZ.19645
Avast                    : Win32:Dropper-gen [Drp]
Kaspersky                : Trojan-Spy.Win32.Zbot.lvxs
BitDefender              : Trojan.GenericKDZ.19645
McAfee                   : PWS-Zbot-FAQD!0D2AF51B2813
Malwarebytes             : Backdoor.Bot.ST
Rising                   : Win32.Asim.a
Panda                    : Trj/CI.A
Fortinet                 : W32/Zbot.LVXS!tr
ESET-NOD32               : Win32/Wigon.PH
Emsisoft                 : Trojan.Win32.Zbot (A)
Comodo                   : UnclassifiedMalware

Is not zbot family (many of AV mentioned as zbot..) for sure since the registry & drops is different, like]
(1)autorun:

Code: Select all

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xoxkycomvoly(RANDOM)
 →"C:\Documents and Settings\User\xoxkycomvoly.exe"

↑(2)was a different self copy command result:

Code: Select all

CopyFileA｛
   lpExistingFileName: "c:\test\sample.exe",
   lpNewFileName: "C:\Documents and Settings\User\xoxkycomvoly.exe", (RANDOM)
   bFailIfExists: 0x0 ｝

(3) different batch code too....

Code: Select all

:repeat
del %s
if exist %s goto :repeat
del %%0

My question is: Anyone know the right malware name of this one?

So I decided to take a look myself to find the sample sending massive spams, pleased see the below details to answer the question of malware name:

It aftered this MTA relay:

Code: Select all

smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com

By using these domains to spoof senders:

Code: Select all

reactionsearch.com
picsnet.com
mville.edu
oakwood.org
intelnet.net.gt
optonline.net
cox.net
pga.com
rcn.com
vampirefreaks.com
tiscali.co.uk
msu.edu
freenet.de
bluewin.ch
o2.pl
cfl.rr.com
worldnetatt.net
uakron.edu
comcast.net
centrum.cz
axelero.hu
aon.at
oakland.edu
ukr.net
posten.se
talstar.com
cnet.com
emailmsn.com
yahoo.com.hk
vodafone.nl
zoomtown.com
otakumail.com
netsync.net
grar.com
stc.com.sa
col.com
gallatinriver.net
worldonline.co.uk
aruba.it
bluewin.com
zoomnet.net
gcsu.edu
amazon.com
microtek.com
voicestream.com
tellmeimcute.com
bmw.com
backaviation.com
oregonstate.edu
earthlink.net
cablelan.net
floodcity.net
uplink.net
mindspring.com
clarksville.com
dr.com
shmais.com
sexstories.com
cwnet.com
chickensys.com
gravityboard.com
happyhippo.com
midway.edu
oakwood.org
intelnet.net.gt
blackplanet.com
tampabay.rr.com
gmx.net
juno.com
vampirefreaks.com
canada.com
worldnetatt.net
beeone.de
idea.com
boardermail.com
arcor.de
verizonwireless.com
mediom.com
iw.com
passagen.se
iupui.edu
ufl.edu
jwu.edu
uga.edu
music.com
accountant.com
ministryofsound.net
the-beach.net
metallica.com
vodafone.com
zdnetmail.com
hoymail.com
iwon.com
accessus.net
cbunited.com
pchome.com.tw
kazza.com
cytanet.com.cy
frisurf.no
parrotcay.como.bz
willinet.net
claranet.fr
kw.com
caixa.gov.br
frostburg.edu
intuit.com
actuslendlease.com
rowdee.com
vodafone.nl
feton.net
wcsu.edu
ricochet.com
embarqmail.com
allstream.net
mynet.com
kcrr.com
south.net
ig.com.br
atkearney.com
colorado.edu
zoomnet.net
creighton.edu
amazon.com
mvts.com
potamkinmitsubishi.com
lansdownecollege.com
mania.com
marchmail.com
anetsbuys.com
yatroo.com
bassettfurniture.com
machlink.com
nccn.net
floodcity.net
maui.net
earthlink.com
doctor.com
mexico.com
sexstories.com
penn.com
aussiestockforums.com
bendcable.com
ipeg.com
mediom.com
free.fr
ufl.edu
www.aol.com
hotmale.com
cox.com
ministryofsound.net
stargate.net
orange.pl
mzsg.at
imaginet.com
charter.com
pandora.be
iwon.com
windstream.net
oakland.edu
suscom.net
metrocast.net
migente.com
erzt.com
willinet.net
claranet.fr
kw.com
rockford.edu
emailmsn.com
uymail.com
xtra.co.nz
brettlarson.com
badactor.us
stc.com.sa
t-mobel.com
yahoo.com.cn
gatespeed.com
itexas.net
yahoo.com.tw
diamondcpu.com
vail.com
clear.net.nz
gallatinriver.net
ia.telecom.net
idealcollectables.com
number1.net
agilent.com
in.com
windermere.com
mts.net
sscomputing.com
primeline.com
indosat.com
lansdownecollege.com
springsips.com
tellmeimcute.com
chataddict.com
expn.com
earthlink.net
surfglobal.net

↑These data is written clearly after I unpack (whatever the name of method is) the binary.

Some captured SMTP sent logs:

Code: Select all

19:58:16.6989801 ->  65.55.96.11:smtp","SUCCESS"
19:59:03.0738552 ->  www2.windstream.net:smtp","SUCCESS"
19:59:03.0739711 ->  www.freenet.de:smtp","SUCCESS"
19:59:03.0740055 ->  67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:03.1832375 ->  208.73.210.29:smtp","SUCCESS"
19:59:03.1833775 ->  web1.gcsu.edu:smtp","SUCCESS"
19:59:03.1834395 ->  searchportal.information.com:smtp","SUCCESS"
19:59:03.1834970 ->  176.32.98.166:smtp","SUCCESS"
19:59:09.0894742 ->  www2.windstream.net:smtp","SUCCESS"
19:59:09.0896164 ->  www.freenet.de:smtp","SUCCESS"
19:59:09.0896742 ->  67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:09.1988465 ->  208.73.210.29:smtp","SUCCESS"
19:59:09.1989401 ->  web1.gcsu.edu:smtp","SUCCESS"

It has the botnet communication with HTTP & SSL, the SSL is for the handshake: