
Cimbot - A Technical Analysis & Threat Research Blog | FireEye Inc
Personal Exposition

I was recently sent a .pcap file of a bot's C&C communications. Every 182 seconds, the bot would download a GIF file from (91.211.65.180 as of Mar 11, 2009). These GIF files, however, are not well-formed: it's a GIF89a header, followed by a lot of random gibberish.

At last! Something interesting and clever (this will make a good blog post). I've been wondering why it took so long for the bot authors to try to hide their communications steganographically (albeit poorly in this case).

At first I didn't have a sample of this bot, only its communications. Just eyeballing a hexdump of the data revealed some very strong patterns. It was safe to assume that this was a home-brew cryptosystem; I speculated that it was just a sixteen (or some multiple of sixteen) byte pattern, repeatedly XOR'd over the plaintext. Performing some statistical analysis of every nth byte of the cyphertext (for n = 1..16) showed some very strong language-like patterns. There were only about 80 to 90 distinct bytes per nth column of cyphertext, about what you'd expect for printable ASCII, and there was a slight power-law distribution of those bytes, rather than the high-entropy flat distribution that a good encryption algorithm would produce.

Most home-brew cryptosystems like this are trivial to crack, so I started on a cyphertext-only cryptanalysis, and got pretty far along, until I received a Cimbot sample from Joe Stewart. And then I could cheat by just analyzing the binary code of the bot itself.

The Technical Part

Cimbot is written in Microsoft Visual C++. According to the PE headers of the sample I have now, it was compiled/linked on Tue Mar 25 04:31:15 2008 (but that's not always trustworthy). The bot sample I received communicates with (91.212.65.94 as of Mar 11, 2009), and does not use SSL, which I strongly suspect that more recent versions do.

(As an aside: if anyone reading this has more Cimbot samples, please feel free to send them to me.)

This Cimbot sample is a module out of a larger malware system; that system is the part which actually starts up on boot and then loads Cimbot (stored encrypted on disk). Cimbot doesn't execute on its own. When executed, Cimbot sets a pseudo-random registry key (which it frequently polls), and spawns a second thread (you know, all the usual stuff). It calls GetTickCount() in a loop, Sleep()ing for a second each time, and keeps checking the result against 60 (there are some calls to rand() in there too). If the clock tick is above a certain value, it'll make an HTTP request to log in to the C&C server. It's not really setting any state, just waiting, so if you're too ADHD to wait through all of this in a debugger, you can just flip the ZF bit when you get to that branch. (Or modify that jump instruction in the binary; the bot doesn't do any integrity checking.)

During initialization (before that loop I just mentioned) it calls GetVolumeInformationA() to get the VolumeSerialNumber of the System drive. It uses this value to generate an identity, which is used when initially logging into the C&C server, and for decrypting (really deobfuscating) the encoded GIF data.

First Example

(Note that these examples have been scrubbed for anything which would reveal a victim's IP address or my own.)

The first thing the bot will send is this.
The "C63B..." part is a unique identity for the bot, and also the crypto key.

    GET /account/l.php?C63BB0F8A09E9A317C1E8D232D8D8C0D HTTP/1.1
    Host:
    Accept: */*
    Connection: close

The C&C will send back something like this:

    HTTP/1.1 200 OK
    Date: Thu, 12 Mar :05 GMT
    Server: Apache/2.0.58 (Win32) PHP/5.1.4
    X-Powered-By: PHP/5.1.4
    Set-Cookie: PHPSESSID=47d2af8a1d69c46c4896; path=/
    Content-Length: 0
    Connection: close
    Content-Type: text/html

The bot then uses that PHPSESSID cookie for all further communications with the C&C.

The next thing that the bot will ask for is:

    GET /account/d.php?data=7ef326ceefaaec4daf0 HTTP/1.1
    Host:
    Accept: */*
    Connection: close
    Cookie: PHPSESSID=47d2af8a1d69c46c4896

I kinda skimmed through the part where it calculates the 7ef136c49... stuff after the ?data= part. I can figure it out later if anyone cares. I've noticed that the two bytes (...daf0 in this example) will change over time.

So, the C&C server sends back something like this; the body is the 2641-byte fake GIF:

    HTTP/1.1 200 OK
    Date: Thu, 12 Mar :39 GMT
    Server: Apache/2.0.58 (Win32) PHP/5.1.4
    X-Powered-By: PHP/5.1.4
    Content-Length: 2641
    Connection: close
    Content-Type: image/gif
(You see what I mean about the patterns mod sixteen. The high nibble of each byte will stay within a range of only one or two adjacent values, and some values repeat exactly from one column to the next.)

The Decoding Operation

[Drum Roll] So, this is the decryption routine. Yes, this really is all there is to it. It's just a subtraction operation.

    ; Attributes: bp-based frame
    sub_403635      proc near               ; CODE XREF: sub_403587+...p
    key             = dword ptr  8
    sixteen         = dword ptr  0Ch
    cyphertext      = dword ptr  10h
    text_length     = dword ptr  14h

                    push    ebp
                    mov     ebp, esp
                    push    index
                    xor     index, index
                    cmp     [ebp+text_length], 0    ; Test if passed a NULL
                    jbe     short loc_40365B        ; if NULL pointer then return
    decypher_loop:                          ; CODE XREF: sub_403635+...j
                    mov     eax, [ebp+cyphertext]
                    xor     edx, edx
                    lea     ecx, [index+eax]        ; ECX points to current byte of the cyphertext
                    mov     eax, index
                    div     [ebp+sixteen]           ; EDX is basically index&0x0F
                    mov     eax, [ebp+key]
                    mov     al, [edx+eax]           ; AL is the byte of the 'key'
                    sub     [ecx], al               ; The decryption function itself.
                    inc     index
                    cmp     index, [ebp+text_length]
                    jb      short decypher_loop
    loc_40365B:                             ; CODE XREF: sub_403635+...j
                    pop     index
                    pop     ebp
                    retn    10h
    sub_403635      endp

It's called like this. The pointer to the GIF89a buffer is moved up by 15 bytes (and the length adjusted accordingly), so those bytes are not decrypted; then it uses the first 10h (16) bytes of the C63BB0F8A09E9A317C1E8D232D8D8C0D string (non-hex, as it sits in memory) as the subtraction key.

    sub_403587      proc near               ; CODE XREF: sub_...+C6p; sub_40201F+13Cp
    arg_0           = dword ptr  4

                    mov     edx, [esp+arg_0]
                    mov     eax, [edx]
                    cmp     eax, 0Fh                ; Test that GIF is at least 16 bytes
                    jnb     short long_enough
                    xor     eax, eax
                    jmp     short locret_4035B0
    long_enough:                            ; CODE XREF: sub_403587+...j
                    add     eax, 0FFFFFFF1h
                    push    eax                     ; Length of (*GIF89a-15)
                    mov     eax, [edx+4]
                    add     eax, 0Fh
                    push    eax                     ; 15 bytes from the start of GIF89a
                    push    10h                     ; First sixteen bytes of...
                    push    offset the_bot_         ; The bot ID/key
                    call    sub_403635
                    push    eax
    locret_4035B0:                          ; CODE XREF: sub_403587+Dj
                    retn    4
    sub_403587      endp

So the following quickly written Perl script should decrypt this particular (so-called) GIF file:

    #!/usr/bin/perl
    use IO::File;

    my @key = ( 0xC6, 0x3B, 0x22, 0x08, 0x38, 0xf1, 0x1b, 0x0f,
                0x8a, 0x09, 0xe9, 0xa3, 0x17, 0xc1, 0xe4, 0x87 );
    # If you're too lazy to retype the bot's login string as a byte array,
    # you can do something like this.
    # my @key = split(//, pack("H32", "C63BB0F8A09E9A317C1E8D232D8D8C0D"));
    # map { $_ = ord } @key;
    # You see, it's equivalent:
    # print "( ", join(", ", @key), " );\n";

    # You don't have to read all of the input file into memory either,
    # I'm just being lazy.
    my $file = shift @ARGV;              # input file name taken from the command line (assumed)
    my $length = (stat($file))[7];
    my $everything;
    open(MOO, $file) or die "open $file: $!";
    binmode(MOO);                        # the input is binary, not text
    read(MOO, $everything, $length);
    close(MOO);
    binmode(STDOUT);                     # and so is the output
    my @bytes = unpack("C*", $everything);
    my $keylen = $#key;
    my $offset = 15;

    # Do nothing for the first fifteen bytes.
    for (my $i = 0; $i < $offset; ) {
        print pack("C", $bytes[$i++]);
    }
    # Then start subtracting. $i++ is evaluated before $i % 16, so byte $i is
    # paired with $key[($i + 1) % 16]; that lines key[0] up with byte 15,
    # which is exactly what the bot's index-from-zero loop does.
    for (my $i = $offset; $i < $length; ) {
        print pack("C", ($bytes[$i++] - $key[$i % 16]) & 0xFF); # Sooper-dooper encryption!
    }
    0; # The end

This is the result (hexified here for blogging purposes). It's much more legible now...
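The same decoding operation in Python, added here as an example that is not part of the original post: it mirrors sub_403587 calling sub_403635 (leave 15 bytes alone, subtract key[index mod 16]), and goes a little beyond the text by adding the encoder the C&C side must apply, the distinct-bytes-per-column statistic from the Personal Exposition, and the key recovery that a mostly-NUL plaintext such as the status POST allows. The key bytes are the ones from the Perl script above; the sample plaintext is constructed for the example.

```python
from collections import Counter
from typing import List, Optional

# Constructed for this example: the 16-byte subtraction key from the post's
# Perl script (the first 16 bytes of the bot's login string as held in memory).
KEY = bytes([0xC6, 0x3B, 0x22, 0x08, 0x38, 0xF1, 0x1B, 0x0F,
             0x8A, 0x09, 0xE9, 0xA3, 0x17, 0xC1, 0xE4, 0x87])
SKIP = 15       # sub_403587 moves the buffer pointer up by 15 bytes
MIN_LEN = 0x0F  # cmp eax, 0Fh / jnb: anything shorter is rejected


def decode_fake_gif(data: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Mirror of sub_403587 calling sub_403635: leave the first 15 bytes alone,
    then subtract key[index mod 16], with index counting from 0 at byte 15."""
    if len(data) < MIN_LEN:
        return None
    out = bytearray(data)
    for i in range(SKIP, len(out)):
        out[i] = (out[i] - key[(i - SKIP) % len(key)]) & 0xFF
    return bytes(out)


def encode_fake_gif(plain: bytes, key: bytes = KEY) -> bytes:
    """The C&C side of the scheme (the inverse operation): add the key byte."""
    out = bytearray(plain)
    for i in range(SKIP, len(out)):
        out[i] = (out[i] + key[(i - SKIP) % len(key)]) & 0xFF
    return bytes(out)


def column_stats(data: bytes, period: int = 16) -> List[int]:
    """Distinct byte values per column (position mod period) of the encoded
    body. This is the every-nth-byte statistic from the post: a real cipher
    approaches 256 per column given enough data, while a repeating-key
    add/xor over ASCII stays around the printable range."""
    columns = [set() for _ in range(period)]
    for i in range(SKIP, len(data)):
        columns[(i - SKIP) % period].add(data[i])
    return [len(c) for c in columns]


def recover_key_from_nulls(data: bytes, period: int = 16) -> bytes:
    """A mostly-NUL plaintext (like the bot's status POST) leaks the key:
    0 + k is k, so the most frequent byte in each column is that column's
    key byte."""
    columns = [Counter() for _ in range(period)]
    for i in range(SKIP, len(data)):
        columns[(i - SKIP) % period][data[i]] += 1
    return bytes(c.most_common(1)[0][0] for c in columns)


# Constructed sample plaintext: a GIF89a prefix, a fragment in the style of
# the decoded dump's Referer/template entries, then NUL padding like the
# status report. example.invalid is a placeholder domain.
SAMPLE_PLAIN = (b"GIF89a" + bytes(9)
                + b"Referer: http://example.invalid\r\n"
                + b"%RAND_L_4_8%.example.invalid"
                + bytes(160))
SAMPLE_ENCODED = encode_fake_gif(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("round trip ok:", decode_fake_gif(SAMPLE_ENCODED) == SAMPLE_PLAIN)
    print("distinct bytes per column:", column_stats(SAMPLE_ENCODED))
    print("key from NUL-heavy body:", recover_key_from_nulls(SAMPLE_ENCODED).hex())
```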
I'm not completely certain yet, but I think this is either performing Referer spamming, or crawling the web collecting email addresses, or both. The regular expressions are for filtering out certain file types and email boxes while it harvests. I'm guessing it picks the User-Agents at random or in sequence or something. I can find out if anyone cares. Googling for the Referer domains is left as an exercise for the reader.

I've replaced the source IP address for my lab machine with 10.11.12.13 (0x0a, 0x0b, 0x0c, 0x0d), and the reverse DNS name with a fake one. (It's right at the very end of the hexdump.) This is of course used by the bot to determine its own IP address when it's behind a NAT.

The %WHATEVERS% are the mail-merge template variables that get filled in with appropriate values while sending spam. From examination of the Cimbot binary itself, these are all of the possible variables:

    aRand_di_       db '%RAND_DI_',0        ; DATA XREF: sub_4070BB:loc_407E27o
    aRand_lu_       db '%RAND_LU_',0        ; DATA XREF: sub_4070BB:loc_407CE0o
    aRand_ldu_      db '%RAND_LDU_',0       ; DATA XREF: sub_4070BB:loc_407B99o
    aRand_ld_       db '%RAND_LD_',0        ; DATA XREF: sub_4070BB:loc_407A52o
    aRand_d_        db '%RAND_D_',0         ; DATA XREF: sub_4070BB:loc_40790Bo
    aRand_l_        db '%RAND_L_',0         ; DATA XREF: sub_4070BB:loc_4077C6o
    aRand_char_ldu  db '%RAND_CHAR_LDU%',0  ; DATA XREF: sub_4070BB:loc_407603o
    aRand_char_lu   db '%RAND_CHAR_LU%',0   ; DATA XREF: sub_4070BB:loc_4075A1o
    aRand_char_ld   db '%RAND_CHAR_LD%',0   ; DATA XREF: sub_4070BB:loc_40753Fo
    aRand_char_u    db '%RAND_CHAR_U%',0    ; DATA XREF: sub_4070BB:loc_4074DDo
    aRand_char_d    db '%RAND_CHAR_D%',0    ; DATA XREF: sub_4070BB:loc_40747Bo
    aRand_char_l    db '%RAND_CHAR_L%',0    ; DATA XREF: sub_4070BB:loc_40741Bo
    aRand_num       db '%RAND_NUM%',0       ; DATA XREF: sub_4070BB:loc_4073A3o
    aRand_guid      db '%RAND_GUID%',0      ; DATA XREF: sub_4070BB:loc_407317o
    aUnix_time      db '%UNIX_TIME%',0      ; DATA XREF: sub_4070BB+33o
    aOe             db '%OE%',0             ; DATA XREF: sub_...D2o
    aDm             db '%DM%',0             ; DATA XREF: sub_...Eo
    aHs             db '%HS%',0             ; DATA XREF: sub_...EBo
    aRc             db '%RC%',0             ; DATA XREF: sub_...DCo
    aMf             db '%MF%',0             ; DATA XREF: sub_...CDo
    aBi             db '%BI%',0             ; DATA XREF: sub_...CDo
    aMp             db '%MP%',0             ; DATA XREF: sub_...BEo
    aMh             db '%MH%',0             ; DATA XREF: sub_...AFo
    aHn             db '%HN%',0             ; DATA XREF: sub_...o
    aIp             db '%IP%',0             ; DATA XREF: sub_...o

Second Example

These are some of the decoded spam templates from the original .pcap I received. One of the strings is like this:

    Date: %UNIX_TIME% +0000
    From: "Roeber Grossmann" <%MF%>
    X-Mailer: The Bat! (3.62.11) Professional
    Reply-To: Roeber Grossmann <%MF%>
    X-Priority: 3 (Normal)
    Message-ID: <.>
    To: <%RC%>
    Subject: More orgasmms
    MIME-Version: 1.0
    Content-Type: multipart/ boundary="----------5BA0A36C8AFBFE"

    ------------5BA0A36C8AFBFE
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable

    New
    Orgasm Enhancer=09
    =20=09Decades. There are schools in which the averages a troop
    of monkeys ran chattering away and parrots of a better amusement
    i sat on the roof to watch i was for some time his private
    secretary, and at home in the evenings, he said. If not,
    my servant.

    ------------5BA0A36C8AFBFE
    Content-Type: text/html; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">=20
    <html><head><title>
    =20<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=">=20
    </head><body> <strong></strong><br><span name=3D"#wqqq"></span>New
    Orgasm Enhancer<br><br>Click==20<a href=3D"http://cid-afbafcf33f10f80d./blog/cns!AFBAFCF33F1=
    0F80D!107.entry">HERE</a><br><strong></strong><p><br></p><br><p><a name=3D"#qwww"></a>Decades. There are schools in which the averages a troop<br> of monkeys=
    ran chattering away and parrots of a better amusement<br> i sat on the roo=
    f to watch i was for some time his private<br> secretary, and at home in th=
    e evenings, he said. If not,<br> my servant.</p></body></html>
    ------------5BA0A36C8AFBFE--

And another string is like this, I think it's the %MF% Mail From line:

Here's another, almost identical one. The %MF% in this case is orthodontic@psnelling.co.uk. The server has already done the work of generating an appropriate Message-ID (half of it is the current datetime). (And of filling in most of the message with Markov-chain generated Bayesian filter poisoning text.)

    From: "Valladores Malys" <%MF%>
    X-Mailer: The Bat! (3.5.29) Professional
    Reply-To: Valladores Malys <%MF%>
    X-Priority: 3 (Normal)
    Message-ID: <.49@psnelling.co.uk>
    To: <%RC%>
    Subject: More oorgasms
    MIME-Version: 1.0
    Content-Type: multipart/ boundary="----------BF59A1A8555AD2"

    ------------BF59A1A8555AD2
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable

    New Orgasm Enhanceer=09
    Moment in the cafe with maria, paredes, and the of sutasoma
    as also all his quivers. Bowless, i wish to the devil i
    had shared your room with they glowed on shirt bosoms and
    morning as well it in the name of the sovereignty of massachusetts,.

    ------------BF59A1A8555AD2
    Content-Type: text/html; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    =20<html><head>
    </title> =20<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=">
    =20</head> =20<body>
    <strong> </strong><br><br>New Orgasm Enhanceer<br><b>
    </b>Click==20<a href=3D"http://cid-a66afb2a221a9923./blog/cns!A66AFB2A221=
    A.entry">HERE</a><br><span>=09</span><p><br></p><b>=09</b><p><b>
    </b>Moment in the cafe with maria, paredes, and the of sutasoma<br=
    >as also all his quivers. Bowless, i wish to the devil i<br>had shared your room with they glowed on shirt bosoms and<br>morning as well it in the name of the sovereignty of massachusetts,.</p></b=
    ody></html>
    ------------BF59A1A8555AD2--

There's one of these every 182 seconds (3 minutes). All of the From lines are spoofed.

Other Stuff

I should also note that the bot reports its status back up to the C&C server via an HTTP POST of a GIF, but I don't have anything else really interesting to say about this (it's the same key as above, and most of this example is NULLs):

    POST /account/p.php HTTP/1.1
    Host:
    Accept: */*
    Content-Length: 97
    Connection: close
    Cookie: PHPSESSID=47d2af8a1d69c46c4896
Every fifty minutes, Cimbot will make HTTP requests to affiliate click websites like this (there's no User-Agent):

    GET /index.php?ref=24364 HTTP/1.1
    Host:
    Accept: */*
    Connection: close

The bot carries a complete list of such affiliate URLs, each with an affiliate ID like the one above.

Summary

Spamming, Email Harvesting, and Click Fraud about sums this up. None of this is really new, except for the fake GIF headers on the C&C communications.

Julia Wolf @ FireEye Malware Intelligence Lab

Questions/Comments to research [@] fireeye [.] com
This entry was posted on Mon Mar 16 09:52:30 EDT 2009.