Coordinated Spam Effort

Yesterday we saw a large number of infected domains sending a massive spam run in what appeared to be a coordinated effort. Signs of a large-scale targeted effort included:

  • Sharp upticks of outbound spam requests occurring at once across multiple domains
  • The same script being used across disparate victims
  • A large sampling of IPs submitting malicious requests (a sample has been submitted to the ISC)

It appears that the attackers built the spam botnet using a variety of attack vectors; we noted a range of compromised CMS installations, as well as stolen account credentials used to submit mail requests. This indicates that, rather than targeting one specific application or installation, the attackers assembled a bot from whatever resources they could get and then mashed ‘go’ all at once. The source script is moderately obfuscated PHP; I’m working to reverse it now to search for clues about its origin or author.

There’s nothing overly clever in it, but an initial overview turned up a few interesting points. The script was designed to be flexible and stealthy: it looks up the MX records of the infected domain (rather than hammering the server’s own mail() function), and it checks which PHP functions have been disabled so that it can fall back through several methods of making outbound SMTP connections. We also see the obligatory obfuscation of function names such as mail(). A few snippets are available below; I will post full findings tonight (barring a Super Bowl of epic proportions). The original script (whitespace modified for readability) is available here.
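Those three traits (an MX lookup instead of the local mail() function, a check for disabled functions before choosing a sending method, and obfuscated function names) are also the things to look for when triaging a suspect host. The Python scanner below is an added example written for this post; it is not the reversed script, nor code from it. The PHP sample embedded in it is constructed, and the obfuscation forms it uses ('ma' . 'il', strrev()) and the ini_get('disable_functions') probe are assumptions about how such a script might be written, not findings from the actual sample.

```python
import re

# Constructed PHP sample in the style the post describes. NOT the script from
# the post: the string-splitting, strrev() and ini_get('disable_functions')
# idioms are assumptions used purely to exercise the scanner.
SAMPLE_PHP = r"""<?php
$f = 'ma' . 'il';
$m = strrev('rrxmteg');
$d = ini_get('disable_functions');
list($u, $h) = explode('@', $to);
$m($h, $mxs);
if (strpos($d, 'fsockopen') === false) {
    $s = fsockopen($mxs[0], 25, $errno, $errstr, 30);
} elseif (strpos($d, 'stream_socket_client') === false) {
    $s = stream_socket_client('tcp://' . $mxs[0] . ':25');
}
$f($to, $subj, $body, $hdr);
"""

# PHP functions a mailer script needs; seeing them hidden behind string
# tricks is more telling than seeing them called directly.
WATCHLIST = {"mail", "getmxrr", "dns_get_record", "fsockopen", "stream_socket_client"}

SPLIT_STRING = re.compile(r"'([a-z_0-9]+)'(?:\s*\.\s*'([a-z_0-9]+)')+")   # 'ma' . 'il'
STRREV = re.compile(r"strrev\(\s*'([a-z_0-9]+)'\s*\)")                   # strrev('liam')
DISABLE_PROBE = re.compile(r"ini_get\(\s*['\"]disable_functions['\"]\s*\)")
VAR_CALL = re.compile(r"\$([A-Za-z_]\w*)\s*\(")                           # $f(...)
ASSIGN = re.compile(r"\$([A-Za-z_]\w*)\s*=\s*(.+?);")                     # $f = ...;


def recover_names(php):
    """Resolve the simple string tricks back to the literal they produce."""
    names = set()
    for m in SPLIT_STRING.finditer(php):
        names.add("".join(re.findall(r"'([a-z_0-9]+)'", m.group(0))))
    for m in STRREV.finditer(php):
        names.add(m.group(1)[::-1])
    return names


def scan_php(source):
    """Report direct and obfuscated watchlist calls plus the disable_functions probe."""
    # Map variables assigned from an obfuscated literal to the function they hide.
    aliases = {}
    for var, rhs in ASSIGN.findall(source):
        for name in recover_names(rhs):
            if name in WATCHLIST:
                aliases[var] = name

    direct = sorted(n for n in WATCHLIST if re.search(rf"\b{n}\s*\(", source))
    # A variable function call ($f(...)) whose variable resolves to a watchlist name.
    obfuscated = sorted({aliases[v] for v in VAR_CALL.findall(source) if v in aliases})
    probe = DISABLE_PROBE.search(source) is not None

    return {
        "direct_calls": direct,
        "obfuscated_calls": obfuscated,
        "aliases": aliases,
        "probes_disable_functions": probe,
        # Hidden mail/DNS calls plus either a sending primitive or the probe
        # is the combination worth pulling the file for.
        "suspicious": bool(obfuscated) and (probe or bool(direct)),
    }


if __name__ == "__main__":
    for key, value in scan_php(SAMPLE_PHP).items():
        print(f"{key}: {value}")
```

Run it across a web root (for example by feeding each .php file to scan_php) and sort by the suspicious flag; legitimate code rarely builds the name of mail() out of string fragments and then probes disable_functions in the same file. The resolver only handles the two tricks it is told about, so extend recover_names with base64_decode() or chr() handling if the sample you are looking at uses them.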

If anyone else noticed any odd behavior yesterday as well please feel free to chime in.
