ISC reader Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams "spam bot", Robert decided to analyze the box further.
He captured some packets and found an interesting binary that he submitted to ISC for analysis.
After analyzing this binary, they discovered a whole malware pyramid. So, this is what's happening:
extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty as, at the moment, just one of the 26 anti-virus programs on VirusTotal finds it suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.
But that’s not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.
The first downloader that the main spam bot fetches is http://220.127.116.11/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this) from a well known malware network (that some of you probably already filtered): http://18.104.22.168/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://22.214.171.124/[REMOVED]/getnumtemp.asp?nip=0.
If this wasn't enough, prepare for more. The dialer will now download yet another downloader (are we getting lost in all this?): http://126.96.36.199/[REMOVED].
Back to the spam bot. What's interesting is that it will download and replace the machine's hosts file. Big deal, we've seen that a million times. But besides the usual entries blocking the standard AV vendors' web sites and Microsoft Windows Update, the newly downloaded hosts file also prevents the user from visiting about 50 .biz sites well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.).
As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn't do much for you when the malware is not detected. Monitoring your outgoing traffic, even in the absence of an IDS, could do the trick. Looking for spikes in outgoing e-mail is a good way to detect unexpected spam bots such as these. Use the Windows built-in firewall or another free (or paid) one (see my Free Programs category). Also use Hosts Secure to block changes to and manage the HOSTS file.
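The outbound-traffic monitoring lesson above, as an added example that is not part of the original post or of ISC's analysis: a small Python script that runs over constructed firewall log lines and flags internal hosts opening SMTP (TCP/25) connections to many distinct servers, while ignoring mail handed to the site's approved relay. The log format, the IP addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original post). Fields:
# timestamp src_ip dst_ip proto dst_port action
SAMPLE_LOG = """\
2006-04-01T10:00:01 192.168.1.23 198.51.100.5 tcp 25 permit
2006-04-01T10:00:02 192.168.1.23 198.51.100.17 tcp 25 permit
2006-04-01T10:00:02 192.168.1.23 203.0.113.8 tcp 25 permit
2006-04-01T10:00:03 192.168.1.23 203.0.113.9 tcp 25 permit
2006-04-01T10:00:03 192.168.1.23 203.0.113.44 tcp 25 permit
2006-04-01T10:00:04 192.168.1.23 198.51.100.200 tcp 25 permit
2006-04-01T10:00:04 192.168.1.23 198.51.100.5 tcp 25 permit
2006-04-01T10:00:05 192.168.1.10 192.168.1.2 tcp 25 permit
2006-04-01T10:00:05 192.168.1.10 203.0.113.80 tcp 80 permit
2006-04-01T10:00:06 192.168.1.10 192.168.1.2 tcp 25 permit
2006-04-01T10:00:07 192.168.1.31 198.51.100.5 udp 53 permit
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>tcp|udp) (?P<dport>\d+) (?P<action>\w+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def smtp_fanout(records, approved_relays=frozenset()):
    """Map each source IP to the set of distinct SMTP servers it contacted
    directly, ignoring connections to the site's approved mail relays."""
    fanout = defaultdict(set)
    for r in records:
        if (r["proto"], r["dport"], r["action"]) == ("tcp", 25, "permit") \
                and r["dst"] not in approved_relays:
            fanout[r["src"]].add(r["dst"])
    return fanout

def flag_spam_bots(text, approved_relays, threshold=5):
    """Return [(src, distinct_smtp_peers)] for hosts at or over the threshold.
    Workstations hand mail to the relay; one talking to many SMTP servers itself
    is the spam-bot pattern worth investigating."""
    fanout = smtp_fanout(parse_log(text), approved_relays)
    hits = [(src, len(d)) for src, d in fanout.items() if len(d) >= threshold]
    return sorted(hits, key=lambda h: -h[1])
```

Point the same logic at real firewall or NetFlow exports and run it per hour or per day; the threshold then becomes a baseline question for your own network rather than the constant used here.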