Friday, February 5, 2010

The Pushdo DDoS enigma: some theories

Lately there have been unusual reports of a supposed denial of service attack against a variety of well-known web sites. The full list can be found here. This came to my attention because the news mentioned that a botnet called Pushdo was behind the attack, and since I reversed Pushdo a while ago, I was quite familiar with the behavior of this particular malcode. This week I managed to get a sample file related to the denial of service attack and found out it's a spambot. This is not part of any botnet, but only the spam-sending component. If you're infected by this, you immediately start sending spam like there's no tomorrow.

So why on earth would a spambot send SSL packets against high-profile web sites? There can be a few theories to choose from:

a) The Denial of Service attack. They could be trying to take those sites down. This is not likely for a few reasons. There are too many sites in that list and that spreads the "attack" too wide. I might give credit to the DDoS theory if the attack was directed to a shorter list of web sites. Also, the list doesn't make a lot of sense. The only thing the sites have in common is their high availability, which probably means they have caching procedures to minimize these kinds of attacks.

b) The internet connection check. These weird SSL connections might be just a way of checking whether the victim is connected to the internet. Just an advanced way of the age-old command "ping". It's a possibility, although it's too convoluted for such a simple use.

c) The DNS check. The connections might be just a way to create DNS queries to check whether the DNS server in the system is properly configured. This is a stronger possibility than b), but it probably fails for the same reason: why SSL and not a simple DNS request?

d) The internet performance check. The connections might be measuring how fast the victim's internet connection is. If this mail agent is anything like other modern spambots such as Cutwail, there is a field to configure the number of concurrent connections to mail servers. Cutwail, for instance, had this value preset by the bad guys, but for some slower systems the number might be too high (so that some outgoing mail connections might not happen, or happen too slowly), while faster systems would be able to handle more connections (so that the spambot would not be delivering as many spam emails per second as it could). With a proper internet performance check the spambot would be able to self-configure to the optimal number of connections in order to make the most of the victim's internet connection.

I obviously favor the last theory. I know it's just a theory and I'd probably need to reverse the binary to prove it (or disprove it!), but since I won't have the time anytime soon, I'm just throwing this out there in case somebody wants to pick it up.

As usual, criticism and new theories are always welcome as well as any other comments...
