The ‘New’ Storm
Last week, ShadowServer posted a great blog about this new p2p spam botnet. In this post, I'll mainly focus on its communication protocol and the encryption algorithm of bot version 0.0.49.
The following figure shows its bootstrap sequence before communication starts.
1. Update Peer List
After the bootstrap, it will try to 'talk' to the peers which are hardcoded in the binary. (Peer number? Sorry, I didn't count.)
It will send the following data via TCP/80.
After reversing its data composition routine, the real encrypted data actually starts at offset 0x22 (highlighted).
01 02 01 01 01 01 02 01 – Hardcoded ANMP flag (the name the author gave the protocol)
51 01 00 00 – data length (includes the 1 byte which is still unknown, 0x0B in this case)
00 00 00 00 – unknown
01 – hardcoded, unknown
E8 03 – hardcoded, unknown
03 00 00 00 – unknown
00 00 00 00 – unknown
00 00 00 00 – unknown
0B – unknown
… – encrypted data
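To make the header layout above usable for traffic inspection, here is an added Python parser (my example, not code from the post or from the bot) that checks the hardcoded flag, unpacks the fixed fields little-endian, and validates that the length field equals the trailing byte plus the encrypted blob. Offsets are taken relative to the first flag byte; the sample message, the field names and the dummy encrypted bytes are constructed, and the Blowfish/zlib layer is left alone because the key lives in the binary, not on this page.

```python
import struct
from dataclasses import dataclass

# Hardcoded ANMP flag bytes as listed for v0.0.49
ANMP_FLAG = bytes([0x01, 0x02, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01])
HEADER_FMT = "<IIBHIIIB"  # fixed fields after the flag: 4+4+1+2+4+4+4+1 bytes
HEADER_LEN = len(ANMP_FLAG) + struct.calcsize(HEADER_FMT)  # 32 bytes

@dataclass
class AnmpMessage:              # field names are my own, not from the binary
    data_length: int            # counts the trailing byte plus the encrypted blob
    unknown1: int
    const_byte: int             # hardcoded 0x01 in the captured sample
    const_word: int             # hardcoded 0x03E8 in the captured sample
    unknown2: int
    unknown3: int
    unknown4: int
    trailing_byte: int          # 0x0B in the sample, meaning still unknown
    encrypted: bytes            # zlib + Blowfish blob, not decrypted here

def parse_anmp(buf: bytes) -> AnmpMessage:
    """Parse one ANMP message starting at the flag; raise on malformed input.
    The length field must cover exactly the trailing byte plus the payload."""
    if len(buf) < HEADER_LEN or buf[:len(ANMP_FLAG)] != ANMP_FLAG:
        raise ValueError("not an ANMP message")
    fields = struct.unpack_from(HEADER_FMT, buf, len(ANMP_FLAG))
    length = fields[0]
    body = buf[HEADER_LEN:HEADER_LEN + length - 1]
    if length < 1 or len(body) != length - 1:
        raise ValueError("data length does not match the captured payload")
    return AnmpMessage(*fields, encrypted=body)

def find_anmp_messages(stream: bytes) -> list:
    """Scan a reassembled TCP/80 stream for ANMP messages (detection use)."""
    found, pos = [], stream.find(ANMP_FLAG)
    while pos != -1:
        try:
            msg = parse_anmp(stream[pos:])
            found.append(msg)
            pos = stream.find(ANMP_FLAG, pos + HEADER_LEN + len(msg.encrypted))
        except ValueError:          # flag bytes inside other data, keep scanning
            pos = stream.find(ANMP_FLAG, pos + 1)
    return found

def build_sample() -> bytes:
    """Constructed message using the header values quoted in the post (0x151)."""
    encrypted = bytes(range(256)) + bytes(80)  # 336 placeholder bytes, not real
    header = ANMP_FLAG + struct.pack(HEADER_FMT, 0x151, 0, 0x01, 0x03E8, 3, 0, 0, 0x0B)
    return header + encrypted
```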
The encrypted data is zlib-compressed and encrypted using Blowfish (the password is base64-encoded and hardcoded in the binary). After decryption, the clear data sent to the peer is the following:
The actual data sent to the peer contains two main parts: the bootstrap peer list and the bot (peer) info.
//bootstrap peer list
m_bootstrap_list
m_clients_list
//one or more peer info entries
m_client_id
m_ip
m_last_active_time
m_last_active_time
m_listening_port
m_live_time
//bot info
m_client_id
m_current_time
m_external_info_packed
m_external_data_blob
m_external_data_signature
m_external_info_id
m_listening_port
m_live_time
m_version
m_build
m_build_name
m_major
m_minor
After that, the peer sends its bootstrap list and its updated peer list back to the bot (peer). The data layout is almost the same, except that the bot build (version) info is absent and "m_success" is appended.
2. Retrieve Spam-Related Stuff & Send Report
After the bot (peer) has updated its peer list, it tries to retrieve the spam info from the peer.
It will send the following HTTP GET to the peer. The clear data is the following:
The data includes two main parts: the bot (peer) info and the current spam job info, with the following fields:
client_id
m_client_build_name //seems always to be “test”
m_client_ver_entry
m_build
m_build_name
m_major
m_minor
m_client_version //0.0.49
m_is_first_meet
m_last_worked_job_id
m_listenning_port
m_mail_section
m_current_que_size
m_plugins_configs_send_data
m_dns_config_id
m_from_client_mail_section
m_hosting_config
m_config_id
m_socks_config_id
Then the peer responds with the following data (clear):
We can see that it contains the server config, spam template, etc. :]
After the job is done, it sends a report of the spam email sending status. The following is an example of this report.
Diff between v0.0.48 and v0.0.49:
Sorry for not giving more explanations. I'll dig deeper to figure out the "unknown" parts.
-Kyle Yang