I was working today and today was an interesting day working. The task was to figure out why this client was threatened by their ISP to be cut off because they were spamming lots.
Well, that was easy – it’s a sure thing – they’ve got a spam bot installed on one of their machines. Figuring it out isn’t hard. In fact, I knew what machine it was going to be just based on who uses the computers.
I took this opportunity to learn a bit about the spam bot/root kit installed; but unfortunately for me the hub I took in wasn’t really a hub so my packet sniffing capabilities were limited. I did however find out that this root kit was installed as c:\windows\system32\svchost.exe:exe.exe – that’s a good name. The colon actually saves it as part of svchost.exe (which is a valid Windows component) – it’s tricky.
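The file:name form in that path is an NTFS alternate data stream, which Explorer and a plain dir listing do not show. The following is an added example, not part of the original post: a PowerShell sketch that lists named streams on files in a directory and flags those starting with the "MZ" executable signature. The default scan root and the function name Test-StreamIsExecutable are assumptions made for illustration.

```powershell
# Added example (not from the original post): find named NTFS streams and flag
# the ones that look like executables. Run from an elevated prompt.
param(
    [string]$Root = "$env:SystemRoot\System32"   # assumption: directory to scan
)

function Test-StreamIsExecutable {
    param([string]$File, [string]$Stream)
    # Read the first two bytes of the named stream; PE files begin with 'MZ' (0x4D 0x5A).
    try {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            # PowerShell 6+ replaced "-Encoding Byte" with -AsByteStream
            $head = @(Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount 2 -ErrorAction Stop)
        } else {
            $head = @(Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop)
        }
    } catch {
        return $false   # unreadable stream: report it, but not as a confirmed executable
    }
    return ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
}

Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the normal, unnamed content stream; anything else is a named stream.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file
                    Stream     = $_.Stream
                    Length     = $_.Length
                    Executable = Test-StreamIsExecutable -File $file -Stream $_.Stream
                }
            }
    } |
    Sort-Object Executable -Descending |
    Format-Table -AutoSize
```

Small Zone.Identifier streams on downloaded files are normal; a named stream with Executable set to True on a system binary is what deserves a closer look. A root kit that hooks file APIs on the running system can hide its streams from this, so scanning the disk from a clean boot environment is more reliable.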
I also found out that this sucker basically contacts a site, which was pretty much a random set of letters, and clearly a bullshit domain name. It retrieved instructions from that site and started spamming away. While spamming it would connect to a few other sites – likely to send updates, maybe stats monitoring or just to fetch more info from supervisor nodes.
Although I’m disappointed in the lack of information I was actually able to collect, the whole scenario made more sense to me. I mean, this one system was sending at least 100 messages per minute. That’s over 144,000 messages per day. The traffic outgoing from this machine had pretty much zero effect on the machine itself. It’s actually a good thing Rogers had noticed and threatened them.
Are there really any fixes for this? Now that I’ve finally seen one in action, first hand, it scares me that there are millions of these machines out in the wild.
None of this is new to any security experts, but I think it’s important for regular people to be aware that this type of thing is in the wild and next time you complain about all the spam you get — you’d better check your own system and make sure you’re not the one sending it.