In this blog post, we'll be describing the functionality of a spamming botnet which appears to have been active since at least the first quarter of 2013. Currently, the bot's activity consists of sending job-related junk mail. We've named this spambot "Gamut" based on a string found in the malware body. At this time anti-virus detection is modest but mostly generic.
Malware Installation:
Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder and installs itself as a Windows service. The following registry key is added as a result of running the service:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WPUms Type = 0x00000010Start = 0x00000002ErrorControl = 0x00000000ImagePath = "path to malware executable"DisplayName = "WPUms"ObjectName = "LocalSystem"
The sample we analyzed uses the name "WPUms" as its service name as well as its mutex name.
The malware utilizes an anti-VM (virtual machine) trick and terminates itself if it detects that it is running in a virtual machine environment. The bot uses INT 03h trap sporadically in its code, an anti-debugging technique which prevents its code from running within a debugger environment. It can also determine if it is being debugged by using the Kernel32 API - IsDebuggerPresent function.
Command and Control server:
After installation, it phones home to the following domain names:
Each of the domain names listed above point to the same hosting service provider, Avguro Technologies Ltd, based in Russia.
|
Domain Names |
Record |
Name |
IP Number |
Reverse |
Routes |
IP Location |
|
serenaso.in.ua dufoper.in.ua toporung.in.ua retionolo.in.ua arondo.in.ua |
A |
serenaso.in.ua |
81.177.135.113 |
81.177.128.0/18 RTCOMM-RU AS8342 RTCOMM-AS OJSC RTComm.RU |
Avguro Technologies Ltd. Hosting Service Provider Russian Federation |
|
|
MX |
mail.serenaso.in.ua mail.dufoper.in.ua mail.toporung.in.ua mail.retionolo.in.ua mail.arondo.in.ua |
|||||
|
NS |
ns1.jino.ru |
217.107.34.200 |
ns1.jino.ru |
217.106.0.0/15 RTCOMM-RU AS8342 RTCOMM-AS OJSC RTComm.RU |
Avguro Technologies Ltd. Hosting Service Provider Russian Federation |
|
|
ns2.jino.ru |
217.107.217.16 |
|||||
|
SOA |
hostmaster.jino.ru |
Older Gamut samples connect to the following domain names:
The bot initiates by connecting to its command and control server which is hardcoded inside the bot's body:
The bot then retrieves the SenderClient.conf file the from command and control server. The file contains the bot configuration such as the thread counts, smtp connection timeout, smtp sending timeout/attempts, etc.
Gamut sends the following commands or actions to communicate to its control server:
| Command/Actions | Definition |
| GetIP | request for infected machine's IP address |
| GetSubscriptionEmailsBlock | get the list of email addresses which will be spammed |
| GetSubscriptionContent | get spam template |
| EmailsSent | report back the list of email addresseses in which spam was successfully sent |
| SubscriptionBlockNotSent | report back the list of email addresseses in which spam was unsuccessfully sent |
| Port25Open | tell the control server that port 25 is open |
| Port25Close | tell the control server that port 25 is closed |
| GetPTR | Get PTR record |
The command is sent as an HTTP POST request. The screenshot below shows the command and control communication where the bot sends a GetIP command requesting the infected machine's IP address:
If the control server fails to obtain the infected machine's IP address, then the bot sleeps for 15 seconds.
Spam Engine:
After installation, Gamut probes the infected system's SMTP port 25 by sending a test SMTP transaction to mail.ru and hotmail.com. After the SMTP test, it tells the command and control server to determine whether port 25 is open or closed.
If the SMTP test is successful, then the bot will request the spam template and email list from the command and control server. If the test is not successful, the bot will sleep for 12 hours.
The Wireshark TCP stream screenshot below shows how the bot requests the spam template using the GetSubscriptionContent command.
If the spam template is empty or broken, the bot will sleep for 1 minute and attempts another request to the command and control server.
Here is a basic flowchart of Gamut's SMTP engine.
A single Gamut spambot can send at least 60,000 spam messages per day depending on the number of target email addresses received from the control server.
Spam Campaign:
It appears that Gamut's current spam campaign is actively targeting job seekers. Here is a sample spam sent by Gamut:
Here are few of the subject subject lines that the bot may use:
A great offerA great offer of employmentA great offer of employment in our new storeA vacancy in our new store for youApplication for a vacancyApplication for a vacancy in our new storeEmployee neededMore opportunitiesMore opportunities of employmentMore opportunities of employment in our new storeNew vacancies openedNew vacancies opened in our newly opened storeNew vacancyNew vacancy in our shopNew vacancy in recently launched store!Sales assistant vacancyVacancy of a sales assistant in our new shopVacancy onlineWe have a need in a sales assistant in our new storeWe search for employeesWe invite you to try yourself in our companyWe invite you to try yourself as a professional in our companyWe invite you to try yourselfWe invite you to tryWe invite you to join our united teamWe invite you to join our united qualified teamWe invite youOur company offers you to join our close knit qualified team\Our company offers an interesting positionNew vacancy in our teamNew vacancy in our professional teamJoin our united teamA great chance to join our professional teamA position in our company is availableA position in our united qualified team is waiting for you
The link in the message body points to a dodgy job website where the victim's name and email address are required for the hiring process. We tested signing-up by using fake names and emails, but we never received a reply. Most likely, the email entered are collected by spammers.
Trustwave Secure Email Gateway protects our customers from this spam campaign.
Conclusion:
The Gamut botnet was designed purely to send spam. It has a very simple command and control infrastructure as well as spamming engine. We brought this bot into focus because simple botnets like Gamut sometimes fall under the radar. Currently, it attributes to less than 5% of total spam volume. This spam botnet however appears to be building and has a capability to send massive amounts of spam.
