2007-01-01
Abstract
Just as it seemed that mass-mailers were dying away, a new breed emerged: Stration (aka Warezov, or Strat). Ivan Macalintal investigates the motives of the Stration gang.
Copyright © 2007 Virus Bulletin
Recently the anti-virus and computer security industry has focused increasingly on targeted trojan attacks, trojan downloaders and spyware/adware rather than the mass-mailers that plagued cyberspace just a few years ago. However, just as it seemed that mass-mailers were dying away, a new breed emerged: Stration (aka Warezov, or Strat).
The first variant appeared on 16 August 2006 and was given the detection name WORM_STRATION.A. After only two months Trend Micro had received well over 150 variants, the most recent of which (at the time of writing this article) is WORM_STRAT.EQ, detected on 25 October.
At first, the behaviour of the Stration worms was perplexing. They exhibited features much like those used by previous mass-mailers, but there were differences:
The worms exhibited bursts of ‘spiked attacks’ or continuous massive spamming in short time frames.
Stration’s downloader components used various top-level domains as infection vectors.
Stration appeared to have a financial motive, unlike previous worms whose only purpose was to spread to as many computer systems as possible, as quickly as possible.
This paper attempts to reveal the underlying motive of the seemingly random and nonsensical outbursts of the Stration worm.
On the surface, the Stration attacks look like a pointless series of worm propagation, but further investigation shows that this is not the case. Let’s take one recent variant’s behaviour as an example: WORM_STRAT.DV.
The worm is downloaded from one of the many URLs that Stration uses as infection vectors. Once executed, it drops a number of Dynamic Link Library (DLL) files in the system directory:
| File | Size |
|---|---|
| attstat.dll | 143,360 bytes |
| confatt.dll | 53,248 bytes |
| attprf32.dll | 53,248 bytes |
| attperf.exe | 40,960 bytes |
| attmgr32.dll | 356,352 bytes |
| atrconf.exe | 49,152 bytes |
We will take a closer look at two files: audstat.dll and atrconf.exe. After execution, audstat.dll decrypts a number of URLs in memory, as shown in Figure 1.
The second file in question, atrconf.exe, connects to the URL using IP address 208.66.194.207, as shown in Figure 2. The decrypted URL is http://shionkertunhedanse.com:25/outtask/urlTask8_c_2.txt?id=%s&flag=%d.
Figure 3 shows the result of loading the URL into a browser. The contents are dynamic, changing upon every reload of the page.
The following is an example of the content:
26|http://serv1.shionkertunhedanse.com/outtask/tasks/task_26_letter_1162078914.txt| http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/ report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put| 27|http://serv1.shionkertunhedanse.com/outtask/tasks/task_27_letter_1162078914.txt| http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/ report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put| 28|http://serv1.shionkertunhedanse.com/outtask/tasks/task_28_letter_1162078914.txt| http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/ report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put| 29|http://serv1.shionkertunhedanse.com/outtask/tasks/task_29_letter_1162078915.txt| http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/ report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put| 30|http://serv1.shionkertunhedanse.com/outtask/tasks/task_30_letter_1162078915.txt| http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/ report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put|
Let’s look at the first two URLs in the first row. Figure 4 shows what we will see when the first URL is loaded into a web browser.
Looking at Figure 4, we can see that it’s an email template. We saved the contents of the template and renamed it with an .EML extension. The result is shown in Figure 5 - it’s an image spam advertising Viagra and other drugs.
Figure 6 shows the result of loading the second URL into a web browser. This URL resolves to a site containing a list of email addresses. These are the target recipient email addresses that Stration uses to send the image spam. The number of email addresses found here continues to increase at the time of writing this article. They are gathered from the Internet via blogs, forums and mailing lists, as well as from infected PCs.
Although every spam email sent by Stration differs through the use of pixel randomization and hash-busting techniques, we have identified four distinct types. These are shown in Figure 7.
All of Stration’s spam messages advertise the domains of RXNN.ORG, RXEE.ORG and RX444.COM. All of these are registered under the name of either ‘Wang Pang’ or ‘Bai Ming’ - both of which have regularly been listed in spam forums and domain/URL abuse networks and services as prolific spammers from China. It is also interesting to note that ‘Wang Pang’ is the registrant and admin name for the URL used in the very first Stration variant.
The URLs at which the email addresses are hosted are dynamic. The one shown in Figure 6 is still live at the time of writing this article. A second email address-hosting URL, http://www1.vedasetionkderun.com:8080/dsl, is inaccessible at the current time.
The number of email addresses listed on these sites is mind-boggling. To date, we have identified around 20 million unique email addresses, with the number still increasing - indicating that the Stration gang is carrying out an attack on an enormous scale.
So far, the infected parties we know about have included ISPs, banks and financial institutions and enterprise, government and educational institutions, with hundreds of thousands of users being affected. The number continues to increase as new variants appear.
As we can see, Stration is all about spam - image spam. And when spam is involved, there tends to be a lot of money at stake. Looking further at the implication of this threat, we can see that there has been a steady increase in spam rates recorded over the last couple of months.
Figure 8 shows data collected by Commtouch, illustrating the increase in spam over recent months. Our own records (Figure 9) show that the percentage of image spam has been increasing in recent months, coinciding with the period when Stration infection reports were on the rise.
The Stration threat has been contributing significant numbers to the spam and, in particular, image spam flooding cyberspace and wasting Internet resources. This has been Stration’s primary motive all along.
In November 2006 it was discovered that the authors behind Stration were also using another malware family, known as Medbot, to make sure that their goal of proliferating huge amounts of Viagra spam was achieved.
In August 2006 - almost at the same time as the first Stration variant appeared - a new strain of IRC bot was released. This was Medbot, an IRC bot that also attempts to infect computers with the aim of turning them into zombies to send spam. We sniffed through WORM_MEDBOT.AI traffic and found that it connects to the IRC server reg.raxoper.com with the user ‘nick jebr-1_[four digit random number]_[four digit random number]’.
Once a private session is established, the controller issues several commands that are programmed into Medbot. For the session we monitored, the controller issued a download-and-execute command for four files:
modul32e.m.exe injs.n.exe hdd.h.exe ssd32.j.exe
These files are located in http://up.medbod.com/up.
Most notable of the four downloaded files is modul32e.m.exe, which accepts a URL as a parameter. Downloading the file from the URL reveals that it contains a lot of links to other files. A brief summary of the file lists includes the following:
s3.2.txt file from the seeky.mootseek.com domain
domain.cab file
fname.cab file
lname.cab file
pattern.txt file from the up.medbod.com domain
and a lot of other files from the seek[1-2 digit number].mootseek.com domain.
Surprisingly, the s3.2.txt file contains an email template that resembles spam. The files domain.cab, fname.cab and lname.cab contain archived files named domain, fname and lname, respectively. The domain file contains a list of various domains, fname contains a list of common first names, while lname contains a list of last names. The file pattern.txt contains phrases that can be used as email subjects.
The files from the ‘seek[1-2 digit number].mootseek.com’ domain are text files containing lists of email addresses that are not covered by the combination of strings found in fname/lname@domain. The s3.2.txt file is updated frequently, changing the URL link being advertised on the spam mail template. The same is true for the numerous files from the seek[1-2 digit number].mootseek.com domain. The only files that remain constant are the domain, fname and lname files. These files indicate that the intention of WORM_MEDBOT is - again - to turn infected computers into spam machines sending drug-related spam messages.Figure 10
shows some snapshots of the spam mails that are sent from Medbot-infected machines to millions of target recipients.
Running WHOIS on the domains of the sites advertised in the Medbot spam emails gives us the following information:
Registrant: Dima li jungonglu1219hao 200093 Administrative contact: Dima li
‘Dima Li’ is another of the aliases used by the registrants/administrators of the domains used by the Stration worms. Coincidence? Add to that the fact that both malware families appeared almost at the same time and it starts to look likely that these malware families may indeed be connected.
Figure 11 shows a site advertised in the spam messages sent by Medbot. Now take a look at Figure 12, which shows a site advertised in the spam messages sent by Stration. Coincidence? We don’t think so.
From this, we can safely assume that the authors behind Stration are using more than one malware family to achieve their goal. This increases the chances of users receiving spam advertising their pharmaceuticals-related business.
We can use ‘deadend’ email addresses to increase our sample collection via spamtraps. But how about the other legitimate and live email addresses - can they be of any use? Based on the sampling of email addresses that we have gathered, we have a good idea of Stration’s targets and audience demographic, and of the likely targets in the days, weeks or even months to come.
Is it possible that we can offer a service by working closely and coordinating with the affected recipients regarding the possible targets in their organizations?
Can we, say, implement a task force to make sure that these email recipients’ systems are well-guarded and that their email-filtering systems, anti-virus signatures and engines are updated so we can lessen the impact of the overall target of Stration (and of Medbot)?
I believe it is possible, with this information at hand, that we can minimize the damage of Stration and protect our customers and other users even before any future Stration event or attack occurs.
The web threat space is, and will continue to be, augmented by Stration and Medbot and any other malware that uses the Internet as one of its main infection vectors. Moreover, the Internet will continue to be populated not only by malicious code but by spam as well, draining our precious resources.
