Example 1

Within one particular botnet we observed an attacker who issued the following command (please note that the URLs have been obfuscated):

<St0n3y> .mm http://www.example.com/email/fetch.php?4a005aec5d7dbe3b01c75aab2b1c9991 http://www.foobar.net/pay.html Joe did_u_send_me_this

The command .mm ("mass emailing") is a customized version of the generic spam.start command. This command accepts four parameters:

  1. A URL that returns a list of email addresses (in this case a server-side script rather than a static file).
  2. The web page to advertise in the spam email - this could be an ordinary spam landing page or a phishing site.
  3. The name to use as the sender of the email.
  4. The subject line of the email.

In this case, the fetch.php script returned 30 different email addresses every time it was invoked. To each of these recipients, the bot sent an email message advertising the URL given as the second parameter. In this example, that URL pointed to a web page which attempted to install an ActiveX component on the victim's computer.
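To make the command format concrete, the following Python snippet (added here; it is neither the paper's code nor the bot's) parses the .mm line quoted above into its four parameters and models what the bot does with them: fetch a recipient list, then build one message per recipient advertising the target URL. The fetcher is a constructed stand-in for fetch.php that returns 30 addresses offline, and the sender address, recipient addresses and body text are assumptions; the point is that an analyst watching the C&C channel can recover the subject, sender name and phishing URL from the command alone and turn them into mail-filter indicators before the spam run starts.

```python
import re
from dataclasses import dataclass
from email.headerregistry import Address
from email.message import EmailMessage
from typing import Callable

# The command line quoted above (URLs already obfuscated by the paper's authors).
OBSERVED_LINE = ("<St0n3y> .mm http://www.example.com/email/fetch.php"
                 "?4a005aec5d7dbe3b01c75aab2b1c9991 "
                 "http://www.foobar.net/pay.html Joe did_u_send_me_this")


@dataclass(frozen=True)
class MassMailCommand:
    issuer: str      # IRC nick that issued the command
    list_url: str    # parameter 1: URL returning recipient addresses
    target_url: str  # parameter 2: web page advertised in the spam
    sender: str      # parameter 3: display name of the sender
    subject: str     # parameter 4: subject line


# "<nick> .mm <args>" as it appears in the IRC log
_LINE_RE = re.compile(r"^<(?P<nick>[^>\s]+)>\s+\.mm\s+(?P<args>\S.*)$")


def parse_mm(line: str) -> MassMailCommand:
    """Split a logged .mm command into its four parameters, rejecting malformed lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a .mm command line")
    # Exactly four whitespace-separated parameters. The last one (subject) keeps
    # any remaining whitespace, which is presumably why the operator wrote the
    # subject with underscores instead of spaces.
    args = m.group("args").split(None, 3)
    if len(args) != 4:
        raise ValueError(f".mm expects 4 parameters, got {len(args)}")
    list_url, target_url, sender, subject = args
    for url in (list_url, target_url):
        if not url.startswith(("http://", "https://")):
            raise ValueError(f"parameter is not an http(s) URL: {url}")
    return MassMailCommand(m.group("nick"), list_url, target_url, sender, subject)


def fake_fetch(url: str) -> list[str]:
    """Constructed stand-in for fetch.php: 30 addresses per call, no network access."""
    return [f"user{i:02d}@victims.example" for i in range(30)]


def build_messages(cmd: MassMailCommand,
                   fetch: Callable[[str], list[str]] = fake_fetch) -> list[EmailMessage]:
    """Model the bot's behaviour: one message per fetched recipient, each advertising target_url."""
    messages = []
    for rcpt in fetch(cmd.list_url):
        msg = EmailMessage()
        # Assumption: the bot pairs the supplied name with some throwaway address.
        msg["From"] = Address(display_name=cmd.sender, addr_spec="noreply@example.invalid")
        msg["To"] = rcpt
        msg["Subject"] = cmd.subject
        msg.set_content(f"Have a look: {cmd.target_url}\n")  # assumed body text
        messages.append(msg)
    return messages


def indicators(cmd: MassMailCommand) -> dict[str, str]:
    """Fields an analyst can feed into a mail filter or URL blocklist as soon as the command is seen."""
    return {
        "subject": cmd.subject,
        "from_name": cmd.sender,
        "url": cmd.target_url,
        "list_source": cmd.list_url,
    }


if __name__ == "__main__":
    cmd = parse_mm(OBSERVED_LINE)
    print(indicators(cmd))
    print(f"{len(build_messages(cmd))} messages would be generated per invocation")
```

Because the subject, sender name and advertised URL are fixed by the command for the whole run, all 30 messages from one invocation are identical apart from the recipient; that is the property a content filter can key on, and the reason the list_source URL is worth recording separately as the attacker's address-harvesting infrastructure.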