Last week we blogged about the rise of two botnets in our spam statistics and provided details of Xarvester. Today, we take a closer look at the other botnet in question: Donbot.
Donbot has been around for about three years but lately has surged to the top of our spam statistics chart with masses of dating and gambling spam. We recently found a suitable sample (VirusTotal report) and took a look.
When executed, the malware immediately contacted its control server at 18.104.22.168 on port 80 and issued the following POST request:
POST /gateway/index HTTP/1.0
The server replied NO_TASK_WAIT. And wait we did – for a long time, with the bot checking in like this roughly every 20 minutes. Then, after two days, the server suddenly sprang into life and responded with a file to download, svchosta.exe (VirusTotal report):
This installed the Donbot spamming component, which spawned four similar processes on the infected host. The executables were all dropped in the c:\documents and settings\administrator\application data folder on our Windows XP host:
The four processes were all spamming simultaneously. When we killed some of them, the bot simply spawned more copies to replace them. The combined spam output rate was quite impressive: we measured 1800 messages per minute (108,000 messages per hour) in our lab. Before anyone thinks we’re spamming, rest assured that these messages were all captured by our spam sinkhole servers. A rate like this quickly leads to big numbers. Take a botnet of just 1000 bots, multiply that by 108,000 messages per hour, assume each host spams for 8 hours per day, and you get a spamming machine capable of over 800 million messages per day.
The control instructions and reports exchanged between the bot and its control server are all sent in plain text over HTTP. Here, for example, is part of the template used in the gambling spam campaign we discussed last week.
Donbot also sends regular reports back to the server, which include success rates and whether the host appears on any IP blacklist (RBL). Below you can see two characteristics of Donbot traffic – the HALLO and CHUNK markers:
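Because everything travels in the clear, the indicators above are easy to hunt for in proxy or sensor logs. The following is an added example, not code from the original write-up or from Donbot itself: it takes HTTP transactions (the record layout and the sample traffic are constructed here, using the control server address from this post) and flags hosts that POST to /gateway/index and receive NO_TASK_WAIT, carry the HALLO or CHUNK markers in a request body, or check in with the roughly 20-minute period we observed. The 25 percent jitter tolerance is our own assumption.

```python
"""Flag Donbot-style check-in traffic in a set of HTTP transactions.

Added example for this post, not the bot's code or the lab's tooling.
Indicators come from the sample analysed above: POST /gateway/index on
port 80, the NO_TASK_WAIT reply, plain-text HALLO and CHUNK markers, and
check-ins roughly every 20 minutes. The HttpTxn layout and the SAMPLE
records are constructed for the demonstration, not captured traffic.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple

CHECKIN_PATH = "/gateway/index"
IDLE_REPLY = "NO_TASK_WAIT"
REPORT_MARKERS = ("HALLO", "CHUNK")
EXPECTED_PERIOD_S = 20 * 60   # "roughly every 20 minutes" per the post
PERIOD_TOLERANCE = 0.25       # assumption: accept +/- 25 percent jitter


@dataclass
class HttpTxn:
    ts: float            # request time, epoch seconds
    src: str             # client (suspected bot)
    dst: str             # server
    dport: int
    method: str
    path: str
    request_body: str
    response_body: str


def is_checkin(txn: HttpTxn) -> bool:
    """Idle check-in: POST to /gateway/index answered with NO_TASK_WAIT."""
    return (txn.method == "POST" and txn.path == CHECKIN_PATH
            and txn.response_body.strip() == IDLE_REPLY)


def report_markers(txn: HttpTxn) -> List[str]:
    """Which plain-text report markers appear in the request body."""
    return [m for m in REPORT_MARKERS if m in txn.request_body]


def beacon_stats(timestamps: Iterable[float]) -> Optional[Tuple[float, float]]:
    """Mean and population stddev of inter-arrival gaps; None if < 2 gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    return mean(gaps), pstdev(gaps)


def looks_periodic(timestamps: Iterable[float]) -> bool:
    """True when check-ins recur near the expected period with low jitter."""
    stats = beacon_stats(timestamps)
    if stats is None:
        return False
    avg, sd = stats
    near_period = abs(avg - EXPECTED_PERIOD_S) <= PERIOD_TOLERANCE * EXPECTED_PERIOD_S
    low_jitter = sd <= PERIOD_TOLERANCE * avg
    return near_period and low_jitter


def triage(txns: Iterable[HttpTxn]) -> Dict[Tuple[str, str], dict]:
    """Group traffic by (src, dst) and summarise the Donbot indicators seen."""
    by_pair: Dict[Tuple[str, str], List[HttpTxn]] = {}
    for t in txns:
        by_pair.setdefault((t.src, t.dst), []).append(t)
    findings = {}
    for pair, group in by_pair.items():
        checkins = [t for t in group if is_checkin(t)]
        markers = sorted({m for t in group for m in report_markers(t)})
        if checkins or markers:
            findings[pair] = {
                "checkins": len(checkins),
                "periodic": looks_periodic(t.ts for t in checkins),
                "markers": markers,
            }
    return findings


# Constructed sample: one infected host beaconing with small jitter and
# sending a report, plus one benign host that should not be flagged.
C2 = "18.104.22.168"
SAMPLE = [
    HttpTxn(0.0, "10.0.0.5", C2, 80, "POST", CHECKIN_PATH, "", "NO_TASK_WAIT"),
    HttpTxn(1210.0, "10.0.0.5", C2, 80, "POST", CHECKIN_PATH, "", "NO_TASK_WAIT"),
    HttpTxn(2390.0, "10.0.0.5", C2, 80, "POST", CHECKIN_PATH, "", "NO_TASK_WAIT"),
    HttpTxn(3605.0, "10.0.0.5", C2, 80, "POST", CHECKIN_PATH, "", "NO_TASK_WAIT"),
    HttpTxn(3700.0, "10.0.0.5", C2, 80, "POST", CHECKIN_PATH,
            "HALLO ... CHUNK ...", ""),          # constructed report body
    HttpTxn(50.0, "10.0.0.7", "192.0.2.10", 80, "POST", "/login",
            "user=alice", "OK"),
]

if __name__ == "__main__":
    for pair, info in triage(SAMPLE).items():
        print(pair, info)
```

Run on its own the script prints one finding, for 10.0.0.5, with four check-ins, a periodic beacon and both markers present. The HALLO and CHUNK substrings are weak on their own, so in practice they should be combined with the check-in path and reply rather than used as stand-alone signatures.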
The success of sending to individual email addresses is also recorded, so that the operator can continually clean his email address lists of ‘bad’ addresses.
In amongst the template instructions, there is also a bunch of text which looks like it is pulled from a Wiki somewhere. Although we didn’t see it being used in the gambling campaign, this may be for inserting random text into spam messages.
All this is very similar to what we have seen before from Donbot (see our original write-up here). What’s interesting is its sudden rise from obscurity and its high output per host. Why build a fancy new spamming botnet when you can simply tweak some old ones?