Researchers map out hard-to-kill, multi-layered spam botnet

A dropper component sent to the Akamai researchers led them to the discovery of a spamming botnet that consists of at least 83,000 compromised systems.

The botnet is multi-layered, decentralized, and widely distributed, the researchers found. The first attribute is what made them name it “Torte” (aka “Cake”).

“The botnet is fairly large and uses both ELF binary and PHP based infections. While binary infections only target Linux, other php based infections were found running on all major server operating systems – Linux, Windows, OS X Unix, SunOS, and variants of BSD,” they shared.

The artefact that triggered the researchers’ attention was a PHP script, which they discovered was used to discover processor’s architecture and operating system. Once that information became known, the dropper would download and execute the ELF binary (“spooler”).

The ELF binary contained several URLs, and each of them had a different task: one hands out spam templates/payloads, which contain links to “landers”, another provides URLs to servers infected with another piece of malware that made them serve as “mailers”, a third one offers up 404 error pages.

The researcher wrote a script that would effectively contact infected hosts (mailers) in order to see how many there are. The result? Over 78,000 unique mailer infections, 56,281 of which were active.

“Mailers offer up only a handful of features, with the primary goal being taking input from the spoolers, doing some socket operations, MX record lookups, then generating and sending the email payloads to the targeted addresses. They also offer some basic stats reporting and tracking, allowing the spoolers to check on jobs and get updates,” they found.

The researchers also identified 1,700+ active lander infections, whose goal is to redirect spam victims to a final lander – a page “properly seeded with affiliate content and links to adult networks,” hosted on servers that have been compromised via FTP credentials brute-forcing.

The researchers believe that the goal of the botnet is to brute force email address combinations so it can push spam to as many as can be found.

“While this doesn’t seem like an especially efficient manner of operating a spam botnet, due to the sheer number of incorrect possibilities it undoubtedly generates, the reality is a system of this size running nonstop would burn through any legitimate email address list it was fed very quickly, leaving it with nothing to do and wasted opportunity. Rather than let that happen, it appears the operators have decided to capitalize on those wasted cycles,” they explained.

Due to its multiple layers, the botnet is very resilient to takedowns and cleanup operations. Each component – spoolers, mailers, campaigns, and landers – can be easily changed if compromised in any way.

But, interestingly enough, the botnet is vulnerable to hijacking attempts due to its weak processes for authentication and verification throughout mailers and the C&C servers.

The researchers have created two shell scripts that can help organizations check if their web servers have been roped into this botnet, and they have included them in the paper detailing the botnet’s operation.

“The botnet described in this paper is not unique, nor is it the last we’ll see of its kind. The structures and methods employed have been seen in the past and will surely continue to be seen well into the future,” they pointed out.

“Torte is another instance of a growing trend that targets the Linux OS via binary infection. These Linux-targeted infections will continue to grow in popularity due to an estimated 1⁄3 of the public servers on the Internet running some variant of the OS. Attackers will continue targeting servers for a multitude of reasons including attack surface availability, always-on and high-bandwidth connectivity, and ease of lateral movement across networks and properties.”