Botnet tracking
August 11, 2008 8:13 PM

I run A couple of weeks ago a spam got through the filter telling me the Beijing Olympics had been canceled, and I got interested in where that link took me. I'm a sucker for Javascript obfuscation. But then a little light went on in my head -- if one got through, how many got blocked? Turns out: a lot. I've been down the rabbit hole ever since. It's been fun; maybe you think so, too.
posted by Michael Roberts (13 comments total) 2 users marked this as a favorite

Heh. Hooray for spam nerdery.
posted by cortex at 9:22 AM on August 12, 2008

Nyark, nyark. I got spam nerdery like nobody -- I've been a spam junkie since the 90's.
posted by Michael Roberts at 11:16 AM on August 12, 2008

I don't know what the hell I just voted for, but this is pretty cool. I think.

I so want to ask, but what's it do? but this would just point out my ignorance, so instead I'll just give it a thumbs up and act like I know!

Seriously, is there any practical application for this? Or is it indeed just spam herdery? Surprisingly, I'm fine with either answer.
posted by cjorgensen at 12:31 PM on August 12, 2008

Well, the practical application is to Know Thine Enemy. I've had several benefits from it: first, I know 15,000 IPs used to inject spam into, accounting for 3.9% of my spam right now -- I can block them specifically as soon as I have the time, and it's better in the end than simply blocking everything that looks like a DSL line. More sophistication in the filters is always a better thing.

Second, I've learned some Javascript. That's been fun. I haven't actually written much of it up yet, but one in particular was cool; it encrypted a payload script and used its own source and location URL as a key to verify it hadn't been modified before unpacking. (Of course, Javascript renders that kind of care moot, but it took me two days to figure it out.)

But mainly -- these jackholes are stealing the world's computers with the full knowledge of the Russian government and if you think they aren't the guys who took Estonia off the net, then I have a bridge I'd like to talk to you about. (If not this specific group, then another -- the principle applies nonetheless.)

Stupid little scripts like mine are part of the Internet's immune system. Eventually, it all adds up and we all become a little stronger, a little smarter.

But in the end? Spam nerdery. Or herdery. It's just a basic fascination. At some point, they'll start using self-modifying code and it'll all bootstrap up to intelligence and kill us.
posted by Michael Roberts at 12:51 PM on August 12, 2008

I like how the Google Ad on the bottom of your page is for a service to "Get Past Spam Filters".
posted by rajbot at 6:12 PM on August 12, 2008

Actually, your little project is about to become a regular thing for me to check on. A few days ago one of the lawyers in our office got the anti-virus popup after opening some CNN spam. Just today, our spam filter sent out a warning notification about the CNN Daily Top 10 spam and the changeup to MSNBC. Of course, you had caught them first - could have saved us a heart attack or two if I had notified people earlier instead of waiting for the "official" notification.
posted by cimbrog at 10:25 AM on August 14, 2008

This is awesome!
posted by JHarris at 12:28 PM on August 15, 2008

Holy schemoley, this got picked up by today and traffic is much, much more interesting!
posted by Michael Roberts at 5:14 PM on August 17, 2008

Why do email providers still allow users to send executables (or zipped or rar'd executables) in email? Seriously, block this, and you've blocked a lot of this stuff.
posted by damn dirty ape at 1:21 PM on August 18, 2008

Many do. That's why these emails don't contain executables.

Instead, the operators of the botnet hijack server accounts (usually an FTP password obtained by means unknown) and store the executable there. Some simply link to the executable from the email. Some have a link to a PHP page which forwards to the executable. Some have a link to static HTML containing Javascript which forwards to the executable.

Not these guys. These guys link to the executable from something that looks a whole lot like a video. And just in case that doesn't work, they have a meta refresh that fires after 30 seconds (or 10). And just in case that doesn't work, they have an invisible iframe that loads Javascript that loads a different executable, or exploits vulnerabilities in your Quicktime or Flash plugins. And just in case that doesn't work, they pop up a window that says it's scanning for viruses and loads yet another executable while you're waiting, and if you try to close, it warns you that your system may not be secure if you stop it. (ha!) And just in case that doesn't work, they also pop up a Javascript window that won't let you close your browser without loading that damned executable.

But just attach an executable to the email? Sheesh. That's so twentieth, man. Nobody does that except my kid sister.
posted by Michael Roberts at 8:44 PM on August 18, 2008
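
An added example, not part of the original comment: a small Python scanner that flags, in a fetched landing page, the fallback layers described above (direct link to an executable, meta refresh to an executable, hidden iframe, close-trap handler). The extension list, the "hidden" heuristics and the sample page on the placeholder host example.invalid are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Extensions treated as executable downloads (assumption for this sketch).
EXEC_RE = re.compile(r"\.(exe|scr|pif|bat)(\?|#|$)", re.I)

class LureScanner(HTMLParser):
    """Collects indicators matching the fallback chain described above."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and EXEC_RE.search(a.get("href", "")):
            self.findings.append(("link-to-executable", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "30; url=http://host/file.exe"
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m and EXEC_RE.search(m.group(1)):
                self.findings.append(("meta-refresh-to-executable", m.group(1)))
        elif tag == "iframe" and self._hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        if "onbeforeunload" in a:  # handler that interferes with closing the page
            self.findings.append(("close-trap-handler", tag))

    @staticmethod
    def _hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        zero = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return zero or "display:none" in style or "visibility:hidden" in style

def scan(html):
    s = LureScanner()
    s.feed(html)
    return s.findings

# Constructed sample page (not captured traffic).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="30; url=http://example.invalid/codec.exe">
</head><body onbeforeunload="return warn()">
<a href="http://example.invalid/codec.exe"><img src="player.jpg"></a>
<iframe src="http://example.invalid/x.html" width="0" height="0"></iframe>
<a href="/about.html">About</a>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(kind, detail)
```

Script-driven pop-ups and plugin exploits loaded inside the iframe are outside what static tag inspection can see; the hidden iframe itself is the indicator here.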

It's a popular trick and how most botnets get started. I analyzed some spam at my place recently and found a very popular trojan embedded in a zip file. The metadata on the file was changed so it looks like an acrobat file. So they unzip it and run it thinking it's a zipped pdf. Still extremely popular and it still blows my mind that anyone allows any exe's through email.
posted by damn dirty ape at 10:52 PM on August 18, 2008
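
An added example, not part of the original comment: a body-level filter check in Python that opens zip attachments and flags any member whose content begins with the `MZ` magic of a Windows executable, regardless of what its name or icon suggests. The helper names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

def executables_in_zip_attachments(raw_message):
    """Return (attachment, member) pairs whose content starts with the 'MZ'
    magic of a Windows executable, whatever the file name claims."""
    hits = []
    msg = message_from_bytes(raw_message)
    for part in msg.walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                try:
                    with zf.open(info) as fh:
                        magic = fh.read(2)
                except RuntimeError:
                    # Password-protected member: content cannot be inspected.
                    hits.append((part.get_filename(), info.filename + " (encrypted)"))
                    continue
                if magic == b"MZ":
                    hits.append((part.get_filename(), info.filename))
    return hits

def build_sample(member_name, member_bytes):
    """Constructed test message with one zip attachment (not real spam)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    disguised = build_sample("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    print(executables_in_zip_attachments(disguised))
```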

I'm going to have to do some research on that, then -- I've never actually looked at bodies at all at Despammed; header filtration is already pretty effective.

So it occurred to me that if this botnet were DDoSing, say, Georgia, at a point in time, say, leading up to a Russian invasion, then you'd expect to see less spamming activity from the botnet during that time. Right?

Oh, that's a shame. No graphics in comments here. Well, I have the graph up on the project page. Go judge for yourself. And tell me if I'm just staying up too late or if there's some meaning there.
posted by Michael Roberts at 11:10 PM on August 18, 2008

Oh, and after my spiel yesterday, today the botnet is linking directly to hosted executables.

posted by Michael Roberts at 5:12 AM on August 19, 2008
