M86 Finds Xarvester Botnet Originating from the Electronic Grave
Phil Hay, a security researcher at M86, recently reported that his group has identified the old Xarvester botnet, first noticed in 2008 and accounting for 150,000 spam messages daily at its peak. He stated that the botnet has come back from the electronic grave, as reported by Infosecurity-Magazine on May 25, 2011.
Hay noted that, while this comes as a surprise, it also comes against the backdrop of the Rustock spambot shutdown and the major changes in the botnet landscape over the past few months.
Hay said that these two botnets, along with Donbot, an old bot from 2006, were absent from the bot charts just six months earlier (at the end of 2010); now, apparently, someone has revived these spam bots.
Hay added that Xarvester first came to M86's attention around two years ago, when it rose to prominence after the hosting provider McColo was taken down, which destroyed Srizbi, the top spamming botnet at the time. He further noted that M86 had also observed Xarvester being clearly connected to Spamit.com, having found Spamit traces in Xarvester spam templates. So when they recently came across a Xarvester bot, they decided on a thorough investigation.
According to Hay, the sample M86 used for its analysis was not labelled Xarvester by any anti-virus vendor: Microsoft detects it as Bymot and AVG as SpamTool (VirusTotal report). Hay added that a closer look at the strings in the malware body convinced M86 that what they were looking at was definitely Xarvester, as they had seen the same strings in earlier Xarvester bots.
Hay stated that the spambot itself is quite simple. When the executable runs, it first performs a query to determine the host's IP address. The bot then connects to another domain and requests an encrypted file which, once decrypted, turns out to be a container for several files the bot needs in order to spam.
In conclusion, Hay stated that this is very similar to what M86 observed with Xarvester earlier. The headers of the spam messages are very uniform, and closer inspection revealed that the bulk of the header is hard-coded inside the malware body, which is unusual compared with many other current bots, which vary their headers frequently.
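The hard-coded header observation above is something a mail-gateway defender can turn into a detection: messages generated from a fixed template share an identical header skeleton (the same header names in the same order, the same shape of Message-ID, the same mailer and content-type strings), whereas mail from a mix of real clients does not. The following is an added example, not code from M86 or from the article; the sample messages are constructed for illustration and are not real Xarvester output, and the fingerprinting scheme (header-name order plus the character shape of a few structural headers) is this example's own assumption, not a documented Xarvester signature.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample header blocks (NOT real Xarvester traffic). Messages 0-3
# imitate template-generated spam: the same header names in the same order,
# the same X-Mailer and Content-Type strings, and Message-IDs of identical
# shape. Messages 4-6 imitate ordinary mail from different clients.
SAMPLE_MESSAGES = [
"""Received: from [198.51.100.7] (helo=example-host)
From: "Sales" <sales@example.net>
To: victim1@example.org
Subject: Discount offer
Date: Thu, 26 May 2011 09:12:33 +0000
Message-ID: <20110526091233.12345@example.net>
X-Mailer: ExampleMailer/1.0
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit""",
"""Received: from [198.51.100.8] (helo=example-host)
From: "Sales" <sales@example.net>
To: victim2@example.org
Subject: Your order
Date: Thu, 26 May 2011 09:12:40 +0000
Message-ID: <20110526091240.12391@example.net>
X-Mailer: ExampleMailer/1.0
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit""",
"""Received: from [198.51.100.9] (helo=example-host)
From: "Sales" <sales@example.net>
To: victim3@example.org
Subject: Limited time
Date: Thu, 26 May 2011 09:13:02 +0000
Message-ID: <20110526091302.12402@example.net>
X-Mailer: ExampleMailer/1.0
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit""",
"""Received: from [198.51.100.10] (helo=example-host)
From: "Sales" <sales@example.net>
To: victim4@example.org
Subject: Special price
Date: Thu, 26 May 2011 09:13:15 +0000
Message-ID: <20110526091315.12417@example.net>
X-Mailer: ExampleMailer/1.0
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit""",
"""From: Alice <alice@example.com>
To: bob@example.org
Subject: Re: meeting notes
Date: Thu, 26 May 2011 10:01:00 +0200
Message-ID: <4DDE0A1C.7090105@example.com>
User-Agent: Mozilla/5.0 (X11; Linux) Thunderbird/3.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed""",
"""Received: from mail.example.edu (mail.example.edu [203.0.113.9])
Date: Thu, 26 May 2011 08:45:12 -0400
From: Carol <carol@example.edu>
To: dave@example.org
Subject: Lab schedule
Message-ID: <alpine.DEB.2.00.1105260844560.1234@example.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII""",
"""MIME-Version: 1.0
Received: by 10.1.2.3 with HTTP; Thu, 26 May 2011 03:15:44 -0700 (PDT)
Date: Thu, 26 May 2011 11:15:44 +0100
Message-ID: <BANLkTimXYZ123@mail.example.com>
Subject: photos
From: Erin <erin@example.com>
To: frank@example.org
Content-Type: multipart/alternative; boundary=00163646d7b4""",
]

# Headers whose *shape* (not exact value) is part of the fingerprint.
# This selection is an assumption of the example, not a published signature.
SHAPE_HEADERS = {"message-id", "date", "content-type", "x-mailer",
                 "user-agent", "mime-version"}


def parse_headers(raw):
    """Parse a raw header block into an ordered list of (name, value).
    Folded continuation lines (leading whitespace) are joined to the
    previous header; parsing stops at the first blank line."""
    headers = []
    for line in raw.strip("\n").splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def value_shape(value):
    """Reduce a header value to its character-class shape so that values
    differing only in digits/letters (timestamps, IDs) compare equal."""
    return re.sub(r"[A-Za-z]", "a", re.sub(r"\d", "9", value))


def fingerprint(raw):
    """Fingerprint = ordered header names + shape of structural headers."""
    headers = parse_headers(raw)
    parts = ["|".join(name for name, _ in headers)]
    for name, value in headers:
        if name in SHAPE_HEADERS:
            parts.append(f"{name}={value_shape(value)}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]


def cluster_by_fingerprint(messages):
    """Map each fingerprint to the indices of messages that share it."""
    groups = defaultdict(list)
    for idx, raw in enumerate(messages):
        groups[fingerprint(raw)].append(idx)
    return dict(groups)


def flag_uniform_clusters(messages, min_size=3):
    """Return only the clusters large enough to suggest a fixed template."""
    return {fp: idxs for fp, idxs in cluster_by_fingerprint(messages).items()
            if len(idxs) >= min_size}


if __name__ == "__main__":
    for fp, idxs in flag_uniform_clusters(SAMPLE_MESSAGES).items():
        print(f"template-like cluster {fp}: messages {idxs}")
```

In practice the threshold would be set per sending IP or per time window rather than over a whole corpus, and the fingerprint would be one signal among several; a single legitimate mailing-list run also produces uniform headers, so the cluster is a lead for an analyst, not a verdict on its own.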
SPAMfighter News - 03-06-2011