Nothing lasts forever. Just like Mega-D, the Lethic botnet has come back from the dead. It was disabled in early January, but last Thursday (February 11, 2010) it resumed spamming after a month of silence. This week, Lethic accounted for 1.7% of the spam we received in our spam traps.
Figure 1. Lethic is currently responsible for 1.7% of spam volume.
Figure 2. Between January 9, 2010 and February 10, 2010 we received zero spam from the Lethic botnet, but it resumed on February 11, 2010.
So what's new with the bot? Although the new Lethic bot uses the same customized command and control (C&C) protocol that we illustrated here, some of the traffic between the bot and the C&C is now XOR-encrypted with a simple single-byte key, perhaps to bypass firewall rules.

Figure 3. The data communication is encrypted using a one-byte XOR algorithm. The first byte sent by the C&C server is actually the encryption/decryption key.
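As an added illustration for analysts (this is not code from the original post or from any Lethic analysis), the Python below decodes a captured session using the framing described above: the first byte from the server is taken as the key and the rest of the session is XOR-decoded with it, and a brute-force key recovery is included for captures where that first server byte was missed. It assumes the same key is used in both directions and that the remainder of the first server message is already encrypted; the post states neither.

```python
from __future__ import annotations


def split_key(server_first_message: bytes) -> tuple[int, bytes]:
    """Return (key, remaining payload) from the first message the C&C sends.

    The post says the first server byte is the XOR key. Treating the rest of
    that message as already-encrypted payload is an assumption."""
    if not server_first_message:
        raise ValueError("empty server message: no key byte to extract")
    return server_first_message[0], server_first_message[1:]


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_session(server_first: bytes, later_messages: list[bytes]) -> list[bytes]:
    """Decode a whole session: the first server message supplies the key,
    and every later message (either direction, by assumption) uses it."""
    key, first_payload = split_key(server_first)
    return [xor_decode(first_payload, key)] + [xor_decode(m, key) for m in later_messages]


def recover_key(ciphertext: bytes) -> int:
    """Brute-force all 256 keys when the key byte was not captured, scoring
    candidates by how text-like the result is (letters/space weigh more)."""
    def score(pt: bytes) -> int:
        total = 0
        for b in pt:
            if 65 <= b <= 90 or 97 <= b <= 122 or b == 32:
                total += 2
            elif 33 <= b <= 126 or b in (9, 10, 13):
                total += 1
        return total
    return max(range(256), key=lambda k: score(xor_decode(ciphertext, k)))


# Constructed sample session (not real Lethic traffic), encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_SERVER_FIRST = bytes([SAMPLE_KEY]) + xor_decode(b"HELLO\r\n", SAMPLE_KEY)
SAMPLE_BOT_REPLY = xor_decode(b"ID=bot1234 OS=WinXP\r\n", SAMPLE_KEY)
```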
The new Lethic bot contacts its control server using port 3956 on the following domain names:
- zjixjhs.com (66.55.148.72) hosted by Choopa, LLC.
- saddfcmed.com (67.58.96.202) hosted by CPC Technologies, LLC.
- hkcxksnw.com (67.58.96.194) hosted by CPC Technologies, LLC.
- zxokdij.com (66.55.148.70) hosted by Choopa, LLC.
- sdflcvd.com (66.55.148.69) hosted by Choopa, LLC.
One of the samples we analysed connects to p34s3.hmarhelo.com (98.126.77.178) using port 1199.
The Lethic spam campaigns continue to focus on replica watches, bags, pills and Canadian pharmacy programs.