RSS feed of TRACElabs Blog from M86 Security

Maazben: Best of Both Worlds

 

October 7, 2009

About 4 months ago, we discussed how proxy-based and template-based spambots work. Most of the spambots we see today use template-based spam engines. This is because proxy-based spambots do not work effectively behind NAT routers. Despite this fact, proxy-based bots are still very much alive.

One of the interesting bots we analyzed recently is Maazben. This bot utilizes both template-based and proxy-based spam engines. Maazben spam focuses exclusively on Casino spam and seems to target Russian and European email domains. So far, we've seen only the Virut and Sality downloaders responsible for distributing the Maazben executables. 

Here is how Maazben works:

Figure 1: Maazben bot flowchart 

 

Installation

When run, Maazben creates a mutex that serves as an infection marker on the compromised system. It usually has a mutex name with the "S_SERV" prefix on it. It then enables the bot executable to bypass the Windows firewall by modifying a registry key:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

<Bot executable> = "<Bot executable>:*:Enabled:ipsec"

The bot now registers its whereabouts to its control server by sending this HTTP GET request:

GET /utest/?jutr=16821&oo=2&936b4=407eec&ra=0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: <control server ip>
Cache-Control: no-cache
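The Installation section leaves a defender with two indicators: a firewall exception whose value follows the "<path>:<scope>:<Enabled|Disabled>:<name>" layout under the AuthorizedApplications\List key, and an HTTP check-in whose URI shape is shown above. The following is an added example (not code from the post or from M86) that parses that value format, triages the allow-list for entries worth a second look, and scans constructed web-proxy log lines for the check-in pattern. The registry paths, the log format and the client addresses are constructed; the assumption that the third query parameter name varies per infection (the post shows only one sample) is marked in the regex comment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the Windows XP firewall allow-list, in the format the
# post describes:  <path> = "<path>:<scope>:<Enabled|Disabled>:<display name>".
# The paths are hypothetical, not indicators taken from the post.
SAMPLE_ALLOW_LIST = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Documents and Settings\user\Local Settings\Temp\svc32.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\svc32.exe:*:Enabled:ipsec",
}


@dataclass
class AllowEntry:
    path: str
    scope: str
    state: str
    name: str


def parse_allow_value(value: str) -> Optional[AllowEntry]:
    """Split an AuthorizedApplications\\List value into its four fields.

    The path itself contains ':' (the drive letter), so split from the
    right: the last three fields are scope, state and display name.
    """
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return AllowEntry(path, scope, state, name)


# Directory fragments a legitimate firewall exception rarely points into.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def suspicious_reasons(entry: AllowEntry) -> List[str]:
    """Return the reasons (possibly none) an allow-list entry looks odd."""
    reasons = []
    lowered = entry.path.lower()
    if any(fragment in lowered for fragment in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    # The post shows Maazben labelling its exception "ipsec" regardless of
    # the binary's own name, so a mismatch with that label is a tell.
    base = lowered.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if entry.name.lower() == "ipsec" and base != "ipsec":
        reasons.append("display name 'ipsec' does not match binary %r" % base)
    return reasons


def triage_allow_list(allow_list: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious executable path to its list of reasons."""
    findings = {}
    for raw_value in allow_list.values():
        entry = parse_allow_value(raw_value)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings


# Constructed web-proxy log lines: "<epoch> <client> <method> <url> "<user-agent>"".
# Only the second line carries the check-in URI shape shown in the post.
SAMPLE_PROXY_LOG = """\
1254900001 10.0.0.12 GET http://example.org/index.html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1254900002 10.0.0.23 GET http://198.51.100.7/utest/?jutr=16821&oo=2&936b4=407eec&ra=0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1254900003 10.0.0.12 GET http://example.org/news?jutr=1 "Mozilla/5.0"
"""

# Assumption: the third parameter's name ("936b4" in the post's sample) is a
# per-infection hex token, so it is matched generically rather than literally.
BEACON_RE = re.compile(r"/utest/\?jutr=\d+&oo=\d+&[0-9a-f]+=[0-9a-f]+&ra=\d+")


def find_beacons(log_text: str) -> List[str]:
    """Return the client addresses whose requests match the check-in pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) < 4:
            continue
        _ts, client, _method, rest = fields
        url = rest.split(" ", 1)[0]
        if BEACON_RE.search(url):
            hits.append(client)
    return hits


if __name__ == "__main__":
    for path, reasons in triage_allow_list(SAMPLE_ALLOW_LIST).items():
        print(path, "->", "; ".join(reasons))
    print("check-in clients:", find_beacons(SAMPLE_PROXY_LOG))
```

On a live system the allow-list values would be read with `winreg` from the key quoted above; the triage logic is the same. The beacon regex is deliberately narrow to the URI shape on this page, so it should be treated as one signature among several rather than a general detector.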

Behind the Router 

Maazben by default is a proxy-based spambot. However, if it finds itself running behind a NAT router, it downloads another spambot executable that uses a template-based engine. The bot herders know that a proxy-based bot behind a router is hard for their control servers to reach, since the server has to initiate the connection to the bot client. In other words, the template-based bot is a contingency plan.

When running behind a NAT router, Maazben retrieves a list of URLs where template-based spambots are served up.

Figure 2: URL list of encrypted spambot  

Notice the .GIF file extension in Figure 2. The link actually points to an encrypted executable of the template-based spambot. Maazben then attempts to download one of the files from the URL list.

Figure 3: packet capture of an encrypted executable being downloaded 

 

After downloading and decrypting the ".GIF" file, the downloaded spambot is executed on the compromised system. An encrypted spamming template is then retrieved from the control server.

Figure 4: An encrypted and decrypted version of the spam template 

The spam template also includes a list containing hundreds of target email addresses and SMTP servers. In addition, the bot collects email addresses from the current user's Outlook Windows Address Book and temporary internet files. It also double-checks whether the infected IP address has been blocked by the following spam blacklists:

  • bl.spamcop.net
  • cbl.abuseat.org
  • list.dsbl.org
  • sbl-xbl.spamhaus.org
  • zen.spamhaus.org
  • combined.njabl.org
  • multihop.dsbl.org
  • blackholes.uceb.org
  • bl.csma.biz
  • db.wpbl.info
  • dnsbl.njabl.org
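The blacklist check above is the standard DNSBL lookup: the bot reverses the octets of its own public IPv4 address, appends the zone name, and asks DNS for an A record; an answer inside 127.0.0.0/8 means the address is listed, NXDOMAIN means it is not. A mail administrator can run the same lookup to find out whether a host on their network is already listed. The example below is added here and is not code from the post; it uses the zones listed on this page, takes an injectable resolver so it can run offline against constructed answers (the hostnames and answers in FAKE_ANSWERS are made up for the example), and falls back to the system resolver when none is given.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# The zones Maazben queries, exactly as listed in the post.
DNSBL_ZONES = [
    "bl.spamcop.net", "cbl.abuseat.org", "list.dsbl.org", "sbl-xbl.spamhaus.org",
    "zen.spamhaus.org", "combined.njabl.org", "multihop.dsbl.org",
    "blackholes.uceb.org", "bl.csma.biz", "db.wpbl.info", "dnsbl.njabl.org",
]

# A resolver maps a DNS name to the first A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets in reverse order, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return "%s.%s" % (reversed_octets, zone)


def is_listed_answer(answer: Optional[str]) -> bool:
    """A DNSBL signals 'listed' with an A record inside 127.0.0.0/8.

    No answer (NXDOMAIN) means not listed. The last octet is a zone-specific
    reason code, which is why the raw answer is kept alongside the verdict.
    """
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def system_resolver(name: str) -> Optional[str]:
    """Look the name up with the host's resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver: Resolver = system_resolver,
             zones: Iterable[str] = DNSBL_ZONES) -> Dict[str, str]:
    """Return {zone: answer} for every zone that currently lists ip."""
    listed = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if is_listed_answer(answer):
            listed[zone] = answer
    return listed


# Constructed offline answers standing in for DNS: the documentation address
# 192.0.2.45 is "listed" in two zones; every other name resolves to nothing.
FAKE_ANSWERS = {
    "45.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "45.2.0.192.bl.spamcop.net": "127.0.0.2",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for zone, answer in check_ip("192.0.2.45", fake_resolver).items():
        print("listed in", zone, "->", answer)
```

The reversed-octet form matters: a lookup built from the address in its normal order silently queries a different name and always comes back clean. Note also that several of the zones on the page (the dsbl.org and njabl.org lists among them) have since shut down, so a live run should expect some names to simply not resolve.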

This is how the spam looks in your inbox.

Figure 5: Sample email 

On the External Network

In a demilitarized zone or on the external network, the spammer's control server has no problem initiating a connection to a proxy-based bot. In this case, the proxy bot typically registers itself with a control server, listens and waits for incoming traffic, then relays that traffic to its target.

As we mentioned earlier, by default Maazben is a proxy-based bot. Once it installs itself on the system, it then notifies its control server and listens on a rendezvous port waiting for spam traffic to relay to its target.

Figure 6: Maazben listening and waiting for incoming C&C relay connection.

The image in Figure 7 shows the control server sending a request in SOCKS 4 protocol format, asking the bot to relay a spam message to a mail server on port 25.

 

Figure 7: Control server sends an initiation packet using SOCKS 4.
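The exchange in Figures 6 and 7 is plain SOCKS 4: the control server connects to the bot's listening port and sends a CONNECT request (version byte 4, command 1, destination port and IPv4 address, then a NUL-terminated user id); the proxy answers with a reply whose version byte is 0 and whose result code is 90 for "granted". A workstation accepting an inbound SOCKS 4 CONNECT to TCP/25 is the detection opportunity. The example below is added here and is not code from the post or from M86: it parses both SOCKS 4 and SOCKS 4a requests (the latter carries a hostname after the user id, signalled by a 0.0.0.x destination), builds the reply so both sides of the exchange are shown, and flags the relay pattern the post describes. The packet bytes and addresses are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

CONNECT, BIND = 1, 2
REPLY_GRANTED, REPLY_REJECTED = 90, 91


@dataclass
class Socks4Request:
    command: int
    dst_port: int
    dst_ip: str
    user_id: str
    hostname: Optional[str]  # only set for SOCKS 4a requests


def parse_socks4_request(data: bytes) -> Socks4Request:
    """Parse a SOCKS 4 / 4a client request as seen in Figure 7."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS 4 request")
    command, port = struct.unpack(">BH", data[1:4])
    if command not in (CONNECT, BIND):
        raise ValueError("unknown SOCKS 4 command %d" % command)
    ip_bytes = data[4:8]
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID is not NUL-terminated")
    user_id = data[8:nul].decode("ascii", "replace")
    hostname = None
    # SOCKS 4a: destination 0.0.0.x (x != 0) means a hostname follows USERID.
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
        end = data.find(b"\x00", nul + 1)
        if end == -1:
            raise ValueError("SOCKS 4a hostname is not NUL-terminated")
        hostname = data[nul + 1:end].decode("ascii", "replace")
    return Socks4Request(command, port, str(ipaddress.IPv4Address(ip_bytes)),
                         user_id, hostname)


def socks4_reply(granted: bool, port: int = 0, ip: str = "0.0.0.0") -> bytes:
    """Build the proxy's 8-byte reply: VN=0, CD=90 (granted) or 91 (rejected)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack(">BBH4s", 0, code, port, ipaddress.IPv4Address(ip).packed)


def relay_alert(req: Socks4Request) -> Optional[str]:
    """Return an alert string for the Maazben relay pattern, else None."""
    if req.command == CONNECT and req.dst_port == 25:
        target = req.hostname or req.dst_ip
        return "SOCKS 4 CONNECT to %s:25 through an end-user host (spam relay pattern)" % target
    return None


# Constructed packets. The first mirrors Figure 7's shape: CONNECT to port 25
# (0x0019) at the documentation address 198.51.100.25, empty user id.
SAMPLE_CONNECT_25 = b"\x04\x01\x00\x19" + bytes([198, 51, 100, 25]) + b"\x00"
# A SOCKS 4a variant naming the mail server instead of giving its address.
SAMPLE_CONNECT_4A = b"\x04\x01\x00\x19\x00\x00\x00\x01bot\x00mail.example.org\x00"
# A CONNECT to port 80, which the relay rule should leave alone.
SAMPLE_CONNECT_80 = b"\x04\x01\x00\x50" + bytes([93, 184, 216, 34]) + b"\x00"

if __name__ == "__main__":
    for packet in (SAMPLE_CONNECT_25, SAMPLE_CONNECT_4A, SAMPLE_CONNECT_80):
        req = parse_socks4_request(packet)
        print(req, "->", relay_alert(req) or "no alert")
        print("reply:", socks4_reply(True).hex())
```

Because SOCKS 4 has no authentication beyond the free-form user id, the listening port itself is the only thing standing between the control server and a working relay, which is why an unexpected inbound listener on a workstation, paired with outbound TCP/25 from that host, is the combination worth alerting on.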

Maazben spam messages seem to be mostly Casino spam. The language varies, including English, Russian and other European languages. Here is one sample from our spamtraps:

Figure 8. Email sample sent by Maazben spam proxy

Proxy-based spambots are somewhat old-school, but for the spammers behind the Maazben botnet, running both engines is simply a way of getting the best of both worlds.


Last Reviewed: October 13, 2009 by Rodel Mendrez