Aliases
Comments
Xarvester began to massively increase its spam output soon after the McColo network shutdown in November 2008. It shares similarities with Srizbi, suggesting a link between them. Xarvester mainly concentrates on spam advertising replica watches and pharmaceutical products.
Features
- Encrypted C&C communication, HTTP over non-standard ports
- XOR-encrypted template files contain several files needed for spamming
- Spam run results sent back to control server
- Can upload Minidump crash file
Spamming Rate
- 25,000 msgs per hour per bot
Command and Control
On the samples that we have examined, the following domain names were queried to connect to its control server:
- bestsolutions2010.info
- def2010cnt.biz
It uses the following ports to connect to its command and control server:
Malware Behavior on Host
The bot first looks up the infected host's public IP address through the DynDNS service. Afterwards, it connects to its command and control server through port 12309 to retrieve encrypted spam templates and other files.
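The host behaviour above gives a defender three network-level indicators to correlate: DNS queries for the listed C&C domains, outbound connections to port 12309, and an SMTP send rate near the 25,000 messages per hour the page reports. The following script is an added example, not code from the original page or from any analysis tool it describes. It runs a simple correlation over constructed, Zeek-style log lines; the log format, the sample IP addresses and the per-minute SMTP threshold are assumptions chosen for the example.

```python
"""Added example: correlate Xarvester network indicators in constructed logs.

Indicators taken from the page: C&C domains bestsolutions2010.info and
def2010cnt.biz, C&C port 12309, spam rate of about 25,000 msgs/hour per bot.
The log line format, sample addresses and threshold are assumptions."""
from collections import defaultdict

CC_DOMAINS = {"bestsolutions2010.info", "def2010cnt.biz"}
CC_PORT = 12309
SMTP_PORT = 25
# 25,000 msgs/hour is roughly 417/min; the threshold is an assumption.
SMTP_PER_MINUTE_THRESHOLD = 400


def parse_line(line):
    """Parse one log line (assumed format) into a dict.

    '<epoch> dns <src_ip> <queried_name>'
    '<epoch> conn <src_ip> <dst_ip> <dst_port>'
    """
    parts = line.split()
    rec = {"ts": int(parts[0]), "kind": parts[1], "src": parts[2]}
    if rec["kind"] == "dns":
        rec["query"] = parts[3].lower().rstrip(".")
    elif rec["kind"] == "conn":
        rec["dst"] = parts[3]
        rec["dport"] = int(parts[4])
    else:
        raise ValueError("unknown record kind: " + parts[1])
    return rec


def analyze(lines):
    """Collect the three indicators per source host."""
    dns_hits = defaultdict(set)    # src -> C&C domains it queried
    port_hits = defaultdict(set)   # src -> destinations contacted on 12309
    smtp_minutes = defaultdict(lambda: defaultdict(int))  # src -> minute -> count
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["kind"] == "dns" and rec["query"] in CC_DOMAINS:
            dns_hits[rec["src"]].add(rec["query"])
        elif rec["kind"] == "conn":
            if rec["dport"] == CC_PORT:
                port_hits[rec["src"]].add(rec["dst"])
            elif rec["dport"] == SMTP_PORT:
                smtp_minutes[rec["src"]][rec["ts"] // 60] += 1
    # Peak SMTP connections in any single minute, kept only when above threshold.
    smtp_bursts = {}
    for src, per_minute in smtp_minutes.items():
        peak = max(per_minute.values())
        if peak > SMTP_PER_MINUTE_THRESHOLD:
            smtp_bursts[src] = peak
    return {"dns_cc": dict(dns_hits), "cc_port": dict(port_hits),
            "smtp_burst": smtp_bursts}


def suspect_hosts(report):
    """Hosts showing at least two independent indicators."""
    counts = defaultdict(int)
    for key in ("dns_cc", "cc_port", "smtp_burst"):
        for src in report[key]:
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= 2)


def build_sample_log():
    """Constructed sample: 10.0.0.5 behaves like the bot, 10.0.0.9 is a normal client."""
    lines = [
        "1700000000 dns 10.0.0.5 bestsolutions2010.info",
        "1700000001 conn 10.0.0.5 203.0.113.10 12309",
        "1700000002 dns 10.0.0.9 example.com",
        "1700000003 conn 10.0.0.9 198.51.100.20 443",
    ]
    # 450 SMTP connections from the bot inside one minute (base is minute-aligned).
    for i in range(450):
        lines.append(f"{1700000040 + i % 60} conn 10.0.0.5 198.51.100.{i % 200 + 1} 25")
    # A handful of legitimate SMTP connections from the normal host.
    for i in range(3):
        lines.append(f"{1700000040 + i} conn 10.0.0.9 198.51.100.30 25")
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print(report)
    print("suspect hosts:", suspect_hosts(report))
```

Requiring two independent indicators before naming a host keeps a single stray DNS lookup or one odd port from producing an alert on its own; the SMTP-rate check is the one most likely to survive a change of C&C domains or port, since the spam volume is the botnet's purpose.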
Here is the packet capture for when the bot initializes.

The bot then decrypts the spam template and proceeds with its spamming activity. Here is a sample packet stream of the SMTP transaction:
