RSS feed of TRACElabs Blog from M86 Security

Template Based Spam


May 28, 2009

We often talk about how a spam bot will download a ‘template’ from a control server and begin spamming, but what exactly do we mean by a template and what do these templates look like?

A template is a set of information that a spam bot can parse and use to generate the messages for a specific spam campaign. The template file itself describes how the body of the message will look, much as an HTML file describes how a web page will look. Along with the template file, the bot is also given other information to insert into the template each time a message is sent: lists of recipient addresses, sender addresses, sender names, subjects and URLs. The template file references these lists at the points where the bot is to insert an entry (often a random one) from the list. A template file can also tell the bot where to insert variables such as the local date, a random message ID or a multipart boundary marker. The server that the bot fetches the template and the additional files from is usually known as a control server.

Here is an example of a template file used by the Xarvester botnet. Before sending this template as a spam message, the bot searches for any commands between the characters { and } and replaces each one with its result.


The Xarvester bot substitutes a random multipart boundary that it generates itself for {teml:var boundary}. The command {file "body.html", quoted printable} tells the bot to insert the file body.html, which is downloaded from the control server along with the template, encoded as quoted-printable.

The body.html file contains further commands telling the bot to insert a random line from links.txt, a file (also downloaded from the control server) that contains one URL per line.
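As an added illustration (not code from the post, and not any bot's own code), here is a small Python re-implementation of the expansion step described above, built around the two Xarvester commands quoted on the page. The template, body.html and list files are constructed samples embedded in the script; the variable names rcpt, date and msgid and the {line "file"} command are assumed spellings, since the post describes those substitutions without quoting them.

```python
import email
import email.utils
import quopri
import random
import re

# Constructed stand-in for what a control server hands a template-based bot:
# the template plus the auxiliary files it references, embedded so this runs
# offline. {teml:var boundary} and {file "body.html", quoted printable} are the
# two commands quoted on the page; {teml:var rcpt|date|msgid} and {line "name"}
# are assumed spellings for the recipient, date, message-id and random-list-line
# substitutions the post describes without showing.
FILES = {
    "template.txt": (
        'From: {line "senders.txt"}\n'
        "To: {teml:var rcpt}\n"
        'Subject: {line "subjects.txt"}\n'
        "Date: {teml:var date}\n"
        "Message-ID: {teml:var msgid}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="{teml:var boundary}"\n'
        "\n"
        "--{teml:var boundary}\n"
        "Content-Type: text/html; charset=iso-8859-1\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
        '{file "body.html", quoted printable}\n'
        "--{teml:var boundary}--\n"
    ),
    # the accented character forces quoted-printable to actually encode something
    "body.html": '<html><body><p>Clíck <a href="{line "links.txt"}">here</a></p></body></html>\n',
    "links.txt": "http://example.com/a\nhttp://example.net/b\nhttp://example.org/c\n",
    "senders.txt": "alice@example.com\nbob@example.net\n",
    "subjects.txt": "Hello\nSpecial offer\n",
}

CMD = re.compile(r"\{([^{}]*)\}")  # a command is anything between { and }


class TemplateBot:
    """Expands one message from the template the way the post describes."""

    def __init__(self, files, rcpt, rng):
        self.files = files
        self.rng = rng
        # per-message variables; generated once so every {teml:var boundary}
        # in the message expands to the same marker
        self.vars = {"rcpt": rcpt}

    def var(self, name):
        if name not in self.vars:
            if name == "boundary":
                self.vars[name] = "----=_Part_%08x" % self.rng.getrandbits(32)
            elif name == "date":
                self.vars[name] = email.utils.formatdate(localtime=True)
            elif name == "msgid":  # assumed format for the random message id
                self.vars[name] = "<%032x@localhost>" % self.rng.getrandbits(128)
            else:
                raise ValueError("unknown variable: %s" % name)
        return self.vars[name]

    def command(self, cmd, depth):
        m = re.fullmatch(r"teml:var\s+(\w+)", cmd)
        if m:
            return self.var(m.group(1))
        m = re.fullmatch(r'line\s+"([^"]+)"', cmd)
        if m:  # random entry from a one-item-per-line list file
            entries = [e for e in self.files[m.group(1)].splitlines() if e.strip()]
            return self.rng.choice(entries)
        m = re.fullmatch(r'file\s+"([^"]+)"(?:\s*,\s*(.+))?', cmd)
        if m:  # the included file is itself a template, so expand before encoding
            text = self.expand(self.files[m.group(1)], depth + 1)
            if m.group(2) == "quoted printable":
                text = quopri.encodestring(text.encode("iso-8859-1")).decode("ascii")
            return text
        raise ValueError("unknown template command: {%s}" % cmd)

    def expand(self, text, depth=0):
        if depth > 8:  # a file that includes itself would otherwise recurse forever
            raise ValueError("template include nesting too deep")
        return CMD.sub(lambda m: self.command(m.group(1).strip(), depth), text)


def render(files, rcpt, seed=0):
    """Generate one message for rcpt; the seed fixes every random choice."""
    return TemplateBot(files, rcpt, random.Random(seed)).expand(files["template.txt"])


def spam_run(files, rcpts, seed=0):
    """One run: a message per recipient, each with its own random picks."""
    rng = random.Random(seed)
    return [TemplateBot(files, r, rng).expand(files["template.txt"]) for r in rcpts]


def decode_message(message):
    """Parse a generated message back and decode the quoted-printable part,
    which is what you would do to check what an intercepted template produces."""
    parsed = email.message_from_string(message)
    part = parsed.get_payload()[0]
    return {
        "to": parsed["To"],
        "subject": parsed["Subject"],
        "boundary": parsed.get_boundary(),
        "html": part.get_payload(decode=True).decode("iso-8859-1"),
    }


if __name__ == "__main__":
    print(render(FILES, "victim@example.invalid", seed=1))
```

Running the script prints one fully expanded message. The point worth noticing is the order of operations: body.html is expanded (the random link is chosen) before it is quoted-printable encoded, and the boundary is generated once per message so that the Content-Type header and both delimiter lines agree. decode_message reverses the encoding so the output can be compared against captured spam when writing signatures.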


Here are some portions of header templates used by various bots:

By Xarvester:

By Asprox:

By Pushdo:

Many botnets encrypt their templates so that they cannot easily be read. Here is what you would see if you intercepted the template sent to a Rustock bot.


And this is intended for a Pushdo bot:



Most of today's top spamming botnets, such as Rustock, Pushdo, MegaD, Xarvester and Grum, use template-based spam bots. This lets the spammers offload all of the message generation and bandwidth onto the bots. Often, once a bot has run out of recipient addresses, it uploads the results of the spam run to the control server before downloading a new template. This gives the spammers an idea of how many messages their botnet is sending and whether the messages were delivered to the recipients or rejected because the sender was blacklisted.


Last Reviewed: May 28, 2009 by Gavin Neale