RSS feed of TRACElabs Blog from M86 Security

A Little Spam With Your Bagle?


June 4, 2009

As we mentioned last week, nearly all of the major spam botnets these days are template-based. The bots contact a control server and download a spam message template along with lists of recipients, subjects and links. Entries from each of the lists are inserted into the template and the result is sent as a spam message.
Prior to template-based spam bots, spammers favored the use of bot-infected machines as proxies to hide the source of their spam. While spam from template-based bots dominates, spam originating from proxy-based bots is still very much alive. Today, Bagle bots are one of the biggest sources of proxy-based spam, accounting for an estimated five percent of all spam. This blog post will highlight some of the steps Bagle bots perform in order to send spam.

The label 'Bagle' has been around since early 2004, when it was applied to a mass-mailing worm that spread by attaching a copy of itself to emails and spamming them out. Since then Bagle has evolved. Because of the huge number of variants and related malware, we have decided to stick to the name Bagle, in line with the antivirus detections for the malware we are examining here.

Modern variants of Bagle act as a proxy server, waiting for incoming connections and forwarding the network traffic to its destination. Because the bots wait for an incoming connection from a control server rather than connecting out to a control server to receive instructions, bots behind firewalls and NAT devices cannot be reached by a control server and so cannot be used to relay spam.

The Bagle malware has a list of URLs hard-coded inside it that the bot attempts to communicate with. These domains all host a .php file, usually in the images directory. We believe many of these are legitimate domains that have been compromised and have had these files placed on them by the people behind Bagle.


Upon execution, Bagle looks for the file blst.php. It sends a request to each of the URLs that end in blst.php until one responds with a list of IP addresses.


This list of over 2000 IP addresses and ranges is used by the bot as a blacklist: the bot's proxy server will not accept connections from any IP address on it. In fact most of the entries are wildcard entries such as 10.*.*.* that cover a huge range of Internet addresses. Effectively, this prevents anyone from connecting to the bot's proxy except those deemed OK by Bagle's masters.
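To make the blacklist check concrete, here is an added example (not code from the post and not Bagle's own code) of a proxy-side matcher that applies a list of exact addresses and per-octet wildcard entries such as 10.*.*.* to the address of a connecting peer. The sample list is constructed; the post does not show how the real file spells ranges other than wildcards, so only the wildcard and exact-address forms are implemented.

```python
"""Added example, not from the original post or from Bagle: apply a
blst.php-style blacklist (exact IPv4 addresses plus per-octet '*'
wildcards such as 10.*.*.*) to the address of a peer using the proxy."""
import ipaddress

# Constructed sample in the style the post describes; not the real list.
SAMPLE_BLST = """\
10.*.*.*
192.168.*.*
172.16.*.*
203.0.113.7
198.51.100.*
"""

def parse_blacklist(text):
    """One entry per line -> 4-tuples of int (exact octet) or None ('*').
    Malformed entries raise ValueError instead of silently matching nothing."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(".")
        if len(parts) != 4:
            raise ValueError("bad entry: %r" % line)
        pattern = []
        for part in parts:
            if part == "*":
                pattern.append(None)
                continue
            octet = int(part)
            if not 0 <= octet <= 255:
                raise ValueError("bad octet in %r" % line)
            pattern.append(octet)
        entries.append(tuple(pattern))
    return entries

def is_blacklisted(peer_ip, entries):
    """True if every octet of peer_ip equals the entry's octet or the entry has '*'."""
    octets = ipaddress.IPv4Address(peer_ip).packed  # validates and yields 4 ints
    return any(all(p is None or p == o for p, o in zip(pat, octets))
               for pat in entries)

def should_accept(peer_ip, entries):
    """The bot's policy as the post describes it: refuse listed peers, accept the rest."""
    return not is_blacklisted(peer_ip, entries)

def entry_size(pattern):
    """Addresses one entry covers: 256 per wildcard octet, so 10.*.*.* alone
    blocks 2**24 addresses."""
    return 256 ** sum(1 for p in pattern if p is None)

if __name__ == "__main__":
    blacklist = parse_blacklist(SAMPLE_BLST)
    for ip in ("10.4.5.6", "8.8.8.8", "203.0.113.7", "203.0.113.8"):
        print(ip, "accepted" if should_accept(ip, blacklist) else "refused")
```

The same matcher is useful from the other side: run your own scanner or sensor address range through a recovered list to learn whether the operators have already fenced it out, which is what a list dominated by broad wildcards suggests they were trying to do.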

Bagle can also receive an updated version of itself from a control server with a request to the hld.php file. The server replies with a base64-encoded executable.


The few websites we have seen hosting this file are serving up older variants of Bagle that were well detected by anti-virus scanners. Two of the variants are:

MD5: 6a42005c523f22597b71d34700580286 VirusTotal

and

MD5: 64a61530d7ee5b9949ea2baee9e99f01 VirusTotal

In order for a control server to know that there is a Bagle-infected machine waiting to relay spam, the infected machine must contact the control server and tell it what port it is listening on. The Bagle network uses the script news.php on the compromised websites to forward this information to the control servers. The bot simply sends the request below to each of the URLs in its list ending in news.php.


Once a bot has ‘registered’ itself with the botnet, various control servers begin connecting and using the bot to relay spam. Each of the control servers we observed was sending a different type of spam.

A Bagle control server initiates a proxy connection by connecting to the listening port of the Bagle bot and sending the bytes 0x04 0x01 followed by the 16-bit port number and the 32-bit IP address of the remote machine the bot is to connect to, both in network byte order. This is the SOCKS4 CONNECT request format. The bot then creates a TCP connection to the given IP address and port. Once this connection is established, it sends a response to the control server containing the bytes 0x00 0x5a (the SOCKS4 'request granted' reply) followed by the port and IP address it has just connected to. The Bagle bot now proxies all traffic between the two connections.

In the sample below a control server is telling the bot to connect to a mail server on port 25 (0x0019 in the two port bytes). On our test network this is redirected to our honeypot machine.
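The handshake just described is the SOCKS4 CONNECT exchange. The following is an added example, not code from the post and not Bagle's own code, that builds and parses both messages and then runs the whole exchange on loopback: a stand-in mail server in the role of the honeypot, a stand-in bot that does the relaying, and a controller that drives it. The NUL-terminated user-ID field at the end of the request is part of SOCKS4 but is not mentioned in the post, so its presence in Bagle's traffic is an assumption; the banner text, port numbers and EHLO command are constructed.

```python
"""Added example, not from the post or from Bagle: the SOCKS4-style CONNECT
handshake the post describes, run end to end on loopback. Assumption: the
request ends with SOCKS4's NUL-terminated user ID, which the post omits."""
import ipaddress
import socket
import struct
import threading

SOCKS_VERSION, CMD_CONNECT = 4, 1
REPLY_GRANTED, REPLY_REJECTED = 0x5A, 0x5B  # SOCKS4 reply codes

def build_connect_request(dest_ip, dest_port, userid=b""):
    """Controller -> bot: 04 01 | port (16 bit, big-endian) | IPv4 | userid 00"""
    packed = ipaddress.IPv4Address(dest_ip).packed
    return struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dest_port, packed) + userid + b"\x00"

def parse_connect_request(data):
    """Bot side. Returns (dest_ip, dest_port, userid); rejects anything else."""
    if len(data) < 9:
        raise ValueError("short request")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT")
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("user id not NUL-terminated")
    return str(ipaddress.IPv4Address(ip)), port, data[8:nul]

def build_reply(granted, dest_ip, dest_port):
    """Bot -> controller: 00 5a | port | IPv4 once connected (00 5b on failure)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, dest_port, ipaddress.IPv4Address(dest_ip).packed)

def parse_reply(data):
    """Controller side. Returns (granted, dest_ip, dest_port); the VN byte is 0."""
    _vn, code, port, ip = struct.unpack("!BBH4s", data[:8])
    return code == REPLY_GRANTED, str(ipaddress.IPv4Address(ip)), port

def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def bot_serve_one(listener):
    """Stand-in bot: accept one controller, honour its CONNECT, then relay."""
    ctrl, _ = listener.accept()
    ctrl.settimeout(5)
    req = b""
    while len(req) < 9 or b"\x00" not in req[8:]:  # request may arrive in pieces
        chunk = ctrl.recv(512)
        if not chunk:
            return ctrl.close()
        req += chunk
    ip, port, _userid = parse_connect_request(req)
    try:
        upstream = socket.create_connection((ip, port), timeout=5)
    except OSError:
        ctrl.sendall(build_reply(False, ip, port))  # 00 5b: could not connect
        return ctrl.close()
    ctrl.sendall(build_reply(True, ip, port))
    back = threading.Thread(target=_pump, args=(upstream, ctrl), daemon=True)
    back.start()
    _pump(ctrl, upstream)
    back.join(5)
    ctrl.close()
    upstream.close()

def mail_server_serve_one(listener):
    """Stand-in for the honeypot mail server: greet, answer one command."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    conn.sendall(b"220 honeypot ESMTP\r\n")  # constructed banner
    cmd = conn.recv(512)
    conn.sendall(b"250 " + cmd.strip() + b"\r\n")  # echo it back through the relay
    conn.close()

def relay_demo():
    """Controller -> bot -> mail server on 127.0.0.1; return what came back."""
    mail, bot = socket.socket(), socket.socket()
    for s in (mail, bot):
        s.bind(("127.0.0.1", 0))
        s.listen(1)
    threading.Thread(target=mail_server_serve_one, args=(mail,), daemon=True).start()
    threading.Thread(target=bot_serve_one, args=(bot,), daemon=True).start()
    ctrl = socket.create_connection(bot.getsockname(), timeout=5)
    ctrl.sendall(build_connect_request("127.0.0.1", mail.getsockname()[1]))
    stream = ctrl.makefile("rb")
    if not parse_reply(stream.read(8))[0]:
        raise RuntimeError("bot could not reach the destination")
    greeting = stream.readline()
    ctrl.sendall(b"EHLO relay-test\r\n")
    answer = stream.readline()
    for s in (ctrl, mail, bot):
        s.close()
    return greeting, answer
```

Calling relay_demo() returns the banner and the echoed reply exactly as the controller received them through the bot. For port 25 the request starts 04 01 00 19 followed by the four address bytes, which is the 0x0019 visible in the capture above; on a network sensor, that prefix on an inbound connection to an unusual high port, immediately followed by the same host opening an outbound port-25 connection, is the pattern to look for.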


We have also seen control servers attempting to connect to web mail services such as Hotmail via a Bagle bot. It is possible that the criminals behind Bagle hide all types of dubious Internet activity, not just spam, behind their network of proxies.

So how big is the Bagle botnet? It is hard to tell from the amount of spam sent, because spam is only relayed by those bots that can be contacted from the Internet. One insight we have is a file created by the news.php script that logs the IP address and listening port of each bot. We have discovered several of these files, the largest of which contains over 3 million unique IP and port pairs. However, this is not a good measure of the current size of the botnet. The largest of these files is ~310MB but is growing by only about 0.5MB a day (around 4000 unique IP and port pairs), suggesting the file is old and that the older data may no longer be valid. On the other hand, some of the smaller files we discovered, which are being regularly deleted and re-created, contain only the latest 10,000 or so IP and port pairs.


Interestingly, there are fewer than 40 ports on which different Bagle bots are listening. Here is a list of these ports and their frequencies, taken from the unique IP/port pairs in the 310MB file.
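As an added example (not from the post) of the sizing arithmetic in the two paragraphs above: given two snapshots of a news.php-style registration log, count the unique IP/port pairs and distinct IPs, rank the listening ports by frequency, and measure growth as the pairs present only in the newer snapshot. The one-per-line ip:port layout and both snapshots are constructed; the post does not show the real file format.

```python
"""Added example, not from the post: size a proxy botnet from news.php-style
registration logs. The 'ip:port' per-line layout and both snapshots are
constructed; the real log format is not shown in the post."""
import ipaddress
from collections import Counter

# Constructed day-1 snapshot; duplicate lines stand for repeat registrations.
SNAPSHOT_DAY1 = """\
203.0.113.5:9125
203.0.113.5:9125
198.51.100.77:11001
192.0.2.44:9125
192.0.2.44:9125
"""
# Constructed day-2 snapshot: the same file with a day of registrations appended.
SNAPSHOT_DAY2 = SNAPSHOT_DAY1 + """\
203.0.113.9:11001
192.0.2.44:9125
198.51.100.12:9125
"""

def parse_pairs(text):
    """Return the set of unique (ip, port) pairs. Junk lines raise ValueError
    so a corrupted log is noticed rather than miscounted."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ip, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError("no port in %r" % line)
        ipaddress.IPv4Address(ip)  # validates the address part
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError("bad port in %r" % line)
        pairs.add((ip, port))
    return pairs

def port_frequency(pairs):
    """Listening ports ranked by how many bots use them."""
    return Counter(port for _, port in pairs).most_common()

def new_registrations(older, newer):
    """Pairs present in the newer snapshot but not the older one: the daily
    growth the post used to judge how stale the big file is."""
    return newer - older

def summarize(text):
    pairs = parse_pairs(text)
    return {
        "unique_pairs": len(pairs),
        "unique_ips": len({ip for ip, _ in pairs}),
        "ports": port_frequency(pairs),
    }

if __name__ == "__main__":
    day1, day2 = parse_pairs(SNAPSHOT_DAY1), parse_pairs(SNAPSHOT_DAY2)
    print(summarize(SNAPSHOT_DAY2))
    print("new pairs since day 1:", len(new_registrations(day1, day2)))
```

Counting unique pairs rather than lines matters because a bot re-registers every time it starts, and a churning dynamic-IP population inflates the pair count without adding machines, which is one reason the 3 million figure above overstates the live botnet.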

In summary, then, what do we learn from this analysis? Proxy-based bots are very much still alive, although they have been overshadowed by their high-volume, template-based cousins. And Bagle is most certainly an active part of that scene, running a sophisticated and substantial network of proxy bots.


Last Reviewed: June 5, 2009 by Gavin Neale