M86 Security Labs

Xarvester


March 11, 2009

Aliases

  • Rlsloup
  • Pixoliz

Comments

Xarvester began to massively increase its spam output soon after the McColo network shutdown in November 2008. It shares similarities with Srizbi, suggesting a link between them. Xarvester mainly concentrates on spam advertising replica watches and pharmaceutical products.

Features

  • Encrypted C&C communication, HTTP over non-standard ports
  • Encrypted template files contain several files needed for spamming
  • Bots don't need to do their own DNS MX lookups to send spam
  • Spam run results sent back to control server
  • Can upload Minidump crash file

Spamming Rate

  • 25,000 msgs per hour per bot

Command and Control

On the samples that we have examined, the following domain names were queried to connect to its control server:

  • salenthills.net
  • sangftonline.com
  • samsntafox.com
  • stepling.net
  • softoneveryday.com
  • pinokioisback.cn
  • ketiseyat.cn

It uses the following ports depending on the variant:

  • 9991 (UDP)
  • 8081 (TCP, using the HTTP protocol)
  • 7712 (TCP, using the HTTP protocol)

When connecting to its control server, it sends and receives encrypted data. An HTTP request was observed:

POST /bn/comgate.xhtml?name=78 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Host: <random URL>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 2.0.50727)

If the connection succeeds, the control server replies with an encrypted spamming template; otherwise it replies with the text:

"Nothing to see here".
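As an added example (not part of the M86 profile), the following Python detector flags the C&C pattern described above in outbound proxy logs: a POST to /bn/comgate.xhtml?name=<n> on the non-standard ports 8081 or 7712, or any request to one of the listed domains. The log format and the sample lines are constructed for this example.

```python
import re

# Indicators from the profile above: C&C domains, non-standard HTTP ports, request path.
XARVESTER_DOMAINS = {
    "salenthills.net", "sangftonline.com", "samsntafox.com", "stepling.net",
    "softoneveryday.com", "pinokioisback.cn", "ketiseyat.cn",
}
XARVESTER_HTTP_PORTS = {8081, 7712}
COMGATE_PATH = re.compile(r"^/bn/comgate\.xhtml\?name=\d+$")

# Hypothetical proxy-log format, constructed for this example:
#   <src-ip> <dst-host> <dst-port> <method> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<host>\S+) (?P<port>\d+) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the Xarvester indicators matched by a single log line (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []                      # unparseable line: neither flagged nor an error
    hits = []
    if m["host"].lower() in XARVESTER_DOMAINS:
        hits.append("known-cnc-domain")
    if m["method"] == "POST" and COMGATE_PATH.match(m["path"]):
        hits.append("comgate-uri")     # the POST /bn/comgate.xhtml?name=<n> pattern
        if int(m["port"]) in XARVESTER_HTTP_PORTS:
            hits.append("nonstandard-http-port")
    return hits

def scan(lines):
    """Return [(src-ip, indicators)] for every line that matched at least one indicator."""
    flagged = []
    for line in lines:
        hits = classify(line)
        if hits:
            flagged.append((line.split()[0], hits))
    return flagged

# Constructed sample log: one hit on a listed domain, one benign request, and one hit
# on the C&C URI over port 7712 where the Host was an IP rather than a listed name.
SAMPLE_LOG = [
    '10.0.0.5 salenthills.net 8081 POST /bn/comgate.xhtml?name=78 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 2.0.50727)"',
    '10.0.0.7 www.example.com 80 GET /index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0"',
    '10.0.0.9 203.0.113.10 7712 POST /bn/comgate.xhtml?name=12 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 2.0.50727)"',
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG):
        print(src, ",".join(hits))
```

The User-Agent string alone is a stock IE6 value and is deliberately not used as an indicator; the URI path combined with the non-standard port, or a listed domain, carries the signal.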

Malware Behavior on Host

Xarvester may arrive as a .DLL (dynamic-link library) or as a Win32 executable (.EXE) file. Running the .EXE injects a .DLL component into explorer.exe; this .DLL component acts as the spamming engine. Depending on the variant, Xarvester drops the following files:

  • C:\1041.nls - copy of itself
  • %windir%\<8 random characters>.exe - component that uploads a crashdump to the control server
  • %systemdir%\drivers\eth<5 random characters>.sys - kernel-mode rootkit driver (depending on the variant)
  • %systemdir%\drivers\ndis.sys - kernel-mode rootkit driver (depending on the variant)

Xarvester modifies the Registry in a number of ways.

To register itself as a service:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntldr.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<rootkit driver filename> (note: this registry modification may depend on the variant)

Infection marker (may be any of the following, depending on the variant):

  • HKEY_CURRENT_USER\Software\AdWare
    • cmpgid = <ID in hex format>
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
    • installation_id = <ID in hex format>

To prevent Windows Firewall from blocking its traffic, it adds explorer.exe (the process hosting the injected spamming .DLL) to the authorized applications list:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • C:\WINDOWS\explorer.exe = "C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

Last Reviewed: April 20, 2009 by Rodel Mendrez