Mail Bomber – it does more than you thought
After spending some time on analysing the mail bomber tool downloaded from spamfordz [dot] com, here is some interesting information noticed.
Fig.1 Files contained in the tool package
To get this work, one needs to upload the files (as shown in Fig. 1 above) to a web server and open index.html file, which opens the mail bomber sform as shown below.
Fig. 2 Mail Bomber form
As the form shows, one just needs to follow the easy steps like entering the victim’s email address, From name, etc, and hit ‘Do It!’ button, the job is done.
Is that simple? Before answering the question, let’s take a look at what it actually does behind the ‘Do It!’ button. After hitting the ‘Do It!’ button, it actually opens file bmb.php, which is contained in the mail bomber package, as shown in Fig.1. What does it contain in the file? After opening it with notepad, we see that there are some base-64 encoded strings, as shown in Fig. 3.
Fig. 3 Base-64 encoded characters
When the file gets executed, it first decodes the base-64 encoded string in the highlighted box-2 on Fig. 3. The decoded scripts are shown in Fig. 4 below.
Fig.4 Base-64 encoded string got decoded
It is interesting to note that the decoded scripts in Fig. 4 contain function base64_decode(), and some other string manipulation operations which then decode the base-64 encoded string in the highlighted box-2 in Fig.3 above. After decoding, it clearly shows what it does, as shown in Fig. 5 below
First, it collects the server information, and iterates through the file names from the directory where the mail bomber index.html file sits and send those information to the hard coded email address, which is servicemhz[at]gmail.com as shown in the highlighted box-1 in the figure.
Secondly, it sends mails to the specified victim’s email address, as shown in the highlighted box-2 above. In this example, it will keep sending 5000 mails to bomb the victim’s mail box
Now we know what it does. When the spammer downloads the free mail bomber tool and uses it to bomb the victim’s mail box, he might not realize that he also becomes a victim by sending his server and files information sitting on the server to the hard coded email address which probably belongs to the mail bomber tool provider. As all the scripts are base-64 encoded, so it is hard to understand what it does without decoding it.