Mail Bomber – it does more than you thought
After spending some time on analysing the mail bomber tool downloaded from spamfordz [dot] com, here is some interesting information noticed.
Fig.1 Files contained in the tool package
To get this work, one needs to upload the files (as shown in Fig. 1 above) to a web server and open index.html file, which opens the mail bomber sform as shown below.
Fig. 2 Mail Bomber form
As the form shows, one just needs to follow the easy steps like entering the victim’s email address, From name, etc, and hit ‘Do It!’ button, the job is done.
Is that simple? Before answering the question, let’s take a look at what it actually does behind the ‘Do It!’ button. After hitting the ‘Do It!’ button, it actually opens file bmb.php, which is contained in the mail bomber package, as shown in Fig.1. What does it contain in the file? After opening it with notepad, we see that there are some base-64 encoded strings, as shown in Fig. 3.
Fig. 3 Base-64 encoded characters
When the file gets executed, it first decodes the base-64 encoded string in the highlighted box-2 on Fig. 3. The decoded scripts are shown in Fig. 4 below.
Fig.4 Base-64 encoded string got decoded
It is interesting to note that the decoded scripts in Fig. 4 contain function base64_decode(), and some other string manipulation operations which then decode the base-64 encoded string in the highlighted box-2 in Fig.3 above. After decoding, it clearly shows what it does, as shown in Fig. 5 below
First, it collects the server information, and iterates through the file names from the directory where the mail bomber index.html file sits and send those information to the hard coded email address, which is servicemhz[at]gmail.com as shown in the highlighted box-1 in the figure.
Secondly, it sends mails to the specified victim’s email address, as shown in the highlighted box-2 above. In this example, it will keep sending 5000 mails to bomb the victim’s mail box
Now we know what it does. When the spammer downloads the free mail bomber tool and uses it to bomb the victim’s mail box, he might not realize that he also becomes a victim by sending his server and files information sitting on the server to the hard coded email address which probably belongs to the mail bomber tool provider. As all the scripts are base-64 encoded, so it is hard to understand what it does without decoding it.
About Symantec Intelligence
The Symantec Intelligence Blog published by Symantec.cloud serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day. Filter by:
Recently on Twitter
- symanteccloud: Looking for a silver lining in the cloud? Look no further than #Symantec?s cloud solution http://t.co/r3tnommlNA #webcast11 Jun 2013
- symanteccloud: @dsfeiken We'll have more info to share soon but if you can DM with any specific requests, we'll do what we can to assist you07 Jun 2013
- symanteccloud: Don?t let your judgment be clouded. Join our #webcast & learn how #Symantec can help you benefit from the cloud http://t.co/r3tnommlNA07 Jun 2013
- symanteccloud: @dsfeiken @SYMCPartners Hi Dennis, here is a starting point for info on Backup Exec.cloud http://t.co/FBygw8SNxy05 Jun 2013
- symanteccloud: RT @SymantecSMB: Proper security adds value to your e-commerce site. What your small biz can do to build online trust: http://t.co/8e5P2m1P?05 Jun 2013
Comments 1 Comment • Jump to latest comment
hello daniellizzy433@yahoo.co.uk is my id
Would you like to reply?
Login or Register to post your comment.