Video Screencast Help
Symantec Intelligence

Mail Bomber – it does more than you thought

Created: 15 Oct 2009 • 1 comment
Daren Lewis's picture
0 0 Votes
Login to vote

After spending some time on analysing the mail bomber tool downloaded from spamfordz [dot] com, here is some interesting information noticed.

 20091005_01.gif

Fig.1 Files contained in the tool package

To get this work, one needs to upload the files (as shown in Fig. 1 above) to a web server and open index.html file, which opens the mail bomber sform as shown below.

 20091005_02.gif

Fig. 2 Mail Bomber form

As the form shows, one just needs to follow the easy steps like entering the victim’s email address, From name, etc, and hit ‘Do It!’ button, the job is done.

Is that simple? Before answering the question, let’s take a look at what it actually does behind the ‘Do It!’ button. After hitting the ‘Do It!’ button, it actually opens file bmb.php, which is contained in the mail bomber package, as shown in Fig.1.  What does it contain in the file? After opening it with notepad, we see that there are some base-64 encoded strings, as shown in Fig. 3.

20091005_03.gif 
Fig. 3 Base-64 encoded characters

When the file gets executed, it first decodes the base-64 encoded string in the highlighted box-2 on Fig. 3. The decoded scripts are shown in Fig. 4 below.

 20091005_04.gif

Fig.4 Base-64 encoded string got decoded

It is interesting to note that the decoded scripts in Fig. 4 contain function base64_decode(), and some other string manipulation operations which then decode the base-64 encoded string in the highlighted box-2 in Fig.3 above. After decoding, it clearly shows what it does, as shown in Fig. 5 below

First, it collects the server information, and iterates through the file names from the directory where the mail bomber index.html file sits and send those information to the hard coded email address, which is servicemhz[at]gmail.com  as shown in the highlighted box-1 in  the figure.

20091005_05.gif 

Secondly, it sends mails to the specified victim’s email address, as shown in the highlighted box-2 above. In this example, it will keep sending 5000 mails to bomb the victim’s mail box 

Now we know what it does. When the spammer downloads the free mail bomber tool and uses it to bomb the victim’s mail box, he might not realize that he also becomes a victim by sending his server and files information sitting on the server to the hard coded email address which probably belongs to the mail bomber tool provider. As all the scripts are base-64 encoded, so it is hard to understand what it does without decoding it.
 

Comments 1 CommentJump to latest comment

lizzydan's picture

hello   daniellizzy433@yahoo.co.uk  is my id

+1
Login to vote