Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Xrumer: The Spammer’s Toolkit

Created: 29 Oct 2009 17:51:49 GMT • Updated: 23 Jan 2014 18:31:41 GMT
Patrick Fitzgerald's picture
+1 1 Vote
Login to vote

While looking through some recent customer submissions a particular filename caught my attention. It was called “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign up for this application are now seeking invites to the service. Certain bad guys have latched onto this and are attempting to take advantage of the situation to push malware. In this case the malware in question is Backdoor.Tidserv. It’s also worth pointing out Google Wave was only selected because of its current popularity. Using a trusted brand like this also increases the chance of success for the attacker. This technique is something we see all of the time.

This particular campaign tries to trick people who want to get into the Google Wave community by promising not only an application that generates Google Wave invites, but also untold riches by selling these invites to other people who want to ride the Google Wave. This is typical of this type of marketing campaign—promise the world but give nothing! (Just to be clear, the invite generator does not work!) 

Yet another campaign that is peddling malware to unsuspecting victims. What is interesting about this particular campaign is that it accidentally gave valuable insight into how the bad guys are making these campaigns successful.  

Getting the word out there

The first thing the bad guys need to do is to draw attention to their latest scam. In this case they automatically posted entries like the following on forums across the Web:

Screen shot 2009-10-29 at 5.07.48 PM_sml.png
 

Figure 1. Example of a spam message on a forum

The topic on the forum where this appeared had absolutely nothing to do with Google Wave invites! This message has a nice personal and friendly tone throughout. The item in the code box shows fake Virustotal results, claiming that googlewaveinvitegenerator.exe is in fact clean, which of course it isn’t. As mentioned earlier this file is actually Backdoor.Tidserv.

The hard sell

Once the bad guys have the word out the next stage is to get the victims to install their malware. This screenshot shows the sales pitch used this time round:

Screen shot 2009-10-29 at 5.08.00 PM.png
 

 

Screen shot 2009-10-29 at 5.08.19 PM.png 

Figure 2a – The sales pitch

Screen shot 2009-10-29 at 5.08.34 PM.png

Figure 2b – The Twitter page pushing this malware

The promise of a Google Wave invite, and extra cash by selling more, is the lure to try and trick users into running the software. Figure 2b also shows a Twitter microblog used to push their malicious code.

Download the malware

Once a user falls foul of the scam and follows the link they’ll see the following page, from which they can download the invite generator:

Screen shot 2009-10-29 at 5.08.52 PM.png 

Figure 3 – Download page for the malware

The googlewaveinvitegenerator.exe is available for download, but the other files are more interesting. It looks like the people behind this made a mistake and gave away more information than they probably intended. The extra files are what give us the insight into this latest scam. The files contain:

1. googlewave.txt – This file contains three URLs. One link to the download page, one link to the page seen in Figure 2a above, and one link to a Twitter account shown in Figure 2b.

Screen shot 2009-10-29 at 5.09.04 PM.png

Figure 4 – Configuration URLs for xRumer

2. googlewaveinvitegenerator.exe – This is the malicious payload Backdoor.Tidserv

3. gwavegendogma.txt – This is the text that will be used in the spam campaign. This is created using a format called Spintax. Spintax provides an easy way to change the content of posts to avoid easy detection. For example, the Spintax ‘{Hello|Hi}‘ will evaluate to either: ‘Hi’ or ‘Hello’. The following shows the Spintax used in this campaign:
 
Screen shot 2009-10-29 at 5.09.22 PM.png

Figure 5 - Spintax

4. gwavegendogmakeys.txt – Contains a wordlist which helps in targeting the spam campaign.

5. Xrumer Guide.pdf – This turned out to be a user manual for Xrumer. Xrumer is a tool that is used to automatically create different types of content in spam campaigns. It's clear this tool is at the heart of this particular campaign. This guide provides an excellent insight to how the bad guys conduct these campaigns.


Xrumer – The Swiss Army spam kit

Screen shot 2009-10-29 at 5.09.55 PM.png

Figure 6 – Cover page of the Xrumer Guide

This introduction gives an idea of what Xrumer is capable of. The author has no illusions as to what this is capable of with a call to arms: “Now let’s go spam the crap out of the Internet!” The guide gives you instructions on how to approach spamming campaigns and how to increase your ranking in search engines using SEO techniques. For example, the following excerpt gives advice on how to generate keyword lists:

Screen shot 2009-10-29 at 5.10.11 PM.png

Figure 7 – How to generate keyword lists

The guide also gives advice on how to avoid detection by using an anonymous VPN. An interesting point here is the author is using an affiliate program. If anyone signs up to this VPN service using the link provided, then the author gets paid!

Screen shot 2009-10-29 at 5.10.49 PM.png

Figure 8 – Anonymous VPN advice

An excerpt showing Spintax from the guide:
 
Screen shot 2009-10-29 at 5.11.00 PM.png

Figure 9 – Spintax

Once everything is set up, you just click go and Xrumer does the rest:
 
Screen shot 2009-10-29 at 5.11.14 PM.png

Figure 10 – Xrumer in action

If you get this far, the author wraps it up by welcoming you into the spammers' club—a dubious accolade!
 
Screen shot 2009-10-29 at 5.11.25 PM.png

Figure 11- Author’s welcome to Club Spam.

And if that’s not enough then Xrumer also has the capability to automatically decipher CAPTCHAs:
 
Screen shot 2009-10-29 at 5.11.44 PM.png

Figure 12 – Additional information on using the framework to decode CAPTCHAs

This threat was analyzed on a machine using NIS 2010 and when executed it was picked up by SONAR, which flagged the suspicious behavior:
 
Screen shot 2009-10-29 at 5.11.59 PM.png

Figure 13 – NIS 2010 to the rescue

For those that are curious when this program is executed this is what it looks like:
 
Screen shot 2009-10-29 at 5.12.21 PM.png

Figure 14 – The GUI of the malware. This drops Backdoor.Tidserv to the victim’s machine.

One last piece of info was given away in the document. The author is appealing to the reader’s good nature and has asked for PayPal donations using a free webmail address: p<removed>n42@yahoo.co.uk

Symantec customers are protected against this attack as long as they have their antivirus definitions up to date. This time Google Wave was used as the initial infection vector, but this is an arbitrary choice made by the spammer. Xrumer makes it very easy to select any hot topic that’s available at that time. Being slightly cynical can be an asset when browsing the Web because as this scam illustrates, if something appears too good to be true then it usually is.