Security Response

Zunker is not alone

Created: 17 Jul 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:47:56 GMT
Orlando Padilla

Earlier this year, I saw some screenshots of the Zunker bot and its controlling interface. I became curious about the existence of other similar interfaces and began paying a bit more attention to the spam coming into my inbox on a personal account. After a few weeks of wandering through IP blocks referenced by the spam, I ran across an open directory containing a few screen shots of what looked like another interface actively spamming multiple products.

The following screen shot shows a statistics screen for a botnet they are currently using. Similar to the Zunker interface, this interface also has the ability to group by country. It looks like the feature is broken, though, as you can only see one bot, which is originating from Poland. Given that, it is tempting to presume the owner is Polish; however, the interface's text is entirely in English and the screen shot was found on a Russian server. It could, however, mean that the person leasing this interface is controlling it from a machine in Poland, but this is just an assumption.

orlando_pic4_sm.JPG

Efficient Spamming?
The following screen shot displays the different types of configurations currently active on this interface. It clearly shows how the spam “instances” are managed. As the picture indicates, they are actively spamming pharmaceuticals, watches, and OEM in parallel. It's amusing how they try to capitalize on their investment.

orlando_pic2_sm.JPG

Creating a spam instance
The following screenshot indicates how they configure their spam instances. (If only they had a larger resolution!) In short, the options found on the picture indicate the following:

• license.server, port and key are issued to the person leasing the framework;
• log_file and the subsequent five lines are debugging options;
• mysql.* is obviously the SQL server they use;
• listen.ip and port are where data gets pushed from the license server regarding their statistics; and,
• access.list is presumably a list of IP addresses that are allowed to connect to the Web interface.

Options found in File 2 look incomplete, but presumably feed options to the utility used to create the email they will ultimately spam. There is not enough information on the other two boxes to deduce any meaningful information.

orlanda_pic1_sm.JPG

So, do we currently underestimate the development efforts put forth by malware authors? I'd say so; it takes quite a bit of time to develop a framework from scratch for this specific purpose, and the funding has to be coming from somewhere.

The number of active bots is relatively low, but a total of a quarter million inactive bots is still a worrisome number of compromised machines. I find this type of information fascinating and hope to find more to keep posting cool images of the control interfaces malware authors use for their large-scale networks.