As you may or may not know, the popular SPAM bots work off something called a "template". These templates contain tokens for the system-resident malware to replace with a word list that is periodically fetched from an external server. In the past we've seen some bots that clearly separate the template update mechanism from the c&c communication (like Pushdo/Cutwail) and some that combine it more into one blurry malware package (like Rustock or Grum).
Well, today I had an interesting piece of mail come through my SPAM trap which showed the template being used by the SPAM bot very clearly. There was obviously a bug in the bot such that it didn't replace the strings in the template with the actual word list. Below is the message as it actually appeared in my mailbox. If you weren't familiar with how these sorts of bots work, it very clearly illustrates how SPAM actually gets generated under the hood:
From: Larry Hill [mailto:AnthonybowfinCarter@enoughfanzine.com]
Sent: Tue 6/30/2009 10:00 AM
To: (me)
Subject: %SI_subj
What if you could %SI2_rnd10 your desire and %SI2_rnd11 by just %SI2_rnd12 %SI2_rnd13 step?
What if this step was %SI2_rnd14, %SI2_rnd15 and side-effect-free?
There is %SI2_rnd16 solution!
%SI2_rnd17 %SI2_rnd18 use %SI2_rnd20 to give their %SI2_rnd20 %SI2_rnd21 night fire!
If there are no %SI2_rnd22, why refusing to take one pilule before %SI2_rnd23?
%SI2_rnd24 of men did it - You can do it too!
Billy Mays would never have stood for this poor showing of salesmanship.
Alex Lanstein @ FireEye Malware Intelligence Lab
Question/Comments : research {at} fireeye [.] com
Twitter
Facebook
Live Chat
ahahaha, that's awesome.
Posted by: joe blow | 2009.07.01 at 04:30 AM