Bot-watching

As we wrote yesterday, the Kido botnet has installed another well-known worm – Iksmas, aka Waledac – on infected computers.

Iksmas was downloaded from the server goodnewsdigital.com, a resource that researchers have known about for some time and which is currently one of the main sources used to distribute Iksmas.

The variant that was downloaded by Kido was detected proactively by Kaspersky Anti-Virus as HEUR:Worm.Win32.Generic using heuristic technology. The new version of Kido (Worm.Win32.Kido.js) was also detected by the same heuristics and with the same verdict.

We decided to keep tabs on the botnet to see what the spambot worm Iksmas would do once it was installed on infected computers. Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. All the spam messages sent by the botnet last night were advertising pharmaceuticals. Here are a few sample messages:

Subject: A unique opportunity to live healthier life!
Hot News for You http://ie.hipraputt.com/

Subject: Add power to your man’s hammer
We supply porno studios since 1972. Try blue-pills and stay up with your girls!
http://bv.relaxkind.com/

Subject: Hot life – our help here. Ensure your potence today!
Solution to low-sized perks http://bj.jilfawris.com/

Subject: Perfect solutions to have it hard as stone!
Your one and only online Chemist. http://zer.jilfawris.com/

Subject: She will dream of you days and nights!
Love her everywhere. http://lrmt.jilfawris.com/

In just 12 hours, one bot alone sent out 42 298 spam messages.

As you will have noticed, the messages contain domain links. Virtually every email contained a unique domain. This was obviously done to prevent anti-spam filters from detecting the mass mailings using methods that analyze the frequency with which a specific domain is used.

We detected the use of 40 542 third-level domains and 33 second-level domains. They all belonged to spammers and the companies that ordered these mailings.
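The evasion described above, a fresh third-level domain in almost every message so that no single hostname is frequent enough to trip a frequency filter, is itself a signal once the counting is done at the registered (second-level) domain instead of the full hostname. The following is an added example written for this page, not code from the original post or from Kaspersky: it runs over the five messages quoted above plus one constructed duplicate, extracts the hostnames, and flags registered domains whose subdomains are never reused. The names `SAMPLE_MESSAGES`, `domain_stats`, `churn_suspects` and the two-label rule in `registered_domain` are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the five messages quoted in the post, plus one constructed
# repeat of the first hostname so that a non-churning domain is also present.
SAMPLE_MESSAGES = [
    "Hot News for You http://ie.hipraputt.com/",
    "We supply porno studios since 1972. Try blue-pills and stay up with your girls!\n"
    "http://bv.relaxkind.com/",
    "Solution to low-sized perks http://bj.jilfawris.com/",
    "Your one and only online Chemist. http://zer.jilfawris.com/",
    "Love her everywhere. http://lrmt.jilfawris.com/",
    "Hot News for You http://ie.hipraputt.com/",  # constructed duplicate host
]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hosts(message):
    """Return every hostname found in an http(s) URL in the message body."""
    return [h.lower().rstrip(".") for h in URL_RE.findall(message)]


def registered_domain(host):
    """Collapse a hostname to its registered (second-level) domain.

    Assumption: every domain in the post's list is a plain two-label
    registrable domain (example.com, example.at).  A production filter would
    consult the Public Suffix List so that co.uk-style suffixes are handled.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def domain_stats(messages):
    """Per registered domain: (number of messages, number of distinct hosts)."""
    msg_count = Counter()
    hosts_by_domain = defaultdict(set)
    for msg in messages:
        for host in extract_hosts(msg):
            domain = registered_domain(host)
            msg_count[domain] += 1
            hosts_by_domain[domain].add(host)
    return {d: (msg_count[d], len(hosts_by_domain[d])) for d in msg_count}


def churn_suspects(messages, min_messages=2, min_unique_ratio=1.0):
    """Registered domains whose hostnames are (almost) never reused.

    ratio = distinct hosts / messages.  A ratio of 1.0 means every message
    carried a brand-new subdomain, which is exactly the pattern that hides
    from a per-hostname frequency filter but stands out per registered domain.
    """
    suspects = []
    for domain, (n_msgs, n_hosts) in domain_stats(messages).items():
        if n_msgs >= min_messages and n_hosts / n_msgs >= min_unique_ratio:
            suspects.append(domain)
    return sorted(suspects)


if __name__ == "__main__":
    for domain, (n_msgs, n_hosts) in sorted(domain_stats(SAMPLE_MESSAGES).items()):
        print(f"{domain:16s} messages={n_msgs} distinct_hosts={n_hosts}")
    print("subdomain churn suspects:", churn_suspects(SAMPLE_MESSAGES))
```

On the sample, `jilfawris.com` appears in three messages under three different hostnames and is flagged, while the constructed duplicate of `ie.hipraputt.com` gives `hipraputt.com` a reuse ratio of 0.5 and it is not. Applied to a mail feed the same counting reproduces the post's own figures: 33 registered domains behind tens of thousands of distinct third-level names.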

Here are a couple of screenshots from the sites:

Here is a full list of the second-level domains used in the mailings:

aromatangy.com
calmchic.com
crisppride.com
cykduhdao.com
deblanf.com
eslihos.net
fabjust.com
fadvyil.com
fadvyil.net
faynetr.com
goodcure.at
gooddoctoronline.at
gooddoctorscare.at
gooddoctorsite.at
gooddoctorworld.at
gooddruginfo.at
gooddrugonline.at
gooddrugsite.at
gooddrugworld.at
goodearthlawncare.at
gotbake.net
hereftu.net
hipraputt.com
jilfawris.com
kepiseu.com
kepiseu.net
multinew.com
plumppeak.com
relaxkind.com
uljyelsel.com
vapshei.net
yuleaware.com
zwefopcyn.com

Virtually all of these sites are located in China and are registered in the names of various people, most probably invented.

A simple calculation shows that one Iksmas bot sends out around 80 000 emails in 24 hours. Assuming that there are 5 million infected machines out there, the botnet could send out about 400 000 000 000 (400 billion!) spam messages over a 24-hour period.
