The real motive behind Stration

2007-01-01

Ivan Macalintal

Trend Micro, USA
Editor: Helen Martin

Abstract

Just as it seemed that mass-mailers were dying away, a new breed emerged: Stration (aka Warezov, or Strat). Ivan Macalintal investigates the motives of the Stration gang.


Introduction

Recently the anti-virus and computer security industry has focused increasingly on targeted trojan attacks, trojan downloaders and spyware/adware rather than the mass-mailers that plagued cyberspace just a few years ago. However, just as it seemed that mass-mailers were dying away, a new breed emerged: Stration (aka Warezov, or Strat).

The first variant appeared on 16 August 2006 and was given the detection name WORM_STRATION.A. After only two months Trend Micro had received well over 150 variants, the most recent of which (at the time of writing this article) is WORM_STRAT.EQ, detected on 25 October.

At first, the behaviour of the Stration worms was perplexing. They exhibited features much like those used by previous mass-mailers, but there were differences:

  • The worms exhibited bursts of ‘spiked attacks’ or continuous massive spamming in short time frames.

  • Stration’s downloader components used various top-level domains as infection vectors.

  • Stration appeared to have a financial motive, unlike previous worms whose only purpose was to spread to as many computer systems as possible, as quickly as possible.

This paper attempts to reveal the underlying motive of the seemingly random and nonsensical outbursts of the Stration worm.

Analysis of the threat

On the surface, the Stration attacks look like a pointless series of worm propagation, but further investigation shows that this is not the case. Let’s take one recent variant’s behaviour as an example: WORM_STRAT.DV.

The worm is downloaded from one of the many URLs that Stration uses as infection vectors. Once executed, it drops a number of Dynamic Link Library (DLL) files in the system directory:

FileSize
attstat.dll143,360 bytes
confatt.dll53,248 bytes
attprf32.dll53,248 bytes
attperf.exe40,960 bytes
attmgr32.dll356,352 bytes
atrconf.exe49,152 bytes

We will take a closer look at two files: audstat.dll and atrconf.exe. After execution, audstat.dll decrypts a number of URLs in memory, as shown in Figure 1.

audstat.dll decrypts URLs in memory.

Figure 1. audstat.dll decrypts URLs in memory.

The second file in question, atrconf.exe, connects to the URL using IP address 208.66.194.207, as shown in Figure 2. The decrypted URL is http://shionkertunhedanse.com:25/outtask/urlTask8_c_2.txt?id=%s&flag=%d.

TCPView screenshot.

Figure 2. TCPView screenshot.

Figure 3 shows the result of loading the URL into a browser. The contents are dynamic, changing upon every reload of the page.

Loading the URL in a browser.

Figure 3. Loading the URL in a browser.

The following is an example of the content:

26|http://serv1.shionkertunhedanse.com/outtask/tasks/task_26_letter_1162078914.txt|
http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/
report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put|

27|http://serv1.shionkertunhedanse.com/outtask/tasks/task_27_letter_1162078914.txt|
http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/
report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put|

28|http://serv1.shionkertunhedanse.com/outtask/tasks/task_28_letter_1162078914.txt|
http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/
report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put|

29|http://serv1.shionkertunhedanse.com/outtask/tasks/task_29_letter_1162078915.txt|
http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/
report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put|

30|http://serv1.shionkertunhedanse.com/outtask/tasks/task_30_letter_1162078915.txt|
http://get.shionkertunhedanse.com:8091/cgibin/gi2.cgi|http://serv1.shionkertunhedanse.com/
report2.cgi|1||http://mail.oldartero.com:8888/cgi-bin/put|

Let’s look at the first two URLs in the first row. Figure 4 shows what we will see when the first URL is loaded into a web browser.

The first URL loaded into a browser.

Figure 4. The first URL loaded into a browser.

The motive

Looking at Figure 4, we can see that it’s an email template. We saved the contents of the template and renamed it with an .EML extension. The result is shown in Figure 5 - it’s an image spam advertising Viagra and other drugs.

Image spam.

Figure 5. Image spam.

Figure 6 shows the result of loading the second URL into a web browser. This URL resolves to a site containing a list of email addresses. These are the target recipient email addresses that Stration uses to send the image spam. The number of email addresses found here continues to increase at the time of writing this article. They are gathered from the Internet via blogs, forums and mailing lists, as well as from infected PCs.

The second URL loaded into a browser.

Figure 6. The second URL loaded into a browser.

Although every spam email sent by Stration differs through the use of pixel randomization and hash-busting techniques, we have identified four distinct types. These are shown in Figure 7.

The four types of Stration image spam.

Figure 7. The four types of Stration image spam.

All of Stration’s spam messages advertise the domains of RXNN.ORG, RXEE.ORG and RX444.COM. All of these are registered under the name of either ‘Wang Pang’ or ‘Bai Ming’ - both of which have regularly been listed in spam forums and domain/URL abuse networks and services as prolific spammers from China. It is also interesting to note that ‘Wang Pang’ is the registrant and admin name for the URL used in the very first Stration variant.

The URLs at which the email addresses are hosted are dynamic. The one shown in Figure 6 is still live at the time of writing this article. A second email address-hosting URL, http://www1.vedasetionkderun.com:8080/dsl, is inaccessible at the current time.

The number of email addresses listed on these sites is mind-boggling. To date, we have identified around 20 million unique email addresses, with the number still increasing - indicating that the Stration gang is carrying out an attack on an enormous scale.

So far, the infected parties we know about have included ISPs, banks and financial institutions and enterprise, government and educational institutions, with hundreds of thousands of users being affected. The number continues to increase as new variants appear.

Some statistics

As we can see, Stration is all about spam - image spam. And when spam is involved, there tends to be a lot of money at stake. Looking further at the implication of this threat, we can see that there has been a steady increase in spam rates recorded over the last couple of months.

Figure 8 shows data collected by Commtouch, illustrating the increase in spam over recent months. Our own records (Figure 9) show that the percentage of image spam has been increasing in recent months, coinciding with the period when Stration infection reports were on the rise.

Commtouch data on spam rates Oct 05 to Sept 06.

Figure 8. Commtouch data on spam rates Oct 05 to Sept 06.

Trend Micro records show that the percentage of image spam has increased.

Figure 9. Trend Micro records show that the percentage of image spam has increased.

The Stration threat has been contributing significant numbers to the spam and, in particular, image spam flooding cyberspace and wasting Internet resources. This has been Stration’s primary motive all along.

Medbot

In November 2006 it was discovered that the authors behind Stration were also using another malware family, known as Medbot, to make sure that their goal of proliferating huge amounts of Viagra spam was achieved.

In August 2006 - almost at the same time as the first Stration variant appeared - a new strain of IRC bot was released. This was Medbot, an IRC bot that also attempts to infect computers with the aim of turning them into zombies to send spam. We sniffed through WORM_MEDBOT.AI traffic and found that it connects to the IRC server reg.raxoper.com with the user ‘nick jebr-1_[four digit random number]_[four digit random number]’.

Once a private session is established, the controller issues several commands that are programmed into Medbot. For the session we monitored, the controller issued a download-and-execute command for four files:

modul32e.m.exe
injs.n.exe
hdd.h.exe
ssd32.j.exe

These files are located in http://up.medbod.com/up.

Most notable of the four downloaded files is modul32e.m.exe, which accepts a URL as a parameter. Downloading the file from the URL reveals that it contains a lot of links to other files. A brief summary of the file lists includes the following:

  • s3.2.txt file from the seeky.mootseek.com domain

  • domain.cab file

  • fname.cab file

  • lname.cab file

  • pattern.txt file from the up.medbod.com domain

and a lot of other files from the seek[1-2 digit number].mootseek.com domain.

Surprisingly, the s3.2.txt file contains an email template that resembles spam. The files domain.cab, fname.cab and lname.cab contain archived files named domain, fname and lname, respectively. The domain file contains a list of various domains, fname contains a list of common first names, while lname contains a list of last names. The file pattern.txt contains phrases that can be used as email subjects.

The files from the ‘seek[1-2 digit number].mootseek.com’ domain are text files containing lists of email addresses that are not covered by the combination of strings found in fname/lname@domain. The s3.2.txt file is updated frequently, changing the URL link being advertised on the spam mail template. The same is true for the numerous files from the seek[1-2 digit number].mootseek.com domain. The only files that remain constant are the domain, fname and lname files. These files indicate that the intention of WORM_MEDBOT is - again - to turn infected computers into spam machines sending drug-related spam messages.Figure 10

shows some snapshots of the spam mails that are sent from Medbot-infected machines to millions of target recipients.

Snapshots of the spam mails being sent out from Medbot-infected machines.

Figure 10. Snapshots of the spam mails being sent out from Medbot-infected machines.

Running WHOIS on the domains of the sites advertised in the Medbot spam emails gives us the following information:

Registrant: Dima li
jungonglu1219hao
200093
Administrative contact: Dima li

‘Dima Li’ is another of the aliases used by the registrants/administrators of the domains used by the Stration worms. Coincidence? Add to that the fact that both malware families appeared almost at the same time and it starts to look likely that these malware families may indeed be connected.

Figure 11 shows a site advertised in the spam messages sent by Medbot. Now take a look at Figure 12, which shows a site advertised in the spam messages sent by Stration. Coincidence? We don’t think so.

The site advertised by Medbot spam messages.

Figure 11. The site advertised by Medbot spam messages.

The site advertised by Stration spam messages.

Figure 12. The site advertised by Stration spam messages.

From this, we can safely assume that the authors behind Stration are using more than one malware family to achieve their goal. This increases the chances of users receiving spam advertising their pharmaceuticals-related business.

Conclusion

We can use ‘deadend’ email addresses to increase our sample collection via spamtraps. But how about the other legitimate and live email addresses - can they be of any use? Based on the sampling of email addresses that we have gathered, we have a good idea of Stration’s targets and audience demographic, and of the likely targets in the days, weeks or even months to come.

Is it possible that we can offer a service by working closely and coordinating with the affected recipients regarding the possible targets in their organizations?

Can we, say, implement a task force to make sure that these email recipients’ systems are well-guarded and that their email-filtering systems, anti-virus signatures and engines are updated so we can lessen the impact of the overall target of Stration (and of Medbot)?

I believe it is possible, with this information at hand, that we can minimize the damage of Stration and protect our customers and other users even before any future Stration event or attack occurs.

The web threat space is, and will continue to be, augmented by Stration and Medbot and any other malware that uses the Internet as one of its main infection vectors. Moreover, the Internet will continue to be populated not only by malicious code but by spam as well, draining our precious resources.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

VB2019 paper: APT cases exploiting vulnerabilities in region‑specific software

Some APT attacks are carried out by exploiting vulnerabilities in region-specific software. Government agencies frequently use such localized software, and this tends to be the target of attackers. In Japan, there have been many cases where attacks…

Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

Web application vulnerabilities are an important entry vector for threat actors. In this paper researchers Abhishek Singh and Ramesh Mani detail algorithms that can be used to detect SQL injection in stored procedures, persistent cross-site scripting…

VB2019 paper: Cyber espionage in the Middle East: Unravelling OSX.WindTail

It’s no secret that many nation states possess offensive macOS cyber capabilities, though such capabilities are rarely publicly uncovered. However, when such tools are detected, they provide unparalleled insight into the operations and techniques…

VB2019 paper: 2,000 reactions to a malware attack – accidental study

This paper presents an analysis of 1,976 unsolicited answers received from the targets of a malicious email campaign, who were mostly unaware that they were not contacting the real sender of the malicious messages. Many of the victims were unaware…

VB2019 paper: Why companies need to focus on a problem they don't know they have

There is a type of crime, breach of company policy, misuse of company assets and security threat that is often overlooked: as one in 500 employees use their work computer to handle child sexual abuse material. This crime and misuse of company assets…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.