The botnet world took a big hit when Spamit.com closed its shop and the gigantic Rustock botnet was slowed down. Looking at the statistics, we can see that this has made the year so far a happy one for anti-spammers. And just when it all looked quiet and nice, the well-known Donbot and Xarvester suddenly returned. Someone clearly breathed new life into these spamming machines. Below you can see the activity of well-known botnets.
Xarvester first came to attention a few years ago, when it was found to be the leading botnet, with a close relation to such gigantic botnets as Rustock. Let's take a look at Xarvester.
Aliases : Bybot, Rlsloop, Pixoliz
Features : Encrypted C&C communication; HTTP over non-standard ports; XOR-encrypted template files containing several files needed for spamming; spam run results sent back to the control server; can upload a Minidump crash file
Spamming rate : 25,000 msgs per hour per bot
Command and control : bestsolutions2010.info; def2010cnt.biz; Port – 12309 (may vary)
Malware behaviour on the host:
The spambot itself is relatively simple. When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309 and requests an encrypted file which, when decrypted, proves to be a container for the files the bot needs in order to spam.
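The sequence described above (IP lookup via checkip.dyndns.com, then a connection to the C&C domain on port 12309) is something a network defender can correlate in outbound connection logs. The following is an added example, not code from this post or from M86 Labs: it takes only the C&C domains and port quoted above as indicators, and the log format and sample lines are constructed for illustration. Since the post notes the port may vary, the port match is treated as weaker evidence than a hit on a listed domain.

```python
import re
from collections import defaultdict

# Indicators quoted from the write-up above. Assumption: the C&C domains and
# port are used as exact-match indicators; the post notes the port may vary.
C2_DOMAINS = {"bestsolutions2010.info", "def2010cnt.biz"}
C2_PORT = 12309
IP_CHECK_HOST = "checkip.dyndns.com"

# Constructed log format for this example (not a real product's format):
#   <ISO timestamp> <src_ip> -> <dst_host>:<dst_port> <proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\S+)$"
)

# Constructed sample traffic: one host shows the full pattern, two show only a
# partial match, one is clean.
SAMPLE_LOG = """\
2011-03-01T10:00:01 10.0.0.5 -> checkip.dyndns.com:80 tcp
2011-03-01T10:00:03 10.0.0.5 -> def2010cnt.biz:12309 tcp
2011-03-01T10:00:10 10.0.0.7 -> www.example.com:443 tcp
2011-03-01T10:01:00 10.0.0.9 -> checkip.dyndns.com:80 tcp
2011-03-01T10:05:00 10.0.0.9 -> updates.example.org:443 tcp
2011-03-01T10:06:00 10.0.0.11 -> 203.0.113.9:12309 tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["dst"] = rec["dst"].lower()
    return rec


def classify(rec):
    """Return the indicator tags that a single connection record matches."""
    tags = set()
    if rec["dst"] in C2_DOMAINS:
        tags.add("known-c2-domain")
    if rec["port"] == C2_PORT:
        tags.add("c2-port")
    if rec["dst"] == IP_CHECK_HOST:
        tags.add("ip-check")
    return tags


def find_suspects(log_text):
    """Correlate indicators per source host.

    Returns {src_ip: (severity, sorted_tags)} for every host that matched at
    least one indicator. Severity is:
      high   - contacted a listed C&C domain, or did the IP check and then
               connected to the C&C port (the sequence the write-up describes)
      medium - connected to the C&C port only
      low    - IP check only (many legitimate tools do this, so it is only
               context, not an alert on its own)
    """
    tags_by_host = defaultdict(set)
    first_seen = defaultdict(dict)  # src -> tag -> earliest timestamp

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            tags_by_host[rec["src"]].add(tag)
            ts = first_seen[rec["src"]]
            if tag not in ts or rec["ts"] < ts[tag]:
                ts[tag] = rec["ts"]  # ISO-8601 strings compare chronologically

    results = {}
    for src, tags in tags_by_host.items():
        ts = first_seen[src]
        in_sequence = (
            "ip-check" in tags and "c2-port" in tags
            and ts["ip-check"] <= ts["c2-port"]
        )
        if "known-c2-domain" in tags or in_sequence:
            severity = "high"
        elif "c2-port" in tags:
            severity = "medium"
        else:
            severity = "low"
        results[src] = (severity, sorted(tags))
    return results


if __name__ == "__main__":
    for src, (severity, tags) in sorted(find_suspects(SAMPLE_LOG).items()):
        print(f"{src:<10} {severity:<7} {', '.join(tags)}")
```

Run stand-alone it prints one line per host that matched anything; only 10.0.0.5 reaches "high", because a lone IP lookup or a lone non-standard port is common enough in normal traffic that it should feed context rather than page anyone on its own.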
I have been writing posts about botnets recently because I find them the biggest enemy in the computing world. I also can't imagine how people create such huge machines for their own purposes.
Reference : http://labs.m86security.com/