After reading the abuse.ch post about the RODECAP botnet, we could get some samples of the scripts used by the botnet to send spam.
abuse.ch also sent us a dump of the communication from a RODECAP sample, so we started the analysis using the PCAP received and our scripts.
At first look, the script is obfuscated; the code is packed into a dense run of characters with no whitespace, as seen in the next screenshot.
After preparing the script, we can try to understand the code. This was the new look:
The obfuscation renamed all variables and functions, and reused some of those names both inside functions and in the main code, so we started by identifying each variable and its purpose.
Well… when a request is sent to the script, the first check is the number of keys sent by POST. If it is two or less, the script returns a die command with the OS name plus a few characters, which in our script was '1' + '0' + md5(0987654321), so the request returns the next string:
If the number of keys is more than two, the script checks each key and compares the first character of each key. This is the only important part of the key: the botnet uses randomized key names for the requests, but the first character must always be the same.
The script searches for 4 different characters as the first letter in the keys:
- l: This key stores the list of the mails where the spam will be sent.
- d: Contains the data to craft the mail to send.
- m: Contains the mail server (SMTP) used to send spam
- e: This key is only used as a flag, to check whether the other keys' values are encrypted or not. If the key exists, the values are encrypted.
If the values are encrypted, the script decrypts them in the next step.
The encoded strings use a simple base64 encoding plus a XOR with 2 applied to each character of the decoded string.
This is the function to decrypt the keys:
This is an example of the encrypted key sent:
The string after base64 decode:
And, this is the string decrypted by XOR:
Once the values are decrypted, the process continues by preparing the mailing list: the list of mails is stored in the l key, with the addresses joined using the '#' character.
The next step is to craft the email using the d value. This value uses a tag format, and the tags used are:
And finally, the emails are sent using either the PHP mail() function, if it is available on the system, or a self-crafted function implementing the SMTP protocol, in both cases using the mail server defined in the m key.
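As an added example (not the botnet's script nor code from the original post), the following Python reimplements the request handling described above so an analyst can decode captured POST bodies from a PCAP: the key-count check, routing by the first character of each key name, the base64 + XOR-with-2 decoding when the e flag is present, and the '#'-joined mailing list. The exact layout of the die string (OS name followed by '1' + '0' + md5("0987654321")) and the "Linux" OS value are assumptions for illustration; the sample POST body is constructed here.

```python
import base64
import hashlib

XOR_KEY = 2  # each byte is XORed with 2 after base64 decoding, per the analysis


def rodecap_decode(encoded: str) -> str:
    """Reverse the bot's encoding: base64-decode, then XOR every byte with 2."""
    raw = base64.b64decode(encoded)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def rodecap_encode(plain: str) -> str:
    """Inverse of rodecap_decode; used only to build constructed sample traffic."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("latin-1"))
    return base64.b64encode(raw).decode("ascii")


def parse_request(post: dict) -> dict:
    """Mimic the dispatcher: two or fewer keys -> die string, else route by first char."""
    if len(post) <= 2:
        # Assumed layout of the die response: OS name + '1' + '0' + md5("0987654321").
        digest = hashlib.md5(b"0987654321").hexdigest()
        return {"die": "Linux" + "1" + "0" + digest}
    # The e key is only a flag: its presence means the other values are encoded.
    encrypted = any(key[:1] == "e" for key in post)
    fields = {}
    for key, value in post.items():
        tag = key[:1]  # only the first character of the key name matters
        if tag in ("l", "d", "m"):
            fields[tag] = rodecap_decode(value) if encrypted else value
    if "l" in fields:
        # Mailing list: recipient addresses joined with '#'
        fields["l"] = [addr for addr in fields["l"].split("#") if addr]
    return fields


# Constructed sample POST body, with randomized key names as the bot would send them.
SAMPLE_POST = {
    "lXk9": rodecap_encode("a@example.com#b@example.com"),
    "dQ2": rodecap_encode("<subject>hello</subject>"),
    "mZ": rodecap_encode("smtp.example.com"),
    "e7": "1",
}

if __name__ == "__main__":
    print(parse_request(SAMPLE_POST))
    print(parse_request({"x": "1"})["die"])
```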