Bobax Trojan Analysis
- URL: http://www.secureworks.com/research/threats/bobax
- Date: May 17, 2004
- Author: Joe Stewart
Bobax is a semi-automated spreading trojan. Similar in concept to bots like Agobot, the trojan can spread unattended, but only when given the command to do so by its author. Its primary purpose appears to be to create a massive automated spamming network. Unlike proxy trojans which require the spammer to connect and send each individual piece of mail, Bobax sends the mail using a template and a list of email addresses. This has the benefit of offloading almost all the bandwidth requirements of spamming onto the trojaned machines, allowing the spammer to operate with minimal cost.
The dropper file is named svc.exe. When run, it extracts a DLL file from its executable and injects it into the Explorer process space.
When executed for the first time, the Bobax trojan follows these steps:
- Tests for the presence of mutex 00:24:03:54A9D. Exits if it exists, creates it if it doesn't
- Attempts to delete files from the Temp directory with a tilde prefix, cleaning up after the infection process
- Copies itself to the Windows system directory and adds a value to each of the following registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  [keyname] => [path to executable file]
  The registry key name is an 8-digit hexadecimal pseudo-random number generated from the volume ID of the disk where the system directory resides. The exe name prefix is a sequence of 5-14 randomly generated lowercase letters.
- Attempts to contact the following sites:
  chilly.no-ip.info
  kwill.hopto.org
  cheese.dns4biz.org
  butter.dns4biz.org
The requested URL is:
http://hostname/reg?u=[8-digit hex id]&v=114
The User-agent provided by the trojan when connecting to the control server is:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
If successful, the trojan will parse the returned content looking for commands from this server. These commands may or may not be present depending on the spammer's schedule:
- upd - Download and execute update
- exe - Download and execute a program
- scn - Scan and infect hosts using the MS04-011 exploit
- scs - Stop scanning
- prj - Send spam from template email and list of addresses provided
- spd - Report speed of connection
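The two indicators above that a defender can match mechanically are the persistence value (an 8-digit hex value name under Run/RunServices pointing at a 5-14 lowercase-letter .exe) and the check-in URL (/reg?u=[8-digit hex id]&v=114). The following is an added example, not code from the original analysis or from SecureWorks, that triages a registry export and a proxy log for both. The log layout (time, client, method, URL, status, quoted User-Agent) and all sample entries are constructed for the example.

```python
import re

# --- Host indicator: the Run/RunServices persistence value described above ---
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
KEYNAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)  # 8-digit hex value name
EXENAME_RE = re.compile(r"^[a-z]{5,14}\.exe$")              # 5-14 lowercase letters + .exe


def suspicious_run_entries(entries):
    """entries: iterable of (key, value_name, data) as exported from the registry.
    Returns the entries whose value name and executable name both fit the pattern."""
    wanted = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, name, data in entries:
        if key.lower() not in wanted or not KEYNAME_RE.match(name):
            continue
        # Take the file name off the end of the path; quoted paths are common in Run values.
        exe = data.strip('"').replace("\\", "/").rsplit("/", 1)[-1]
        if EXENAME_RE.match(exe):
            hits.append((key, name, data))
    return hits


# --- Network indicator: the /reg?u=<id>&v=<version> check-in ---
BEACON_RE = re.compile(r"^http://([^/]+)/reg\?u=([0-9a-f]{8})&v=(\d+)$", re.IGNORECASE)
BOBAX_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
# Constructed proxy-log layout for this example: time client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_beacon(url):
    """Return (c2 host, bot id, version) if the URL is a Bobax check-in, else None."""
    m = BEACON_RE.match(url)
    if not m:
        return None
    host, bot_id, version = m.groups()
    return host.lower(), bot_id.lower(), version


def find_beacons(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ua = m.groups()
        beacon = parse_beacon(url)
        if beacon is None:
            continue
        host, bot_id, version = beacon
        hits.append({"time": ts, "client": client, "c2": host, "bot_id": bot_id,
                     "version": version, "status": status,
                     # The UA is a stock IE6 string, so it corroborates but never decides.
                     "ua_match": ua == BOBAX_UA})
    return hits


SAMPLE_ENTRIES = [  # constructed registry export, not from a real host
    (RUN_KEYS[0], "1a2b3c4d", r"C:\WINDOWS\system32\qwertasdfg.exe"),
    (RUN_KEYS[1], "1A2B3C4D", r"C:\WINDOWS\system32\qwertasdfg.exe"),
    (RUN_KEYS[0], "Realtek", r"C:\WINDOWS\RTHDCPL.EXE"),
    (RUN_KEYS[0], "deadbeef", r'"C:\Program Files\App\app.exe"'),  # name too short
]

SAMPLE_LOG = [  # constructed proxy log lines
    '2004-05-17T10:01:02 10.0.0.5 GET http://chilly.no-ip.info/reg?u=3fa9c21e&v=114 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2004-05-17T10:01:03 10.0.0.7 GET http://www.example.com/index.html 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2004-05-17T10:02:10 10.0.0.9 GET http://butter.dns4biz.org/reg?u=A17B22C0&v=114 503 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_ENTRIES):
        print("registry:", hit)
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon:", hit)
```

A failed check-in (the 503 above) is still worth reporting: the infected client keeps polling whether or not the control host answers, so the URL shape identifies the bot regardless of the response.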
The scanning thread works as follows:
- An HTTP listener is set up on a random numbered port between 2000 and 62000
- 128 threads are started to scan for vulnerable hosts:
  - 32 threads will scan the same /16 subnet as the local host
  - 32 threads will scan the same /8 subnet as the local host
  - 64 threads will scan randomly chosen Internet addresses
- The scan is actually performed on TCP port 5000 - if the port is found open this is usually indicative of a Windows XP host. The trojan will then connect to port 445 and execute the LSASS exploit against the vulnerable host. The trojan file will be served from the internal HTTP process and the target host will be infected and under the control of the spammer.
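The scan pattern just described is easy to spot in flow data: one source fanning out to many hosts on TCP port 5000, with a follow-up connection to port 445 on some of the hosts that answered, and the targets split between the source's own /16, its /8, and the rest of the Internet. The code below is an added example, not from the original analysis, that scores flow records this way. The threshold of 20 probed hosts is an assumed tuning value, and the flow records are constructed (TEST-NET addresses stand in for "random Internet addresses").

```python
import ipaddress
from collections import defaultdict

SCAN_PORT = 5000     # Bobax's "is this Windows XP?" probe
EXPLOIT_PORT = 445   # LSASS (MS04-011) delivery port
THRESHOLD = 20       # distinct hosts probed on tcp/5000 before a source is reported (assumed)


def classify_scanners(flows, threshold=THRESHOLD):
    """flows: iterable of (src_ip, dst_ip, dst_port) in time order.
    Returns {src: summary} for sources whose tcp/5000 fan-out crosses the threshold."""
    probed = defaultdict(set)       # src -> hosts it touched on 5000
    followed_up = defaultdict(set)  # src -> probed hosts it then touched on 445
    for src, dst, port in flows:
        if port == SCAN_PORT:
            probed[src].add(dst)
        elif port == EXPLOIT_PORT and dst in probed.get(src, ()):
            followed_up[src].add(dst)

    report = {}
    for src, targets in probed.items():
        if len(targets) < threshold:
            continue
        net16 = ipaddress.ip_network(f"{src}/16", strict=False)
        net8 = ipaddress.ip_network(f"{src}/8", strict=False)
        in16 = sum(1 for t in targets if ipaddress.ip_address(t) in net16)
        in8 = sum(1 for t in targets if ipaddress.ip_address(t) in net8) - in16
        report[src] = {
            "probed": len(targets),
            "same_16": in16,                  # the 32-thread local /16 sweep
            "same_8_only": in8,               # the 32-thread local /8 sweep
            "elsewhere": len(targets) - in16 - in8,  # the 64 random-address threads
            "probe_then_445": sorted(followed_up.get(src, ())),
        }
    return report


def sample_flows():
    """Constructed flow records: one Bobax-like scanner and one benign host."""
    scanner = "10.20.1.50"
    flows = [(scanner, f"10.20.3.{10 + i}", SCAN_PORT) for i in range(30)]    # own /16
    flows += [(scanner, f"10.99.7.{10 + i}", SCAN_PORT) for i in range(10)]   # own /8
    flows += [(scanner, f"203.0.113.{10 + i}", SCAN_PORT) for i in range(10)]  # elsewhere
    flows += [(scanner, "10.20.3.10", EXPLOIT_PORT), (scanner, "203.0.113.12", EXPLOIT_PORT)]
    benign = "10.20.1.60"  # a couple of UPnP-ish probes and a normal file-share connection
    flows += [(benign, "10.20.3.10", SCAN_PORT), (benign, "10.20.3.11", SCAN_PORT),
              (benign, "10.20.1.2", EXPLOIT_PORT)]
    return flows


if __name__ == "__main__":
    for src, summary in classify_scanners(sample_flows()).items():
        print(src, summary)
```

The "probe on 5000, then 445 to the same host" sequence is the higher-confidence signal; the raw 5000 fan-out alone will also catch legitimate UPnP discovery tools, which is why the threshold is per-source distinct hosts rather than per-connection.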
It is unclear why the trojan author chose to only infect Windows XP systems. It could be for simplicity - the exploit will crash a system if the target OS and patch level do not match certain offsets in the exploit code, so limiting the target platform means only one offset has to be sent. It could also be that the spammer prefers to operate using home-user systems rather than corporate servers, which would be more likely to be running Windows 2000.
The internal workings of the code appear similar to spam trojans we have seen before - most recently in the "Minit" trojan. This could be an indication that they at least share some of the same code if they are not written by the same author.
Update: May 24, 2004
At this time, three more variants have been discovered. Bobax.B is a minor variant with additional websites to contact. In addition to seven primary control hosts contained in the binary, Bobax.B can generate a large number of hostname variations on those names in order to thwart attempts to have the names taken out of the free DNS services it uses. For instance, if butter.dns4biz.org no longer works, butter1.dns4biz.org, butter2.dns4biz.org, butter3.dns4biz.org and so on can be used. After the suffix '9', letters a-z are used. It also attempts to download files from other websites as a bandwidth-speed test. Bobax.C has introduced the ability to spread by also exploiting the RPC/DCOM vulnerability used by the Blaster worm (MS03-026/MS03-039) on TCP port 135. This also means that Bobax.C can infect Windows 2000 systems as well as Windows XP. Bobax.D was discovered later, but was actually compiled before the B and C variants. The D variant may have contained bugs because the B variant was compiled only an hour and a half later.
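Because the Bobax.B hostname scheme is fully described (bare name, then suffixes 1-9, then a-z), a defender can expand it ahead of time into a blocklist or a DNS-log matcher rather than chasing each new variant as it appears. The following is an added example, not part of the original analysis, built on the four control hosts named in this page (Bobax.B carries seven, but the other three are not given here and are not guessed). It assumes the suffix is appended to the first label only, as the butter1.dns4biz.org example shows; the DNS log lines are constructed.

```python
import string

# The four control hosts named in the original analysis.
PRIMARY_HOSTS = (
    "chilly.no-ip.info",
    "kwill.hopto.org",
    "cheese.dns4biz.org",
    "butter.dns4biz.org",
)
# Suffix order as described: bare name, then 1-9, then a-z.
SUFFIXES = ("",) + tuple(str(d) for d in range(1, 10)) + tuple(string.ascii_lowercase)


def variant_hostnames(hostname):
    """All 36 names Bobax.B can derive from one primary host (assumed: first label only)."""
    label, dot, domain = hostname.partition(".")
    return [f"{label}{s}{dot}{domain}" for s in SUFFIXES]


def blocklist(primaries=PRIMARY_HOSTS):
    """Sorted, de-duplicated expansion of every primary host, ready for a sinkhole or resolver."""
    names = set()
    for host in primaries:
        names.update(variant_hostnames(host))
    return sorted(names)


def variant_base(observed, primaries=PRIMARY_HOSTS):
    """Return the primary host an observed name is a variant of, or None."""
    observed = observed.lower().rstrip(".")
    for base in primaries:
        if observed in variant_hostnames(base):
            return base
    return None


def check_dns_log(lines, primaries=PRIMARY_HOSTS):
    """Constructed log layout: '<time> <client> <queried name>'. Returns (client, name, base)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        base = variant_base(qname, primaries)
        if base is not None:
            hits.append((client, qname.lower().rstrip("."), base))
    return hits


SAMPLE_DNS_LOG = [  # constructed resolver log lines
    "2004-05-24T09:00:01 10.0.0.5 butter.dns4biz.org.",
    "2004-05-24T09:00:02 10.0.0.5 butter1.dns4biz.org.",
    "2004-05-24T09:00:03 10.0.0.7 www.example.com.",
    "2004-05-24T09:00:04 10.0.0.5 butterA.dns4biz.org.",
]

if __name__ == "__main__":
    print(len(blocklist()), "names in the expanded blocklist")
    for hit in check_dns_log(SAMPLE_DNS_LOG):
        print("variant lookup:", hit)
```

Sequential lookups of butter, butter1, butter2 and so on from one client, as in the constructed log, are the behaviour to alert on: a bot walking the list after its primary host has been taken down.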
| Variant | Size | MD5 | Compile Date |
|---|---|---|---|
| A | 20,480 | b0825423585db91f845cf77cbeb91774 | Sat May 15 18:31:56 2004 |
| B | 21,504 | a1ed86348c7c2540244dc87dea3db5e9 | Sun May 16 22:13:38 2004 |
| C | 22,528 | 18a3787cbb84b4215c28a3d7ba20213f | Tue May 18 00:09:19 2004 |
| D | 19,456 | 8c447a3038a283286f7f255f5b08daae | Sun May 16 20:47:37 2004 |
Manual Removal
The Bobax trojan injects itself into the Explorer process memory, so using the Task Manager, kill the explorer.exe process (it should restart, sans Bobax). Remove the registry keys that match the pattern above and any files associated with the trojan and reboot the computer. Install the MS04-011 patch (and the MS03-039 patch if needed) to prevent reinfection.