This is an in-depth look at the StealRat botnet, first discussed by Trend Micro in their paper at

One of the sites I host became compromised and began sending thousands of spam messages per hour. Being in the position I am, I was able to honeypot the exploit and learned much of the inner workings of this spam operation.

Overview

The StealRat botnet operates with the following components:

  1. A Command and Control server
  2. Botnet agents
  3. Compromised websites acting as botnet agents
  4. Compromised websites acting as mail gateways
  5. Compromised websites acting as an HTTP redirect

The control server isolates itself from the actual act of spamming through the botnet agents and compromised websites. Each of these components will be discussed in detail below.

Command and Control Server

My knowledge of the C&C server is based solely on the exploit that is executed remotely by botnet agents and therefore may be incomplete.

The C&C server provides three things to the malware:

  1. Email addresses to spam
  2. A message to send, including the actual message, the subject, the sender name, and email address
  3. URLs to compromised websites to use as mail gateways.

The command and control server is hosted by LeaseWeb in Amsterdam with the domain ''. It resolves to the IP address

Botnet Agents

The StealRat botnet agents make the actual HTTP requests against compromised websites, either sending spam directly through a PHP mailer script on a compromised website or sending it through a PHP shell on a compromised website.

Compromised Websites

Exploits Used

The PHP Mailer Script

The PHP mailer script is an exploit uploaded by the attacker that allows the botnet to send spam messages. The deobfuscated mailer script can be seen below.

At its most active, these mailer scripts can be hit every few seconds by random botnet clients. An individual request will contain the POST values listed below.

The POST arguments sent to the mailer script are listed below. While the keys are given as whole words, only the first letter is used.

  • l / layer - The list of email addresses to spam
  • d / dimm - The email message to send
  • en / err - Message encoded. Always observed as 1

Earlier this year (2015), the botnet clients sent these values using only the first letter (l, d, and en instead of layer, dimm, and err), which shows that the botnet clients are still actively updated by the botnet operators. This is possibly an attempt to obfuscate the traffic slightly.

Both the email address list and the message are encoded using base64 and XOR'd with 1's. The email address list contains 19 email addresses delimited by the hash '#' character. The email message contains a fake name and username, the email subject and the message body.

This botnet in particular always sends messages with a single link, which goes to yet another hacked server that redirects an unsuspecting user to a site the botnet operators are promoting.

Interestingly, the user agent targeting the PHP mailer script is always

Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)
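The two fixed user-agent strings and the POST-to-PHP pattern described on this page are easy to hunt for in web server access logs. The following is an added example for this article (not code from the original page, from Trend Micro, or from the botnet itself); it parses combined-format log lines, flags POSTs to .php files that carry either observed user agent, and counts hits per path so the "every few seconds" burst against one mailer script stands out. The log lines are constructed samples, not real captures, and the path names in them are invented.

```python
"""Flag StealRat-style mailer and shell traffic in combined-format access logs.

Added example for this page. Indicators come from the article text:
POST requests to PHP files using one of two fixed user-agent strings.
All log lines below are constructed samples.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# User-agent strings the article reports for the two request types.
MAILER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
SHELL_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

# Apache/nginx combined format:
# ip - - [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return 'mailer', 'shell' or None for one parsed entry.

    Only POSTs to .php files are considered. The rv:1.7.6 string is old enough
    to be a strong indicator on its own; the Firefox 33 string is a legitimate
    browser UA, so 'shell' hits are leads to confirm, not verdicts.
    """
    path = entry["path"].split("?", 1)[0]
    if entry["method"] != "POST" or not path.endswith(".php"):
        return None
    if entry["ua"] == MAILER_UA:
        return "mailer"
    if entry["ua"] == SHELL_UA:
        return "shell"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over raw log lines and return the flagged entries."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is not None:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "path": entry["path"], "kind": kind})
    return hits


def hits_per_path(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per script path; a mailer script hit repeatedly stands out."""
    return Counter(h["path"] for h in hits)


# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2015:10:14:02 +0000] "POST /images/header.php HTTP/1.1" 200 17 "-" "' + MAILER_UA + '"',
    '198.51.100.7 - - [12/Mar/2015:10:14:09 +0000] "POST /images/header.php HTTP/1.1" 200 17 "-" "' + MAILER_UA + '"',
    '192.0.2.44 - - [12/Mar/2015:13:02:51 +0000] "POST /wp-content/plugins/example/index.php HTTP/1.1" 200 2 "-" "' + SHELL_UA + '"',
    '192.0.2.10 - - [12/Mar/2015:13:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "' + SHELL_UA + '"',
    '192.0.2.11 - - [12/Mar/2015:13:03:05 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/36.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(hits_per_path(scan(SAMPLE_LOG)))
```

The fourth sample line is a plain GET with the Firefox 33 agent and is deliberately not flagged; that distinction is what keeps the rule usable on a busy site.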

The PHP Shell

The PHP shell is a short exploit injected into an existing PHP script. A secret key is hard-coded to allow arbitrary code execution by POSTing to the shell.

This was most likely created from an existing exploit, such as a vulnerable WordPress plugin.

Using this PHP shell, the botnet operators and other botnet clients can run arbitrary PHP code on the server.

One of the many uses is to further distance the operators from the act of sending spam by using the shell as a proxy, and also to amplify the amount of spam the botnet clients can send. Another is to keep a healthy set of PHP mailer scripts online on the server in case some are taken down.

Proxying Mail Requests

Every few hours, one of the botnet clients will attempt to execute an obfuscated piece of PHP code on the PHP shell which proxies mail requests to other exploited servers.

The payload is encoded using base64. The deciphered payload can be viewed below. The single quotes around the function names are an artifact of my decoder.

Basically, the payload above fetches a binary from the C&C server, chosen according to the host's architecture, into /tmp and executes it with an environment variable XDVSN_SESSION_COOKIE, which is encoded using base64 and XOR'd with 1's. Decoding this value yielded URLs and arguments for other C&C resources, which the binary uses in order to spam through other remote servers.

From what I can figure out, the arguments are:

  • ldb = list database containing the email addresses. Changing this yielded different email addresses.
  • kk = random keys the program should use
  • su = a URL to the C&C server that provides a random URL to a PHP mailer script
  • bu = a URL to the C&C server that provides a random email message to send
  • lu = the base URL to the C&C server that provides an encrypted list of email addresses.
  • lc = limit on the number of emails to fetch

More on the C&C in the section below.

A Simple Solution

This stage of the attack can be prevented by mounting /tmp noexec, since the binary is dropped into /tmp and executed from there.

Interestingly, these clients always make the request with the user agent string of:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0

Once the binary executes with the proper environment variable set, it will fetch a random URL to use as a mail gateway, a list of about 100 email addresses to spam, and an email message from the C&C server. In batches of 19 email addresses, the binary will make one request to a random PHP mailer script until all emails have been exhausted, and then the program terminates.

The PHP Exploit Creator

Once in a while, a botnet client will run a different piece of obfuscated PHP code which creates the PHP mailer scripts.

Deobfuscating the code shows that the exploit creator will randomly traverse into a directory and dump the payload into a file whose name is randomly generated from a list of generic, web-related words in order to be discreet.

The payload always contains the PHP mailer script discussed in the sections above.

More about the C&C Server

The C&C server is hosted in the Netherlands by LeaseWeb. By capturing the botnet's requests to proxy and amplify the spam, the C&C resources were discovered. There are three resources that are of interest:

  • hxxp://pages. .com/crond32
  • hxxp://pages. .com/crond64
  • hxxp://sk. .com//img/logo.gif?sessd=$ldb&sessc=$lc&sessk=$kk
  • hxxp://bat. .com/aa2.php
  • hxxp://stat. .com/gj13c.php

The first two are the 32-bit and 64-bit binaries used by the botnet to proxy HTTP requests to PHP mailer scripts.

The logo.gif resource takes in three parameters:

  1. sessd - the email table
  2. sessc - the number of email addresses to fetch
  3. sessk - a 16-character key the contents are 'encrypted' with. The key is padded with 0's if it is shorter than 16 bytes.

The returned contents are XOR'ed with the key provided.
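Both encodings on this page (the mailer script's base64-plus-XOR POST fields with their '#'-delimited 19-address list, and the logo.gif response XOR'd with a 0-padded 16-byte sessk) are simple enough to decode for analysis. The block below is an added example and not code from the article or the botnet. It assumes two details the page leaves open: that "XOR'd with 1's" means every byte XOR'd with 0x01 after base64 decoding, and that sessk is right-padded with ASCII '0'. All sample values are constructed.

```python
"""Decode StealRat-style mailer POST fields and the logo.gif list response.

Added example for this page. Assumptions (not stated on the page):
  * mailer fields (l/layer, d/dimm) are base64(plaintext XOR 0x01), so the
    decoder is base64-decode followed by XOR 0x01 per byte;
  * sessk is right-padded with ASCII '0' to 16 bytes and the list response is
    XOR'd with that key repeating.
Sample addresses and messages are constructed.
"""
import base64
from typing import Dict, List

MAILER_XOR_BYTE = 0x01      # assumption: "XOR'd with 1's" == XOR 0x01
SESSION_KEY_LEN = 16        # sessk length from the page
RECIPIENT_DELIM = "#"       # address delimiter from the page
BATCH_SIZE = 19             # addresses per mailer request, from the page


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the degenerate case used by the mailer."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_mailer_field(value: str) -> str:
    """base64-decode a POST field, then undo the XOR-with-1's layer."""
    raw = base64.b64decode(value)
    return xor_bytes(raw, bytes([MAILER_XOR_BYTE])).decode("utf-8", "replace")


def encode_mailer_field(text: str) -> str:
    """Inverse of decode_mailer_field; only used here to build sample traffic."""
    masked = xor_bytes(text.encode("utf-8"), bytes([MAILER_XOR_BYTE]))
    return base64.b64encode(masked).decode("ascii")


def parse_recipient_list(decoded: str) -> List[str]:
    """Split the decoded 'l' field on '#' and drop empty entries."""
    return [addr for addr in decoded.split(RECIPIENT_DELIM) if addr]


def normalise_post(form: Dict[str, str]) -> Dict[str, str]:
    """Map both observed spellings (l/layer, d/dimm, en/err) to their first letter,
    since the page notes only the first letter of each key is used."""
    return {key[0]: value for key, value in form.items()}


def extract_recipients(form: Dict[str, str]) -> List[str]:
    """Recipients carried by one captured mailer POST."""
    fields = normalise_post(form)
    return parse_recipient_list(decode_mailer_field(fields["l"]))


def pad_session_key(key: str) -> bytes:
    """Right-pad sessk with '0' to 16 bytes (padding side is an assumption)."""
    raw = key.encode("ascii")
    if len(raw) > SESSION_KEY_LEN:
        raise ValueError("sessk longer than 16 bytes")
    return raw.ljust(SESSION_KEY_LEN, b"0")


def decode_list_response(body: bytes, key: str) -> str:
    """Undo the repeating-key XOR on a logo.gif response."""
    return xor_bytes(body, pad_session_key(key)).decode("utf-8", "replace")


# Constructed sample: one mailer POST carrying 19 documentation-domain addresses.
SAMPLE_RECIPIENTS = [f"user{i:02d}@example.com" for i in range(1, BATCH_SIZE + 1)]


def build_sample_post() -> Dict[str, str]:
    """A constructed POST body in the longer key spelling observed in 2015."""
    return {
        "layer": encode_mailer_field(RECIPIENT_DELIM.join(SAMPLE_RECIPIENTS)),
        "dimm": encode_mailer_field("constructed message body"),
        "err": "1",
    }


if __name__ == "__main__":
    recipients = extract_recipients(build_sample_post())
    print(len(recipients), "recipients, first:", recipients[0])
    masked = xor_bytes(b"a@example.com#b@example.com", pad_session_key("k3y"))
    print(decode_list_response(masked, "k3y"))
```

Because the XOR layers are symmetric, the same xor_bytes() call both masks and unmasks, which is why the sample builder and the decoder share it; if a captured sample does not decode to readable addresses, the 0x01 and right-padding assumptions above are the first things to revisit.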

aa2.php provides the spam messages. gj13c.php provides a URL to a PHP mailer script.

See Also