High Performance Network Security, Enterprise and Data-Center Firewall

A Guide to SpyEye C&C Messages

by Doug Macdonald  |  February 15, 2011  |  Category: Security Research

In the past month changes in the SpyEye botnet kit have more or less stopped, after a very busy year in which many new versions were released. I was recently looking at all of the information I have from testing and analysis of these versions, when it occurred to me that this lull in activity would be a good time to put some organized results together. Then when SpyEye returns, in some mutant, Zbot-like form, we will have something like a guide to its workings, which should be useful.

A good place to start this process is with the SpyEye botnet messages. Network messages can be a quick way to recognize a botnet, even when no sample is available yet. They can also provide a dynamic view of the botnet in action, revealing its structure, growth and activities.

When a SpyEye bot running on an infected computer starts up, it immediately sends a message to check in with its Command & Control server. This first message contains some basic information about the bot infector and the computer it is running on. Here is an example, with the parameters highlighted.


Let's take a closer look at each of the parameters sent to the C&C server in this message.

guid=uname!cname!1A2B3C4D The guid is a unique identifier for the bot. It is made up of the current user name, the computer name and a numeric identifier.

ver=10260 This is the version of the bot infector that is currently running on the infected computer. The SpyEye version numbers in my message collection range from 10060 (1.0.60) to 10299 (1.2.99). In this range 43 version numbers have been seen in use, all in less than a year. The most commonly seen version numbers, and probably the most popular builds, are 10070, 10280 and 10299. There have been some recent attempts to sell 103xx and 104xx versions, but most of these are obvious fakes. An emerging 10305 version appears to be genuine.

stat=ONLINE The functional status of the bot. In most messages the bots send stat=ONLINE. If a bot is not online no message can be sent, so there is no need for an offline status message. If the loader has just been used to put a file on the bot, the status will be either LOAD-COMPLETE or LOAD-ERROR, depending on the result.

ie=6.0.2900.2180 The version of Internet Explorer on the infected computer.

os=5.1.2600 The version of Microsoft Windows operating system on the infected computer.

ut=Admin This is the user type of the current user on the infected computer. The possible values are User and Admin.

cpu=100 The cpu load on the infected computer, as a percentage.

ccrc=90A01B2D This is a CRC32 taken from the last four bytes of the bot config file currently on the infected computer. The ccrc is used to determine if a config update is needed.

md5=0516cb89185fee8bee81a15d2859c870 This is the md5 of the bot infector that currently is on the computer. The C&C server software compares this to the latest md5 in its update table to decide if an update is needed. This parameter was introduced somewhere between versions 10070 and 10082.

After sending the initial message, the bot continues to regularly send check in messages every five minutes. These messages are the same as the first one, except that the ie, os and ut parameters are not included.


If there are plugins included in the infection, the check in messages will have the plg parameter, along with the names of the plugins. Here is a list of some popular plugins.

billinghammer     Charges credit cards using stolen card data.
bugreport         Returns SpyEye debugging information.
ccgrabber         Collects credit card information from the bots.
ffcertgrabber     Collects certificate information from the bots.
ftpbc             Allows reverse ftp connections to the bot.
socks5            Allows reverse connections through a proxy server.

It is not possible to give an exact or complete plugin list because the names can be changed, and it looks like there are some fakes circulating. In the next sample message the bot reports that it has two plugins, bugreport and billinghammer.


The C&C server responds to this message with status control information, which is used to set the state of the plugins. In this example, both plugins are being kept in the inactive state by setting the control codes to zero.

HTTP/1.1 200 OK (text/html) PLUGIN

As an example, if the bugreport plugin is to be activated, the botnet operator uses the C&C Control Panel to change the setting. The image below shows how this is done.

The next time the bot checks in, the status code for bugreport in the response message will have been changed from zero to one. This tells the bot to activate the plugin, causing it to begin doing whatever it does. The new status code continues to be sent in response to each subsequent check in, until the bot goes offline or the plugin is deactivated from the Control Panel.

HTTP/1.1 200 OK (text/html) PLUGIN

Soon the time will come to update the bot executable, either because Anti-Virus scanners detect the old build, or because a new version has become available. To do an update, the botnet operator goes to the Control Panel and uses the Update Bot subpanel to upload the new file. The md5 of the sample is put into the update_bot table, and each time a check in message arrives from a bot, this md5 is compared to the one in the message. If they differ, an UPDATE command is included in the C&C response message. An example of the check in message and response can be seen below, with the old md5 highlighted.


HTTP/1.1 200 OK (text/html) UPDATE

When this command is received, the bot downloads the new build from the location given and installs it. The next check in message to be sent shows the change in the md5 (highlighted below). If the new md5 matches the one in the update_bot table, the update was successful.


The configuration file (config.bin) can also be updated, in a similar manner. This would be done when a server address changes, or to update or add plugins, which are delivered in the config file. The bot message format includes a parameter called ccrc, which is a crc32 taken from the last four bytes of the config.bin file, in reverse order. The file is compressed and these bytes are part of the compression information. If this value differs from the ccrc of the config.bin stored on the C&C server, an UPDATE_CONFIG command is issued, causing a new config.bin to be downloaded and installed. The check in and response messages can be seen below, followed by the next check in message, where the change in the ccrc can be seen.
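As an added example (not code from this post, from FortiGuard, or from the SpyEye kit), the following Python reproduces the two comparisons described above, so an analyst holding a captured config.bin and bot build can check what a bot's reported ccrc and md5 imply. It assumes that "the last four bytes in reverse order" means the trailing four bytes of the file read as a little-endian 32-bit value and printed as eight hex digits; the config and bot byte strings are constructed stand-ins, with the config trailer chosen so that it yields the ccrc value quoted in the post.

```python
import hashlib


def config_ccrc(config_bin: bytes) -> str:
    """Derive the ccrc a bot would report for this config.bin.

    Interpretation (assumed, not confirmed by the post): the trailing four
    bytes of the compressed file, read little-endian, formatted as %08X.
    """
    if len(config_bin) < 4:
        raise ValueError("config.bin shorter than four bytes")
    return "%08X" % int.from_bytes(config_bin[-4:], "little")


def bot_md5(bot_exe: bytes) -> str:
    """md5 of a bot build, as stored in the C&C update_bot table."""
    return hashlib.md5(bot_exe).hexdigest()


def pending_commands(reported: dict, server_config: bytes, server_bot: bytes) -> list:
    """Mirror the C&C decision: which update commands would follow this check-in.

    reported holds the 'ccrc' and 'md5' parameters from a bot check-in message.
    Bots before ~10082 sent no md5, so a missing key simply skips that check.
    """
    commands = []
    md5 = reported.get("md5")
    if md5 is not None and md5.lower() != bot_md5(server_bot):
        commands.append("UPDATE")          # bot build differs from update_bot entry
    ccrc = reported.get("ccrc")
    if ccrc is not None and ccrc.upper() != config_ccrc(server_config):
        commands.append("UPDATE_CONFIG")   # config.bin on bot is stale
    return commands


# Constructed stand-ins: an arbitrary compressed-looking payload followed by a
# trailer whose last four bytes, reversed, spell the ccrc quoted in the post.
SERVER_CONFIG = b"<constructed compressed config payload>" + bytes.fromhex("2D1BA090")
SERVER_BOT = b"<constructed bot build, hypothetical version 10280>"

if __name__ == "__main__":
    print("server config ccrc:", config_ccrc(SERVER_CONFIG))
    print("server bot md5:   ", bot_md5(SERVER_BOT))
    stale = {"ccrc": "00000000", "md5": "0516cb89185fee8bee81a15d2859c870"}
    print("commands for a stale bot:", pending_commands(stale, SERVER_CONFIG, SERVER_BOT))
```

A bot whose ccrc and md5 both match the server copies receives no update command; one that differs on either value receives UPDATE, UPDATE_CONFIG, or both, in that order.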


HTTP/1.1 200 OK (text/html) UPDATE_CONFIG


The botnet Control Panel software also provides the ability to load and execute programs on the bot infected machine. Once a loader task has been set up, a LOAD command is sent as part of the response to the next bot check in.

HTTP/1.1 200 OK (text/html) LOAD

Unlike the update functions, the loader has no crc or md5 to check the success of a download, so it relies on an error reporting system. The number 121, at the end of the LOAD command above, is a task ID used to report success or failure. It is included as tid=121 in the next bot check in message, where it serves to identify the task being reported on.


Here the load was successful. This is confirmed by the status being set to stat=LOAD-COMPLETE, and by the text report, rep=TASK IS OK. If the LOAD command fails, the status is reported as stat=LOAD-ERROR, with a more detailed error message in the text report. Of course this system does not protect against file corruption.


There are several other error messages that can be sent by the bot. The list of error message format strings from the bot can be seen below.

[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0x%08X; dwCrc32 == 0x%08X : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty data? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d

For quick reference, here is a brief summary of the parameters that may appear in check in messages sent from the bot to the C&C. They are listed in their order of appearance, which is always the same.

guid   Unique ID of a bot infected computer.
ver    Bot infector version number.
stat   Current bot status.
tid    Program loader task ID number.
rep    Program loader result, text report.
ie     Internet Explorer version.
os     Microsoft Windows version.
ut     User type of the current user.
plg    List of plugins currently installed.
cpu    Percent cpu load.
ccrc   Config crc32, to check if update needed.
md5    Md5 of bot exe, to check if update needed.
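As an added illustration (not code from this post or from FortiGuard), here is a Python triage helper that parses check-in messages using the parameter meanings and fixed ordering documented above, decodes the numeric ver field into the dotted form used in the text, and flags messages that deviate from the documented shape. It assumes the parameters travel as a plain '&'-separated query string with percent-encoded values, and that plugin names in plg are ';'-separated (the post does not show the separator); the sample messages are constructed from the parameter values quoted in the post.

```python
from urllib.parse import unquote

# Parameter order documented in the post: a bot always emits the
# parameters it includes in this sequence.
PARAM_ORDER = ["guid", "ver", "stat", "tid", "rep", "ie", "os",
               "ut", "plg", "cpu", "ccrc", "md5"]
KNOWN_STATUS = {"ONLINE", "LOAD-COMPLETE", "LOAD-ERROR"}


def parse_checkin(query: str) -> dict:
    """Split 'name=value&name=value' into a dict that keeps arrival order.

    Transport framing is not shown in the post, so a plain '&'-separated
    query string is assumed; values are percent-decoded.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[name] = unquote(value)
    return params


def decode_version(ver: str) -> str:
    """Map the numeric ver field to dotted form: 10060 -> 1.0.60, 10299 -> 1.2.99."""
    n = int(ver)
    return "%d.%d.%d" % (n // 10000, (n // 100) % 100, n % 100)


def in_documented_order(params: dict) -> bool:
    """True if the known parameters appear in the order the post lists."""
    seen = [p for p in params if p in PARAM_ORDER]
    return seen == [p for p in PARAM_ORDER if p in params]


def classify_checkin(query: str) -> dict:
    """Triage one check-in: message kind, bot identity, version, plugins, oddities."""
    p = parse_checkin(query)
    notes = []
    if not in_documented_order(p):
        notes.append("parameters out of documented order")
    unknown = sorted(k for k in p if k not in PARAM_ORDER)
    if unknown:
        notes.append("undocumented parameters: " + ",".join(unknown))
    if p.get("stat") not in KNOWN_STATUS:
        notes.append("unexpected stat value: %r" % p.get("stat"))

    # guid is user!computer!numeric-id according to the post.
    guid_parts = p.get("guid", "").split("!")
    if len(guid_parts) == 3:
        user, host = guid_parts[0], guid_parts[1]
    else:
        user, host = None, None
        notes.append("guid not in user!computer!id form")

    if "tid" in p:
        kind = "loader-report"                      # result of a LOAD task
    elif all(k in p for k in ("ie", "os", "ut")):
        kind = "initial"                            # first message after start-up
    else:
        kind = "periodic"                           # five-minute check-in

    # Plugin separator is not shown in the post; ';' is an assumption here.
    plugins = p["plg"].split(";") if p.get("plg") else []
    version = decode_version(p["ver"]) if p.get("ver", "").isdigit() else None

    return {"kind": kind, "user": user, "host": host, "version": version,
            "status": p.get("stat"), "task_id": p.get("tid"),
            "report": p.get("rep"), "plugins": plugins, "notes": notes}


# Constructed sample check-ins, assembled from the parameter values quoted in the post.
SAMPLES = [
    "guid=uname!cname!1A2B3C4D&ver=10260&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600"
    "&ut=Admin&cpu=100&ccrc=90A01B2D&md5=0516cb89185fee8bee81a15d2859c870",
    "guid=uname!cname!1A2B3C4D&ver=10260&stat=ONLINE&plg=bugreport;billinghammer"
    "&cpu=100&ccrc=90A01B2D&md5=0516cb89185fee8bee81a15d2859c870",
    "guid=uname!cname!1A2B3C4D&ver=10260&stat=LOAD-COMPLETE&tid=121&rep=TASK%20IS%20OK"
    "&cpu=100&ccrc=90A01B2D&md5=0516cb89185fee8bee81a15d2859c870",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_checkin(sample))
```

Run against a proxy or IDS log, the "notes" list is the interesting output: a message that carries the documented names but breaks the fixed ordering, or uses an unknown stat value, is worth a second look, since genuine builds of the kit are consistent on both points.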

This is not really the end of the story: some of the plugins also generate messages as they do their work. But at least we have enough information here to recognize and interpret the most important messages, the ones passed between the bot and the C&C server.
