Tofsee – modularny spambot

	def greetingXor(data):
	dec=""
	res=198
	for c in data:
	dec+=chr((res^(32*ord(c)\|(ord(c)>>3)))&0xFF)
	res=ord(c)^0xc6
	return dec, res

view raw greetingXor.py hosted with ❤ by GitHub

	struct greeting{
	uint8_t key[128];
	uint8_t unk1[16];
	uint32_t bot_IP;
	uint32_t srv_time;
	uint8_t unk2[48];
	};

view raw greeting.c hosted with ❤ by GitHub

	def xorStream(data, key, main_key, it):
	res=""
	for c in data:
	key[it%7]+=main_key[it%128]
	key[it%7]&=0xFF
	res+=chr(ord(c)^(key[it%7]))
	it+=1
	return res

view raw xorStream.py hosted with ❤ by GitHub

	struct header{
	uint32_t size;
	uint32_t size_decompressed;
	uint32_t CRC32;
	uint8_t flags; // flags&2!=0 -> compressed
	uint32_t op;
	uint32_t subop1;
	uint32_t subop2;
	};

view raw header.c hosted with ❤ by GitHub

	struct botdata{
	uint32_t flags_upd;
	uint64_t botID;
	uint32_t unk1;
	uint32_t net_type;
	uint32_t net_flags;
	uint32_t vm_flags;
	uint32_t unk2;
	uint32_t unk3;
	uint32_t lid_file_upd;
	uint32_t ticks;
	uint32_t tick_delta;
	uint32_t born_date;
	uint32_t IP;
	uint32_t unk4;
	uint32_t unk5;
	uint8_t unk6;
	uint8_t OS;
	uint8_t unk[46];
	};

view raw botdata.c hosted with ❤ by GitHub

	struct resource{
	uint32_t type; // Small integer.
	char name[16];
	uint32_t unk;
	uint32_t length;
	uint8_t contents[]; // Size=length.
	};

view raw resource.c hosted with ❤ by GitHub

Nazwa zasobu – numer	Nazwa biblioteki	Hash MD5 DLL-ki
1	ddosR.dll	fbc7eebe4a56114e55989e50d8d19b5b
2	antibot.dll	a3ba755086b75e1b654532d1d097c549
3	snrpR.dll	385b09563350897f8c941b47fb199dcb
4	proxyR.dll	4a174e770958be3eb5cc2c4a164038af
5	webmR.dll	78ee41b097d402849474291214391d34
6	protect.dll	624c5469ba44c7eda33a293638260544
7	locsR.dll	2d28c116ca0783046732edf4d4079c77
10	hostR.dll	c90224a3f8b0ab83fafbac6708b9f834
11	text.dll	48ace17c96ae8b30509efcb83a1218b4
12	smtp.dll	761e654fb2f47a39b69340c1de181ce0
13	blist.dll	e77c0f921ef3ff1c4ef83ea6383b51b9
14	miner.dll	47405b40ef8603f24b0e4e2b59b74a8c
15	img.dll	e0b0448dc095738ab8eaa89539b66e47
16	spread1.dll	227ec327fe7544f04ce07023ebe816d5
17	spread2.dll	90a7f97c02d5f15801f7449cdf35cd2d
18	sys.dll	70dbbaba56a58775658d74cdddc56d05
19	webb.dll	8a3d2ae32b894624b090ff7a36da2db4
20	p2pR.dll	e0061dce024cca457457d217c9905358

	From: "%NAME" <%FROM_EMAIL>
	To: %TO_EMAIL
	Subject: %SUBJ
	Date: %DATE
	MIME-Version: 1.0
	Content-Type: multipart/mixed;
	boundary="%BOUNDARY1"

	--%BOUNDARY1
	Content-Type: multipart/alternative;
	boundary="%BOUNDARY2"

	--%BOUNDARY2
	Content-Type: text/plain;
	charset="%CHARSET"
	Content-Transfer-Encoding: quoted-printable

	{qp1-}%GI_SLAWIK{/qp}

	--%BOUNDARY2
	Content-Type: text/html;
	charset="%CHARSET"
	Content-Transfer-Encoding: quoted-printable

	{qp0+}%GI_SLAWIK{/qp}

	--%BOUNDARY2--
	--%BOUNDARY1
	Content-Type: application/zip;
	name="%ATTNAME1.zip"
	Content-Transfer-Encoding: base64
	Content-Disposition: attachment;
	filename="%ATTNAME1.zip"

	%JS_EXPLOIT

	--%BOUNDARY1--
	- GmMxSend
	v SRV alt__M(%RND_NUM[1-4])__.gmail-smtp-in.l.google.com
	U L_SKIP_5 5 __M(%RND_NUM[1-5])__
	v SRV gmail-smtp-in.l.google.com
	L L_SKIP_5
	C __v(SRV)__:25
	R
	S mx_smtp_01.txt
	o ^2
	m %FROM_DOMAIN __A(4\|__M(%HOSTS)__)__
	W """EHLO __A(3\|__M(%{mail}{smtp}%RND_NUM[1-4].%FROM_DOMAIN)__)__\r\n"""
	R
	S mx_smtp_02.txt
	o ^2 ^3
	L L_NEXT_BODY
	v MI 0
	- m %FROM_EMAIL __M(%FROM_USER)__@__M(%FROM_DOMAIN)__
	W """MAIL From:<__M(%FROM_EMAIL)__>\r\n"""
	R
	S mx_smtp_03.txt
	I L_QUIT ^421
	o ^2 ^3
	L L_NEXT_EMAIL
	U L_NO_MORE_EMAILS @ __S(TO\|__v(MI)__)__
	W """RCPT To:<__l(__S(TO\|__v(MI)__)__)__>\r\n"""
	R
	S mx_smtp_04.txt
	I L_OTLUP ^550
	I L_TOO_MANY_RECIP ^452
	o ^2 ^3
	v MI __A(1\|__v(MI)__,+,1)__
	u L_NEXT_EMAIL 1 __A(1\|__v(MI)__,<,1)__ L L_NO_MORE_EMAILS u L_NOEMAILS 0 __A(1\|__v(MI)__,>,0)__
	W """DATA\r\n"""
	R
	S mx_smtp_05.txt
	o ^2 ^3
	m %SS1970H __P(__t(126230445)__\|16)__
	m %TO_EMAIL """<__l(__S(TO\|0)__)__>"""
	m %TO_NAME __S(TONAME\|0)__
	W """__S(BODY)__\r\n.\r\n"""
	R
	S mx_smtp_06.txt
	I L_SPAM ^550
	o ^2 ^3
	+ m
	H TO -1 OK
	J L_NEXT_BODY
	L L_OTLUP
	+ h
	h """Delivery to the following recipients failed. __l(__S(TO\|__v(MI)__)__)__"""
	H TO __v(MI)__ HARD
	J L_NEXT_EMAIL
	L L_TOO_MANY_RECIP
	H TO __v(MI)__ FREE
	J L_NO_MORE_EMAILS
	L L_QUIT
	W """QUIT\r\n"""
	R
	S mx_smtp_07.txt
	o ^2 ^3
	L L_NOEMAILS
	E 1
	L L_SPAM
	+ A
	H TO -1 FREE
	o ^2 ^3

view raw script hosted with ❤ by GitHub

	%NAME posted something on your wall
	Newsletter from %NAME
	%NAME changed her status
	User %NAME is available to chat
	%NAME answered your message
	New message from %NAME
	%NAME requested to be your friends
	User %NAME sent you a message
	%NAME likes your status
	Do you know %NAME?
	%NAME sent you invitation
	New friendship request from %NAME
	%NAME is your friend now

view raw %DATE_RAN_SUB hosted with ❤ by GitHub

	rule tofsee
	{
	meta:
	author="akrasuski1"
	strings:

	$decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
	$xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
	$xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

	$string_res1 = "loader_id"
	$string_res2 = "born_date"
	$string_res3 = "work_srv"
	$string_res4 = "flags_upd"
	$string_res5 = "lid_file_upd"
	$string_res6 = "localcfg"

	$string_var0 = "%RND_NUM"
	$string_var1 = "%SYS_JR"
	$string_var2 = "%SYS_N"
	$string_var3 = "%SYS_RN"
	$string_var4 = "%RND_SPACE"
	$string_var5 = "%RND_DIGIT"
	$string_var6 = "%RND_HEX"
	$string_var7 = "%RND_hex"
	$string_var8 = "%RND_char"
	$string_var9 = "%RND_CHAR"

	condition:
	(7 of ($string_var) and 4 of ($string_res))
	or
	(7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
	or
	(4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
	}

view raw tofsee.yar hosted with ❤ by GitHub

Analiza techniczna

Protokół komunikacji

Zasoby

Typ 5

Typ 11

Typ 7

Typ 8