Tofsee botnet

The spam botnet Tofsee, a.k.a. ‘GHEG’, has been active for many years. I first encountered it in May 2013, since when I have been monitoring its activities. Based on my analysis, the Tofsee botnet can be divided into three components: loader, core module and plug-ins. In this article I will describe how the components communicate with the C&C server, and how they work with one another.

The loader is a relatively simple and independent component compared with the other two. Usually, the file comes from a social network and disguises itself as an interesting picture. After successfully luring victims into executing it, the loader will communicate with a list of C&C servers that are hard-coded within its code, then download and run the core module. At the same time, it downloads a picture file and displays it to the victim.

Figure 1 shows the initial communication between the victim machine and the C&C server.

Figure 1. Initial communication between victim and C&C server.

The loader’s request contains parameters that provide the Windows version and system bit type to the C&C server. The reply from the C&C server is encrypted. After decryption, the information is revealed in the following format: KEYS(l,u,p), Path, URL, Content-Length. An example is shown in Figure 2, with the corresponding values:

11, name03, 3sRd6Nf8H, tsone/ajuno.php, hxxp://wickedreport.com/images/2009/05/naughty-elephant.jpg, 25

The ‘KEYS(l,u,p)’and ‘Path’ value will be used to connect to the same C&C server again and to download the core module binary. The ‘URL’ value is the link to download the picture file.

Figure 2. Victim downloads the core module.

The core module is the main control component. It hides itself in the victim system, keeps talking to the C&C server, fetches new configuration data and loads plug-ins.

Although the core module connects to the C&C server through ports 443, 995 or 465, the connections are not standard SSL. The streams between them are encrypted by a customized encryption routine. After setting up the TCP connection, the C&C server will send a 200-byte package to the core module. The decrypted data includes an initialized 128-byte key table, the victim’s public IP address, server status flags, etc. (see Figure 3).

Figure 3. 200-byte package sent to the core module that includes the key table.

The core module inspects the package received from the C&C server. If all goes well, the core module will generate a package which includes local information (such as: local time, unique ID, system version, etc.) and send it back to the C&C server. The core module will use the key table and a hard-coded key string, ‘abcdefg’, for encryption to generate the package. From this point on, communication between the victim and the C&C server will use the key table and the hard-coded key string for encryption and decryption.

Next, the server may return a new C&C server list (Figure 4) or request local configuration information from the victim and provide some new configuration files to the core module.

Figure 4. New C&C server list.

In Tofsee, at the beginning of each configuration, there are a couple of bytes that indicate the length and CRC value of the configuration data. Following these bytes, the configuration can be divided into three parts: configuration type, configuration name and configuration data. For example, we can see in Figure 4 that the configuration type is 1, the name is ‘work_srv’, and the rest is the corresponding data. Each specific type of configuration contains different configuration data. For example, configuration type 1 contains a list of C&C servers; configuration type 5 is for plug-ins; configuration type 7 contains string variables for spam.

Figure 5 shows some of the configurations collected from Tofsee C&C servers.

Figure 5. List of Tofsee configurations.

The name gives us a general idea of what each configuration is for. Types 7 and 8 in particular have a large number of configurations. These contain string variables which will be used by the email template to generate random spam emails.

Figure 6 shows part of the template from the configuration ‘3-psmtp_task’.

Figure 6. Part of the configuration template.

In the template, we found many variables such as %RNDRCOLOR, %RND_DEXL, %EVA_URL, etc. So, for example, Figure 7 shows the content of configuration ‘7-%EVA_URL’.

Figure 7. A list of URLs in a configuration for spam email.

In the lower half of configuration ‘3-psmtp_task’ there is a small script for sending spam using the ‘direct-to-MX’ method. Figure 8 shows part of the script.

Figure 8. The lower half of ‘3-psmtp_task’.

Once Tofsee’s core module has been deployed in the victim system, the C&C server will send it lots of new configurations every day. Figure 9 shows information based on my tracking data. (Note that the statistics were generated on 10 January 2014.)

Figure 9. Updating frequency of Tofsee configurations.

Some of the configurations were updated quite frequently, especially those with ‘URL’ as part of their names. It is interesting to see that the configuration ‘3-psmtp_task’ has not been updated for a while, even though it is still top of the list, as shown in Figure 9. It appears that configuration types 11 and 8 were introduced recently.

The type 11 configuration has a similar data structure to ‘3-psmtp_task’. It uses type 8 to generate spam. These have been introduced to replace the ‘3-psmtp_task’ configuration, as we can tell from the update times shown in Figure 10.

Figure 10. Type 11 configuration.

One more thing about the configuration is that, based on my data, the Tofsee C&C servers have not been changed frequently. Configurations ‘1-start_srv’ and ‘1-work_srv’ contain a list of C&C servers, as shown in Figure 11. (Please refer to Figure 4 for the content of these configurations.) These C&C servers are mainly hosted in Malaysia, Hong Kong and Eastern European countries.

Figure 11. Configurations that contain a list of C&C servers.

The plug-ins are of configuration type 5. From the data in Figure 12, we can tell that the plug-ins are not updated frequently. The most recently updated one, ‘5-12’, is related to spamming.

Figure 12. List of plug-ins.

The following is a list of plug-ins and their names:

All of the plug-ins received from the C&C server are loaded into the core module’s memory and run under the core module. All of the plug-ins are DLL files and have the same exported function, ‘plg_init’, which will be called by the core module to initialize them.

Figure 13 shows the part of the core module code that loads the plug-ins.

Figure 13. Snippet of core module code for loading the plug-ins.

The function ‘plg_init’ only takes one parameter, ‘Function_Structure’, which is a big array of function memory locations. ‘Function_Structure’ is first initialized by the core module, and later the plug-ins will update it by adding or removing items. Since the core module and the plug-ins all run under the same process, they can share different functions with one another. Figure 14 shows how the plug-in ‘5-4’ accesses functions.

Figure 14. Snippet of plug-in code to access functions using ‘Function_Structure’.

Tofsee’s overriding behaviour is spamming, of course. However, its use of plug-ins allows for additional functionality. So far, based on my analysis, the binaries that have been downloaded from the C&C server have functionalities such as DDoSing, sniffing, rootkit protection and litecoin mining.

We will continue to keep an eye on this botnet to see what new features appear and how it evolves.