Akamai Diversity

The Akamai Blog

The Torte Botnet: A SpamBot Investigation

By Bill Brenner, Akamai SIRT Senior Tech Writer   

Akamai released a new whitepaper today about a spambot investigation conducted by Chad Seaman, a Senior Security Response Engineer from Akamai's Security Intelligence Research Team (SIRT).

Attackers are using a multi-layered, decentralized and widely distributed botnet to launch coordinated brute-force spamming campaigns. Chad named it the "Torte" botnet because its structure resembles a multi-layered cake.

The botnet is fairly large and uses both elf binary and php based infections. The portions that could be mapped account for over 83,000 unique infections across 2 of the 4 infection layers. While binary infections only target Linux, other php-based infections were found running on all major server operating systems -- Windows, Linux, os x, Unix, SunOS, and variants of bsd.

The paper examines Akamai's SIRT investigation, findings and recommended defensive measures.

The investigation began when we received a short, obfuscated php script for analysis. De-obfuscation and analysis of this initial payload is ultimately what lead to the information leaks that would aid in the discovery of the botnet.

The initial payload used an obfuscation technique that was trivial to reverse. The core process involved building a string of every character used by the script and then building the script using the key string indexes.

A tested and proven tactic for attackers
The botnet described in this paper is not unique, nor is it the last we'll see of its kind. The structures and methods employed have been seen in the past and will surely continue to be seen well into the future.

Attackers will always target low-hanging fruit like cms and web-based software, and botnets like this will continue to grow in popularity. Decentralized/transient and layered operations like Torte offer several advantages for the operators, primarily making it much harder to identify the malicious actors, clean up infections, and ultimately dismantle or sinkhole botnets.

Looking ahead
Torte is another instance of a growing trend that targets the Linux os via binary infection. These Linux-targeted infections will continue to grow in popularity due to an estimated 1⁄3 of the public servers on the Internet running some variant of the os. Attackers will continue targeting servers for a multitude of reasons including attack surface availability, always-on and high-bandwidth connectivity, and ease of lateral movement across networks and properties.

As security and organizational processes improve to mitigate and combat attackers, they'll continue to evolve their tactics. We'll undoubtedly see more elaborate, distributed, and decentralized techniques, like the ones used in Torte, in future botnets due to necessity as well as survival.

The full advisory is available at www.stateoftheinternet.com/torte-spambot