A new bot seems to be making the rounds, but this time it is nice that this bot is easily identifiable.
We’ve observed the bot perform three different behaviors so far:
1) Attempting to log in to user accounts with a dictionary, e.g.:
2) Sending a HELO command and then closing the connection.
3) Attempting to log in to user accounts with a random string of characters, e.g.:
What makes this bot easily identifiable, at least for the time being, is the HELO command used:
HELO command received, args: *.*
This HELO is consistent across the three behaviors described above. Behaviors 1 and 3 are of course accompanied by an AUTH LOGIN attempt, trying to ‘hack’ into your user accounts. Be on alert!
Technically, many new characters are now allowed in hostname naming conventions to support foreign languages, but ‘*.*’ is not one of them. Check your logs for this type of behavior; we’re 99.9% certain that any host sending it is compromised and part of this botnet. Although some machines ‘might’ technically be able to set their ‘hostname’ (which is what is typically used in the HELO/EHLO) to almost anything, it isn’t something you would expect to ever happen.
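The log check described above, as an added example that is not part of the original post: it scans mail server log lines for HELO/EHLO arguments that cannot be a valid hostname (such as the ‘*.*’ seen here), then reports, per source IP, how many AUTH LOGIN attempts followed and which usernames were tried. The sample log lines are constructed; the `[ip]` prefix and the exact wording of the AUTH LOGIN and disconnect lines are assumptions about the log format, not taken from any particular mail server.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the post's excerpt
# ("HELO command received, args: *.*"). The "[ip]" prefix and the
# AUTH LOGIN / connection-closed wording are assumptions about the format.
SAMPLE_LOG = """\
2013-06-01 10:00:01 [203.0.113.5] HELO command received, args: *.*
2013-06-01 10:00:02 [203.0.113.5] AUTH LOGIN attempt for user: john
2013-06-01 10:00:03 [203.0.113.5] AUTH LOGIN attempt for user: mary
2013-06-01 10:00:04 [203.0.113.5] Connection closed
2013-06-01 10:01:10 [198.51.100.7] HELO command received, args: *.*
2013-06-01 10:01:11 [198.51.100.7] Connection closed
2013-06-01 10:02:30 [192.0.2.9] EHLO command received, args: mail.example.net
2013-06-01 10:02:31 [192.0.2.9] AUTH LOGIN attempt for user: alice
2013-06-01 10:03:00 [198.51.100.7] HELO command received, args: *.*
2013-06-01 10:03:01 [198.51.100.7] AUTH LOGIN attempt for user: x9q2kd7
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<ip>[^\]]+)\] (?P<msg>.*)$')
HELO_RE = re.compile(r'^(?:HELO|EHLO) command received, args: (?P<arg>.*)$')
AUTH_RE = re.compile(r'^AUTH LOGIN attempt for user: (?P<user>\S+)$')

# Syntactically valid hostname: labels of letters, digits and hyphens, joined
# by dots. Internationalised names arrive as ASCII "xn--" labels, so they pass.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    r'(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$', re.I)


def is_bogus_helo(arg):
    """True when the HELO/EHLO argument cannot be a hostname.

    An address literal such as [192.0.2.1] is permitted by RFC 5321 and is
    therefore not flagged; anything else must match HOSTNAME_RE.
    """
    if arg.startswith('[') and arg.endswith(']'):
        return False
    return not HOSTNAME_RE.match(arg)


def analyze(log_text):
    """Report source IPs that sent a bogus HELO, with the AUTH LOGIN
    attempts and usernames seen from the same IP afterwards."""
    report = defaultdict(lambda: {'bogus_helos': [], 'auth_attempts': 0, 'users': []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or differently formatted line
        ip, msg = m.group('ip'), m.group('msg')
        h = HELO_RE.match(msg)
        if h:
            if is_bogus_helo(h.group('arg')):
                report[ip]['bogus_helos'].append(h.group('arg'))
            continue
        a = AUTH_RE.match(msg)
        # Only count logins from IPs that have already sent a bogus HELO;
        # 'ip in report' does not create an entry in the defaultdict.
        if a and ip in report:
            report[ip]['auth_attempts'] += 1
            report[ip]['users'].append(a.group('user'))
    return dict(report)


if __name__ == '__main__':
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['bogus_helos'])} bogus HELO(s), "
              f"{info['auth_attempts']} AUTH LOGIN attempt(s), users tried: {info['users']}")
```

Running it against the constructed sample reports the two ‘*.*’ senders and leaves the host that announced a real name untouched; the list of usernames tried per IP is what separates the dictionary behavior (behavior 1) from the random-string behavior (behavior 3) when you read the output.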
Why random names? Botnets are often used to perform dictionary attacks (i.e. ‘just guess’), and if they are lucky they find a new email account to spam with. Usually this type of attack works through an online database of common names. It is a reminder of why it is not recommended to reuse the same password across different online services. Also, always configure your email clients to use TLS/SSL encryption when sending login information.
Since this botnet appears to be spread out globally, this is another case where allowing your users to control how/when authentication attempts to their accounts are made would be useful.
While this bot is not as large as the ‘CutWail’ or ‘FastTalker’ bots mentioned in previous blog posts, which tend to use other easy-to-identify patterns or obfuscated EHLOs, it shows how simple log analysis can reveal emerging threats and trends.