Threat Research

From Spammer To Clicker

By He Xu | May 06, 2014

Lethic is a proxy bot with an extremely long history that started in January 2010. It is most known for spreading spam emails to earn as much money from the underground market as possible.

In March 2014, our botnet monitoring system found that Lethic has now transformed into a clicker bot.

Lethic's Spamming Method

As a proxy bot, Lethic only transfers data between its command-and-control (C&C) server and its target. When spreading spam emails, the bot receives the business SMTP email server's IP address and port from the C&C server (see Figure 1). After connecting to the SMTP server, the SMTP server automatically replies with either a welcome, a warning, or an error message.

An example of the received plain text message from the SMTP server is as follows:

Lethic Clicker Table1

The captured traffic looks like the following:

Lethic Clicker 1

Figure 1. Traffic received by the bot.

The bot forwards the data that is received from the SMTP server back to the C&C server. The C&C server then sends the next SMTP commands to the bot. These are the basic steps for spamming.

Below is an instance of the SMTP commands that we have observed.

Lethic Clicker Table2

As we can see, the domain used after the SMTP command HELO begins with the string mx7, which is an attempt by the Lethic C&C server and bot to disguise themselves as another email server. The rest of the domain is randomly generated.

At the time when we observed this particular spamming attempt, the SMTP server replied that the request is denied because the bot's IP is in their blacklist.

Lethic Clicker Table3

When this happens, Lethic ends the current attempt, and just tries again to connect to the next SMTP server that the C&C sends. This happens repeatedly until an attempt finally succeeds.

The failure shown here demonstrates why the Lethic C&C server doesn't just send spam by itself, but chooses to use infected computers (its bots) as a proxy for its spamming activities - it is just too easy to block IPs. But if it's lucky, it just might infect a host that uses a dynamic internet IP, which means that every system or router reboot will result in a new IP. In this case, the SMTP server blacklist may fail to block the bot.

Now A Clicker

Starting March 2014, Lethic has found another way to earn money from its compromised network - the bot now acts as a clicker.

The mechanism of the Lethic clicker is similar to spamming. The bot still acts as a proxy, but instead of the IP address of an SMTP server, the C&C server and bot now uses a URL; and instead of SMTP commands, the C&C server sends HTTP GET commands. Mimicking web browser behavior, the bot requests a certain web page and downloads it, but it doesn't display the page to the user of the infected computer.

Below is an example of the clicker traffic that we have seen.

Lethic Clicker 2

Figure 2. Clicker traffic between bot and C&C server.

The target is a web site that is selling tickets for a show which will be held in Toronto, ON on Tue, May 13, 2014 08:00 PM. In this case, the Lethic clicker has helped to increase the online click numbers. Due to the number of systems infected by Lethic, the abnormal click numbers should be huge.

According to our botnet monitoring system's continually tracking of Lethic, we have found that the bot tried to access the following links recently:

Lethic Clicker Table4

As seen above, Lethic accessed the same domain with the m prefix, which means that it is a mobile access website. The following are some of the fake User Agents that we have seen that were used for cheating the targeted web sites:

Lethic Clicker Table5


Our botnet monitoring system continues to track the activities of the Lethic botnet. We have seen in this post that Lethic has turned into a clicker. If it transforms into something else in the future, we will surely keep an eye on it and will do our best to respond efficiently.

Join the Discussion