{
	"id": "3e4e2fc7-c634-4a98-aca2-46439df0d1ca",
	"created_at": "2026-04-06T00:18:52.320635Z",
	"updated_at": "2026-04-10T03:21:17.378335Z",
	"deleted_at": null,
	"sha1_hash": "f01d187d75e2c5aae63f986c1600865b41ef7a5f",
	"title": "Virus Bulletin :: Tofsee botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3174576,
	"plain_text": "Virus Bulletin :: Tofsee botnet\r\nBy Ryan Mi, Fortinet, Canada\r\nEditor: Helen Martin\r\nArchived: 2026-04-05 18:40:02 UTC\r\n2014-04-02\r\nAbstract\r\nThe spam botnet Tofsee can be divided into three components: loader, core module and plug-ins. Ryan Mi\r\ndescribes how the components communicate with the C\u0026C server, and how they work with one another.\r\nCopyright © 2014 Virus Bulletin\r\nThe spam botnet Tofsee, a.k.a. ‘GHEG’, has been active for many years. I first encountered it in May 2013, since\r\nwhen I have been monitoring its activities. Based on my analysis, the Tofsee botnet can be divided into three\r\ncomponents: loader, core module and plug-ins. In this article I will describe how the components communicate\r\nwith the C\u0026C server, and how they work with one another.\r\nThe loader\r\nThe loader is a relatively simple and independent component compared with the other two. Usually, the file comes\r\nfrom a social network and disguises itself as an interesting picture. After successfully luring victims into executing\r\nit, the loader will communicate with a list of C\u0026C servers that are hard-coded within its code, then download and\r\nrun the core module. At the same time, it downloads a picture file and displays it to the victim.\r\nFigure 1 shows the initial communication between the victim machine and the C\u0026C server.\r\nhttps://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet\r\nPage 1 of 13\n\nFigure 1. Initial communication between victim and C\u0026C server.\r\nThe loader’s request contains parameters that provide the Windows version and system bit type to the C\u0026C server.\r\nThe reply from the C\u0026C server is encrypted. After decryption, the information is revealed in the following format:\r\nKEYS(l,u,p), Path, URL, Content-Length. 
An example is shown in Figure 2, with the corresponding values:\r\n11, name03, 3sRd6Nf8H, tsone/ajuno.php, hxxp://wickedreport.com/images/2009/05/naughty-elephant.jpg, 25\r\nThe ‘KEYS(l,u,p)’ and ‘Path’ values will be used to connect to the same C\u0026C server again and to download the\r\ncore module binary. The ‘URL’ value is the link to download the picture file.\r\nFigure 2. Victim downloads the core module.\r\nThe core module\r\nThe core module is the main control component. It hides itself in the victim system, keeps talking to the C\u0026C\r\nserver, fetches new configuration data and loads plug-ins.\r\nAlthough the core module connects to the C\u0026C server through ports 443, 995 or 465, the connections are not\r\nstandard SSL. The streams between them are encrypted by a customized encryption routine. After setting up the\r\nTCP connection, the C\u0026C server will send a 200-byte package to the core module. The decrypted data includes an\r\ninitialized 128-byte key table, the victim’s public IP address, server status flags, etc. (see Figure 3).\r\nFigure 3. 200-byte package sent to the core module that includes the key table.\r\nThe core module inspects the package received from the C\u0026C server. If all goes well, the core module will\r\ngenerate a package which includes local information (such as: local time, unique ID, system version, etc.) and\r\nsend it back to the C\u0026C server. The core module will use the key table and a hard-coded key string, ‘abcdefg’, for\r\nencryption to generate the package. 
From this point on, communication between the victim and the C\u0026C server\r\nwill use the key table and the hard-coded key string for encryption and decryption.\r\nNext, the server may return a new C\u0026C server list (Figure 4) or request local configuration information from the\r\nvictim and provide some new configuration files to the core module.\r\nFigure 4. New C\u0026C server list.\r\nIn Tofsee, at the beginning of each configuration, there are a couple of bytes that indicate the length and CRC\r\nvalue of the configuration data. Following these bytes, the configuration can be divided into three parts:\r\nconfiguration type, configuration name and configuration data. For example, we can see in Figure 4 that the\r\nconfiguration type is 1, the name is ‘work_srv’, and the rest is the corresponding data. Each specific type of\r\nconfiguration contains different configuration data. For example, configuration type 1 contains a list of C\u0026C\r\nservers; configuration type 5 is for plug-ins; configuration type 7 contains string variables for spam.\r\nFigure 5 shows some of the configurations collected from Tofsee C\u0026C servers.\r\nFigure 5. List of Tofsee configurations.\r\nThe name gives us a general idea of what each configuration is for. Types 7 and 8 in particular have a large\r\nnumber of configurations. These contain string variables which will be used by the email template to generate\r\nrandom spam emails.\r\nFigure 6 shows part of the template from the configuration ‘3-psmtp_task’.\r\nFigure 6. Part of the configuration template.\r\nIn the template, we found many variables such as %RNDRCOLOR, %RND_DEXL, %EVA_URL, etc. 
So, for\r\nexample, Figure 7 shows the content of configuration ‘7-%EVA_URL’.\r\nFigure 7. A list of URLs in a configuration for spam email.\r\nIn the lower half of configuration ‘3-psmtp_task’ there is a small script for sending spam using the ‘direct-to-MX’\r\nmethod. Figure 8 shows part of the script.\r\nFigure 8. The lower half of ‘3-psmtp_task’.\r\nOnce Tofsee’s core module has been deployed in the victim system, the C\u0026C server will send it lots of new\r\nconfigurations every day. Figure 9 shows information based on my tracking data. (Note that the statistics were\r\ngenerated on 10 January 2014.)\r\nFigure 9. Updating frequency of Tofsee configurations.\r\nSome of the configurations were updated quite frequently, especially those with ‘URL’ as part of their names. It is\r\ninteresting to see that the configuration ‘3-psmtp_task’ has not been updated for a while, even though it is still top\r\nof the list, as shown in Figure 9. It appears that configuration types 11 and 8 were introduced recently.\r\nThe type 11 configuration has a similar data structure to ‘3-psmtp_task’. It uses type 8 to generate spam. These\r\nhave been introduced to replace the ‘3-psmtp_task’ configuration, as we can tell from the update times shown in\r\nFigure 10.\r\nFigure 10. Type 11 configuration.\r\nOne more thing about the configuration is that, based on my data, the Tofsee C\u0026C servers have not been changed\r\nfrequently. Configurations ‘1-start_srv’ and ‘1-work_srv’ contain a list of C\u0026C servers, as shown in Figure 11.\r\n(Please refer to Figure 4 for the content of these configurations.) 
These C\u0026C servers are mainly hosted in\r\nMalaysia, Hong Kong and Eastern European countries.\r\nFigure 11. Configurations that contain a list of C\u0026C servers.\r\nThe plug-ins\r\nThe plug-ins are of configuration type 5. From the data in Figure 12, we can tell that the plug-ins are not updated\r\nfrequently. The most recently updated one, ‘5-12’, is related to spamming.\r\nFigure 12. List of plug-ins.\r\nThe following is a list of plug-ins and their names:\r\n5-1: plg_ddos\r\n5-2: plg_antibot - kill\r\n5-3: plg_sniff\r\n5-4: plg_proxy\r\n5-5: plg_webm\r\n5-6: plg_protect\r\n5-7: plg_locs\r\n5-11: plg_text\r\n5-12: psmtp\r\n5-14: plg_miner\r\n5-16: plg_spread1\r\n5-17: plg_spread2\r\n5-18: plg_sys_cfg\r\nAll of the plug-ins received from the C\u0026C server are loaded into the core module’s memory and run under the\r\ncore module. All of the plug-ins are DLL files and have the same exported function, ‘plg_init’, which will be\r\ncalled by the core module to initialize them.\r\nFigure 13 shows the part of the core module code that loads the plug-ins.\r\nFigure 13. Snippet of core module code for loading the plug-ins.\r\nThe function ‘plg_init’ only takes one parameter, ‘Function_Structure’, which is a big array of function memory\r\nlocations. ‘Function_Structure’ is first initialized by the core module, and later the plug-ins will update it by\r\nadding or removing items. Since the core module and the plug-ins all run under the same process, they can share\r\ndifferent functions with one another. Figure 14 shows how the plug-in ‘5-4’ accesses functions.\r\nFigure 14. Snippet of plug-in code to access functions using ‘Function_Structure’.\r\nTofsee’s overriding behaviour is spamming, of course. 
However, its use of plug-ins allows for additional\r\nfunctionality. So far, based on my analysis, the binaries that have been downloaded from the C\u0026C server have\r\nfunctionalities such as DDoSing, sniffing, rootkit protection and litecoin mining.\r\nWe will continue to keep an eye on this botnet to see what new features appear and how it evolves.\r\nSource: https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet"
	],
	"report_names": [
		"tofsee-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f01d187d75e2c5aae63f986c1600865b41ef7a5f.pdf",
		"text": "https://archive.orkl.eu/f01d187d75e2c5aae63f986c1600865b41ef7a5f.txt",
		"img": "https://archive.orkl.eu/f01d187d75e2c5aae63f986c1600865b41ef7a5f.jpg"
	}
}