Cybercriminals Moving Over To TLD .su

During the past few years the Top Level Domain (TLD) .ru has been heavily abused by cybercriminals. According to ZeuS Tracker, TLD .ru was one of the most abused Top Level Domains that were used by criminals to run ZeuS botnet controllers.

The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did their job well and addressed the reputation problem TLD .ru had by setting up new terms and conditions for the registration of .ru domain names, which came into force on November 11, 2011.

One of the most interesting parts of the new terms and conditions is the following passage:

5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain’s information addressing system being used for:

  1. receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
  2. unauthorized access to third parties’ (users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);

[...]

In fact this means that a registrar can terminate a domain name when it is being used for phishing attacks or when it is being used to control a botnet. However, there is one part which does not seem to be well defined:

“[...] receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet”

I’m asking myself what the definition of “organization indicated by the Coordinator as a competent one to determine violations in the Internet” might be. As we all know there are many security vendors and non-profit organisations out there which do a great job in tracking down malicious and fraudulent content. Will registrars accept takedown requests received from such parties? I don’t know…

However, what I can say so far is that the number of fraudulent .ru domains used by ZeuS botnet herders decreased in the beginning of 2012. I can also see that malicious .ru domains which are being added to ZeuS Tracker have a much shorter life span. While malicious .ru domains used to stay active for several weeks or months in the past, they are now getting nuked much faster (mostly within 4-24hrs). That’s great news for the internet community!

Unfortunately we all know that there is a never-ending cat and mouse game between the security industry / infosec community and cybercriminals. Criminals have already noticed that their domains are getting shut down much faster. So they started to look for another TLD to use for their dirty business and found one that has nearly been forgotten: the TLD .su.

For those of you who don’t know: .su is (or should I say was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (which is operated by RIPN) is still active today, which means that people can still register domain names under it. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su.

Since the Soviet Union no longer exists and I see legitimate .su domains pretty rarely, I think it’s a good idea to block .su at the network edge (web proxies / content filtering systems). If you are operating a gateway in your company / network, take the time to have a look at your logs. If you don’t see any legitimate .su domains being hit/used in your company, simply block the TLD.

Follow me on Twitter:
https://twitter.com/abuse_ch

ZeuS Gets More Sophisticated Using P2P Techniques

Recently, I’ve seen some major modifications in ZeuS murofet/LICAT. Murofet (also known as LICAT) is a modified version of ZeuS which uses a so-called Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain.

However, a few weeks ago I noticed that no new murofet/LICAT C&C domain names had been registered by the criminals. I was a little bit confused and decided to analyse a recent ZeuS sample (spread through a spam campaign targeting US citizens). When I ran the binary in my sandbox, I saw some weird UDP traffic. My first guess was: this is not ZeuS. But after analysing the infection I came to the conclusion that it actually is ZeuS.

*** A new (custom) version of ZeuS ***

The new version of ZeuS no longer uses a DGA to determine the current C&C domain, so it is also no longer possible to pre-calculate the C&C domains that will be used in the near future. Instead, the criminals switched back to a hardcoded C&C domain which is stored in the ZeuS config file.

The *new* version of ZeuS (v3?) implements a Kademlia-like P2P botnet. Similar to the Miner botnet, ZeuS now uses an “IP list” containing the IP addresses of other drones participating in the P2P botnet. An initial list of IP addresses is hardcoded in the ZeuS binary. As soon as a computer gets infected, ZeuS will try to find an active node by sending UDP packets to high ports. If the bot hits an active node, the remote node will respond with a list of current IP addresses participating in the P2P network. Additionally, the remote node will tell the requesting node which binary and config version it is running. If the remote node is running a more recent version, the bot will connect to it on a high TCP port to download a binary update and/or the current config file. Afterwards the bot will connect to the C&C domain listed in the config file using HTTP POST.

The HTTP protocol is only used to drop the stolen data at the dropzone and/or to receive commands from the botnet master. In fact this means there is no longer a BinaryURL or a ConfigURL that ZeuS Tracker can track. It also makes it quite difficult for security researchers to keep track of the targets. What is interesting is the fact that if everything fails (no working/active P2P drone can be found and the main C&C is dead) the bot will use the DGA as a fallback mechanism.

At first glance this is bad news. But fortunately the new mechanism also has a benefit: there is just one ZeuS C&C active at a time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.

*** ZeuS sinkhole data ***

During the past few weeks I was able to sinkhole several ZeuS botnet C&Cs associated with this new ZeuS version. The chart below shows the number of unique IP addresses associated with this ZeuS version and hitting my sinkhole. The highest IP count was about 100k unique IPs in 24hrs.

The geolocation of this ZeuS botnet looks like this:

As we can see on the chart above, India seems to have the most infected systems, followed by Italy, the United States and Greece. Please note that this chart just shows the unique IPs for each country; it does not count the unique bot IDs.

As usual, the sinkhole data is being sent to Shadowserver. If you are a network provider / ISP, please make sure that you subscribe to Shadowserver’s drone feed to receive reports regarding infected drones in your network/AS (the service is free of charge).

*** Conclusion ***

What I can say so far is that the encryption of this new (custom) version of ZeuS hasn’t changed. You should watch out for the following URI paths in your web proxy logs, which are used as the dropzone for this ZeuS version (via HTTP POST):

  • /gameover.php
  • /gameover2.php
  • /gameover3.php
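The log review suggested in the .su post above (look through your gateway logs for legitimate .su traffic before blocking the TLD) and the dropzone paths just listed can be checked with the same log parser. The following is an added example, not abuse.ch’s tooling: it reads Squid native access.log lines, reports every .su host seen with a hit count, and flags HTTP POSTs to /gameover.php, /gameover2.php and /gameover3.php (matched as /gameover<digits>.php, which generalises the three paths on the page). The log lines, hosts and addresses are constructed for the example and are not real indicators.

```python
"""Proxy-log review for two indicators from this page:
  (a) requests to .su domains, to review before blocking the TLD at the edge
  (b) HTTP POSTs to /gameover.php, /gameover2.php, /gameover3.php, the
      dropzone paths of the P2P ZeuS build
Added example, not abuse.ch's tooling.  The log lines are CONSTRUCTED
samples in Squid native access.log format (time elapsed client
action/code size method url ident hierarchy/from type); adapt
parse_line() for other proxies.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines: hosts and addresses are not real indicators.
SAMPLE_LOG = """\
1326287401.123    245 10.0.0.12 TCP_MISS/200 1231 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1326287405.770     98 10.0.0.12 TCP_MISS/200 512 POST http://update-srv.example.su/gameover.php - DIRECT/198.51.100.7 text/html
1326287410.004     20 10.0.0.40 TCP_MISS/200 304 GET http://cdn.example.su/pic.jpg - DIRECT/198.51.100.9 image/jpeg
1326287412.510    130 10.0.0.12 TCP_MISS/200 640 POST http://203.0.113.5/gameover2.php - DIRECT/203.0.113.5 text/html
1326287420.001     15 10.0.0.77 TCP_MISS/200 2048 GET http://www.example.org/gameover.php - DIRECT/198.51.100.11 text/html
1326287421.300     30 10.0.0.80 TCP_MISS/200 100 GET http://su.example.com/ - DIRECT/198.51.100.12 text/html
1326287425.000    400 10.0.0.40 TCP_TUNNEL/200 5120 CONNECT mail.example.su:443 - DIRECT/198.51.100.9 -
"""

# Generalises the three paths listed on the page (/gameover.php, /gameover2.php, ...).
GAMEOVER_RE = re.compile(r"^/gameover\d*\.php$")


def parse_line(line):
    """Return client, method, host and path from one Squid native log line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    method, target = fields[5], fields[6]
    if method == "CONNECT":
        # Squid logs CONNECT (HTTPS) targets as host:port without a scheme.
        host, path = target.rsplit(":", 1)[0], "/"
    else:
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path or "/"
    return {"client": fields[2], "method": method, "host": host.lower(), "path": path}


def is_su_domain(host):
    """True when the last DNS label is 'su'; 'su.example.com' does not match."""
    return "." in host and host.rsplit(".", 1)[-1] == "su"


def is_gameover_post(method, path):
    """The dropzone is reached with HTTP POST; a GET to the same path is not flagged."""
    return method == "POST" and GAMEOVER_RE.match(path) is not None


def review(log_text):
    """Return (Counter of .su host -> hits, list of (client, host, path) dropzone POSTs)."""
    su_hosts = Counter()
    gameover_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_su_domain(rec["host"]):
            su_hosts[rec["host"]] += 1
        if is_gameover_post(rec["method"], rec["path"]):
            gameover_hits.append((rec["client"], rec["host"], rec["path"]))
    return su_hosts, gameover_hits


if __name__ == "__main__":
    su_hosts, hits = review(SAMPLE_LOG)
    print(".su hosts seen (review before blocking the TLD):")
    for host, n in su_hosts.most_common():
        print(f"  {n:5d}  {host}")
    print("possible ZeuS dropzone POSTs:")
    for client, host, path in hits:
        print(f"  {client} -> {host}{path}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents. The .su list is the review step from the first post: only if every host on it is noise do you add the TLD block. The dropzone check is deliberately strict (POST only, exact path) so the hit list stays short enough to act on; the same clients showing up with both indicators is what you would expect from an infected host.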

Since I’ve started to track this ZeuS campaign, I’ve collected more than 270 unique config files.

Since the source code of ZeuS was leaked at the beginning of 2011, several so-called custom builds based on it have popped up in the underground. A good example is a bot kit called Ice IX, recently introduced on opensc.ws.

So are we talking about a *new* ZeuS version which we will see being sold in the underground soon? I don’t think so. This seems to be just another custom build. But there is one thing that makes this custom build unique: this build (and the previous murofet/LICAT version) is much more sophisticated than all other ZeuS builds I’ve seen before. Also, when I take a look at the way they operate, it looks like this botnet has several customers using the same botnet infrastructure.

Since the guy who wrote this version of ZeuS seems to have a lot of knowledge, it could be that Slavik (the author of the original ZeuS version) has his hands on this ZeuS build. We all know how successful ZeuS was (and still is). So why should Slavik leave this business? I believe that Slavik was uncomfortable with the fact that his trojan was in the spotlight of security researchers, the security industry and LEA. Also, ZeuS has attracted a lot of script kiddies and smaller criminal groups which weren’t able to pay that much money for a product. Slavik probably dropped this business and released the source code to the public to get out of this situation. But I believe that he is still developing ZeuS, only as custom build(s) for a small circle of customers who are able to pay a lot more money than the small fish. This wouldn’t attract that much attention from LEA and security folks, but would bring in a lot more money than dealing with standard customers.

We all know that the fight between criminals and security researchers is a cat and mouse game. I’m sure this wasn’t the last change made to ZeuS, and we will continue to see efforts from criminals to keep their malware under the radar.

Ice IX – Or Just ZeuS?

This morning I read an interesting article on Securelist regarding a new Trojan called Ice IX that seems to be based on the leaked ZeuS source code.

I googled a little bit and found a post on a well-known underground forum where a user with the nickname nvidiag is selling Ice IX (UPDATE Aug 27, 2011: after my blog post, the topic on opensc.ws was obviously deleted):

Ice IX is a new bot form-grabber similar to Zeus, but a big rival to it. It is based on a modified Zeus 2 core.
The core was redesigned and enhanced. It was enhanced to bypass proactive protection and firewalls using driver mode; injects work more stably on IE and Firefox-based browsers.
The main goals were adding protection from detection by trackers, getting a higher response, more stealthiness, and longer vitality. The goals were successfully reached.

The features advertised by nvidiag seem to be the same as in ZeuS. But there seems to be one new feature:

Protection from Trackers.
The config file is now fetched not directly but through the proxy.php file, where you should enter the same key used for encrypting the data exchange between bot and control panel. If the request for the config is not created by a bot with the same key, a 404 error will be returned. So there is no way to download and analyze the configuration file.
This is a major advantage if you are creating big botnets, because the main problem of the original Zeus is trackers.

So, according to this forum post Ice IX has a function to prevent ZeuS Tracker & Co from downloading the config file. For example, instead of answering an HTTP GET, Ice IX will only serve the config file when the client sends an HTTP POST request.

Does this new anti-ZeuS-Tracker feature make it impossible to track Ice IX? Well, let’s try this:

$ wget -S --post-data="id=REDACTED&hash=REDACTED" "chilloutcaffee.net/photos/zb1/cc/ccc.php"
--2011-08-25 XX:XX:XX-- http://chilloutcaffee.net/photos/zb1/cc/ccc.php
Resolving chilloutcaffee.net... 123.30.129.251
Connecting to chilloutcaffee.net|123.30.129.251|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Thu, 25 Aug 2011 XX:XX:XX GMT
Server: Apache/2
[...]
Length: 41370 (40K) [text/plain]
Saving to: `ccc.php'

100%[==============>] 41,370 7.80K/s in 5.2s

2011-08-25 XX:XX:XX (7.80 KB/s) - `ccc.php' saved [41370/41370]

Uh?

$ file ccc.php
ccc.php: data

Looks good…

$ md5sum ccc.php
f673999a9de960d5ae0d9d72beaf0433 ccc.php

Let’s try to decrypt it…

Version: 1.0.5.0
url_loader (binary download)
http://chilloutcaffee.net/photos/zb1/cc/bot.exe
url_server (dropzone)
http://chilloutcaffee.net/photos/zb1/gate.php
entry “AdvancedConfigs” (backup config files)
http://chilloutcaffee2.net/photos/zb1/cc/ccc.php

url_wfrules
Nhttp://*odnoklassniki.ru/*
Nhttp://vkontakte.ru/*
S*/login.osmp.ru/*
S*/atl.osmp.ru/*
[...]

Et voilà: the Ice IX config file was successfully downloaded and decrypted. You just need some wget kung fu, and you need the binary to extract the RC4 key in order to decrypt the Ice IX config file and to construct the correct hash value in the URL used to query the configuration file.
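The decryption step above depends on the RC4 key recovered from the bot binary. As an added example (not abuse.ch’s tooling), the following shows that step in isolation: a plain RC4 implementation, checked against the standard “Key”/“Plaintext” test vector, applied to a config blob. The key and the config fragment are constructed here (the blob is produced inside the block by encrypting the fragment with that key), and the URL extraction is a simple string scan; a real ZeuS/Ice IX config is a binary structure with additional layers that this example does not parse.

```python
"""RC4 decryption of a ZeuS/Ice IX-style config blob with the key taken
from the bot binary.  Added example, not abuse.ch's tooling.  SAMPLE_KEY
and the config fragment are CONSTRUCTED; a real config is a binary
structure with more layers than this simple URL scan handles."""
import re


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the state array S under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XORed over data; RC4 is symmetric, so this both encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_urls(plaintext: bytes) -> list:
    """Pull printable http(s) URLs (loader, dropzone, backup config) out of decrypted data."""
    return [u.decode("ascii") for u in URL_RE.findall(plaintext)]


def printable_ratio(data: bytes) -> float:
    """Sanity check for a key candidate: the right key yields mostly printable bytes, a wrong one noise."""
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\x00\r\n\t")
    return ok / len(data) if data else 0.0


def decrypt_config(key: bytes, blob: bytes) -> list:
    """Decrypt an RC4-encrypted config blob and return the URLs found in it."""
    return extract_urls(rc4_crypt(key, blob))


# Constructed sample: a key "from the binary" and a made-up config fragment
# with loader, dropzone and backup-config entries, encrypted here with that key.
SAMPLE_KEY = b"example-rc4-key-from-binary"
SAMPLE_PLAINTEXT = (
    b"url_loader\x00http://loader.example.invalid/cc/bot.exe\x00"
    b"url_server\x00http://loader.example.invalid/gate.php\x00"
    b"AdvancedConfigs\x00http://backup.example.invalid/cc/ccc.php\x00"
)
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("printable ratio with the right key: %.2f" % printable_ratio(rc4_crypt(SAMPLE_KEY, SAMPLE_BLOB)))
    for url in decrypt_config(SAMPLE_KEY, SAMPLE_BLOB):
        print(url)
```

With a downloaded blob such as ccc.php and a key string pulled from the unpacked binary, `decrypt_config(key, open("ccc.php", "rb").read())` is the whole workflow; `printable_ratio()` is a cheap way to tell a correct key candidate from a wrong one before looking at the output.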

Below is a list of Ice IX botnet controllers I’ve seen so far:

http://frcfir.com/cfg/logo.php
http://ziigmmn.com/logo.php

Is Ice IX a new threat? Not really. It has the same functionality as ZeuS, but it tries to evade ZeuS Tracker & Co (but royally fails). I will continue to monitor the situation.
