Archive for the 'Malware & Virus Analysing' Category


Dutch Spam Campaign Hits Switzerland With P2P ZeuS

Weird things are going on here in Switzerland. Today I’ve seen a spam campaign sent out by the Cutwail spambot (one of the biggest spam botnets in the world), hitting Switzerland with the P2P version of ZeuS (aka P2P ZeuS aka ZeuSv3 aka Gameover ZeuS). The spam email looks like this:

From: reportbank@ag.ch
Subject: Re: incorrectly completed NATXXXX tax form

(Original body in broken Dutch; translated to English here.)

Unfortunately you are informed that you have made mistakes in filling out the latest tax form application (ID: XXXXX).
Find the advice of our tax specialists at this link
(wait 1 minute for the report to load)

We ask you to correct the errors and file the revised return with your local tax office as soon as possible.

Kanton Aargau
XXX XXX
Sachbearbeiterin Wehrpflichtersatzverwaltung (case worker, military service exemption tax administration)
Departement Gesundheit und Soziales (Department of Health and Social Affairs)
Abteilung Militär und Bevölkerungsschutz (Division of Military and Civil Protection)
Rohrerstrasse 7, Postfach, 3352 Aarau
Tel.: +41 (0)62 362 XX XX
Fax: +41 (0)62 365 XX XX

What is weird about this spam campaign is that it imitates a social department of the Swiss canton of Aargau (a German-speaking canton), yet the text of the email is written in Dutch. It might be hard to believe, but most Swiss citizens don’t speak Dutch at all…

Additionally, I’ve seen that Cutwail is sending out this spam campaign to non-CH mailboxes as well (.net, .com etc.). So it is not yet clear whether the intent of the criminals behind this malware campaign is to hit Swiss citizens or not (I don’t think that many foreign citizens know the canton of Aargau…).

The spam email contains a hyperlink to a hijacked website, for example:

hXXp://robfama.com/Kompetenzzentrum.htm

The page looks like this:

For a normal visitor the page doesn’t look suspicious at all; it is a copy of the official web page of the canton of Aargau. However, if you take a closer look at the HTML source of the advertised URL you will notice malicious JavaScript code which causes the visitor’s web browser to load content from a foreign URL hosted in Korea:

hXXp://africanbeat.net/detects/urgent.php

africanbeat.net points to 222.238.109.66

[ Network Information ]
IPv4 Address : 222.232.0.0 – 222.239.255.255 (/13)
Service Name : broadNnet
Organization Name : SK Broadband Co Ltd
Organization ID : ORG3930
Address : 267, Seoul Namdaemunno 5(o)-ga Jung-gu SK NamsanGreen Bldg.
Zip Code : 100-711
Registration Date : 20040402
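The post does not reproduce the injected JavaScript, so the following is an added example (not code from the original post and not the actual injection) that shows how to triage a saved copy of a hijacked page such as Kompetenzzentrum.htm: list every element that makes the browser fetch something, and flag loads that go to a host other than the page’s own (or an explicit allow-list), marking active content (script/iframe/object) and hidden frames separately. The sample HTML is constructed for the example; only the two URLs in it (the hijacked page and the Korean-hosted loader) come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the hijacked Kompetenzzentrum.htm: a copy of a
# legitimate site with an injected off-site <script> and a hidden <iframe>.
# The africanbeat.net URL is the one named in the post; the markup is not.
SAMPLE_HTML = """<html><head><title>Kanton Aargau</title>
<script src="/js/menu.js"></script>
<script src="http://africanbeat.net/detects/urgent.php"></script>
</head><body>
<img src="http://www.ag.ch/logo.png">
<iframe src="http://africanbeat.net/detects/urgent.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""


class ExternalLoadFinder(HTMLParser):
    """Collect every element whose attribute makes the browser fetch a URL."""

    LOAD_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                  "embed": "src", "object": "data", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        attr = self.LOAD_ATTRS.get(tag)
        d = dict(attrs)
        if attr and d.get(attr):
            self.loads.append((tag, d[attr], d))


def is_hidden(tag, attrs):
    """1x1 / zero-sized or CSS-hidden frames are the classic drive-by injection shape."""
    if tag not in ("iframe", "frame"):
        return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injections(html, page_url, allowed_hosts=()):
    """Return off-site loads in `html`, relative to the page's own host.

    Relative URLs (no host) are treated as same-origin and skipped.
    """
    page_host = urlparse(page_url).hostname
    parser = ExternalLoadFinder()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.loads:
        host = urlparse(url).hostname
        if host is None or host == page_host or host in allowed_hosts:
            continue
        active = tag in ("script", "iframe", "frame", "embed", "object")
        findings.append({"tag": tag, "url": url, "host": host,
                         "active_content": active, "hidden": is_hidden(tag, attrs)})
    return findings


if __name__ == "__main__":
    for f in find_injections(SAMPLE_HTML, "http://robfama.com/Kompetenzzentrum.htm",
                             allowed_hosts=("www.ag.ch",)):
        print(f)
```

Run it against the saved HTML of a suspicious page; anything marked `active_content` and `hidden` pointing at a host you have never heard of is what to pull apart next (here: the africanbeat.net loader). The allow-list keeps legitimately embedded resources of the imitated site (images, stylesheets) out of the output.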

The mentioned website (africanbeat.net) is likely operated by cybercriminals and hosts an exploit kit called “Blackhole”. Blackhole is able to exploit various (known) vulnerabilities in the visitor’s web browser (e.g. Internet Explorer or Firefox) as well as in 3rd party browser plugins like Adobe Flash, Adobe Reader and Sun Java. If the software installed on the visitor’s computer is not fully patched, Blackhole will exploit a vulnerability and use it to install an ebanking Trojan called P2P ZeuS.

Since P2P ZeuS does not use any centralized (botnet) infrastructure, there is no single botnet C&C domain/IP you could block on your company’s gateway. However, P2P ZeuS talks to other infected bots around the globe over high TCP/UDP ports. You can therefore mitigate this threat by blocking outgoing TCP and UDP connections to ports above 1024 on your firewall. Be aware that such a rule is coarse: it also breaks legitimate services on high ports (e.g. 8080/8443 web services, passive FTP data channels, many VPN and messaging clients), so in practice this means a default-deny outbound policy with an explicit allow-list and web traffic forced through a proxy (as a side note: you should restrict outgoing traffic on your firewall anyway).

Additionally, I recommend everyone to block the following domain name and IP addresses at the network edge:

  • 222.238.109.66 (Blackhole Exploit Kit hosting)
  • africanbeat.net (Blackhole Exploit Kit hosting)
  • 63.143.53.180 (Malware DNS server)


A Quick Update On Spambot Kelihos

In March 2012 I blogged about Kelihos, a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012.

Various security researchers believe that Kelihos (also known as Hlux) is the replacement of the famous Storm Worm, which was active in 2007 and was replaced by Waledac in 2009. Today I asked myself what kind of evolution Kelihos has gone through during this year, so I decided to have a quick look at recent Kelihos binaries and compare their behaviour with the behaviour of the binaries I saw back in March 2012.

Here is a quick overview:


                                                    Kelihos March ’12   Kelihos December ’12
Using (double) FastFlux domains to spread Kelihos:  Yes                 Yes
(Ab)used TLD for malware distribution:              .eu                 .ru
Sponsoring registrar for nameserver domains:        INTERNET.BS         INTERNET.BS
Capability to spread via removable drives:          No                  Yes
Using P2P network:                                  Yes                 Yes

Infecting removable drives
So, what has changed? The first thing that pops up is the fact that Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10 (what a nice date to push an update for Kelihos!).

Once a Kelihos infection binary is executed on the victim’s computer, it writes a temporary file to C:\WINDOWS\Temp:

C:\WINDOWS\Temp\temp12.exe

The naming schema used by Kelihos seems to be temp[1-9]{2}.exe. This file then tries to get an updated version of Kelihos by calling home to a double-FastFlux-hosted .ru domain. Once the update is done, temp12.exe starts to infect removable drives that are attached to the victim’s computer, most likely using CVE-2010-2568 (the Windows shortcut/LNK vulnerability first used by Stuxnet and later copied by various other malware):

Origin process                  Affected file
C:\WINDOWS\Temp\temp12.exe      \Device\SanDisk0\sony.exe
C:\WINDOWS\Temp\temp12.exe      \Device\SanDisk0\Shortcut to Sony.lnk
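The two files dropped on the USB stick form a lure pair: an executable plus a shortcut pointing at it. As an added example (not code from the post or from Kelihos), the following Python scanner walks the root of a mounted removable drive, parses each .lnk file’s LinkInfo block (MS-SHLLINK format: header, optional IDList, then LinkInfo with a VolumeID and LocalBasePath) and flags shortcuts whose target is an .exe sitting right beside them. `build_sample_lnk` constructs a minimal shortcut purely so the example runs offline; the file names sony.exe and “Shortcut to Sony.lnk” are the ones from the table above, the target path E:\sony.exe and the fake drive root are assumptions.

```python
import os
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
FLAG_HAS_ID_LIST = 0x01      # LinkFlags.HasLinkTargetIDList
FLAG_HAS_LINK_INFO = 0x02    # LinkFlags.HasLinkInfo
LI_VOLUME_AND_LOCAL = 0x01   # LinkInfoFlags.VolumeIDAndLocalBasePath
DRIVE_REMOVABLE = 2          # VolumeID.DriveType value for removable media


def parse_lnk(data: bytes):
    """Return (LocalBasePath, DriveType) from a .lnk, or None if it has no usable LinkInfo."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if link_flags & FLAG_HAS_ID_LIST:  # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & FLAG_HAS_LINK_INFO:
        return None
    _size, _hdr_size, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    if not li_flags & LI_VOLUME_AND_LOCAL:
        return None
    drive_type = struct.unpack_from("<I", data, pos + vol_off + 4)[0]  # VolumeID.DriveType
    start = pos + path_off
    end = data.index(b"\x00", start)
    return data[start:end].decode("cp1252", errors="replace"), drive_type


def build_sample_lnk(local_path: str, drive_type: int = DRIVE_REMOVABLE) -> bytes:
    """Constructed minimal shortcut: header + LinkInfo only (no IDList, no string data)."""
    path_bytes = local_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, drive_type, 0x12345678, 0x10) + b"\x00"
    li_header_size = 0x1C
    vol_off = li_header_size
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(path_bytes)
    li_size = suffix_off + 1  # trailing empty CommonPathSuffix
    link_info = struct.pack("<7I", li_size, li_header_size, LI_VOLUME_AND_LOCAL,
                            vol_off, path_off, 0, suffix_off)
    link_info += volume_id + path_bytes + b"\x00"
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, FLAG_HAS_LINK_INFO)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + link_info


def scan_drive_root(root: str):
    """Flag .lnk files in a drive root whose target is an .exe lying next to them."""
    names = os.listdir(root)
    exes = {n.lower(): n for n in names if n.lower().endswith(".exe")}
    hits = []
    for n in sorted(names):
        if not n.lower().endswith(".lnk"):
            continue
        with open(os.path.join(root, n), "rb") as f:
            parsed = parse_lnk(f.read())
        if parsed is None:
            continue
        target, drive_type = parsed
        base = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in exes:
            hits.append({"lnk": n, "target": target, "exe": exes[base],
                         "removable": drive_type == DRIVE_REMOVABLE})
    return hits


def demo_scan():
    """Build a fake removable-drive root holding the lure pair from the post and scan it."""
    root = tempfile.mkdtemp(prefix="fakeusb_")
    with open(os.path.join(root, "sony.exe"), "wb") as f:
        f.write(b"MZ")  # constructed placeholder bytes, not malware
    with open(os.path.join(root, "Shortcut to Sony.lnk"), "wb") as f:
        f.write(build_sample_lnk("E:\\sony.exe"))
    with open(os.path.join(root, "holiday.lnk"), "wb") as f:  # benign control shortcut
        f.write(build_sample_lnk("C:\\Users\\me\\holiday.docx", drive_type=3))
    return scan_drive_root(root)


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

This catches the lure layout, not the exploit itself: CVE-2010-2568 shortcuts carry a Control Panel item in the IDList and need no LinkInfo at all, so a .lnk that `parse_lnk` rejects is not automatically benign. The fix for the vulnerability is the Windows patch (MS10-046); the scanner is a cheap triage step for sticks found in the field.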

Switching from .eu to .ru
Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from TLD .eu to TLD .ru:

abaxhad.ru
adnedat.ru
adtesok.ru
aqzepylu.ru
asmukuf.ru
awewsip.ru
bipulte.ru
biwuvba.ru
bopwyeb.ru
bowbaiv.ru
bycmolhy.ru
bygotbys.ru
byjlegta.ru
byvbymy.ru
caqxaro.ru
citsibe.ru
cylqiduh.ru
dalwoza.ru
darabub.ru
deafesqy.ru
dehjujuq.ru
dinymak.ru
dohwapih.ru
doxilik.ru
egnisje.ru
estesgo.ru
evdyvaz.ru
fetucxo.ru
fevnotow.ru
fidedhah.ru
fixavpu.ru
gazuzoz.ru
gedopan.ru
gijevsog.ru
ginnyjyb.ru
golhysux.ru
gubahvi.ru
gywilhof.ru
hahsekju.ru
haponeg.ru
hedybih.ru
heztymut.ru
hitakat.ru
huquqxov.ru
ihmytog.ru
ikevzaq.ru
imgohut.ru
ipdehas.ru
irhegre.ru
irojvuqu.ru
ivkikcop.ru
ivnuvuk.ru
iwvahin.ru
izxirfy.ru
jaibzup.ru
jamwazer.ru
jebtelyx.ru
jedytlu.ru
jodkymy.ru
jokenqi.ru
jykyvca.ru
jymeegom.ru
jytorqu.ru
jyvvozoz.ru
kejejib.ru
kubtyhuz.ru
kuirfufo.ru
kycufvy.ru
leqgugom.ru
lopoqyv.ru
luditla.ru
lufsekim.ru
lupylzum.ru
mabuhos.ru
mosjinme.ru
muhipew.ru
muwosiv.ru
muzupdyg.ru
neluzjiv.ru
niliqrix.ru
nobzekyx.ru
ocgaextu.ru
ogdowkys.ru
ojpaxlam.ru
oqjogxi.ru
oqlapjim.ru
osmuryf.ru
otgeguuz.ru
otpipug.ru
otxolpow.ru
ovquqaip.ru
pagubev.ru
pawahav.ru
pedugtap.ru
pegyrgun.ru
pevhyvys.ru
pogwytfy.ru
pynxomoj.ru
pyykxug.ru
qaijroke.ru
qiquzcy.ru
quohdit.ru
racadpuh.ru
rebfelqi.ru
rekvyfo.ru
rifirac.ru
risytfa.ru
ritrios.ru
rizsebym.ru
rujfeag.ru
ruxymqic.ru
rybuhoq.ru
rykafeh.ru
saxyjuw.ru
sesuhror.ru
sexjereh.ru
sihemuj.ru
sittanyg.ru
siwebheb.ru
sohaxim.ru
soqvaqo.ru
sukbewli.ru
sutfasof.ru
sutimjy.ru
tahfifak.ru
taixcih.ru
tecviqir.ru
tikoqox.ru
tiwciwux.ru
tozfyma.ru
turiwil.ru
ucelgos.ru
udxowub.ru
udzycaf.ru
uggifym.ru
uhduxic.ru
uhzubvo.ru
umpefan.ru
uqlahaf.ru
uwfekfyj.ru
uwfubpeb.ru
uxfokur.ru
uxosgik.ru
veuwhyz.ru
vijsixem.ru
votqygiq.ru
vunjuet.ru
vuohsub.ru
wapifnuc.ru
warkafoc.ru
wefecfo.ru
wetifjam.ru
wibveces.ru
wyjenqo.ru
xenacoz.ru
xikmonej.ru
xofsimi.ru
xogitaj.ru
xomoqol.ru
ybsahov.ru
ydabxag.ru
ykocnar.ru
ynjaprur.ru
ynkicyr.ru
yxyqwiz.ru
yzsabuq.ru
zaefofin.ru
zidamuk.ru
zupivzed.ru
zuqijcel.ru
zylhomu.ru

As outlined before, these domain names are being used to spread Kelihos. Malware binaries are served under various file names such as calc.exe and rasta01.exe:

http://*random-domain-from-the-list-above*/calc.exe

http://*random-domain-from-the-list-above*/rasta01.exe

All mentioned domain names are registered through the same Russian-based registrar called REGGI-RU:

domain: GYWILHOF.RU
nserver: ns1.biocruc.com.
nserver: ns2.biocruc.com.
nserver: ns3.biocruc.com.
nserver: ns4.systeat.com.
nserver: ns5.systeat.com.
nserver: ns6.systeat.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.01
paid-till: 2013.11.01
free-date: 2013.12.02
source: TCI

… while the domain name itself is using double FastFlux (A record + NS record hosted on a FastFlux botnet):

A records for pevhyvys.ru:
-> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]

Delegated nameservers for pevhyvys.ru:
-> ns2.biocruc.com. -> 114.43.101.84 [114-43-101-84.dynamic.hinet.net.]
-> ns4.systeat.com. -> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]
-> ns6.systeat.com. -> 71.205.242.35 [c-71-205-242-35.hsd1.mi.comcast.net.]
-> ns3.biocruc.com. -> 50.130.45.53 [c-50-130-45-53.hsd1.ms.comcast.net.]
-> ns5.systeat.com. -> 69.132.69.185 [cpe-069-132-069-185.carolina.res.rr.com.]

What surprisingly hasn’t changed is the fact that the Kelihos gang is still using INTERNET.BS (a domain name registrar located in the Bahamas) to register the domain names of the name servers that provide DNS resolution for the malicious .ru domains:

Domain Name: BIOCRUC.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.BIOCRUC.COM
Name Server: NS2.BIOCRUC.COM
Name Server: NS3.BIOCRUC.COM
Name Server: NS4.BIOCRUC.COM
Name Server: NS5.BIOCRUC.COM
Name Server: NS6.BIOCRUC.COM
Status: clientTransferProhibited
Updated Date: 14-aug-2012
Creation Date: 15-jul-2012
Expiration Date: 15-jul-2013

The rise of Kelihos
If we take a look at the global spam statistics today, the Kelihos gang has managed to build one of the biggest spam botnets worldwide, with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day.

But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down since it uses double FastFlux for its malware distribution domains and relies on P2P techniques for botnet communication, so there is no central botnet infrastructure to take down. By adding the ability to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need for a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos that I’ve seen so far have a very poor AV detection rate.

For example:

hXXp://pevhyvys.ru/newavr3.exe

MD5: 19b4bb3dde20da3d6602165a25186a00
File size: 741.0 KB ( 758784 bytes )
File name: newavr3.exe
File type: Win32 EXE
Detection ratio: 1 / 46 (detected by Malwarebytes exclusively at the time of this post)
Reference: Virustotal

So what can a network administrator do to mitigate this threat?

  • Since Kelihos uses port 80 TCP (normally HTTP) to talk to its P2P drones, restrict outbound connections to port 80 TCP and force web traffic through a proxy with protocol inspection, so that non-HTTP and non-HTTPS traffic trying to pass through the proxy gets blocked and alerted on
  • Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
  • Use device control on your endpoints to limit the use of removable drives and prevent Kelihos from spreading through USB sticks etc.
  • Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
  • Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS RPZ (Response Policy Zones)
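The double-FastFlux resolution shown earlier (an A record and all delegated nameservers sitting on residential dynamic IPs, with one IP serving both) and the DNS RPZ mitigation in the last bullet go together, so here is one added example serving both (not the post’s own code or tooling). It scores a domain’s resolution data with the indicators from that output, and for a flagged domain emits the RPZ records a resolver admin would load: NXDOMAIN for the domain, NSDNAME triggers for the nameserver domains (biocruc.com, systeat.com, the ones registered at INTERNET.BS) and NSIP triggers for the current nameserver addresses. The sample data reproduces the dig output from the post for pevhyvys.ru plus a constructed benign control; the dynamic-rDNS patterns, thresholds and zone name are assumptions.

```python
import re

# Resolution data as {domain: {"a": [(ip, ptr)], "ns": {nsname: (ip, ptr)}}}.
# pevhyvys.ru entries copy the post's output; example.org is a constructed
# benign control whose nameservers sit on hosting, not on home connections.
SAMPLE = {
    "pevhyvys.ru": {
        "a": [("67.177.139.18", "c-67-177-139-18.hsd1.mi.comcast.net.")],
        "ns": {
            "ns2.biocruc.com.": ("114.43.101.84", "114-43-101-84.dynamic.hinet.net."),
            "ns4.systeat.com.": ("67.177.139.18", "c-67-177-139-18.hsd1.mi.comcast.net."),
            "ns6.systeat.com.": ("71.205.242.35", "c-71-205-242-35.hsd1.mi.comcast.net."),
            "ns3.biocruc.com.": ("50.130.45.53", "c-50-130-45-53.hsd1.ms.comcast.net."),
            "ns5.systeat.com.": ("69.132.69.185", "cpe-069-132-069-185.carolina.res.rr.com."),
        },
    },
    "example.org": {
        "a": [("192.0.2.10", "www.example.org.")],
        "ns": {"a.ns.example.org.": ("198.51.100.1", "a.ns.example.org."),
               "b.ns.example.org.": ("203.0.113.1", "b.ns.example.org.")},
    },
}

# Assumed rDNS markers of consumer/dynamic address space; tune for your region.
DYNAMIC_PTR = re.compile(r"(dynamic|hsd\d|\.res\.|cpe-|dsl|pool|dhcp|cable)", re.I)


def looks_dynamic(ptr: str) -> bool:
    return bool(DYNAMIC_PTR.search(ptr))


def fastflux_indicators(record):
    """Count how much of the domain's A and NS footprint sits on dynamic space."""
    a_ips = {ip for ip, _ in record["a"]}
    ns_ips = {ip for ip, _ in record["ns"].values()}
    return {
        "a_on_dynamic": sum(looks_dynamic(ptr) for _, ptr in record["a"]),
        "ns_on_dynamic": sum(looks_dynamic(ptr) for _, ptr in record["ns"].values()),
        "ns_total": len(record["ns"]),
        # the same host serving content (A) and authority (NS) is the double-flux tell
        "a_ns_overlap": sorted(a_ips & ns_ips),
    }


def is_double_fastflux(record) -> bool:
    """Assumed rule: content on dynamic space and at least half the NS on dynamic space."""
    ind = fastflux_indicators(record)
    if ind["ns_total"] == 0:
        return False
    return ind["a_on_dynamic"] > 0 and 2 * ind["ns_on_dynamic"] >= ind["ns_total"]


def flagged_domains(data):
    return sorted(name for name, rec in data.items() if is_double_fastflux(rec))


def rpz_ip_owner(ip: str) -> str:
    """RPZ encodes an address as prefixlen.B4.B3.B2.B1 (octets reversed)."""
    return "32." + ".".join(reversed(ip.split(".")))


def rpz_records(name, record):
    """RPZ zone lines for one flagged domain; 'CNAME .' is the NXDOMAIN action."""
    lines = [f"{name} CNAME .", f"*.{name} CNAME ."]
    # NSDNAME triggers hit any name delegated to the flux nameserver domains
    ns_domains = sorted({".".join(ns.rstrip(".").split(".")[-2:]) for ns in record["ns"]})
    for d in ns_domains:
        lines.append(f"{d}.rpz-nsdname CNAME .")
        lines.append(f"*.{d}.rpz-nsdname CNAME .")
    # NSIP triggers are short-lived: flux nameservers rotate through dynamic IPs
    for ip in sorted({ip for ip, _ in record["ns"].values()}):
        lines.append(f"{rpz_ip_owner(ip)}.rpz-nsip CNAME .")
    return lines


def build_rpz_zone(data, origin="rpz.local"):
    """Full zone file text for every flagged domain in `data` (origin is assumed)."""
    header = [f"$ORIGIN {origin}.", "$TTL 300",
              f"@ SOA localhost. hostmaster.{origin}. 1 3600 900 604800 300",
              "@ NS localhost."]
    body = []
    for name in flagged_domains(data):
        body.extend(rpz_records(name, data[name]))
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    for name in flagged_domains(SAMPLE):
        print(name, fastflux_indicators(SAMPLE[name]))
    print(build_rpz_zone(SAMPLE))
```

The NSDNAME triggers are the durable part: they keep working as the gang rotates through the .ru list above, because every one of those domains delegates to biocruc.com/systeat.com. The NSIP lines will need regenerating as often as the flux nodes change, which is why the post’s advice targets the nameserver domains rather than the addresses.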


