Archive for the 'Monitoring & Reporting' Category

Page 2 of 9

Introducing: Feodo Tracker

In the past week I’ve received multiple reports about wide-spread spam campaigns hitting German speaking countries. The spam emails are multi-themed and pretend to come from either Volksbank, Deutsche Telekom, Vodafon D2 or NTT. There are already various blog posts about the latest spam campaign for example on G Data SecurityBlog (German) or Cisco Blog (English). Deutsche Telekom has also already published a blog post on their website warning its customers about fake invoices (German) pretending to come from Deutsche Telekom. While the fake invoices that are being sent out by the cybercriminals vary, they usually point to a malicious website that always serves the same malware to its visitors: Feodo.

Feodo (also known as Cridex and Bugat) is yet another ebanking Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or user credentials. The trojan itself isn’t really new, in fact its already been around for over two years now – it was first spotted in January 2012. Feodo is not only hitting Germany, its also hitting financial institutions in several other countries.

Feodo Modus Operandi
Currently, there are two versions of Feodo known: Let’s call them version A and version B. The spam- and malware-campaign we have seen recently hitting Germany can be attributed to version B. One of the biggest differences between those two versions is the way an infected computer (bot) communicates with its C&C servers. While version A is communicating over HTTP to hijacked servers running a nginx daemon on port 8080 TCP (which are in fact just acting as proxy node forwarding all botnet traffic to a tier 2 proxy server), version B communicates with its botnet C&C infrastructure using HTTP on port 80 TCP. For version B, the botnet C&C infrastructure (domain names + hosting) is set up by cybercriminals for the exclusive purpose of hosting a Feodo botnet C&C server.

Mitigating the Feodo threat

As mentioned earlier, Feodo isn’t a new threat but it seems to be emerging these days. Hence, I’ve decided to put Feodo in the spotlight by launching yet another tracker. Introducing: Feodo Tracker. Similar to the existing trackers for ZeuS, SpyEye and Palevo, Feodo Tracker provides an overview over existing Feodo botnet C&C servers and serves a blocklist in different formats, allowing system- and network administrators to spot and stop Feodo C&C traffic in their network as well as identifying infected computers in the local network (LAN). Currently, Feodo Tracker offers plain text blocklists for both Feodo C&C IP addresses and Feodo C&C domains but also IDS/IPs rules for Snort and Suricata.

Feodo Malware Distribution
Looking at the modus operandi of this Feodo gang (which is running version B) and how they operate to recruit new bots shows that they are using both compromised websites as well as domain names registered for the exclusive purpose of infecting new computers (spam landing pages). Sample URLs/Domains are:

hXXp://clownjohh.ru/vodafone_online/ (malicious domain)
hXXp://clownjohh.ru/telekom_deutschland/ (malicious domain)
hXXp://sencert.ru/volksbank_eg/ (malicious domain)
hXXp://mmc-tt.ru/telekom/ (malicious domain)
hXXp://frtyui.ru/telekom_deutschland/ (malicious domain)
hXXp://1pfkc1.happykid.ch/vodafon/ (compromised/hijacked)
hXXp://xs9imj.tenebro.us/telekom/ (compromised/hijacked)
etc…

Those URLs are embedded / advertised in the spam mails which are being sent out by the criminals using stolen SMTP credentials. By taking advantage of stolen SMTP credentials the criminals bypass usual DNSBL-driven spam filters. Most of the advertised .ru URLs (which are, as said, usually registered by the cybercriminals themselves for the exclusive purpose of hosting a Feodo malware distribution site) are registered through the Russian based domain registrar REG.RU.

Feodo Botnet C&C Infrastructure
Looking at the Feodo botnet C&C Infrastructure for this Feodo campaign (version B) shows that all botnet C&C domains are within ccTLD .ru and, again, registered through the Russian based domain registrar REG.RU:

Feodo C&C domains

It’s not the first time criminals are using REG.RU to register malicious domain names. In this case the criminals also decided to host their DNS at REG.RU’s DNS infrastructure. All Feodo botnet C&C domains I’ve seen so far are using REG.RU’s DNS infrastructure as delegated DNS servers:

ns1.reg.ru. 345600 IN A 31.31.205.39
ns1.reg.ru. 345600 IN A 31.31.205.55
ns1.reg.ru. 345600 IN A 31.31.205.73
ns1.reg.ru. 345600 IN A 31.31.204.25
ns1.reg.ru. 345600 IN A 31.31.204.37
ns1.reg.ru. 345600 IN A 31.31.204.52
ns1.reg.ru. 345600 IN AAAA 2a00:f940::25
ns2.reg.ru. 345600 IN A 31.31.205.56
ns2.reg.ru. 345600 IN A 31.31.205.74
ns2.reg.ru. 345600 IN A 88.212.207.122
ns2.reg.ru. 345600 IN A 198.100.149.22
ns2.reg.ru. 345600 IN AAAA 2a00:f940::37

Hence, you may want to block any DNS query going to REG.RU’s DNS infrastructure to prevent further abuse. But please keep in mind that there are also thousands of legit domain names using REG.RU’s DNS infrastructure, so blocking those DNS servers will cause collateral damage.

Conclusion
My goal is to provide system- and network administrators – as well as Internet Service Providers (ISPs) – the possibility to mitigate the recent Feodo attacks by blocking known bad Feodo C&C botnet traffic at their network edge (such as Router, Firewalls, Web-Proxy and DNS-servers). I hope Feodo Tracker will help to support these efforts. If you have feedback on Feodo Tracker or any other project please feel free to drop me a line using the contact form.

Follow me on Twitter: https://twitter.com/abuse_ch

Further readings

AMaDa Discontinued, Palevo Tracker With A New Home

As announced on Twitter last month, abuse.ch Malware Database (AMaDa) has been discontinued on 2012-03-17.

Since my announcement on Twitter to discontinue AMaDa, I received several dozen emails from IT security representatives of ISPs, national CERTs as well as governmental and non-governmental organisations that were using AMaDa’s blocklist to identify compromised computers within their networks. I have to say that I was quite amazed how many people used AMaDa’s blocklist. However I’m unable to answer all these emails due to lack of time, hence I decided to publish a short statement on my blog.

AMaDa was launched in 2010, since then it has analysed 169’545 URLs serving malware, 160’183 malicious binaries and identified 1’685 malware botnet controllers associated with all kinds of Trojans (like Mebroot, TLD/TDSS, Carberp, BlackEnergy, Ramnit and many more).

In February 2011, I started Palevo Tracker as sub-project of AMaDa. Palevo Tracker’s blocklist was served together with the AMaDa IP and Domain blocklist.

Running and maintaining the tracking infrastructure (ZeuS-, SpyEye- and Palevo Tracker) is very time intensive, also since it created much “background noise” (sometimes I think I need a secretary to handle all emails and requests). Hence I was prevented from blogging as much as I would have liked to last year. Unfortunately, every day only has 24 hours, and due to personal circumstances as well as my focus on other (non-public) projects I’m no longer able to provide AMaDa’s data / information with a good enough quality. I always serve data and information on “best effort” basis, and as I’m no longer able commit to that for AMaDa I’ve decided to discontinue the project (please keep in mind that all these projects are done in my spare time).

I’m aware that this is bad news for many of you, but fortunately I also have some good news. This weekend I moved Palevo Tracker onto a new infrastructure. I decided to keep Palevo Tracker running as a “new” project. Since AMaDa is gone, Palevo Tracker has found a new home on it’s own sub domain:

Palevo Tracker (including it’s blocklists) can be found at https://palevotracker.abuse.ch

If you are using one of AMaDa’s blocklists, please ensure that you stop query them as they are no longer available. If you want to keep up identifying Palevo botnet C&Cs please switch to one of the blocklists available on Palevo Tracker’s Blocklist page.

*** Links ***




economics-recluse
Scene
Urgent!