Monthly Archive for March, 2012

Kelihos Back In Town Using Fast Flux

In September 2011, Microsoft announced the takedown of the Kelihos botnet. At the beginning of 2012, Kaspersky found a new version of Kelihos in the wild.

Kelihos (also known as Hlux) is a spambot with the capability to steal credentials from the victim’s computer and to drop additional malware. While the old version used the second-level domain cz.cc for its distribution and to control the botnet, the new version takes advantage of the TLD .eu in combination with Fast Flux techniques.

*** The Kelihos Spambot ***

Recently, I spotted a sample of Kelihos in my sandnet, so I decided to have a short look at it:

As soon as the victim’s computer has been infected successfully, the malware will try to drop an additional file by calling a .eu domain which seems to be hard-coded in the infection binary:

hXXp://ejywqem.eu/rtce003.exe
hXXp://etrodhy.eu/jucheck.exe

The first URL will return a binary:

Filename: rtce003.exe
MD5 hash: 1393e4f5d0691e3de07eeda1b1451b89
File size: 886’272 bytes
AV detection: 10 / 43

The mentioned file will install the WinPcap library, which is used by the malware to sniff the network traffic on the victim’s computer:

Origin process (executing process) Affected file
C:\WINDOWS\Temp\_ex-68.exe C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\Temp\_ex-68.exe C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Temp\_ex-68.exe C:\WINDOWS\system32\drivers\npf.sys

By sniffing the network traffic, the malware is able to steal sensitive data like credentials.
The second URL (jucheck.exe) will just return an HTTP 200 OK. As soon as the WinPcap library has been installed, the malware will start to communicate with other drones on port 80 (using its own protocol). It is some kind of P2P protocol used by the malware to get a list of other drones participating in the Kelihos botnet.

To begin its spam operations, Kelihos will connect to another drone using HTTP and a random URL string:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre

*encrypted-data*

HTTP/1.1 200
Server: Apache
Content-Length: 55002
Content-Type:
Last-Modified: X
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 04 Mar 2012 X
Last-Modified:Sun, 04 Mar 2012 X
Accept-Ranges:bytes

*encrypted-data*

This communication is used to get the spam templates as well as the email address list. Afterwards the spambot will start to send out spam mails (see the screenshot, click to enlarge).

Currently the Kelihos botnet seems to send out German stock spam.

*** Kelihos FastFlux botnet ***

Let’s take a closer look at the .eu domains used by Kelihos. What pops up quickly is the fact that the domain names used by Kelihos are hosted on a FastFlux botnet, as all the records have a TTL of 0:

$ dig ejywqem.eu A

;; QUESTION SECTION:
;ejywqem.eu. IN A

;; ANSWER SECTION:
ejywqem.eu. 0 IN A 88.132.1.15

The delegated nameservers for the mentioned domain name are hosted on a FastFlux botnet as well. This is what we call Double-Flux:

$ dig ejywqem.eu NS

;; QUESTION SECTION:
;ejywqem.eu. IN NS

;; ANSWER SECTION:
ejywqem.eu. 0 IN NS ns6.ejywqem.eu.
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
ejywqem.eu. 0 IN NS ns2.ejywqem.eu.
ejywqem.eu. 0 IN NS ns3.ejywqem.eu.
ejywqem.eu. 0 IN NS ns4.ejywqem.eu.
ejywqem.eu. 0 IN NS ns5.ejywqem.eu.
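The two dig answers above can be turned into an automatic double-flux check. The following is an added example, not code from the original post: it parses the ANSWER SECTION of dig output and classifies a domain by the TTLs of its A and NS records. The "low TTL" threshold of 300 seconds is an assumption chosen for illustration; the sample dig output is constructed from the answers quoted above.

```python
import re

# Constructed samples mirroring the dig answers quoted in the post.
DIG_A = """;; QUESTION SECTION:
;ejywqem.eu. IN A

;; ANSWER SECTION:
ejywqem.eu. 0 IN A 88.132.1.15
"""

DIG_NS = """;; ANSWER SECTION:
ejywqem.eu. 0 IN NS ns6.ejywqem.eu.
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
"""

# owner name, TTL, class IN, type A or NS, rdata (dig separates fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_answers(dig_output):
    """Return a list of (name, ttl, rtype, rdata) tuples from the ANSWER SECTION."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):        # any other section header ends the answers
            in_answer = False
            continue
        m = RR_RE.match(line) if in_answer else None
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def classify_flux(a_records, ns_records, low_ttl=300):
    """'fast-flux' if the A records have a low TTL, 'double-flux' if the NS records
    do as well (the resolving infrastructure is rotated too), else 'normal'."""
    a_low = bool(a_records) and all(ttl <= low_ttl for _, ttl, _, _ in a_records)
    ns_low = bool(ns_records) and all(ttl <= low_ttl for _, ttl, _, _ in ns_records)
    if a_low and ns_low:
        return "double-flux"
    if a_low:
        return "fast-flux"
    return "normal"


if __name__ == "__main__":
    print(classify_flux(parse_answers(DIG_A), parse_answers(DIG_NS)))  # double-flux
```

A TTL of 0 alone is not proof of malice (some CDNs and load balancers use very low TTLs), so the result is a triage signal to combine with the registrar and hosting observations below.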

When taking a look at the geolocation of this Fast Flux botnet, it seems that the botnet is mainly located in eastern Europe (see the map).

Due to the fact that these domain names are using double-flux, it is extremely hard to shut them down (there is no single web server or DNS server to take down). Currently, several domain names are hosted on this Fast Flux botnet.


All mentioned domain names are registered through OnlineNIC (a domain name registrar located in the US):

Domain: zoneczu

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased whois.

Registrar Technical Contacts:
Name: Breeze Wu
Organisation: OnlineNIC Inc.
Language: en
Phone: +86.15306099988
Fax: +852.58044444
Email: Tech@regionalofficecenter.com

Registrar:
Name: OnlineNIC Inc
Website: www.onlinenic.com

Name servers:
ns5.pizzebu.com
ns6.pizzebu.com

The domain name used to resolve these malicious domains is registered through internet.bs (a domain name registrar located in the Bahamas):

Domain Name: PIZZEBU.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.PIZZEBU.COM
Name Server: NS2.PIZZEBU.COM
Name Server: NS3.PIZZEBU.COM
Name Server: NS4.PIZZEBU.COM
Name Server: NS5.PIZZEBU.COM
Name Server: NS6.PIZZEBU.COM
Status: clientTransferProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013

This Fast Flux botnet reminds me of the Fast Flux botnet used by Waledac which was also using a TTL of 0 for their DNS records.

*** Detection ***

As hard as this botnet is to take down, it should be just as easy to detect computers infected with Kelihos. The malware itself seems to ignore several RFCs, which makes it very easy to detect infected computers in corporate and governmental networks.

In the first stage, the malware hits “jucheck.exe” with an incomplete HTTP request:

GET /jucheck.exe HTTP/1.0
Host: etrodhy.eu

This particular HTTP request is missing several HTTP fields which a normal web browser would use:

  • Several HTTP fields like User-Agent, Accept-Language, Accept-Encoding are missing
  • The URL jucheck.exe seems to be quite static, so you just have to watch out for .eu domains in combination with jucheck.exe in your gateway logs

In the second stage (where the malware tries to connect to other drones using HTTP), the malware sends 1-2KB of encrypted data to the foreign peer:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464

I’m not an RFC specialist, but I’ve never seen an HTTP GET request in combination with the Content-Length header. I would only expect the HTTP Content-Length header from the server (response) or when sending an HTTP POST request to the server. Therefore it should be very easy to detect Kelihos in your network: just watch out for HTTP GET requests containing the header field “Content-Length”.
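The two detection rules above, written out as a small checker. This is an added example, not code from the original post: it parses a raw HTTP request (as extracted from a proxy log or a pcap) and reports a GET carrying Content-Length (the peer-to-peer stage) and a GET for /jucheck.exe on a .eu host that lacks the headers a browser would send (the first stage). The list of "browser headers" is an assumption for illustration; the sample requests are constructed from the ones quoted in the post.

```python
# Headers a normal browser sends and Kelihos' first-stage request does not (assumed set).
BROWSER_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lower-case header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of headers; a body (if any) follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def kelihos_indicators(raw):
    """Return the list of Kelihos indicators found in one request (empty = nothing seen)."""
    method, path, headers = parse_request(raw)
    hits = []
    # Rule 1: drone-to-drone stage, a GET that announces a request body.
    if method == "GET" and "content-length" in headers:
        hits.append("GET with Content-Length (%s bytes)" % headers["content-length"])
    # Rule 2: first stage, the static jucheck.exe URL on a .eu host with no browser headers.
    host = headers.get("host", "").split(":")[0]
    if method == "GET" and path.endswith("/jucheck.exe") and host.endswith(".eu"):
        missing = [h for h in BROWSER_HEADERS if h not in headers]
        if missing:
            hits.append("jucheck.exe on .eu host, missing " + ", ".join(missing))
    return hits


# Constructed samples mirroring the requests quoted above, plus a benign browser request.
STAGE1 = "GET /jucheck.exe HTTP/1.0\r\nHost: etrodhy.eu\r\n\r\n"
STAGE2 = ("GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1\r\nHost: 79.132.177.87\r\n"
          "Content-Length: 1464\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
BROWSER = ("GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
           "Accept: */*\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("stage1", STAGE1), ("stage2", STAGE2), ("browser", BROWSER)):
        print(name, kelihos_indicators(req))
```

A body on a GET is unusual but not forbidden by the HTTP specification, so treat the first rule as a strong triage signal rather than a definitive verdict.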

Happy Kelihos hunting!

Follow me on Twitter:
https://twitter.com/abuse_ch

Scareware Locks Down Computer Due To Child Porn and Terrorism

Recently, my sandbox came across a scareware that locks down the victim’s computer due to “terrorism and child pornography”. The malware is being detected by some AV vendors as “Win32/LockScreen”.

The schema is pretty simple: the criminals try to infect computers with scareware (e.g. through drive-by exploits). As soon as the computer is infected, the malware locks down the machine so that the user is no longer able to log in. The malware then displays a message to the user claiming that the law enforcement agency XY found child pornography on the victim’s computer and that the computer was used to send out “spam mails with terrorist motives”:

Attention!!!

This operating system is locked due to the violation of the laws of the United Kingdom! Following violations were detected:
Your IP address was used to visit websites containing pornography, child pornography, zoopillia and child abuse. Your computer also contains video files with Pornographic content, elements of violence and child pornograhpy! Spam-messages with terrorist motives were also sent from your computer

This computer lock is aimed to stop your illegal activity.

The message displayed to the victim looks like the screenshot shown here (click to enlarge).

What is interesting about this scareware is its dependency on the geolocation of the victim’s computer. Before the scareware displays the message shown above, it contacts a central botnet command and control server (C&C) located in Ukraine (188.190.99.174 – AS197145 Infium LTD) using HTTP:

X-188.190.099.174.00080: GET /loc/gate.php?getpic=getpic HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

188.190.099.174.00080-X: HTTP/1.1 200 OK
Date: Wed, XX Feb 2012 XX:XX:XX
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

http://188.190.99.174/pic/DE.bmp

In the first request the malware contacts the C&C using a parameter called “getpic”. The C&C responds with a URL pointing to the image the malware should display to the victim. The malware will follow the URL and download the BMP file:

GET /pic/DE.bmp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Cache-Control: no-cache

Then the malware will determine the IP address of the victim’s computer by using the parameter “getip”:

X-188.190.099.174.00080: GET /loc/gate.php?getip=getip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

Afterwards the malware displays a “lock screen” to the user using the response (the IP address) from the C&C and the image file downloaded before.

The interesting part is that you can identify the countries which are being hit by this attack by guessing the file names on the botnet controller (country codes). So far, I’ve identified the following countries/URLs:

Location: http://188.190.99.174/pic/AT.bmp
Country: Austria (AT)
Agency: BUNDESPOLIZEI
Domain name: landes-kriminalt.net

Location: http://188.190.99.174/pic/DE.bmp
Country: Germany (DE)
Agency: BUNDESPOLIZEI
Domain name: landes-kriminalt.net

Location: http://188.190.99.174/pic/GB.bmp
Country: United Kingdom (GB)
Agency: METRPOPOLITIAN POLICE
Domain name: policemetropolitan.org

Location: http://188.190.99.174/pic/FR.bmp
Country: France (FR)
Agency: Gendarmerie nationale
Domain name: n-p-f.org

Location: http://188.190.99.174/pic/IT.bmp
Country: Italy (IT)
Agency: Guardia di Finanza
Domain name: it-polizia.org

Location: http://188.190.99.174/pic/ES.bmp
Country: Spain (ES)
Agency: La policia ESPANOLA
Domain name: lapoliciaespanola.org

Most domain names mentioned above are misspelled; for example, the domain name landes-kriminalt.net is a misspelling of “Kriminalamt”, which is equivalent to the Federal Police. All mentioned domain names are registered through the registrar BIZCN (a registrar located in China):

Domain Name: LANDES-KRIMINALT.NET
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 02-may-2011
Creation Date: 02-may-2011
Expiration Date: 02-may-2012

Last update of whois database: Thu, 01 Mar 2012 10:26:21 UTC
[…]

Domain name: landes-kriminalt.net

Registrant Contact:
Lilo
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Administrative Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Technical Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Billing Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2011-05-02
Expires: 2012-05-02

What nearly all of these domain names have in common is the fact that they have already been registered for more than 8 months (Created: 2011-05-02). The same registrant has also registered a number of other domain names.


I’m asking myself how the criminals have managed not to get their domain names suspended for such a long time period. Please note that these domain names can be considered as malicious and should therefore be blocked at your network’s edge (web gateway / proxy / DNS) along with the botnet controller (188.190.99.174).

The described scareware schema isn’t really new: Switzerland, along with several other European countries, was hit by a similar attack back in 2011.
