A few days ago I published a short analysis of a Trojan dropper which I call DNSTrojan (see New Dropper Uses DNS To Communicate). During this week I’ve tried to mitigate the threat by nuking at least some of the DNSTrojan C&C domain names by pointing them to my sinkhole.
In the first attempt I was able to redirect the traffic of the C&C servers to my sinkhole for around 9 hours. Afterwards the cybercriminals propagated a new C&C domain to the infected clients using httpdsconfig.com (the infected clients regularly contact httpdsconfig.com using DNS to receive a list of C&C domains they should use).
A few hours later I was able to sinkhole the new domain name as well. Below is a chart showing the number of Apache handlers during the time the domain names pointed to the sinkhole:
As you can see, the sinkhole had a huge server load. In total, the C&C traffic was redirected to my sinkhole for 10 hours. During this time I was able to count 23’000 unique IPs hitting the sinkhole. So I estimate the botnet size at 35k-50k unique IPs per day. This seems to be a huge number, but in fact this isn’t a really BIG botnet (for comparison: recently I was able to monitor a botnet which had a size of over 320’000 unique IPs per day).
Below is a chart which shows the geolocation of the botnet:
During the sinkhole action I was confronted with an unexpected problem: the botnet size wasn’t the problem, but the fact that each bot queries the C&C every 30 seconds caused my server some performance problems. As you can see on the chart above, it ended with a downtime of the sinkhole server. In cooperation with Shadowserver I’ve now moved the domain names over to Shadowserver’s sinkhole, which should be able to handle that amount of requests easily.
In the last blog post I published a list of C&C domains which are associated with the Trojan. Below is an updated list with additional domain names which I’ve come across so far:
Another interesting find which I made during the sinkholing action is that the cybercriminals are obviously using some kind of monitoring server. They periodically call a PHP file called check.php on the C&C domain names to check whether the servers are still accessible:
18.104.22.168 “HEAD /check.php HTTP/1.1” 200 “curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/22.214.171.124 libidn/1.8 libssh2/0.18” “
The two monitoring servers are located in Sweden and the Netherlands:
AS number: AS49770
AS name: SERVERCONNECT-AS ServerConnect Sweden AB
IP address: 126.96.36.199
AS number: AS16265
AS name: LEASEWEB AS
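The sinkhole-side analysis described above, as an added example that is not code from the original post: it separates the operators' check.php probes from bot check-ins, collects the unique bot IPs and measures the beacon interval that drives the server load. The Apache combined log format, the /gate.php path and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: the sinkhole logs in Apache "combined" format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample (documentation IP ranges, hypothetical /gate.php check-in path).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2011:12:00:00 +0000] "POST /gate.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2011:12:00:05 +0000] "POST /gate.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Jan/2011:12:00:12 +0000] "HEAD /check.php HTTP/1.1" 200 0 "-" "curl/7.18.2 (x86_64-pc-linux-gnu)"
192.0.2.10 - - [01/Jan/2011:12:00:30 +0000] "POST /gate.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2011:12:00:35 +0000] "POST /gate.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Jan/2011:12:01:00 +0000] "POST /gate.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
not a log line
"""

def is_monitor_probe(rec):
    """Operator health check as seen in the post: HEAD /check.php sent by curl."""
    return (rec["method"] == "HEAD" and rec["path"] == "/check.php"
            and rec["ua"].startswith("curl/"))

def summarize(log_text):
    seen = defaultdict(list)   # bot IP -> timestamps of its check-ins
    monitors = set()           # IPs sending the check.php probe
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip malformed lines instead of crashing
        rec = m.groupdict()
        if is_monitor_probe(rec):
            monitors.add(rec["ip"])
            continue
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[rec["ip"]].append(ts)
    gaps = [(b - a).total_seconds()
            for times in seen.values()
            for a, b in zip(sorted(times), sorted(times)[1:])]
    return {"bots": set(seen) - monitors, "monitors": monitors,
            "beacon_interval_s": median(gaps) if gaps else None}

def expected_load(online_bots, beacon_interval_s):
    """Steady-state requests per second if every online bot beacons on schedule."""
    return online_bots / beacon_interval_s
```

Feeding the measured interval and an estimate of concurrently online bots into `expected_load` gives the request rate a sinkhole has to be sized for before the domains are pointed at it.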
If we put things together, we can draw the following picture:
As shown above, the C&C servers are obviously just acting as nginx proxies which are redirecting to the real mothership (which is currently unknown). Here is the list of nginx proxies which I’ve identified so far:
188.8.131.52 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
184.108.40.206 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
220.127.116.11 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
18.104.22.168 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
22.214.171.124 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
126.96.36.199 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
188.8.131.52 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
184.108.40.206 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
Let’s see where they are moving to during the next few days…