Introducing: Palevo Tracker

Today we are going to talk about a nasty worm called Palevo.

Palevo (also known as Rimecud, Butterfly bot or Pilleuz) made some big press in 2009 when Panda Security announced the coordinated takedown of a huge botnet that they called Mariposa.

Since then the threat lost its media attention, but what most people don’t known is: Palevo is still a big player in the global threat landscape. According to FireEye, in 2010 Palevo was the top malware (# of infections) in the world:

Source: FireEye’s Malware Intelligence Lab: World’s Top Malware

Palevo is a so called bot kit that is being sold in underground forums (like ZeuS) using the name BUtterFly BOT. Therefore there are dozens of different botnets out there run by different criminal groups.

So what is the key to the success of Palevo? The worm is using different techniques to spread itself. The most common builtin techniques include:

  • P2P filesharing programs (bearshare, imesh, emule, limewire etc.)
  • Instant messaging (MSN- / Windows Live Messenger)
  • Removable drives (like USB-Sticks)

In addition, criminals have been observed linking other spreading mechanisms such as windows filesharing spread with palevo to achieve maximum impact.

During the past few months I have come across dozens of USB sticks infected with a variant of Palevo. Unfortunately, most (new) Palevo samples have a very bad detection rate. This makes it pretty easy to get infected. Just imagine you are attending a meeting or event, and you ask your colleague or the presenter to get a copy of the presentation he just held a few minutes before. What will he do? Well, most probably he will provide you with his USB stick with a copy of the presentation and BOOM – you are infected.

Another aspect of the problem is the fact that most employees are using the same USB stick at home and at work. If they plug-in the USB stick (which were previously infected by Palevo on the home computer) into the office computer, Palevo will infected it immediately. In this case it doesn’t matter what corporate Firewall or what Spam-Filter you are using in your network – you will get infected before most of the corporate security devices have had a chance to kick in.

In spite of Microsofts decision to disable autoplay in Windows 7, and the highly needed disabling of autorun (except for CDs) in XP/Vista/2003/2008, Palevo still seems to spread widely.

A further problem is the way Palevo communicates with its Command&Control server (C&C): The worm uses UDP and encrypts the data sent to the C&C server on (in most cases) a high port (e.g. 7700 UDP). The reason why Palevo uses UDP is simple: There is a bunch of Firewalls/Appliances out there which are poorly configured and therefore:

  • aren’t logging UDP packets in the Firewall log
  • allow UDP traffic by default

That makes it pretty easy to keep the Palevo C&C traffic hidden even in corporate networks.

*** Palevo Tracker ***
As outlined above, Palevo is a huge threat for corporate- and home networks. Due to the fact that it is spread widely and most people are not aware of the problem I have decided to create Palevo Tracker. My goals are:

  • Get some attention on the Palevo threat
  • Provide a blocklist for well known Palevo C&Cs to the internet community
  • Provide details regarding Palevo C&Cs to ISPs, CERTs and Law Enforcement
  • Keep the project smart and simple as possible

To keep it simple I’ve created Palevo Tracker as sub-project on AMaDa. This means that the Palevo Tracker blocklist is included in the AMaDa C&C Blocklist.

You can use the blocklist to block Palevo C&C traffic proactively and/or to identify infected clients (e.g. by matching the blocklist against your Firewall logs).

*** Further Links ***
Below are some links to different AV-vendors currently detecting Palevo:

Symantec: W32.Pilleuz
McAfee: W32/Palevo
Microsoft: Win32/Rimecud
Symantec Connect: The Mariposa Butterfly

Follow me on Twitter:

One thought on “Introducing: Palevo Tracker

Leave a Reply

Your email address will not be published. Required fields are marked *