abuse.ch Running On New Hardware

What most people don’t know is that abuse.ch is, for the most part, a “one-man show”. I run abuse.ch and its associated projects by myself in my spare time, next to a full-time job that is very demanding. I run abuse.ch on a non-profit basis: I do not sell any data or information. Hence I have to rely on donations and the good will of third parties to keep my projects up and running.

On December 15 2014, I had to suspend services for abuse.ch and ZeuS Tracker due to some major server issues. The backend server that was hosting those services crashed unexpectedly several times. As a result, a database got corrupted, which in turn caused irreparable damage to a few database tables.

The backend server that crashed was running on very old hardware. I was not able to locate the cause of the crashes, so I figured that bringing the services back up on the old hardware would be a really bad idea. To prevent further irreparable damage to the databases, I decided to temporarily suspend the services and look for a new home for abuse.ch and ZeuS Tracker.

In the past days I have been busy searching for a new home for abuse.ch and ZeuS Tracker. I have to say that I was overwhelmed by the number of people that offered me help. I had never imagined that so many people enjoy and rely on the services offered on abuse.ch. Hence it wasn’t too difficult to find a sponsor for new servers. On December 19 2014, I was able to restore services for both abuse.ch and ZeuS Tracker on new hardware sponsored by PhishLabs and ThreatSTOP. I would like to thank both of them for their great support.

I also want to take the opportunity and thank all the organisations and security researchers that I work with regularly and that support my efforts to make the internet a safer place. Some of them decided to remain anonymous and hence do not wish to get named in public. For all others I’ve set up the page “Friends of abuse.ch”. You can find the list of supporters of abuse.ch here.

The vast amount of positive feedback I have received in the past days motivates me even more to continue my fight against cybercrime and to keep providing data and information about cyberthreats to the internet community for the common good.

I wish you all a Merry Christmas and a Happy New Year!

Follow abuse.ch on Twitter:
https://twitter.com/abuse_ch

Cridex, Feodo, Geodo, Dridex, what’s next?

In June 2014 I blogged about new developments on the Feodo / Cridex front. While Feodo was pretty active in Germany in January 2014, it suddenly disappeared. In June 2014 Feodo reappeared with new program code: Geodo was born. For me it was not clear whether the disappearance of Feodo was a direct response to the launch of Feodo Tracker. However, a few days after I announced that I had extended Feodo Tracker to track Geodo, Geodo suddenly disappeared as well.

Roughly a month later, my friends over at S21sec reported the appearance of another new Feodo variant: Dridex.

Together with friends from the infosec community I started to investigate Dridex. One of the most interesting findings is that while Feodo and Geodo have been spammed out massively in Germany and targeted financial institutions there, Dridex clearly has a different focus. Looking into one of the recent Dridex configuration files reveals different botnets that are targeting financial institutions in the US, UK and CH.

While the attackers abused well-known German brands such as Deutsche Telekom, O2 and Vodafone for their spam runs to spread Geodo in Germany, they are now abusing UK-based brands such as British Telecommunications (BT) to spread Dridex in the UK.

Overall it seems that the modus operandi didn’t change much with Dridex: the attackers are still using spam emails to spread Dridex, abusing stolen SMTP credentials. Dridex botnet controllers are still hosted on compromised boxes and run an nginx daemon that usually listens on port 8080 TCP. What has changed is the URL structure of the Dridex botnet C&C communication: the URL structure and code vary between each variant.

Taking a look at one of the recent Dridex configuration files reveals additional botnet C&C IPs used for Dridex backconnect, the VNC module and webinjects (“redirects”), which vary for each Dridex botnet:

<bconnect>5.135.28.113:443</bconnect>
<vncconnect>5.135.28.109:9955</vncconnect>
<redirects>
   <redirect name="1st" vnc="0" socks="0" uri="http://62.76.44.174:8080/injectgate" timeout="20">twister5.js</redirect>
   <redirect name="2nd" vnc="1" socks="1" uri="http://50.56.34.20:8080/tokengate" timeout="20">mainsc5.js</redirect>
   <redirect name="vbv1" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/ukvbvg/js.php" timeout="20">/logs/ukvbvg/js.php</redirect>
   <redirect name="vbv2" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/ukvbvg/in.php" timeout="20">/logs/ukvbvg/in.php</redirect>
   <redirect name="logs1" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/in.php" timeout="20">/logs/in.php</redirect>
</redirects>
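The config fragment above is the raw material a tracker turns into blocklist entries. The script below is an added example, not abuse.ch or Feodo Tracker code: it wraps the fragment in a synthetic root element (the `<config>` name is an assumption, the original file's outer structure is not shown), pulls the backconnect and VNC endpoints out of `<bconnect>` / `<vncconnect>`, pulls the C&C hosts out of each `<redirect uri="...">` while keeping the vnc/socks flags, validates every IP:port pair, and collapses the result into a deduplicated IP:port blocklist. Elements that are missing or malformed are skipped rather than crashing the extraction, since configs of other botnets may differ.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The <bconnect>/<vncconnect>/<redirects> fragment as shown in the post,
# wrapped in a synthetic <config> root so it parses as a complete document.
DRIDEX_CONFIG_FRAGMENT = """<config>
<bconnect>5.135.28.113:443</bconnect>
<vncconnect>5.135.28.109:9955</vncconnect>
<redirects>
   <redirect name="1st" vnc="0" socks="0" uri="http://62.76.44.174:8080/injectgate" timeout="20">twister5.js</redirect>
   <redirect name="2nd" vnc="1" socks="1" uri="http://50.56.34.20:8080/tokengate" timeout="20">mainsc5.js</redirect>
   <redirect name="vbv1" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/ukvbvg/js.php" timeout="20">/logs/ukvbvg/js.php</redirect>
   <redirect name="vbv2" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/ukvbvg/in.php" timeout="20">/logs/ukvbvg/in.php</redirect>
   <redirect name="logs1" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/in.php" timeout="20">/logs/in.php</redirect>
</redirects>
</config>"""

HOSTPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def split_hostport(value):
    """Return (ip, port) for a dotted-quad 'ip:port' string, or None if invalid."""
    m = HOSTPORT_RE.match(value.strip())
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    if not 0 < port <= 65535 or any(int(o) > 255 for o in ip.split(".")):
        return None
    return ip, port


def extract_iocs(xml_text):
    """Collect the C&C endpoints referenced by a Dridex-style config."""
    root = ET.fromstring(xml_text)
    iocs = []
    # Fixed-role endpoints: backconnect server and VNC module server.
    for tag, role in (("bconnect", "backconnect"), ("vncconnect", "vnc")):
        el = root.find(tag)
        hp = split_hostport(el.text or "") if el is not None else None
        if hp:
            iocs.append({"role": role, "name": tag, "ip": hp[0], "port": hp[1],
                         "uri": None, "vnc": False, "socks": False})
    # Webinject ("redirect") gates: host and port come from the uri attribute;
    # vnc/socks flags tell which modules that gate may trigger.
    for r in root.iter("redirect"):
        uri = r.get("uri", "")
        u = urlparse(uri)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue
        port = u.port or (443 if u.scheme == "https" else 80)
        iocs.append({"role": "redirect", "name": r.get("name"), "ip": u.hostname,
                     "port": port, "uri": uri,
                     "vnc": r.get("vnc") == "1", "socks": r.get("socks") == "1"})
    return iocs


def blocklist(iocs):
    """Deduplicated 'ip:port' entries, sorted numerically by address then port."""
    pairs = {(i["ip"], i["port"]) for i in iocs}
    ordered = sorted(pairs, key=lambda p: (tuple(int(o) for o in p[0].split(".")), p[1]))
    return [f"{ip}:{port}" for ip, port in ordered]


if __name__ == "__main__":
    found = extract_iocs(DRIDEX_CONFIG_FRAGMENT)
    for i in found:
        print(f"{i['role']:<11} {i['name']:<10} {i['ip']}:{i['port']}  vnc={i['vnc']} socks={i['socks']}")
    print("\n".join(blocklist(found)))
```

Run stand-alone it prints one line per endpoint and then the five distinct IP:port pairs; the three `logs`/`vbv` redirects share one host and collapse into a single entry. The gate URIs themselves (`/injectgate`, `/tokengate`, `/logs/...`) are kept on each record so they can feed a proxy or IDS rule in addition to the IP-level blocklist.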

Like the GameOver ZeuS botnet (GOZ), Dridex appears to be run on a Malware-as-a-Service (MaaS) model: different botnets target different financial institutions and countries, but all use the same malware.

In mid-August 2014, I started to list Dridex botnet C&Cs on Feodo Tracker as well. These are labelled as Version D on Feodo Tracker and are pushed into the Feodo Tracker Blocklists.

Malware   Feodo Tracker naming
Feodo     Version A / Version B
Geodo     Version C
Dridex    Version D

Now, let’s see if this gang abandons Dridex as fast as they abandoned Feodo and Geodo.

Some recent Dridex C&Cs:

108.166.70.44:8080
202.124.205.84:8080
85.214.26.248:8080
178.208.81.204:8080

Some recent Dridex malware samples (MD5):

532e7924f759aab014dedca651398ce6
818bb82d1845eacedabdd5d0a5de310c
fab100a415254de5c8af70eb1c7eb2d0
95d4a587ac1a128db890035793483885
f8edaacbfc88a8f045bf2bbbd75c435b
