Tag Archives: botnet

Introducing: Feodo Tracker

In the past week I’ve received multiple reports about wide-spread spam campaigns hitting German-speaking countries. The spam emails are multi-themed and pretend to come from Volksbank, Deutsche Telekom, Vodafone D2 or NTT. There are already various blog posts about the latest spam campaign, for example on the G Data SecurityBlog (German) or the Cisco Blog (English). Deutsche Telekom has also published a blog post on its website warning customers about fake invoices (German) pretending to come from Deutsche Telekom. While the fake invoices sent out by the cybercriminals vary, they usually point to a malicious website that always serves the same malware to its visitors: Feodo.

Feodo (also known as Cridex and Bugat) is yet another e-banking Trojan used to commit e-banking fraud and to steal sensitive information, such as credit card details or user credentials, from the victim’s computer. The Trojan itself isn’t really new; in fact it has been around for over two years now, having first been spotted in January 2012. Feodo is not only hitting Germany, it’s also hitting financial institutions in several other countries.

Feodo Modus Operandi
Currently, two versions of Feodo are known; let’s call them version A and version B. The spam and malware campaign we have recently seen hitting Germany can be attributed to version B. One of the biggest differences between the two versions is the way an infected computer (bot) communicates with its C&C servers. Version A talks HTTP to hijacked servers running an nginx daemon on TCP port 8080 (these servers in fact just act as proxy nodes, forwarding all botnet traffic to a tier-2 proxy server), while version B talks HTTP on TCP port 80 to a botnet C&C infrastructure (domain names and hosting) that the cybercriminals set up for the exclusive purpose of hosting a Feodo botnet C&C server.

Mitigating the Feodo threat

As mentioned earlier, Feodo isn’t a new threat, but it seems to be emerging these days. Hence, I’ve decided to put Feodo in the spotlight by launching yet another tracker. Introducing: Feodo Tracker. Similar to the existing trackers for ZeuS, SpyEye and Palevo, Feodo Tracker provides an overview of known Feodo botnet C&C servers and serves a blocklist in different formats, allowing system and network administrators to spot and stop Feodo C&C traffic in their network as well as to identify infected computers in the local network (LAN). Currently, Feodo Tracker offers plain-text blocklists for both Feodo C&C IP addresses and Feodo C&C domains, as well as IDS/IPS rules for Snort and Suricata.
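The following is an added example, not code from abuse.ch or Feodo Tracker, of how an administrator can put the plain-text IP blocklist to use: load it, then run outbound firewall or proxy log lines against it to find internal hosts talking to a C&C address. The blocklist format (one IPv4 address per line, `#` comments), the log line format, the RFC 5737 documentation addresses and the log lines themselves are all assumptions constructed for the example. The optional port filter reflects the two C&C ports described above (8080 for version A, 80 for version B).

```python
"""Spot Feodo C&C traffic in outbound connection logs using a Feodo Tracker-style
IP blocklist. Added example; the blocklist and log lines below are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Assumed feed format: one IPv4 address per line, '#' starts a comment.
# The addresses are documentation ranges (RFC 5737), not real Feodo C&C servers.
SAMPLE_BLOCKLIST = """\
# Feodo C&C IP blocklist (constructed sample, not the live Feodo Tracker feed)
198.51.100.23
203.0.113.77   # inline comment should be tolerated
192.0.2.140
not-an-ip
"""

# Constructed firewall log lines: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = """\
2014-03-10T09:12:01 10.0.5.14:49321 -> 198.51.100.23:80 TCP ALLOW
2014-03-10T09:12:03 10.0.5.14:49322 -> 93.184.216.34:80 TCP ALLOW
2014-03-10T09:13:40 10.0.7.9:51002 -> 203.0.113.77:8080 TCP ALLOW
2014-03-10T09:14:12 10.0.7.9:51003 -> 203.0.113.77:443 TCP ALLOW
2014-03-10T09:15:00 10.0.5.14:49330 -> 192.0.2.140:80 TCP DENY
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

# Ports the post ties to Feodo C&C traffic: 8080 (version A, hijacked nginx
# proxy nodes) and 80 (version B, criminal-owned hosting).
FEODO_CC_PORTS: Set[int] = {80, 8080}


def load_blocklist(text: str) -> Set[ipaddress.IPv4Address]:
    """Parse a plain-text IP blocklist; comments, blanks and junk are skipped."""
    ips: Set[ipaddress.IPv4Address] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ips.add(ipaddress.IPv4Address(entry))
        except ValueError:
            continue  # a bad feed line should not take the whole check down
    return ips


def find_infected_hosts(log_text: str, blocklist: Set[ipaddress.IPv4Address],
                        ports: Optional[Set[int]] = None) -> Dict[str, List[str]]:
    """Map each internal source IP to the log lines where it contacted a C&C IP.

    Denied connections count too: the attempt alone marks the host as infected.
    With ports=None any destination port matches; pass FEODO_CC_PORTS to narrow.
    """
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.IPv4Address(m["dst"])
        except ValueError:
            continue
        if dst in blocklist and (ports is None or int(m["dport"]) in ports):
            hits.setdefault(m["src"], []).append(line)
    return hits


if __name__ == "__main__":
    cc_ips = load_blocklist(SAMPLE_BLOCKLIST)
    for host, lines in sorted(find_infected_hosts(SAMPLE_LOG, cc_ips).items()):
        print(f"{host}: {len(lines)} connection(s) to Feodo C&C")
        for entry in lines:
            print("   ", entry)
```

A denied connection is deliberately still reported: the firewall stopped the C&C session, but the host that tried is the one that needs cleaning. Feed the real blocklist through the same loader on a schedule; a feed line that fails to parse is skipped rather than aborting the run.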

Feodo Malware Distribution
Looking at the modus operandi of this Feodo gang (which runs version B) and how it recruits new bots shows that it uses both compromised websites and domain names registered for the exclusive purpose of infecting new computers (spam landing pages). Sample URLs/domains are:

hXXp://clownjohh.ru/vodafone_online/ (malicious domain)
hXXp://clownjohh.ru/telekom_deutschland/ (malicious domain)
hXXp://sencert.ru/volksbank_eg/ (malicious domain)
hXXp://mmc-tt.ru/telekom/ (malicious domain)
hXXp://frtyui.ru/telekom_deutschland/ (malicious domain)
hXXp://1pfkc1.happykid.ch/vodafon/ (compromised/hijacked)
hXXp://xs9imj.tenebro.us/telekom/ (compromised/hijacked)

Those URLs are embedded/advertised in the spam mails, which the criminals send out using stolen SMTP credentials. Because the mail is relayed through legitimate mail servers with stolen credentials, the criminals bypass the usual DNSBL-driven spam filters. Most of the advertised .ru domains (which, as said, are usually registered by the cybercriminals themselves for the exclusive purpose of hosting a Feodo malware distribution site) are registered through the Russian domain registrar REG.RU.

Feodo Botnet C&C Infrastructure
Looking at the Feodo botnet C&C infrastructure for this campaign (version B) shows that all botnet C&C domains are under the .ru ccTLD and, again, registered through the Russian domain registrar REG.RU:

Feodo C&C domains

It’s not the first time criminals have used REG.RU to register malicious domain names. In this case the criminals also decided to host their DNS on REG.RU’s DNS infrastructure. All Feodo botnet C&C domains I’ve seen so far use REG.RU’s name servers as delegated DNS servers:

ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN AAAA 2a00:f940::25
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN AAAA 2a00:f940::37

Hence, you may want to block (or at least log) DNS queries from your recursive resolvers to REG.RU’s name servers to prevent further abuse. But please keep in mind that there are also thousands of legitimate domain names using REG.RU’s DNS infrastructure, so blocking those DNS servers will cause collateral damage.

My goal is to give system and network administrators, as well as Internet Service Providers (ISPs), the possibility to mitigate the recent Feodo attacks by blocking known-bad Feodo C&C traffic at their network edge (routers, firewalls, web proxies and DNS servers). I hope Feodo Tracker will help support these efforts. If you have feedback on Feodo Tracker or any other project, please feel free to drop me a line using the contact form.

Follow me on Twitter: https://twitter.com/abuse_ch


Malware With Bruteforce Capabilities

Today I came across an interesting piece of malware that attacks websites running WordPress by trying to guess user credentials with brute-force methodology. Arbor already analysed this threat at the beginning of September and published it under the name Fort Disco. However, the brute-force attacks issued by Fort Disco are not limited to Content Management Systems (CMS).

*** The malware ***

The malware installs itself into the All Users directory to ensure that it gets started whenever a user logs on to the computer:

C:\Documents and Settings\All Users\Application Data\System\filename-of-the-infection-binary.exe

In addition, the malware will create the following registry key:


Digging a little bit deeper, I found several other malware samples in my zoo that seem to belong to the same malware family:

MD5 hash                           Botnet C&C server
c09585e10a5faa7865fe18af370b5e14   hXXp://google-update.pw/cmd.php
bd03abc172becc1cafaf1367aeb67d10   hXXp://google-update.pw/cmd.php
284141c69272444566abe47947e65d1d   hXXp://pizdaprovoda.com/cmd.php
8da5edce85cd55cf36f6d97a7b1f24e7   hXXp://borailibali.com/cmd.php
538a4cedad8791e27088666a4a6bf9c5   hXXp://cureid.pw/cmd.php
c2ec42e5dce6044bf3b07950ccb1b144   hXXp://dedart.ru/cmd.php (thanks to @raashidbhatt)
a25737d6a881fc327ba1b8bdb37cc391   hXXp://my.ololo.in/cmd.php

This particular malware appeared for the first time in my malware zoo on July 1st, 2013.

*** C&C botnet communication ***

The malware uses HTTP POST and HTTP GET to communicate with its C&C infrastructure. What is interesting is that the main C&C URL always uses /cmd.php (see above). When talking to the C&C server, the infected computer (bot) first registers itself by sending an HTTP POST with the content status=0 to the C&C server:

POST /cmd.php HTTP/1.0
Host: google-update.pw
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

status=0

Afterwards the bot is able to retrieve commands from the botnet herder. If the botnet C&C responds with five zeros (0 0 0 0 0), there is no task for the bot. Otherwise the C&C server responds with something like this:


The C&C server tells the bot that it has a new task to execute and provides a link to a text file (pass_bot_pull/1001632.txt) and a password (abertxuiop123). If we take a look at the content of the text file the bot retrieves from its C&C server, we see what this is all about:


The text file contains a huge list of exactly 5’000 websites running WordPress. These URLs point to the PHP login script (usually wp-login.php) that handles WordPress user authentication.

It’s not hard to guess what comes next: the bot goes through the whole list of WordPress websites it retrieved from the C&C server and tries to log in to each of them with the user name Administrator and the password provided by the C&C server:

POST /wp-login.php HTTP/1.0
Host: onlyagame.wbur.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Referer: onlyagame.wbur.org/wp-login.php


[Screenshot: WordPress bruteforce attempts]

*** Bruteforcing other internet services ***

Going down the rabbit hole, I found a sample of this particular malware that was brute-forcing POP3 credentials instead of WordPress ones (MD5 538a4cedad8791e27088666a4a6bf9c5):

GET /login.txt HTTP/1.1
User-Agent: PrototypeB
Host: cureid.pw
Cache-Control: no-cache

Notice the User-Agent PrototypeB, which we haven’t seen before. The C&C server response looks like this:


This appears to be a list of user names that the bot will later use to brute-force POP3 credentials. But first the bot registers itself with the C&C server in the same way we have seen before (HTTP POST /cmd.php with the content status=0). Once registered, it retrieves a new task from the C&C server:


The bot fetches the file temp_brut/915232.txt. Looking at this file, the content is very interesting:


The file contains a large list of domain names, each followed by the MX host that handles email for that domain (domain:pop3-server). The bot now tries to brute-force POP3 credentials for these domains, using the MX host and the user names it retrieved from the C&C server before:

[Screenshot: POP3 bruteforce attempts]

While speaking with the guys over at Shadowserver, they told me they have seen this malware family brute-forcing FTP credentials using the same methodology.

*** Detecting bruteforce attempts by this malware ***

These brute-force attempts against WordPress should be easy to detect. First of all, the bot sends a malformed HTTP Referer header to wp-login.php. For the example above, a browser would send the Referer http://onlyagame.wbur.org/wp-login.php, while this bot omits the scheme (onlyagame.wbur.org/wp-login.php without the leading http://). Second, the malware omits three HTTP headers that a standard web browser sends to the remote web server with every request: Accept, Accept-Encoding and Accept-Language.

Comparing a real browser’s request headers with a brute-force attempt by this malware shows the following:

Bot HTTP header

Host: fredericacade.wordpress.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 302
Referer: fredericacade.wordpress.com/wp-login.php

User HTTP header

Host: fredericacade.wordpress.com
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: da, en-gb;q=0.8, en;q=0.7
Accept-Encoding: gzip, deflate
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 302
Referer: http://fredericacade.wordpress.com/wp-login.php
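As an added example (not abuse.ch’s detection code), here is the check above turned into working logic: it parses the head of a raw HTTP request and reports a wp-login.php POST as bot-like when the three browser headers are absent or the Referer carries no scheme. The two sample requests are reconstructed from the headers shown above; their request lines and the omitted form body are assumptions.

```python
"""Flag wp-login.php POSTs that look like this malware rather than a browser.
Added example, not abuse.ch's detection code; the two requests below are
reconstructed from the headers shown in the post, with the form body left out."""
import re
from typing import Dict, List, Tuple

# Headers a real browser sends with every request but this bot omits.
BROWSER_HEADERS = ("accept", "accept-encoding", "accept-language")

BOT_REQUEST = (
    "POST /wp-login.php HTTP/1.0\r\n"
    "Host: fredericacade.wordpress.com\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 302\r\n"
    "Referer: fredericacade.wordpress.com/wp-login.php\r\n"
    "\r\n"
)

BROWSER_REQUEST = (
    "POST /wp-login.php HTTP/1.1\r\n"  # request line assumed; only headers were shown
    "Host: fredericacade.wordpress.com\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml\r\n"
    "Accept-Language: da, en-gb;q=0.8, en;q=0.7\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 302\r\n"
    "Referer: http://fredericacade.wordpress.com/wp-login.php\r\n"
    "\r\n"
)


def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (request line, {lower-cased header name: value}) for an HTTP head."""
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def login_anomalies(raw: str) -> List[str]:
    """List the reasons a wp-login.php POST looks like the bot (empty = looks fine)."""
    request_line, h = parse_request_head(raw)
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "POST" or not parts[1].endswith("/wp-login.php"):
        return []  # only login POSTs are scored
    findings: List[str] = []
    missing = [name for name in BROWSER_HEADERS if name not in h]
    if missing:
        findings.append("missing browser headers: " + ", ".join(missing))
    referer = h.get("referer")
    if referer is None:
        findings.append("no Referer header")
    elif not re.match(r"^https?://", referer, re.IGNORECASE):
        findings.append(f"Referer without scheme: {referer}")
    return findings


def is_bot_login(raw: str) -> bool:
    """Convenience wrapper: True if any anomaly was found."""
    return bool(login_anomalies(raw))


if __name__ == "__main__":
    for label, req in (("bot", BOT_REQUEST), ("browser", BROWSER_REQUEST)):
        print(label, "->", login_anomalies(req) or "clean")
```

Treat this as one signal, not a verdict: the next build of the bot can add the three headers and a proper Referer in minutes, so pair the check with per-IP rate limiting on wp-login.php rather than blocking on header shape alone.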

*** Preventing bruteforce attacks against WordPress ***

Brute-force attacks against WordPress and other Content Management Systems (CMS) aren’t really new. In the past few months abuse.ch (which also runs on WordPress) has identified and blocked more than 21’000 brute-force attempts against the blog. While such brute-force attacks have in the past usually been carried out by malicious Python and Perl scripts hosted on various rogue servers on the internet, this seems to be one of the first malware families used to brute-force WordPress credentials.

In fact it isn’t too difficult to prevent this kind of brute-force attack against WordPress. There are a few simple things you can do to protect your WordPress blog from this threat:

  • First of all, you should implement a two-factor authentication mechanism on your WordPress site. To do so, you can use Google Authenticator on your smartphone (which, for example, Dropbox already uses) in combination with the Google Authenticator Plug-In for WordPress. It’s very easy to set up and not only provides protection against brute-force attacks but also prevents cybercriminals from logging in to your WordPress blog with stolen credentials (obtained earlier by, e.g., a password stealer on your computer).
  • There is another nice WordPress Plug-In called Limit Login Attempts. With this Plug-In you can limit the number of login attempts per IP address. This ensures that every IP address only gets a specific number of retries (e.g. 4) before it is banned from logging in to WordPress for a specific period of time (e.g. 24 hours).
  • You can limit access to wp-admin/ and wp-login.php by using .htaccess with an additional username/password. This not only reduces brute-force attempts but also prevents attacks against the WordPress admin panel that take advantage of unpatched security vulnerabilities in WordPress.
  • Another possibility to prevent automated brute-force attacks is to rename the PHP file responsible for WordPress authentication (wp-login.php) to something specific that only you know (e.g. nigol-pw.php). Keep in mind that this is obscurity only, and that a WordPress core update will put the original wp-login.php back, so don’t rely on it alone.
  • Since the HTTP POST request issued by this malware family is poorly crafted, you might want to use a Web Application Firewall (WAF, for example ModSecurity) to block suspicious and automated HTTP requests. A WAF can also block other known web-based attacks against your site.
  • You should also change the default username you use to manage your site (do not use Administrator or Admin).
  • Keep your WordPress blog up to date, not only WordPress itself but also all third-party Plug-Ins. Always use the most recent version of WordPress and of the installed Plug-Ins.
  • Last but not least, you may also want to have a look at the WordPress Hardening Guide.
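The per-IP lockout described in the Limit Login Attempts item above (a fixed number of retries, then a ban for a fixed time) is a small sliding-window policy that is worth seeing written out. The following is an added example of that policy, not the plug-in’s own code; the class name, the injectable clock and the sample IP addresses are assumptions made for the example.

```python
"""Per-IP login lockout of the kind the Limit Login Attempts plug-in provides:
after max_attempts failures inside `window` seconds, the address is banned for
ban_seconds. Added example with an injectable clock; not the plug-in's code."""
import time
from collections import deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    def __init__(self, max_attempts: int = 4, window: float = 3600.0,
                 ban_seconds: float = 86400.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self.ban_seconds = ban_seconds
        self._clock = clock
        self._failures: Dict[str, Deque[float]] = {}  # ip -> recent failure times
        self._banned_until: Dict[str, float] = {}     # ip -> ban expiry time

    def is_banned(self, ip: str) -> bool:
        """True while a ban is active; expired bans are dropped lazily."""
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            del self._banned_until[ip]
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Register a failed login; return True if this attempt triggers a ban."""
        now = self._clock()
        recent = self._failures.setdefault(ip, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures that fell out of the sliding window
        if len(recent) >= self.max_attempts:
            self._banned_until[ip] = now + self.ban_seconds
            recent.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login resets the failure counter for that address."""
        self._failures.pop(ip, None)


class FakeClock:
    """Manual clock so the lockout can be exercised without sleeping."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_attempts=4, window=3600.0,
                             ban_seconds=86400.0, clock=clock)
    attacker = "203.0.113.9"  # constructed sample address
    for n in range(1, 5):
        print(f"failure {n}: ban triggered = {throttle.record_failure(attacker)}")
    print("banned now:", throttle.is_banned(attacker))
    clock.advance(86400.0)
    print("banned after 24h:", throttle.is_banned(attacker))
```

In a real deployment the two dictionaries have to live in storage shared by all PHP workers (the plug-in uses the WordPress options table), and the client address must be taken from the socket, or from X-Forwarded-For only when a trusted reverse proxy set it; otherwise the bot simply spoofs a new address per attempt and the counter never fills.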

*** Conclusion ***

With this malware, cybercriminals have created a way to distribute brute-force attacks not only against WordPress but also against POP3 servers around the world, including those of Google and Outlook (formerly Hotmail), and against FTP servers on the internet.

What the criminals will use the compromised WordPress accounts for once they have gained access to them is unclear at this time. However, last week I read a news article on heise.de (sorry, it’s in German) reporting DDoS attacks conducted by WordPress blogs. The German Anti-Botnetz-Beratungszentrum suspects (sorry, it’s in German as well) that the attacking WordPress websites had previously been hacked using brute-force methodology. I’m not sure whether this is related or not, but it could be one scenario of what WordPress websites compromised by this malware are used for. So this seems to be one of the first malware families with generic brute-force capabilities.

As a side note: both the Emerging Threats Snort/Suricata ruleset and the Sourcefire VRT ruleset already have signatures to detect botnet C&C traffic from this malware.

Follow me on Twitter: https://twitter.com/abuse_ch