ZeuS Gets More Sophisticated Using P2P Techniques

Recently, I’ve seen some major modifications in ZeuS murofet/LICAT.
Murofet (also known as LICAT) is a modified version of ZeuS that uses a so-called Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain.

However, a few weeks ago I noticed that no new murofet/LICAT C&C domain names had been registered by the criminals. I was a little bit confused and decided to analyse a recent ZeuS sample (spread through a spam campaign targeting US citizens). When I ran the binary in my sandbox, I saw some weird UDP traffic. My first guess was: this is not ZeuS. But after analysing the infection I came to the conclusion that it is actually ZeuS.

*** A new (custom) version of ZeuS ***

The new version of ZeuS no longer uses a DGA to determine the current C&C domain, so it is also no longer possible to pre-calculate the C&C domains that will be used in the near future. Obviously, the criminals switched back to a hardcoded C&C domain which is stored in the ZeuS config file.

The *new* version of ZeuS (v3?) implements a Kademlia-like P2P botnet. Similar to the Miner botnet, ZeuS now uses an “IP list” which contains IP addresses of other drones participating in the P2P botnet. An initial list of IP addresses is hardcoded in the ZeuS binary. As soon as a computer gets infected, ZeuS will try to find an active node by sending UDP packets to high ports. If the bot hits an active node, the remote node will respond with a list of current IP addresses that are participating in the P2P network. Additionally, the remote node will tell the requesting node which binary and config version it is running. If the remote node is running a more recent version, the bot will connect to it on a TCP high port to download a binary update and/or the current config file. Afterwards the bot will connect to the C&C domain listed in the config file using HTTP POST.

The HTTP protocol is only used to drop the stolen data to the dropzone and/or to receive commands from the botnet master. In fact this means there is no longer a BinaryURL or a ConfigURL that ZeuS Tracker can track. It also makes it quite difficult for security researchers to keep track of the targets. What is interesting is the fact that if everything fails (no working/active P2P drone can be found and the main C&C is dead), the bot uses the DGA as a fallback mechanism.

At first glance this is bad news. But fortunately the new mechanism also has a benefit: there is just one ZeuS C&C active at a time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.

*** ZeuS sinkhole data ***

During the past few weeks I was able to sinkhole several ZeuS botnet C&Cs that were associated with this new ZeuS version. The chart below shows the number of unique IP addresses that are associated with this ZeuS version and hitting my sinkhole. The highest IP count was about 100k unique IPs in 24 hours.

The Geo location of this ZeuS botnet looks like this:

As we can see on the chart above, India seems to have the most infected systems, followed by Italy, the United States and Greece. Please consider that this chart just shows the unique IPs for each country. It does not count the unique bot IDs.

As usual, the sinkhole data is being sent to Shadowserver. If you are a network provider / ISP, please make sure that you subscribe to Shadowserver's drone feed to receive reports regarding infected drones in your network/AS (the service is free of charge).

*** Conclusion ***
What I can say so far is that the encryption of this new (custom) version of ZeuS hasn't changed. You should watch out for the following strings in your web proxy logs, which are being used as dropzones for this ZeuS version (using HTTP POST):

  • /gameover.php
  • /gameover2.php
  • /gameover3.php
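The following is an added example (not code from abuse.ch or from the post) of how the proxy-log check described above can be automated. It assumes a Squid-style access.log layout and uses constructed sample lines; the hostnames and client addresses are placeholders. Detection keys on the HTTP method and the URL path only, because the C&C hostname changes with every new config file while the dropzone paths are what the post says stay constant.

```python
from urllib.parse import urlsplit

# Dropzone paths named in the post; matching is done on the path only, since the
# C&C domain in front of it is replaced whenever the criminals push a new config.
DROPZONE_PATHS = {"/gameover.php", "/gameover2.php", "/gameover3.php"}

# Field order of a Squid native access.log line (assumption for this example).
LOG_FIELDS = ("ts", "elapsed", "client", "status", "bytes",
              "method", "url", "user", "hierarchy", "ctype")

# Constructed sample log; hostnames use reserved/documentation names only.
SAMPLE_LOG = """\
1312345600.123    45 10.0.0.17 TCP_MISS/200 512 POST http://cnc-example.invalid/gameover.php - DIRECT/203.0.113.10 text/html
1312345601.456    12 10.0.0.23 TCP_MISS/200 2048 GET http://www.example.org/index.html - DIRECT/198.51.100.5 text/html
1312345602.789    38 10.0.0.17 TCP_MISS/200 480 POST http://cnc-example.invalid/gameover2.php?x=1 - DIRECT/203.0.113.10 text/html
1312345603.000    30 10.0.0.42 TCP_MISS/200 300 GET http://cnc-example.invalid/gameover3.php - DIRECT/203.0.113.10 text/html
1312345604.111    22 10.0.0.99 TCP_MISS/404 150 POST http://shop.example.net/gameover.php - DIRECT/192.0.2.9 text/html
"""


def parse_line(line):
    """Split one access.log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def is_dropzone_post(rec):
    """True when the request is a POST whose path is one of the known dropzone paths.
    The query string is ignored so '/gameover2.php?x=1' still matches."""
    return rec["method"] == "POST" and urlsplit(rec["url"]).path.lower() in DROPZONE_PATHS


def find_dropzone_posts(log_text):
    """Return (client, host, path) for every matching request in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dropzone_post(rec):
            url = urlsplit(rec["url"])
            hits.append((rec["client"], url.hostname, url.path))
    return hits


def infected_clients(log_text):
    """Distinct internal clients that posted to a dropzone path: the hosts to triage."""
    return sorted({client for client, _, _ in find_dropzone_posts(log_text)})


if __name__ == "__main__":
    for hit in find_dropzone_posts(SAMPLE_LOG):
        print("dropzone POST:", hit)
    print("clients to triage:", infected_clients(SAMPLE_LOG))
```

Note that the GET to /gameover3.php in the sample is deliberately not flagged: the post describes the dropzone traffic as HTTP POST, and a plain GET is far more likely to be a scanner or a researcher. The 404 response is still flagged, because a dead C&C domain does not mean the client is clean.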

Since I’ve started to track this ZeuS campaign, I’ve collected more than 270 unique config files.

Since the source code of ZeuS got leaked at the beginning of 2011, several so-called custom builds based on the leaked source code have popped up in the underground. A good example is a bot kit called Ice IX, recently introduced on opensc.ws.

So are we talking about a *new* ZeuS version which we will see being sold in the underground soon? I don’t think so. This seems to be just another custom build. But there is one thing that makes this custom build unique: This build (and the previous murofet/LICAT version) is much more sophisticated than all other ZeuS builds I’ve seen before. Also, when I take a look at the way they operate it looks like this botnet has several customers using the same botnet infrastructure.

Since the guy who wrote this version of ZeuS seems to have a lot of knowledge, it could be that Slavik (the author of the original ZeuS version) has his hands on this ZeuS build. We all know how successful ZeuS was (and still is). So why should Slavik leave this business? I believe that Slavik was unhappy with the fact that his trojan was in the spotlight of security researchers, the security industry and LEA. Also, ZeuS has attracted a lot of script kiddies and smaller criminal groups which weren't able to pay that much money for a product. Slavik probably dropped this business and released the source code to the public to get out of this situation. But I believe that he is still developing ZeuS, only as custom build(s) for a small circle of customers who are able to pay a lot more money than the small fish. This wouldn't attract that much attention from LEA and security folks, but will bring in a lot more money than dealing with standard customers.

We all know that the fight between criminals and security researchers is a cat and mouse game. I’m sure this wasn’t the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar.

How Criminals Defend Their Rogue Networks

It is common for cybercriminals to host their stuff in rogue networks (renting so-called Bulletproof hosted servers). Many of you may remember 2008, when a well-known Bulletproof hoster named McColo was knocked offline. We can say that this was nearly a historic moment for the world wide web, where the Internet community clearly showed that it didn't want to tolerate Cybercrime any longer. The McColo takedown was the beginning of a series of takedowns initiated by security researchers, law enforcement agencies and volunteers. In 2010, the well-known Russian-based Bulletproof hoster Troyak was cut off from the Internet, followed by the takedown of Group Vertical.

The series of takedowns continued at the beginning of 2011, when in January 14 rogue ISPs were disconnected from the Internet. Since then we haven't seen any new Bulletproof hosters popping up… or have we? Where did all the Cybercriminals move to? If we take a look at the ZeuS Tracker statistics (top ten ZeuS hosting ISPs) we don't see any network that looks too much like a Bulletproof hoster.

So the Internet appears to be free from cybercrime… *cough* – unfortunately I have to disappoint everyone who thought that the Internet is getting rid of Cybercrime: the Bulletproof hosters are still here. I still see a lot of fraud, malware, phishing etc. popping up on a daily basis. But where is it hosted? As you probably know, Cybercriminals can be very creative. They have found several ways to hide themselves from the radar of the security industry and from the eyes of security researchers. Some of their tactics are very old, while others are pretty new.

FastFlux hosting
FastFlux hosting is a pretty old technique and still an issue (but not that big any more): Cybercriminals host their infrastructure on FastFlux botnets to hide the real botnet controllers (mothership) and to make their infrastructure more hardened against takedowns. During the past few months the situation hasn't really changed. The number of FastFlux hosted ZeuS botnet controllers has stayed more or less constant at 19. What is new is the fact that the Cybercriminals have also started to host SpyEye botnet controllers on FastFlux botnets. Currently SpyEye Tracker tracks 8 SpyEye C&C controllers that are hosted on FastFlux botnets.

Domain Generation Algorithms (DGA)
A much more sophisticated way to serve/host botnet control infrastructure are so-called Domain Generation Algorithms (DGA). The criminals use an algorithm that takes the date and some salt as parameters to generate the domains the infected computers (bots) should contact. In this way the domains are being ‘fluxed’ on a daily basis – meaning the CnC domains that are used by the bots change every day, or in some cases several times a day – which makes it hard to take down the botnet control infrastructure. Last year, a special version of ZeuS (murofet/LICAT) that used the DGA technique attracted some media attention. But in fact the technique isn't new: Torpig, a sophisticated banking Trojan, has been using a DGA since 2008. Torpig even utilized the Twitter trend API, as mentioned in this old post by unmaskparasites.

However sophisticated this technique sounds, a DGA can have a benefit for security researchers: if you are able to reverse engineer the code, you can identify the algorithm used by the Trojan. In this way it is possible to generate the domain names that the Trojan will use in the future and register them to sinkhole the botnet. However, there are some Trojans that generate more than 50’000 domains per day. This would mean that you have to register 50’000 domains every day to sinkhole the botnet effectively.
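As an added illustration of the researcher-side workflow just described (this is example code written for this page, not abuse.ch's tooling and not the algorithm of ZeuS, murofet/LICAT or Torpig), the block below defines a deliberately simple toy DGA that derives domains from the date and a salt, and then shows the two things a defender does once the algorithm is known: enumerate the domains for a window of days, and match observed DNS queries against that schedule. The salt, the TLD list, the start date and the per-day count are all constructed values.

```python
import hashlib
import datetime as dt

# Constructed parameters; a real DGA's salt and TLD set come from reverse engineering.
TLDS = ("com", "net", "org", "info", "biz")
TOY_SALT = "example-salt"
START_DAY = dt.date(2011, 8, 1)


def toy_dga(day, salt, count):
    """Toy DGA (hypothetical, not any real malware's): derive `count` domains for `day`.
    Each domain is a deterministic function of (date, salt, index), which is exactly the
    property that lets a researcher who knows salt and algorithm precompute the list."""
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}|{salt}|{i}".encode()
        digest = hashlib.sha256(seed).digest()
        # 12 digest bytes become a 12-letter label; one more byte picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute(start, days, salt, per_day):
    """Defender side: map every day in the window to the domains the bots will use."""
    schedule = {}
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        schedule[day] = toy_dga(day, salt, per_day)
    return schedule


def registrations_needed(schedule):
    """How many domains a sinkhole operator would have to register for the window.
    With 50'000 per day, as the post notes, this is what makes sinkholing impractical."""
    return sum(len(doms) for doms in schedule.values())


def match_observed(queries, schedule):
    """Match DNS query names seen in logs against the precomputed schedule.
    Returns (domain, day) pairs; anything else is not this DGA's output."""
    index = {dom: day for day, doms in schedule.items() for dom in doms}
    return [(q.lower().rstrip("."), index[q.lower().rstrip(".")])
            for q in queries if q.lower().rstrip(".") in index]


# A one-week schedule at 50 domains/day, built at import time for reuse.
SCHEDULE = precompute(START_DAY, 7, TOY_SALT, 50)

if __name__ == "__main__":
    print("domains to register for the week:", registrations_needed(SCHEDULE))
    print("first three for day one:", SCHEDULE[START_DAY][:3])
    probe = [SCHEDULE[START_DAY][0], "www.example.org."]
    print("matches in sample queries:", match_observed(probe, SCHEDULE))
```

The same structure (date + secret in, hash out, fixed alphabet and TLD set) is what makes blocklisting by precomputation possible; the limiting factor is purely the number of domains per day, which `registrations_needed` makes explicit.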

Using custom DNS servers
Another interesting tactic that I’ve seen recently is the use of custom DNS servers. Some Trojans use custom DNS servers that are under the control of the criminals themselves. The Trojan resolves the domain name used as botnet controller via a custom DNS server. The benefit for the criminal is that only the DNS server under his control resolves the domain name correctly. In fact this means that when a security researcher tries to access the domain, it appears not to exist.

Also, the criminal can use well-known domain names like google.com or facebook.com as botnet controllers. Because the Trojan resolves the domains using the custom DNS servers, the criminal can point the domain name to his botnet controller. In this case the benefit for the criminal is that e.g. google.com appears in the sandbox reports of the security industry and may lead to false positives in security products. So the criminals kill two birds with one stone: hiding their botnet infrastructure behind a well-known domain name and making security products imprecise.

Since version 10338 (1.3.38, first seen around April 4 2011), certain SpyEye versions have been seen utilizing such a feature. The botnet master can define custom DNS servers that are stored in a file called “dns.txt” that is served to the bots within the SpyEye configuration file. However, usually public DNS servers are listed in this dns.txt file, like the ones offered by Google. This is a trick to avoid local DNS blackholing and to avoid detection by looking at local DNS server logs.
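Both points above suggest where the detection has to sit: because the bot bypasses the local resolver (whether with a criminal-run server or a public one such as Google's), the local DNS logs never see the query, so the check has to be done on network events at the egress. The following is an added example, not abuse.ch's code or SpyEye's, that runs two checks over constructed sandbox/flow-style events: DNS traffic to any resolver other than the sanctioned internal one, and answers for well-known names that fall outside the ranges you expect from your own resolver. The sanctioned resolver address, the expected answer ranges and the events themselves are constructed for the example.

```python
import ipaddress

# The only resolver endpoints on this network should talk to (constructed).
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.2")}

# Expected answer ranges for well-known names. Constructed here; in practice derive
# them from your own resolver or passive DNS, since a Trojan-controlled resolver can
# hand back any address for google.com (the trick the post describes).
EXPECTED_ANSWERS = {
    "google.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed events: (src, dst, dport, query name, answer). The third one models a
# bot using a criminal-run resolver that maps google.com to the real C&C.
SAMPLE_EVENTS = [
    ("192.168.1.50", "10.0.0.2",    53, "www.example.org", "198.51.100.7"),
    ("192.168.1.50", "8.8.8.8",     53, "google.com",      "198.51.100.9"),
    ("192.168.1.50", "203.0.113.5", 53, "google.com",      "203.0.113.77"),
    ("192.168.1.51", "10.0.0.2",    53, "google.com",      "198.51.100.12"),
    ("192.168.1.51", "198.51.100.20", 80, "www.example.org", ""),
]


def analyze(events, resolvers=SANCTIONED_RESOLVERS, expected=EXPECTED_ANSWERS):
    """Return a list of (finding, src, detail) tuples for suspicious DNS activity."""
    findings = []
    for src, dst, dport, qname, answer in events:
        if dport != 53:
            continue  # only DNS traffic is of interest here
        if ipaddress.ip_address(dst) not in resolvers:
            # Fires for criminal-run servers *and* for public resolvers: the post notes
            # that listing Google's resolvers is used to dodge local DNS logging.
            findings.append(("unsanctioned_resolver", src, f"{dst} for {qname}"))
        nets = expected.get(qname.lower().rstrip("."))
        if nets and answer:
            if not any(ipaddress.ip_address(answer) in net for net in nets):
                findings.append(("unexpected_answer", src, f"{qname} -> {answer}"))
    return findings


def hosts_to_triage(events):
    """Sources with at least one finding, most findings first."""
    counts = {}
    for _, src, _ in analyze(events):
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts, key=lambda s: (-counts[s], s))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print("triage order:", hosts_to_triage(SAMPLE_EVENTS))
```

The second check is what catches the google.com trick: a query for a well-known name that returns an address nowhere near that name's known ranges is worth a look regardless of which resolver answered it.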

Fluxing domain names
After the takedown of several rogue ISPs in January 2011, I’ve seen a large number of botnet controllers popping up in some suspicious networks. What got my attention was the fact that as soon as I had added a botnet controller to the tracker, the domain disappeared and became unreachable. A few hours later a backup domain pointing to the same or a nearby IP address in the same subnet became active.

I’ve seen this behaviour on several ISPs that all look quite suspicious to me. A good example is AS56659 BALTI-AS (also known as PermInterSvyaz LTD and BESTISP), a Ukraine-based ISP that is being routed by Er-Telecom -> synterra.ru. Currently, there are 5 ZeuS botnet controllers tracked by ZeuS Tracker, none of them currently active. SpyEye Tracker currently tracks 11 SpyEye botnet controllers in that subnet. Only one is currently active. At first glance this AS does not look that suspicious, but if we take a look at the history of the subnet we see that it has hosted more than 60 SpyEye botnet controllers since March 2011:

I assume that the criminals are using some kind of script to check ZeuS- and SpyEye Tracker periodically for new botnet controllers in their subnet. As soon as a new domain pops up they seem to remove it and switch over to a backup URL (both ZeuS and SpyEye have a feature that allows the cybercriminals to define backup URLs that the bots should contact when the main C&C is not reachable).

But what’s the benefit of this tactic for the criminal? Well, Cybercriminals have seen in the past that they get de-peered quite quickly when they attract too much attention from law enforcement and security researchers. By fluxing the domain name as soon as it appears on a tracker, they ensure that the number of active botnet controllers stays as low as possible. Therefore they will not appear on the radar of the Internet community that fast, and of course they can claim that they take action against fraudulent customers quickly.
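The pattern described in this section, many controllers accumulating in one subnet while very few are alive at any moment, is invisible in a snapshot of active C&Cs and only shows up in the history. The block below is an added example (not ZeuS Tracker's or SpyEye Tracker's code) that aggregates tracker-style observations per /24 and flags subnets with high domain churn and a low active ratio. The observations, the thresholds and the addresses are constructed; the AS and subnet referenced in the post are not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed tracker-style rows: (first_seen, domain, ip, currently_active).
# The 203.0.113.0/24 rows model the behaviour in the post: four controllers over
# time in one subnet, only one of them alive now.
SAMPLE_OBSERVATIONS = [
    ("2011-03-02", "cnc-a.example", "203.0.113.10", False),
    ("2011-03-02", "cnc-b.example", "203.0.113.11", False),
    ("2011-03-15", "cnc-c.example", "203.0.113.12", False),
    ("2011-04-01", "cnc-d.example", "203.0.113.10", True),
    ("2011-04-03", "cnc-e.example", "198.51.100.5", True),
    ("2011-04-03", "cnc-f.example", "198.51.100.6", True),
]


def subnet_history(observations, prefix=24):
    """Aggregate observations per subnet; keys are subnet strings like '203.0.113.0/24'."""
    stats = defaultdict(lambda: {"domains": set(), "active": 0, "first": None, "last": None})
    for first_seen, domain, ip, active in observations:
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        s = stats[net]
        s["domains"].add(domain)
        s["active"] += int(active)
        # ISO dates compare correctly as strings, so min/max give the time span.
        s["first"] = first_seen if s["first"] is None else min(s["first"], first_seen)
        s["last"] = first_seen if s["last"] is None else max(s["last"], first_seen)
    return dict(stats)


def churn_subnets(observations, min_domains=3, max_active_ratio=0.5, prefix=24):
    """Subnets that have hosted many C&C domains but keep few of them alive:
    the 'rotate as soon as it is listed' signature. Returns (subnet, total, active)."""
    flagged = []
    for net, s in subnet_history(observations, prefix).items():
        total = len(s["domains"])
        if total >= min_domains and s["active"] / total <= max_active_ratio:
            flagged.append((net, total, s["active"]))
    return sorted(flagged)


if __name__ == "__main__":
    for net, s in subnet_history(SAMPLE_OBSERVATIONS).items():
        print(net, len(s["domains"]), "domains,", s["active"], "active,", s["first"], "to", s["last"])
    print("churn subnets:", churn_subnets(SAMPLE_OBSERVATIONS))
```

A snapshot view would show 203.0.113.0/24 as a network with a single live controller; the history shows four domains rotated through it in a month, which is the signal worth reporting to the upstream provider.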

What we can say is that BALTI-AS is a rogue network for sure. I haven’t seen any legit domain names being hosted there.

Also, the criminals are quite creative and will always try not to appear on the radar of the Internet community. It’s always a cat and mouse game between the infosec community and the criminals who operate the different botnet infrastructures.

As we all know, things can change quite fast on the Internet. This is a big issue for policy makers and law enforcement. They are not able to act as quickly as the criminals do. The cybercriminals know this too and are trying to profit from the failings of law enforcement.

The Internet has no borders so we need a global solution to defend ourselves from cybercrime. But we are still failing to find a global solution. Fortunately, there are dedicated people out there that are determined to fight cybercrime. When these people cooperate, they are able to move mountains.

Good deeds are being done by these folks every day. We just need more of them. And we need governments and organisations across the world to follow in their footsteps.