Tag Archives: palevo tracker

AMaDa Discontinued, Palevo Tracker With A New Home

As announced on Twitter last month, abuse.ch Malware Database (AMaDa) has been discontinued on 2012-03-17.

Since my announcement on Twitter to discontinue AMaDa, I received several dozen emails from IT security representatives of ISPs, national CERTs as well as governmental and non-governmental organisations that were using AMaDa’s blocklist to identify compromised computers within their networks. I have to say that I was quite amazed how many people used AMaDa’s blocklist. However I’m unable to answer all these emails due to lack of time, hence I decided to publish a short statement on my blog.

AMaDa was launched in 2010, since then it has analysed 169’545 URLs serving malware, 160’183 malicious binaries and identified 1’685 malware botnet controllers associated with all kinds of Trojans (like Mebroot, TLD/TDSS, Carberp, BlackEnergy, Ramnit and many more).

In February 2011, I started Palevo Tracker as sub-project of AMaDa. Palevo Tracker’s blocklist was served together with the AMaDa IP and Domain blocklist.

Running and maintaining the tracking infrastructure (ZeuS-, SpyEye- and Palevo Tracker) is very time intensive, also since it created much “background noise” (sometimes I think I need a secretary to handle all emails and requests). Hence I was prevented from blogging as much as I would have liked to last year. Unfortunately, every day only has 24 hours, and due to personal circumstances as well as my focus on other (non-public) projects I’m no longer able to provide AMaDa’s data / information with a good enough quality. I always serve data and information on “best effort” basis, and as I’m no longer able commit to that for AMaDa I’ve decided to discontinue the project (please keep in mind that all these projects are done in my spare time).

I’m aware that this is bad news for many of you, but fortunately I also have some good news. This weekend I moved Palevo Tracker onto a new infrastructure. I decided to keep Palevo Tracker running as a “new” project. Since AMaDa is gone, Palevo Tracker has found a new home on it’s own sub domain:

Palevo Tracker (including it’s blocklists) can be found at https://palevotracker.abuse.ch

If you are using one of AMaDa’s blocklists, please ensure that you stop query them as they are no longer available. If you want to keep up identifying Palevo botnet C&Cs please switch to one of the blocklists available on Palevo Tracker’s Blocklist page.

*** Links ***

Introducing: Palevo Tracker

Today we are going to talk about a nasty worm called Palevo.

Palevo (also known as Rimecud, Butterfly bot or Pilleuz) made some big press in 2009 when Panda Security announced the coordinated takedown of a huge botnet that they called Mariposa.

Since then the threat lost its media attention, but what most people don’t known is: Palevo is still a big player in the global threat landscape. According to FireEye, in 2010 Palevo was the top malware (# of infections) in the world:

Source: FireEye’s Malware Intelligence Lab: World’s Top Malware

Palevo is a so called bot kit that is being sold in underground forums (like ZeuS) using the name BUtterFly BOT. Therefore there are dozens of different botnets out there run by different criminal groups.

So what is the key to the success of Palevo? The worm is using different techniques to spread itself. The most common builtin techniques include:

  • P2P filesharing programs (bearshare, imesh, emule, limewire etc.)
  • Instant messaging (MSN- / Windows Live Messenger)
  • Removable drives (like USB-Sticks)

In addition, criminals have been observed linking other spreading mechanisms such as windows filesharing spread with palevo to achieve maximum impact.

During the past few months I have come across dozens of USB sticks infected with a variant of Palevo. Unfortunately, most (new) Palevo samples have a very bad detection rate. This makes it pretty easy to get infected. Just imagine you are attending a meeting or event, and you ask your colleague or the presenter to get a copy of the presentation he just held a few minutes before. What will he do? Well, most probably he will provide you with his USB stick with a copy of the presentation and BOOM – you are infected.

Another aspect of the problem is the fact that most employees are using the same USB stick at home and at work. If they plug-in the USB stick (which were previously infected by Palevo on the home computer) into the office computer, Palevo will infected it immediately. In this case it doesn’t matter what corporate Firewall or what Spam-Filter you are using in your network – you will get infected before most of the corporate security devices have had a chance to kick in.

In spite of Microsofts decision to disable autoplay in Windows 7, and the highly needed disabling of autorun (except for CDs) in XP/Vista/2003/2008, Palevo still seems to spread widely.

A further problem is the way Palevo communicates with its Command&Control server (C&C): The worm uses UDP and encrypts the data sent to the C&C server on (in most cases) a high port (e.g. 7700 UDP). The reason why Palevo uses UDP is simple: There is a bunch of Firewalls/Appliances out there which are poorly configured and therefore:

  • aren’t logging UDP packets in the Firewall log
  • allow UDP traffic by default

That makes it pretty easy to keep the Palevo C&C traffic hidden even in corporate networks.

*** Palevo Tracker ***
As outlined above, Palevo is a huge threat for corporate- and home networks. Due to the fact that it is spread widely and most people are not aware of the problem I have decided to create Palevo Tracker. My goals are:

  • Get some attention on the Palevo threat
  • Provide a blocklist for well known Palevo C&Cs to the internet community
  • Provide details regarding Palevo C&Cs to ISPs, CERTs and Law Enforcement
  • Keep the project smart and simple as possible

To keep it simple I’ve created Palevo Tracker as sub-project on AMaDa. This means that the Palevo Tracker blocklist is included in the AMaDa C&C Blocklist.

You can use the blocklist to block Palevo C&C traffic proactively and/or to identify infected clients (e.g. by matching the blocklist against your Firewall logs).

*** Further Links ***
Below are some links to different AV-vendors currently detecting Palevo:

Symantec: W32.Pilleuz
McAfee: W32/Palevo
Microsoft: Win32/Rimecud
Symantec Connect: The Mariposa Butterfly

Follow me on Twitter: twitter.com/abuse_ch