Introducing: Feodo Tracker

In the past week I’ve received multiple reports about wide-spread spam campaigns hitting German speaking countries. The spam emails are multi-themed and pretend to come from either Volksbank, Deutsche Telekom, Vodafon D2 or NTT. There are already various blog posts about the latest spam campaign for example on G Data SecurityBlog (German) or Cisco Blog (English). Deutsche Telekom has also already published a blog post on their website warning its customers about fake invoices (German) pretending to come from Deutsche Telekom. While the fake invoices that are being sent out by the cybercriminals vary, they usually point to a malicious website that always serves the same malware to its visitors: Feodo.

Feodo (also known as Cridex and Bugat) is yet another ebanking Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or user credentials. The trojan itself isn’t really new, in fact its already been around for over two years now – it was first spotted in January 2012. Feodo is not only hitting Germany, its also hitting financial institutions in several other countries.

Feodo Modus Operandi
Currently, there are two versions of Feodo known: Let’s call them version A and version B. The spam- and malware-campaign we have seen recently hitting Germany can be attributed to version B. One of the biggest differences between those two versions is the way an infected computer (bot) communicates with its C&C servers. While version A is communicating over HTTP to hijacked servers running a nginx daemon on port 8080 TCP (which are in fact just acting as proxy node forwarding all botnet traffic to a tier 2 proxy server), version B communicates with its botnet C&C infrastructure using HTTP on port 80 TCP. For version B, the botnet C&C infrastructure (domain names + hosting) is set up by cybercriminals for the exclusive purpose of hosting a Feodo botnet C&C server.

Mitigating the Feodo threat

As mentioned earlier, Feodo isn’t a new threat but it seems to be emerging these days. Hence, I’ve decided to put Feodo in the spotlight by launching yet another tracker. Introducing: Feodo Tracker. Similar to the existing trackers for ZeuS, SpyEye and Palevo, Feodo Tracker provides an overview over existing Feodo botnet C&C servers and serves a blocklist in different formats, allowing system- and network administrators to spot and stop Feodo C&C traffic in their network as well as identifying infected computers in the local network (LAN). Currently, Feodo Tracker offers plain text blocklists for both Feodo C&C IP addresses and Feodo C&C domains but also IDS/IPs rules for Snort and Suricata.

Feodo Malware Distribution
Looking at the modus operandi of this Feodo gang (which is running version B) and how they operate to recruit new bots shows that they are using both compromised websites as well as domain names registered for the exclusive purpose of infecting new computers (spam landing pages). Sample URLs/Domains are:

hXXp://clownjohh.ru/vodafone_online/ (malicious domain)
hXXp://clownjohh.ru/telekom_deutschland/ (malicious domain)
hXXp://sencert.ru/volksbank_eg/ (malicious domain)
hXXp://mmc-tt.ru/telekom/ (malicious domain)
hXXp://frtyui.ru/telekom_deutschland/ (malicious domain)
hXXp://1pfkc1.happykid.ch/vodafon/ (compromised/hijacked)
hXXp://xs9imj.tenebro.us/telekom/ (compromised/hijacked)
etc…

Those URLs are embedded / advertised in the spam mails which are being sent out by the criminals using stolen SMTP credentials. By taking advantage of stolen SMTP credentials the criminals bypass usual DNSBL-driven spam filters. Most of the advertised .ru URLs (which are, as said, usually registered by the cybercriminals themselves for the exclusive purpose of hosting a Feodo malware distribution site) are registered through the Russian based domain registrar REG.RU.

Feodo Botnet C&C Infrastructure
Looking at the Feodo botnet C&C Infrastructure for this Feodo campaign (version B) shows that all botnet C&C domains are within ccTLD .ru and, again, registered through the Russian based domain registrar REG.RU:

Feodo C&C domains

It’s not the first time criminals are using REG.RU to register malicious domain names. In this case the criminals also decided to host their DNS at REG.RU’s DNS infrastructure. All Feodo botnet C&C domains I’ve seen so far are using REG.RU’s DNS infrastructure as delegated DNS servers:

ns1.reg.ru. 345600 IN A 31.31.205.39
ns1.reg.ru. 345600 IN A 31.31.205.55
ns1.reg.ru. 345600 IN A 31.31.205.73
ns1.reg.ru. 345600 IN A 31.31.204.25
ns1.reg.ru. 345600 IN A 31.31.204.37
ns1.reg.ru. 345600 IN A 31.31.204.52
ns1.reg.ru. 345600 IN AAAA 2a00:f940::25
ns2.reg.ru. 345600 IN A 31.31.205.56
ns2.reg.ru. 345600 IN A 31.31.205.74
ns2.reg.ru. 345600 IN A 88.212.207.122
ns2.reg.ru. 345600 IN A 198.100.149.22
ns2.reg.ru. 345600 IN AAAA 2a00:f940::37

Hence, you may want to block any DNS query going to REG.RU’s DNS infrastructure to prevent further abuse. But please keep in mind that there are also thousands of legit domain names using REG.RU’s DNS infrastructure, so blocking those DNS servers will cause collateral damage.

Conclusion
My goal is to provide system- and network administrators – as well as Internet Service Providers (ISPs) – the possibility to mitigate the recent Feodo attacks by blocking known bad Feodo C&C botnet traffic at their network edge (such as Router, Firewalls, Web-Proxy and DNS-servers). I hope Feodo Tracker will help to support these efforts. If you have feedback on Feodo Tracker or any other project please feel free to drop me a line using the contact form.

Follow me on Twitter: https://twitter.com/abuse_ch

Further readings

Leave a Reply

Your email address will not be published. Required fields are marked *