
Killing the beast…Part 1

The purpose of this series of articles is very simple: to give our readers an idea of the current geographical distribution of command and control coordinates for some of the top botnets. Based on this data I'll try to estimate whether it is possible to shut down these botnets by pulling the plug on these servers. The botnets which will be discussed in these articles are Pushdo, Xarvester, Rustock, Koobface and Ozdok. These stats are based on my sandnet logs for the last 3 months or so. By no means is this list complete, but it will give our readers a reasonable idea of the current motherships for these botnets.

Pushdo

Here is the list of Pushdo CnCs arranged in tabular form:

| Sr.no | ISP | IPs | Country |
|---|---|---|---|
| 1 | INTERSERVER INC | 66.45.246.146 | NEW JERSEY, USA |
| 2 | UBIQUITY SERVER SOLUTIONS | 69.147.239.106 | NEW YORK, USA |
| 3 | MONITORING | 94.103.4.217, 94.103.4.230 | MOLDOVA, REPUBLIC |
| 4 | SOFTLAYER TECHNOLOGIES INC | 174.36.201.82, 208.43.154.226, 208.43.162.82, 208.43.162.84 | DALLAS, TEXAS, USA |
| 5 | BLUEJEEP.COM | 66.197.167.21 | MASSACHUSETTS, USA |
| 6 | ARABSGATE | 66.96.214.197 | SAUDI ARABIA |
| 6 | LIMESTONE NETWORKS INC | 69.162.79.82, 69.162.64.146 | DALLAS, TEXAS, USA |
| 7 | NETWORK OPERATIONS CENTER INC | 66.197.131.69 | PENNSYLVANIA, USA |
| 8 | THEPLANET.COM INTERNET SERVICES INC | 74.53.42.61, 75.125.213.202, 74.54.224.242, 74.54.77.82, 74.54.135.202, 75.125.238.10 | DALLAS, TEXAS |
| 9 | 2086 WESTMORE AVE | 69.64.67.194 | MONTREAL, QUEBEC, CANADA |
| 10 | GODADDY.COM | 72.167.49.117, 68.178.255.165, 97.74.115.222 | SCOTTSDALE, ARIZONA, USA |
| 11 | ABACUS AMERICA INC | 216.55.176.45 | SAN DIEGO, CALIFORNIA, USA |
| 12 | ZLKON | 94.247.3.46, 94.247.2.95 | LATVIA |
| 13 | BRUCE GARRET | 208.66.194.232 | ST. PETERSBURG, FLORIDA, USA |
| 14 | APS COMMUNICATION | 209.66.122.238 | SAN JOSE, CALIFORNIA, USA |
| 15 | UATELECOM ISP | 91.203.92.7 | UKRAINE |

The first thing which is clearly visible from the above stats is that Pushdo is no longer relying on one or two ISPs. The list above has about 29 CnC servers distributed all across the globe. What are our chances of shutting down the servers in Ukraine, Latvia or Saudi Arabia?

Just imagine for a minute that all of these data centers pull the plug at once. What will happen then? Before the McColo shutdown, Pushdo used to have a long list of hard-coded CnC IPs, but that is no longer the case. Some recent analysis (tip o' the hat to our friend Ross Thomas over at SophosLabs for the heads up) shows that new variants also contain a domain-based fallback mechanism. Guess what: the name of this fallback domain today is 'fireasseye.com'. It looks like someone from FireEye made *someone* really upset. It can't be me ..:).


Anyway, what this means is that even if all the Pushdo command servers are shut down at once, the Pushdo guys can recover their botnet using this fallback domain. The situation in the case of 'Cutwail' is even worse. As many readers of this blog will already know, 'Cutwail' is one of the child downloads of Pushdo and is its actual spam weapon. On start-up, Pushdo silently downloads Cutwail and injects it into other processes, normally 'svchost.exe'. It never tries to install Cutwail permanently on the infected system. What this means is that even if all Cutwail CnCs are killed, the next day Pushdo can download another variant pointing to some other server. One can imagine what happened after the rogue ISP 3fn (which was serving many of the Cutwail CnCs) was shut down.

What if the Pushdo fallback domain(s) are somehow taken away from the bot herders? I guess this would be a partial success. We have already seen that Pushdo is one of the active members of the Virut, Bredolab and Exchanger botnet webs. These top-level malware droppers might again drop another instance of Pushdo onto the infected machine, reporting to a completely different IP block. Killing the beast is not that easy.
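To make the takedown argument above concrete from the defender's side, here is an added example (not code from the original post or from FireEye) that turns a subset of the CnC table into a per-country takedown-coverage calculation and runs a simple detection pass over constructed log lines, including the DNS fallback domain the post names. The log format, the `SAMPLE_LOG` records and the country-only simplification of the table's location column are assumptions made for the example.

```python
# Added example, not from the original post. Turns the Pushdo CnC table into
# (a) a takedown-coverage calculation by country and (b) a detection pass over
# constructed log lines, including the fallback domain named in the post.
from collections import Counter, defaultdict
import re

# (ISP, IP, country) rows copied from the table above; subset, country only.
PUSHDO_CNC = [
    ("INTERSERVER INC", "66.45.246.146", "USA"),
    ("UBIQUITY SERVER SOLUTIONS", "69.147.239.106", "USA"),
    ("MONITORING", "94.103.4.217", "MOLDOVA"),
    ("MONITORING", "94.103.4.230", "MOLDOVA"),
    ("SOFTLAYER TECHNOLOGIES INC", "174.36.201.82", "USA"),
    ("ARABSGATE", "66.96.214.197", "SAUDI ARABIA"),
    ("ZLKON", "94.247.3.46", "LATVIA"),
    ("ZLKON", "94.247.2.95", "LATVIA"),
    ("UATELECOM ISP", "91.203.92.7", "UKRAINE"),
]
FALLBACK_DOMAINS = {"fireasseye.com"}  # fallback domain named in the post

def cnc_by_country(rows):
    """Count CnC IPs per country."""
    return Counter(country for _, _, country in rows)

def takedown_coverage(rows, countries):
    """Fraction of CnC IPs removed by a takedown limited to `countries`."""
    hit = sum(1 for _, _, c in rows if c in countries)
    return hit / len(rows)

# Constructed log lines (assumed format, not real traffic):
# "<src> -> <dst>:<port>" for connections, "<src> DNS <name>" for lookups.
SAMPLE_LOG = """\
10.0.0.5 -> 66.45.246.146:80
10.0.0.5 -> 8.8.8.8:53
10.0.0.9 DNS fireasseye.com
10.0.0.7 -> 91.203.92.7:80
10.0.0.7 DNS www.example.com
"""
CONN_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) DNS (\S+)$")

def flag_infected(log_text, rows, fallback_domains):
    """Return {host: [reasons]} for hosts that contacted a CnC IP or
    resolved a fallback domain; the latter catches bots whose hard-coded
    CnCs are already down."""
    cnc_ips = {ip for _, ip, _ in rows}
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        if (m := CONN_RE.match(line)) and m.group(2) in cnc_ips:
            flagged[m.group(1)].append(f"connected to CnC {m.group(2)}")
        elif (m := DNS_RE.match(line)) and m.group(2).lower() in fallback_domains:
            flagged[m.group(1)].append(f"resolved fallback domain {m.group(2)}")
    return dict(flagged)
```

With the full table loaded, `takedown_coverage` shows what share of the 29 servers a US-only action would reach, and the DNS rule is what still fires once those IPs go dark.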

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM

7 thoughts on “Killing the beast…Part 1”

  1. Quite a big beast, with too many heads..
    About Latvia, would it be easier to influence Latvia (rather than Arabia or Ukraine), because it’s in EU?

  2. Looking at the third one in the list “MOLDOVA, REPUBLIC” I can tell you that the server is hosted in the separatist part of the country, so no officials will be able to shut down this server.

  3. Pick them off one by one; even if they don't all get shut down, the more the better.

  4. Regarding the first entry in your list (1, INTERSERVER INC, 66.45.246.146, NEW JERSEY, USA):
    This January 19, 2009 entry at threatexpert.com may be of interest:
    hxxp://www.threatexpert.com/report.aspx?md5=31d99bff63bb3e6183d9a8072051a13d
    The entry describes a Pushdo trojan and its attempts to contact 4 hosts, one of which was 66.45.246.146. The other three may have been shut down, but as you report, 66.45.246.146 is currently active. Perhaps Interserver needs a push to do the right thing.
    Appreciate your postings.

  5. Have you folks considered an adaptive algorithm in your boxes that automatically detects and blocks traffic originating from these IPs – at least those directed at vulnerable ports? This will place the onus of fixing the problem at the ISPs and/or originating sites..
    Carlos

  6. Atif, I am not sure how you figured out that the ISP for 66.96.214.197 is Arabsgate. First of all, Arabsgate is not an ISP. Second, a whois lookup of that IP shows the following:
    network: Class-Name: network
    network: ID: net-66.96.214.192/28
    network: Auth-Area: 66.96.192.0/18
    network: Network-Name: NET-669621419228
    network: IP-Network: 66.96.214.192/28
    network: Organization;I: org–8830
    network: Org-Name: DMEHosting.com – EPCO c/o Network Operations Center Inc.
    network: Street-Address: PO Box 591
    network: City: Scranton
    network: State-Prov: PA
    network: Postal-Code: 18510-0591
    network: Country-Code: US
    network: Phone: 1-570-343-8551
    network: Abuse-Email: abuse@hostnoc.net
    network: Abuse-Phone: 1-570-343-8551
    network: Tech-Email: nic@hostnoc.net
    http://www.samspade.org
    If in doubt, you can do a tracert to the IP and the last two hops shows the following:
    ….
    9 278 ms 283 ms 293 ms ec1-20.agg04.sctn01.hostnoc.net [96.9.191.14]
    10 335 ms 335 ms 342 ms 6696214197.hostnoc.net [66.96.214.197]
    hostnoc.net refers to Network Operations Center Inc., a provider located in PENNSYLVANIA, USA.
