Malc0de Database Update

Initially malc0de.com was created to link domains that were serving the same executable. What I found out in a very short period of time is that the binaries are updated so frequently that this becomes almost impossible. Storing the MD5 is still useful, just not as useful as I originally thought. The sole purpose of malc0de.com is now to store and keep track of domains that host malicious binaries.

I have recently made a few adjustments to the database which should speed up the queries. I have also linked the IP addresses to a good friend of mine's newly created website www.malwaregroup.com. Think of it as a robtex for malware domains.

For example, here we can find a domain hosting the Neosploit exploit pack. The domain is hosted on 75.125.212.58. By searching malwaregroup.com for that IP we can see other domains hosted on it that are named in a similar fashion and are most likely also hosting Neosploit or being staged for it.

The Command Structure of the Aurora Botnet

A detailed write-up describing the command and control structure of the Aurora botnet was recently released by a security company called Damballa. The 31-page PDF, which can be found here, makes some interesting connections and is definitely worth reading.

Damballa’s findings concerning Operation Aurora can be summarized by the following:

At the time the attack was first noticed by Google in December 2009, systems within at least 7 countries had already been affected. By the time Google made the public disclosure of the attack on January 12 2010, systems in over 22 countries had been affected and were attempting to contact the CnC servers – the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.

The Trojan.Hydraq malware, which has been previously identified as the primary malware used by the attackers, is actually a later staging of a series of malware used in the attacks which consisted of at least three different malware ‘families’. Two additional families of malware (and their evolutionary variants) have been identified, and they were deployed using fake antivirus infection messages tricking the victim into installing the malicious botnet agents.

The attacks that eventually targeted Google can be traced back to July 2009, with what appears to be the first testing of the botnet by its criminal operators. The analysis identifies the various CnC testing, deployment, management and shutdown phases of the botnet CnC channels.

The botnets used dozens of domains in diverse Dynamic DNS networks for CnC. Some of the botnets focused on victims outside of Google, suggesting that each set of domains might have been dedicated to a distinct class or vertical of victims.

Some of the CnC domains appear to have been dormant for a period of time after they had infected a number of victim systems. This can occur after the botnet operator has updated the botnet malware with new (more powerful) variants or when the criminal operator sells/trades a segment of the botnet to another criminal operator.

There were network artifacts that suggest that the botnet malware operating with the US-based victims’ networks made use of email services to extract the stolen data from the breached organizations.

There is evidence that there were multiple criminal operators involved, and that the botnet operators were of an amateur level. The botnet has a simple command topology and makes extensive use of Dynamic DNS CnC techniques. The construction of the botnet would be classed as “old-school”, and is rarely used by professional botnet criminal operators today.

Past 30 Days of Malicious Activity

The past 30 days of data collected and stored in the malc0de database shows the United States is the top offender when it comes to domains hosting malware. The first graph represents how much malware was collected each day between 01/21/2010 – 02/21/2010. We can see a spike around Valentine's Day, which can probably be attributed to spam/malware campaigns taking advantage of the holiday. The dip on the 9th is likely the result of something breaking on my end, so ignore it.

I thought it would also be interesting to create a graph based on which countries have hosted the most malware during the previous 30 days. I was a little surprised at the results, with the United States at the top of the list and China coming in second place.

Keep in mind that this data only represents a tiny snapshot in the overall scheme of things and is specific to malware collected by malc0de.com.

Last but not least, the list below represents the top ten binaries seen during the past 30 days.

Count – MD5
251 – 7981f884202bf9f50bb5cb9bf3adbeb1
200 – 105082712e5a14db357fb9432bc9ca22
198 – eeda586b324d69ebf6b537724ad122cb
178 – 1bf3bbfa188f1b8fd0ffc498be481d53
171 – eec01f6a39e56ae3efe0a9866ba09b33
125 – 9ec690317e2109169c371c81341ec3d3
82 – 4f4a22a1391fe11be2c9c9b77ded0949
75 – a1e96a96471e08dae17d0b9b6873d726
75 – a17a76e2f0f8343bbd4c49c9eaef83a3
67 – 1620ef6bb04e2ca548f3e7951f2a8a6f

The MD5s above are all related to Trojan Koobface. If you are interested in tracking domains and IPs contacted by or distributing Koobface, click here for an updated list.
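The three views in this post (binaries per day, binaries per hosting country, top hashes) and the original "which domains serve the same executable" pivot from the database update post are all simple aggregations over one feed. The script below is an added example, not malc0de.com's own code, run over a constructed feed of (date, domain, ip, country, md5) rows. The hostnames, documentation-range IPs and repeated-byte "hashes" are placeholders, not real indicators; the shape of the data (a holiday spike, one dead collector day, US ahead of CN) is arranged to mirror what the post describes.

```python
"""Aggregate a malc0de-style feed of (date, domain, ip, country, md5) rows.

Added example with constructed data; not the malc0de.com database or code.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample feed. Domains use the reserved .test TLD, IPs come from
# the 203.0.113.0/24 documentation range, and the "hashes" are repeated-byte
# placeholders: none of these are real indicators.
H1, H2, H3 = "a1" * 16, "b2" * 16, "c3" * 16


def _rows(date, country, n, md5, prefix):
    """Build n constructed rows for one day / country / sample."""
    return [(date, f"{prefix}{i}.example.test", f"203.0.113.{i}", country, md5)
            for i in range(n)]


SAMPLE_ROWS = (
    _rows("2010-02-07", "US", 4, H1, "us-a")
    + _rows("2010-02-08", "US", 4, H1, "us-b")
    + _rows("2010-02-09", "CN", 1, H2, "cn-a")   # collector broke that day
    + _rows("2010-02-10", "US", 3, H2, "us-c")
    + _rows("2010-02-11", "CN", 4, H3, "cn-b")
    + _rows("2010-02-12", "DE", 4, H1, "de-a")
    + _rows("2010-02-13", "US", 5, H1, "us-d")
    + _rows("2010-02-14", "US", 12, H1, "us-e")  # holiday spam wave
)


def daily_counts(rows):
    """Binaries collected per day, ordered by date (the first graph)."""
    counts = Counter(r[0] for r in rows)
    return dict(sorted(counts.items()))


def country_counts(rows):
    """Hosting country -> number of binaries (the second graph)."""
    return Counter(r[3] for r in rows)


def top_hashes(rows, n=10):
    """Top-n (count, md5) pairs; ties broken by md5 so output is stable."""
    counts = Counter(r[4] for r in rows)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(c, h) for h, c in ranked[:n]]


def domains_per_hash(rows):
    """md5 -> set of domains that served it (the 'link domains serving the
    same executable' idea). A hash seen from many domains is worth pivoting
    on; one seen once per domain is probably repacked per download."""
    out = defaultdict(set)
    for _, domain, _, _, md5 in rows:
        out[md5].add(domain)
    return dict(out)


def flag_outlier_days(rows, factor=2.0):
    """Label days far from the median count as 'spike' or 'dip', so a spam
    wave and a broken collector are both called out before anyone reads
    the chart. Returns {date: label} for outlier days only."""
    counts = daily_counts(rows)
    if not counts:
        return {}
    mid = median(counts.values())
    labels = {}
    for day, c in counts.items():
        if c >= factor * mid:
            labels[day] = "spike"
        elif c <= mid / factor:
            labels[day] = "dip"
    return labels


if __name__ == "__main__":
    for c, h in top_hashes(SAMPLE_ROWS, 3):
        print(f"{c} - {h}")
    print(country_counts(SAMPLE_ROWS).most_common(3))
    print(flag_outlier_days(SAMPLE_ROWS))
```

The outlier check is the part worth keeping: a per-day count that is double or half the median is either a campaign or a collection failure, and either way it should be annotated before the graph is published rather than explained away afterwards.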

Zief.pl And Friends Distribute Trojan Virut

Zief[dot]pl and a handful of other domains hosted on the same IP address (61.235.117.71) are currently attempting to distribute Trojan W32/Virut using various client-side exploits. The Win32/Virut family is particularly nasty and consists of file-infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.

Upon execution Win32/Virut opens a connection to one of its IRC servers over a non-standard IRC port. This channel is used for command and control, allowing the attacker to control the machine or download additional malicious components onto the system.

One example:

Server: proxima.ircgalaxy.pl
Port: 65520
Channel: &virtu
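Because the bot talks IRC on port 65520 rather than 6667, a port-based rule misses it; the detection has to key on the protocol in the payload. The script below is an added example, not code from this post or from any Virut analysis: it inspects constructed client-to-server flows, recognises IRC registration commands wherever they appear, and flags the two things that stand out in the example above, IRC on a non-standard port and a join to a server-local `&` channel. The server name, port and channel come from the post; the nick, user string and the other flows are made up.

```python
"""Flag IRC command-and-control regardless of destination port.

Added example with constructed flows; not code from the original post.
"""
import re
from dataclasses import dataclass, field

# Ports where IRC is expected; IRC seen anywhere else is the suspicious case.
STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Client registration / command lines at the start of a session. Matching is
# case-sensitive on purpose: bots send uppercase, and a lowercase match on
# "User-Agent:" would make every HTTP request look like IRC.
IRC_CLIENT_CMD = re.compile(rb"^(PASS|NICK|USER|JOIN|MODE|PRIVMSG|PONG)\b", re.M)
# Server numeric replies look like ":server 001 nick :Welcome ...".
IRC_SERVER_REPLY = re.compile(rb"^:\S+ \d{3} ", re.M)
JOIN_CHANNEL = re.compile(rb"^JOIN\s+([#&][^\s,]+)", re.M)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client->server stream


@dataclass
class Finding:
    flow: Flow
    commands: list
    channels: list
    reasons: list = field(default_factory=list)


def inspect(flow):
    """Return a Finding when the payload speaks IRC, else None."""
    cmds = [c.decode() for c in IRC_CLIENT_CMD.findall(flow.payload)]
    if not cmds and not IRC_SERVER_REPLY.search(flow.payload):
        return None
    chans = [c.decode(errors="replace") for c in JOIN_CHANNEL.findall(flow.payload)]
    finding = Finding(flow, cmds, chans)
    if flow.dport not in STANDARD_IRC_PORTS:
        finding.reasons.append(f"IRC on non-standard port {flow.dport}")
    # '&' channels are local to one server; bots use them, people rarely do.
    for ch in chans:
        if ch.startswith("&"):
            finding.reasons.append(f"local channel {ch}")
    return finding


def scan(flows):
    """All flows that speak IRC, flagged or not."""
    return [f for f in map(inspect, flows) if f is not None]


def alerts(flows):
    """Only the findings with at least one reason to act on."""
    return [f for f in scan(flows) if f.reasons]


# Constructed sample flows.
SAMPLE_FLOWS = [
    # Mirrors the post: server, port and channel from the text, nick made up.
    Flow("10.0.0.12", "proxima.ircgalaxy.pl", 65520,
         b"NICK xqzlkwv\r\nUSER xqz 0 0 :xqz\r\nJOIN &virtu\r\n"),
    # An ordinary IRC client on the standard port: seen, not flagged.
    Flow("10.0.0.15", "irc.example.test", 6667,
         b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"),
    # Plain HTTP: must not match at all.
    Flow("10.0.0.20", "www.example.test", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: x\r\n\r\n"),
    # IRC hidden on 443 before any channel is joined.
    Flow("10.0.0.21", "203.0.113.9", 443,
         b"PASS s3cret\r\nNICK bot0042\r\n"),
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_FLOWS):
        print(f.flow.src, "->", f.flow.dst, f.flow.dport, "; ".join(f.reasons))
```

Run against real captures the same logic belongs in a protocol-aware sensor (Zeek's IRC analyser or a Snort/Suricata rule with `content:"NICK "; depth:5;` on any port); the point is that port 65520 must not be the thing you match on.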

What happened when Google visited this site?

Of the 42 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-30, and the last time suspicious content was found on this site was on 2010-01-30. Malicious software includes 738 exploit(s), 416 virus, 320 scripting exploit(s).

This site was hosted on 3 network(s) including AS4134 (China Telecom backbone), AS9394 (CRNET), AS38356 (TIMENET).

This campaign has been going on for more than 30 days from the same IP address hosted in China (big surprise).

inetnum: 61.235.117.0 – 61.235.117.255
netname: CRGdSzS
country: CN
descr: China Railcom Guangdong Shenzhen Subbranch
descr: Telecommunication Company
descr: Shenzhen City,Guangdong Province

All activity including timeframe, domains, md5s and IP’s can be found here.

**Update 02/27/2010**
A more detailed analysis of Trojan Virut can be found here. Thanks Nicolas Brulez for bringing this to my attention.

Fake UPS spam distributes Trojan Bredolab

In early December I wrote about a fake DHL spam campaign which was found to be distributing Trojan Bredolab. The new spam campaign is very similar to the last one, but this time the mail purports to come from UPS.

Example

Subject: UPS Tracking Number 5845190

“Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

[attachment: UPS_invoice_NR12944.zip]”

VirusTotal results for the attachment can be found here. Domains known to be contacted by Trojan Bredolab are listed below (date first seen, URL, IP).

20091217: http://mmsfoundsystem.ru, 193.104.12.20
20091227: http://preflopp.com, 95.211.8.170
20100105: http://greatmoder.cn, 122.115.63.19
20100108: http://213.108.56.125, 213.108.56.125
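Two things in the sample give this lure away before anyone opens the zip: the tracking number in the subject (5845190) is not the one in the attachment name (NR12944), and the "shipping label" is an archive wrapping an executable. The script below is an added example, not the post's code or anything from the real campaign: it builds a constructed message modelled on the quoted spam, with a stub zip containing a 64-byte file that starts with the PE `MZ` magic rather than the real Bredolab dropper, and runs the checks a mail-gateway analyst would apply, returning the hashes for a VirusTotal lookup along with the reasons.

```python
"""Triage a delivery-notice e-mail for the zip-wrapped executable pattern.

Added example. The message is constructed to mirror the fake UPS sample and
the attachment is a stub built in memory, not the real Bredolab dropper.
"""
import email
import hashlib
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run on a double-click; one of these inside a zip deserves
# a closer look whatever the zip is called.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
NUMBER = re.compile(r"\d{4,}")


def build_sample_eml():
    """Constructed message modelled on the quoted spam. The zip holds a
    64-byte stub beginning with the PE 'MZ' magic, not a real executable."""
    msg = EmailMessage()
    msg["Subject"] = "UPS Tracking Number 5845190"
    msg["From"] = "United Parcel Service <noreply@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg.set_content(
        "Hello!\nThe courier company was not able to deliver your parcel "
        "by your address.\nThe shipping label is attached to this e-mail.\n")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_invoice_NR12944.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="UPS_invoice_NR12944.zip")
    return msg.as_bytes()


def _inspect_zip(data):
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = os.path.splitext(info.filename.lower())[1]
                if ext in EXECUTABLE_EXT:
                    reasons.append(f"executable inside archive: {info.filename}")
                with zf.open(info) as fh:
                    # Check the bytes, not the name: a renamed .exe still runs.
                    if fh.read(2) == b"MZ":
                        reasons.append(f"PE header inside archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("attachment claims to be a zip but does not parse")
    return reasons


def triage(raw):
    """Return one dict per attachment: name, hashes for a VT lookup, reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["Subject"] or ""
    subject_numbers = set(NUMBER.findall(subject))
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        hit = {
            "filename": name,
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "reasons": [],
        }
        # Carrier spam is templated: the number in the subject rarely matches
        # the number baked into the attachment name.
        name_numbers = set(NUMBER.findall(name))
        if subject_numbers and name_numbers and not (subject_numbers & name_numbers):
            hit["reasons"].append("tracking number in subject does not match attachment name")
        if os.path.splitext(name.lower())[1] in EXECUTABLE_EXT:
            hit["reasons"].append("executable attached directly")
        if data[:2] == b"PK":
            hit["reasons"].extend(_inspect_zip(data))
        results.append(hit)
    return results


def verdict(hits):
    """'block' if any attachment carries a reason, else 'allow'."""
    return "block" if any(h["reasons"] for h in hits) else "allow"


if __name__ == "__main__":
    hits = triage(build_sample_eml())
    for h in hits:
        print(h["filename"], h["md5"], "; ".join(h["reasons"]))
    print(verdict(hits))
```

The hashes are computed over the attachment exactly as received, which is what VirusTotal and the malc0de database key on; the inner file is inspected by content so a payload renamed to `.pdf` inside the archive is still caught by the `MZ` check.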
