Archive for March, 2010

Malc0de Database Update

Initially, malc0de.com was created to link domains that were serving the same executable. What I found out in a very short period of time is that the binaries are updated so frequently that this becomes almost impossible. Storing the MD5 is still useful, just not as useful as I originally thought. The only purpose of malc0de.com is to store and keep track of domains that host malicious binaries.

I have recently made a few adjustments to the database which should speed up the queries. I have also linked the IP addresses to a good friend of mine's newly created website, www.malwaregroup.com. Think of it as a robtex for malware domains.

For example, here we can find a domain hosting the Neosploit exploit pack. The domain is hosted on 75.125.212.58. By searching malwaregroup.com we can see domains hosted on the same IP that are named in a similar fashion and are most likely also hosting Neosploit or being staged to do so.
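The IP pivot described above, as an added example that is not code from malc0de.com or malwaregroup.com: given records in the shape the database keeps (domain, hosting IP, MD5 of the binary served), it lists every domain seen on one IP, flags pairs whose naming pattern matches, and counts how many distinct binaries each domain has served. All domains, IPs and hashes below are constructed placeholders, not real indicators.

```python
import difflib
from collections import defaultdict

# Constructed sample records: (domain, hosting IP, MD5 of the binary seen).
# Names use the reserved .example TLD and IPs the RFC 5737 test range.
RECORDS = [
    ("update-soft1.example", "192.0.2.58", "a" * 32),
    ("update-soft1.example", "192.0.2.58", "b" * 32),  # same domain, binary changed
    ("update-soft2.example", "192.0.2.58", "c" * 32),
    ("updatesoft3.example",  "192.0.2.58", "d" * 32),
    ("cdn-files.example",    "192.0.2.58", "e" * 32),
    ("unrelated.example",    "192.0.2.99", "f" * 32),
]

def domains_on_ip(records, ip):
    """Pivot step: every domain the database has seen hosted on this IP."""
    return sorted({domain for domain, host_ip, _ in records if host_ip == ip})

def binaries_per_domain(records):
    """Distinct MD5s per domain; a count above 1 is a binary that was swapped out."""
    seen = defaultdict(set)
    for domain, _, md5 in records:
        seen[domain].add(md5)
    return {domain: len(hashes) for domain, hashes in seen.items()}

def _stem(domain):
    # Compare on the leftmost label with digits and hyphens removed, so that
    # "update-soft1" and "updatesoft3" reduce to the same stem "updatesoft".
    return "".join(ch for ch in domain.split(".")[0] if ch.isalpha())

def similar_names(domains, threshold=0.8):
    """Pairs of domains whose stems match closely: the 'named in a similar fashion' heuristic."""
    pairs = []
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            if difflib.SequenceMatcher(None, _stem(a), _stem(b)).ratio() >= threshold:
                pairs.append((a, b))
    return pairs

def pivot(records, ip):
    """Full pivot: co-hosted domains on the IP plus the similarly named pairs among them."""
    domains = domains_on_ip(records, ip)
    return {"domains": domains, "similar": similar_names(domains)}

if __name__ == "__main__":
    print(pivot(RECORDS, "192.0.2.58"))
    print(binaries_per_domain(RECORDS))
```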

The Command Structure of the Aurora Botnet

A detailed write-up describing the command and control structure of the Aurora Botnet was recently released by a security company called Damballa. The 31-page PDF, which can be found here, makes some interesting connections and is definitely worth reading.

Damballa’s findings concerning Operation Aurora can be summarized by the following:

At the time the attack was first noticed by Google in December 2009, systems within at least 7 countries had already been affected. By the time Google made the public disclosure of the attack on January 12 2010, systems in over 22 countries had been affected and were attempting to contact the CnC servers – the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.

The Trojan.Hydraq malware, which has been previously identified as the primary malware used by the attackers, is actually a later staging of a series of malware used in the attacks which consisted of at least three different malware ‘families’. Two additional families of malware (and their evolutionary variants) have been identified, and they were deployed using fake antivirus infection messages tricking the victim into installing the malicious botnet agents.

The attacks that eventually targeted Google can be traced back to July 2009, with what appears to be the first testing of the botnet by its criminal operators. The analysis identifies the various CnC testing, deployment, management and shutdown phases of the botnet CnC channels.

The botnets used dozens of domains in diverse Dynamic DNS networks for CnC. Some of the botnets focused on victims outside of Google, suggesting that each set of domains might have been dedicated to a distinct class or vertical of victims.

Some of the CnC domains appear to have been dormant for a period of time after they had infected a number of victim systems. This can occur after the botnet operator has updated the botnet malware with new (more powerful) variants or when the criminal operator sells/trades a segment of the botnet to another criminal operator.

There were network artifacts that suggest that the botnet malware operating with the US-based victims’ networks made use of email services to extract the stolen data from the breached organizations.

There is evidence that there were multiple criminal operators involved, and that the botnet operators were of an amateur level. The botnet has a simple command topology and makes extensive use of Dynamic DNS CnC techniques. The construction of the botnet would be classed as “old-school”, and is rarely used by professional botnet criminal operators today.
