Who is Exploiting the Java Zero-Day?

Update: Oracle recently released an emergency patch to fix this major flaw. See the details at the bottom.

————-

The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for drive-by malware attacks.  This flaw was exposed by Tavis Ormandy a few days back, and it did not take long for the bad guys to start using the proof-of-concept code for real exploitation.  I have been reading about the exploit details for the last few days, but very few details were available on the active use of this exploit.  Who are the guys using this exploit, and what are they spreading with it?  This article is all about that, with emphasis on the post-infection stuff.

Users who are interested in the inner workings of the 0-day flaw itself can read the full disclosure here.

It all started like this… yesterday afternoon my colleague Stuart Staniford pointed me to a malicious domain, hxxp://zikkuat.com (dead at the moment), which he believed was exploiting this 0-day flaw.  After a little analysis, I found this to be true indeed.  Here are the details of my findings after a closer look.


MITB (Man in the Browser) Protection Layers

In my last post, I talked about some of the MITB attacks currently being used by modern banking trojans like URLZone and Zeus/Zbot. Although most modern-day banks have various security measures in place, like multi-factor authentication, to prevent online theft, my last article shows that most of these techniques are not enough to prevent MITB attacks.  These techniques mostly make credential theft difficult, but not impossible.

Today I am going to describe some other techniques (just some random thoughts) that might be used to defend against common MITB attacks.

Disclaimer: Technique #2 as explained below may already be known in the security industry. It is not my intention to take any credit for inventing this technique if it is already known. Let's just critically analyze these techniques and do a cost and benefit analysis.


Man in the Browser

Man in the Browser, a.k.a. MITB, is a new breed of attack whose primary objective is to spy on browser sessions (mostly banking) and, in the process, intercept and modify the web page contents transparently in the background. In a classic MITB attack, it is very likely that what the user is seeing in his/her browser window is not what the actual server sent. Similarly, what the server sees on the other end might not be what the user intended to send. Why MITB? How is it different from conventional browser hijacking? I'll explain that shortly.


Infiltrating Pushdo — Part 1

It's very rare for a researcher to get a chance to explore the inner workings of a botnet command and control (CnC) server. Detailed analysis of a botnet CnC server or a command sub-component can yield valuable information about the capabilities of the botnet itself, and possibly the motives of the bad guys behind it. However, gaining access to a botnet CnC server often depends on the will of the hosting providers. Recently, while I was casually monitoring our MAX Network logs for the current geo-locations of Pushdo CnCs, I got the following results for the past 30 days:


Smashing the Mega-d/Ozdok botnet in 24 hours

In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight different approaches to taking down this botnet in theory. But when it comes to an actual shutdown, it's far more complex than just finding the command and control server coordinates and fallback mechanisms. An actual shutdown attempt requires someone to take the initiative and start a combined effort involving third parties like ISPs, registries, registrars, etc.

Instead of playing a passive role, this time FireEye decided to come forward and start working with these groups to make this happen.  The good news is that at the time of writing this article, all the major Ozdok command and control servers (as mentioned in my last post) have been taken down.  As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable.


Killing the beast…Part 4 (Ozdok)

Note: Updates are available at the bottom of this article.

Ozdok, a.k.a. Mega-d, is one of those botnets that has been very successful at flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 4.2% of the world's overall spam.  The question that arises again is who are the guys controlling this botnet, and more importantly, from where?  I recently conducted a detailed study of Ozdok's active command and control servers.  There are two main things I took away from this study.

1. The USA is still a first choice for bad guys when it comes to hosting CnC servers.

2. After the McColo experience, these guys are no longer relying on a single net block for hosting their CnCs.  To further ensure their safety, most botnets today are equipped with a fallback mechanism.  As a matter of fact, in the case of Ozdok, there is more than one fallback mechanism involved.  These come into play once the primary command and control structure falls apart.  How?  I'll explain that shortly.


A little more on Donbot…

Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year.  As a matter of fact, the sudden shutdown of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings.  In this article I am going to discuss different aspects of Donbot, first as a piece of malware, and then in the latter half I will try to shed some light on its command and control architecture.

Let's start with a particular Donbot sample (273a07dccdfff421bfde652912f02e32).  Like its peer botnets (Ozdok, Xarvester, etc.), Donbot is also a template-based spam bot.  Everything from the subject line to the mailing list, the message body, and the User-Agent strings to be used in the SMTP headers is retrieved from the CnC server.

[Figure: Template]


A leap into the unknown - Part 1

A leap into the unknown is a series that will discuss some lesser-known malware that has a reasonably good command and control structure.  Most of this malware might not be totally new to the AVs, but it was never considered for more than creating a signature.  Little or no effort has been made to disclose the motivation behind creating this malware, its CnC architecture, or the people behind it.  These articles are not meant to prove that "My (discovered) botnet is bigger than yours".  No offense to those who may already know about this malware and might not agree with the word 'unknown' in the title of this article. There is always someone who knows more than you do.


Killing the beast…Part 3

In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi, a.k.a. ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from the recently disclosed cyber theft of more than $150,000 attributed to it.  Notorious, isn't it?

As in the first two parts, where I discussed the command and control structure of the Pushdo and Koobface botnets, I'll start by showing the current geographical distribution of Clampi CnCs, followed by a brief analysis of the chances of shutting down these control servers, and hence the complete botnet.


Who is Exploiting the Adobe Flash 0-day? - Part 2

The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files.  However, this vulnerability can just as easily be exploited in a standard drive-by fashion, purely in Flash.  This is precisely what has started to happen.

Here is a snippet of the JavaScript that is actively targeting this 0-day vulnerability.

[Figure: Exploit]
