
Fallback C&C channels

As promised, a few more thoughts on fallback Command and Control channels and the Botnets that implement them.

Srizbi is the best example of a total failure that we’ve seen to date. As a recap, Srizbi was essentially a McColo-only Botnet that had a single IP hard-coded in each binary, as well as a set of 4 domains that rotated every 3 days based on the system time. Here are some examples of the 192 Srizbi domains we own so far:

agyfsgtq.com, arrgiowg.com, asdqdtrf.com, atttsaqq.com, atwfwqqe.com,
auaopagr.com, ddaqrtru.com, dddqrdqq.com, ddpprdup.com, ddquqddp.com,
ddsrqiyp.com, ddygsquf.com, dpdrpqur.com, dppdrpqd.com, dpuquppd.com,
dqdddruq.com, dqddurdp.com, dqdpqrpq.com, dqsuyaau.com, druupqqd.com

After sinking $1,500 into GoDaddy - and having the boss give me the stink-eye when he saw the expense report - I was hoping I’d get some good data out of it. Luckily, Srizbi did not disappoint.

Numbers are always an attention grabber, and at a quarter of a million IPs detected thus far, Srizbi is nothing to shake a stick at, but there are a couple of interesting nuggets to take from this as well.

  • 250,000 IPs (over hundreds of millions of connections) is a lot, but think of how many institutions use a NAT… the number is likely much larger
  • We only registered 192 domains, which represents 4 or 5 times that many Srizbi samples; there are likely more. It’s tough to prove a negative, and although we think we have a high percentage of the domains, we’d be more than happy to take more domains if anyone knows of some that are not yet registered
  • The team over at Marshal/Trace had a post a bit after the McColo story broke where they listed 12 domains that they detected unregistered. They did not register them on the spot, which I assume was because they wanted to see who would snatch them up. When I went to go poke at the domains, I saw an IRC daemon running on some of the normal Srizbi ports, which led me to believe that they were registered by someone who did not understand the Srizbi protocol (which operates over HTTP on random-ish ports)
  • Srizbi, as most know, has a driver that runs in kernel space. If it crashes/bluescreens, it does a straight HTTP POST and sends up the Windows crash dump file (More on this from Julia later). So Srizbi can not only do revisions (updates) and stats gathering, but also noninteractive bug fixing! There’s a proud mother somewhere in Russia.
  • The Srizbi Bots have some sort of a timeout, in the timeframe of 36 hours and/or around 500 connections, where if they get the wrong response from the server, they will just stop connecting. Interestingly, when we changed the IP of the domain, we got another 36 hours out of them. Because the “timeout” is so short, we don’t believe we are having any overlap in the count due to home users being DHCP’d
  • A couple of things the FE research team has worked out how to command Srizbi to do, but will not be doing, for obvious reasons: sending the “uninstall” command; sending an updated binary; sending an updated driver; attempting to decrypt any of the data being sent to us by these Bots (other than those from our labs)

As we mentioned, each sample has 4 domains hard coded. Here are a couple of the domains, and the unique IPs we saw connecting to each - courtesy of our newest researcher, Todd:

pptaupya.com - 35281 unique IPs
rroydray.com - 34796 unique IPs
dddqrdqq.com - 34518 unique IPs
uuwapuya.com - 34348 unique IPs

efwiwygp.com - 24835 unique IPs
tsegeafr.com - 24774 unique IPs
uprurqdd.com - 24578 unique IPs
oitftysu.com - 24433 unique IPs

gqgtpwdy.com - 22300 unique IPs
fqforepa.com - 22158 unique IPs
sqswutry.com - 22138 unique IPs
dqdddruq.com - 22102 unique IPs

eifpaqyi.com - 16612 unique IPs
tgsryqag.com - 16500 unique IPs
ofiuaqyf.com - 16380 unique IPs
uupdqqqu.com - 16360 unique IPs
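The per-domain counts above are the kind of summary a sinkhole operator produces from raw connection logs. The following is an added example, not the FireEye team's code: it parses constructed sinkhole records, counts unique source IPs per sinkholed domain in the layout used above, and flags any single address whose connection rate is far above what one bot would generate, which is the NAT undercounting caveat from the first bullet. The record format, the addresses (RFC 5737 documentation ranges) and the 15-connections-per-hour threshold are assumptions made for this example; the domain names are ones quoted in the post.

```python
"""Summarise sinkhole connection records for a DGA botnet.

Counts unique source IPs per sinkholed domain and flags source IPs whose
connection volume is far above a lone bot's cadence, which usually means
many infected hosts sharing one NAT address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole records, one per line: "<UTC timestamp>\t<source IP>\t<Host header>".
# Addresses are from the RFC 5737 documentation ranges and the timing is invented
# for illustration; the domain names are ones quoted in the post.
SAMPLE_RECORDS = """\
2008-11-17T02:11:09Z\t192.0.2.10\tpptaupya.com
2008-11-17T02:11:39Z\t192.0.2.10\tpptaupya.com
2008-11-17T02:12:02Z\t192.0.2.11\tpptaupya.com
2008-11-17T02:12:44Z\t198.51.100.7\trroydray.com
2008-11-17T02:13:01Z\t198.51.100.7\tpptaupya.com
2008-11-17T02:13:30Z\t203.0.113.5\tdddqrdqq.com
2008-11-17T02:14:12Z\t192.0.2.11\tdddqrdqq.com
2008-11-17T02:15:00Z\t192.0.2.12\trroydray.com
"""

# Constructed burst: one address (think of a campus NAT gateway) hitting the
# sinkhole 60 times in ten minutes, far above a single bot's cadence.
NAT_BURST = "".join(
    f"2008-11-17T03:{m:02d}:{s:02d}Z\t198.51.100.200\tpptaupya.com\n"
    for m in range(0, 10) for s in (5, 15, 25, 35, 45, 55)
)

LINE_RE = re.compile(r"^(\S+)\t(\S+)\t(\S+)$")


def parse_records(text):
    """Turn the tab-separated text into (timestamp, ip, domain) tuples, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts, m.group(2), m.group(3).lower()))
    return out


def unique_ips_per_domain(records):
    """Unique source IPs per sinkholed domain, the figure the post reports."""
    seen = defaultdict(set)
    for _, ip, domain in records:
        seen[domain].add(ip)
    return {d: len(ips) for d, ips in seen.items()}


def report_lines(records):
    """Render the counts in the post's 'domain - N unique IPs' layout, busiest first."""
    counts = unique_ips_per_domain(records)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{d} - {n} unique IPs" for d, n in ordered]


def probable_nat_sources(records, window=timedelta(hours=1), max_per_window=15):
    """Source IPs with more connections in any sliding window than one bot would plausibly make.

    The threshold is an assumption for this example: roughly 500 connections
    over 36 hours, as the post describes, is about 14 per hour, so an address
    well above that is likely several bots behind one NAT.
    """
    per_ip = defaultdict(list)
    for ts, ip, _ in records:
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS + NAT_BURST)
    for line in report_lines(recs):
        print(line)
    for ip, peak in probable_nat_sources(recs).items():
        print(f"{ip}: {peak} connections in one hour, probably a NAT gateway")
```

Run as a script, it prints the same per-domain table shape as above for the constructed data and then lists the one burst address as a probable NAT gateway. The sliding-window check is deliberately per source address rather than per domain, since a NAT'd population will typically spread its connections across all four hard-coded domains of whatever samples are behind it.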

Here is some live Srizbi metatraffic:

[Image: live Srizbi metatraffic capture]

Rustock had an interesting Saturday night. As chronicled by Atif in an earlier post, McColo was briefly routable - thanks to Telia - and in that time, there was a mass Rustock binary update. This update changed the Command and Control server from a McColo-backed one to an IP in Russia (62.176.17.200). It was only routable for 12 or so hours, so in that time there’s no way the whole Botnet was updated, but no doubt they got a good-sized piece. Any guess would be pure speculation. We don’t have many Rustock domains registered, so we’ve only seen around 1,000 Bots connect to us over the last 24 hours. We’ve seen many more than that just from our customers, so this is clearly not a good sampling. Still, an interesting Rustock traffic sample is shown below:

[Image: Rustock traffic sample]

Last up for tonight is Mega-D/Ozdok. We have a handful of Mega-D fallback domains (12) so we get a decent view into this Botnet. In the last 12 hours we’ve seen about 4,000 Bots trying to connect to the fallback domains. Mega-D is encrypted, so you won’t see a heck of a lot of interesting data, but it is what it is:

[Image: Mega-D traffic sample]

Lots more during the day tomorrow.

Alex Lanstein, Atif Mushtaq, Julia Wolf, and Todd Rosenberry @ FireEye Malware Intelligence Labs

Comments/Questions to research@fireeye.com

One thought on “Fallback C&C channels”

  1. This research is fascinating. Keep up the amazing work.
    I wish we could all say with some certainty that this was the death-throes of this activity but it’s clearly not.
    Of potential interest:
    - Mega-D supports spam campaigns on behalf of the recently frozen (but apparently sputtering back to life) “SanCash” or “AffKing” groups of pharmacy and replica spam sites. Those were the scumbags behind VPXL / Express Herbal, and now PowerGain+. Also responsible for Prestige Replica and King Replica, among many others. We have begun to see new inbound spam promoting Prestige Replica just this weekend. Keeping in mind: the FTC as well as Australian and New Zealand law enforcement have several injunctions and restraining orders in place which have never received any response from the operators of SanCash. This inbound spam, and this use of the botnets to propagate the spam, is in direct violation of several court orders. They are digging a deeper and deeper hole for themselves by allowing or encouraging this activity to continue.
    - Rustock generally supports the “GlavMed” or “Spamit” group, responsible for “Canadian Pharmacy” spam. This is a group known to have ties to the Russian Business Network (RBN) and in light of the recent freezing of SanCash has become the most prolifically-spammed property.
    But again: this is great research. Hopefully one day it leads to whoever handles the purse strings for these operations. (And their imminent arrest.)
    We can dream, can’t we?
    SiL / IKS / concerned citizen