Chasing CnC Servers - Part 1

There are two general ways a complex problem can be solved: using a good approach or a bad one. The only good thing about the bad approach is that it will usually be simpler to understand and implement, but in the long run one finds that shortcuts don't always work. The good thing about most humans is that they learn from their mistakes and move forward. This is what we are seeing happen at the moment within the anti-malware industry. Host-based anti-virus products are shifting their focus from signature-based detection to advanced behavioral analysis and memory forensics. Network-based sensors, which used to rely heavily on DNS and IP blacklists for detecting phishing attacks, SPAM emails and botnet command and controls, are moving towards advanced protocol analysis and emulation.

The purpose of this series is to discuss the limitations and challenges involved in using blacklists (DNS & IP) for network-based anomaly detection. I will focus mainly on the problems of tracking botnets using their control server identities alone. I will also discuss whether better techniques are available to detect compromised (botted) machines and terminate CnC channels to prevent further damage.

World’s Top Malware

The malware landscape has always been very dynamic. New threat types and malware constantly replace the old ones. The prevalence of a particular malware family at any given time depends on multiple factors like the business model, the efficiency of the person(s) driving this malware, and sometimes actions by the anti-malware industry. For example, due to the efforts of the research community, Storm 1.0 and Srizbi, which were once the world's largest botnets, are history now. Due to certain design limitations, IRC botnets, which were dominant back in 2004-2006, are no longer very popular. We have also seen a constant uptick in new banking trojans. The popularity of online banking has led cyber criminals to seek huge opportunities by operating info stealers. The Web 2.0 era is responsible for giving birth to a new breed of malware spreading through social networking. A perfect example is Koobface. Security awareness in the public at large led to fears about these malware threats, which gave a boost to rogue "antivirus" software.

The first principle of a successful defense is identifying the enemies and their strengths. Believing in the philosophy of "keeping your friends close but your enemies closer" is a big step towards defeating your opposition. So let's do it. What are the latest trends? Which malware families are the world's most widespread, and what do they do? I am going to answer a few of these questions today based on data collected by FireEye during the last quarter.

Mariposa Still Alive

In March earlier this year, Spanish police arrested three men linked to the Mariposa botnet. After this move it was widely believed that the massive botnet had shut down. From what I have seen over the last week, that is not the case. Some Mariposa CnCs are still active and spreading. The screen shot below is a snapshot of a Mariposa sample (ad7a5b6755089ba83001f224a7067ec1) communicating with its CnC. On this occasion it received a command to spread through USB.

Mariposa

Storm Resurrection, Is It True?

I got very excited when I heard that Steven Adair from Shadowserver had recently spotted a slightly modified Storm variant live in action. But I was a little surprised when I read the details of this alleged new variant. This new variant (a modified version of the actual Storm) was discovered back in 2008, and I got a chance to write about it in quite some detail.

From my article written back in 2008:

Another interesting nugget is "User-Agent" header:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)

I guess the Storm author meant to type 'Windows' here, but fat-fingered it and made a typo. There is a sig in Bleeding Snort that recognizes this mistake:

#storm c&c with a typo'd UA.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; content:"User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windoss NT"; depth:200; classtype:trojan-activity; sid:2007742; rev:3;)

https://www.fireeyesolution.com/research/2008/10/storm-just-befo.html
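
The rule above checks for one fixed byte string in the first 200 bytes of a client-to-server HTTP request. The following is an added example, not code from the original post or from FireEye: it re-implements that content match in Python alongside a header-level check, and runs both over constructed sample requests (the hostnames and paths are made up) so the difference the `depth:200` limit makes can be seen offline.

```python
import re
from typing import List, Optional, Tuple

# Exact bytes the Snort rule's content: option matches ("Windoss" is the typo).
STORM_UA_NEEDLE = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT"
DEPTH = 200  # mirrors depth:200 -> the match must lie within the first 200 bytes

def matches_snort_rule(request: bytes) -> bool:
    """Rule-accurate check: needle fully inside the first DEPTH bytes of the payload."""
    return STORM_UA_NEEDLE in request[:DEPTH]

_UA_RE = re.compile(rb"^User-Agent:[ \t]*(.*?)\r?$", re.IGNORECASE | re.MULTILINE)

def user_agent_of(request: bytes) -> Optional[bytes]:
    """Return the User-Agent header value of an HTTP request, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]  # only the header block
    m = _UA_RE.search(head)
    return m.group(1) if m else None

def has_windoss_ua(request: bytes) -> bool:
    """Header-level check: no depth limit, so it also fires on a late header."""
    ua = user_agent_of(request)
    return ua is not None and b"Windoss NT" in ua

def scan(requests: List[bytes]) -> List[Tuple[int, bool, bool]]:
    """(index, rule_hit, header_hit) for every request that trips either check."""
    out = []
    for i, req in enumerate(requests):
        r, h = matches_snort_rule(req), has_windoss_ua(req)
        if r or h:
            out.append((i, r, h))
    return out

# Constructed sample requests (not captured traffic).
STORM_REQ = (b"GET /aff/dir HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)\r\n\r\n")
CLEAN_REQ = (b"GET /aff/dir HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n")
# Same UA, but pushed past byte 200 by a long preceding header.
DEEP_REQ = (b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nX-Pad: " + b"a" * 200 + b"\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)\r\n\r\n")

if __name__ == "__main__":
    for idx, rule_hit, header_hit in scan([STORM_REQ, CLEAN_REQ, DEEP_REQ]):
        print(f"request {idx}: snort-rule={rule_hit} header-check={header_hit}")
```

The third sample shows why a depth bound is a performance trade-off rather than a complete check; a parser that reads the header block has no such limit.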

Infiltrating Pushdo — Part 1

It's very rare as a researcher to get a chance to explore the inner workings of a botnet command and control (CnC) server. Detailed analysis of a botnet CnC server or command sub-component can yield valuable information about the capabilities of the botnet itself, and possibly the motives of the bad guys behind it. However, gaining access to a botnet CnC server often depends on the will of the hosting providers. Recently, while I was casually monitoring our MAX Network logs for the current geo-locations of Pushdo CnCs, I got the following results for the past 30 days:

Checking In With The Ozdok Sinkhole

If you've read our last couple of blogs, you know that FireEye recently hijacked the Ozdok/Mega-D botnet. See: Smashing the Mega-d/Ozdok botnet in 24 hours

We registered some C&C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we saw 487,430 unique IP addresses connecting to us. It's difficult to estimate the true size of this botnet using this number, but we can get a good idea of where the infected systems are.

Ozdok_Countries

Brazil is the number 1 infected country with 11.5% of the total infections, followed closely by India and Viet Nam. China came in at number 16 followed by the USA at 17, each with 1.6% of the total infections we saw. There were 214 countries represented, but after the top 3, total infections rapidly decreased.

So how big is this thing? Due to dynamic addressing, one infected system will have many real and advertised IP addresses over time. When researchers at UCSB hijacked the Torpig botnet, they were able to find a unique bot identifier in the communication to their sinkhole.

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Smashing the Mega-d/Ozdok botnet in 24 hours

In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight, theoretically, different approaches to taking down this botnet. But when it comes to the actual shutdown, it's far more complex than just finding out the command and control server coordinates and fallback mechanisms. An actual shutdown attempt requires someone to take the initiative and start a combined effort involving third parties like ISPs, registries, registrars, etc.

Instead of playing a passive role, this time FireEye decided to come forward and start working with these groups to make this happen. The good news is that at the time of writing this article, all the major Ozdok command and control servers (as mentioned in my last post) have been taken down. As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable.

Killing the beast…Part 4 (Ozdok)

Note: Updates are available at the bottom of this article.

Ozdok, a.k.a. Mega-d, is one of those botnets that has been very successful at flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 4.2% of the world's overall SPAM. The question that arises again is who are the guys controlling this botnet, and more importantly, from where? I recently conducted a detailed study of Ozdok's active command and control servers. There are two main things I took away from this study.

1. The USA is still a first choice for bad guys when it comes to hosting CnC servers.

2. After the McColo experience, these guys are no longer relying on a single net block for hosting their CnCs. To further ensure their safety, most botnets today are equipped with a fallback mechanism. As a matter of fact, in the case of Ozdok, there is more than one fallback mechanism involved. These come into play once the primary command and control structures fall apart. How? I'll explain that shortly.

A little more on Donbot…

Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year. As a matter of fact, the sudden shutdown of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings. In this article I am going to discuss different aspects of Donbot, first as a malware, and then in the latter half I will try to shed some light on its command and control architecture.

Let's start with a particular Donbot sample (273a07dccdfff421bfde652912f02e32). Like its peer botnets (Ozdok, Xarvester, etc.), Donbot is also a template-based spam bot. Everything from the subject line to the mailing list, the message body, and the User-Agents to be used in the SMTP headers is retrieved from the CnC server.

Gumblar… Not Gumby!

Ok, I admit this blog post is not about our childhood TV friend, Gumby… Instead it's about a much more sinister character, Gumblar, and its malware henchmen…

Gumblar originally made its debut back in March/April of this year (see here, here and here), then suddenly went quiet for a few months, until recently… Yes, Gumblar is back with a vengeance and still causing problems for its unsuspecting victims.

The primary delivery mechanism is still drive-by download (notably compromised sites serving malicious Adobe PDFs), which, when successful, loads the malware onto your system.

We have taken a look at a couple of the Gumblar-associated malware samples; you can see some VirusTotal results here and here.