Monday, March 03, 2008

CME711 - It's a howl!

Storm/CME711 is back to a 'funny greeting card' page.


(Note the "copyright error" in the image)

  • The file postcard.exe is offered by clicking on the image.
  • The file ecard.exe is offered when waiting 5 seconds.
  • The file e-card.exe is offered when clicking the 'click here' link.

Many people already watch for *card.exe with their IDS. I don't expect this to last long. Perhaps the next run will be related to the anticipated U.S. Economic Stimulus Package --- or maybe Easter?

It appears this latest run drops the peer list to c:\windows\system32\diperto.ini.

A few MD5s for the binaries are:


Sunday, February 03, 2008

Botnet Distributed Command and Control. (DC&C)

Over the past four years we've seen a large number of law enforcement, ISPs, and hobbyists get involved with botnet monitoring. A side effect of the increased interest is that botnet operators will go to great lengths to keep their botnets hidden. That includes encryption, hiding in plain sight, use of undocumented/new protocols and distributed control structures. As law enforcement arrests more offenders, we see more of them using TOR, or their own botnets to hide their true identity. While I personally don't feel it will ever be the super-bug theory that Paul Vixie and Gadi Evron imagine, it is a concern we need to be aware of.

The following post may help drive some botnet operators deeper underground, but the concepts are not new. In many cases these concepts are in use today. I presented on these topics a year ago at the 5th Botnet Task Force conference. For a year security researchers and law enforcement have had the chance to reflect on my presentation and develop mitigation.

Distributed Command and Control is simply a term we use to identify botnets where the operator has learned that directly controlling a large botnet is a big risk to himself and his network. Large scale botnets still exist today; however, the operators are wisely breaking these networks up into many smaller networks - or using peer to peer communication. Since the networks are spread out, it's harder to eliminate the threat of one attacker.

For example, if a botnet operator takes his 50,000 bots, and spreads them out into 10 networks, each net could have 5,000 drones. By spreading his network out, he mitigates some of the threat from rival operators, botnet hunters, ISPs, and law enforcement. Even if one controller node was taken offline, the botnet operator has 45,000 bots to retaliate with. In many circumstances this gives an operator the heads up he needs to update his 45,000 other bots and protect his empire.

As recently as two years ago, we started seeing botnets using a pyramid structure, like the simplified image below.



A botnet operator is represented at the top of this flow chart. He communicates with a smaller botnet of only a couple dozen drones. Those drones then communicate with many larger botnets, which perform the stated action. This provides the botnet operator a layer of protection. Now experienced researchers or law enforcement must find the smaller net to identify the botnet operator. This is time consuming work, and without the cooperation of ISPs, it's hard work. Even if a controller node is found, it is much easier to snoop on a net with 5,000-10,000 drones than it is on one with fewer than 100 drones.

This distributed structure also helps if the botnet operator wants to rent out or sell portions of his botnet. One chunk can be used for spam, while another may perform better in denial of service type activities.

Another example of distributed structure is the P2P scenario, where the botnet operator issues a command, which is passed to a number of supernodes, which then pass it on to the individual peers.

Mapping peer to peer and other types of DC&C is still possible. It was done with Stormworm and will continue to be done with future P2P botnets. I won't highlight how researchers are doing this mapping, simply because we need to weigh teaching the public (including bad guys) against keeping an ace up our sleeves. I'm hoping this post will spark many closed door conversations to help investigate other methods for tracking and identifying.

As part of the BTF presentation I gave, I wanted to outline additional C&C vectors that could be used. The idea that really caught my eye was based on hiding in plain sight: using protocols that are commonly used by millions of users every day. CME711 (Stormworm) has been easy to keep on top of because of the mistakes they make in maintaining their DNS (fast flux), registering their domains and using UDP P2P traffic. Because of that UDP P2P traffic many large corporations have been immune - they disable UDP outbound.

The number of infected machines would increase dramatically if they used a connection model similar to Skype.

So back to hiding in plain sight - what would you say to a bot that received its commands over RSS? News readers use RSS to gather headlines and a few lines of news. Users are able to quickly choose articles that interest them, while ignoring those that do not. Millions of people subscribe to RSS feeds, and many of those feeds are of blog or comment pages. Many news sites allow comments on their website, which can then be retrieved via RSS. Since RSS is simply HTTP requests wrapped in a pretty new interface (XML), bots could easily parse this data to receive commands. An anonymous poster could post a command, and bots could be scheduled to pull the feed every 10-15 minutes. The requests would look like legitimate RSS traffic, and it would be hard to tell which visitors were bots and which were legitimate.

Using a form of encryption the botnet operator could even protect his botnet so others were unable to issue commands. High profile news and blogging sites might not be so helpful with requests to disable portions of their website because a botnet used it as a command and control vector. They might be more willing to assist law enforcement though, certainly more willing than some ISPs.

So how do users protect themselves, and the rest of the internet community?

First, users should use common sense. Don't click links in email or instant messenger! If the email contains a link, use the cut and paste function to visit URLs. If you're offered a picture or video in instant messenger, verify the sender sent the file and only then use your best judgment before proceeding.

Don't download untrusted software. Even if it's recommended by your neighborhood computer genius (high school student) - do research with an internet search engine. What do others say about it?

Don't surf as an administrator. Even if you do pick up a piece of malware, if you're logged in with limited privileges you will be less likely to install harmful malware.

Online banking should be done from a secure location. Do not access your bank account from hotspots like coffee shops or restaurants. Avoid doing so from work as well - remember in the United States you have no right to privacy on your corporate PC, which likely means your boss is watching where you surf. He or she might just be using a keystroke logger.

Never give your personal information on the internet. Your bank will not notify you of account problems via email - and in the event that changes over the next few years, bank pages are usually encrypted. Watch for "https://" at the beginning of your URL bar. Watch for the padlock icon on most browsers. If you're presented with an expired or self signed certificate, cancel the connection and notify the webmaster immediately.

Consider using a Sandboxer for programs that access the internet. SandboxIE is a great piece of software that will wrap around web browsers, email clients, instant messengers, just about any application that accesses the internet. It uses temporary user space to protect you from hostile code.

Don't consider "known" sites trusted. No site is ever trusted. Sites are compromised every day. Many times these compromises point to code that will attempt to compromise your PC.

If possible, disable Javascript for sites you casually visit. Using the NoScript Firefox plugin is an excellent idea for most users. This is becoming increasingly harder as poor coders are hired to develop websites.

Use firewalls at both the router and operating system level.

Turn your PC off when not in use. Even if your machine is infected, the damage it can do would be limited to the time you spend on your system. Most users are on their home computer for only a few hours a day.

Keep your Antivirus definitions and application patches up to date. Remember many third party applications will not update every month like your operating system. You should do this manually or work with the vendor to schedule updates.

Alternative operating systems are no excuse for poor security practices. Linux has malware, OS X has malware, BSD has malware. Keep your security hat on even if you don't run the targeted OS of the month.

Report suspected botnet activity and spam. CastleCops and Shadowserver have excellent resources available to help report malicious activity. DISOG staff always welcomes submissions via email (staff [-at-] disog.org).


Wednesday, October 17, 2007

Let's get this party 'krackin'!


The storm update has finally come, with the most recent page offering the latest in peer to peer sharing technology.
The page advertises a p2p application called Krakin, which, among other things, is said to be:

Easy to install, prevents tracking, has blogs and chat platforms, and video mail.

The download link points to krakin.exe, which is a p2p client - a p2p botnet client. The page isn't lacking the MPACK javascript either. I expect this page will stick around a while. It looks very professional. I expect the blogger spam will pick up with this run.


Friday, October 12, 2007

Some more CME711/STORM IPs and other statistics

There have been a number of requests in mailing lists and privately for the latest Stormworm numbers. It seems people like statistics.

Since Oct 1st, 2007 we've identified 4,149 unique IP addresses participating with our honeypots, either via p2p, in DDOS attacks, or spreading 'spa-m-alware' (mostly the latter, since our smtp honeypot is set up to capture outgoing spam, and there is lots of it).

Additionally, our sensors have downloaded 7,202 Storm binaries, resulting in 4,661 uniquely hashed downloads since Oct 1st, 2007. A total of 43,897+ unique binaries have been captured to date.

The domains are slow to resolve again, some of them not responding at all. This is probably because the author is looking to spread the executable SuperLaugh.exe and working to change his sites. SuperLaugh will be spammed using the ruse 'a funny cat e-card.'

Lending an air of credibility to the scam, SuperLaugh.com, which is a valid e-card site, also has a file called SuperLaugh.exe which is downloaded from http:// www.superlaugh.com/ icon/SuperLaugh.exe and has an MD5Sum of 571dd3cec20da6c70a3b62fa9f3637a8. Our anti-virus scanners say the legit file is harmless.

Malware Page:



Legit Page:


(The pages are both animations, the cat towards the front has a moving head, and both cats have cartoon balloons with scripted text)

In addition to the static html code, the authors are also attaching the Mpack xor'd javascript to the end of their pages. The javascript will attempt to exploit several old vulnerabilities within windows and third party software. It forces the download of file.php, a downloader.

It's still surprising to me how many ISPs are allowing these domains to resolve. The bad press coverage should be enough for the ISPs to start null routing those domains. We're still getting activity on the following domains:
ptowl.com tibeam.com kqfloat.com snbane.com yxbegan.com wxtaste.com eqcorn.com bnably.com ltbrew.com
We received an email from someone we suspect was trying to take over the Storm botnet. When we did not provide him with the requested information we believe he launched a JoeJob attack as described in the last blog entry.

We've seen researchers using TOR to capture binaries or communicate with the network, we see denial of service attacks on high profile IPs, probably related to researchers' honeypots, and we suspect we've seen a few attempted takeover attacks.

The authors don't appear to be letting up. The change in malware file names tells me they are getting greedy or preparing for something big.

As more black hats investigate the CME711 code, the network will become more vulnerable to takeover attacks. I hope these guys cut their losses and start breaking down the net soon. I would hate to see such a large botnet in the hands of some second rate script kiddy.



Sunday, April 08, 2007

Storm worm goes nuclear.

We've received reports about malware spreading with war related subject lines. The user reporting did not have a copy of the malware, but one of my email drops did. The binary appears to be communicating with several other systems over high, semi random UDP ports. The ISC has posted a diary related to this event. It can be found here.

File: Click Me.exe (95c563731b7828d6e98eae81ee08869f)

Subject lines in email:
USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more than 20000 Iranian citizens
Missle Strike: The USA kills more than 1000 Iranian citizens
Missle Strike: The USA kills more than 10000 Iranian citizens
Isreal Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III


Spreads as one of the following attachments:
More.exe
Read More.exe
Click Here.exe
Read Me.exe
Movie.exe
News.exe
Video.exe
Opens a UDP port 11274 listener (visible with netstat -ao).

Communication via UDP with over 200 peers:



Communication is made through a random UDP port. The most common port is 30191, followed by 1857, 4061, 1859 and 1853.

Disables processes with the window names: blackice firewall avg vsmon zonealarm spybot nod32 regedit mcafee taskmgr hijackthis msconfig antivirus nav avp

Creates wincom32.ini with the following data:
[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
...
F4842DAE3B27F129678E1847263CAB26=54506DCB17E800
F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500
FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00
FDD38B10A859838455DF59392B3C3F71=51398792233800
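
The peer entries above are hex blobs, and an incident responder usually wants them as IP:port pairs for a blocklist or IDS rule. The following parser is an added example, not code from the original post; it assumes (hypothetically, but consistently with the UDP peer addresses this same post lists) that each 14-hex-digit value is 4 bytes of IPv4 address, a 2-byte big-endian port and a 1-byte type flag. The sample file contents are constructed from the entries quoted on this page.

```python
import re
import socket
import struct

# Constructed sample: the wincom32.ini entries quoted on this page
SAMPLE_INI = """[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
F4842DAE3B27F129678E1847263CAB26=54506DCB17E800
F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500
FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00
FDD38B10A859838455DF59392B3C3F71=51398792233800
"""

# A peer line is a 128-bit node id followed by '=' and a 56-bit value
PEER_RE = re.compile(r"^([0-9A-Fa-f]{32})=([0-9A-Fa-f]{14})$")


def parse_peers(ini_text):
    """Return (node_id, ip, port, flag) tuples from the [peers] section.

    Assumed value layout (hypothetical; cross-checked only against the peer
    IPs listed on this page): 4 bytes IPv4, 2 bytes big-endian port, 1 byte
    flag. Malformed lines are skipped rather than aborting the whole parse.
    """
    peers = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "peers":
            continue
        m = PEER_RE.match(line)
        if not m:
            continue
        node_id, blob = m.group(1).upper(), bytes.fromhex(m.group(2))
        ip = socket.inet_ntoa(blob[:4])
        port, flag = struct.unpack(">HB", blob[4:7])
        peers.append((node_id, ip, port, flag))
    return peers


def peer_endpoints(ini_text):
    """Sorted, de-duplicated 'ip:port' strings for a blocklist or IDS rule."""
    return sorted({f"{ip}:{port}" for _, ip, port, _ in parse_peers(ini_text)})


def matches_known_peers(ini_text, known_ips):
    """Peer IPs from the file that also appear in a list of IPs seen on the
    wire; a cheap sanity check that the assumed decoding is correct."""
    found = {ip for _, ip, _, _ in parse_peers(ini_text)}
    return sorted(found & set(known_ips))


if __name__ == "__main__":
    for node_id, ip, port, flag in parse_peers(SAMPLE_INI):
        print(f"{node_id[:8]}... -> {ip}:{port} flag={flag}")
```

Every decoded address in the sample (83.38.133.154, 89.85.252.147, 84.80.109.203, 88.191.15.80, 72.36.146.114, 81.57.135.146) also appears in the UDP peer list captured for this run, which is what `matches_known_peers` is meant to confirm before the output is trusted.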
Scans files on the hard drive for email addresses to spread to. Spreads with a built-in SMTP relay.

Rootkit Revealer Output:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
C:\WINDOWS\system32\wincom32.sys 4/8/2007 11:45 PM 52.75 KB Hidden from Windows API.


(hint: type c:\windows\system32\wincom32.sys >c:\windowstrojan.sys)

wincom32.sys (f9d04e27f908f9c50fd5ce2aeea72b08) infected: Trojan.Peed.BF (BitDefender)

Jose Nazario with Arbor Networks found some more hashes related to this malware run:
00de52e42e23439f4469f6a0429f80ec8ce3cbd3 "Click Here.exe"
5df70e6794e96adcf68c8f5c0134645dd3f38884 "Movie.exe"
868a8f2dc2cf3d056c4c079c97ef6ea797b5e402 "Read Me.exe"
caf89f7dac0627cf0f523f414cc4e0bc8500debc "Video.exe"
f717291eb5e9edf70007f90a16c7e99fad6f16bb "News.exe"
Thanks Jose! Jose also believes this is closely related to the storm malware we've seen over the past month or so.

More information can be found here at secureworks.com
