Over the past few months, the FireEye research team has seen a gradual but steady decline in the sheer number of Bots controlled by the spam king Storm. Quietly, Srizbi and Rustock have eclipsed Storm in our labs and at our (quicky growing!) customer base. Last month we found a very close, if not definitive, relationship between Srizbi, Pushdo, Rustock, and Mega-D. You can review our findings, as well as some of our peers confirming our discoveries below:
http://blog.fireeye.com/research/2008/08/srizbi-and-ru-1.htm
http://blog.fireeye.com/research/2008/08/srizbi-and-rust.html
http://www.darkreading.com/document.asp?doc_id=162056&WT.svl=news2_1
http://www.marshal.com/trace/traceitem.asp?article=751
The Botnet connections appear to go deeper - we have discovered that there is a direct connection between Storm, Pushdo and Trojan.Exchanger as well.
A new piece of malware (sysohqt.exe, MD5:806D37E4FECFF3F1EEAFAADCABB975B3) seen at one of our deployments was found to download Storm, Pushdo and XPAntiVirus-2008 onto the same infected system. This begs the question: Why would a single binary download Storm and Pushdo, if they were in fact, competing Botnets?
According to VirusTotal, the initial Trojan is recognized by a variety of AntiVirus vendors as Zhelatin or Tibs.
http://www.virustotal.com/analisis/3adfe1c024fead07c2e9a4019423d7bc
Upon execution of this sample, it downloaded multiple generic droppers (a small binary whose sole purpose is to download larger exes) onto the victim machine, having file names like:
dflgh8jkd2q1.exe (md5) DA852D31585EE89F85C35FF974F23F53
dflgh8jkd2q2.exe (md5) 21878F97F8BBF5E03A65BB805AC9B472
dflgh8jkd2q5.exe (md5) B01C346C5A055A1424993E26C1BC114C
dflgh8jkd2q6.exe (md5) E54877D0D37ECA4B492FC3E0D3B0A690
dflgh8jkd2q7.exe (md5) 881068E0E4D7F993BEAEB912F9A12B0C
The last two binaries listed above are what we'll deep dive into, as those are the ones which further download Storm variants, Pushdo, Exchanger, and XPAntiVirus-2008.
dflgh8jkd2q7.exe
---------------------
This binary downloads a Pushdo variant with the name Cpl32ver.exe (md5) AC75FEB9078738E602A91775BFABFBBD
dflgh8jkd2q6.exe
---------------------
This downloads Storm with a name of back.exe or neos.exe (md5) 4840AF24FB1F82580B991C96BEAE4ABC and the now famous fake alerter lphcjefj0e5cc.exe.
‘lphcjefj0e5cc.exe’ further downloads a Rogue (hxxp://av-xp2008.com/) onto the users system. We have already shown lphcjefj0e5cc.exe earlier as a payload from Trojan.Exchanger and Srizbi. Using the exact same domain and path, we saw this same binary downloaded by a completely "different" Botnet.
Here the is snippet of the infected PC:
This is a snippet from the packet capture of the communication from the infected PC:
This recent discovery seems to indicate that Storm, which we previously thought to be separate from the HTTP based Rustock, Srizbi, etc, may actually be part of the same club. The fact that the same Trojan downloads these different Botnets, and that each of the Botnets can download each other points to the fact that they are all run by the same organization. It seems unlikely that a Botnet with the capability to spread itself would need to rely on an external third party to gain more traction.
Atif Mushtaq & Haroon W Malik & Alex Lanstein @ FireEye Malware Intelligence Labs
Comments