A remarkably small number of data centers host services for those groups who operate the most sophisticated malware and botnets, known to the industry as Bad Actors. Over the next couple weeks I'll take a closer look at the worst of the worst.
Depeering Bad Actors seems to be all the rage lately. Atrivo/Intercage and McColo have gotten the most press, but it seems more and more researchers are interested in shining a light in the dark corners of the Internet, if this recent posting by Brian Krebs is any indication.
As the title suggests, the first up to bat is Starline Web Services. They are hosted by Compic in Estonia, who is legendary for allowing malicious content on their network.
All the IPs below are inside Starline's allocated IP space.
On 92.62.100.14 we find malicious files and drop zones for ZBot, a notorious banking and backdoor trojan.
GET /kaz.pek HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: chinchoi.cn
Pragma: no-cache
POST /zilog/s.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: chinchoi.cn
On 92.62.101.60 we see more Zbot of a slightly different variety:
GET /g1/data.cub HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 92.62.101.60
Pragma: no-cache
The URL above 404s, which suggests an older variant didn't get updated, but the next two are functioning
GET /g1/data HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 92.62.101.60
Pragma: no-cache
POST /g1/s.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 92.62.101.60
On 92.62.100.64 it appears they host a site (traffone.cn) which is frequently used to host redirectors (usually via an iframe) to exploit sites. Security researchers often have the undesirable job of surfing porn sites during work to "search for malware", and hence, if you were to load the "Referer" page seen below you would see the iframe I reference. Of course, if you do this and have an unpatched copy of Acrobat Reader, you'll get exploited.
GET /in.cgi?27 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hxxp://www.freenakedgirls.com/gallery/petitegirlfriends/m1/1/?s=1476&c=1
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
Host: traffone.cn
Connection: Keep-Alive
The above page forwarded me to directlink2.cn (hosted on 92.62.100.66) which tried to exploit me with a malicious PDF
GET /wait/?9abds[removed] HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://directlink2.cn/wait/?t=16
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: directlink2.cn
Connection: Keep-Alive
I sent the malicious URL to one of my exploitable VMs, and sure enough, the EXE payload was hosted on yet another Starline IP, 92.62.100.79
GET /33232.exe HTTP/1.1
User-Agent: 22aab1b3
Host: dosendz.net
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Feb 2009 20:03:36 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Last-Modified: Sun, 01 Feb 2009 23:18:37 GMT
ETag: "16380e8-2445-a85d4d40"
Accept-Ranges: bytes
Content-Length: 9285
MZ.................@............!..L.!This program cannot be run in DOS mode. (continued)
Today I saw the first instance of Srizbi since the McColo days at one of my customer sites. I assumed that with Microsoft announcing they were adding support for Srizbi in the February MSRT that the Srizbi guys would pick up all the bots that happened to be physically off for the shutdown/update and move them elsewhere, but it doesn't appear that they are doing anything to recover the last of the botnet. Again, this Srizbi C&C is active and hosted on 92.62.100.97
GET /g/9AN31N-A881ND-Q2N19A HTTP/1.1
Host: 92.62.100.97
X-Flags: 0
X-TM: 1951
X-BI: SDA09NJLI8SENJ33NSDF901FAFDFD9
X-PH: 0
POST /r/9AN31N-A881ND-Q2N19A HTTP/1.1
Host: 92.62.100.97
Content-Length: 9412
X-Flags: 0
X-TM: 1951
X-BI: SDA09NJLI8SENJ33NSDF901FAFDFD9
X-PH: 0
X-TI: 192098157.2.6231.902.128.8
Looking back in our blog posts, it seems we detected a Pushdo C&C on 92.62.100.95. Further back in the October timeframe, I see a few customer boxes detected 92.62.101.67 hosting "bestantivirusremover2008.com", a clear Rogue AV. While I was writing this, I came across the RealSecurity blog who took a similar look at Starline. I encourage you to check it out.
One might look at the above and think "It's only a handful of IPs that he found were being used for malicious actions". However, if you look at their CIDR block, you'll see Starline only has a /23 (actually, allocated as two /24s). When you consider how dispersed the malware is across their IP space, it certainly seems they are in the back pocket of criminals, if not criminals themselves. Manually doing a Google search for all their IPs, sequentially, shows quite a bit of historical badness as well, but as they used to say in my comp sci textbooks, I'll leave that as an exercise for the reader.
Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research [ @+ ] fireeye.com
Twitter
Facebook
Live Chat
good read
Posted by: joe blow | 2009.02.12 at 03:03 AM