In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi a.k.a ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from the fact that it has recently been publicly disclosed of a cyber theft of more than $150,000. Notorious isn't it..?
Like the first two parts where I discussed the command and control structure of the Pushdo and Koobface botnets, I'll start by showing the current geographical distribution of Clampi CnCs, followed by a brief analysis on the chances of shutting down these control servers and hence the complete botnet.
This article is not an in depth analysis of the malware itself but concentrates more on current geo locations of Clampi command and control servers. For detailed in-depth analysis of this malware, one may refer to this.
Let's start with a brief introduction to the Clampi command and control architecture which is not a classical client/server model. As a matter of fact, there are two types of CnC servers involved here.
1. Gate Servers
2. Gates
Gate Servers are the first level or "master command and control servers" which are responsible for locating secondary CnC servers, or "Gates". Instead of using one big CnC host list, this model gives the Clampi masters more flexibility in running and maintaining the botnet. They have the freedom to change the secondary servers at any time for load balancing or for evading black list based security gateways. It also gives the bot herders an option not to buy dedicated hosting for each CnC. While Gate Servers may be dedicated or paid-for servers, the secondary servers might be compromised legitimate servers.
Why am I calling these servers Gates? Well, the Clampi authors themselves refer to them in this way. Information about the initial Gate Servers on the compromised machines is stored inside a registry key like this:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList
I have observed the following behavior for all the Clampi samples tested and run in my lab.
1. Each instance comes with at least two Gate Servers.
2. The Gate Servers will be domain names instead of IPs.
3. The secondary servers or Gates have been found to be hard coded IPs.
So far I am aware of these Gate/Master Servers.
- panel.coboora.cn
- reporter.hdrtech.cn
- webmail.re-factoring.cn
- pop3.re-factoring.cn
- direct.matchbox.ws
- drugs4sale.loderunner.in
- secure.loderunner.in
- try.mojitoboom.in
- admin.viennaweb.at
- forum.reversed.gs
- booch.goochabamboocha.cn
where the 2 that are the most active at the time of writing this article currently resolve to IPs.
panel.coboora.cn -> 78.108.183.225
inetnum: 78.108.180.0 - 78.108.183.255
netname: UPL-NET-CUSTOMERS
descr: UPL Telecom
country: CZ
admin-c: SM9797-RIPE
tech-c: SM9797-RIPE
status: ASSIGNED PA
mnt-by: UPL-MNT
source: RIPE # Filtered
person: Serge Matveev
address: UPL TELECOM s.r.o
address: Vinohradska 184/2396
address: Prague 3,130 52
address: Czech Republic
phone: +426 267 132 361
phone: 
+420 267 132 102
nic-hdl: SM9797-RIPE
mnt-by: UPL-MNT
source: RIPE # Filtered
reporter.hdrtech.cn -> 87.118.101.27
inetnum: 87.118.96.0 - 87.118.127.255
netname: DE-KEYWEB-III
descr: Keyweb AG IP Network
country: DE
admin-c: KWAG-RIPE
tech-c: KWAG-RIPE
status: ASSIGNED PA
mnt-by: KEYWEB-MNT
source: RIPE # Filtered
person: Hostmaster Day
address: Keyweb AG
address: Neuwerkstr. 45/46
address: 99084 Erfurt
address: Germany
phone: 
+49-361-658530
abuse-mailbox: abuse@keyweb.de
fax-no: +49-361-6585366
nic-hdl: KWAG-RIPE
mnt-by: KEYWEB-MNT
source: RIPE # Filtered
Based on the last 45 days of data from my lab, these are the hosts (master + secondary) found to be serving as Clampi CnCs.
|
Server# |
ISP |
IP(s) |
Geo Location |
|
1 |
INNOVATION
IT SOLUTIONS CORP |
67.228.138.10 |
UNITED
KINGDOM |
|
2 |
THEPLANET.COM
INTERNET SERVICES INC |
66.98.144.21 70.84.236.194 69.57.140.18 209.85.120.100 66.98.153.17 209.85.100.7 209.62.7.178 |
TEXAS,
USA |
|
3 |
PROSTOHOSTING
LTD |
195.189.247.110 |
UKRAINE |
|
4 |
HOSTDIME.COM
INC |
72.29.66.235 66.7.197.104 |
ORLANDO, FLORIDA, USA |
|
5 |
GLOBAL IP
NETWORKS INC |
66.128.55.82 |
FT. MYERS, FLORIDA,
USA |
|
6 |
YURIY GELFAT |
78.47.214.117 |
GERMANY |
|
7 |
HOSTFORWEB
INC |
66.225.237.140 |
CHICAGO, ILLINOIS,
USA |
|
8 |
MAKTOOB.COM
INC |
67.15.161.131 |
HOUSTON, TEXAS, USA |
|
9 |
KEYWEB AG IP
NETWORK |
87.118.88.30 87.118.101.27 |
GERMANY |
|
10 |
EZZI.NET |
66.199.237.3 66.199.237.139 |
NEW YORK |
|
11 |
UPL-NET-CUSTOMERS |
|
CZECH
REPUBLIC |
|
12 |
DEDICATED
VPS AND VIRTUAL HOSTING |
78.47.61.229 |
GERMANY |
|
13 |
NETWORK
OPERATIONS CENTER INC |
66.96.234.5 |
PENNSYLVANIA,
USA |
|
14 |
HANGZHOU
TELECOMMUNICATION IDC CENTER |
61.153.3.48 |
CHINA |
|
15 |
INTERNET
VIENNAWEB SERVICE GMBH |
195.225.236.4 |
VIENNA, AUSTRIA |
|
16 |
NETDIREKT E.K |
84.16.229.188 |
GERMANY |
|
17 |
RACKVIBE LLC |
64.18.143.52 |
NEW JERSEY,
USA |
|
18 |
POUNDHOST
CUSTOMER SERVER |
92.48.96.229 |
UNITED KINGDOM |
|
19 |
VDSWIN20 -
DMITRIY BELETSKIY |
78.109.29.129 |
UKRAINE |
|
20 |
ALLCLACK.NET |
67.15.236.244 |
HOUSTON, TEXAS, USA |
|
21 |
FASTSERVERS
INC |
147.202.39.101 |
CHICAGO, ILLINOIS, USA |
|
22 |
OT
PUBLISHING LIMITED |
67.15.150.130 |
HOUSTON, TEXAS, USA |
|
23 |
PARTIDO
SOCIALISTA DEL PAIS VALENCIANO |
83.175.218.163 |
BARCELONA,
SPAIN |
|
24 |
SRS SAKURA
INTERNET INC |
202.181.96.87 |
TOKYO,
JAPAN |
|
25 |
GLOBAL NET
ACCESS LLC |
209.51.159.31 |
ATLANTA, GEORGIA, USA |
|
|
LAYERED
TECHNOLOGIES INC |
72.233.28.167 |
PLANO, TEXAS, USA |
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
This is a good bit of information but I wish it was more detailed. You seem to have the PULSE of the industry when it comes to botnets, aside from Joe Stewart. I would VERY much like to see more detailed analysis on the Botnet backend infrastructures. Usually based on LAMP architectures. Discuss and expand on ways to compromised / subvert these. Why worry about taking Down.. a C&C when you can subvert the entire botnet by neutering it by taking over a C&C and wiping the bots or corrupting them. I doubt that there are sophisticated User based Access control functions that give various privileged levels based on Role like commercial systems do. Simply take over one of them and do the most damage you can possibly do. Find their drop sites and secure Wipe the captured data or Encrypt it in place. Or better yet trojan beacon the data after swapping it with falsified stolen data after you sanitize the original stolen data. I am disappointed by the continual lack and absence of Innovative solutions on taking these infrastructures out. De-peering and takedown requests are one thing. Waging counter cybercrime warfare is another. If the industry continues to fail at the attribution angle, at least it can succeed technically by doing surgical and tactical strikes at any touchpoint it can get its hands on. For more insights check out www(DOT)conanthedestroyer(DOT)net
Focused MultiVendor/Researcher strike forces against specific targets is the way to go to obliterating this threat.
Initial target list.
Conficker - (literally dropped off the radar in news coverage but still present)
Zeus - It has earned its reputation - now its time to smash it. (Over 500 Command and controls (Abuse.ch zeus tracker) COME oN? are you kidding me. get rid of it already.
Rustock - the level of sophistication demands a sophisticated response
Asprox - Mass disruption, automated sql injection Massive threat. Put a laser on it. (QUIT simply identifying exploitation/spreading/and C&C IPs/DNS names) Start opening up discussion on how to SMASH these networks. I could come up with about 10 ideas that dont even get talked about.
Clampi - $$$$ Stolen, need any more justification?
Waldec - AKA peacomm/storm - Is anyone pissed we havent gotten these guys yet. obviously the lowered profile has helped this second generation botnet in staying under the radar and being less sensational. I saw a post where the KNEW who exactly is behind RBN but refuse to say. I say why the HELL not. OUT these bastards. Put a name to a face and publish it far and wide. Run information operations against them and expose them. People dont like to deal with people that have so much heat on them. They treat them as toxic. Make it know that they have been discovered and are now Cooperating......
Or simply go over to where they live and give them a good knee capping. Either way something needs to change the level of debate and it should start with Knowledge and it should start now.
Diocyde
Posted by: diocyde | 2009.09.30 at 07:41 AM