
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


Killing the beast...Part 3

In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi, a.k.a. Ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from the recent public disclosure of a cyber theft of more than $150,000 attributed to it. Notorious, isn't it?

Like the first two parts where I discussed the command and control structure of the Pushdo and Koobface botnets, I'll start by showing the current geographical distribution of Clampi CnCs, followed by a brief analysis on the chances of shutting down these control servers and hence the complete botnet.

This article is not an in-depth analysis of the malware itself but concentrates on the current geo-locations of Clampi command and control servers. For a detailed in-depth analysis of this malware, one may refer to this.

Let's start with a brief introduction to the Clampi command and control architecture which is not a classical client/server model. As a matter of fact, there are two types of CnC servers involved here.

1. Gate Servers

2. Gates

Gate Servers are the first level, or "master command and control servers", and are responsible for locating the secondary CnC servers, or "Gates". Instead of using one big CnC host list, this model gives the Clampi masters more flexibility in running and maintaining the botnet. They have the freedom to change the secondary servers at any time, for load balancing or for evading blacklist-based security gateways. It also gives the bot herders the option not to buy dedicated hosting for each CnC. While Gate Servers may be dedicated, paid-for servers, the secondary servers might be compromised legitimate servers.

Why am I calling these servers Gates?  Well, the Clampi authors themselves refer to them in this way. Information about the initial Gate Servers on the compromised machines is stored inside a registry key like this:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList

I have observed the following behavior for all the Clampi samples tested and run in my lab.

1. Each instance comes with at least two Gate Servers.  

2. The Gate Servers will be domain names instead of IPs.

3. The secondary servers or Gates have been found to be hard coded IPs.

[Figure: Cncs]

So far I am aware of these Gate/Master Servers:

  1. panel.coboora.cn
  2. reporter.hdrtech.cn
  3. webmail.re-factoring.cn
  4. pop3.re-factoring.cn
  5. direct.matchbox.ws
  6. drugs4sale.loderunner.in
  7. secure.loderunner.in
  8. try.mojitoboom.in
  9. admin.viennaweb.at
  10. forum.reversed.gs
  11. booch.goochabamboocha.cn

The two that are the most active at the time of writing currently resolve to the following IPs:

panel.coboora.cn -> 78.108.183.225 


reporter.hdrtech.cn -> 87.118.101.27


Based on the last 45 days of data from my lab, these are the hosts (master + secondary) found to be serving as Clampi CnCs.

| Server # | ISP | IP(s) | Geo Location |
|---|---|---|---|
| 1 | INNOVATION IT SOLUTIONS CORP | 67.228.138.10 | UNITED KINGDOM |
| 2 | THEPLANET.COM INTERNET SERVICES INC | 66.98.144.21, 70.84.236.194, 69.57.140.18, 209.85.120.100, 66.98.153.17, 209.85.100.7, 209.62.7.178 | TEXAS, USA |
| 3 | PROSTOHOSTING LTD | 195.189.247.110 | UKRAINE |
| 4 | HOSTDIME.COM INC | 72.29.66.235, 66.7.197.104 | ORLANDO, FLORIDA, USA |
| 5 | GLOBAL IP NETWORKS INC | 66.128.55.82 | FT. MYERS, FLORIDA, USA |
| 6 | YURIY GELFAT | 78.47.214.117 | GERMANY |
| 7 | HOSTFORWEB INC | 66.225.237.140 | CHICAGO, ILLINOIS, USA |
| 8 | MAKTOOB.COM INC | 67.15.161.131 | HOUSTON, TEXAS, USA |
| 9 | KEYWEB AG IP NETWORK | 87.118.88.30, 87.118.101.27 | GERMANY |
| 10 | EZZI.NET | 66.199.237.3, 66.199.237.139 | NEW YORK |
| 11 | UPL-NET-CUSTOMERS | | CZECH REPUBLIC |
| 12 | DEDICATED VPS AND VIRTUAL HOSTING | 78.47.61.229 | GERMANY |
| 13 | NETWORK OPERATIONS CENTER INC | 66.96.234.5 | PENNSYLVANIA, USA |
| 14 | HANGZHOU TELECOMMUNICATION IDC CENTER | 61.153.3.48 | CHINA |
| 15 | INTERNET VIENNAWEB SERVICE GMBH | 195.225.236.4 | VIENNA, AUSTRIA |
| 16 | NETDIREKT E.K | 84.16.229.188 | GERMANY |
| 17 | RACKVIBE LLC | 64.18.143.52 | NEW JERSEY, USA |
| 18 | POUNDHOST CUSTOMER SERVER | 92.48.96.229 | UNITED KINGDOM |
| 19 | VDSWIN20 - DMITRIY BELETSKIY | 78.109.29.129 | UKRAINE |
| 20 | ALLCLACK.NET | 67.15.236.244 | HOUSTON, TEXAS, USA |
| 21 | FASTSERVERS INC | 147.202.39.101 | CHICAGO, ILLINOIS, USA |
| 22 | OT PUBLISHING LIMITED | 67.15.150.130 | HOUSTON, TEXAS, USA |
| 23 | PARTIDO SOCIALISTA DEL PAIS VALENCIANO | 83.175.218.163 | BARCELONA, SPAIN |
| 24 | SRS SAKURA INTERNET INC | 202.181.96.87 | TOKYO, JAPAN |
| 25 | GLOBAL NET ACCESS LLC | 209.51.159.31 | ATLANTA, GEORGIA, USA |
| 26 | LAYERED TECHNOLOGIES INC | 72.233.28.167 | PLANO, TEXAS, USA |
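The two-tier layout above has a practical detection consequence: Gate Servers are domain names, so an infected host betrays itself in DNS logs, while the secondary Gates are hard-coded IPs that only show up in connection or flow logs. The following script, added here as an example and not part of the original post, scans both log types against the indicators listed on this page; the log line formats and the sample lines are constructed for the example.

```python
import ipaddress
import re

# Indicators copied from the article's lists. Gate Servers are domain names,
# so they surface in DNS logs; secondary Gates are hard-coded IPs, so they
# only surface in connection or flow logs.
GATE_SERVER_DOMAINS = {
    "panel.coboora.cn", "reporter.hdrtech.cn", "webmail.re-factoring.cn",
    "pop3.re-factoring.cn", "direct.matchbox.ws", "secure.loderunner.in",
}
GATE_IPS = {"78.108.183.225", "87.118.101.27", "67.228.138.10", "195.189.247.110"}

# Assumed (constructed) log formats for this example:
#   "<ts> <client> query <qname>"        DNS resolver log
#   "<ts> <client> -> <dst_ip>:<port>"    firewall/flow log
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")
CONN_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")

def tier_of(indicator):
    """Map an indicator to the tier the article describes: IPs are Gates,
    names are Gate Servers."""
    try:
        ipaddress.ip_address(indicator)
        return "gate"
    except ValueError:
        return "gate-server"

def scan_logs(lines):
    """Return (client, tier, indicator) for each line touching a known Clampi
    CnC. DNS lines match on query name; flow lines match on destination IP."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            qname = m["qname"].lower().rstrip(".")
            if qname in GATE_SERVER_DOMAINS:
                hits.append((m["client"], tier_of(qname), qname))
            continue
        m = CONN_LINE.match(line)
        if m and m["dst"] in GATE_IPS:
            hits.append((m["client"], tier_of(m["dst"]), m["dst"]))
    return hits

# Constructed sample lines: one host resolves a Gate Server and then talks to
# a Gate; one benign lookup that must not fire.
SAMPLE_LOGS = [
    "2009-10-01T10:00:01 10.0.0.7 query panel.coboora.cn.",
    "2009-10-01T10:00:02 10.0.0.7 -> 67.228.138.10:443",
    "2009-10-01T10:00:03 10.0.0.9 query www.example.com.",
]
```

A host that appears with both a gate-server and a gate hit in a short window matches the article's observed sequence (locate a Gate through a Gate Server, then connect to it) and is the strongest signal to triage first.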

It's easy to conclude from the above information that the most active servers are located in safe havens like Ukraine, Germany, and the Czech Republic. The secondary servers are spread widely across the globe, including the USA. In my opinion, shutting down the Clampi botnet would require shutting down the Gate Servers; taking down Gates won't make a great deal of difference. Recently we have seen many upstream providers and ISPs take action against rogue hosted servers, but unfortunately no serious effort has ever been made by any of the domain registrars or registries to take down the rogue Clampi domains. When dealing with multiple gTLD and ccTLD operators, the coordination needed to effectively pull the plug (so that the bad guys don't have time to move to other domains) is a tricky process, one which is clearly in its infancy. The community has come a long way (see Conficker for a good example), but I have a pessimistic view of a takedown of Clampi based on the lack of progress against other, more prolific information stealers.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Questions/Comments: research SHIFT-2 fireeye DOT COM

Recent Comments

  • This is a good bit of information, but I wish it was more detailed. You seem to have the PULSE of the industry when it comes to botnets, aside from Joe Stewart. I would VERY much like to see more detailed analysis on the botnet backend infrastructures, usually based on LAMP architectures. Discuss and expand on ways to compromise / subvert these. Why worry about taking down a C&C when you can subvert the entire botnet by neutering it, by taking over a C&C and wiping the bots or corrupting them. I doubt that there are sophisticated user-based access control functions that give various privilege levels based on role like commercial systems do. Simply take over one of them and do the most damage you can possibly do. Find their drop sites and securely wipe the captured data or encrypt it in place. Or better yet, trojan beacon the data after swapping it with falsified stolen data after you sanitize the original stolen data. I am disappointed by the continual lack and absence of innovative solutions on taking these infrastructures out. De-peering and takedown requests are one thing. Waging counter-cybercrime warfare is another. If the industry continues to fail at the attribution angle, at least it can succeed technically by doing surgical and tactical strikes at any touchpoint it can get its hands on. For more insights check out www(DOT)conanthedestroyer(DOT)net

    Focused multi-vendor/researcher strike forces against specific targets are the way to go to obliterate this threat.

    Initial target list.

    Conficker - (literally dropped off the radar in news coverage but still present)

    Zeus - It has earned its reputation - now it's time to smash it. (Over 500 command and controls (Abuse.ch ZeuS tracker).) COME ON? Are you kidding me? Get rid of it already.

    Rustock - the level of sophistication demands a sophisticated response

    Asprox - Mass disruption, automated SQL injection. Massive threat. Put a laser on it. (QUIT simply identifying exploitation/spreading/and C&C IPs/DNS names.) Start opening up discussion on how to SMASH these networks. I could come up with about 10 ideas that don't even get talked about.

    Clampi - $$$$ Stolen, need any more justification?

    Waledac - AKA Peacomm/Storm - Is anyone pissed we haven't gotten these guys yet? Obviously the lowered profile has helped this second-generation botnet in staying under the radar and being less sensational. I saw a post where they KNEW who exactly is behind RBN but refuse to say. I say why the HELL not. OUT these bastards. Put a name to a face and publish it far and wide. Run information operations against them and expose them. People don't like to deal with people that have so much heat on them. They treat them as toxic. Make it known that they have been discovered and are now cooperating......

    Or simply go over to where they live and give them a good kneecapping. Either way, something needs to change the level of debate, and it should start with knowledge, and it should start now.

    Diocyde
