11 posts categorized "Bad Actors"

2009.10.28

A little more on Donbot...

Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year.  As a matter of fact, the sudden shut down of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings.  In this article I am going discuss different aspects of Donbot, first as a malware and then in the later half I will try to shed some light on its command and control architecture.

Lets start with a particular donbot sample (273a07dccdfff421bfde652912f02e32).  Like its peer botnets (Ozdok, Xarvester etc), Donbot is also a template based spam bot.  Everything from the subject line to the mailing list, the message body, and the User Agents to be used in the SMTP headers are retrieved from the CnC server. 

Template

Continue reading "A little more on Donbot..." »

FE Malware Researcher on 2009.10.28 in Bad Actors | | Comments (0) | TrackBack (0)

2009.07.21

Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)

“Wait … *beep beep* back up for a second, Alex.  I heard 3fn was brought down by the FTC!” 

That would be correct!  On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert, APX Telecom, APS Communications) off the Internet.  I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad Actors blog series.  I decided to wait until a little time had passed before publishing details as not to tip off 3fn and possibly ruin an investigation.  (Note that the investigatory group that approached me was at the federal level, but was not the FTC)

Below you’ll find my analysis of their IP blocks and a large amount of data about the Bad Actors whom they supported.  Most of the links below are completely Not Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content.  It’s not advised that you actually visit any of them.  I also have more content that I didn't post, and if you're interested in it, feel free to drop me a line.

Continue reading "Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)" »

FE Malware Researcher on 2009.07.21 in Bad Actors | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

2009.06.17

Killing the beast...Part II

In this second part of the series I will try to analyze the command and control structure/coordinates for another famous botnet, Koobface. This article is not a detailed analysis of the malware itself but covers mostly its botnet aspect. Readers who are interested to learn about the internals of this malware may refer these articles:

Koobface Leaves Victims the Black Spot

How to Defeat Koobface

These articles were published back in December 2008 but most of the details are still valid for the newer versions.

Back to the CnC structure ...  Koobface relies mostly on domain names to locate its CnC servers, instead of using hard coded IPs like Pushdo.  As a matter of fact, I observed that it tends to change its CnC domains more often than the IPs behind those domains. Based on my lab data (for the last 3 months or so) I see Koobface connecting to 23 unique domains.

Here is the complete list:

Continue reading "Killing the beast...Part II" »

FE Malware Researcher on 2009.06.17 in Bad Actors, Botnet Activities / Outbreaks | | Comments (4) | TrackBack (0)

2009.06.11

Killing the beast...Part I

The purpose of this series of articles is very simple, to give our readers an idea about the current geographical distribution of command and control coordinates for the some of the top botnets.  Based on this data I'll try to estimate whether it is possible to shutdown these botnets by puling the plug for these servers.  The Botnets which will be discussed in these articles are Pushdo, Xarvester, Rustock, Koobface and Ozdok.  These stats are based on my sandnet logs for the last 3 months or so.  By no means is this list complete but it will give our reader a reasonable idea about the current motherships for these botnets.

Pushdo

Here is the list of Pushdo CnCs arranged in tabular form:

Continue reading "Killing the beast...Part I" »

FE Malware Researcher on 2009.06.11 in Bad Actors, Botnet Activities / Outbreaks | | Comments (7) | TrackBack (0)

2009.03.08

Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

A funny thing happened the day after I posted my last article - the UralNet IP block was removed from the global routing table.  I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit.  I assume that if they had their plug forcibly pulled then the responsible party would want to be recognized (rightfully) for taking a step against cyber-crime in the region.

Another reason why I believe they are lying low is that an AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet.  They've only been back on the Bloc for a week, have a mere /24 (256 IPs), don't have a corporate homepage, and yet, already have quite a few criminal customers.

Continue reading "Bad Actors Part 6 - Eurohost LLC (aka UralNet?)" »

FE Malware Researcher on 2009.03.08 in Bad Actors, Botnet Research | | Comments (7) | TrackBack (0)

2009.03.06

The Business Of Mr. Alexander S Kopylov

On the FireEye blog we have talked a lot about Botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these Botnets. Who are these puppet masters and what is their business model? How they work and who are their customers?

There are many questions but the answers are scarce. In this post I will try to answer some of them which often pop up in my mind as well.

It’s no secret that most of the SPAM Botnets are invented in Russia and controlled by Russian cyber-criminals.  Why should I believe this to be the case?  Srizbi’s recent comeback gave me some valuable hints to confirm the industry suspicion. Here is one email sent by Srizbi that day:


From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
.charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ..... ..... ........... ..... .......... ..... ....... - http://advert1.ru

Continue reading "The Business Of Mr. Alexander S Kopylov" »

FE Malware Researcher on 2009.03.06 in Bad Actors, Botnet Activities / Outbreaks | | Comments (1) | TrackBack (0)

2009.03.03

Bad Actors Part 5 - UralNet

I'm not actively picking on the Eastern Bloc, but finding purely malicious IP blocks there is duck soup.  In this posting I'll be looking at UralNet, which is registered to an organization in Russia, but appears to be administered out of the Ukraine.

Continue reading "Bad Actors Part 5 - UralNet" »

FE Malware Researcher on 2009.03.03 in Bad Actors, Botnet Research | | Comments (8) | TrackBack (0)

2009.02.27

Bad Actors Part 4 - HostFresh

There was an excellent report published in 2008 by HostExploit that showed the connections between Atrivo and those for whom it provided downstream services. One of those such customers was a Chinese provider called HostFresh. I thought it might be interesting to look at two IP blocks which were previously part of the Atrivo network - 58.65.232.0/21 and 116.50.8.0/21 - but are now routed by others.

Continue reading "Bad Actors Part 4 - HostFresh" »

FE Malware Researcher on 2009.02.27 in Bad Actors | | Comments (2) | TrackBack (0)

2009.02.17

Bad Actors Part 3 - Internet Path/Cernel

Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community, and tenacity by the Washington Post's Security Fix technical blog.  While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.

Continue reading "Bad Actors Part 3 - Internet Path/Cernel" »

FE Malware Researcher on 2009.02.17 in Bad Actors | | Comments (1) | TrackBack (0)

2009.02.13

Bad Actors Part 2 - ZlKon

In this edition of "rooting out the Bad Actors" I'm going to take a look at ZlKon, hosted by "Datoru Express Serviss, Ltd" in Latvia.

Continue reading "Bad Actors Part 2 - ZlKon" »

FE Malware Researcher on 2009.02.13 in Bad Actors, Malware Research | | Comments (3) | TrackBack (0)

Older »