
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation

11 posts categorized "Bad Actors"

A little more on Donbot...

Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year.  As a matter of fact, the sudden shutdown of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings.  In this article I am going to discuss different aspects of Donbot, first as a piece of malware, and then in the latter half I will try to shed some light on its command and control architecture.

Let's start with a particular Donbot sample (273a07dccdfff421bfde652912f02e32).  Like its peer botnets (Ozdok, Xarvester etc.), Donbot is a template-based spam bot.  Everything from the subject line to the mailing list, the message body, and the User Agents to be used in the SMTP headers is retrieved from the CnC server.

Template

Continue reading "A little more on Donbot..." »

Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)

“Wait … *beep beep* back up for a second, Alex.  I heard 3fn was brought down by the FTC!” 

That would be correct!  On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert, APX Telecom, APS Communications) off the Internet.  I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad Actors blog series.  I decided to wait until a little time had passed before publishing details, so as not to tip off 3fn and possibly ruin an investigation.  (Note that the investigatory group that approached me was at the federal level, but was not the FTC.)

Below you’ll find my analysis of their IP blocks and a large amount of data about the Bad Actors whom they supported.  Most of the links below are completely Not Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content.  It’s not advised that you actually visit any of them.  I also have more content that I didn't post, and if you're interested in it, feel free to drop me a line.

Continue reading "Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)" »

Killing the beast...Part II

In this second part of the series I will try to analyze the command and control structure/coordinates for another famous botnet, Koobface. This article is not a detailed analysis of the malware itself but covers mostly its botnet aspect. Readers interested in learning about the internals of this malware may refer to these articles:

Koobface Leaves Victims the Black Spot

How to Defeat Koobface

These articles were published back in December 2008 but most of the details are still valid for the newer versions.

Back to the CnC structure ...  Koobface relies mostly on domain names to locate its CnC servers, instead of using hard-coded IPs like Pushdo.  As a matter of fact, I observed that it tends to change its CnC domains more often than the IPs behind those domains. Based on my lab data (for the last 3 months or so) I see Koobface connecting to 23 unique domains.

Here is the complete list:

Continue reading "Killing the beast...Part II" »

Killing the beast...Part I

The purpose of this series of articles is very simple: to give our readers an idea about the current geographical distribution of command and control coordinates for some of the top botnets.  Based on this data I'll try to estimate whether it is possible to shut down these botnets by pulling the plug on these servers.  The botnets which will be discussed in these articles are Pushdo, Xarvester, Rustock, Koobface and Ozdok.  These stats are based on my sandnet logs for the last 3 months or so.  By no means is this list complete, but it will give our readers a reasonable idea about the current motherships for these botnets.

Pushdo

Here is the list of Pushdo CnCs arranged in tabular form:

Continue reading "Killing the beast...Part I" »

Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

A funny thing happened the day after I posted my last article - the UralNet IP block was removed from the global routing table.  I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit.  I assume that if they had their plug forcibly pulled then the responsible party would want to be recognized (rightfully) for taking a step against cyber-crime in the region.

Another reason why I believe they are lying low is that an AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet.  They've only been back on the Bloc for a week, have a mere /24 (256 IPs), don't have a corporate homepage, and yet, already have quite a few criminal customers.

Continue reading "Bad Actors Part 6 - Eurohost LLC (aka UralNet?)" »

The Business Of Mr. Alexander S Kopylov

On the FireEye blog we have talked a lot about botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these botnets. Who are these puppet masters and what is their business model? How do they work, and who are their customers?

There are many questions but the answers are scarce. In this post I will try to answer some of the ones that often pop up in my mind as well.

It’s no secret that most of the spam botnets are invented in Russia and controlled by Russian cyber-criminals.  Why should I believe this to be the case?  Srizbi’s recent comeback gave me some valuable hints to confirm the industry suspicion. Here is one email sent by Srizbi that day:


From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ..... ..... ........... ..... .......... ..... ....... - http://advert1.ru

Continue reading "The Business Of Mr. Alexander S Kopylov" »

Bad Actors Part 5 - UralNet

I'm not actively picking on the Eastern Bloc, but finding purely malicious IP blocks there is duck soup.  In this posting I'll be looking at UralNet, which is registered to an organization in Russia, but appears to be administered out of the Ukraine.

Continue reading "Bad Actors Part 5 - UralNet" »

Bad Actors Part 4 - HostFresh

There was an excellent report published in 2008 by HostExploit that showed the connections between Atrivo and those for whom it provided downstream services. One such customer was a Chinese provider called HostFresh. I thought it might be interesting to look at two IP blocks which were previously part of the Atrivo network - 58.65.232.0/21 and 116.50.8.0/21 - but are now routed by others.

Continue reading "Bad Actors Part 4 - HostFresh" »

Bad Actors Part 3 - Internet Path/Cernel

Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community, and tenacity by the Washington Post's Security Fix technical blog.  While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.

Continue reading "Bad Actors Part 3 - Internet Path/Cernel" »

Bad Actors Part 2 - ZlKon

In this edition of "rooting out the Bad Actors" I'm going to take a look at ZlKon, hosted by "Datoru Express Serviss, Ltd" in Latvia.

Continue reading "Bad Actors Part 2 - ZlKon" »