Wednesday, 31 December 2008

Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?


You would not have to be living under a rock to have missed all of the "Waledac" excitement of the past week and a half or so, but it has definitely been fairly widespread. In case you missed it, we are going to recap, provide some new details, and throw out some conjecture. A new trojan, which has been called a Waledac variant, appeared in recent weeks hyping Christmas e-cards with nice inviting e-mails that lead you to a cute website where you can pick up your e-card. We know what you are thinking already, and we are probably both speculating the same thing.

For the end user it all starts with a nice inviting e-mail that looks something like this:

If one decides to click the link from the e-mail, it will lead to a website that looks like this:

Lately the website has been peddling either "ecard.exe" or "postcard.exe" for download. But the fun does not end there. There is also a JavaScript reference pointing to "google-analysis.js" which has some nasty excitement embedded in it. The JavaScript currently loads a page from the domain "seocom.mobi", which in turn attempts to exploit the user's browser and install a trojan that gets its commands from the same site. That trojan is ultimately instructed to download and install the same Waledac trojan.

Fast-flux Domains

These e-mail lures have involved several different domains, all of which are part of a fast-flux network. Each domain's DNS record has a TTL of 0, and nearly every time a domain is resolved a new IP address is returned, which makes the network rather difficult to shut down. The best option is to block the domains. The following is a list of all of the domains known to Shadowserver to be associated with the Waledac trojan:

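As an added illustration of the fast-flux behaviour described above (example code written for this page, not Shadowserver's tooling), the following Python scores repeated A-record lookups by TTL and address turnover. The domain names, observations and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed DNS observations: (domain, ttl_seconds, answered_ip) for repeated
# A-record lookups. Values are made up for illustration, not real resolutions.
OBSERVATIONS = [
    ("flux-card.example", 0, "198.51.100.7"),
    ("flux-card.example", 0, "203.0.113.41"),
    ("flux-card.example", 0, "192.0.2.19"),
    ("flux-card.example", 0, "203.0.113.88"),
    ("flux-card.example", 0, "198.51.100.7"),
    ("static-site.example", 3600, "192.0.2.10"),
    ("static-site.example", 3600, "192.0.2.10"),
    ("static-site.example", 3600, "192.0.2.10"),
]

def flux_metrics(observations):
    """Per-domain summary: lookups, max TTL, distinct IPs, distinct /16 prefixes."""
    per = defaultdict(lambda: {"lookups": 0, "max_ttl": 0, "ips": set(), "slash16": set()})
    for domain, ttl, ip in observations:
        d = per[domain]
        d["lookups"] += 1
        d["max_ttl"] = max(d["max_ttl"], ttl)
        d["ips"].add(ip)
        d["slash16"].add(".".join(ip.split(".")[:2]))
    return per

def is_fast_flux(metrics, max_ttl=300, min_lookups=4, min_turnover=0.5):
    """Flag the pattern the post describes: a near-zero TTL and a new address on
    most lookups, spread over more than one network prefix. Thresholds are assumed."""
    if metrics["lookups"] < min_lookups or metrics["max_ttl"] > max_ttl:
        return False
    turnover = len(metrics["ips"]) / metrics["lookups"]
    return turnover >= min_turnover and len(metrics["slash16"]) > 1

def fast_flux_domains(observations):
    """Sorted names of the domains whose observations look fast-fluxing."""
    per = flux_metrics(observations)
    return sorted(name for name, m in per.items() if is_fast_flux(m))
```

With real data the observation list would be filled from a resolver or passive DNS feed; the metrics function does not care where the tuples come from.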

Additional exploit domains, reached from the domains above, that are neither fast-fluxing nor used in the e-mails:

	seofon.net
	seocom.name
	seocom.mobi

The Malicious Binary and Peer-to-Peer over HTTP

The binaries we have seen recently have been around 380KB in size. Once executed, the trojan immediately starts beaconing to a seed list of IP addresses embedded in the executable. It also adds a string value named "PromoReg" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it is loaded from the registry at startup. The file is loaded right from wherever it was downloaded to, which on most infected systems will be the Temporary Internet Files directory.

As we mentioned, the trojan is fairly loud and starts beaconing right away to the seeded hosts. The following is an example of a POST and server response that we observed in testing:

POST /pxoq.htm HTTP/1.1
Referer: Mozilla
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 208.96.18.58
Content-Length: 957
Cache-Control: no-cache
a=_wAAArkEUih-Ac9XKXcrmaS-cd95t_CK5iP07AagKqfcgrO-YeRJ4agp4oudkNcbrJ5Qmr4SEIRFHtHmGI1gXrQXIk2115P6PtUD6_XGTq
yY8afECU1uBHAYTqJ8REBzMN-mhxyk1dlFgeVR2zUTw-eBkAw9k7SlAKkrDH_m1Yd4_bm5o_h8k9cNII5VRv_ipsERtw_W_ESvQPhV62zvRF
xCij-Pf7ik4QDQiCXVgyoAaawMc9FxBu7Z44BZ6wGqELq3aH5J0M0gVeidcrEmLk1mM0mnhGZkLrR6vGIqBtZ8NnaV75saJep87v-R1IblJz
s3wO449KRXsRbEfDEXbSdFz3hH1vQ9b3DsGn-jp2kHOB9sjaalHozyAHeaJ7-04q8a2eOofNJNS4XdGjFaMNzGjj5d8hMiryFClmwZPtveDy
woyq4yueNzsCERGzdRpKSGgnCeaO3x4Va1zFgKRVfJnWc5i17CThzsDqHVuGbv1XKsZZuRCbKSmnmwip_rXMHHSL6xKYYM1mfo_ETaIGHoKT
99iZFK4FHPBFTQIg9Efsig-nTZF5Xf4qrOPzB048qXlEAsfjyd_n-PrOSXlCp-W41IKcUXbAkxEoVDp5nwQg95-lO59aMKt8S_nU3FY8sX_3
2VcInYU9aZV8n_MaN9vTrthW1M2KLx5-DtEHZc20QMGAMjT_Nvp7Hf3R-o64bkmojDNrzNo9KmcvlFx_6X1tFW9txGgdg3mq1ivM-5MOjD4V
rGqgH5cVowjLmSoaCMZ5lk0r6WVxL0VgCkXr8yODnHSqXYQAlwdmAZ7_g4G0dZ6CZ42FnoDE3g62KmVuFQwXRMPL3EtkxDkU-75Tkw5n5oab
OuIjOU_Po4F0Y228939hlMXmS0wi7FvUKlcXgsB0a2AN12BekwUyODg1ORpgs-EKTQ5uATfPzuxw9mKQgOPg&b=AAAAAA

HTTP/1.1 200 OK
Server: nginx/0.6.34
Date: Mon, 29 Dec 2008 17:17:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.6

172
_wAAARBpoik0zkIPA1B2gFuXn572lrXl92PIe1phvlQcNzFRIqyb8KqNER3q_64C4aNPUgO8GFVpfxuQusXvKUQd2vRXPuDvKaQ-MaI35Cf-
veUJdTDJdRtVXGxJ6XuS7lhhqZ1luM0OAqY2KaDxgaR_B11hirjIr_CcPm5QfNrAgIJTY05BOtJi0FkrA-gIo0WHe-7wlvrNFxj2qZWSawee
vG6hPDM-PoZo0OdsSkazYMRfd6Lpvkr_rVmg8yoiJrwXPHxfICHXpskXUQPLCgvSPX8RLHBFje-sbumVzsGyUOEt4gmzz_9lXDhDxVDvOdr5
2EiUc9aY2oEZkmV4eGuzB5j-RFuSKk6OUWdVIT5hxXID9w
0

As you can see, the payload traffic is not very readable. Looking at the string values of the trojan running in memory, we can see a number of references to OpenSSL and various PKI items, including a public certificate. While we have not analyzed it to this level, we suspect the network is using some form of strong encryption for this communication. The transport itself is all unencrypted HTTP, but the payload seen above is certainly not clear text.

It would seem that web server nodes forward traffic on to other web server nodes, effectively working as a peer-to-peer network, or, as our friend "W" calls it, HTTP2p. There is certainly a back-end mothership somewhere, but it does not seem that infected web nodes talk directly to it, or at least not every time. It is also interesting to note that if the trojan does not successfully connect to any of its seed IPs for ten minutes, it will then attempt to grab a PHP file from one of the domains hard-coded inside the binary.

Public Certificate: SHA-1 Signing with RSA 1024 Encryption

We mentioned that there was a certificate in memory that was easy to see and rip out. Well here it is for you to view:


A few interesting items from the plain text to note:

Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd
Validity
Not Before: Oct 21 20:11:48 2007 GMT
Not After : Nov 20 20:11:48 2007 GMT

Since we haven't reversed it, or heard of anyone who has, we are not entirely sure what to make of this. This key could potentially still be used for encryption even though it has expired. Then again, the trojan could be using any number of other means to encrypt this data. I am sure we will see some reports out soon that help clarify all of this.

Storm Worm?

Right! You are not the only one thinking this. In fact, a lot of people are drawing similar comparisons. There are a ton of differences, but there is also a bunch of similarities for sure. Here are a few similarities that we, along with our fellow collaborators and security researchers, have come up with:

  • Fast-flux Network (domains are fast fluxing and name servers frequently change IPs)
  • Several Name Servers per Domain (ns[1-6].<waledac.domain>)
  • Use of Nginx (sure lots of people use it, but hey it's a similarity)
  • Spreading through e-mail and Holiday Themes
  • Use of "ecard.exe" and "postcard.exe" (both previously used by Storm)
  • Drive-by Exploit in Domains (Storm previously used Neosploit)

There's also a ton of differences, which we are not going to list. We can't say for sure that they are related, but we do acknowledge a number of interesting similarities.

Prevention and Detection

The first step, as always, is not to click the links in your e-mail. This will keep you relatively safe and Waledac free. However, we all know that people can and will click nearly anything. Your next step is to block the domains listed above. There will surely be new ones added to the mix in the future, but blocking these will definitely help in the near term. Keeping antivirus up to date can't hurt either.

However, let's assume you get infected or someone comes onto your network infected. How about a nice Snort signature to detect this traffic? It is now available in the Emerging Threats ruleset:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac Beacon Traffic Detected"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Referer\: Mozilla|0d 0a|"; nocase; within:50; content:"|0d 0a|User-Agent\: Mozilla|0d 0a|"; within:120; content:"a="; nocase; within: 100; classtype:trojan-activity;reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; sid:2008958; rev:1;)
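The same matching logic as the Emerging Threats rule above, as an added Python example (not part of the original post or of the ET ruleset), run over constructed request samples so it can be checked offline against the beacon shape shown earlier. The sample hosts and payload bytes are made up; the base64url body check goes slightly beyond the rule.

```python
import re

# Constructed sample requests (the header shape follows the beacon shown in the
# post; the payload and host values are made up, not captured traffic).
SAMPLE_REQUESTS = {
    "beacon": (
        "POST /pxoq.htm HTTP/1.1\r\nReferer: Mozilla\r\nAccept: */*\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla\r\n"
        "Host: 198.51.100.10\r\nContent-Length: 40\r\nCache-Control: no-cache\r\n"
        "\r\na=_wAAArkEUih-Ac9XKXcrmaS-cd95t&b=AAAAAA"
    ),
    "browser_post": (
        "POST /login HTTP/1.1\r\nHost: example.org\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.0)\r\nReferer: http://example.org/\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 18\r\n\r\nuser=bob&pw=secret"
    ),
    "get_with_odd_headers": (
        "GET /pxoq.htm HTTP/1.1\r\nReferer: Mozilla\r\nUser-Agent: Mozilla\r\n"
        "Host: 198.51.100.10\r\n\r\n"
    ),
}

# Body shape seen in the post: an 'a=' parameter of base64url characters; the
# trailing '&b=' is optional because the post shows only one sample.
BODY_RE = re.compile(r"^a=[A-Za-z0-9_-]+(&b=[A-Za-z0-9_-]+)?$")

def split_request(raw):
    """Split a raw request into (request line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def is_waledac_beacon(raw):
    """Mirror the Emerging Threats rule in the post: a POST whose Referer and
    User-Agent are literally 'Mozilla' (no version string) with an 'a=' body.
    The base64url body-shape check is an addition, not part of the rule."""
    request_line, headers, body = split_request(raw)
    if not request_line.startswith("POST /"):
        return False
    if headers.get("referer", "").lower() != "mozilla":
        return False
    if headers.get("user-agent", "").lower() != "mozilla":
        return False
    return BODY_RE.match(body) is not None

def flagged(requests):
    """Names of the sample requests that match, in input order."""
    return [name for name, raw in requests.items() if is_waledac_beacon(raw)]
```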

Have a Happy and Waledac/Storm free 2009 everyone!

Credit

Shadowserver would like to thank W, bertdg, and scholar for their feedback, contributions, and collaboration with respect to research on both Waledac and the Storm Worm.

Posted December 31, 2008, at 11:53 AM by Steven Adair