Category Archives: Mass Malware

TDL Variant (Backdoor.Pihar) Clickfraud Traffic

Use these to help find infected hosts on your network…

Clickfraud domains

Clickfraud “search engine” domains

Possible regexes for these include the ones below, but legitimate sites use the same query parameters, so expect false positives.

\/\?query=
\/\?q=

Involved IP Addresses

These requests often (but not always) use a specific User-Agent:

Mozilla/5.0 (compatible; MSIE 1.0; Windows NT; 57473847)

Clickfraud Redirects

HTTP Method = GET
Content-Type = text/html
HTTP URI = \/(f|k|task)\/(6|24|25|26|27)(\/)?$

Examples:

rigil-kentaurus5.biz/k/27
nerrtor-dep.net/f/25
sirius-beta7.net/f/27
ebertlittle.com/task/25
rutherfordleannon.name/task/27/

Base64-like Clickfraud Requests

HTTP Method = GET
Content-Type = text/html
HTTP URI = \/[a-z]\/[a-zA-Z0-9%]{50,}(%3d){1,2}\/$

Examples:

http://torphy.net/c/eTBsMGdlbmVyYXRpbmd5MGwwVEhJU3RyYWZmaWN0aGlzaXNOT1R3aG%2fF0dGhlYWNUVUFMYmFzZTY0eTBsMFcwdWxkRGVjMEQzVDAF0dGhlYWNUVUFMYmFzZTY0eTBsMFcwdWxkRGVjMEQzVDA%3d%3d/

http://dolchernalt.com/d/RoaXNJTmhlcmVzb2FzdG9OT1Rna%2bXZlYXdheW FueXRoaW5ndG9USEVIMHN0c3RoYXRXM1JF%3d/

http://procyon-q4.info/d/aGV5bG9va3kwbDB0aGlzaXNKVVN%2bUYWJ1bmNob2ZiYXNlNjRtYXRjaGluZ3kwbDB0ZXh0aVBVVH%3d/

Kuluoz Updated Distribution Links

*Update 22/11/2013*

Thanks to a tip from @StopMalwar we can see another variant, this time using random characters in the script name.

Examples:

http://hanoumat.com/eylebpl.php?56vxfdV03Y//SXq3tnG6krkNWN6cTpKMqsKgM8yJW3M
http://ametgroup.com/kcvexvg.php?gQ8V3e62zMo4oB/npoXtgRb+ULuJzVpdTamGCBlvrYE=

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/([a-z]{7}|mirror)\.php\?[a-zA-Z0-9+/]{42,43}(=)?$

See Examples on UrlQuery.net

The links also seem to be either very short-lived or single-use.

Since my previous posting, somewhere along the way Kuluoz distribution links changed format.

The attack vector is the same as far as I know. It’s a zip file, requiring the user to actually extract the zip and run the executable.

===================
===199.79.62.165===
===================

2013-05-24 06:59:22 http://calquan.com/img/get.php?get_info=ss00_323
2013-10-17 00:57:50 http://www.qabandigroup.com/get.php?invite=BW23JzJ92KvOgkce4NLidGC1MDDEXcRaDb7r77wYCJw

Examples:

http://rigas.name/item.php?message=Jyj6qil+nLBgj9MjzxCYSfbU3wGMwHN1dZccfDSWCcM=
http://wentworth.aero/app.php?message=85wJGcjFxbxLb7OArN/4Tx+tHIWnExbiJRKRasnOGDw=
http://pravopom.com/get.php?invite=g9VL3vhFBKWbvtQ3zNgpNmqaQuXRe3z/FiD8Fxm8hAY=
http://hnhc.org/main.php?label=Kzhjih0ExKbXbV97sII/dLcqBGaaCB7c3KAwdp9RVyY=
http://stamfordses.org/info.php?cargo=li5glNSESMJkAGkF5lP3sDhVYQF40mWI15JUqCpgpiA=

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/[a-z]+\.php\?[a-z]+=[a-zA-Z0-9+/]{42,43}(=)?$

OR

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/(app|main|info|get|place|item|voice|message|msg)\.php\?(message|label|id|cargo|inv|invite|vmid|wed)=

Thanks to @eplekompott and @ekse0x for helping to keep this updated!

See more Examples on UrlQuery.net
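As an added example (not code from the original posts), the URI signatures from the TDL (Backdoor.Pihar) clickfraud post and the Kuluoz post above applied to a few constructed proxy log records. Method and content-type are checked together with the URI regex, exactly as the signatures list them; the log record format, the cdn.example host and the shortened torphy.net base64-style URL are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Signatures transcribed from the two posts: (name, method, content-type, URI regex).
# The URI regexes describe the request path plus query string, not the host.
SIGNATURES = [
    ("tdl_redirect", "GET", "text/html",
     r"\/(f|k|task)\/(6|24|25|26|27)(\/)?$"),
    ("tdl_base64", "GET", "text/html",
     r"\/[a-z]\/[a-zA-Z0-9%]{50,}(%3d){1,2}\/$"),
    ("kuluoz_random", "GET", "application/octet-stream",
     r"\/([a-z]{7}|mirror)\.php\?[a-zA-Z0-9+/]{42,43}(=)?$"),
    ("kuluoz_php_param", "GET", "application/octet-stream",
     r"\/[a-z]+\.php\?[a-z]+=[a-zA-Z0-9+/]{42,43}(=)?$"),
]
COMPILED = [(name, m, ct, re.compile(rx)) for name, m, ct, rx in SIGNATURES]


def request_target(url):
    """Path plus query of a URL; a bare 'host/path' form is accepted too."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.path + ("?" + parts.query if parts.query else "")


def match_signatures(method, content_type, url):
    """Names of every signature the request satisfies (method, type and URI must all agree)."""
    target = request_target(url)
    ct = content_type.split(";")[0].strip().lower()  # drop charset parameters
    return [name for name, m, sig_ct, rx in COMPILED
            if method.upper() == m and ct == sig_ct and rx.search(target)]


# Constructed proxy log records: (method, response content-type, URL).
LOG_RECORDS = [
    ("GET", "text/html", "rigil-kentaurus5.biz/k/27"),
    ("GET", "text/html; charset=utf-8", "http://rutherfordleannon.name/task/27/"),
    ("GET", "text/html", "http://torphy.net/c/" + "Z0RhVGE" * 8 + "%3d%3d/"),
    ("GET", "application/octet-stream",
     "http://ametgroup.com/kcvexvg.php?gQ8V3e62zMo4oB/npoXtgRb+ULuJzVpdTamGCBlvrYE="),
    ("GET", "application/octet-stream",
     "http://rigas.name/item.php?message=Jyj6qil+nLBgj9MjzxCYSfbU3wGMwHN1dZccfDSWCcM="),
    ("GET", "image/png", "http://cdn.example/k/27"),  # same path, wrong content-type
    ("GET", "application/octet-stream", "http://cdn.example/dl/setup.exe"),
]


def scan(records):
    """Return (url, [signature names]) for every record that matched at least one signature."""
    return [(url, names) for method, content_type, url in records
            if (names := match_signatures(method, content_type, url))]


if __name__ == "__main__":
    for url, names in scan(LOG_RECORDS):
        print(url, "->", ", ".join(names))
```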

Turning Vendor Blog Posts Into Actionable Intelligence (re: Solarbot)

When I see blog posts like these, they make my day. Thanks ESET/Avast!

http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/
https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/

The actionable data from them (IMO) is the following:

Filename = *www.facebook.com.exe

HTTP Method = POST
Content-type = application/x-www-form-urlencoded
Content-length < 100
HTTP URI (not domain) = \/[a-z]+\/$

We’re able to use great sites like VirusTotal, UrlQuery, Malwr.com, CleanMX, Malc0de.com, and some simple Google-fu to build more intelligence around the indicators that were given.

You can then turn around and use this in your environment to detect compromised machines.

dabakhost.be – 81.177.180.60

From VT

2013-08-28 04:15:56 http://dabakhost.be/solbrwq/
2013-08-09 22:40:17 http://dabakhost.be/Loader.exe

From UrlQuery

2013-08-09 04:29:35 http://dabakhost.be/Loader.exe [Russian Federation] 81.177.180.60

From CleanMX

http://privathosting.be/Solar.exe

terra-araucania.cl – 69.73.130.24

From VT

2013-08-28 12:16:00 http://terra-araucania.cl/
2013-08-28 03:57:10 http://terra-araucania.cl/solar/

xyz25.com – 92.243.18.120, 92.243.1.61

From VT

2013-08-16 13:17:33 http://xyz25.com/

From UrlQuery

2013-09-17 15:21:12 http://www.xyz25.com/mf2cqb60hvpg/j12515f1e3xelm6/Image_024-WWW.FACEBOOK.COM.exe [France] 92.243.1.61

From Malwr.com

1. https://malwr.com/analysis/NjQ0N2YzNTMwMGNkNDJkMTg5ZGI5MjJiMTAyYmYyN2Q/
2. https://malwr.com/analysis/ZjUwZjZiOGJlZTk5NDgyNmE1MmFmM2JjNDAwZDBiODg/
3. https://malwr.com/analysis/MTlmMmQ0YjliNzM0NGQ5MmI4MGI4ZjkzMWVjYjUxNTI/

Some additional activity is seen in Report #2 that may or may not be related…

http://upload.tehran98.com/upme/uploads/91e26a25c62c3cd91.png – 144.76.94.237

GET /upme/uploads/91e26a25c62c3cd91.png HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: upload.tehran98.com
Connection: Keep-Alive

http://zxc.ao2r9k.com/l1I.php – 95.142.171.14

GET /l1I.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Host: zxc.ao2r9k.com
Cache-Control: no-cache

The UA differs from the one in either write-up, suggesting the binary probably isn’t using a static UA.

yandafia.com – 85.25.208.82, 85.25.23.154, 93.190.141.106

From VT

2013-09-19 13:36:43 http://yandafia.com/456.exe
2013-08-31 14:23:37 http://yandafia.com/wp-admin/css/css/css/csx/
2013-07-29 15:00:54 http://yandafia.com/450.exe
2013-07-20 20:08:27 http://yandafia.com/order.php
2013-07-11 01:49:29 http://yandafia.com/

elzbthfntr.com – 37.139.3.132

From VT

2013-08-04 37.139.3.132

alfadente.com.br – 200.234.196.75

From VT

2013-09-26 14:27:10 http://alfadente.com.br/
2013-08-07 03:28:59 http://alfadente.com.br/Image.Skype.29.07.2013.exe
2013-08-04 03:35:25 http://alfadente.com.br/s.exe
2013-08-03 12:29:25 http://alfadente.com.br/i.exe

cmeef.info – 93.174.94.64, 178.238.237.110

From VT

2013-09-26 14:14:29 http://cmeef.info/e6ct/index.php
2013-09-05 15:16:41 http://cmeef.info/
2013-09-05 14:01:06 http://cmeef.info/e6ct/

From there you can pivot on the IPs to find more domains and start building IOCs for use on your network. Network analysis is iterative.

Detecting TDSS Variants

These have caught some TDSS infected hosts lately.

HTTP Method = GET
Regex HTTP URI for \/[a-z]\/[0-9]{4}\/[0-9]{1,4}\/[0-9]{13}_[0-9]{13,14}\/([0-9]+\/)?$

Examples:

espeak911.com/s/1097/5005/1348834772843_32880252672854/11/
runrunfaster.com/s/1500/0/1361145743122_5741195516747/11/
novemberrainx.com/c/1600/0/1354942684608_34784241188532/
wewillrocknow.com/s/1306/0/1369426784608_34784241188532/11/

HTTP Method = GET
Regex HTTP URI for \/j\/js[1-9]$

Examples:

woohoowoo.com/j/js9
woohoowoo.com/j/js8
woohoowoo.com/j/js4
woohoowoo.com/j/js3
woohoowoo.com/j/js2
woohoowoo.com/j/js1
woohoowoo.com/j/js7
woohoowoo.com/j/js6
woohoowoo.com/j/js5

You can also look for these, though expect many false positives.

HTTP Method = GET
Regex HTTP URI for \/(x|z|d)\/$

paspartux.com/x/
crossmatchx.com/x/
85.195.92.11/x/
novemberrainx.com/z/
oleolex98.com/x/
yawszaw89.com/x/

Known malicious domains and IP addresses:

References:

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YVC/detailed-analysis.aspx
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~TDSS-IY/detailed-analysis.aspx
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~TDSS-IX/detailed-analysis.aspx
http://www.pchelpforum.com/xf/threads/espeak911-colexity777-37-220-36-44-malicious-url-sites.141526/page-5 (solved w/ TDSSKiller)

Clickfraud traffic from infected hosts

Check for this on your network to find infected hosts performing clickfraud.

HTTP Method = GET
HTTP Destination contains *=/?l=eyJhYyI6* (that is a lower-case “L” after the ?, not the digit one)
Regex HTTP URI for \/[0-9]{8,9}\/[A-Za-z0-9]{7}=\/\?l=[A-Za-z0-9]{300,}(==?)?$

You can base64-decode the long field at the end to see some additional info about the activity.

Lately I’ve been seeing this on hosts compromised by Neutrino.
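As an added example, not code from the original post, this decodes the l= field of a matching URL: the eyJhYyI6 marker is simply the base64 of {"ac": (the start of a JSON object), and the rest of the field is whatever the client reports. The host clickfraud.example, the field names and values in the sample payload are constructed for this example; only the "ac" key is implied by the post's marker.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# URI signature from the post, applied to the request path plus query string.
CLICKFRAUD_URI = re.compile(
    r"\/[0-9]{8,9}\/[A-Za-z0-9]{7}=\/\?l=[A-Za-z0-9]{300,}(==?)?$")


def b64_of(text):
    """Base64 of a short string; shows that the post's eyJhYyI6 marker is just {"ac": encoded."""
    return base64.b64encode(text.encode()).decode()


def decode_l_field(url):
    """Decode the JSON carried in the l= parameter of a URL matching the signature, else None."""
    parts = urlsplit(url)
    if not CLICKFRAUD_URI.search(parts.path + "?" + parts.query):
        return None
    value = parse_qs(parts.query)["l"][0]
    value += "=" * (-len(value) % 4)  # restore padding lost in logging or in transit
    try:
        return json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # bad base64, non-UTF-8 bytes or malformed JSON
        return None


# Constructed sample payload: the "ac" key is implied by the eyJhYyI6 marker; every
# other field and value here is invented for this example (the UA string is the one the
# TDL post lists, reused purely as sample data).
SAMPLE_INFO = {
    "ac": "example-affiliate-0001",
    "host": "infected-workstation.corp.example",
    "os": "Windows NT 6.1",
    "ua": "Mozilla/5.0 (compatible; MSIE 1.0; Windows NT; 57473847)",
    "engine": "keyword-search.net",
    "keywords": ["cheap flights", "car insurance quotes", "online degree programs"],
    "clicks": 17,
}
SAMPLE_URL = "http://clickfraud.example/123456789/Ab3dEfG=/?l=" + base64.b64encode(
    json.dumps(SAMPLE_INFO, separators=(",", ":")).encode()).decode()

if __name__ == "__main__":
    print(b64_of('{"ac":'))  # eyJhYyI6
    print(json.dumps(decode_l_field(SAMPLE_URL), indent=1))
```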

EXEs downloaded by STYX loader

Noticed some easy sigs for EXEs being downloaded by STYX loader.

RogueAV, ZA, and Zbot…

HTTP Method = GET
User-Agent = Mozilla/4.0
Content-type = application/octet-stream

Also Infostealer.gift

HTTP Method = POST
User-Agent = Mozilla/4.0
Content-type = application/x-www-form-urlencoded

Probable ZBOT Post-Compromise Activity

Found these in a very noisy Redkit attack… not totally sure that it’s ZBOT. Corrections welcome…

POST naurg. com/xhobdogfz.db
POST naurg. com/fjgmzzllvqoycbsustahfwbsuytqzhtidcjihpgvtu.rtf
POST naurg. com/issrxrdzlpofezkwhmuhymmorkplnc.7z
POST naurg. com/ixzygseaenf.log
POST ronavo .com/npjvncroe.log
POST ronavo .com/lwtirttzxoevcaztzylqbou.7z
POST ronavo .com/kaaaaaabnqayupqau.rar
POST ronavo .com/bzmqvwtwbrejgqibfkgmjirjcpwoclitfdshtsmftyuhvtwbdsqrkvgpnozym.php3

HTTP Method = POST
Content-Type = “application/x-www-form-urlencoded”
Regex HTTP URI for ^http:\/\/[a-zA-Z0-9-.]+\/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$

http://kargid. org/c.htm?uvZA8kUIv7AwOZCMqkqhwl7jDZUOEtWFwErdgRUr
http://joshuagsilverman .com/q.htm?tVgNliikvKhhITo2QcV1ooZ6QICtS8
http://homedecorreviews. com/g.htm?Eyl5gRHaELSinXQ9fvb8k3XUOfoOTq
http://heritageclothingcompany .com/w.htm?OomDwn2fWkkW598iEtR5afe
http://solomaquetas. com/l.htm?ZQjpwNPWV1o94aEFkSdd1vYt1ZjKWC4zOr
http://gorgeoregon. com/w.htm?f9QAXSZ4vUh6qvt43YOaauWiEfSqvZKlDjI
http://compstar .us/k.htm?oyQWBuciU6G3qqIu73gpbnxia7m2m8A8baezO51
http://canadabook .ca/y.htm?qELp27uE4QF76X65tsSEitdFC63ymvKqICc16

HTTP Method = GET
Content-Type = “application/octet-stream”
User-Agent = “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
Regex HTTP URI for \/[a-z]\.htm\?

Regex HTTP URI for ^[a-zA-Z0-9:/.?\-_]{57,64}$ > they all seem to be 57-64 characters right now…

Slight change to Facebook malware

This is a slight change to this post.

http://heartbeat.scoundrelly .eu/load/dlimage4.php?9618

You can also catch this when it comes directly from Facebook (the main distribution method) with something like this:

HTTP Method = GET
HTTP Referer = http://www.facebook.com/
Content-type = application/force-download

Locker Post Compromise Traffic

Very noisy malware.

HTTP Request Method = GET
Content-type = application/octet-stream
HTTP URI ends with *.php OR *.html
Regex HTTP URI for “\/[a-z-_]{70,}\.(php|html)$” OR “\/([a-z]+(\-|_)){5,}(\-|_)?\.(php|html)$”

Examples:

http://dbtnw.ru/oa-hjyq-ybtisddnxojg-tskorpvqvrdg_ksauqkddxxrcelpaehsdceal-alla-ousu-mrwfqs-xjytcnxignohzh-qt.php
http://wvrxe.su/cgcgcgcg-cgcg_cgcgwp-ezpl-htqu-oaysvpuxoncu_vtpt-wiko-jxus-ixwgjuykxsvi_nehtxjlldgcbdmbadukseb-.php
http://dbtnw.ru/cu-opvkdgksbafvsu-oayhrn-dwmr-yejz-nlxtxyfrrcawrtez-jwfr-yvtecotumsdn-vait-dify-pipt-narpjkduuq.php
http://wvrxe.su/dhxsdknq-zajpfcgtvyzv_cegonl-eljv-mpph-kqsy-mxfyiprakylgop_fzgo_ohlxprrtxiyn-hcgb-nhbtiqfrcosh.php

http://proimagecreativeservices.com/forums/vkwqahirbdwviurviuujvsgusnsgazrxryqf-xtorlp-htxadiamwi-plgc-plspnnlwenogdkyxtm_dklbsncxny.html
http://proimagecreativeservices.com/news/kwnnjrwsjspvefgz_gkig_qqsl-jruu-rrjrhioprrbp-qvkvfqhuwjdkcpzk-ylwk-mtnc-afzfbfksynfl_xtwqaq-el.html

http://unknownbringing.asia/news/bheyvibfiqfzcjynvnvyqclidgtskfdhsnpi-ysjkqzllys-nwfz_tfrpqkxovpdf-gtjzkbjhptdaxtjlwflzcu-.html

Finding Zeus/Zbot in your DNS logs

Regex your DNS logs with this to find hosts that are compromised.

^[a-z]{30,}\.biz

eg.

sdfiehfdkhfuwekjdsfoisdfhjehddfeers.biz
kfdijfkjeifjfgasufdkjfsdukwejkfhiushdf.biz
tqwehgnbzxctfdsowkjdhsfldgjkhmnlskhfsiu.biz

You’ll likely see DGA-style lookups under other top-level domains as well; .biz has fewer false positives.