[Emerging-Sigs] Strange UDP Trojan check-in

Martin Holste mcholste at gmail.com
Tue Oct 4 12:16:33 EDT 2011


We stumbled on a fairly strange Trojan
(http://mwanalysis.org/?page=report&analysisid=459552&password=sdlnrdqkxc)
that's served up by a run-of-the-mill Blackhole exploit server that
has a fairly unique C2 mechanism.  Here are some example payloads
which go to random UDP ports but are always 114 bytes in total packet
length:

0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn

0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........

0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........

0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
0040   d5 d5 d5 d5 d5 d5 d5 d5                          ........

You can catch these with a simple BPF like this:
udp and len==114 and udp[71:4]==udp[72:4] and udp[75:4]==udp[76:4]
which will find UDP packets of length 114 in which the last nine bytes
are identical.

Has anyone seen this?  It almost feels like P2P, but I don't think it
is, and it is definitely malicious.  VirusTotal had only three hits
and the best guess was Kryptik.  Any idea how to create a signature from
that BPF?  I'm not too good with byte_test.
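An added example (not code from the original post): a small Python checker that applies the same test as the BPF to raw Ethernet frames. It parses the first payload above from its hex dump and wraps it in assumed IPv4/UDP headers (addresses and ports are constructed placeholders).

```python
import struct

# First beacon payload quoted in the post, in the same dump format (constructed test input).
POST_DUMP = """\
0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_hexdump(text: str) -> bytes:
    """Parse 'offset  hex-bytes  ascii' lines into raw bytes, ignoring the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        for tok in fields[1:17]:  # skip the offset; at most 16 byte tokens per line
            if len(tok) != 2 or not set(tok.lower()) <= HEX_DIGITS:
                break  # reached the ASCII column of a short final line
            out.append(int(tok, 16))
    return bytes(out)


def build_frame(payload: bytes, sport: int = 40000, dport: int = 5555) -> bytes:
    """Wrap a UDP payload in assumed Ethernet/IPv4/UDP headers (checksums left zero)."""
    udp_len = 8 + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"  # placeholder MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def is_beacon(frame: bytes) -> bool:
    """Same test as the BPF: 114-byte IPv4/UDP frame whose last nine UDP bytes are identical."""
    if len(frame) != 114 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:  # IP protocol field must be UDP
        return False
    udp = frame[14 + ihl:]  # BPF's udp[N] counts from the UDP header, so udp[71:80] is the tail
    return len(udp) >= 80 and len(set(udp[71:80])) == 1


if __name__ == "__main__":
    payload = parse_hexdump(POST_DUMP)
    print(len(payload), is_beacon(build_frame(payload)))
```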
