[Emerging-Sigs] Strange UDP Trojan check-in

Adam Brunner adam.brunner at internetidentity.com
Tue Oct 4 13:03:09 EDT 2011


Hi, first time posting here. This is a new variant of Zeus that actually
has a p2p component. It also has a DGA algorithm as well in case any of
those addresses below (peers) don't respond. It will reach out to
peers on random UDP ports as you have stated; it will also reach out to
random nodes on TCP ports and finally reach out to a domain-based C2,
usually requesting a gameover.php or gameover2.php.


On 10/4/11 9:55 AM, Martin Holste wrote:
> Here are the check-in IP addresses, which are probably bots.  One
> address was observed sending spam and phishing emails, which the
> customer has told us was the infection vector (Trojan in email).
> James, if you could add these to the RBN list that would be great:
>
> On Tue, Oct 4, 2011 at 11:16 AM, Martin Holste <mcholste at gmail.com> wrote:
>> We stumbled on a fairly strange Trojan
>> (http://mwanalysis.org/?page=report&analysisid=459552&password=sdlnrdqkxc)
>> that's served up by a run-of-the-mill Blackhole exploit server that
>> has a fairly unique C2 mechanism.  Here are some example payloads
>> which go to random UDP ports but are always 114 bytes in total packet
>> length:
>>
>> 0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
>> 0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
>> 0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
>> 0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
>> 0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
>>
>> 0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
>> 0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
>> 0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
>> 0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
>> 0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........
>>
>> 0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
>> 0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
>> 0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
>> 0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
>> 0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........
>>
>> 0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
>> 0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
>> 0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
>> 0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
>> 0040   d5 d5 d5 d5 d5 d5 d5 d5
>>
>> You can catch these with a simple BPF like this:
>> udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
>> which will find UDP packets of length 114 in which the last nine bytes
>> are identical.
>>
>> Has anyone seen this?  It almost feels like P2P, but I don't think it
>> is, and it is definitely malicious.  VirusTotal had only three hits
>> and the best guess was Kryptik.  Any idea how to create a signature from
>> that BPF?  I'm not too good with byte_test.
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
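The BPF quoted in the thread, reimplemented over a raw frame so its udp[] offsets can be checked against the dumps. This is an added example, not code from the thread: the Ethernet/IPv4/UDP headers, addresses and ports wrapped around the dumped payload are constructed placeholders. Because the filter compares two overlapping 4-byte slices plus one byte pair rather than all nine tail bytes, a stricter tail check is shown beside it together with a constructed payload that passes the BPF but fails the strict check.

```python
import struct

# Constructed test frame: 14-byte Ethernet + 20-byte IPv4 + 8-byte UDP header
# (42 bytes) carrying the 72-byte payload from the first dump in the thread,
# so the whole frame is the 114 bytes that the BPF's len==114 refers to.
PAYLOAD = bytes.fromhex(
    "6a6b6b69ef52d3a803d9f1f7af6d64ec" "c867d46aa79383da194566897437de9a"
    "a187b2fd6995023b3fae9bda705d3663" "0b5ff03bac15ef174c7e93290c64f66e"
    "6e6e6e6e6e6e6e6e"
)
# Constructed near-miss: both 4-byte slices match and the last two bytes match,
# yet the nine tail bytes are not all the same value.
NEAR_MISS = PAYLOAD[:63] + b"abcdabcdd"


def build_frame(payload, sport=40000, dport=50000):
    """Wrap a UDP payload in placeholder Ethernet/IPv4/UDP headers (no checksums)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # placeholder addresses
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def udp_slice(frame, off, n):
    """BPF udp[off:n]: n bytes at offset off, counted from the start of the UDP header."""
    ihl = (frame[14] & 0x0F) * 4
    start = 14 + ihl + off
    return frame[start:start + n]


def bpf_match(frame):
    """Same predicate as the thread's filter:
    udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]"""
    is_udp = frame[12:14] == b"\x08\x00" and frame[23] == 17
    if not is_udp or len(frame) != 114:
        return False
    return (udp_slice(frame, 71, 4) == udp_slice(frame, 75, 4)
            and udp_slice(frame, 78, 1) == udp_slice(frame, 79, 1))


def tail_identical(frame, n=9):
    """Stricter form of the check: the last n payload bytes are all one value."""
    ihl = (frame[14] & 0x0F) * 4
    payload = frame[14 + ihl + 8:]
    return len(payload) >= n and len(set(payload[-n:])) == 1


if __name__ == "__main__":
    for name, p in (("sample", PAYLOAD), ("near-miss", NEAR_MISS)):
        f = build_frame(p)
        print(name, "bpf:", bpf_match(f), "tail identical:", tail_identical(f))
```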

