[Emerging-Sigs] Strange UDP Trojan check-in

Martin Holste mcholste at gmail.com
Tue Oct 4 13:22:36 EDT 2011


Thanks for the info.  Can you confirm that the TCP attempts go to
different hosts than the UDP attempts?  All of the UDP attempts are
firewalled, so we should see the TCP connections, but it's tough to
locate without something more to go on (this host is NAT'ed so we can
just dump all flows).  We've not seen any requests for gameover.php
lately, so I am assuming the TCP connections are working.

On Tue, Oct 4, 2011 at 12:03 PM, Adam Brunner
<adam.brunner at internetidentity.com> wrote:
> Hi. First time posting here. This is a new variant of Zeus that actually
> has a p2p component. It also has a DGA algorithm as well in case any of
> those addresses below ( peers ) don't respond. It will reach out to
> peers on random UDP ports as you have stated; it will also reach out to
> random nodes on TCP ports and finally reach out to a domain-based C2,
> usually requesting a gameover.php or gameover2.php.
>
>
> On 10/4/11 9:55 AM, Martin Holste wrote:
>> Here are the check-in IP addresses, which are probably bots.  One
>> address was observed sending spam and phishing emails, which the
>> customer has told us was the infection vector (Trojan in email).
>> James, if you could add these to the RBN list that would be great:
>>
>> 68.231.75.49
>> 72.233.203.25
>> 84.30.119.253
>> 85.74.27.43
>> 74.171.201.192
>> 203.45.115.134
>> 99.71.75.16
>> 114.77.16.111
>> 123.193.112.177
>> 118.137.162.185
>>
>> 75.196.16.26
>> 85.75.135.70
>> 83.254.14.70
>> 70.128.127.16
>> 94.64.241.39
>> 223.207.96.218
>> 75.27.189.123
>> 78.87.116.43
>> 173.247.3.14
>> 99.166.109.197
>>
>> 79.127.51.130
>> 65.95.128.67
>> 110.44.171.67
>> 69.145.222.181
>> 94.69.149.54
>> 99.166.109.197
>> 69.11.29.47
>> 71.28.108.26
>> 94.214.21.112
>> 114.45.161.123
>>
>> 203.45.115.134
>> 124.13.247.75
>> 203.45.236.54
>> 201.13.194.67
>> 99.152.206.246
>> 75.45.176.254
>> 74.171.201.192
>> 24.231.16.54
>> 94.71.187.112
>> 24.245.47.215
>>
>> On Tue, Oct 4, 2011 at 11:16 AM, Martin Holste <mcholste at gmail.com> wrote:
>>> We stumbled on a fairly strange Trojan
>>> (http://mwanalysis.org/?page=report&analysisid=459552&password=sdlnrdqkxc)
>>> that's served up by a run-of-the-mill Blackhole exploit server that
>>> has a fairly unique C2 mechanism.  Here are some example payloads
>>> which go to random UDP ports but are always 114 bytes in total packet
>>> length:
>>>
>>> 0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
>>> 0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
>>> 0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
>>> 0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
>>> 0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
>>>
>>> 0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
>>> 0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
>>> 0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
>>> 0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
>>> 0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........
>>>
>>> 0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
>>> 0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
>>> 0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
>>> 0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
>>> 0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........
>>>
>>> 0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
>>> 0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
>>> 0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
>>> 0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
>>> 0040   d5 d5 d5 d5 d5 d5 d5 d5
>>>
>>> You can catch these with a simple BPF like this:
>>> udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
>>> which will find UDP packets of length 114 in which the last nine bytes
>>> are identical.
>>>
>>> Has anyone seen this?  It almost feels like P2P, but I don't think it
>>> is, and it is definitely malicious.  VirusTotal had only three hits
>>> and the best guess was Kryptik.  Any idea how to create a signature from
>>> that BPF?  I'm not too good with byte_test.
>>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!