[Emerging-Sigs] Strange UDP Trojan check-in

Adam Brunner adam.brunner at internetidentity.com
Tue Oct 4 13:39:00 EDT 2011


Sorry, I might have jumped the gun on that one. The same 'type' of traffic
comes from that bot, but looking at this a bit closer it doesn't seem
to match, sorry...

On 10/4/11 10:22 AM, Martin Holste wrote:
> Thanks for the info.  Can you confirm that the TCP attempts go to
> different hosts than the UDP attempts?  All of the UDP attempts are
> firewalled, so we should see the TCP connections, but it's tough to
> locate without something more to go on (this host is NAT'ed so we can
> just dump all flows).  We've not seen any requests for gameover.php
> lately, so I am assuming the TCP connections are working.
>
> On Tue, Oct 4, 2011 at 12:03 PM, Adam Brunner
> <adam.brunner at internetidentity.com> wrote:
>> Hi, first time posting here. This is a new variant of Zeus that actually
>> has a P2P component. It also has a DGA algorithm as well in case any of
>> those addresses below (peers) don't respond. It will reach out to
>> peers on random UDP ports as you have stated; it will also reach out to
>> random nodes on TCP ports and finally reach out to a domain-based C2,
>> usually requesting a gameover.php or gameover2.php.
>>
>>
>> On 10/4/11 9:55 AM, Martin Holste wrote:
>>> Here are the check-in IP addresses, which are probably bots.  One
>>> address was observed sending spam and phishing emails, which the
>>> customer has told us was the infection vector (Trojan in email).
>>> James, if you could add these to the RBN list that would be great:
>>>
>>> On Tue, Oct 4, 2011 at 11:16 AM, Martin Holste <mcholste at gmail.com> wrote:
>>>> We stumbled on a fairly strange Trojan
>>>> (http://mwanalysis.org/?page=report&analysisid=459552&password=sdlnrdqkxc)
>>>> that's served up by a run-of-the-mill Blackhole exploit server that
>>>> has a fairly unique C2 mechanism.  Here are some example payloads
>>>> which go to random UDP ports but are always 114 bytes in total packet
>>>> length:
>>>>
>>>> 0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
>>>> 0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
>>>> 0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
>>>> 0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
>>>> 0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
>>>>
>>>> 0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
>>>> 0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
>>>> 0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
>>>> 0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
>>>> 0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........
>>>>
>>>> 0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
>>>> 0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
>>>> 0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
>>>> 0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
>>>> 0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........
>>>>
>>>> 0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
>>>> 0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
>>>> 0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
>>>> 0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
>>>> 0040   d5 d5 d5 d5 d5 d5 d5 d5                          ........
>>>>
>>>> You can catch these with a simple BPF like this:
>>>> udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
>>>> which will find UDP packets of length 114 in which the last nine bytes
>>>> are identical.
>>>>
>>>> Has anyone seen this?  It almost feels like P2P, but I don't think it
>>>> is, and it is definitely malicious.  VirusTotal had only three hits
>>>> and the best guess was Kryptik.  Any idea how to create signature from
>>>> that BPF?  I'm not too good with byte_test.
>>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
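Added example (not from the thread or any of its posters): a Python check that wraps the first payload dump quoted above in a constructed Ethernet/IPv4/UDP frame and applies both the byte comparisons of the posted BPF and a strict "last nine payload bytes identical" test, so the two can be compared on constructed tails. The MAC addresses, IP addresses and ports in `build_frame` are placeholders, not values from the thread.

```python
"""Replicate the UDP check-in heuristic from the thread on raw Ethernet frames.

Added example, not from the original post. Frame headers (MACs, IPs, ports)
are constructed; only the 72-byte payload is the first dump from the thread.
"""
import struct

# First payload dump posted in the thread (72 bytes, tail of nine 0x6e bytes).
PAYLOAD_1 = bytes.fromhex(
    "6a6b6b69ef52d3a803d9f1f7af6d64ec"
    "c867d46aa79383da194566897437de9a"
    "a187b2fd6995023b3fae9bda705d3663"
    "0b5ff03bac15ef174c7e93290c64f66e"
    "6e6e6e6e6e6e6e6e"
)


def build_frame(payload: bytes) -> bytes:
    """Wrap payload in constructed Ethernet/IPv4/UDP headers (checksums left 0)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)  # placeholder MACs
    ip_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([198, 51, 100, 7]))  # placeholders
    udp = struct.pack("!HHHH", 40000, 23456, 8 + len(payload), 0)  # placeholder ports
    return eth + ip + udp + payload


def udp_segment(frame: bytes):
    """Return the UDP header plus payload of an IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:  # IPv4 protocol field must be UDP
        return None
    return frame[14 + ihl:]


def bpf_match(frame: bytes) -> bool:
    """Posted BPF: udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]."""
    udp = udp_segment(frame)
    if udp is None or len(frame) != 114 or len(udp) < 80:
        return False
    return udp[71:75] == udp[75:79] and udp[78] == udp[79]


def strict_match(frame: bytes) -> bool:
    """Total length 114 and the last nine payload bytes all the same value."""
    udp = udp_segment(frame)
    if udp is None or len(frame) != 114:
        return False
    tail = udp[8:][-9:]  # skip the 8-byte UDP header, keep the final nine bytes
    return len(tail) == 9 and len(set(tail)) == 1
```

A tail that repeats a four-byte pattern (for example `ABCDABCDD`) satisfies the BPF's two comparisons but not the strict test, which is the kind of corner a Snort byte_test rule built from the BPF would inherit.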

