[Emerging-Sigs] Strange UDP Trojan check-in

Martin Holste mcholste at gmail.com
Tue Oct 4 13:44:45 EDT 2011


Well, the mwanalysis link I sent does show TCP connection attempts as
well, so it does fit in that regard.  What do you mean by "type" of
traffic?  Do the last 9 bytes stay the same?

On Tue, Oct 4, 2011 at 12:39 PM, Adam Brunner
<adam.brunner at internetidentity.com> wrote:
> Sorry, might have jumped the gun on that one... The same 'type' of traffic
> comes from that bot, but looking at this a bit closer it doesn't seem
> to match, sorry...
>
> On 10/4/11 10:22 AM, Martin Holste wrote:
>> Thanks for the info.  Can you confirm that the TCP attempts go to
>> different hosts than the UDP attempts?  All of the UDP attempts are
>> firewalled, so we should see the TCP connections, but it's tough to
>> locate without something more to go on (this host is NAT'ed so we can
>> just dump all flows).  We've not seen any requests for gameover.php
>> lately, so I am assuming the TCP connections are working.
>>
>> On Tue, Oct 4, 2011 at 12:03 PM, Adam Brunner
>> <adam.brunner at internetidentity.com> wrote:
>>> Hi, first time posting here. This is a new variant of Zeus that actually
>>> has a P2P component. It also has a DGA algorithm as well in case any of
>>> those addresses below (peers) don't respond. It will reach out to
>>> peers on random UDP ports as you have stated; it will also reach out to
>>> random nodes on TCP ports and finally reach out to a domain-based C2,
>>> usually requesting a gameover.php or gameover2.php.
>>>
>>>
>>> On 10/4/11 9:55 AM, Martin Holste wrote:
>>>> Here are the check-in IP addresses, which are probably bots.  One
>>>> address was observed sending spam and phishing emails, which the
>>>> customer has told us was the infection vector (Trojan in email).
>>>> James, if you could add these to the RBN list that would be great:
>>>>
>>>> 68.231.75.49
>>>> 72.233.203.25
>>>> 84.30.119.253
>>>> 85.74.27.43
>>>> 74.171.201.192
>>>> 203.45.115.134
>>>> 99.71.75.16
>>>> 114.77.16.111
>>>> 123.193.112.177
>>>> 118.137.162.185
>>>>
>>>> 75.196.16.26
>>>> 85.75.135.70
>>>> 83.254.14.70
>>>> 70.128.127.16
>>>> 94.64.241.39
>>>> 223.207.96.218
>>>> 75.27.189.123
>>>> 78.87.116.43
>>>> 173.247.3.14
>>>> 99.166.109.197
>>>>
>>>> 79.127.51.130
>>>> 65.95.128.67
>>>> 110.44.171.67
>>>> 69.145.222.181
>>>> 94.69.149.54
>>>> 99.166.109.197
>>>> 69.11.29.47
>>>> 71.28.108.26
>>>> 94.214.21.112
>>>> 114.45.161.123
>>>>
>>>> 203.45.115.134
>>>> 124.13.247.75
>>>> 203.45.236.54
>>>> 201.13.194.67
>>>> 99.152.206.246
>>>> 75.45.176.254
>>>> 74.171.201.192
>>>> 24.231.16.54
>>>> 94.71.187.112
>>>> 24.245.47.215
>>>>
>>>> On Tue, Oct 4, 2011 at 11:16 AM, Martin Holste <mcholste at gmail.com> wrote:
>>>>> We stumbled on a fairly strange Trojan
>>>>> (http://mwanalysis.org/?page=report&analysisid=459552&password=sdlnrdqkxc)
>>>>> that's served up by a run-of-the-mill Blackhole exploit server that
>>>>> has a fairly unique C2 mechanism.  Here are some example payloads
>>>>> which go to random UDP ports but are always 114 bytes in total packet
>>>>> length:
>>>>>
>>>>> 0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
>>>>> 0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
>>>>> 0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
>>>>> 0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
>>>>> 0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
>>>>>
>>>>> 0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
>>>>> 0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
>>>>> 0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
>>>>> 0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
>>>>> 0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........
>>>>>
>>>>> 0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
>>>>> 0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
>>>>> 0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
>>>>> 0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
>>>>> 0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........
>>>>>
>>>>> 0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
>>>>> 0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
>>>>> 0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
>>>>> 0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
>>>>> 0040   d5 d5 d5 d5 d5 d5 d5 d5                          ........
>>>>>
>>>>> You can catch these with a simple BPF like this:
>>>>> udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
>>>>> which will find UDP packets of length 114 in which the last nine bytes
>>>>> are identical.
>>>>>
>>>>> Has anyone seen this?  It almost feels like P2P, but I don't think it
>>>>> is, and it is definitely malicious.  VirusTotal had only three hits
>>>>> and the best guess was Kryptik.  Any idea how to create a signature from
>>>>> that BPF?  I'm not too good with byte_test.
>>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>
>

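The BPF posted in the original message can be emulated offline to check what it actually pins down before turning it into an IDS rule. The following script is an added example and is not code from this thread or from Emerging Threats: it parses the hex dumps from the first message, wraps two of those payloads in constructed Ethernet/IPv4/UDP headers (documentation addresses, no IP options, placeholder MACs, all assumptions), applies the same offset comparisons as the BPF, and runs a stricter "last nine payload bytes identical" test beside it.

```python
# Added example, not code from the thread. Payloads come from the first and
# fourth hex dumps in the original message; every header below is constructed.
import re
import struct

ETH_HDR = 14
IP_HDR = 20            # assumption: no IP options
UDP_HDR = 8
FRAME_LEN = 114        # frame length stated in the thread (14 + 20 + 8 + 72-byte payload)

# Offset column, then single-space-separated hex bytes; the double space before the ASCII column ends the group.
DUMP_LINE = re.compile(r"^[0-9a-f]{4}\s+((?:[0-9a-f]{2} ?)+)")

def parse_hexdump(text):
    """Turn the 'offset  hex bytes  ascii' dump format into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def ip_checksum(header):
    """One's-complement checksum over the 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload, src_ip="192.0.2.10", dst_ip="198.51.100.20", sport=40000, dport=12345):
    """Wrap a UDP payload in constructed Ethernet + IPv4 + UDP headers."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # placeholder MACs, EtherType IPv4
    udp_len = UDP_HDR + len(payload)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + udp_len, 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)  # zero checksum is legal for UDP over IPv4
    return eth + ip + udp + payload

def udp_segment(frame):
    """Return UDP header + payload of an IPv4/UDP frame, else None."""
    if len(frame) < ETH_HDR + IP_HDR or frame[12:14] != b"\x08\x00":
        return None
    if frame[ETH_HDR + 9] != 17:                           # IP protocol field must be UDP
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    return frame[ETH_HDR + ihl:]

def matches_bpf(frame):
    """Emulates: udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]."""
    udp = udp_segment(frame)
    if udp is None or len(frame) != FRAME_LEN:
        return False
    return udp[71:75] == udp[75:79] and udp[78] == udp[79]

def uniform_trailer(frame, n=9):
    """Strict check: the last n payload bytes are identical. Returns that byte value, else None."""
    udp = udp_segment(frame)
    if udp is None or len(frame) != FRAME_LEN:
        return None
    tail = udp[UDP_HDR:][-n:]
    return tail[0] if len(tail) == n and len(set(tail)) == 1 else None

def scan(frames):
    """(index, trailer byte or None) for every frame the BPF emulation flags."""
    return [(i, uniform_trailer(f)) for i, f in enumerate(frames) if matches_bpf(f)]

DUMP_1 = r"""
0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
"""
DUMP_4 = r"""
0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
0040   d5 d5 d5 d5 d5 d5 d5 d5
"""
# Constructed payload: passes the BPF (positions 63=67, 64=68, 65=69, 66=70=71)
# although the nine trailing bytes are not all equal.
NEAR_MISS = bytes(range(63)) + b"\x01\x02\x03\x04\x01\x02\x03\x04\x04"

SAMPLES = [
    build_frame(parse_hexdump(DUMP_1)),
    build_frame(parse_hexdump(DUMP_4)),
    build_frame(NEAR_MISS),
    build_frame(b"\x00" * 40),                             # constructed unrelated datagram, wrong length
]

if __name__ == "__main__":
    for i, trailer in scan(SAMPLES):
        print(f"frame {i}: BPF hit, uniform trailer byte = {trailer!r}")
```

Two things the emulation makes visible. First, `len` in BPF is the captured frame length including the 14-byte Ethernet header, so 114 corresponds to a 72-byte (0x48) UDP payload, which is exactly what the dumps show. Second, the filter compares udp[71:4] with udp[75:4] and udp[78:1] with udp[79:1]: that ties payload byte 63 to 67, 64 to 68, 65 to 69, and 66 to 70 to 71, so it is a necessary condition for "last nine bytes identical" rather than the full test, and the `NEAR_MISS` frame slips through it. A signature built from the BPF inherits that looseness; a rule that extracts the final byte and tests each of the preceding eight against it is tighter, at the cost of more comparisons per packet.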
