[Emerging-Sigs] Strange UDP Trojan check-in

Adam Brunner adam.brunner at internetidentity.com
Tue Oct 4 14:01:06 EDT 2011


So I just checked out a known Zeus sample that does have the p2p
component and it looks like the same thing ... which is strange. I have
attached a pcap from that infected machine. It looks like your filter
below also matched up on traffic I was seeing.


On 10/4/11 10:44 AM, Martin Holste wrote:
> Well, the mwanalysis link I sent does show TCP connection attempts as
> well, so it does fit in that regard.  What do you mean by "type" of
> traffic?  Do the last 9 bytes stay the same?
>
> On Tue, Oct 4, 2011 at 12:39 PM, Adam Brunner
> <adam.brunner at internetidentity.com> wrote:
>> Sorry, I might have jumped the gun on that one. The same 'type' of traffic
>> comes from that bot, but looking at this a bit closer it doesn't seem
>> to match, sorry...
>>
>> On 10/4/11 10:22 AM, Martin Holste wrote:
>>> Thanks for the info.  Can you confirm that the TCP attempts go to
>>> different hosts than the UDP attempts?  All of the UDP attempts are
>>> firewalled, so we should see the TCP connections, but it's tough to
>>> locate without something more to go on (this host is NAT'ed so we can
>>> just dump all flows).  We've not seen any requests for gameover.php
>>> lately, so I am assuming the TCP connections are working.
>>>
>>> On Tue, Oct 4, 2011 at 12:03 PM, Adam Brunner
>>> <adam.brunner at internetidentity.com> wrote:
>>>> Hi, first time posting here. This is a new variant of Zeus that actually
>>>> has a p2p component. It also has a DGA algorithm as well in case any of
>>>> those addresses below (peers) don't respond. It will reach out to
>>>> peers on random UDP ports as you have stated; it will also reach out to
>>>> random nodes on TCP ports and finally reach out to a domain-based C2,
>>>> usually requesting a gameover.php or gameover2.php.
>>>>
>>>>
>>>> On 10/4/11 9:55 AM, Martin Holste wrote:
>>>>> Here are the check-in IP addresses, which are probably bots.  One
>>>>> address was observed sending spam and phishing emails, which the
>>>>> customer has told us was the infection vector (Trojan in email).
>>>>> James, if you could add these to the RBN list that would be great:
>>>>>
>>>>> 68.231.75.49
>>>>> 72.233.203.25
>>>>> 84.30.119.253
>>>>> 85.74.27.43
>>>>> 74.171.201.192
>>>>> 203.45.115.134
>>>>> 99.71.75.16
>>>>> 114.77.16.111
>>>>> 123.193.112.177
>>>>> 118.137.162.185
>>>>>
>>>>> 75.196.16.26
>>>>> 85.75.135.70
>>>>> 83.254.14.70
>>>>> 70.128.127.16
>>>>> 94.64.241.39
>>>>> 223.207.96.218
>>>>> 75.27.189.123
>>>>> 78.87.116.43
>>>>> 173.247.3.14
>>>>> 99.166.109.197
>>>>>
>>>>> 79.127.51.130
>>>>> 65.95.128.67
>>>>> 110.44.171.67
>>>>> 69.145.222.181
>>>>> 94.69.149.54
>>>>> 99.166.109.197
>>>>> 69.11.29.47
>>>>> 71.28.108.26
>>>>> 94.214.21.112
>>>>> 114.45.161.123
>>>>>
>>>>> 203.45.115.134
>>>>> 124.13.247.75
>>>>> 203.45.236.54
>>>>> 201.13.194.67
>>>>> 99.152.206.246
>>>>> 75.45.176.254
>>>>> 74.171.201.192
>>>>> 24.231.16.54
>>>>> 94.71.187.112
>>>>> 24.245.47.215
>>>>>
>>>>> On Tue, Oct 4, 2011 at 11:16 AM, Martin Holste <mcholste at gmail.com> wrote:
>>>>>> We stumbled on a fairly strange Trojan
>>>>>> (http://mwanalysis.org/?page=report&analysisid=459552&password=sdlnrdqkxc)
>>>>>> that's served up by a run-of-the-mill Blackhole exploit server that
>>>>>> has a fairly unique C2 mechanism.  Here are some example payloads
>>>>>> which go to random UDP ports but are always 114 bytes in total packet
>>>>>> length:
>>>>>>
>>>>>> 0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
>>>>>> 0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
>>>>>> 0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
>>>>>> 0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
>>>>>> 0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
>>>>>>
>>>>>> 0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
>>>>>> 0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
>>>>>> 0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
>>>>>> 0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
>>>>>> 0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........
>>>>>>
>>>>>> 0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
>>>>>> 0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
>>>>>> 0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
>>>>>> 0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
>>>>>> 0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........
>>>>>>
>>>>>> 0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
>>>>>> 0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
>>>>>> 0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
>>>>>> 0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
>>>>>> 0040   d5 d5 d5 d5 d5 d5 d5 d5                          ........
>>>>>>
>>>>>> You can catch these with a simple BPF like this:
>>>>>> udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
>>>>>> which will find UDP packets of length 114 in which the last nine bytes
>>>>>> are identical.
>>>>>>
>>>>>> Has anyone seen this?  It almost feels like P2P, but I don't think it
>>>>>> is, and it is definitely malicious.  VirusTotal had only three hits
>>>>>> and the best guess was Kryptik.  Any idea how to create a signature from
>>>>>> that BPF?  I'm not too good with byte_test.
>>>>>>
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: capture.pcap
Type: application/octet-stream
Size: 777220 bytes
Desc: not available
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111004/adf65df6/capture-0001.obj
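The filter quoted in the thread, `udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]`, is easy to misread because BPF's `udp[N]` counts from the start of the 8-byte UDP header, not from the payload. The script below is an added example (not code from the thread or from any of its posters): it parses the four hex dumps Martin posted into raw payloads, applies the same byte comparisons at their true payload offsets, and contrasts that with the stricter "all nine trailing bytes identical" condition the filter is meant to express. The frame-length arithmetic assumes untagged Ethernet II over IPv4 (14 + 20 + 8 header bytes, so a 114-byte frame carries a 72-byte UDP payload); the counter-example payload is constructed, and the first-four-bytes XOR check is an observation on these four dumps only, not a claim the thread makes.

```python
"""Check UDP payloads against the 'last nine bytes identical' heuristic.

Added example for the Emerging-Sigs thread above; the four hex dumps are
copied from Martin Holste's message, everything else is constructed.
"""
import re

# Assumption: untagged Ethernet II + IPv4 + UDP headers = 42 bytes, so the
# BPF's len==114 corresponds to a 72-byte UDP payload (Snort: dsize:72).
FRAME_LEN = 114
HEADER_BYTES = 14 + 20 + 8
PAYLOAD_LEN = FRAME_LEN - HEADER_BYTES  # 72

# The four payloads from the thread, in Wireshark hex-dump layout.
SAMPLE_DUMPS = r"""
0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn

0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........

0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........

0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
0040   d5 d5 d5 d5 d5 d5 d5 d5
"""

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_hexdumps(text):
    """Parse Wireshark-style dumps (offset, hex bytes, optional ASCII column).
    Dumps are separated by blank lines; returns a list of bytes objects."""
    dumps, current = [], bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                dumps.append(bytes(current))
                current = bytearray()
            continue
        # Hex bytes are single-space separated; two or more spaces precede
        # the ASCII column, which we deliberately ignore.
        parts = re.split(r"\s{2,}", line)
        if len(parts) < 2 or int(parts[0], 16) != len(current):
            raise ValueError(f"malformed or out-of-order row: {line!r}")
        for tok in parts[1].split():
            if not HEX_BYTE.fullmatch(tok):
                raise ValueError(f"bad hex byte {tok!r} in row {line!r}")
            current.append(int(tok, 16))
    if current:
        dumps.append(bytes(current))
    return dumps


def bpf_match(payload):
    """Python equivalent of the thread's filter:
       udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
    udp[N] is offset from the UDP header, so udp[71] is payload byte 63."""
    if len(payload) != PAYLOAD_LEN:
        return False

    def udp(n, width=1):
        return payload[n - 8:n - 8 + width]

    return udp(71, 4) == udp(75, 4) and udp(78) == udp(79)


def last_nine_identical(payload):
    """The stricter condition the filter is meant to express."""
    return len(payload) == PAYLOAD_LEN and len(set(payload[-9:])) == 1


def bpf_gap_example():
    """Constructed 72-byte payload whose tail 'ababababb' satisfies every
    pairwise comparison in the BPF although the nine bytes differ."""
    return bytes(range(63)) + b"ababababb"


def head_xor_pattern(payload):
    """Observation on these four dumps only: bytes 0-3 XOR byte 0 give
    00 01 01 03 in every sample. Returned so a reader can test it on the
    attached pcap; it is not a claim made in the thread."""
    return bytes(b ^ payload[0] for b in payload[:4])


if __name__ == "__main__":
    for i, p in enumerate(parse_hexdumps(SAMPLE_DUMPS), 1):
        print(f"sample {i}: {len(p)} bytes, bpf={bpf_match(p)}, "
              f"tail_identical={last_nine_identical(p)}, "
              f"head_xor={head_xor_pattern(p).hex()}")
    gap = bpf_gap_example()
    print(f"gap case: bpf={bpf_match(gap)}, tail_identical={last_nine_identical(gap)}")
```

Two things fall out of running it. First, the filter's `len==114` is a frame length, so in a Snort rule the equivalent test is `dsize:72` on the UDP payload, and the `udp[71:4]`-style offsets become payload offsets 63..71, which is what any `byte_test`/`byte_extract` comparison would have to reference. Second, the filter only compares bytes 63..66 with 67..70 and byte 70 with 71, so the constructed `ababababb` tail passes it without being nine identical bytes; a signature that wants the stricter property needs eight pairwise comparisons against byte 63, not two.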