[Emerging-Sigs] Strange UDP Trojan check-in

Adam Brunner adam.brunner at internetidentity.com
Tue Oct 4 14:14:50 EDT 2011


Ah ok, awesome, glad that actually helps you out. The infection vector for
that one was spam posing as the IRS -> Blackhole exploit -> Zeus download.


On 10/4/11 11:12 AM, Martin Holste wrote:
> Yep, dead ringer for my traffic.  It even matches the pattern of the
> larger UDP packets which I did not talk about previously.  This is
> very helpful, because it's got the TCP traffic in there as well which
> we do not have access to.  Actually, I checked and we have hits to the
> 88.172.109.221 address in the pcap back in September, but it's UDP
> instead of TCP.  Do you have the infection vector for your sample?
>
> On Tue, Oct 4, 2011 at 1:01 PM, Adam Brunner
> <adam.brunner at internetidentity.com> wrote:
>> So I just checked out a known Zeus sample that does have the p2p
>> component and it looks like the same thing ... which is strange. I have
>> attached a pcap from that infected machine. It looks like your filter
>> below also matched up on traffic I was seeing.
>>
>>
>> On 10/4/11 10:44 AM, Martin Holste wrote:
>>> Well, the mwanalysis link I sent does show TCP connection attempts as
>>> well, so it does fit in that regard.  What do you mean by "type" of
>>> traffic?  Do the last 9 bytes stay the same?
>>>
>>> On Tue, Oct 4, 2011 at 12:39 PM, Adam Brunner
>>> <adam.brunner at internetidentity.com> wrote:
>>>> Sorry, might have jumped the gun on that one. The same 'type' of traffic
>>>> comes from that bot, but looking at this a bit closer it doesn't seem
>>>> to match, sorry...
>>>>
>>>> On 10/4/11 10:22 AM, Martin Holste wrote:
>>>>> Thanks for the info.  Can you confirm that the TCP attempts go to
>>>>> different hosts than the UDP attempts?  All of the UDP attempts are
>>>>> firewalled, so we should see the TCP connections, but it's tough to
>>>>> locate without something more to go on (this host is NAT'ed so we can
>>>>> just dump all flows).  We've not seen any requests for gameover.php
>>>>> lately, so I am assuming the TCP connections are working.
>>>>>
>>>>> On Tue, Oct 4, 2011 at 12:03 PM, Adam Brunner
>>>>> <adam.brunner at internetidentity.com> wrote:
>>>>>> Hi, first time posting here. This is a new variant of Zeus that actually
>>>>>> has a p2p component. It also has a DGA algorithm as well in case any of
>>>>>> those addresses below (peers) don't respond. It will reach out to
>>>>>> peers on random UDP ports as you have stated; it will also reach out to
>>>>>> random nodes on TCP ports and finally reach out to a domain-based C2,
>>>>>> usually requesting a gameover.php or gameover2.php.
>>>>>>
>>>>>>
>>>>>> On 10/4/11 9:55 AM, Martin Holste wrote:
>>>>>>> Here are the check-in IP addresses, which are probably bots.  One
>>>>>>> address was observed sending spam and phishing emails, which the
>>>>>>> customer has told us was the infection vector (Trojan in email).
>>>>>>> James, if you could add these to the RBN list that would be great:
>>>>>>>
>>>>>>> On Tue, Oct 4, 2011 at 11:16 AM, Martin Holste <mcholste at gmail.com> wrote:
>>>>>>>> We stumbled on a fairly strange Trojan
>>>>>>>> (http://mwanalysis.org/?page=report&analysisid=459552&password=sdlnrdqkxc)
>>>>>>>> that's served up by a run-of-the-mill Blackhole exploit server that
>>>>>>>> has a fairly unique C2 mechanism.  Here are some example payloads
>>>>>>>> which go to random UDP ports but are always 114 bytes in total packet
>>>>>>>> length:
>>>>>>>>
>>>>>>>> 0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec  jkki.R.......md.
>>>>>>>> 0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a  .g.j.....Ef.t7..
>>>>>>>> 0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63  ....i..;?...p]6c
>>>>>>>> 0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e  ._.;....L~.).d.n
>>>>>>>> 0040   6e 6e 6e 6e 6e 6e 6e 6e                          nnnnnnnn
>>>>>>>>
>>>>>>>> 0000   24 25 25 27 5c 66 11 4b 49 a5 c1 b3 a1 22 03 c2  $%%'\f.KI...."..
>>>>>>>> 0010   37 20 b1 44 3f 6d 0b 2b 0e 40 09 b7 d5 50 5d 80  7 .D?m.+.@...P].
>>>>>>>> 0020   44 36 14 f6 3f af 5b 76 f6 2b 87 75 df f2 99 cc  D6..?.[v.+.u....
>>>>>>>> 0030   a4 f0 5f 94 03 ba 40 b8 e3 d1 3c 86 a3 cb 59 c1  .._...@...<...Y.
>>>>>>>> 0040   c1 c1 c1 c1 c1 c1 c1 c1                          ........
>>>>>>>>
>>>>>>>> 0000   f3 f2 f2 f0 2e ca d2 d7 c8 5a 48 13 0a b3 d2 5b  .........ZH....[
>>>>>>>> 0010   a8 30 72 00 2f 31 41 e9 2a 76 55 ba 47 04 ed a9  .0r./1A.*vU.G...
>>>>>>>> 0020   92 b4 81 ce 5a a6 31 08 0c 9d a8 e9 7a 02 40 57  ....Z.1.....z.@W
>>>>>>>> 0030   6e ee df c4 d7 f7 58 cc 90 6c 4e 4f 76 6d a3 0d  n.....X..lNOvm..
>>>>>>>> 0040   0d 0d 0d 0d 0d 0d 0d 0d                          ........
>>>>>>>>
>>>>>>>> 0000   ca cb cb c9 3b 9d 02 87 aa 8f 59 a0 99 bc a3 d0  ....;.....Y.....
>>>>>>>> 0010   38 32 46 bf c8 41 24 9c 5f 03 20 cf 32 71 98 dc  82F..A$._. .2q..
>>>>>>>> 0020   e7 c1 f4 bb 2f d3 44 7d 79 e8 dd 9c 23 60 89 0b  ..../.D}y...#`..
>>>>>>>> 0030   b9 64 bf 61 0c 56 37 82 87 6d b9 63 98 04 b0 d5  .d.a.V7..m.c....
>>>>>>>> 0040   d5 d5 d5 d5 d5 d5 d5 d5                          ........
>>>>>>>>
>>>>>>>> You can catch these with a simple BPF like this:
>>>>>>>> udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
>>>>>>>> which will find UDP packets of length 114 in which the last nine bytes
>>>>>>>> are identical.
>>>>>>>>
>>>>>>>> Has anyone seen this?  It almost feels like P2P, but I don't think it
>>>>>>>> is, and it is definitely malicious.  VirusTotal had only three hits
>>>>>>>> and the best guess was Kryptik.  Any idea how to create a signature from
>>>>>>>> that BPF?  I'm not too good with byte_test.
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Emerging-sigs mailing list
>>>>>>> Emerging-sigs at emergingthreats.net
>>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>>
>>>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

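A check equivalent to the BPF in Martin's original post, run on the first hex dump quoted there, beside the stricter "last nine bytes identical" test the post describes in words. This is an added example, not code from the list or from either poster; the dummy UDP header, the constant names and the two constructed payloads are assumptions for illustration.

```python
# Added example: mirrors the thread's BPF for the 114-byte UDP check-ins on a
# UDP payload, beside the stricter "last nine bytes identical" test.

# First hex dump quoted in the thread, ASCII column dropped.
SAMPLE_DUMP = """
0000   6a 6b 6b 69 ef 52 d3 a8 03 d9 f1 f7 af 6d 64 ec
0010   c8 67 d4 6a a7 93 83 da 19 45 66 89 74 37 de 9a
0020   a1 87 b2 fd 69 95 02 3b 3f ae 9b da 70 5d 36 63
0030   0b 5f f0 3b ac 15 ef 17 4c 7e 93 29 0c 64 f6 6e
0040   6e 6e 6e 6e 6e 6e 6e 6e
"""

# 114-byte frame = 14 Ethernet + 20 IPv4 + 8 UDP header + 72 payload bytes.
UDP_HDR = 8
PAYLOAD_LEN = 72

def parse_dump(text: str) -> bytes:
    """Turn 'offset  xx xx ...' lines into raw bytes (first token is the offset)."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))
    return bytes(out)

def bpf_matches(payload: bytes) -> bool:
    """Exact equivalent of
    udp and len==114 and udp[71:4]==udp[75:4] and udp[78:1]==udp[79:1]
    BPF udp[] offsets count from the UDP header, so a dummy header is prepended."""
    if len(payload) != PAYLOAD_LEN:
        return False
    udp = bytes(UDP_HDR) + payload
    return udp[71:75] == udp[75:79] and udp[78] == udp[79]

def last_nine_identical(payload: bytes) -> bool:
    """What the post says in words: the last nine payload bytes are all equal.
    The BPF only needs bytes 63-66 == 67-70 and 70 == 71, so a repeating
    4-byte tail also passes it; eight single-byte compares would be needed
    to make the BPF exact."""
    return len(payload) == PAYLOAD_LEN and len(set(payload[-9:])) == 1

SAMPLE = parse_dump(SAMPLE_DUMP)
# Constructed (not from the thread): passes the BPF but not the strict check.
LOOSE = bytes(63) + b"abcdabcdd"
# Constructed (not from the thread): same length, no repeating tail.
NOISE = bytes(range(72))

if __name__ == "__main__":
    for name, p in (("sample", SAMPLE), ("loose", LOOSE), ("noise", NOISE)):
        print(f"{name}: bpf={bpf_matches(p)} strict={last_nine_identical(p)}")
```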
