EstDomains & Intercage: A Perfect Couple in Crime

If you track malware issues as readily as I do, you're likely aware of the failings of clownpacks like EstDomains and their hosting buddies Atrivo/Intercage. You need only follow Sunbelt's take on the topic, or search Emergingthreats to come up to speed.
Yesterday, EstDomains posted the most inept, ridiculous response ever issued to the endless and worthy criticism, largely leveled by Brian Krebs at the Washington Post.
Not only can't these morons from EstDomains write, they're either so deeply clueless or flagrantly malicious (likely both), it's beyond laughable. This section sums it up best:
"The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance."
What? Really?
Again, aside from the absolute butchery of the language, did they just say "The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality."? SIGH...yes, they did.

Allow me to exemplify just how ridiculous a claim that is.
Following is content from a packet capture I took during a recent Storm worm analysis.

Using the ip2asn module included in NSM-console availabe in HeX, we find:
27595 | 216.255.189.211 | INTERCAGE - InterCage, Inc.

Using Etherape, also included in HeX, we see:



Using Eric Hjelmvik's NetworkMiner, we see:



See the recurring theme? Intercage, EstDomain's "reliable ally in its battle against malware".
Nice work, guys...keep it up.

I'm submitting this to The Daily WTF as we speak.

del.icio.us | digg

Visualized Storm fireworks for your 4th of July

As expected, the Storm botnet maestros have queued up some pwnage for your 4th of July.
See the SANS diary for all the details.
Upon receipt of my first fireworks.exe sample this evening, I went through the standard routine and ran it through the analysis mill. Like the ISC said, not much new here, but if you'd like the nitty-gritty, I've put the analysis report here, the peers config list here, and the pcap here.
However, what I was really inspired to do this evening was visualize the pcap with Raffael Marty's AfterGlow. His new book, Applied Security Visualization, is coming out next month, so we can turn old Storm news into a celebration of the 4th and the pending release of Applied Security Visualization. By the way, Raffael's visualization workshop slides from the 20th Annual FIRST Conference in Vancouver, B.C. last week are here, and mine regarding Malcode Analysis for Incident Handlers are here.
So, a little AfterGlow magic,
tcpdump -vttttnnelr /home/rmcree/pcap/fireworks.pcap | ./tcpdump2csv.pl "sip dip ttl" | perl ../graph/afterglow.pl -c /home/rmcree/afterglow/src/perl/graph/color.properties -p 2 | neato -Tgif -o fireworks.gif, and the results look just like the fireworks we hoped they would.
Happy 4th of July everyone!
Except you Storm a$$hat$. ;-)



del.icio.us | digg

Beware the Zangobot!

While this news is likely speculative and unfounded, it has ramifications I couldn't resist. My good friend Steve and I have, for the last couple of years, jokingly inferred that Zango must have some form of bot, be it a crawler or IRC/P2P. Now this was stated entirely in jest, mind you, but I have to throw the phrase open now that to a story from Trendmicro claiming Zango and Storm: Possibly in Cahoots.

How could I pass? This is indeed the prospect of a Zangobot!

From Trend's post: "The presence of these clues means either of two possibilities. One, that Storm is now targeting computers that have Zango adware installed in them, or two, that Storm has now been commissioned to deploy Zango adware. Zango (also ePIPO, 180solutions, HotBar) is an adware company notorious for planting software that runs on startup, displays advertisements, and comes bundled with other software."

Alex Eckelberry rightfully puts a cautionary spin on the story in his post on the Sunbelt blog:
"After years of tracking Zango/180, etc., we have a really hard time believing that Zango would knowingly work with distributors of Storm. While there’s no love between us, they're not complete idiots, and they know that if they got caught they'd be in serious trouble with the FTC."

Nonetheless, let the speculation and research begin.
BEWARE THE ZANGOBOT!

I hereby declare a contest! We need a Zangobot graphic. Get your creative juices flowing and send your Zangobot character/avatar/image to me at holisticinfosec at gmail dot com.
The winner receives mention here, an information security book of my choosing, and a Daily WTF sticker.

del.icio.us | digg

Storm keeps coming (4th variant)

They just keep coming...this one is very similar to the 3rd variant we reviewed, but some changes are apparent.
1) Hash: 1f362ad74d62262bff6bcb1d078cbf7d
2) Aside from yet again changing the domain and binary, the hidden files written upon execution are as follows:

Helios Rootkit Detector
Scanning File System For Hidden Files

[*] Scanning Drive C
1 C:\WINDOWS\system32\bldy.config Hidden From API
2 C:\WINDOWS\system32\bldy3a80-61.sys Hidden From API
Execute Duration (in seconds)=18

Loaded Drivers:
Driver File Company Name Description
C:\WINDOWS\System32\bldy3a80-61.sys

Kernel31 Api Log
***** Installing Hooks *****
4012d8 CreateFileA(C:\WINDOWS\System32\bldy.config)
40117f CreateFileA(C:\WINDOWS\System32\bldy3a80-61.sys)

DirwatchData
WatchDir Initilized OK
Watching C:\WINDOWS
Created: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32
Created: C:\WINDOWS\system32\bldy3a80-61.sys
Modifed: C:\WINDOWS\system32\bldy3a80-61.sys

Better AV coverage again:

AntiVir - TR/Crypt.XDR.Gen
Authentium - W32/Dropper.gen6
Avast - Win32:Zhelatin-ASX
AVG - Dropper.Generic.TLX
BitDefender - Trojan.Peed.IRG
ClamAV - Trojan.Peed-66
DrWeb - Trojan.Spambot.2386
Fortinet - W32/Tibs.G@mm
F-Prot - W32/Dropper.gen6
F-Secure - Email-Worm.Win32.Zhelatin.pr
Kaspersky - Email-Worm.Win32.Zhelatin.pr
NOD32v2 - Win32/Nuwar.BA
Panda - Suspicious file
Prevx1 - Stormy:Worm-All Variants
Sophos - Mal/Dorf-H
Symantec - Trojan.Peacomm
VirusBuster - Trojan.DR.Zhelatin.AS
Webwasher-Gateway - Trojan.Crypt.XDR.Gen

Aside from the inherent value of keeping an eye on the ISC Diary, please refer to the US-CERT alert.
They'll keep coming, we'll keep watching.

Holiday Storm Part 3

I know, I know...enough already. But our Storm friends have changed the game a bit for the third round, as discussed on the ISC Diary, in particular Update 3. The changed domain and binary name led me to ponder what else has changed. So...
1) New hash: BE22F894AC662C905C37CEFDE66DE065
2) Better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?). No more hanging out in the open, easily seen.
The Helios Rootkit Detector, now included in RAPIER, discovered darker voodoo than the last two versions:

Scanning File System For Hidden Files
[*] Scanning Drive C
1 C:\WINDOWS\system32\cleanmgr.exe Hidden From API
2 C:\WINDOWS\system32\clean.config Hidden From API
3 C:\WINDOWS\system32\clean6c9-3320.sys Hidden From API
4 C:\WINDOWS\system32\dllcache\cleanmgr.exe Hidden From API

SysAnalyzer says:

Loaded Drivers:
Driver File Company Name Description
C:\WINDOWS\System32\clean6c9-3320.sys

Kernel31 Api Log
***** Installing Hooks *****
4012c1 CreateFileA(C:\WINDOWS\System32\clean.config)
40117f CreateFileA(C:\WINDOWS\System32\clean6c9-3320.sys)

DirwatchData
WatchDir Initilized OK
Watching C:\WINDOWS
Created: C:\WINDOWS\system32\clean.config
Modifed: C:\WINDOWS\system32\clean.config
Modifed: C:\WINDOWS\system32\config\system.LOG
Modifed: C:\WINDOWS\system32
Created: C:\WINDOWS\system32\clean6c9-3320.sys
Modifed: C:\WINDOWS\system32\clean6c9-3320.sys

3) AV coverage is further improved for this version:

AntiVir 7.6.0.46 - TR/Rootkit.Gen
Authentium - W32/StormWorm.R
Avast - Win32:Zhelatin-ASX
AVG - Dropper.Generic.TLF
BitDefender - DeepScan:Generic.Malware.FMH@mmign.55A134E9
ClamAV - Trojan.Zhelatin
DrWeb - Trojan.Spambot.2387
Fortinet - W32/Tibs.G@mm
F-Prot - W32/StormWorm.R
F-Secure - Email-Worm.Win32.Zhelatin.pl
Ikarus - Virus.Win32.Zhelatin.ASX
Kaspersky - Email-Worm.Win32.Zhelatin.pl
Microsoft - Backdoor:WinNT/Nuwar.B!sys
NOD32v2 - Win32/Fuclip.AW
Panda - Suspicious file
Prevx1 - Stormy:Worm-All Variants
Sophos - Mal/Dorf-H
Webwasher-Gateway - Trojan.Rootkit.Gen

How perfectly unpleasant, making things more difficult to spot. Here's my New Years wish for the Storm lamers. Bugger off (kept pleasant for the kids).

Malware analysis tools

I've been asked to share the tools I use for malware analysis, in particular API details.
The Malcode Analysis Software Tools from iDefense Labs are extremely useful. toolsmith featured the suite in the July 2007 column.
API-Logger can be used as a standalone tool or you can run the .exe through SysAnalyzer which includes API-Logger output.
Other important pieces in my sandbox included VMWare Server (Linux host, Windows VMs), PE Explorer, RAPIER 3.2, Wireshark, Mandiant Red Curtain (MRC), and the Systinternals tools.
Check the toolsmith page for articles on Wireshark, MRC, and RAPIER use as well.
Required reading from the "The Godfather of RE", Lenny Zeltser, includes his Reverse Engineering Malware paper.

New Years Storm deja vu

Not content to settle for all the new bot's they got for Christmas, the RBN would like to wish you a Happy New Year as well with hxxp://uhavepostcard.com/happy2008.exe.
New hash, 5bb3606d36019142507043f30401c5d2, same malware as that we received when we fell for the Christmas strip show they offered us ;-).
Again, it copies itself to C:\WINDOWS as disnisa.exe, writes the same registry keys and config file, and follows the same network attributes as mentioned in previous post, but better AV coverage now that this variant's been around for a few days:

AntiVir - Worm/Zhelatin.ob
Authentium - W32/StormWorm.P
BitDefender - Trojan.Peed.IRE
CAT-QuickHeal - (Suspicious) - DNAScan
DrWeb - Trojan.Packed.263
eSafe - Suspicious File
eTrust-Vet - Win32/Sintun.AT
F-Prot - W32/StormWorm.P
F-Secure - Packed.Win32.Tibs.gu
Kaspersky - Packed.Win32.Tibs.gu
Microsoft - Trojan:Win32/Tibs.gen!ldr
Prevx1 - Stormy:Worm-All Variants
Symantec - Trojan.Peacomm.D
Webwasher-Gateway - Worm.Zhelatin.ob

I was further intrigued by the name they chose for the .exe, in particular, disnisa. Appears it was or is the name of a wine and spirits import company in Nicaragua, importers of Heineken, Chivas Reagal, Cuervo, Concha y Toro, and Moet & Chandon. Is there correlation given the time of year? Who knows.
Happy New Years from disnisa. Drink the product (responsibly), but don't open the ecard. ;-)

Storm-Bot stripshow analysis

Merry Christmas from the RBN. Now on a PC near you, a stripshow from Santa's helpers. Or not.
The ISC reported the expected Storm surge Christmas eve at 0000 GMT.
hxxp://merrychristmas.com/stripshow.exe (modified to protect the innocent) yields a hash of 2BBA62FBC3B9AF85C3C7D64A82E1237C. Once executed it immediately copies itself as disnisa.exe to C:\WINDOWS and adds a startup registry key for the same.

Current AV detection includes:
Kaspersky stripshow.exe - Email-Worm.Win32.Zhelatin.pd.
eTrust-Vet - Win32/Sintun.AT
Microsoft - Trojan:Win32/Tibs.gen!ldr
Symantec - Trojan.Peacomm.D

After a quick time check to Microsoft's time server, this variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to merrychristmasdude.com, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can achieve such lockdown, even though your hosts may suffer infection, they won't be communicating with their friends and neighbors.
From API analysis we see a few interesting tidbits:

w32tm /config /update
403014 Copy(c:\malware\stripshow.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
402ba8 WinExec(w32tm /config /update,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()
40da1b bind(8c, port=26790)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)

Nice, do a little time sync, allow ourselves through the firewall, then bind, listen, and wait.
First, add another registry entry,

0cd2d RegCreateKeyExA (HKLM\Software\Microsoft\Windows\ITStorage\Finders,)

then start connecting:

71a54cee LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
77e7ac53 CreateRemoteThread(h=ffffffff, start=71a519c4)
40d9f1 connect( 193.33.146.178:24714 )
40d9f1 connect( 74.60.173.98:3887 )
40d9f1 connect( 58.74.135.13:30843 )
40d9f1 connect( 222.119.113.135:22295 )
40d9f1 connect( 71.234.220.147:20232 )
40d9f1 connect( 76.84.231.43:14172 )
40d9f1 connect( 124.5.147.194:16544 )
40d9f1 connect( 58.8.236.130:13224 )
40d9f1 connect( 190.79.151.75:2952 )
40d9f1 connect( 58.8.122.191:29646 )

Once this little bugger hits the network, expect flood-like traffic.
My infected sandbox victim exhausted my 1.5mb DSL connection instantly, in part from a ton of inbound responses from peers being logged at my firewall:

SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=59178 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=60978 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=4987 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=6619 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=13762 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=18384 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=19891 PROTO=UDP SPT=24045 DPT=26790 LEN=33

At last, the peer list referred to by the ISC, written to C:\WINDOWS (many more entries not included):

[config]
[local]
uport=20142
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCE03EE2BD100
0100A634122F3553A046EC451061927C=0CCEEF9C5BF700
02007E238D780D25FD5511285E2E596E=0CD9D73081A500
03001E62DC533E7AF6161729A953891B=180BB9671B4800
0400EB5EC13599373A3D544A2D6AF94F=180FAC024F7300
05004710B3440F5D2117CE555A62D04A=1810D0AE22DA00
06001471521206296D099433C93EC427=1813911C2E6100
07002D6D5B0FE3019C56B1290A564E59=1820B08043D700
0800A2417153943DC23C6C5C817C4159=18257B254F2600


There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes.
User awareness, as always, is your strongest defense.
Cheers and happy holidays, except for you RBN a$$h0735.