Archive for May 2010

Sasfis went to fast-flux, Really??

From the Sasfis tracker results, the IP address of the Sasfis C&C servers changes every 2-3 minutes.

Hence, my first thought was that Sasfis had gone to fast-flux. But then I checked the server responses from the different IP addresses behind the same domain name.
I found that NOT all of them give the right command; some of them are even dead already. For example, one of its server domains has 148 different IP addresses, but only 4 of them give the right command to the bot.

Another thing is that Sasfis removed "delay" and "upd" from the command message. delay is the waiting time before the next connection to the C&C server; upd indicates whether an update needs to be done. By doing this, Sasfis abandons the update function. Simply put, it seems Sasfis will abandon the botnet it has already established and just treat every single computer as a new one, rather than try to update them. Probably the author(s) found out that the backurl and main server could be blocked after Sasfis compromised the machine, so it is impossible to update through the URL/BackURL in the init command. Before, the domain name did not change frequently and stuck to a 1-1 mapping (1 domain name – 1 IP). Moreover, there were only 1-2 backurls; now the backurls have increased to 6-8. So the domain name would be the main target of some protection systems. Maybe after it went to fast-flux, its domain name is changed every time it is spread with the help of Cutwail, but the mapped IPs stay the same.

From the above, I draw 2 possible conclusions:

1. Sasfis is at the stage of implementing double-flux, but has not finished yet.

*2. If the non-responding ones are not actual Sasfis C&C server IPs (some of them were used by Bredolab and Zbot before), then Sasfis is trying to hide the true C&C server IPs among those decoy IPs.

In either of these 2 cases, the critical drawback of Sasfis is still there: its HTTP request is still patternable. Hence, we don't need to worry about the fast-flux stuff until it changes its protocol.

The Sasfis tracker can deal with this situation: it logs all the IPs which Sasfis tried to use, every positive response from the server, and that server's IP.

http://sasfis.re-malware.com/sasfis_tracker/
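The check the two paragraphs above describe (many IPs behind one name, only a few of them actually serving commands, correlated with how fast the IP flips) can be written down in a few lines. This is an added example, not the tracker's own code: the domains, IPs, timestamps and probe outcomes are constructed, and the two thresholds (600 seconds between IP changes, half or fewer responsive IPs) are my own choices, not values from the post.

```python
"""
Correlate a C&C domain's resolved IPs with probe results, in the spirit of what
the post says the tracker logs. Added example; all data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed resolution log: (time the domain was resolved, domain, IP returned).
# Domains are placeholders and IPs come from the RFC 5737 documentation ranges.
RESOLUTIONS = [
    ("2010-05-20 10:00:00", "cc.example", "192.0.2.10"),
    ("2010-05-20 10:02:30", "cc.example", "192.0.2.11"),
    ("2010-05-20 10:05:00", "cc.example", "198.51.100.5"),
    ("2010-05-20 10:07:30", "cc.example", "203.0.113.7"),
    ("2010-05-20 10:10:00", "cc.example", "192.0.2.10"),
    ("2010-05-20 10:12:30", "cc.example", "203.0.113.8"),
    ("2010-05-20 10:00:00", "static.example", "198.51.100.20"),
    ("2010-05-20 11:00:00", "static.example", "198.51.100.20"),
]

# Constructed probe results: True if a bot-style request to that IP came back
# with a well-formed command, False if the host was dead or answered with junk.
PROBES = {
    "192.0.2.10": True,
    "192.0.2.11": False,
    "198.51.100.5": False,
    "203.0.113.7": False,
    "203.0.113.8": True,
    "198.51.100.20": True,
}

FAST_FLIP_SECONDS = 600   # assumed threshold: IP changing faster than every 10 minutes
DECOY_RATIO = 0.5         # assumed threshold: half or fewer of the IPs actually serve commands

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def classify(n_ips, n_responsive, flips):
    """Map (distinct IPs, responsive IPs, seconds between IP changes) to a verdict."""
    if n_ips <= 1:
        return "static"
    if not flips or median(flips) >= FAST_FLIP_SECONDS:
        return "multi-ip"          # several IPs, but rotating slowly: round-robin, migration, ...
    if n_responsive == 0:
        return "fast-flux, no live C&C found"
    if n_responsive / n_ips <= DECOY_RATIO:
        return "fast-flux with decoy IPs"   # the 148-vs-4 situation from the post
    return "fast-flux"

def summarize(resolutions, probes):
    """Per domain: distinct IPs, which of them answered properly, and how fast the IP flips."""
    by_domain = defaultdict(list)
    for ts, domain, ip in resolutions:
        by_domain[domain].append((_ts(ts), ip))
    report = {}
    for domain, rows in by_domain.items():
        rows.sort()
        ips = {ip for _, ip in rows}
        # gap in seconds between consecutive lookups whose answers differ
        flips = [(t2 - t1).total_seconds()
                 for (t1, ip1), (t2, ip2) in zip(rows, rows[1:]) if ip1 != ip2]
        responsive = sorted(ip for ip in ips if probes.get(ip, False))
        report[domain] = {
            "distinct_ips": len(ips),
            "responsive_ips": responsive,
            "median_flip_seconds": median(flips) if flips else None,
            "verdict": classify(len(ips), len(responsive), flips),
        }
    return report

if __name__ == "__main__":
    for domain, info in summarize(RESOLUTIONS, PROBES).items():
        print(domain, info)
```

The verdict deliberately separates "the name resolves to many addresses" from "those addresses answer like a C&C server"; only the probe results tell the two conclusions above apart, which is why the tracker has to record positive responses per IP rather than just resolutions.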

Sasfis tracker is working!

The Sasfis tracker is working fine. I also added the "offline time" to show when a URL goes offline, and added "BackURL" checking. Following are the new tracker results.

Entry Date URL IP Download File MD5 Last Check File Status Offline Time
2010-05-18 15:30:00 http://www.selcukduracik.com/resimler/kunfu.exe 89.149.202.142 0f986dbbac176366018cdaac4c8b6d04 2010-05-20 15:52:41 Offline 2010-05-20 15:52:41
2010-05-18 15:30:04 http://www.selcukduracik.com/resimler/mario.exe 89.149.202.142 e8228908cd5ed58cd73b2111864ff82a 2010-05-20 15:52:42 Offline 2010-05-20 15:52:42
2010-05-18 15:31:07 http://www.selcukduracik.com/resimler/sistem.exe 89.149.202.142 dcb7500a520f28ff2a74cef9a9c2a2b5 2010-05-20 15:52:42 Offline 2010-05-20 15:52:42
2010-05-19 03:46:16 http://www.selcukduracik.com/resimler/mario.exe 89.149.202.142 958255dafa1e481e78a2d98f851004b7 2010-05-20 15:52:42 Offline 2010-05-20 15:52:42
2010-05-19 04:50:22 http://www.selcukduracik.com/resimler/kunfu.exe 89.149.202.142 356c0437a5e7ff53c3f1eabf83e10286 2010-05-20 15:52:41 Offline 2010-05-20 15:52:41
2010-05-19 04:51:55 http://www.selcukduracik.com/resimler/sistem.exe 89.149.202.142 356c0437a5e7ff53c3f1eabf83e10286 2010-05-20 15:52:42 Offline 2010-05-20 15:52:42
2010-05-19 04:52:26 http://www.selcukduracik.com/resimler/mario.exe 89.149.202.142 356c0437a5e7ff53c3f1eabf83e10286 2010-05-20 15:52:42 Offline 2010-05-20 15:52:42
2010-05-19 07:30:21 http://www.selcukduracik.com/resimler/mario.exe 89.149.202.142 a2c8559fcf1885a8277a8cb48dcbbd93 2010-05-20 15:52:42 Offline 2010-05-20 15:52:42
2010-05-19 07:31:13 http://www.selcukduracik.com/resimler/kunfu.exe 89.149.202.142 a2c8559fcf1885a8277a8cb48dcbbd93 2010-05-20 15:52:41 Offline 2010-05-20 15:52:41
2010-05-19 07:32:05 http://www.selcukduracik.com/resimler/sistem.exe 89.149.202.142 a2c8559fcf1885a8277a8cb48dcbbd93 2010-05-20 15:52:42 Offline 2010-05-20 15:52:42
2010-05-20 12:47:09 http://alananlaw.com/images/loader.exe 174.120.229.67 5343c1a8b203c162a3bf3870d9f50fd4 2010-05-20 22:01:34 Online N/A
2010-05-20 12:47:13 http://akocakkoyu.com/images/loader.exe 212.98.234.210 48a793a2180b3841c18db03fd899b476 2010-05-20 22:01:35 Online N/A
2010-05-20 12:47:37 http://alananlaw.com/images/bot.exe 174.120.229.67 5343c1a8b203c162a3bf3870d9f50fd4 2010-05-20 22:01:36 Online N/A
2010-05-20 12:47:43 http://akocakkoyu.com/images/bot.exe 212.98.234.210 9579cc953b402bb908f7fe51075c3243 2010-05-20 22:01:41 Online N/A
2010-05-20 12:48:54 http://akocakkoyu.com/images/dogma.exe 212.98.234.210 ba3c30fa4a4f0798d9b63d45184ad758 2010-05-20 22:01:45 Online N/A
2010-05-20 12:48:55 http://alananlaw.com/images/dogma.exe 174.120.229.67 5343c1a8b203c162a3bf3870d9f50fd4 2010-05-20 22:01:45 Online N/A
2010-05-20 15:01:27 http://alananlaw.com/images/loader.exe 174.120.229.67 48a793a2180b3841c18db03fd899b476 2010-05-20 22:01:34 Online N/A
2010-05-20 15:03:43 http://alananlaw.com/images/bot.exe 174.120.229.67 9579cc953b402bb908f7fe51075c3243 2010-05-20 22:01:36 Online N/A
2010-05-20 15:05:01 http://alananlaw.com/images/dogma.exe 174.120.229.67 c1b190a38099488727b917dccf0000f0 2010-05-20 22:01:45 Online N/A

Continue reading ‘Sasfis tracker is working!’ »

Sasfis Tracker is online

As I promised, the Sasfis tracker is online now.

Date URL IP MD5 Server Status
2010-05-18 15:30:00 http://www.selcukduracik.com/resimler/kunfu.exe 89.149.202.142 0f986dbbac176366018cdaac4c8b6d04 Offline
2010-05-18 15:30:04 http://www.selcukduracik.com/resimler/mario.exe 89.149.202.142 e8228908cd5ed58cd73b2111864ff82a Offline
2010-05-18 15:31:07 http://www.selcukduracik.com/resimler/sistem.exe 89.149.202.142 dcb7500a520f28ff2a74cef9a9c2a2b5 Offline
2010-05-19 03:46:16 http://www.selcukduracik.com/resimler/mario.exe 89.149.202.142 958255dafa1e481e78a2d98f851004b7 Offline
2010-05-19 04:50:22 http://www.selcukduracik.com/resimler/kunfu.exe 89.149.202.142 356c0437a5e7ff53c3f1eabf83e10286 Offline
2010-05-19 07:30:21 http://www.selcukduracik.com/resimler/mario.exe 89.149.202.142 a2c8559fcf1885a8277a8cb48dcbbd93 Offline

The info is only the basic stuff, but it is enough to track this downloader.

Why did I miss the samples before?

With the help of this tracker, I finally figured out why I always missed the samples. I checked the timeline from when the link first came alive to when it died. Actually, the sample is only alive for around 10 hours. After that, the author(s) point a new A record to the C&C server and the URL in the command also changes to another domain name. I need to wait until they do this. Probably, I need to wait for Sasfis's old friend Pushdo/Cutwail to seed Sasfis.

Continue reading ‘Sasfis Tracker is online’ »

Sasfis is dying?

Sasfis is simply just another downloader. It normally downloads FakeAV and Pushdo (2nd gen, 3rd gen, 3.5 gen). Before, it was really active and caused us lots of trouble, not only because of its packer-like loader (anti-emu tricks), but also because we're more like FakeAV. :P

It leads me to think, "where does it come from?"

Continue reading ‘Sasfis is dying?’ »

Pushdo/Cutwail/Webwail Botnet Changing II

The new version of Pushdo (magadan) introduced the new version of Gootkit, Gootkit 1.2, named "GoogleBot".
I personally think the "Gumblar attack" should be related to the Pushdo gang. Any ideas?

Functions:

Continue reading ‘Pushdo/Cutwail/Webwail Botnet Changing II’ »

Pushdo/Cutwail/Webwail Botnet Changing I

After I gave a presentation about the Pushdo/Cutwail/Webwail botnet at BlackHat EU 2010, they started changing from 2010-05-10.

Changes:

1. Project name
"revolution6" to "magadan".
"Protect" to "OuterDrv"; the error handling routine changed a little bit.
f:\programs\magadan\rkinstall\objfre_wxp_x86\i386\RkInstall.pdb
f:\programs\magadan\outerdrv\objfre_wxp_x86\i386\OuterDrv.pdb
f:\programs\magadan\innerdrv\objfre_wxp_x86\i386\InnerDrv.pdb
f:\programs\magadan\loader\objfre_wxp_x86\i386\PreLoader.pdb(thanks to steve)
f:\programs\magadan\loader\objfre_wxp_x86\i386\Loader.pdb

2. “Drop file” decryption algorithm changed.
Before: xor and swap by dword.
Now: xor, add, sub by byte.

3. Loader
(1). ldrver changed from 0x37 to 0x64.
(2). Gets the Product ID from 2 registry keys; before it was only one.
(3). Hard-coded server IP count changed from 9 to 6.

Actually, those modifications do not change the 3rd-generation Pushdo totally, especially on the communication protocol and encryption aspects. Hence, I prefer to call it the 3.5th-generation Pushdo.

Storm2 and Katusha(Not Sure) Monitor Tool

Following are some outputs from the botnet monitor scripts. They are just some simple Perl scripts.

If you don't know what those botnets are, please read the following blogs.

Storm 2.0, New or Old? and  “what is its name” or katusha/codepack?

Storm 2:

root@ubuntu:~/sc# perl storm2.pl

[Storm 2 Bot Simulator 1.0]

Usage storm2.pl [req]
Example: perl storm2.pl 1

Req:
Req = 1 => Bot(1) send basic info to request the server ip
Req = 2 => Bot(2) send update request
Req = 3 => Bot(6) send DDOS request to retrieve the ddos ip addr
Req = 4 => Bot(3) send spam request to retrieve spam template and links
Req = 5 => Bot(3) send update template request to retrieve the new template and links(Not 100% Sure)

Continue reading ‘Storm2 and Katusha(Not Sure) Monitor Tool’ »

“what is its name” or katusha/codecpack?

After unpacking this sample, all the API names and useful strings are encrypted with RC4.

The bot request and server response are base64-encoded and RC4-encrypted.
*The real malicious executable file is embedded in a GIF file.

Continue reading ‘“what is its name” or katusha/codecpack?’ »

New Botnet Is Activated II

Almost one month later, the new botnet (which I'm still not sure of the name of) is widely spread with the help of Sasfis.

It is usually named setup.exe in the "setting for you xxx are changed" spam email, or loader_0x..exe as the email attachment.

Please be sure NOT to open those attachments.

Yahoo Messenger Worm

Recently, I came across a worm which sends a malicious link via Yahoo Messenger.

Command Example:

:get.lost 332 NEW-[CHN|00|P|49925] #imb :.msn.stop|.msn.msg foto :D http://space4foto.com/image.php?=
:get.lost 333 NEW-[CHN|00|P|49925] #imb wd98 1272908965
The interesting thing is that it uses an IRC channel, which is rarely seen in modern botnets. I'm not familiar with IRC stuff, so I have no idea what the advantages are of using IRC.
The true innovation is the first-layer loader: it customizes the true payload, which behaves differently depending on different hard-coded parameters, turning the binary into poly-behavior malware. I first saw this feature in the Sasfis loader, which uses different anti-debug/emu tricks depending on different hard-coded parameters. The common thing between them is that they don't have any packers.
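The two IRC lines quoted above are server replies, and a defender logging this traffic mostly wants the channel, the command string and any URL out of them. The following is an added example, not code from the post: it parses the quoted lines with the RFC 2812 message layout, treats numeric 332 as RPL_TOPIC and 333 as the common RPL_TOPICWHOTIME extension (which suggests the command is carried in the channel topic; that reading is my inference, not something the post states), and assumes a `<state>-[<country>|...|<id>]` layout for the bot's nick. The third input line is constructed to show a reply the extractor ignores.

```python
"""
Pull channel, topic-borne commands, URLs and topic timestamp out of the IRC
server replies quoted in the post. Added example; numeric meanings per
RFC 2812 (332) and common server practice (333); nick layout is an assumption.
"""
import re
from datetime import datetime, timezone

# First two lines are the ones quoted in the post; the third is constructed (366 = RPL_ENDOFNAMES).
LINES = [
    ":get.lost 332 NEW-[CHN|00|P|49925] #imb :.msn.stop|.msn.msg foto :D http://space4foto.com/image.php?=",
    ":get.lost 333 NEW-[CHN|00|P|49925] #imb wd98 1272908965",
    ":get.lost 366 NEW-[CHN|00|P|49925] #imb :End of /NAMES list.",
]

URL_RE = re.compile(r"https?://\S+")

def parse_irc(line):
    """Split one server-to-client IRC line into prefix, command/numeric, params and trailing text."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    if " :" in line:                      # trailing parameter may contain spaces
        head, trailing = line.split(" :", 1)
    else:
        head, trailing = line, None
    params = head.split()
    return {"prefix": prefix, "command": params[0], "params": params[1:], "trailing": trailing}

def decode_nick(nick):
    """Assumed layout NEW-[CHN|00|P|49925] = <state>-[<country>|<flag>...|<id>]."""
    m = re.fullmatch(r"(\w+)-\[([^\]]*)\]", nick)
    if not m:
        return None
    state, fields = m.groups()
    parts = fields.split("|")
    return {"state": state, "country": parts[0], "fields": parts[1:-1], "id": parts[-1]}

def extract(lines):
    """Collect what a defender would log from a captured session: channel, commands, URLs, who set the topic and when."""
    out = {"bot": None, "channel": None, "commands": [], "urls": [],
           "topic_set_by": None, "topic_set_at": None}
    for line in lines:
        msg = parse_irc(line)
        out["bot"] = decode_nick(msg["params"][0]) or out["bot"]
        if msg["command"] == "332":                 # RPL_TOPIC: topic text is the trailing param
            out["channel"] = msg["params"][1]
            out["commands"] = [c.strip() for c in msg["trailing"].split("|")]
            out["urls"] = URL_RE.findall(msg["trailing"])
        elif msg["command"] == "333":               # RPL_TOPICWHOTIME: <channel> <setter> <epoch>
            out["topic_set_by"] = msg["params"][2]
            out["topic_set_at"] = datetime.fromtimestamp(int(msg["params"][3]), tz=timezone.utc)
    return out

if __name__ == "__main__":
    for key, value in extract(LINES).items():
        print(f"{key}: {value}")
```

The URL and the topic setter are the values worth feeding into blocklists and timelines; the epoch in the 333 reply dates the topic, which tells you when the current command set was issued rather than when you happened to capture it.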

Parameters used by the loader:
-usbspread
-inject
-hide
-autostart
-bind
-memexec