Zombie malware without command & control servers

As malware needs some way to communicate with its operators (to receive commands and updates, and to send back stolen data), it typically implements communication with command & control (C&C) servers. Those C&Cs are addressed either by hard-coded domain names or IPs, or by generated ones. For generated domains the malware implements a domain generation algorithm (DGA), which often takes the current day (or a coarser time frame, such as the week) as its seed. In more exotic cases attackers were observed switching to text taken from tweets as the input, because a purely time-based DGA is predictable by security researchers and led to sinkholing and takedown operations (i.e. registering all possible generated domains in advance). A few Trojans also implement peer-to-peer (p2p) protocols, where the bots share commands and updates within the p2p botnet with no central C&C.
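To make the sinkholing argument concrete, here is an added example (not code from the original post or from any real malware family) of a toy date-seeded DGA together with the defender's counter-move. The seed, TLD list and domain count are invented for the illustration; the point is that with only a constant seed and the calendar day as inputs, whoever has reversed the algorithm can generate every domain for the coming days and register them first, which is exactly why some authors moved to unpredictable inputs such as tweets.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical family constants for this illustration (no real DGA uses these).
FAMILY_SEED = b"zombie-blog-example"
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 5


def dga(day: date, seed: bytes = FAMILY_SEED, count: int = DOMAINS_PER_DAY) -> list:
    """Toy date-seeded DGA: the only inputs are a constant seed and the calendar
    day, so every bot (and every analyst holding the seed) derives the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        # 12-letter label from the first 12 digest bytes, TLD chosen by byte 12
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute(start: date, days: int) -> list:
    """Defender side: once the seed is known, every domain for the coming `days`
    can be generated today and registered or sinkholed ahead of the bots."""
    out = []
    for offset in range(days):
        out.extend(dga(start + timedelta(days=offset)))
    return out


def bot_beacon(today: date, sinkholed: set):
    """Bot side: try the day's candidates in order and return the first one the
    operator could still own, or None when the defender holds all of them.
    With a tweet-derived seed the defender could not build `sinkholed` in advance."""
    for candidate in dga(today):
        if candidate not in sinkholed:
            return candidate
    return None


if __name__ == "__main__":
    start = date(2013, 3, 1)
    sinkholed = set(precompute(start, 7))
    print("today's domains:", dga(start))
    print("beacon inside sinkholed window:", bot_beacon(start + timedelta(days=3), sinkholed))
    print("beacon outside window:", bot_beacon(start + timedelta(days=8), sinkholed))
```

Running it shows that every beacon attempt inside the precomputed week resolves to a sinkholed name (the bot gets None), while a day past the window still yields a domain the operator could register.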

And then there is malware without any form of C&C: zombie malware. It does not take any commands, it cannot be updated, it will just do whatever it was programmed to do. Here are three good examples of malware that has no command & control server at all:

  1. A backdoor (only a fallback inside the actual malware) listening on port 8000 and piping everything received there directly to the command line
  2. VBKlip, a .NET Trojan that replaces IBANs in the clipboard, intended to steal money from bank accounts
  3. Allaple, a self-spreading DDoS worm developed to take revenge on an insurance company and an ISP

The interesting thing is that these viruses are “unkillable” from a central point, because there is none. To kill the botnet, every single infection would have to be cleaned up. This can lead to intricate situations in which the malware keeps doing destructive things (such as launching DDoS attacks against pre-defined targets) and cannot be stopped even if the malware author is arrested.

That said, there are currently only a few Trojans in the wild with no C&C functionality, for the simple reason that most crime (financial fraud, ad clicks, spam, credential stealing, …) requires the operator to communicate with the bot: to send instructions and updates of the binary and configuration, and to receive the stolen information.

Allaple

Allaple is a worm with no command & control server. It has the DDoS targets www.online.if.ee, www.if.ee and www.starman.ee hard-coded. It spreads by exploiting a Windows network vulnerability and possibly also has code for brute-forcing SMB shares. The worm was first spread in early 2007, and some infections are likely still active.

It was reported in the media in 2010 that its creator, Artur Boiko (44), was sentenced to 2 years and 7 months in prison and ordered to pay compensation totalling 6.5 million Estonian kroons (415,000 EUR) to the two companies. Reportedly he wanted to “seek revenge against insurance firm IF following a dispute over a rejected car accident insurance claim”.

Technical Analysis

We analyzed a number of different Allaple samples, with the SHA1 hashes 6E1DD56301DB2D83D2D729B1963DF1E48FBF67A5, 7826CBC58A8BC7CB0D097C05DEAE07086FCB01C9, 3804ADF83CE4E30C993FF700D0C17E869029473C, 93A05CAC0E7189AFFCEAF8BE51F367D1A097118F, DF7DCBE66373FCCCB35A39599920852209BA891C, 96527347F4403E6EAE6286A12DDC0CA445647F87 and C3FBEFE98E3431A54BD4DD2A49B91048A2DFFAD2. None of them ran under Windows 7, because they import the function kernel32.dll!CreateVirtualBuffer, which only exists on Windows XP.

When executed, it sends ICMP Echo requests (pings) to random /16 networks and tries to exploit the hosts it finds. A ThreatExpert report (no longer available) on a similar sample lists that it uses “MS04-012: DCOM RPC Overflow exploit – replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).” It also appears to have a password list embedded (probably for brute-forcing). Read this report for additional information on its spreading capabilities.

After running for 5 minutes in the VM, and 30,000 ICMP packets later, the malware had not found any host to exploit. Additional information on the DDoS functionality of Allaple is available in this report.
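The scanning pattern described above (one source pinging many unrelated /16 networks with almost no replies) is easy to pick out of firewall or IDS logs. The following is an added detection example, not part of the original analysis; the log line format and the sample lines are constructed for the illustration rather than taken from the capture shown below, and the threshold of five distinct /16 networks is an assumed tuning value.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in a simple "timestamp proto src -> dst type" format.
# 10.0.0.5 behaves like the worm (many /16s, no answers); 10.0.0.9 is a normal ping.
SAMPLE_LOG = """\
2013-03-01T10:00:00 ICMP 10.0.0.5 -> 198.51.100.7 echo-request
2013-03-01T10:00:00 ICMP 10.0.0.5 -> 203.0.113.21 echo-request
2013-03-01T10:00:00 ICMP 10.0.0.5 -> 192.0.2.44 echo-request
2013-03-01T10:00:01 ICMP 10.0.0.5 -> 100.64.3.9 echo-request
2013-03-01T10:00:01 ICMP 10.0.0.5 -> 172.16.200.1 echo-request
2013-03-01T10:00:01 ICMP 10.0.0.5 -> 10.1.77.77 echo-request
2013-03-01T10:00:01 ICMP 10.0.0.5 -> 45.33.12.1 echo-request
2013-03-01T10:00:02 ICMP 10.0.0.5 -> 91.198.174.9 echo-request
2013-03-01T10:00:02 ICMP 10.0.0.5 -> 198.51.200.1 echo-request
2013-03-01T10:00:02 ICMP 10.0.0.9 -> 198.51.100.7 echo-request
2013-03-01T10:00:02 ICMP 198.51.100.7 -> 10.0.0.9 echo-reply
2013-03-01T10:00:03 ICMP 10.0.0.9 -> 198.51.100.7 echo-request
2013-03-01T10:00:04 ICMP 10.0.0.9 -> 198.51.100.7 echo-request
2013-03-01T10:00:04 TCP 10.0.0.5 -> 198.51.100.7 syn
"""


def parse_line(line: str):
    """Split one constructed log line into its fields (the '->' token is dropped)."""
    ts, proto, src, _arrow, dst, kind = line.split()
    return ts, proto, src, dst, kind


def slash16(ip: str) -> ipaddress.IPv4Network:
    """Collapse a destination address to the /16 it belongs to."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def find_sweepers(log: str, min_nets: int = 5) -> dict:
    """Flag sources whose echo-requests touch at least `min_nets` distinct /16s.
    Also counts packets sent and echo-replies received, since a sweep of random
    networks gets almost no answers while a legitimate ping usually does."""
    nets = defaultdict(set)
    packets = defaultdict(int)
    replies = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, proto, src, dst, kind = parse_line(line)
        if proto != "ICMP":
            continue
        if kind == "echo-request":
            nets[src].add(slash16(dst))
            packets[src] += 1
        elif kind == "echo-reply":
            replies[dst] += 1          # reply is addressed back to the pinger
    return {
        src: {"nets": len(n), "packets": packets[src], "replies": replies[src]}
        for src, n in nets.items()
        if len(n) >= min_nets
    }


if __name__ == "__main__":
    for src, stats in find_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {stats['nets']} distinct /16s, "
              f"{stats['packets']} echo-requests, {stats['replies']} replies")
```

On the sample, 10.0.0.5 is reported with 8 distinct /16 networks (the ninth request lands in an already-counted network), 9 requests and 0 replies, while 10.0.0.9 stays below the threshold. In a real deployment the counting would be done per time window rather than over the whole log.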

This is sample 96527347F4403E6EAE6286A12DDC0CA445647F87 scanning for vulnerable hosts (without any luck):

[Image: Allaple 1]

Statistics generated by Wireshark:

[Image: Allaple 2]

Below is text from a memory dump of the running process. You can see the DDoS targets (www.online.if.ee, www.if.ee and www.starman.ee) as well as references to SMB shares and named pipes, the Windows service-control and ICMP API functions it imports, and a list that looks like a password brute-force list.

Admin.W....PC NETWORK PROGRAM 1.0..LANMAN1.0..Windows for Workgroups 3.1a..LM1.2X002..NT LM 0.12.\\*SMBSERVER\IPC$.\browser.\samr.\epmapper.\ntsvcs.\atsvc.\srvsvc.ÈO2Kp.Ó..xZG¿náˆ....@NŸ.= Î..i..>0......j(.9.±Ð.›¨.ÀOÙ.õ.... .......À......F....‚.÷.Q.è0.mt.èÎé‹....%s...%s (%s).\\%s.S$.c:\.d:\.dmhelpserver.exe.c:\temp.exe.%s (%s) %s:%s.%s (%s) NullSesss.}A6.............‹A6.........Administrator.Admin.‹A6.ýD6.öD6..C6.ìD6.èD6.ãD6.ÝD6.ÖD6.ÎD6.ÅD6.ÃD6.ÀD6.¼D6.•D6.±D6.ªD6.¢D6.™D6..D6.ˆD6..D6.xD6.rD6.kD6.fD6.bD6.\D6.XD6.QD6.JD6.CD6.?D6.9D6.4D6.*D6.!D6..D6..D6..D6..D6..D6.üC6.óC6.íC6.åC6.àC6.ÞC6.ÛC6.ÕC6.ÏC6.ÇC6.¾C6.¸C6.³C6.«C6.¥C6..C6.•C6.‘C6.‰C6.„C6.}C6.vC6.oC6.jC6.cC6.ïD6.ZC6.RC6.KC6.DC6.=C6.8C6.1C6.+C6.$C6..C6..C6..C6..C6.ýB6.õB6.ñB6.............W...www.windows.visitor.test2.password.test1.test.temp.telnet.ruler.remote.real.random.qwerty.public.private.poiuytre.passwd.pass.oracle.nopass.nobody.nick.newpass.new.network.monitor.money.manager.mail.login.internet.install.hello.guest.go.X.demo.default.debug.database.crew.computer.coffee.bin.beta.backup.backdoor.anonymous.anon.alpha.adm.access.abc123.system.sys.super.sql.shit.shadow.setup.security.secure.secret.123456789.12345678.1234567.123456.12345.1234.123.12.1.00000000.0000000.000000.00000.0000.000.00.server.asdfgh.root.irdvxc.exe .jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg.CLSID\%s.CLSID\%s\LocalServer32.{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}.<html>...<OBJECT type="application/x-oleobject"CLASSID="CLSID:%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X"></OBJECT>...%s\%s.*.*.qwertshertshjklzxcvbnjklbnjklzxcvbnmzxcvbnm.%s%s.exe.SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. 
/service."%s" /service.RegisterServiceProcess.kernel32.dll.MSDisk.Network service for disk management requests.Network helper Service./service./start./installservice./uninstallservice./stop..........G6..G6..G6.$G6.6G6.....................advapi32.dll.-embedding.%sirdvxc.exe.....Global\1CKPUPP.patch:.SeDebugPrivilege.AdjustTokenPrivileges.LookupPrivilegeValueA.OpenProcessToken.%s%s.dll.\CLSID.%s\InprocServer32.;H6.GH6.QH6.^H6.gH6.sH6.~H6.ŠH6.shell32.dll.ole32.dll.oleaut32.dll.fm20.dll.thumbvw.dll.mshtml.dll.shdocvw.dll.browseui.dll.www.starman.ee.www.if.ee.www.online.if.ee.............CreateServiceA.OpenSCManagerA.OpenServiceA.ChangeServiceConfig2A.ControlService.CloseServiceHandle.DeleteService.StartServiceA.QueryServiceStatus.StartServiceCtrlDispatcherA.RegisterServiceCtrlHandlerA.SetServiceStatus.................................................ÍH6.ÜH6.ëH6.øH6..I6..I6.0I6.>I6.LI6._I6.{I6.—I6..........d.b.........cwww.online.if.ee.www.if.ee.GET / HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*..Accept-Language: en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)..Host: www.if.ee..Connection: Keep-Alive.........Global\2gjkgsjqgq.KERNEL32.dll....|‚ƒ.ÁÃÇÈÉÊËÌÏÑÒÓÔÕØÙÚÛÜÝÞ:;<=>?@ABCDEHPQRSTWXYÿicmp.dll.IcmpCreateFile.IcmpSendEcho.IcmpParseReplies.IcmpCloseHandle.%s...%s:%d.%s:%d.Babcdefghijklmnopqrstuvwabcdefghi
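Pulling the useful indicators out of a dump like the one above is routine strings work. The following is an added example and not part of the original analysis: it extracts printable ASCII runs from a byte blob and sorts them into hostnames, SMB paths, privilege names, indicator APIs and likely credentials. The blob is constructed to resemble the excerpt above (it is not the actual dump), and the API watchlist is an assumed list of names that point at service installation, privilege adjustment and raw ICMP use.

```python
import re

# Constructed byte blob imitating the memory-dump excerpt; not taken from a sample.
SAMPLE_DUMP = (
    b"\x00\x01\\\\*SMBSERVER\\IPC$\x00\\browser\x00\\samr\x00\\srvsvc\x00"
    b"Administrator\x00Admin\x00\x8bA6\x00\xfdD6\x00"          # pointer-table noise
    b"password\x00test1\x00qwerty\x00123456\x00"
    b"www.starman.ee\x00www.if.ee\x00www.online.if.ee\x00"
    b"CreateServiceA\x00OpenSCManagerA\x00SeDebugPrivilege\x00"
    b"GET / HTTP/1.1\r\nHost: www.if.ee\r\n\x00IcmpSendEcho\x00"
)

# Assumed watchlist of APIs worth highlighting during triage (hypothetical selection).
INDICATOR_APIS = {
    "CreateServiceA", "OpenSCManagerA", "RegisterServiceProcess",
    "AdjustTokenPrivileges", "OpenProcessToken",
    "IcmpCreateFile", "IcmpSendEcho",
}

HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
TOKEN = re.compile(r"^[A-Za-z0-9]{1,16}$")   # short bare word: credential candidate


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Same idea as the `strings` tool: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(blob: bytes) -> dict:
    """Bucket extracted strings by what they most likely mean to an analyst.
    Order matters: specific patterns are tested before the generic word test."""
    out = {"hosts": [], "smb": [], "apis": [], "privileges": [],
           "credentials": [], "other": []}
    for s in extract_strings(blob):
        if HOSTNAME.match(s):
            out["hosts"].append(s)
        elif s.startswith("\\"):                      # UNC shares and named pipes
            out["smb"].append(s)
        elif s in INDICATOR_APIS:
            out["apis"].append(s)
        elif s.startswith("Se") and s.endswith("Privilege"):
            out["privileges"].append(s)
        elif TOKEN.match(s):
            out["credentials"].append(s)
        else:
            out["other"].append(s)
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_DUMP).items():
        print(f"{bucket}: {items}")
```

The credential bucket is deliberately loose (any short bare word that matched nothing else), so it needs a human look; on real dumps the strong signal is a long run of such words adjacent to each other, as in the excerpt above.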