Launching viruscheck.me – Free Infection Checks

We are proud to launch http://viruscheck.me/, a free one-click check that tests whether your IP address appears in the Virus Tracker database. Every day we see about 3 million infected devices, including laptops, TVs, point-of-sale systems, mobile phones and even nuclear power plants. Virus Tracker has been active since 2012 and altogether we have more than 1 billion infection records in our database.

The check is completely free and uses your current IP address.


We also have a new Android app named Virus Tracker where you can do the same infection check and also see general worldwide virus infection statistics.

[Screenshot: Virus Tracker Android app]

Cybercrime Organizations – Behind the scenes

On January 13, 2015 we will give a talk on “Cybercrime Organizations – Behind the scenes” in Zurich, Switzerland. The topic:

    How is organized cybercrime operating? Are the different groups connected to each other? How is their set-up? The talk will give an answer to these questions and a look behind the curtain. Different real-world cybercrime organizations will be analyzed.

Criminal organizations are usually structured like companies: they consist of multiple people, each assigned a dedicated task. While one person is responsible for developing the Trojan software, another is responsible for infecting new victims (via spam or drive-by exploits) and the next one for cashing out and laundering the money. As in the “normal” economy, tasks are also outsourced to third parties, which offer their services on shady “underground” hacking forums and dedicated websites.

Two well-known examples are the Russian-speaking forums “exploit.in” and “verified.cm”, which are used by many criminals to buy and sell their services. Examples include the source code of, and services around, the banking trojans TinyBanker and ZeuS, as well as Android ransomware.

[Screenshots: verified.cm and exploit.in]

During the presentation we will connect the dots between cybercrime organizations, actors and service providers and, at the other end, researchers, anti-virus companies and law enforcement agencies. As a special case study we will explain what happened with ZeuS Gameover and one of the largest takedown operations in history, initiated by the FBI & Europol.

Virus Tracker presentation at Botconf

We presented Virus Tracker at Botconf, 3-5 December 2014 in Nancy, France!

The presentation slides are available here; the presentation itself was video recorded and is available here via YouTube.

Colleagues published very good summaries about the conference here: Day 1, Day 2, Day 3.
We would like to thank all participants and the Botconf organization crew for this awesome conference!

Virus Tracker under 1 Gbps DDoS attack

Yesterday one of our Virus Tracker sinkhole servers was hit by a nice 1 Gbit/s DDoS attack, a combination of ICMP, UDP and TCP floods lasting a few minutes. The attack would not necessarily have impacted our server; however, the datacenter preventively null-routed the IP for 2 hours. We have not received any claims of responsibility, but it is evident that someone is not happy with our operations.

One source IP, which delivered an 11.4 Mbit/s UDP flood, is a government military IP. This is possibly a false positive, though, as source IPs in UDP packets can be spoofed; there are still many ISPs out there that route such packets outbound from your connection.

We are only aware of one IP that executed the TCP flood (all the others participated only in the ICMP and UDP floods), and it is an active Sality infection. This could be a coincidence, or the Sality operators are angry at us and used their botnet to launch the attack.

This is a screenshot of 2 days of traffic on the particular Virus Tracker server.

[Screenshot: 2 days of traffic on the affected server]

And a screenshot over the time frame yesterday:

[Screenshot: traffic during the attack window]

Below are details on the top 10 attacker IPs. We have redacted some IPs as we are still investigating further details and do not want anyone to interfere at this point.

 Top 10 flows by bits per second for dst IP: 69.195.129.70
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.067 UDP      178.78.246.45     53  62933     2048    30567  370.2 M
     0.008 TCP       [redacted]    54245     80     2048   255999  281.6 M
   101.264 UDP      204.145.94.87  47446     80   16.4 M   161794  119.1 M
     0.019 ICMP    94.203.140.192      5    0.1     3072   161684   90.5 M
     0.340 UDP       178.47.45.22     53  62933     2048     6023   73.0 M
    98.668 UDP     209.119.225.25     53  12162   421888     4275   51.8 M
   179.829 UDP      162.249.122.2     53  12162   753664     4191   50.8 M
    98.318 UDP     209.122.107.49     53  12162   411648     4186   50.7 M
    98.282 UDP          80.73.1.1     53  12162   387072     3938   47.7 M
    97.400 UDP     216.174.102.25     53  12162   367616     3774   45.7 M

 Top 10 flows by packets per second for dst IP: 69.195.129.70
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.008 TCP       [redacted]    54245     80     2048   255999  281.6 M
   101.264 UDP      204.145.94.87  47446     80   16.4 M   161794  119.1 M
     0.019 ICMP    94.203.140.192      5    0.1     3072   161684   90.5 M
     0.069 ICMP     94.231.13.165      5    0.1     4096    59362   33.2 M
     0.039 ICMP     94.203.96.121      5    0.1     2048    52512   29.4 M
     0.045 ICMP    223.19.249.167      5    0.1     2048    45511   25.5 M
     0.066 UDP       5.175.146.31  21807     53     2048    31030   16.1 M
     0.067 UDP      178.78.246.45     53  62933     2048    30567  370.2 M
     0.243 ICMP    209.55.123.196      5    0.1     6144    25283   14.2 M
     0.088 UDP       [redacted]     9704  35133     2048    23272   11.4 M
 
 Top 10 flows by flows per second for dst IP: 69.195.129.70
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
   101.264 UDP      204.145.94.87  47446     80   16.4 M   161794  119.1 M
   179.829 UDP      162.249.122.2     53  12162   753664     4191   50.8 M
   179.079 UDP    162.242.221.105     53  12162   701440     3916   19.2 M
   179.675 UDP      5.144.137.103     53  12162   474112     2638   32.0 M
    98.668 UDP     209.119.225.25     53  12162   421888     4275   51.8 M
    98.318 UDP     209.122.107.49     53  12162   411648     4186   50.7 M
    98.683 UDP     209.134.54.161     53  12162   410624     4161   23.3 M
    98.281 UDP     162.243.233.43     53  12162   397312     4042    2.5 M
    98.282 UDP          80.73.1.1     53  12162   387072     3938   47.7 M
    97.954 UDP     162.220.11.230     53  12162   375808     3836    2.4 M

Kleissner & Associates to acquire the cz.cc / uni.me sub-domain service!

We are happy to announce that we have acquired the infamous cz.cc / uni.me sub-domain service!

cz.cc has a long history: it started in 2009, was removed from the Google index in 2011 due to abuse of the service by criminals, and in the same year Microsoft sued the company operating the sub-domain service, again due to abuse by criminals.

In the beginning of 2014 it was sold by Netcom Limited to a US-based company, and now, on 10/7/2014, we acquired it from that company.

We as a European secure provider, FBI & NSA proof

We are a European company, hence we are bound by Czech and European law. There are very strong data privacy laws which prohibit us from passing any personal information to third parties (without your consent). Of course we have to obey European court orders (as we are under European jurisdiction), but not US ones. Foreign law enforcement agencies have to go the legal way through the applicable law enforcement treaty (a request for assistance in a criminal matter).

Abuse policy

We are developing a strong abuse policy, and at the very same time we have a strong data privacy policy. We will take down domains participating in illegal activities; however, we will not redirect those domains to third parties, as Microsoft, for example, previously sought and wrote in their official blog:

    Rather, the controllers of the Kelihos botnet leveraged the subdomain services offered by Mr. Piatti’s cz.cc domain.
    As part of the settlement, Mr. Piatti has agreed to delete or transfer all the subdomains used to either operate the Kelihos botnet, or used for other illegitimate purposes, to Microsoft.

Our abuse policy includes:

  • Spam
  • Phishing
  • Malware distribution and exploits
  • Botnet C&C
  • Publishing or transmitting child pornography

We only take down domains on a case-by-case basis and only upon solid proof. Just sending us an email saying “domain XY is malicious” is not sufficient.

When reporting malicious activity, always make sure to take sustainable action, i.e. file a complaint with the police or the public prosecutor and send a takedown letter to the actual hosting provider; otherwise the criminal will simply move on with a new domain/infrastructure/setup.

Future plans

We want to continue providing a free and secure sub-domain service. There is currently a paid professional plan with more features, such as an API, which costs 19.95 USD per month; we are lowering that to 10 USD per month.

We are currently in the technical transition of the infrastructure. As you can verify in the whois, we own the domains and do not hide behind any whois privacy settings:

Registrant ID:AAR3403372396
Registrant Name:Authorized Representative
Registrant Organization:Kleissner & Associates s.r.o.
Registrant Address:Na strzi 1702/65
Registrant Address2:
Registrant Address3:
Registrant City:Praha
Registrant State/Province:http://uni.me/abuse.php to report abuse on a subdomain
Registrant Country/Economy:CZ
Registrant Postal Code:14000
Registrant Phone:+420.00000000
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:domains@kleissner.associates

As soon as the technical transition is completed we will start with improving the service for our customers!

The world's first Tor domain blacklist

We are publishing the world's first Tor (.onion) blacklist: http://dev.virustracker.info/lists/tor blacklist.txt

You can use the blacklist just like a normal domain blacklist to:

  1. Detect infected machines at the proxy level
  2. Prevent the malware from communicating with its C&C, sending stolen data and receiving commands

As Tor usually runs locally (not on a company-wide proxy, which would reduce the security and defeat the purpose of using Tor), this Tor domain list is rather useless other than for research purposes.

You can use this blacklist for free in your solutions (including commercial/proprietary ones). It mostly contains C&C domains (one is for an Android-based botnet!) and also ransomware-related domains, where further action is required when a hit is detected. The format is CSV with the header ‘Domain, Trojan’.

.onion domains are not real domains present in the public DNS; rather, they are actually public keys used in the Tor network. Therefore blocking or taking down Tor hidden services is a totally different topic than with normal domains and servers.
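As an added example (not code from the post or from Virus Tracker), a loader for the ‘Domain, Trojan’ CSV format and a matcher that runs it over proxy log lines, the proxy-level detection use case from the list above. The blacklist entries, the .onion names and the Squid-like log layout are constructed placeholders; parent-domain matching (so a subdomain of a listed .onion also hits) is an assumption.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed blacklist in the post's CSV format ('Domain, Trojan' header); names are made up.
TOR_BLACKLIST_CSV = """\
Domain, Trojan
exampleexampleab.onion, ExampleRansomware
abcdefghijklmnop.onion, ExampleBanker
"""

# Constructed proxy log lines (Squid-like subset: timestamp client_ip status method url).
PROXY_LOG = """\
1422630001.123 10.0.0.5 TCP_MISS/200 GET http://exampleexampleab.onion/gate.php
1422630002.456 10.0.0.6 TCP_MISS/200 GET http://www.example.org/index.html
1422630003.789 10.0.0.7 TCP_MISS/200 GET http://panel.ABCDEFGHIJKLMNOP.onion:8080/cmd
"""


def load_blacklist(csv_text):
    """Map normalized .onion domain -> trojan family (skipinitialspace eats the ', ' gap)."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    entries = {}
    for row in reader:
        domain = row["Domain"].strip().lower().rstrip(".")
        entries[domain] = row["Trojan"].strip()
    return entries


def normalize_host(url):
    """Hostname only: urlsplit().hostname lowercases and drops port and userinfo."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def lookup(host, blacklist):
    """Exact or parent-domain match; returns (listed_domain, trojan) or None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blacklist:
            return candidate, blacklist[candidate]
    return None


def scan_proxy_log(log_text, blacklist):
    """Return (client_ip, requested_host, listed_domain, trojan) for every hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client_ip, url = parts[1], parts[4]
        host = normalize_host(url)
        if not host.endswith(".onion"):   # only Tor hidden services are in this list
            continue
        match = lookup(host, blacklist)
        if match:
            hits.append((client_ip, host, match[0], match[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, load_blacklist(TOR_BLACKLIST_CSV)):
        print("infected client %s contacted %s (%s, %s)" % hit)
```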

Tor functionality in Virus Tracker

One of the cool things about running your own company and being a programmer yourself is that you can develop your own tools; you do not have to rely on crappy Java-based tools. We have developed our own directory buster tool that brute-forces directories on web servers, which helps, for example, in determining what panel software a web server runs (whether there is a ZeuS panel, a Blackhole panel etc.).

Using Tor in your own program is easy: all you need to do is proxy the traffic through a Tor proxy. In our setup we have one Tor.exe process running and Privoxy, which opens an HTTP proxy and tunnels it via Tor's SOCKS proxy to the Tor network. In theory you could instruct Windows to use the Tor SOCKS proxy directly, which however failed in our tests.

Whether or not our program uses Tor for the connection is easily determined by the URL (whether it contains a .onion domain):

    // Route .onion URLs through the local Privoxy HTTP proxy (port 8118), which forwards
    // them to Tor's SOCKS port; every other URL is fetched directly.
    if (strstr(Url, ".onion/"))
        Internet = InternetOpen(NULL, INTERNET_OPEN_TYPE_PROXY, L"http=http://127.0.0.1:8118", NULL, 0);
    else
        Internet = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);

In our tests we found that massively parallel directory busting is very slow over the Tor network and returns timeouts very quickly, thus producing incomplete results. This is due to certain Tor circuit limitations. Such limits could be bypassed by opening multiple Tor processes and thus using multiple separate connections into the Tor network. Using multiple IP addresses for those Tor connections would also be a good idea.

DDoS attacks in Tor?

Tor hidden services have one big issue: protecting against DDoS attacks that come from the Tor network. Protecting against DDoS attacks requires knowing what and how to block, i.e. specific IPs, protocols or, on a higher level, specific requests or request types (besides load balancing as DDoS mitigation, which won't work at all in Tor). In the Tor case, however, the attacker remains completely anonymous on the network level thanks to Tor (so there is no network-level filtering/blocking/logging). The only IPs you will see are those of Tor nodes.

How long it takes for a botnet to die

Virus Tracker has been in operation since September 2012. We have more than 1 billion infection records in our database and keep all historical data. All the important botnets are in our system, including APTs such as Stuxnet, Flame and APT1, banking Trojans such as Sinowal, MultiBanker, many ZeuS and SpyEye botnets, UrlZone and ZeuS Gameover, and other bigger botnets like ZeroAccess and Sality.

Therefore we have a quite good understanding of how long it takes for botnets to die. Every time there is a takedown of a botnet (whether of a purely legal or purely technical nature) we can monitor its impact in the following weeks. If there is no takedown and the criminals abandon their botnet, we also see a natural reduction in infections; the cause is that antivirus products remove the infections and people simply reinstall their OS or get rid of their old computer.

Let’s have a look at some examples:

The first one is Sinowal. At its peak it had 99.104 active infections per day. In December the operators apparently abandoned their botnet. On 11/27/2013 it had 33.268 infections, dropping within 7 months to 14.273 infections yesterday, 7/2/2014. That is an average monthly reduction (not taking negative compound interest into account) of roughly 8.15%.

[Chart: Sinowal daily infections]

Next we see Conficker (blue) and ZeroAccess (red). For ZeroAccess there was the Microsoft takedown in December 2013 (peak of 871.965 infections on 11/21/2013), and as you can see the botnet decreases day by day. Conficker was at its peak of 1.624.271 infections on 6/5/2013 and has gone down within a year to roughly 1 million active infections per day.

[Chart: Conficker and ZeroAccess daily infections]

The last sample is ZeuS Gameover, where there was the takedown by the FBI, Europol & friends. At the peak we saw 141.432 infections on 3/26/2014. Starting on 5/12/2014 (3 weeks before the takedown was publicly announced) we see a massive drop.

[Chart: ZeuS Gameover daily infections]

A note regarding the measurement ‘unique active infections per day’: other AVs/researchers often claim that botnet X has so many million or hundred thousand infections, but they often count unique IPs per 48 hours, 7 days or even longer. As dynamic IPs of end customers are typically reallocated within 24 hours, such numbers are not representative. In the entire Virus Tracker system we only use unique IPs per day (even though multiple infections can sit behind a single IP), which is the only measurement that actually makes sense. Claiming that a botnet has “2 million infections” would wrongly create the impression that a botmaster could direct 2 million machines at once to attack (i.e. DDoS) a server, whereas in reality, even if the botnet had 1 million infections per day, only roughly 50k-100k bots would be online at any one time.
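As an added example (not the post's own code), the two measurement points above in working form: how counting unique IPs over a 7-day window instead of per day inflates a botnet's size when hosts sit on dynamic IPs, and the Sinowal decay rate computed both the post's way (evenly spread, no compounding) and as a constant compound monthly rate. The three sample hosts and their addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def unique_ips_per_window(records, window_days):
    """records: iterable of (datetime, ip). Buckets them into fixed windows of
    window_days starting at midnight of the earliest record and counts distinct IPs."""
    records = sorted(records)
    if not records:
        return {}
    start = records[0][0].replace(hour=0, minute=0, second=0, microsecond=0)
    buckets = defaultdict(set)
    for ts, ip in records:
        idx = (ts - start).days // window_days
        buckets[start + timedelta(days=idx * window_days)].add(ip)
    return {k: len(v) for k, v in buckets.items()}


def peak_count(records, window_days):
    """The 'size' a report would quote for the given counting window."""
    counts = unique_ips_per_window(records, window_days)
    return max(counts.values()) if counts else 0


def linear_monthly_reduction(start, end, months):
    """The post's figure: total drop divided evenly over the months."""
    return (start - end) / start / months


def compound_monthly_reduction(start, end, months):
    """Constant monthly decay rate r with start * (1 - r) ** months == end."""
    return 1 - (end / start) ** (1 / months)


def make_sample_records():
    """Constructed: three infected hosts seen once a day for a week. Host A sits on a
    dynamic IP that changes daily; hosts B and C keep their addresses."""
    base = datetime(2014, 6, 1)
    records = []
    for day in range(7):
        ts = base + timedelta(days=day, hours=12)
        records.append((ts, f"198.51.100.{day + 1}"))   # host A, new address each day
        records.append((ts, "203.0.113.10"))            # host B
        records.append((ts, "203.0.113.20"))            # host C
    return records


if __name__ == "__main__":
    recs = make_sample_records()
    print("unique IPs per day :", peak_count(recs, 1))   # 3 real hosts
    print("unique IPs per week:", peak_count(recs, 7))   # 9 'infections' from 3 hosts
    # Sinowal: 33268 infections on 11/27/2013 -> 14273 on 7/2/2014, about 7 months
    print("linear   %.2f%% per month" % (100 * linear_monthly_reduction(33268, 14273, 7)))
    print("compound %.2f%% per month" % (100 * compound_monthly_reduction(33268, 14273, 7)))
```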

Antivirus Tracker revisited

Back in October 2009 Antivirus Tracker was released publicly: a website that lists public IP addresses of online sandboxes/analysis systems such as Anubis and ThreatExpert. The publication was perceived very differently by different people. The Russian antivirus company Kaspersky and a smaller, unimportant local Austrian one both filed lawsuits (civil and criminal) against Antivirus Tracker, and lost in court (and thanks to that we have a legally binding verdict, in black and white, that Antivirus Tracker is legal).

Today the Antivirus Tracker website is run by Kleissner & Associates. We do not agree with or condone security by obscurity (in contrast to some colleagues working at antivirus companies) and do not think that publishing the information of public (!) analysis systems harms their security. Submitting your own samples and URLs to such analysis systems takes just minutes; this is not rocket science and can be done by anyone with little technical knowledge and skill. As mentioned in previous blog posts, all servers and domains of Kleissner & Associates are publicly flagged as such (just check the whois information). There is no need for hide and seek in a professional environment.

Approach – laying out the bait, and why we do it

We have now submitted our own “baits” to analysis systems such as URL scanners, online anti-virus scanners, domain checkers and sandboxes. We do this because we want to know all IPs used by those analysis systems, so that we can flag potential false positive infections as such. An infection record in Virus Tracker generated by, for example, ThreatExpert or UrlQuery is not a real, genuine infection, and we want to know when that is the case in order to have a clean data set.

We want to share our results here with the community; you can use them to detect (or block) accesses by such automatic systems. While doing the research we did not just focus on detecting analysis systems but also on detecting search bots (such as Googlebot and Baiduspider), proxies (including Tor) and other non-antivirus-related bots (domain checkers).

All in all, to detect and reduce false positive infection records in Virus Tracker we took these approaches in our research:

  1. Using a /robots.txt on every one of our domains to disallow all search bots
  2. Detecting search bots based on the User Agent
  3. Detecting analysis systems and domain checkers based on many domains being accessed by one or a few IPs
  4. Same as Antivirus Tracker: sending out bait URLs and samples and monitoring the incoming connections

Detecting search bots, crawlers, spiders

These are the search bots that we quickly identified in our data set during the research. In summary, you can blacklist search bots by simply checking whether the User Agent contains one of the keywords: bot, virustotalcloud, crawler, slurp, spider, wget/, curl/, urllib/

[Screenshot: User Agents observed]
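As an added example (not code from the post), the approaches above as one classifier over constructed access-log lines: the User-Agent keyword check from this section, the "many domains from one IP" heuristic (approach 3), and the known-IP lookup that the company and bait lists later in this post are meant for. The log layout, the placeholder known-IP set and the threshold of three distinct domains are assumptions.

```python
import re
from collections import defaultdict

# Keywords from the post, matched case-insensitively against the User-Agent.
BOT_KEYWORDS = ("bot", "virustotalcloud", "crawler", "slurp", "spider", "wget/", "curl/", "urllib/")

# Constructed placeholder for a set of known analysis-system addresses (not the post's list).
KNOWN_ANALYSIS_IPS = {"192.0.2.77"}

# Constructed access-log lines: '<client_ip> <requested_vhost> "<user_agent>"'.
ACCESS_LOG = """\
203.0.113.5 sinkhole-a.example "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 sinkhole-b.example "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 sinkhole-a.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.77 sinkhole-a.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.88 sinkhole-a.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.88 sinkhole-b.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.88 sinkhole-c.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.10 sinkhole-b.example "python-urllib/2.7"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+)\s+(?P<vhost>\S+)\s+"(?P<ua>[^"]*)"\s*$')


def is_search_bot(user_agent):
    """Approach 2: keyword match on the User-Agent."""
    ua = user_agent.lower()
    return any(k in ua for k in BOT_KEYWORDS)


def classify_clients(log_text, known_ips=KNOWN_ANALYSIS_IPS, domain_threshold=3):
    """Return {client_ip: set(tags)}. An IP with no tags is left as a candidate
    genuine infection; tagged IPs are likely false positives in the sinkhole data."""
    domains_seen = defaultdict(set)
    tags = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        tags.setdefault(ip, set())
        domains_seen[ip].add(m["vhost"].lower())
        if is_search_bot(m["ua"]):
            tags[ip].add("search_bot")
        if ip in known_ips:
            tags[ip].add("known_analysis_system")
    # Approach 3: a real victim talks to its own C&C domain, a scanner visits many of ours.
    for ip, seen in domains_seen.items():
        if len(seen) >= domain_threshold:
            tags[ip].add("multi_domain_scanner")
    return tags


def genuine_infections(log_text, **kwargs):
    """Client IPs that no heuristic flagged."""
    return sorted(ip for ip, t in classify_clients(log_text, **kwargs).items() if not t)


if __name__ == "__main__":
    for ip, t in classify_clients(ACCESS_LOG).items():
        print(ip, sorted(t) or "genuine?")
```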

Notable Companies

Websense is probably the biggest company in terms of doing URL scans. We get tons of accesses by them all the time.

DomainTools LLC is directly connected to Name Intelligence; they connect to web servers to get information such as the status code and the title, and they also generate a screenshot of the website for their DomainTools service.

TrendMicro, Cisco and UrlVoid are, interestingly, the only ones we found to have IPv6 capabilities for their domain scanners.

Below are all the IPs that we found to be attached to named (known) companies. While we now have a quite comprehensive list, there are definitely more IPs being used by such analysis systems (this is obviously not a 100% complete list). Before we start receiving criticism for publishing those IPs, we want to point out that we publish them so that other researchers do not have to do the same work over and over again. We have previously pointed out how important it is to classify services/domains/servers/IPs correctly, for example to avoid takedowns of legitimate infrastructure (which has happened multiple times in the past). We discovered some of the IPs below as belonging to analysis systems by examining our Virus Tracker dataset, and others by laying out the baits and checking the connections.


Who bit into the bait?

Within 1 week we had a total of 202 infection records for all our bait URLs. Here is the bait that we actually sent out: we generated a ZeuS executable containing our bait URL and a custom version of the original Antivirus Tracker executable, and we reported the plain URL to analysis systems.

[Screenshot: the bait as submitted]

Below is the full list of IPs that contacted our bait URLs. It is interesting to see that certain services get the URLs from multiple sites; for example, you will find that some IPs behind UrlQuery also appear in the Virus Total list. For your convenience we have already extracted the operating system and the browser from the User Agent.


Surprisingly, most accesses come from Russia (45%), while the US has 23%, followed by Germany (11%).

[Chart: bait accesses by country]

Even a week after the initial submission of the URLs and samples we still get about 15 accesses to the bait URLs per day:

[Chart: bait accesses per day]

What’s next? A conclusion.

You can use the above lists to check whether antivirus systems have contacted your web server. As mentioned, this can be useful to detect and classify false positives. As the services of antivirus and intelligence companies change over time, you should take care to update your list every couple of months to cover the latest IPs in use.

Malware infections on IPv6 – already nearly 1% in the US!

Our entire Virus Tracker system here at Kleissner & Associates is IPv6 compatible: all of our domains have AAAA records, all our servers have IPv6 addresses, and the database and the Virus Tracker system handle IPv6 addresses properly. We are the first security company to have IPv6 enabled on all sinkhole domains.

Thanks to the abstraction provided by the domain name system, it generally does not matter to the malicious software whether the command & control server is reached via IPv4 or IPv6 (as long as the software uses high-level HTTP functions and not raw sockets). In general (HTTP, ICMP) we have observed that Windows uses IPv6 by default, if available. Internet Explorer always tries IPv6 first for the HTTP connection and falls back to IPv4 with the very same request if the IPv6 connection fails.

Because we have enabled IPv6 everywhere on our servers and Windows uses IPv6 by default, we have some kind of overview of how IPv6-ready the (infected side of the) internet is. Below are some statistics from our data, turning nothing into something!

Statistics in the US

On 6/5/2014 we had a total of 120.992 unique infection records for the US. 1.079 of these records are connections via IPv6, that is 0.89%. These numbers do, however, include potential false positive infection records such as those generated by analysis systems and crawlers. The malware behind the IPv6 connections:

[Chart: malware families behind the US IPv6 infections]

The ASNs where we see the IPv6 infections from:


The observed operating systems and how many times they occurred:

1     Mac OS X 10.6 (this one belongs to a machine in the Cisco ASN)
1     Mac OS X 10.7.1
2     Windows 2000
198   Windows XP
149   Windows Vista
221   Windows 7
1     Windows 8

Statistics in Germany

For Germany we have on the same day a total of 19,654 infection records. Of these, 53 are connections via IPv6 – that is only 0.27%. Again the originating ASNs:

AS13184 Telefonica Germany GmbH & Co.OHG
AS20825 Unitymedia NRW GmbH
AS24940 Hetzner Online AG
AS31334 Kabel Deutschland Vertrieb und Service GmbH
AS3320 Deutsche Telekom AG
AS34127 Flughafen Muenchen GmbH
AS51167 Contabo GmbH
AS8767 M-net Telekommunikations GmbH, Germany
AS8881 Versatel Deutschland GmbH

Awesome backdoor is awesome! A comprehensive study.

One of the most awesome facts about Kleissner & Associates is that we are completely independent and at the same time have very good IT security intelligence capabilities. We are a family company, not backed by any VCs, do not have to report to anyone and can happily criticize anyone we want. It also opens the opportunity for research & development like this:

In this blog entry we are going to have a look at a backdoor from 2012 which was spread via email spam as an alleged receipt. Others have already analyzed this particular backdoor with more or less detailed and accurate reports: [1] [2] [3] [4] [5]

This backdoor simply opens a listener on port 8000 and maps it directly to the command line, so that you get a remote command line. It is the most awesome backdoor and virus that we have analyzed so far, because it is so small and yet so powerful – while at the same time the researcher (us) can’t figure out any background info, because there is no command & control server and nothing that gives a clue about the actual intention and end result of this backdoor.

This backdoor could be spread by someone who is simply bored or by an intelligence service – there is no way to distinguish. As this backdoor is just passively listening, one needs to know the IP address of the infected machine in order to control it. One option for this would be doing massive port scans.

We figured out two major programming flaws in this backdoor which both affect its actual operational usage:

  • It does not support UPnP, so NATs and firewalls break it
  • It does not add itself as an exception to the Windows Firewall, so the firewall prompt pops up

As you can read below, we developed a backdoor scanner, scanned 15% of the internet and got some very interesting results! Among the results was 1 real open backdoor and a power grid (according to its own name).

Technical Analysis

The analysis starts with the extracted (unpacked) file, MD5 CF33F44D150EE590ED9DF3962A8D31D8, size 16.9 KB. Its compilation date (according to the PE header time stamp) is 5/22/2012 12:55 UTC-0.

In the start routine it uses the registry key “system\currentcontrolset\services\disk\enum” and later checks for “qemu”, “vbox” and “wmwa”. That’s how it detects VMs and sandboxes. Then it also checks the time stamp counter (again to detect sandboxes and VMs) – very easy but powerful code:

[Screenshot 1]

The rest of the code is then used only for resolving imports, relocation and decryption of the real code. Only the first part of the file contains plain code; the rest is the encrypted code.

Upon running it the Windows Firewall asks for permission (badly programmed – they could have added the firewall exception themselves, as already pointed out):

[Screenshot 2]

It then just listens for incoming commands on port 8000:

[Screenshot 3]

It adds itself under the very obvious name “SunJavaUpdateSched” to the Run key and copies itself to C:\ProgramData\:

[Screenshot 4]

Once it runs you can do a direct telnet to the IP and port 8000.

[Screenshot 5]

This is the actual (and very simple) code which spawns the backdoor:

[Screenshot 6]

The new command line runs as a sub-process of the backdoor process:

[Screenshot 7]

The TCP traffic carries nothing but the command line text:

[Screenshot 8]

The Backdoor Scanner

With the information above it is a piece of cake for us to scan the entire internet for machines with this backdoor open and, in theory, to take control over them. The first step is port scanning the internet (at least the IPv4 address space) for any IP with TCP port 8000 open.

We used masscan and stopped after 15% of the internet was scanned. We found a total of 476,066 IPs with port 8000 open.

[Screenshot 9]

The second step is to develop your own backdoor scanner; in the screenshot below you can see some lines of the code. The scanner is very simple: it opens a TCP connection to the remote peer, then reads with a preset timeout everything into a buffer and afterwards analyzes that buffer to verify whether the analyzed backdoor is behind it or not (in the function VerifyCommandLine). If it is, the buffer holds the text of the command line, which usually contains the Windows version and a prompt line like “C:\”. We not only check for the above backdoor but also log anything that returns “telnet” within the buffer, which could also indicate a remote (even if legitimate) backdoor.

[Screenshot 11]
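The buffer check described above, written out as an added example (not the Virus Tracker scanner's code): classify_banner() is a constructed stand-in for VerifyCommandLine, matching the cmd.exe version banner plus a drive-letter prompt, and flagging telnet either by the page's "telnet in buffer" rule or, as an addition, by raw IAC option negotiation; grab_banner() is the connect-and-read-with-timeout step for a host you administer. Sample banners are constructed.

```python
import re
import socket

# Added example, not the Virus Tracker scanner's own code: the VerifyCommandLine
# idea described above, applied to the bytes a service sends right after connect.
# All names and sample banners below are constructed.
CMD_VERSION_RE = re.compile(rb"Microsoft Windows[^\r\n]*\[Version [\d.]+\]")  # cmd.exe banner
CMD_PROMPT_RE = re.compile(rb"[A-Za-z]:\\[^\r\n>]*>")                          # prompt like C:\...>
TELNET_IAC = 0xFF                       # telnet negotiation: IAC then WILL/WONT/DO/DONT
TELNET_VERBS = (0xFB, 0xFC, 0xFD, 0xFE)


def classify_banner(buf: bytes) -> str:
    """Return 'cmd-backdoor', 'telnet' or 'other' for a captured banner."""
    if CMD_VERSION_RE.search(buf) and CMD_PROMPT_RE.search(buf):
        return "cmd-backdoor"
    if b"telnet" in buf.lower():        # the page's "telnet in buffer" rule
        return "telnet"
    if len(buf) >= 3 and buf[0] == TELNET_IAC and buf[1] in TELNET_VERBS:
        return "telnet"                 # added: daemons that open with raw IAC negotiation
    return "other"


def grab_banner(host: str, port: int = 8000, timeout: float = 3.0, limit: int = 4096) -> bytes:
    """Connect to a host you administer and read what it volunteers until timeout or limit."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while len(buf) < limit:
                chunk = s.recv(limit - len(buf))
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # silent services (HTTP waiting for a request) yield an empty buffer
    return buf

# Constructed sample buffers standing in for real grab_banner() results.
SAMPLES = {
    "backdoor": (b"Microsoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft "
                 b"Corporation.  All rights reserved.\r\n\r\nC:\\ProgramData>"),
    "telnet_text": b"\r\nWelcome to the XYZ Telnet Server\r\nlogin: ",
    "telnet_iac": b"\xff\xfd\x18\xff\xfd\x20",
    "silent_http": b"",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:12s} -> {classify_banner(buf)}")
```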

At one point during the research we also just output the buffers to the command line so that we could see what services hide on the internet behind port 8000. We found plenty of HTTP servers, FTP, IRC, other messengers, SSH and apparently also IP cameras:

[Screenshot 10]

Our custom scanner is fed with the result list from masscan. Of those 476,066 IPs that have port 8000 open we found 1 real infection with the described backdoor and some others which spawn password protected telnet shells, like this power grid (at least according to its name) at 216.226.136.9:8000:

[Screenshot 12]

You really shouldn’t use insecure protocols such as telnet anywhere, as its communication is unencrypted and can be easily intercepted by NSA & friends, your ISP, any relay point on the internet that your traffic crosses and anyone listening on your local network. Plus, going a step further and writing a password bruteforce program for this particular remote management backdoor would also be a piece of cake.

This is the actual scan result of the backdoor scanner:

[Screenshot 13]

Update 4/28/2014: As some researchers pointed out, the backdoor analyzed above is only used when virtual machines are detected and it’s apparently part of the Andromeda bot (it could be used just to fool researchers). There are two reports [6] [7] that dig into that. Thanks to Charlie Hurel and Raashid Bhat for pointing that out. Everything said here remains valid.