Me puppet master: Behind the scenes of crawling P2P botnets

At Kleissner & Associates we run world-wide operations for detecting virus infections. We put quite some effort into detecting viruses, even for older threats such as ZeroAccess 1, which dates from 2011 and was superseded by ZeroAccess 2 in 2012.

ZeroAccess 1

We finished the implementation of the ZeroAccess 1 crawler back in December 2013, but had no initial peers. The peer lists embedded in the samples are of course outdated, and the crawler needs some initial peers to find its way into the p2p network. We tried reaching out to our arrogant colleagues from Dell SecureWorks who, however, never responded.

The solution to finding initial peers was port scanning. We scanned the entire internet (at least the IPv4 space) for IPs with open ZeroAccess 1 ports. The resulting list was then fed to the crawler, which contacted every IP and asked for a peer list update. We used masscan, a great tool by Robert Graham, to scan the internet. The scan time for the entire internet was about 18 hours (the network devices in the datacenter didn't allow a faster speed, even though it would have been possible with the internet line and the server itself).

For most ZA1 botnets (there are 6 of them, each on a different port) we actually only scanned part of the internet, as we only need 1 IP that is hooked into the rest of the p2p network. After a couple of abuse complaints to our datacenter and scanning 6% of the internet we found 110.029 IPs with port 34354 open. Of those, 178 were real infections. They were more than enough to hook the crawler into the p2p network.

As of right now there are still 31.428 ZeroAccess 1 infected machines:

ZA1 2-18-2014

It is interesting to see that for 2 ZeroAccess 1 botnets (“ZAv1 25700” and “ZAv1 22292”) our colleagues discovered fewer bots last year than we did now (the picture is copied from the P2PWNED report):

p2pwend

Initially, before we proceeded with massive port scanning, we tried brute-forcing peers by simply contacting IP after IP. That process, however, turned out to be way too slow and impractical.


ZeroAccess 2

Since the criminals reportedly abandoned their botnet we see major peer decreases every week. While it was a little over 1 million at its peak in December 2013, it dropped to roughly 500k within a few weeks, and since last week it has fallen further to 455.479 peers right now:

ZA2 2-18-2014

One thing that is easy to do on ZeroAccess (both versions) is peer list injection (/poisoning) and, with it, a potential DDoS. It would be a piece of cake to inject for example cia.gov (198.81.129.107) as a peer into every peer list and let the botnet do the rest (flooding/DDoSing cia.gov). This type of attack is very comparable to DNS amplification attacks, in which other peers unintentionally do the work and multiply the attack.

Peer list injection, though, is a feature by design. Peers share their peer lists with each other so that they maintain connectivity. In fact, we also use peer list injection to “send” one peer to another crawling server. We run distributed p2p sinkholing to maximize the chances of catching any peer and at the same time provide redundancy.

ZeuS Gameover

Thanks to our colleagues from Dell SecureWorks and CrowdStrike, who launched multiple disruption attacks against different botnets including ZeroAccess and ZeuS Gameover, the criminals added quite a lot of protections to their bot code in order to protect the botnet from crawling, disruption, forged requests and replay attacks.

While we appreciate any effort at taking down criminals and making the IT world more secure, we ask everyone to take sustainable action. Just like Microsoft taking down a huge list of domains (without even checking whether the domains are actually researchers' sinkholes), it makes no sense to do a PR stunt like disrupting a botnet for a week. What happens is what we see with ZeuS Gameover: the criminals enhance their code, and ultimately any monitoring of the botnet (and detection of the infections) might be jeopardized.

Ultimately the criminals running the botnet have to be arrested, and at the same time the technical and financial bar for running a botnet has to be raised to keep others from even considering such activity. Otherwise the criminals will just continue with their activity. And that's why you shouldn't disrupt botnets.

Here is how ZeuS Gameover secures itself (some of this information was collected from others' research papers, some from our own research and reverse engineering):

  • To contact a peer you need to know its IP, port and bot id (a 20-byte identifier). The bot id is a SHA-1 hash computed from the computer name + the volume GUID of the first hard disk.
  • ZeuS uses random ports, so port scanning cannot be used to detect possible infections.
  • Packets are encrypted (RC4) using the receiver's bot id. Without the id you cannot decrypt the packet.
  • IDSes cannot write signatures for the packets, as contents, port and size always change. Each packet has a random number of random bytes appended to randomize it.
  • If there has been no update within 7 days, ZeuS Gameover automatically falls back to the DGA; this was done to counter peer list poisoning.
  • The internal peer list allows only one entry per 255.255.255.128 netmask (prevents poisoning with IPs from the same range).
  • There is a blacklist of subnets in the configuration. There is also a dynamic blacklist that limits connections to 10 packets/minute.
  • The most ingenious feature in ZeuS Gameover for preventing crawling: peers only return, in the peer list reply, those peers that are xor-nearest to you (to your bot id). So no matter whether you contact 10 peers or 100.000 peers, you are likely to *always* get about the same “neighbour” peers. Because every peer knows you by your bot id and uses it to encrypt the packet, you cannot simply change it.
  • Annoyingly, ZeuS Gameover internally always stores and uses only the RC4 key state, which means you cannot (easily) retrieve the RC4 key itself. You can, however, use the key state for encryption/decryption, or try to find the point where the key state is initially generated from the key.
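To make the xor-nearest reply and the one-entry-per-/25 rule from the list above concrete, here is an added Python simulation; it is not code from this post, from the company's crawler or from the ZeuS Gameover binary. It assumes plain ASCII concatenation as the SHA-1 input for the bot id (the post does not give the exact byte layout), and the network size, per-peer table size and reply size k are constructed values. It crawls the same 100 peers twice, once against peers that answer with their xor-nearest entries and once against a naive design that answers with random entries, and counts how much of the network each pass reveals.

```python
import hashlib
import ipaddress
import random


def bot_id(computer_name, volume_guid):
    """Assumption: the post says SHA-1 over computer name + volume GUID but not
    the exact byte layout, so plain ASCII concatenation is used here."""
    return hashlib.sha1((computer_name + volume_guid).encode("ascii")).digest()


def xor_distance(a, b):
    """Kademlia-style metric on 20-byte ids: larger value = further away."""
    return int.from_bytes(a, "big") ^ int.from_bytes(b, "big")


class PeerList:
    """Peer table implementing two of the rules listed above."""

    def __init__(self):
        self.entries = {}     # bot id -> (ip, port)
        self.blocks = set()   # /25 blocks already occupied

    def add(self, bid, ip, port):
        # One entry per 255.255.255.128 range: whoever controls a single range
        # can occupy at most one slot, however many addresses they inject.
        block = int(ipaddress.IPv4Address(ip)) >> 7
        if bid in self.entries or block in self.blocks:
            return False
        self.entries[bid] = (ip, port)
        self.blocks.add(block)
        return True

    def reply_nearest(self, requester, k=10):
        # Peer list reply: only the k entries xor-nearest to the requester's id.
        return sorted(self.entries, key=lambda b: xor_distance(b, requester))[:k]

    def reply_random(self, rng, k=10):
        # Naive design used for comparison: k arbitrary entries.
        return rng.sample(list(self.entries), min(k, len(self.entries)))


def simulate(n_peers=2000, table_size=300, queried=100, k=10, seed=7):
    """Crawl a constructed network of n_peers bots with one fixed crawler id.

    Returns (unique peers learned with xor-nearest replies,
             unique peers learned with random replies, n_peers)."""
    rng = random.Random(seed)
    peers = []
    for i in range(n_peers):
        bid = bot_id(f"HOST{i:05d}", f"{rng.getrandbits(64):016x}")
        ip = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        peers.append((bid, ip, rng.randint(1024, 65535)))
    # Only the peers we contact need a table; each knows a random subset.
    tables = []
    for _ in range(queried):
        table = PeerList()
        for entry in rng.sample(peers, table_size):
            table.add(*entry)
        tables.append(table)
    # The crawler keeps one id for every request; the post's own crawler id
    # "KLEISSNER ASSOCIATES" happens to be exactly 20 bytes long.
    crawler = b"KLEISSNER ASSOCIATES"
    learned_nearest, learned_random = set(), set()
    for table in tables:
        learned_nearest.update(table.reply_nearest(crawler, k))
        learned_random.update(table.reply_random(rng, k))
    return len(learned_nearest), len(learned_random), n_peers


if __name__ == "__main__":
    near, rand, total = simulate()
    print(f"{total} bots, 100 queried: xor-nearest replies revealed {near}, "
          f"random replies revealed {rand}")
```

Run it and the xor-nearest pass reveals on the order of a hundred peers out of 2000, because every table ranks the same fixed crawler id against roughly the same global neighbourhood; asking more peers mostly returns the same ids again. The random-reply pass reveals most of the network from the same 100 queries. This is why the observation that you "cannot simply change" the id matters: it is also the key the peer uses to encrypt packets for you, so it cannot be varied per request.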

Of course we found a way around those limitations – that is, however, a company secret. We can reveal, however, that our crawler has the bot id “KLEISSNER ASSOCIATES” – how cool is that.

ZeuS Gameover technical analysis

Interested in how to analyze ZeuS Gameover? Here’s how, step-by-step:

First you need to obtain a ZeuS Gameover sample. There are public malware sharing sites (for example http://virusshare.com/). Once you have the sample, use API Monitor to set a breakpoint on WriteProcessMemory. That function, together with CreateRemoteThread, is very often used to inject malicious code into other processes.

ZGO 0

ZeuS Gameover will (like the normal ZeuS versions) copy itself into the %AppData% directory and spawn a second process. When the breakpoint is hit you can use API Monitor directly to investigate the memory. You can quickly see that the source buffer contains the MZ signature (of the PE header). Using HxD (a free hex editor) and the values of lpBuffer and size, you can easily extract the memory manually and store it to a file.

ZGO 2

ZGO 3

The dumped executable is in its mapped in-memory layout, so the gaps (between the raw start of a section and its virtual one) have to be removed manually. It's a little tricky, as you also have to handle the case where the virtual size is larger than the raw one (deleting the extra memory), but if you do it properly the import directory is rebuilt nicely:
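The unmapping just described (moving each section from its virtual address back to its raw file offset, and truncating where VirtualSize exceeds SizeOfRawData) can be automated. The following Python is an added example written for this page, not the author's tooling; it parses the PE headers itself and builds a constructed two-section PE32 image in memory to run against, so it needs nothing from disk. The optional new_image_base argument rewrites ImageBase so a disassembler loads the file at the dump's original base without manual intervention.

```python
import struct


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_sections(image):
    """Return (SizeOfHeaders, optional-header offset, [(name, VirtualSize,
    VirtualAddress, SizeOfRawData, PointerToRawData), ...]) from a PE buffer."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = _u32(image, 0x3C)                   # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = _u16(image, pe + 6)               # COFF NumberOfSections
    opt_size = _u16(image, pe + 20)          # COFF SizeOfOptionalHeader
    opt = pe + 24
    size_of_headers = _u32(image, opt + 60)  # same offset in PE32 and PE32+
    sections = []
    table = opt + opt_size
    for i in range(nsec):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, vsize, va, rawsize, rawptr))
    return size_of_headers, opt, sections


def unmap_pe(image, new_image_base=None):
    """Convert a memory-mapped PE image back to file layout.

    Each section is copied from VirtualAddress to PointerToRawData. If VirtualSize
    is larger than SizeOfRawData the surplus exists only in memory and is dropped;
    if it is smaller, the raw section is zero-padded up to SizeOfRawData."""
    size_of_headers, opt, sections = parse_sections(image)
    out = bytearray(image[:size_of_headers])
    for _name, vsize, va, rawsize, rawptr in sections:
        if rawsize == 0:                     # e.g. .bss: nothing on disk
            continue
        n = min(vsize, rawsize) if vsize else rawsize
        chunk = image[va:va + n]
        chunk += b"\0" * (rawsize - len(chunk))
        end = rawptr + rawsize
        if len(out) < end:
            out.extend(b"\0" * (end - len(out)))
        out[rawptr:end] = chunk
    if new_image_base is not None:
        magic = _u16(out, opt)
        if magic == 0x10B:                   # PE32
            struct.pack_into("<I", out, opt + 28, new_image_base)
        elif magic == 0x20B:                 # PE32+
            struct.pack_into("<Q", out, opt + 24, new_image_base)
        else:
            raise ValueError("unknown optional header magic")
    return bytes(out)


def read_image_base(image):
    _, opt, _ = parse_sections(image)
    if _u16(image, opt) == 0x10B:
        return _u32(image, opt + 28)
    return struct.unpack_from("<Q", image, opt + 24)[0]


def build_test_image():
    """Constructed two-section PE32 laid out as it would appear in memory
    (SectionAlignment 0x1000, FileAlignment 0x200). Not a real binary."""
    secs = [(b".text", 0x20, 0x1000, 0x200, 0x400),   # VirtualSize < SizeOfRawData
            (b".data", 0x300, 0x2000, 0x200, 0x600)]  # VirtualSize > SizeOfRawData
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)     # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)      # SizeOfHeaders
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
        for name, vs, va, rs, rp in secs)
    image = bytearray(0x3000)
    header = bytes(dos) + coff + bytes(opt) + table
    image[:len(header)] = header
    image[0x1000:0x1020] = b"T" * 0x20    # .text payload; rest of the page is zero
    image[0x2000:0x2300] = b"D" * 0x300   # .data: the last 0x100 bytes exist only in memory
    return bytes(image)


if __name__ == "__main__":
    dumped = build_test_image()
    fixed = unmap_pe(dumped, new_image_base=0x5A0000)
    print(f"{len(dumped):#x} bytes mapped -> {len(fixed):#x} bytes on disk, "
          f"ImageBase {read_image_base(fixed):#x}")
```

One case this deliberately does not cover: a packer that unpacked code into the part of a section that exists only in memory (beyond SizeOfRawData) would lose it here, and you would have to grow SizeOfRawData to VirtualSize instead of truncating; that judgement is what makes the manual step tricky.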

ZGO 4

The executable is now very easy to analyze. As there are no valid relocations, though, you have to tell IDA manually to load it at address 005A0000h:

ZGO 5

ZGO 6

Then.. tadaa! Easy to analyze:

ZGO 7

If you trace back “GetVolumeInformationW” (which is required for generating the bot id) you can easily find the function that gets the volume GUID:

ZGO 9

It is even more interesting to trace back recvfrom(), as the function is used to receive UDP packets.

ZGO 10

In OllyDbg you can attach to taskhost.exe (ZeuS Gameover always uses that process for I/O) and set a breakpoint directly on it:

ZGO 11

Using taskview you can quickly find out on which port ZeuS Gameover listens for incoming packets (it is also a good verification that it runs correctly):

ZGO 12

For testing you can use Packet Sender and send a dummy packet to your local ZeuS Gameover infection. As you can see in the second picture, in the lower right frame, the code receives the packet successfully. The base code addresses in the picture are different because the machine had to be restarted during analysis due to changed network adapters.

ZGO 13

If you trace the code back in IDA you can see the outer function, ReceivePacket2:

ZGO 14

A very important function called in DecryptPacket is VerifyPacket, which uses heuristic checks to decide whether the packet is valid after decryption.

ZGO 15

ZGO 16

If you patch this verification check in memory, you can force your ZeuS Gameover infection to accept old unencrypted messages, which means you then only need to know the IP and port, no longer the bot id. That is ideal for getting an initial list of peers.

ZGO 17

Then, after a little of this and that, there's the full-featured ZeuS Gameover P2P crawler, hooked into the p2p network:

ZGO 18

Stuxnet still has active infections in Iran, we observe

As discussed in the last post, we see worldwide virus activity. We are also the only company in the world able to see the still active Stuxnet infections. Why? Because we own part of the Stuxnet command & control (C&C) infrastructure. If we were evil (which we are not) we could send them updates and commands. How did we acquire the Stuxnet C&C infrastructure? Company secret.

General virus activity in Iran

For December 2013 (until today) we have 1.274.013 infection records (with 417.206 unique Iranian IPs). Among the infected organizations are many universities and research organizations. We cannot quickly say how many virus infections occur within the Iranian government, as we would first have to find sources for the IP ranges it uses.

We have seen up to 20.000 unique infections per day, with ZeroAccess, at 64%, being the biggest threat there:

Iran December 2013 Graph

Iran December 2013

Stuxnet Active Infections

Yes, there are still computers in Iran infected with Stuxnet. We still observe multiple active Stuxnet infections internationally. Below are all infections still active in Iran.

Iran Stuxnet Infections

Worldwide Stuxnet activity monitored on our servers (infected machines connecting to the command & control infrastructure):

Stuxnet All

Stuxnet sends some information in the GET request. An example request (made by the “Pars Online” infection) is “/index.php?data=66a96e28270b6b4b93c9e63cf84b1307da7c7a046e50a46acba7b1f643e03f9a5390d546f2a7645fa21d659d3fb4a857946291a6f89da476b4b6e3842e0cac56dc8427bdea6c5b62b58c9d3fb5a877a54fa391baa9e54283”.
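As an added example (not part of the original post), here is a small Python detector for the beacon shape quoted above, run over constructed proxy log lines. The host names, client addresses and timestamps are placeholders; the only value taken from the post is the data blob itself.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Beacon shape from the post: GET /index.php?data=<long hex blob>.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_CHARS = 64      # 32 bytes of payload; tune for your environment

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# The first URL carries the data blob quoted above; the host names are placeholders.
SAMPLE_LOG = """\
2013-12-05T10:14:02Z 203.0.113.7 GET http://c2-host.invalid/index.php?data=66a96e28270b6b4b93c9e63cf84b1307da7c7a046e50a46acba7b1f643e03f9a5390d546f2a7645fa21d659d3fb4a857946291a6f89da476b4b6e3842e0cac56dc8427bdea6c5b62b58c9d3fb5a877a54fa391baa9e54283 200
2013-12-05T10:14:05Z 203.0.113.9 GET http://shop.example/index.php?id=42 200
2013-12-05T10:14:09Z 203.0.113.9 GET http://forum.example/index.php?data=hello 404
2013-12-05T10:14:11Z 203.0.113.12 GET http://cdn.example/index.php?data=cafe&v=2 200
"""


def is_hex_beacon(url):
    """True when the URL is /index.php with a single 'data' parameter whose
    value is an even-length hex string of at least MIN_HEX_CHARS characters."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if list(qs) != ["data"] or len(qs["data"]) != 1:
        return False
    blob = qs["data"][0]
    return len(blob) >= MIN_HEX_CHARS and len(blob) % 2 == 0 and bool(HEX_RE.match(blob))


def find_beacons(log_text):
    """Scan log lines and return one record per matching GET request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, method, url, _status = fields
        if method == "GET" and is_hex_beacon(url):
            parts = urlsplit(url)
            blob = parse_qs(parts.query)["data"][0]
            hits.append({"time": ts, "client": client, "host": parts.hostname,
                         "payload_bytes": len(blob) // 2})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

index.php?data= is a generic shape, so a match is a hunting lead to correlate with known C&C hosts or with sinkhole data like that shown here, not a verdict on its own.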

Hands on North Korea: Virus infections and IT security in the DPRK

At Kleissner & Associates we have the world’s largest sinkhole and passive virus detection system in place.

Based on our data we can confidently say that everyone is a target. By everyone we mean everyone: from private persons through multinational corporations and governments to the Central Intelligence Agency, everyone has virus infections. On our systems we see ordinary threats such as banking trojans and password stealers, but also much more interesting threats such as targeted attacks (APTs). If you know the protocol the virus speaks (and have the encryption key, if required) you can basically take over the infected machine – that's one of the reasons why (even dead) virus infections pose a security risk.

Internet in North Korea

Internet access is a very limited commodity in North Korea. Wikipedia states that they have only 1024 IPs (175.45.176.0 – 175.45.179.255) and use some ranges officially assigned to their partner China.

Within their IP range (on 175.45.176.67, that's ASN AS131279 Ryugyong-dong) they host their weird propaganda website http://www.naenara.com.kp/ (which has SQL injection vulnerabilities). Some technical information and research about the state of the internet in North Korea is published here.

Virus infections in North Korea

As stated initially, everyone is being targeted – including North Korea. In 2013, Kleissner & Associates discovered 4 IPs that showed virus network activity, making 0.4% of the North Korean internet space “infected”. Below are the graphs from our VirusTracker system on the data we have on North Korea for 2013.

North Korea Viruses 2013

North Korea Virus Types

These are the infected IPs (and internal IPs):

175.45.176.140
175.45.176.144
175.45.176.145
175.45.177.144

192.168.0.4
192.168.0.6
192.168.100.6

These user agents were discovered, indicating at least 34 distinct infected machines (which are all running Windows XP):

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET4.0C)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AlexaToolbar/amzni-3.0; InfoPath.3; AlexaToolbar/amzni-3.0; .NET4.0C; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100200)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100200; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100425; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100499; .NET4.0C)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100499; InfoPath.3; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100501; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100501; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99496; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99497)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99499)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99499; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; InfoPath.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.3; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQPinyin 722)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS100021; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS100200; InfoPath.2; BRI/2)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS100991)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS98707)

It was an interesting discovery that there was one ZeroAccess 2 infection in North Korea that was actively participating in the ZeroAccess P2P network:

NK ZA

Starting development of the Kay Bot

Kleissner & Associates is happy to announce the first research bot known to us. We will use this research/educational bot to assist our entire sinkhole and virus infection detection system. Essentially it comes down to using some of the same techniques as the criminals (e.g. fast flux), but for a better reason, with a different objective and a different realization (especially with regard to the legal aspect).

With our current system we have run into a couple of (current) limitations: can we scan the entire IPv4 and IPv6 address space “safely” from our datacenters? Safely in terms of the impact on our servers (and IPs, domains) and on other customers at the datacenter. The other reasons are time and simply infrastructural considerations.

Our ZeroAccess 2 crawler, for example, always has roughly 1 million IPs (= unique infections over the past 30 hours) loaded, and it tries to contact all 1 million within 10 minutes. In the ZeroAccess 1 and 2 botnets there are a lot of disconnected peers; finding them would require scanning the IPv4 address space all the time, contacting each IP, knocking at the door and saying “hello, ZeroAccess infection here?”. There are simple limitations here such as the maximum port limit (64k by design, and then there is the MaxUserPort value in the Windows registry). Even when raised, 50.000 connections at once are not a lot, considering that some machines might keep the TCP connection open for multiple seconds or longer.

Blacklisting of sinkhole and analysis systems is another relevant topic here. For example, Sinowal was successfully blacklisting the IP addresses of various sinkholes (including our own). Setting up a new server with a new IP is a traditional cat-and-mouse game (they will just add the new IP to the blacklist and prevent you from doing your job). The solution is proxying the relevant communication through one of many peers, which itself acts as a proxy/relay to the (real) sinkhole server.

The solution: Kay Bot

The solution to the above problems is something for which we might receive some criticism from pseudo white-hats (we kindly refer anyone to Group-IB first). A simple bot – Kay Bot – will help us find virus infections on the internet.

These are the first tasks that we want to use the new Kay Bot for:

  • Scanning the IPv4 and IPv6 space for infections: in the beginning ZeroAccess 1, 2 and Conficker C (all p2p)
  • Acting as an HTTP proxy for Sinowal, as part of a fast-flux system

Essentially you can think of the Kay Bot as nothing other than one of our servers. Or as SETI@home, just looking for virus infections out there instead of aliens.

Malware AG? Staying on the legal side

There are a couple of serious legal considerations in such a project. First of all, most countries have laws against malware; in Europe they are based on the “Convention on Cybercrime” from 2001. Key actions that are illegal by law are (unwanted) data manipulation, theft of passwords and data in general, and also bypassing security obstacles such as logins.

Our policy for the Kay Bot will include:

  • Not to touch (read or modify) any existing files
  • Not to harm the system in any way
  • No excessive data download/upload or CPU usage
  • Not hiding the presence of Kay Bot
  • Making the Kay Bot easily removable (just deleting the file in explorer will be enough)
  • Signing the executable with the Kleissner & Associates Authenticode key
  • Providing an uninstallation program
  • Providing a terms of use of the program

Furthermore it has to be pointed out that the installations of the Kay Bot have to come from a legal source (for example voluntary installations, comparable to SETI). The intention is to fight computer crime, not to support it (even indirectly).


Open Source

We will keep the source code closed for now. Companies, universities or researchers interested in this project are welcome to drop us a note.

Thousands of O2 customers in the Czech Republic are at risk

We have discovered that thousands of O2 customers in the Czech Republic (specifically in Prague, but most likely country-wide) are at risk.

Anyone who has an O2 internet connection can directly access the routers of any other O2 customer (including our own), and if the default password settings are enabled (which is the case with nearly all home installations), an attacker can control the router, upload malicious code, and set DNS servers or IPv4 routes, thereby controlling the entire internet traffic, stealing sensitive data such as logins and bank transactions, or placing malware on the machines.

The reason is that Telefónica Czech Republic assigns all internet users internal IPs as their WAN IP, which is wrong, broken and a big security issue. All customers are in one big virtual LAN and there is no security whatsoever (no firewall or defined routes) that prevents one from directly accessing the neighbor's router and re-configuring it.

Unfortunately Telefónica Czech Republic does a good job of hiding their contact details (the email of the CSO or anyone in charge of security), hence this public blog post.

Background info

In the Czech Republic we have an internet connection from O2. We could not get port forwarding working, and in the process we made an interesting discovery: O2 gives your router an internal (!) IP address, as shown in the images below. In O2's setup this effectively prevents port forwarding. Only packets addressed directly to the internal IP are forwarded, but not the ones sent to the public IP.

O2 5

O2 6

Technically, Telefónica Czech Republic runs a big VLAN with the id 848 where all customers are attached.

Real life check

One person at the forum http://forum.mikrotik.com/viewtopic.php?f=13&t=78570 pasted his configuration and complained last week that port forwarding does not work. The WAN IP assigned by O2 is 10.226.139.143.

He complains that his custom router is not accessible from the internet. What he does not know, however, is that it is accessible from within the O2 network:

o2 1

Attacking other Telefónica Czech Republic customers

There are many customers who have the default setup and their routers can be directly accessed:

o2 2

Using a port scanner it is a piece of cake finding the other O2 customers:

o2

Attacks on other customers are practical. As mentioned there are multiple possibilities:

  • Uploading a malicious firmware
  • Changing the DNS servers and thereby controlling the person's internet (similar to the DNSChanger malware)
  • Setting hard-coded IPv4 routes and literally controlling the person's entire internet traffic

If you for example change the DNS server to your own custom one (example below), you can show people who visit “google.com” your own site, return fake results or advertisements, or simply proxy the traffic to the real sites, capture all logins and maybe replace executables downloaded by the person behind the computer.

o2 7

The joke about this

The real joke about this is that every O2 customer can directly access the routers of the other customers, AND that O2 gives out internal IP addresses where public ones should be given. Routers generally (by default) expose their administrator panel only to local IPs – not good if the ISP assigns a local one and lets your neighbor connect to you.
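As an added example, not from the post, the following Python models the "local IPs only" admin-access rule just described beside a hardened one that binds the decision to the ingress interface and the LAN prefix. The LAN prefix, the neighbour address and the interface labels are constructed; the WAN address is the one quoted from the forum user above.

```python
import ipaddress

# Constructed router state. The WAN address is the one the post quotes from
# the forum user; the LAN prefix is made up.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("10.226.139.143")
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def weak_admin_allowed(src_ip):
    """Default-style rule: the admin panel answers any 'local' (private) source.

    This is the assumption the post describes being broken: once the ISP hands
    out a private WAN address, every other customer in the shared VLAN looks
    'local' as well."""
    return ipaddress.ip_address(src_ip).is_private


def hardened_admin_allowed(src_ip, ingress_iface):
    """Tie the decision to the interface the packet arrived on and to the LAN
    prefix itself, never to how the source address looks."""
    return ingress_iface == "lan" and ipaddress.ip_address(src_ip) in LAN_NET


def wan_is_shared_private_space(wan_ip=WAN_IP):
    """Check a customer can run on the WAN address shown in the router UI:
    RFC 1918 or carrier-grade NAT space means there is no public boundary in
    front of the router, so 'local-only' filtering is not a boundary either."""
    ip = ipaddress.ip_address(wan_ip)
    return ip.is_private or ip in CGNAT_NET


def evaluate(requests):
    """requests: iterable of (src_ip, ingress_iface). Returns the sources that
    the weak rule admits but the hardened rule rejects."""
    return [src for src, iface in requests
            if weak_admin_allowed(src) and not hardened_admin_allowed(src, iface)]


if __name__ == "__main__":
    sample = [("192.168.1.20", "lan"),   # the owner's own PC
              ("10.226.140.7", "wan"),   # a neighbouring customer in the same VLAN (constructed)
              ("8.8.8.8", "wan")]        # a public address, for contrast
    print("admitted only by the weak rule:", evaluate(sample))
```

The interface check is the part that matters: a source address can be spoofed or, as here, legitimately be private, but a packet that arrived on the WAN port did not come from the LAN whatever its address says.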

Apple and the Flashback (Mac virus) domains

Flashback is a Mac virus that was discovered in September 2011. There are some analyses at [1] [2] [3].

The first domain generation algorithm implemented in Flashback generates 5 domains every day with the TLDs com, net, kz, in and info:

9/27/2013 mdrmcwayiivnrvo.com
9/27/2013 mdrmcwayiivnrvo.net
9/27/2013 mdrmcwayiivnrvo.kz
9/27/2013 mdrmcwayiivnrvo.in
9/27/2013 mdrmcwayiivnrvo.info

All current Flashback domains were registered by Apple Inc and point to their sinkhole at 23.21.71.54. Whois data of mdrmcwayiivnrvo.com:

Registrant: 
Apple Inc.
Domain Administrator
1 Infinite Loop 
Cupertino, CA 95014
US
Email: domains@apple.com

Whois data of mdrmcwayiivnrvo.kz:

Domain Name............: mdrmcwayiivnrvo.kz

Organization Using Domain Name
Name...................: Hostmaster
Organization Name......: Apple Inc.
Street Address.........: 1 Infinite Loop
City...................: Cupertino, CA
State..................: 
Postal Code............: 95104
Country................: US

We have checked all domains – they are all sinkholed by Apple Inc until the end of 2013.

Apple Sinkholes

About the sinkholes

The reason why Apple has sinkholed all these domains is to a) get statistics on the infections and b) prevent the criminals from controlling the infected machines. An important point here, though, is that Apple registered the domains only until the end of 2013, so from January 2014 the criminals have the ability to take back control of their botnet.

Criminals use domain generation algorithms (DGAs) basically to prevent single domain takedowns. In this case, however, the DGA generated only 5 domains per day, a fairly low number compared to other DGAs, which generate for example 1000 per week (ZeuS Gameover) or 250 per day (Conficker A/B). These 5 domains per day, 1780 domains per year, can easily be registered by anyone and effectively lock the criminals out of their own botnet. Kleissner & Associates registered some domains valid for 2014 in order to generate statistics.

As a result, as reported by Symantec, the criminals implemented 2 other DGAs, one of which uses a Twitter message as the input seed to generate the domain.

Fake DGA: Simda

We have recently analyzed a sample of Simda (= a new version of Expiro). It features a fake domain generation algorithm (DGA) which generates domains but never really uses them. The sample has 4 hard-coded IP addresses embedded, which it tries to contact as command & control (C&C) servers. If one server does not respond the way it should, it tries the next IP address. In the HTTP request it sets the Host field (in the HTTP header) to the randomly generated domain. This special trick causes a lot of anti-virus analysis systems to display the domain name in their reports, but not the IP address. As the generated domain name is never actually resolved, it is in fact useless.

A look into the algorithm reveals that it uses the time stamp counter as its input seed and (more or less) really generates a non-predictable domain name.


Here are some example domains which appear in this report but are all unregistered:

report.o7o3179a1k931wsk.com
update.9ik8rgxkc3zlg0.com
update2.hpl4i1i6elvmn3.com

The linked article, however, links Simda to Fake AV campaigns.

Below is a valid request from the infected machine to the hard-coded C&C 65.98.83.117:

65.98.83.117

The 4 hard-coded IP C&Cs are 65.98.83.117, 94.23.116.81, 74.82.216.6 and 95.141.38.173 – all located around the world:
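As an added example (not the post's code and not ESET's), here is a detection rule in Python for exactly this trick: a Host header that does not resolve at all, or resolves to something other than the address actually connected to. The records and the resolver table are constructed; the C&C addresses and the Host names are the ones quoted in this post.

```python
import ipaddress

# The four hard-coded C&C addresses named in the post.
SIMDA_C2 = {"65.98.83.117", "94.23.116.81", "74.82.216.6", "95.141.38.173"}

# Constructed stand-in for passive DNS / a resolver: name -> set of addresses.
# A name that is absent here stands for NXDOMAIN.
FAKE_DNS = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
}

# Constructed HTTP metadata records as a proxy or NIDS would log them. The first
# two use the unregistered Host names and C&C addresses quoted in the post.
RECORDS = [
    {"src": "192.0.2.15", "dst": "65.98.83.117", "host": "report.o7o3179a1k931wsk.com"},
    {"src": "192.0.2.15", "dst": "94.23.116.81", "host": "update.9ik8rgxkc3zlg0.com"},
    {"src": "192.0.2.20", "dst": "93.184.216.34", "host": "www.example.com"},
    {"src": "192.0.2.21", "dst": "198.51.100.11", "host": "cdn.example.net"},
    {"src": "192.0.2.22", "dst": "203.0.113.77", "host": "www.example.com"},
    {"src": "192.0.2.23", "dst": "203.0.113.88", "host": "203.0.113.88"},
]


def _is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(record, resolve=lambda name: FAKE_DNS.get(name, set())):
    """Return the list of reasons a record looks like a fake-DGA beacon."""
    host, dst = record["host"], record["dst"]
    reasons = []
    if dst in SIMDA_C2:
        reasons.append("known-c2-ip")
    if not _is_ip_literal(host):          # a literal-IP Host has nothing to resolve
        answers = resolve(host)
        if not answers:
            reasons.append("host-does-not-resolve")
        elif dst not in answers:
            reasons.append("host-ip-mismatch")
    return reasons


def find_suspicious(records, resolve=lambda name: FAKE_DNS.get(name, set())):
    flagged = []
    for rec in records:
        reasons = classify(rec, resolve)
        if reasons:
            flagged.append((rec["src"], rec["dst"], rec["host"], reasons))
    return flagged


if __name__ == "__main__":
    for entry in find_suspicious(RECORDS):
        print(entry)
```

In production, resolve against passive DNS with a time window around the connection rather than a live lookup, and expect benign mismatches from CDNs and anycast; the "does not resolve" reason is the strong one for this family, since the generated names are never registered.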

Simda C&Cs GeoIP

It uses a blacklist of process image file names to detect security tools, and does nothing if it finds one:

cv.exe
irise.exe
IrisSvc.exe
wireshark.exe
dumpcap.exe
ZxSniffer.exe
Aircrack-ng Gui.exe
observer.exe
tcpdump.exe
WinDump.exe
wspass.exe
Regshot.exe
ollydbg.exe
PEBrowseDbg.exe
windbg.exe
DrvLoader.exe
SymRecv.exe
Syser.exe
apis32.exe
VBoxService.exe
VBoxTray.exe
SbieSvc.exe
SbieCtrl.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
SUPERAntiSpyware.exe
ERUNT.exe
ERDNT.exe
EtherD.exe
Sniffer.exe
CamtasiaStudio.exe
CamRecorder.exe

There is also a list of blacklisted registry keys:

Software\CommView
SYSTEM\CurrentControlSet\Services\IRIS5 
Software\eEye Digital Security
Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
Software\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
Software\ZxSniffer
Software\Cygwin 
Software\Cygwin
Software\B Labs\Bopup Observer
AppEvents\Schemes\Apps\Bopup Observer 
Software\B Labs\Bopup Observer
Software\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1 
Software\Win Sniffer
Software\Classes\PEBrowseDotNETProfiler.DotNETProfiler
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
SYSTEM\CurrentControlSet\Services\SDbgMsg 
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
Software\Syser Soft
Software\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
Software\APIS32
Software\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
SYSTEM\CurrentControlSet\Services\VBoxGuest
Software\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
SYSTEM\CurrentControlSet\Services\SbieDrv 
Software\Classes\Folder\shell\sandbox 
Software\Classes\*\shell\sandbox
Software\SUPERAntiSpyware.com
Software\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
Software\SUPERAntiSpyware.com
Software\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1

There is also a report from ESET about the same virus.

Simda downloads a native 64-bit executable (if running on 64-bit Windows) and contains a driver and a bootkit – Rovnix, also known as ZeroKit. The same bootkit was used by the Carberp gang.

Endgame Systems and ipTrust

Our colleagues at Endgame Systems run a quite interesting product: ipTrust. It is the Virus Tracker of 2010/2011, and Endgame Systems is the Kleissner & Associates of 2010/2011. There is quite some information available, cited later in this post. [1] [2] [3] [4] [5]

They have contracts and ties to the CIA and NSA (one executive of Endgame Systems was the Director of the NSA). Endgame Systems took down their entire internet presence, including iptrust.com and LinkedIn profiles, in “summer 2011” (according to one linked source above) – a step that is understandable. If Kleissner & Associates were making contracts with the CIA and NSA, this blog entry would probably vanish magically too. Technically the ipTrust.com website completely vanished on 7/4/2012 (stopped resolving to an IP).

Some information from the linked sources:

Security software provider Endgame Systems raised $29 million in the fall and simultaneously launched ipTrust, a product meant to detect and manage the harm caused by malware and botnets in cloud computing environments

IpTrust’s strategy is to register the domain names these botnets try to contact; thus, when the botnet attempts to communicate with command and control it contacts ipTrust, revealing itself and the IP address of the infected computer

Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems. Endgame weaponry comes customized by region – the Middle East, Russia, Latin America, and China – with manuals, testing software, and “demo instructions.” There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million. A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million.

Their HQ in Atlanta, Georgia

Interestingly, they are based in Atlanta, Georgia. Georgia Tech (University) and Damballa are also based in Georgia, both doing a lot of research & development on sinkholing and DNS-based identification of malware. They might share their sinkhole data with each other (even though that is just pure speculation). Endgame Systems CFO Mark Snell studied at Georgia State University (though just an MBA, not a technical IT degree).

Sinkholing infrastructure

We have identified that the infrastructure described below belongs directly to Endgame Systems and ipTrust. The multiple connections and hints that led to this discovery are described later in this section.

Sinkhole IP: 166.78.144.80

malware-sinkhole.com -> 50.16.214.154 (formerly)
ns1.malware-sinkhole.com -> 69.20.95.4

malware-sinkhole.com was pointing to 50.16.214.154, according to DomainTools:

50.16.214.154

The IP 50.16.214.154 is part of Amazon EC2 (Amazon Web Services):


NetRange:       50.16.0.0 - 50.19.255.255
CIDR:           50.16.0.0/14
OriginAS:       
NetName:        AMAZON-EC2-8
NetHandle:      NET-50-16-0-0-1
Parent:         NET-50-0-0-0-0
NetType:        Direct Assignment

RegDate:        2010-10-07
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-50-16-0-0-1

OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2005-09-29
Updated:        2009-06-02
Comment:        For details of this service please see
Comment:        http://ec2.amazonaws.com/
Ref:            http://whois.arin.net/rest/org/AMAZO-4

Looking at the former ipTrust website https://www.iptrust.com/howitworks/ reveals that Endgame Systems used Amazon Web Services for its infrastructure:
The more interesting thing about malware-sinkhole.com is its registration date. The whois data reveals that it was registered on 12/14/2010. Two months earlier, in October 2010, Endgame Systems received $29 million in funding to create ipTrust, a “cloud-based botnet and malware detection service that collects and distills security data into a reputation engine”. This could be a coincidence of timing, but the registration of malware-sinkhole.com fits neatly into the Endgame Systems product timeline. Their domain iptrust.com was, like malware-sinkhole.com, also registered via godaddy.com. Note that Domains By Proxy is GoDaddy's own privacy service, so the registrant details below identify the proxy rather than the customer; a shared registrar is a weak link on its own and only adds weight together with the other connections described here.

Domain Name: MALWARE-SINKHOLE.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2013-04-04 10:08:21
Creation Date: 2010-12-14 13:40:51
Registrar Expiration Date: 2013-12-14 13:40:51
Registrar: GoDaddy.com, LLC
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: United States
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com
Admin Street: 14747 N Northsight Blvd Suite 111, PMB 309
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: United States
Admin Phone: (480) 624-2599
Admin Fax: (480) 624-2598
Admin Email: malware-sinkhole.com@domainsbyproxy.com
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14747 N Northsight Blvd Suite 111, PMB 309
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: United States
Tech Phone: (480) 624-2599
Tech Fax: (480) 624-2598
Tech Email: malware-sinkhole.com@domainsbyproxy.com
Name Server: DNS1.STABLETRANSIT.COM
Name Server: DNS2.STABLETRANSIT.COM

Their sinkhole (166.78.144.80) and the formerly used name server (ns1.malware-sinkhole.com -> 69.20.95.4) are both hosted at Rackspace Hosting in San Antonio, Texas:

Endgame System Sinkhole IPs

Below are all domains currently pointing to the sinkhole server at 166.78.144.80. They act as sinkhole domains, i.e. infected machines (bots) connect to them. Some of them formerly used ns1.malware-sinkhole.com as their name server; they now use pdns01.domaincontrol.com and ns1.dynadot.com.

026ac50bb7a03a66.net, 12eriujdjdjjdunog.info, 4vaamaakapku.com, advdomain2.com, aeorclucdlhzdzdmdqhyppn.info, afsdfsyb.info, akkixiodzmfdbntasp.com, alrhsfbz.info, amnsreiuojy.biz, anhfqzmzcliuahobamnrs.com, aqxpsonn.info, asjdiweur87wsdcnb.info, aspnet5ulalalala-lux-premium.info, auaitionalgalsworthymr.com, avilantup.com, b08e6870b2a1ef9e.com, b18h34h34l68duezgsm29luorgybsdrlvcrdr.info, b4canadahatea.com, blogsmoneyok.info, bniwedsafe.com, bol3eraxermitser27erty.com, bpfq02.info, brfroadh.org, bxnet-nt.com, c29mzb68ivnrgqpqb38euiyluh44dtfxhyhr.info, camnetfbvoor5.info, camnetfdfoor4.info, camnetqwfoor4.info, carambmaining.net, caravelaoroltd.com, cirriantiworksansidd89.net, cleansales-agent9.info, cqlrpartbulkyf.com, cqtssgpduscfuaikjeagmozljnrylzt.info, crimatorieviedirkiofthe68.net, cteqgyjsere21jyltprauo41pzaqg23j46os.info, cydzctpxd10crf12aukueqgwo31lunyivjz.info, cyuxrqripzalpspqkoldwlabx.com, daily-poo-91.biz, data-forumziforsexxi01.info, defeatswirly1.net, dggubvhxorb.com, dikixy.info, ditwkukaylebyxhmmzjqoj.info, dofipsdfkjfifps.com, doubtcatch.net, draftlxn.com, dwveuejf.com, dxfetecs.biz, dysaqsjuzuijcvkljyzatbfn.com, dzp52mrlrjunzo11a17pzj16nzcspzhqpzhw.info, dzsmahpcki.info, e41jqd40argtp22owfrjrg13kudqareqbxe11.info, e51lzlvfsg23htf12hrlzb38p12i55orhxoxcy.info, e61gtg53pqotfsm39lxlwbtm69h44mzk57mvbq.info, ebbfmd29fnbs4ww363.info, eigauvlvljonlnhxpnh.info, electrichonor.net, elementarimagine.net, eocfa.org, etlfexgfuxctbypvidxopcq.info, f5ds1jkkk4d.info, fifaua1914aaafa2.info, foemwwi.info, frjgeljennanariq.com, froyoexplainss.com, fvhtedsafe.com, fvvcxjst.biz, fwmavqvphidhnrxcxvcnx.com, fzbtf32ozmto61kqktowd10cyo31gvitiqgw.info, fzbvaydropud.com, g13lviqi45f22d20n20ftevd20k67c49j26aucrb48.info, g1ikdcvns3sdsal.info, gabrabnopolesite.net, gladshoe.net, gmtkkhmnbudlbobaepnhyhiyh.info, golesgo.com, googlesafebrowsing-ads.com, gqnjdudibuphikjsdcuhl.info, grayhorse-love1.info, greatestvacationeverx.com, gtcqiypsarprlvmtd40ktmyc69arescwd30.info, 
gtiva67ara27o11krjzerg63mvjqbvfrixbs.info, gulibyvwtwxvguktwszxaiscr.info, gvbvgreve45by4dd33.com, gxkyg13n20fxm49lxgudzp62k27dunue61mun20.info, gxvybytxd.info, h44d40pxhqevnwh54gwb58n40kwozpsdxd40c29.info, hambqwqfggnablouonee.com, hamburdgoutversionenable.com, he3ns1k.info, hqasf52jyowhzpvoqn20l28l68mycyoza57f42.info, htbwe31arbrhui65d60c59ftm69cwovk57kzjt.info, hugcicpatk.com, hunuczfibkpglbqfgjun.com, hvm49fybqk67bvc59f32ltj36a57isgsb48fyb18.info, i35cym19ltg63lvj46n10p62duj46lsdvo11dvn10.info, ibmzuwqsugnvpjuotkgfmnrdezl.info, ickxxkwv.biz, ieujje239cm.com, iffqqrgvkdlbtsofrfipbdiwcytpj.info, ikehifhjduufjd77ddjfj.info, irmzxsjviwceikceknvozdprmbtgqk.info, ivpdakfaifyhihnvjftdaikn.info, ixa17gzludqlybuj56fqksf12n30d60c69bto61.info, iym39hzj16i55greuk57cskwfxjrpymqdtav.info, izcqmvhwlznvdizlftkovtknv.info, j26nrdqdwn20lrk47cvawcyewl38l38ordyc59.info, j66bujqnyezotl18asixo11fumsj46iuf22f62.info, jckhbgjj.com, jegh34kjhwe8889321.com, jifyhsqkbyykzamdeuceakjf.info, jimsterdark3746.com, jknceldiknaxgmnfgedd.info, jks49sdgrled9.com, jrttuuemjk.biz, justiceforpeople.net, jxmgowupblossomylixuf.com, k57mymqbsmudxkzaslxn50psavb28g53f22iw.info, keywordkr.com, kinstelertiong.com, kjuhhwiusatt.org, kkdydy.com, kltxyyd.info, kmrmbbemjtotaepnpfqkrwgvwin.info, koreasys2.com, koteroselvo.com, krexjdsamdx.com, ktiijejk.biz, kulnd.com, kwngbladderfiorenzewn.com, kwtoestnessbiophysicalohax.com, l28b38drlyjvg63kyevmua37o21humwo11pso11.info, ladadensuarupddipl.info, lenexiusdeotime.net, lettheimmoralityrule2.org, lfvbondencycausticallywutaq.com, litcyleyzrglkulaifkrx.com, ljsomjonmvushavkgaqwtpzjf.info, ljupvinskycattederifg.com, lnprpshztsceyoblrzrowcfiauae.info, lolofaa888mfudodkfkfjdkf.info, look4profits1.net, lpnzrseayswdydwcivzprfqs.info, lprkmfswgqmnfmlvovtwibovgifm.info, lruwxvqgruwswrwifhymzmnyleu.info, lxpznvbqewh14k47pqc19i35g13fzjrnri45av.info, lye21h44f62atb68e21c29b28ish34m39mwp62ive11.info, mafia-ag.info, maltest.info, mdrftwyy.info, miamiola.com, microupdate14.info, 
mkkuei4kdsz.com, mkvrpknidkurcrftiqsfjqdxbn.com, mopiiueus.com, motionubpo.com, mpgspjpl.info, mtewotiwmtma.com, mtfsf42e11oxmrfwd20fvg53o41aupvexmyjv.info, mxfhfg.info, nblraumbahittwwglzxeawgztaqlv.info, netdanet.com, newdomainsconf2221.com, northgeremy.info, ns2275ab.com, nzipesroater.com, obnyi-pesxbeg.net, odksm9luj.biz, ok-money-blogs.info, orbxpvaxi65avm59a27bzh24hwm29a17kvczl18.info, ovpxbvmsc29gymwfwl18o11d20nwiqo11gufw.info, oxc69htgrl48irixp62f42a57kwhsp42czavp62.info, pbajancorml.com, pgdzcic.info, prgeuzydfucylrqspgigiyl.info, pricheshueisherstkugladko.com, protectionadaptss.com, proton-tm9999999.org, psxgwcydypvaknheqk.info, ptlbaemhupbcuizguvszddyqk.info, pxvlcs.info, qbsiauhmoxfkrgfqey.com, qedoluv.info, qekyqop.com, qetyfuv.com, qpafmch.info, qszxaboxdiubxfxsooeio.com, quarterjelly.com, quitfsasaf144new.net, recorduntil.net, rgefa-bugin.com, rjxudurrij.info, rqqyfomgpnqqfrnn.info, s87g7g81ffsdb.com, satriavision.net, sdkhwniuslkjdhfjd.com, sfbnjwetermbkaerynioerter.info, sfmnkyriowjnetnwietwryet.info, sgeagqjfucuwjrhdaitzof.info, singleshotscreen.info, smrebrf.info, smspex201.com, soddddfdddda.com, streetchildhood.net, submit-moonlight-pictures.info, swtryldgapbbyeiirljxtgvohqxc.info, tfmwtnykfxw.net, tiktak10.com, tnyshuxmiax.com, tspddtovautjvtcethathm.info, ubibictj.biz, uhenovqtemgvennnvugvtu.com, uopobqtyhorogupjdcigl.info, uqyfierihon.com, uwggpbhfemzplnrgxtklba.info, vfucck.info, vgfsowmleomwconnxmnyfhle.com, vieajzkg.info, vijthukg.com, vjlvchretllifcsgynuq.com, vperedzaddos.com, vwqoxobapgehxseufamwgrs.info, wadkeci.com, wgcairpfqcdlhthmrsqccmdy.info, wgylqqcqwovdztucwljbrkvcypbe.info, wimeamead.com, winsoft3.com, wokrguxvopgitsxdinjumjx.info, wvwuihci.biz, xbytclrzlwkrukmjayxhimnovpfov.info, xgbmeyqcrchiytcvgcmlktzh.info, xkfqbarkcfyhjzaifgerfqbu.info, xkxfpyur.info, xlotxdxtorwfmvuzfuvtspel.com, xmgwapexg.info, yardlive.net, ymbjswagenherefordacyl.com, yoillzlag.net, ypauwsljdalrbijfakffunztsrg.info, zbijbnrushlvaeypovfimfzijvwv.info, 
zmdgqi.info, zxddadmxdskamcqemlzlzddqc.info 

One email address connected to malware-sinkhole.com could be recovered from the RNAME (responsible mailbox) field of its SOA record: malsinkhole@gmail.com.
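The links used above (a shared A record, shared name servers, a shared SOA contact) and the EC2 range check are mechanical enough to script. The following is an added example, not code from the original post and not part of the ipTrust/Endgame infrastructure: it pivots a set of DNS records on those three indicators and decodes the SOA RNAME into a mailbox address. The record set is constructed inline; the IPs, name servers and contact are the ones quoted in this post, but which name server and SOA contact belongs to which domain is assumed for the example, and the control domain uses documentation addresses. In practice the records would come from a resolver or passive-DNS data.

```python
# Added example, not code from the original post: pivot a set of DNS records on
# the three indicators used above (A record, name servers, SOA contact) and
# check whether an IP falls inside the ARIN-listed Amazon EC2 range.
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "166.78.144.80"                              # from the post
AMAZON_EC2_RANGE = ipaddress.ip_network("50.16.0.0/14")    # from the ARIN record above

# Constructed sample records: domain -> A record, NS records, SOA RNAME.
# The domain names, IPs and name servers appear in the post; which NS/RNAME
# belongs to which domain is assumed here. The last entry is an unrelated
# control domain using documentation addresses.
RECORDS = {
    "026ac50bb7a03a66.net": {"a": "166.78.144.80", "ns": ["pdns01.domaincontrol.com."],
                             "rname": "malsinkhole.gmail.com."},
    "golesgo.com":          {"a": "166.78.144.80", "ns": ["ns1.dynadot.com."],
                             "rname": "malsinkhole.gmail.com."},
    "malware-sinkhole.com": {"a": "50.16.214.154",
                             "ns": ["dns1.stabletransit.com.", "dns2.stabletransit.com."],
                             "rname": "malsinkhole.gmail.com."},
    "control.example":      {"a": "198.51.100.7",  "ns": ["ns1.control.example."],
                             "rname": "hostmaster.control.example."},
}


def rname_to_email(rname):
    """Turn an SOA RNAME into a mailbox address.

    RFC 1035 encodes the mailbox as a domain name: the first unescaped label
    is the local part, so 'malsinkhole.gmail.com.' means malsinkhole@gmail.com.
    A literal dot in the local part is escaped as '\\.'.
    """
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character: keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                            # first unescaped dot is the '@'
            domain = rname[i + 1:].rstrip(".")
            return "%s@%s" % ("".join(local), domain) if domain else None
        local.append(ch)
        i += 1
    return None                                  # no domain part: not a mailbox


def in_ec2(ip):
    """True if the address lies in the EC2 block from the ARIN record."""
    return ipaddress.ip_address(ip) in AMAZON_EC2_RANGE


def pivot(records):
    """Group domains by A record, by name server and by SOA contact, so that
    shared infrastructure stands out. Returns {indicator: {value: [domains]}}."""
    groups = {"a": defaultdict(set), "ns": defaultdict(set), "rname": defaultdict(set)}
    for domain, rec in records.items():
        groups["a"][rec["a"]].add(domain)
        for ns in rec["ns"]:
            groups["ns"][ns.lower().rstrip(".")].add(domain)
        contact = rname_to_email(rec["rname"])
        if contact:
            groups["rname"][contact.lower()].add(domain)
    return {kind: {value: sorted(doms) for value, doms in g.items()}
            for kind, g in groups.items()}


def sinkhole_domains(records, ip=SINKHOLE_IP):
    """Domains whose A record points at the sinkhole address."""
    return pivot(records)["a"].get(ip, [])


def linked_by_contact(records, email):
    """Domains sharing one SOA contact, regardless of where they resolve."""
    return pivot(records)["rname"].get(email.lower(), [])


if __name__ == "__main__":
    print("EC2?", in_ec2("50.16.214.154"))
    print("sinkholed:", sinkhole_domains(RECORDS))
    print("same SOA contact:", linked_by_contact(RECORDS, "malsinkhole@gmail.com"))
```

The SOA contact is the most durable of the three pivots: a domain can be moved to a different A record or name server without touching the RNAME, which is why malware-sinkhole.com still groups with the domains that now resolve to the sinkhole even though it never pointed at 166.78.144.80 itself.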

What happens now?

Kleissner & Associates has a long history of and good experience with “playing with open cards”. We do not think there is any need for security companies to hide their technical infrastructure (servers, domains, IPs, whois data, technology used) behind anonymity. That amounts to security by obscurity: it hides the infrastructure rather than securing it.

It is fascinating to see how closely Endgame Systems is tied to the US government and how it withdrew from public view in 2011. There are clear reports that they not only passively sinkhole but also actively provide infrastructure for attacking infected systems. Providing offensive tools while hiding behind anonymity, just like the criminals, blurs the line between who is actually the good guy and who is the bad guy.

Uncovering a high profile Russian attack

In July 2013, researchers at Kleissner & Associates uncovered what appeared to be an active espionage campaign targeting high-profile companies worldwide, including a European bank and several FORTUNE 500 companies.

For details please see the full report:

http://virustracker.info/download/K&A%20Russian%20Attacks.pdf

For any press inquiries please write info@virustracker.info.

Carberp source code leak

Yesterday (6/24/2013) the Carberp source code finally leaked to the public. It is a 1.9 GB package containing several source trees, including the Carberp and Rovnix bootkit sources. The package also contains sensitive data such as chat logs, logins, Git repository URLs, original project paths and user names in Visual Studio configuration files. There are good blog entries by my colleagues here and here with some nice screenshots.

It was first sold on exploit.in (second screenshot), then leaked on darkode.com (first screenshot), and later leaked on other forums and eventually on Twitter.

darkode.com Carberp leak

exploit.in Carberp sale

Download

Link 1: http://multiupload.nl/A6CFLK4U6M
Link 2: https://mega.co.nz/#!0YsXWBRD!CMqd9nrm1d0XABKlifI9vmxprpQ6RnfsdhBHeKrDXao

The password is:

Kj1#w2*LadiOQpw3oi029)K   Oa(28)uspeh

Analysis of the package

Via kernelmode.info:

Ursnif related

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\VNCDLL.dll
pro\all source\TZ\vnc\VNCd.7z->VNCd/VNCDLL.dll
pro\source builder plugins inj's modules etc\WndRec\vncdemo\VNCDLL.dll
pro\source builder plugins inj's modules etc\Сорцы и Модули\VNCd.7z->VNCd/VNCDLL.dll

Rovnix related (BKLoader itself)

pro\all source\bootkit.old\KLoader\release\i386\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\bksetup.exe
pro\all source\test\bootkit\1\bksetup.exe
pro\all source\test\bootkit\1\setupdll.dll
pro\all source\test\bootkit\bksetup.exe
pro\all source\test\bootkit\setupdll.dll
pro\all source\TZ\bootkit\bin\bksetup.exe
pro\all source\TZ\bootkit\bin\setupdll.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\bin\release\i386\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\bin\release\i386\SetupDll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkSetup.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\setupdll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\setupdll.dll
pro\source builder plugins inj's modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/DrvTest.sys
pro\source builder plugins inj's modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/SpoolNetAdvr.sy_
pro\all source\bootkit\bin\Release\i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\driver_i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\driver_i386\kloader.sys
pro\all source\TZ\bootkit\BK\bin\release\i386\kloader.sys
pro\all source\bootkit.old\KLoader\release\amd64\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\BkSetup.dll

Alureon related (dropper of old variants, still ITW)

pro\all source\DropSploit1.rar->DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1.rar->DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit\out\builder_Release.exe
pro\all source\DropSploit\out\builder_Release.sys
pro\all source\DropSploit\out\dropper.dll
pro\all source\DropSploit\out\Release\dropper.dll
pro\all source\DropSploit\test\1\builder_Release.exe
pro\all source\DropSploit\test\2\builder_Release.exe
pro\all source\DropSploit\test\3\builder_Release.exe
pro\all source\DropSploit\test\5\builder_Release.exe
pro\all source\DropSploit\test\6\builder_Release.exe
pro\all source\DropSploit\test\7\builder_Release.exe
pro\all source\DropSploit\test\8\builder_Release.exe

Claywhist (VNC) related

pro\all source\RemoteCtl\Release\hvnc.exe

Phdet related

pro\all source\TZ\kill_os\bin\os_kill_debug.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe

Zeus related

pro\all source\GrabberIE_FF\Release\GrabberIE_FF.dll
pro\all source\temp\zeus src.rar->zeus src\output\builder\zsb.exe
pro\all source\temp\zeus src.rar->zeus src\output\client32.bin
pro\all source\ZeuS 2.0.8.9\output\builder\zsb.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/builder/zsb.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/client32.bin

SpyEye related

pro\source builder plugins inj's modules etc\Сорцы и Модули\spyinject2.zip->iehookdll_mod.dll
pro\all source\RemoteCtl\Release\rdp.dll
pro\all source\temp\rdp.dll
pro\all source\temp\rdp.exe
pro\all source\TZ\rdp\rdp.plug
pro\source builder plugins inj's modules etc\plugs\rdp.plug

Vundo related

pro\all source\AgentFullTest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\new.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav2.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release\new.exe
pro\all source\bootkit\BkBuild\BootkitRunBot.dll
pro\all source\Demo_Cur2\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Debug\RU.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\WhiteJoe.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\WhiteJoe.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkInstaller.dll
pro\source builder plugins inj's modules etc\ConfigBuilder\ConfigBuilder\ConfigBuilder.exe
pro\source builder plugins inj's modules etc\ConfigBuilder\for test\ConfigBuilder.exe

Carberp itself

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\disktest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\FakeDll.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG2.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_FDI_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release\bki.plug
pro\all source\BJWJ\Builds\Bin\Release\bktest.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav1.exe
pro\all source\BJWJ\Builds\Bin\Release\bootkit.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release\bot.plug
pro\all source\BJWJ\Builds\Bin\Release\docfind.exe
pro\all source\BJWJ\Builds\Bin\Release\first.plug
pro\all source\BJWJ\Builds\Bin\Release\Full.exe
pro\all source\BJWJ\Builds\Bin\Release\ifobstst.exe
pro\all source\BJWJ\Builds\Bin\Release\livrus.exe
pro\all source\BJWJ\Builds\Bin\Release\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release\mmm.exe
pro\all source\BJWJ\Builds\Bin\Release\mybot.exe
pro\all source\BJWJ\Builds\Bin\Release\mytest.exe
pro\all source\BJWJ\Builds\Bin\Release\ola.exe
pro\all source\BJWJ\Builds\Bin\Release\ola1.exe
pro\all source\BJWJ\Builds\Bin\Release\ola2.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_FDI.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_serg.exe
pro\all source\BJWJ\Builds\Bin\Release\second.plug
pro\all source\BJWJ\Builds\Bin\Release\test.exe
pro\all source\BJWJ\Builds\Bin\Release\testftp.exe
pro\all source\BJWJ\Builds\Bin\Release\testnew.exe
pro\all source\BJWJ\Builds\Bin\Release\testtt.exe
pro\all source\BJWJ\Builds\Bin\Release\tinytst.exe
pro\all source\BJWJ\Builds\Bin\Release\tst.exe
pro\all source\BJWJ\Builds\Bin\Release\vnctest.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec2.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.exe
pro\all source\Bot Builder\WhiteJoeRebootPing.exe
pro\all source\temp\2012-07-04_FakeDllFiles\bot.plug
pro\all source\temp\marazm\Droper\WhiteJoe.exe
pro\all source\test\test\ola.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Bot.plug
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Loader_dll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\WhiteJoeRebootPing.dll
pro\source builder plugins inj's modules etc\Full.exe
pro\source builder plugins inj's modules etc\Full_btc.exe
pro\source builder plugins inj's modules etc\plugs\bki.plug
pro\source builder plugins inj's modules etc\plugs\bki_log.plug
pro\source builder plugins inj's modules etc\plugs\bot.plug
pro\source builder plugins inj's modules etc\plugs\bot_log.plug
pro\source builder plugins inj's modules etc\plugs\log\bki.plug
pro\source builder plugins inj's modules etc\plugs\log\bot.plug
pro\source builder plugins inj's modules etc\RU_Az_btc.exe
pro\source builder plugins inj's modules etc\RU_Az_if.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\DBG_bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB_hnt.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU.exe
pro\all source\BJWJ\Builds\Bin\Release\mmmm.exe
pro\all source\BJWJ\Builds\Bin\Release\RU.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_Cur2\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Debug/WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Release\RU.exe
pro\source builder plugins inj's modules etc\InjTest.exe
pro\all source\BJWJ\Builds\Bin\BootkitTest\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\CoreDll.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\Locker\bin\Debug\locker.exe
pro\all source\temp\Demo_cur.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\temp\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\Demo_ifobs.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\Demo_iFOBS_src.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\iFobsLdr.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\src2\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\WndRec\output\log\IBank\1237\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.dll
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.dll
pro\all source\bootkit\BkBuild\ping.dll
pro\all source\temp\marazm\Droper\WhiteJoe.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Loader.exe

Stoned framework with Black Hat Europe 2007 Vipin Kumar POC, detected as Sinowal

pro\source builder plugins inj's modules etc\Сорцы и Модули\Stoned Bootkit Framework.zip

There is also a copy of the Win32 obfuscator known as Mystic Compressor:

adminpanel без иконки\bot_adm\cache\cryptor\CRYPTOR.EXE
pro\all source\BootkitDropper\nbuild\Tools\Mystic.exe
pro\all source\Locker\build\Tools\mystic.exe
pro\all source\test\Mystic.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\Tools\Mystic.exe