Partnership with uni.me

http://uni.me/, the world's leading free sub-domain provider, and Kleissner & Associates are announcing a partnership. We will analyze potential malware domains and provide statistical information to security companies and the public in order to make the internet a safer place.

Historical incidents

In 2011 .cz.cc (which is also owned by uni.me) was removed from the Google index due to the high number of malicious/infecting URLs. In the same year Microsoft seized Kelihos-related domains registered via uni.me.

In 2013 Microsoft also seized Bamital- and Citadel-related malware domains (registered via uni.me).

Collateral damage by Microsoft

There is a good blog post by our colleague Roman Hüssy regarding Microsoft's recent operation 'b54'. Microsoft's operation was not about arresting the developers of Citadel. It was not about arresting the users/customers of the Citadel malware (it is for sale to anyone with $$$ on "hacker" forums). It was about taking over mostly old Citadel malware domains (the domains that infected machines connect to).

Get a security researcher, Microsoft

Unfortunately Microsoft simply seized (via court orders) all Citadel domains it could find, without checking their owners. What happened is that they took away a lot of sinkholed domains. In other words: they stole domains from other security companies.

Microsoft was already criticized for its operation b71, where the exact same thing happened.

Identifying sinkholes is an easy task (if you understand security): check the whois information, check the name server, check for other domains pointing to the same IP, ask around in the security industry. We have written algorithms ourselves (and published information about them previously in this blog) to identify sinkholed domains, so as not to falsely classify them as criminal (which could have serious consequences such as blacklisting company networks and servers on certain domain blacklists).

Six sub-domains (used by Citadel/ZeuS malware) pointed to Kleissner & Associates sinkholes and were stolen by Microsoft in their operation b54.

The criminals

This is like seizing a getaway car and doing nothing else. The criminals will just use another car for their next theft, and the Citadel users will just register a new domain. We would like to know how anyone inside Microsoft thinks that this is a success and helps anyone. Just like operation b71, this is rather a PR stunt.

Microsoft email from their lawyer

From: publications@orricklawfirm.com
To: 
Date: Wed, 5 Jun 2013
Subject: IMPORTANT LEGAL NOTICE / NOTICE TO DEFENDANTS [in Russian] - PLEASE READ IMMEDIATELY: Microsoft Corp. v. John Does 1-82, Case No. 3:13cv319 (Western District of North Carolina)

This email relates to domain .
Plaintiff Microsoft Corporation ("Microsoft") has sued defendants John Does 1-82 associated with the Internet Domains and Internet IP Addresses located at http://www.botnetlegalnotice.com/citadel/.  Microsoft alleges that Defendants have violated Federal and state law by operating a computer botnet through these Internet domains and Internet IP addresses, causing unlawful intrusion, intellectual property violations and dissemination of unsolicited bulk e-mail to the injury of Microsoft and the public.  Microsoft seeks a preliminary injunction and seizure order directing the registries and web hosting companies associated with these Internet domains and IP addresses to take all steps necessary to disable access to and operation of these Internet domains and IP addresses, ensure that changes or access to the Internet domains and IP addresses cannot be made absent a court order and that all content and material associated with these Internet domains and IP addresses is to be isolated and preserved pending resolution of the dispute.  Microsoft seeks a permanent injunction, other equitable relief and damages.  Full copies of the pleading documents are available at http://www.botnetlegalnotice.com/citadel.  
NOTICE TO DEFENDANT:  READ THESE PAPERS CAREFULLY!  You must 'appear' in this case or the other side will win automatically.  To 'appear' you must file with the court a legal document called a 'motion' or 'answer.'  The 'motion' or 'answer' must be given to the court clerk or administrator within 21 days of the date of first publication specified herein.  It must be in proper form and have proof of service on Microsoft's attorneys, Neil T. Bloomfield, Moore & Van Allen PLLC, 100 North Tryon Street, Suite 4700, Charlotte, NC 28202-4003; or Gabriel M. Ramsey at Orrick, Herrington & Sutcliffe LLP, 1000 Marsh Rd., Menlo Park, California, 94025.  If you have questions, you should consult with your own attorney immediately.
[The notice then repeats the two paragraphs above in Russian.]
 

GABRIEL M. RAMSEY 
Partner
ORRICK, HERRINGTON & SUTCLIFFE LLP
1000 MARSH ROAD MENLO PARK, CA 94025-1015 
tel 650-614-7361
fax 650-614-7401
gramseyorrick.com 

www.orrick.com

Gigantic digital parasites, fast flux and blacklisting by the Sinowal botnet

In earlier blog posts we discussed sinkholing operations and how the criminals could prevent sinkholing. As discussed, they can easily deploy blacklists of known IPs (or name servers) that belong to security companies. In fact, malware is already using such blacklists for different purposes. Thanks to AV Tracker, malware can also hide from analysis systems (act like a wolf in sheep's clothing).

A couple of days ago the Sinowal people started blacklisting the sinkholes of BFK edv-consulting GmbH (this is an excerpt of the current Sinowal configuration):

41,173.212.213.0/24,Blacklisted subnet
41,24.176.33.0/24,Blacklisted subnet
41,124.185.37.0/24,Blacklisted subnet
41,58.172.169.0/24,Blacklisted subnet
41,95.223.83.0/24,Blacklisted subnet
41,71.67.115.0/24,Blacklisted subnet
41,77.61.125.0/24,Blacklisted subnet
41,64.191.19.0/24,Blacklisted subnet
41,108.61.35.0/24,Blacklisted subnet
41,66.197.200.0/24,Blacklisted subnet
41,64.27.3..0/24,Blacklisted subnet
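To see what the excerpt above actually does to a sinkhole operator, here is a small parser for that configuration format plus a membership check. This is an added example written for this post, not code from the Sinowal sample or from K&A; the config lines are copied verbatim from the excerpt (including the malformed last one), the meaning of record type 41 is assumed from its comment field, and the tested addresses are constructed.

```python
"""Parse a Sinowal-style blacklist excerpt and test addresses against it.

Added example for this post, not code from the Sinowal sample or from K&A.
The config lines are the excerpt above (including the malformed last one);
the record-type meaning and the tested addresses are assumptions/constructed."""
import ipaddress
from typing import List, Optional, Tuple

# The excerpt from the post, verbatim. Assumption: record type 41 = "blacklisted subnet".
CONFIG_EXCERPT = """\
41,173.212.213.0/24,Blacklisted subnet
41,24.176.33.0/24,Blacklisted subnet
41,124.185.37.0/24,Blacklisted subnet
41,58.172.169.0/24,Blacklisted subnet
41,95.223.83.0/24,Blacklisted subnet
41,71.67.115.0/24,Blacklisted subnet
41,77.61.125.0/24,Blacklisted subnet
41,64.191.19.0/24,Blacklisted subnet
41,108.61.35.0/24,Blacklisted subnet
41,66.197.200.0/24,Blacklisted subnet
41,64.27.3..0/24,Blacklisted subnet
"""
BLACKLIST_RECORD = "41"


def parse_blacklist(text: str) -> Tuple[List[ipaddress.IPv4Network], List[Tuple[int, str, str]]]:
    """Return (networks, rejected). A line that does not parse is reported rather than
    silently dropped: a rejected entry is a sinkhole the bot will still talk to."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",", 2)
        if len(fields) != 3 or fields[0] != BLACKLIST_RECORD:
            rejected.append((lineno, line, "unexpected record layout or type"))
            continue
        try:
            nets.append(ipaddress.ip_network(fields[1], strict=False))
        except ValueError as exc:          # e.g. the '64.27.3..0/24' typo above
            rejected.append((lineno, line, str(exc)))
    return nets, rejected


def blacklisted_by(ip: str, nets: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Which entry (if any) blocks this address; None means the bot would still connect."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in nets if addr in n), None)


def covered_sinkholes(sinkholes: List[str], nets: List[ipaddress.IPv4Network]) -> Tuple[List[str], List[str]]:
    """Split sinkhole addresses into (blocked, still_reachable) under this config."""
    blocked = [ip for ip in sinkholes if blacklisted_by(ip, nets)]
    reachable = [ip for ip in sinkholes if not blacklisted_by(ip, nets)]
    return blocked, reachable
```

Two things worth noting from running this over the excerpt: the entries are whole /24s, so moving a sinkhole to a neighbouring address in the same allocation does not escape the list, and the malformed last line is unparseable, so whatever address that entry was meant to cover is still reachable by the bots.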

Game Over for researchers?

This is a typical cat-and-mouse game: as soon as the researcher gets a new IP address, the criminals blacklist it. Automation on both sides raises the level of effort for the other side, for example automatically setting up VPSes as proxies that forward the requests to the real sinkhole. This would be more convenient than changing the IP of the sinkhole itself, which typically means setting up a completely new sinkhole server (and no one has time to set up a new sinkhole server every day).

Fast flux could also be the answer. Of course this requires more infrastructure. Dr. Web, for example, uses fast flux to hide their sinkhole. They actually use the fast flux functionality of Sinowal itself (ironic, isn’t it?).

Security by obscurity is not an option

We think that security by obscurity is not an option. That's why we always list our full company info in the whois of any sinkholed domain, contrary to other companies (including anti-virus companies). That's also why we don't mind that Virus Tracker and Antivirus Tracker are open to both sides of the industry.

If we can, for example, list other sinkholers and anti-virus systems, so can the criminals. The difference is just that we are doing it "openly".

Info on the Pushdo DGA

Our colleagues from Dell SecureWorks (who never reply to our emails) published a research paper about Pushdo and its domain generation algorithm (DGA). DGAs are implemented in malware to evade takedowns. Other malware families featuring DGAs include Conficker A/B/C, ZeuS Gameover, MultiBanker, Shiz, Bamital, Sinowal, ZeroAccess and TDSS.

This is the Pushdo DGA:

Pushdo DGA

Be aware that the old variant uses the TLD ".com", while the new one uses ".kz". It generates 30 domains a day; if no active C&C is found it goes back up to 30 days and then forward up to 15 days, resulting in a total of 1,380 'possible' domains on a single day (46 days × 30 domains).

Before it hits the DGA, however, it tries hard-coded C&Cs. The current one is lyuchta.org.
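The contact schedule described above (hard-coded C&C first, then 30 names per day over a window of 30 days back and 15 days forward) is what a sinkhole operator has to model in order to know which names the bots will try on a given day and in which order. The following is an added example written for this post, not Pushdo's code and not K&A's implementation: the real generator is in the SecureWorks paper and is deliberately not reproduced, so `stand_in_dga()` is a SHA-256 stand-in that only mimics the shape of the output; the "alive" domain sets used for illustration are constructed.

```python
"""Candidate schedule of a Pushdo-style DGA: 30 names per day, scanning 30 days
back and 15 days forward around the current date, tried after the hard-coded C&C.

Added example for this post. Pushdo's real generator is in the SecureWorks paper
and is NOT reproduced here: stand_in_dga() is a SHA-256 stand-in that only mimics
the shape (per-day seed, 30 names, .com or .kz). The 'alive' sets are constructed."""
import hashlib
from datetime import date, timedelta
from typing import Callable, Iterable, List, Optional, Tuple

NAMES_PER_DAY = 30
DAYS_BACK = 30
DAYS_FORWARD = 15
HARDCODED_CC = "lyuchta.org"          # the hard-coded C&C named in the post

Generator = Callable[[date, int, str], str]


def stand_in_dga(day: date, index: int, tld: str) -> str:
    """Hypothetical stand-in generator, not Pushdo's algorithm: 9-12 lowercase letters."""
    digest = hashlib.sha256(f"{day.isoformat()}:{index}".encode()).digest()
    length = 9 + digest[0] % 4
    name = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
    return f"{name}.{tld}"


def day_offsets() -> List[int]:
    """Walk order from the post: today, then back up to 30 days, then forward up to 15."""
    return [0] + [-d for d in range(1, DAYS_BACK + 1)] + list(range(1, DAYS_FORWARD + 1))


def candidate_schedule(today: date, gen: Generator, tld: str) -> List[Tuple[int, str]]:
    """Every (day_offset, domain) the bot may try on `today`: 46 days x 30 = 1,380 names."""
    return [(off, gen(today + timedelta(days=off), i, tld))
            for off in day_offsets() for i in range(NAMES_PER_DAY)]


def first_live_cc(today: date, gen: Generator, tld: str,
                  alive: Iterable[str]) -> Optional[Tuple[Optional[int], str]]:
    """Contact order: hard-coded C&C first, then the DGA window in walk order.
    Offset None marks the hard-coded name; a None result means the bot finds nothing today."""
    live = set(alive)
    if HARDCODED_CC in live:
        return (None, HARDCODED_CC)
    for off, dom in candidate_schedule(today, gen, tld):
        if dom in live:
            return (off, dom)
    return None


def locate_offset(domain: str, today: date, gen: Generator, tld: str) -> Optional[int]:
    """Reverse lookup for the 'Day Offset' column below: which window day produced this name."""
    for off, dom in candidate_schedule(today, gen, tld):
        if dom == domain:
            return off
    return None
```

Because the bot walks backwards before it walks forwards, a sinkholed name for day -1 is reached before any future-day name, while the 15-day look-ahead is what lets a researcher pre-register names before the criminals do. The window also explains the shrinking set in the tables below: a name drops out of the schedule 31 days after its generation day.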

We have implemented the DGA and checked for active domains today (this is just an excerpt; the entire list is bigger):

Date,Day Offset,Domain,IP,Owner
5/22/2013,0,wamanleasux.com,208.73.211.34,Parked/expired
5/22/2013,-1,ceisandir.com,208.73.211.34,Parked/expired
5/22/2013,-3,sicafjodokw.com,208.73.211.152,Parked/expired
5/22/2013,-5,tirmeafozvil.com,208.73.211.152,Parked/expired
5/22/2013,-6,winirqoqt.com,208.73.211.152,Parked/expired
5/22/2013,-7,woqhugpeav.com,208.73.211.152,Parked/expired
5/22/2013,-8,canxirpank.com,80.79.119.118,Criminals
5/22/2013,-9,cunirgugp.com,208.73.211.152,Parked/expired
5/22/2013,-10,heigoqqonu.com,208.73.211.152,Parked/expired
5/22/2013,-11,gafwozlozmuc.com,208.73.211.152,Parked/expired
5/22/2013,-12,waduxovosup.com,208.73.211.152,Parked/expired
5/22/2013,-14,hugdusupsu.com,208.73.211.152,Parked/expired
5/22/2013,-15,kiluxkoju.com,208.73.211.152,Parked/expired
5/22/2013,-16,foqusulih.com,208.73.211.152,Parked/expired
5/22/2013,-17,jocoqhotowi.com,208.73.211.152,Parked/expired
5/22/2013,-18,suxlukeatupw.com,208.73.211.152,Parked/expired
5/22/2013,-19,manjiseovatx.com,208.73.211.152,Parked/expired
5/22/2013,-20,goxoqvacanq.com,208.73.211.152,Parked/expired
5/22/2013,-21,jeagugkato.com,208.73.211.152,Parked/expired
5/22/2013,-22,lozjafupvabi.com,208.73.211.152,Parked/expired
5/22/2013,-23,puxjeofobaja.com,208.73.211.152,Parked/expired
5/22/2013,-24,xoklupeilu.com,208.73.211.152,Parked/expired
5/22/2013,-25,kamozsoca.com,208.73.211.152,Parked/expired
5/22/2013,-26,nafkasictirx.com,208.73.211.152,Parked/expired
5/22/2013,-27,tirhakokmuph.com,208.73.211.152,Parked/expired
5/22/2013,-28,batqeodiji.com,208.73.211.152,Parked/expired
5/22/2013,-29,huxmozmuriji.com,208.73.211.152,Parked/expired
5/22/2013,1,himoviwam.com,208.73.211.34,Parked/expired
5/22/2013,2,wanjozrilj.com,208.73.211.34,Parked/expired
5/22/2013,3,tirderirkeot.com,208.73.211.34,Parked/expired
5/22/2013,4,muqafdilf.com,208.73.211.34,Parked/expired

Going back in time we can see our colleagues from Damballa / Dell SecureWorks / Georgia Tech and Anubis Networks running sinkholes:

Date,Day Offset,Domain,IP,Owner
4/1/2013,0,xokgopozca.com,208.73.211.152,Parked/expired
4/1/2013,-2,bozrokivoq.com,208.73.211.152,Parked/expired
4/1/2013,-8,huxmeorugjoz.com,198.199.69.31,Sinkhole by Georgia Institute of Technology
4/1/2013,-9,keidilrat.com,198.199.69.31,Sinkhole by Georgia Institute of Technology
4/1/2013,-27,linaqiwicro.com,195.22.26.231,Sinkhole by Anubis Networks
4/1/2013,-30,dilfanhats.com,143.215.130.33,Sinkhole by Georgia Institute of Technology
4/1/2013,1,qickugfivi.com,208.73.211.152,Parked/expired
4/1/2013,3,wodaheodo.com,208.73.211.152,Parked/expired
4/1/2013,4,quceifeiq.com,208.73.211.152,Parked/expired
4/1/2013,5,suhumoqdo.com,208.73.211.152,Parked/expired
4/1/2013,6,beibanqeaman.com,208.73.211.152,Parked/expired
4/1/2013,7,xukorokfe.com,208.73.211.152,Parked/expired

Update: In an earlier version we stated that there are a lot collisions generated with the DGA. This is not the case.

News on MultiBanker, features now a jabber p2p functionality

In March we blogged about the MultiBanker gang and their operation. It turns out that earlier this year they updated their software, which is why we saw no active command & control server on the old infrastructure for some time.

New MultiBanker (2013) version

This is a very quick comparison between the old and the new MultiBanker version:

                            MultiBanker 1           MultiBanker 2
Highest known version       835                     43
Directory                   %AppData%               C:\Windows\System32
Main File                   appconf32.exe           jabcon32.exe
Main Mutex                  UpdateAppConf32         UpdateJbr32
Main activity inside        Browser process         explorer.exe

For the new version they have reset the version numbering and use an internal version "a" and "f". The domain generation algorithm remains the same (the first 4 characters of the domain change on every iteration).

A new feature is a potential Jabber p2p network functionality.

Spot MultiBanker domains

Finding MultiBanker domains is easy. They always use one of these 3 whois identities for their domains:

   Andreas Rueping andreasrueping@yahoo.com
   +49.1708073753 fax: +49.1708073753
   Uhlenflucht 1A
   Barth Mecklenburg-Vorpommern 18356
   de

   Julien Michel Dumke julienmicheldumke@yahoo.com
   +49.1772525187 fax: +49.1772525187
   Koppelweg 28A
   Gifhorn Niedersachsen 38518
   de

   Stefan Kuehlein stefankuehlein@yahoo.com
   +49.17675588328 fax: +49.17675588328
   Willy Brandt Strasse 82
   Bergisch Gladbach Nordrhein-Westfalen 51469
   de

In the past weeks all their domains used the IP 41.77.136.140 as their main server. Some example domains:

displeasuredehydratorysagp.com
antisemitismgavenuteq.com
cantorcajanunal.com
andersensinaix.com
formidablyhoosieraw.com
gbpsenhancedysb.com
genialitydevonianizuwb.com
gerhardenslavetusul.com
kennanerraticallyqozaw.com
rozellaabettingk.com
doniellefrictionlessv.com
anshanarianaqh.com
buckbyplaywobb.com

All of these domains were active for only a few hours. The criminals are actually testing their new software, hence the infection count is pretty low (only a handful per test botnet). On our servers we can see, for example, these infections:

MultiBanker 2 infections

Jabber P2P botnet functionality?

Interestingly, the bot software contains a potential Jabber (XMPP) p2p botnet functionality. When the Jabber chat is hooked, messages like the following appear:

(20:27:22) gd000826@bestjabber.com:
-----BEGIN PGP MESSAGE-----

JnwqBA63a7pyb0OLM7/inZGSHhxr5bzlWQ==
-----END PGP MESSAGE-----

We found the following login information via VirusTotal.

KEY: 0x000000b8\Pass01
TYPE: REG_SZ
VALUE: 515E5DC1 (successful)

KEY: 0x000000b8\jid01
TYPE: REG_SZ
VALUE: marriageabilitybobbye8429@zlug.asia/vki4yzcznzg3my0znzkwyzg4y18001 (successful)

Logged in with the 'marriageabilitybobbye8429@zlug.asia' account, these are the other contacts:

MultiBanker Jabber

Where is this going?

The MultiBanker people are actively updating their software. A comparison of the new versions showed that they are still working on it, e.g. by changing the names of registry keys.

We will continue to monitor their operation and keep the public updated on any movements that we observe.

UEFI private signing key leaked, when security goes totally wrong, with the help of a security researcher

Today security researcher Adam Caudill published a blog post, http://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/. Apparently source code of EFI firmware leaked through an insecure Taiwanese FTP server.

Unfortunately he did not wait until the FTP server was completely secured. For security researchers like us it is easy to find loopholes, and to find the original FTP URL even though it was not published in the blog post. The "leaky" FTP server was ftp://ftp.jetway.com.tw/ and here's a screenshot:

FTP Screenshot

The catch is that when the blog post was published, the listing of the "CODE" directory was password protected, but downloading its files was not. Through http://www.mmnt.net/db/0/0/ftp.jetway.com.tw you could still walk the directory structure and get the direct download links.

Index Directory

These are the files in 018s.zip:

File

In \018s\Keys\Variables there are some key files:

File2

There is even documentation in the package on the private key:

SecureMod

Include PK

The real private key is stored at \018s\Keys\FW\.priKey (EXCERPT!):

Private Key

Thanks to the Taiwanese FTP server, and thanks to Adam Caudill who could not wait to publish his blog post, we now have the key. And if we have it, others might too.

Behind MultiBanker, what the security industry doesn’t tell you and its money mule network

MultiBanker (also called Patcher, BankPatch/BankPatcher) is a nasty banking Trojan that has been around since early 2007. It is a very targeted banking Trojan, as it is developed and used by one single group only and they target only specific countries (mainly Austria and Germany) and specific banks. As they only have a couple of thousand infected machines, their botnet does not raise big alarms and does not make it to the news. This goes so far that the MultiBanker C&C only responds to IP addresses from Europe, which in turn automatically makes it uninteresting for American anti-virus companies to investigate or handle.

The Trojan has its main component (appconf32.exe, stored in %AppData%) and several plugins which are specific to the installed software (browser) and the visited websites. For banks it has special plugins (technically BHOs, Browser Helper Objects) that swap the beneficiary account number of online banking transactions on the infected machine, effectively stealing the money out of the victim's bank account.

Connecting to the Command & Control Server

There are a lot of things that do not match the other man-in-the-browser Trojans such as ZeuS, Citadel and SpyEye. Instead of having a fixed domain (or a list of them) for connecting to its command & control server, each sample has an initial domain and uses a domain generation algorithm (DGA) to generate the next ones (always the first 4 characters are altered). While the C&C IP address stays the same for some time (several weeks), the domain changes nearly daily. For researchers unaware of this algorithm and technique this makes it very difficult to trace and also to blacklist. Several other things make research trickier, for example it only downloads its plugins 24 hours after infection.

Here are, for example, the domains and the IP of the C&C from the past days:

    3/18/2013   vhngedsafe.com      103.8.27.39
    3/19/2013   uuzledsafe.com      103.8.27.39
    3/20/2013   yypkedsafe.com      103.8.27.39
    3/21/2013   bjinedsafe.com      103.8.27.39
    3/22/2013   hlhredsafe.com      103.8.27.39

Our Virus Tracker system checks 129,564 potential domains every day, whether they are active or expired, and classifies them all (check out the previous blog post). We use Google's DNS servers for the requests; thanks Google for not limiting the access! Below is the detailed listing of the possible domains in the DGA, grouped by domain suffix. Usually they pick a new suffix every few months. There are more, older botnets; however, they are inactive.

    XXXXedsafe.com          15372 possible domains
    XXXXhuxmiax.com         15372 possible domains
    XXXXierihon.com          2196 possible domains
    XXXXtomvader.com        15372 possible domains
    XXXXednog.com           15372 possible domains
    XXXXapontis.com         15372 possible domains
    XXXXefnomosk.com         2196 possible domains
    XXXXdminmont.com        15372 possible domains
    XXXXesroater.com        15372 possible domains
    XXXXggelds.com           2196 possible domains
    XXXXmobama.com          15372 possible domains

Interestingly, right now – few days after doing an intensive investigation on the MultiBanker botnet, there is no C&C up and running. It could be a coincidence, or the criminals recognized our activities.

Who else is involved?

When researching a particular botnet or Trojan it's always interesting to know who else is looking at the things you are looking at. For MultiBanker, we have the following parties:

Other than that, it has not attracted much attention from other parties in the anti-virus and security industry (for the reason mentioned in the first paragraph). This article should create a little more awareness of what is going on behind the scenes.

Sinkhole server by our colleagues

When we investigate a potential C&C there are a couple of questions to answer. Is it still active? Is it a sinkhole server? Sinkholes are usually passive servers that just log the requests in order to subsequently generate statistics (as done on http://virustracker.info/). You just have to register a domain that is used by the bot; this can be a backup domain, an expired one or a DGA-generated one.

What you can technically do on a sinkhole server is respond with a valid message to the infected machine, which usually makes the infected machine stick to your server. In other words: the criminals lose a bot. If you do that with every bot, well, you take over the entire botnet! As this would raise alarms on the criminals' side, they would implement counter-measures (e.g. blacklisting of sinkholed domains); it would be counter-productive, as at the same time the criminals would be alerted that someone is snooping around.

We picked a random sinkhole domain and modified a sample to use it as C&C instead of the hard-coded one:

    yyqbierihon.com     82.165.25.210    Sinkhole by a German company

We were more than surprised to see that their server actually returns a valid message (!).

The message returned by the C&C/sinkhole makes the bot send back the stolen data. In the screenshot you can see a stolen cookie belonging to Peter Kleissner, CEO of K&A, going to the server operated by the German company. Not nice.


At this point we will leave any conclusions open regarding the legality of instructing infected machines to send stolen data. However, we strongly discourage such behavior and think it is counter-productive.

Protecting against sinkholes

As mentioned, the easiest and most effective way is blacklisting the sinkholes. In fact, MultiBanker C&Cs distribute a blocklist to their infected machines, although this blocklist is currently not maintained. First of all (before blacklisting) you have to detect and know the sinkholes. As an example, this is a sinkhole server (NS, domain, IP):

    NS          ns1.torpig-sinkhole.org
    Domain      ieqgapontis.com
    IP          82.165.25.210
    Owner       Sinkhole by 1&1 Internet AG

What you can do now is blacklist either the NS (which would be very generic), the IP address or the domain. Unfortunately, due to an (intentionally?) broken DNS implementation the NS cannot always be queried for this sinkhole. Therefore the next point (layer) of detection is the IP level. Here is example code that we use ourselves during domain classification on Virus Tracker:

#include <windows.h>
#include <windns.h>
#pragma comment(lib, "dnsapi.lib")

/* IP4_ADDRESS holds the address in network byte order; on a little-endian host the first octet is the low byte. */
#define Ip2Ulong(a,b,c,d)       ((DWORD)(a) | ((DWORD)(b) << 8) | ((DWORD)(c) << 16) | ((DWORD)(d) << 24))

/* Returns 1 if any A record of Domain points at the sinkhole IP 82.165.25.210, 0 otherwise (including lookup failure). */
int IsSinkholeByGermanCompany(char * Domain)
{
    PDNS_RECORD DnsRecord = NULL, Rec;
    int Found = 0;
    if (DnsQuery_A(Domain, DNS_TYPE_A, DNS_QUERY_BYPASS_CACHE, NULL, &DnsRecord, NULL) != DNS_ERROR_RCODE_NO_ERROR)
        return 0;

    /* Walk the whole answer: a round-robin or fast-flux name returns several A records. */
    for (Rec = DnsRecord; Rec != NULL; Rec = Rec->pNext)
        if (Rec->wType == DNS_TYPE_A && Rec->Data.A.IpAddress == Ip2Ulong(82,165,25,210))
        {
            Found = 1;
            break;
        }

    DnsRecordListFree(DnsRecord, DnsFreeRecordList);
    return Found;
}

Before anyone comes up with the opinion that this would help any criminal: these are just a few lines, no rocket science. Banking Trojans are much more complex, and in the cases of MultiBanker and Sinowal they already feature such a blacklist capability.

The money mule network

As mentioned initially, MultiBanker has the ability to steal money by swapping the beneficiary's account number in bank transactions. Once the computer is infected, it is a piece of cake to inject malicious code into the browser process, which then parses the internet traffic and manipulates and exchanges the "right" fields where necessary.

Committing a crime is easy; getting away with it is not. What happens in 100% of the cases is that the account owner detects the loss of money and reports it to his/her bank and the police. In practically all cases the money is in fact gone (transferred); that is how online banking works (at the latest on the value date, which is usually 1-2 business days after initiating the transaction). Though gone does not mean that you or the police cannot afterwards claim the money from the money mule; it is then just a legal question rather than a bank-technical-transaction one.

For obvious reasons the criminals cannot send the money directly to their own bank accounts (they would immediately get caught and arrested). What they do is recruit people under false pretenses to provide bank accounts, pick up the money and send most of it onward via Western Union. There the money trail stops, as the money goes to countries such as Russia or African states and the identities of the people picking up the money on the other end are usually faked. People can be tricked into getting involved in this money laundering scheme by thinking they would get money easily; they are enticed by being told they can keep 10%-20% as their salary.

We were checking the domains used by the MultiBanker people and one particular domain, zia-gruppe.com, did not fit into the DGA scheme. A short lookup reveals that it is being used in an email spam campaign to recruit money mules:

    Employees wanted: Work for you! Well-paid work
    We offer you the opportunity to earn money very easily. It can be combined with other employment!
    Work in our company will take no more than 2-3 hours per day, 1-2 times per week, of your schedule.
    Short description of the job:

    1. We transfer 3000 to 8000 euros to your bank account.
    2. After the money has arrived you withdraw it.
    3. You have already earned 20% of the transferred amount! You keep 600-1600 euros for yourself!
    4. You forward the remaining amount to us.

    Amount and number of transfers are agreed in advance and can be whatever you wish. This activity
    is absolutely legal and does not violate any laws of Germany or the EU. If you are interested in our offer, let us
    know at the following e-mail address: de@zia-gruppe.com. We will contact you as soon as possible and answer
    all questions. Hurry, the number of positions is limited! We took your e-mail address from public sources.
    We apologize if our e-mail has disturbed you. If you want to remove your e-mail address from our distribution
    list, send an empty e-mail to the following address: del@zia-gruppe.com

The original is in German; these are the basic proposed conditions:

  • The criminals wire you 3000 EUR to 8000 EUR and you withdraw it
  • You can keep 20% as salary
  • You send the rest per Western Union, Paysafecard or Ukash
  • Work is only 2-3 hours/day and 1-2 days/week

We found the following email addresses being used. They suggest that some kind of DGA is used here too (one scheme is de@XXXY-gruppe.com):

    de@zia-gruppe.com
    de@gds-gruppe.com
    de@zimm-team.com
    de@lmxx-group.com
    de@xemm-gruppe.com
    de@llks-group.com
    de@jyog-gruppe.com
    de@netca-gruppe.com
    de@komax-gruppe.com
    de@gesd-gruppe.com
    ...
    de@finsk-group.com
    de@gelix-group.com
    de@jyj-group.com

A subsequent email from the MultiBanker people (to a potential recruited money mule) with more information on this “work” is published at http://www.konsumer.info/?p=25181.

Active money mule network

Nearly all of the previously mentioned email addresses were active in August, September and October 2012. However, we found the following still-active domains. You can probably still write to the MultiBanker people by sending your application to "de@keri-group.com".

All of them are hosted on 37.9.54.245 in Russia. As you can see in the screenshot, the website asks for a user id and password; however, it remains unclear whether there is a real portal behind it or not.

HK FinanzgruppeKeri Group

Conclusion

The MultiBanker gang has been around since 2007 and they know how to do their job. They know how to stay under the radar and avoid attention. As they automatically change the C&C domain every day, keeping track of the domains requires automated systems. With Virus Tracker we have such a system: we see all the used domains, and if there is any change we are the first ones after the criminals to know.

The next step would be a real police investigation: seizing and requesting all the records from the hosting, domain and email providers. It only takes one IP record where the criminals failed to use a VPN (for example if the VPN disconnects and the person does not realize it immediately) to trace them back. Or maybe one VPN provider has enough information (payment credit cards, ...) to trace them back. The issue is not a lack of technical possibilities, it is a lack of interest (+ awareness + knowledge) on the part of the authorities in this case.

Domain classification service, for security researchers

1. Enter your domains here
2. Classify them
3. ????
4. PROFIT!

K&A offers a new free domain classification service on Virus Tracker for security researchers. For classifying malware domains, the following types are introduced:

      Parked/expired    Domains that are parked or (about to be) expired
      Collision         When there is a legitimate domain colliding with a DGA
      Suspended         Suspended by the registrar
      Criminals         If the domain wasn't detected as any other type
      Fast flux         When there are multiple A records
      Sinkhole by X     Sinkhole by a known entity
      Not registered    Non registered domain
      Ghosted           Domain without any A records

Please note that "Criminals" means nothing more than "probable active C&C". As the intention is to classify a bunch of known malware domains, the program cannot distinguish between a legitimate website/server and a maliciously used one. The output format is CSV. Here is an example of the output of the classification service:

Domain,IP,NS,Owner
arqogipjsbcdmk.com,72.172.91.230,arqogipjsbcdmk.com,Parked/expired
axigleyldgeq.com,176.31.62.76,ns1.suspended-domain.org,Sinkhole by zinkhole.org
caosuihgsvivlxh.com,204.13.162.116,ns1.dsredirection.com,Parked/expired
carrerfullezz.com,69.43.161.180,ns1.above.com,Parked/expired
nbykkrkevuri.com,198.61.227.6,ns0.sinkdns.com.nbykkrkevuri.com,Sinkhole by Georgia Institute of Technology

This comes in handy when analyzing malware: you see the DNS requests but you don’t know which of the domains are actually still active, which are already expired, and so on.
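To make the classification rules above concrete, here is an added example (not Datenkrake's own code, which K&A has not published) that applies the eight types to resolver output and emits the same Domain,IP,NS,Owner CSV layout. The DNS records are constructed inline; the sinkhole and parking name-server tables, the prefix match for glue-style sinkhole NS names, and the allow-list used for collision detection are all assumptions made for the example, not details of the service.

```python
import csv
import io
from dataclasses import dataclass, field


@dataclass
class DnsRecord:
    """What a resolver and a registrar check tell us about one domain.
    Values here are constructed; a real run would query DNS and whois."""
    registered: bool = True
    suspended: bool = False
    a_records: list = field(default_factory=list)
    ns_records: list = field(default_factory=list)


# Hypothetical lookup tables (assumption: a real system curates these from
# observed name servers). The two sinkhole entries mirror the NS names and
# owner strings shown in the CSV sample above.
SINKHOLE_NS = {
    "ns1.suspended-domain.org": "zinkhole.org",
    "ns0.sinkdns.com": "Georgia Institute of Technology",
}
PARKING_NS = {"ns1.dsredirection.com", "ns1.above.com"}


def _norm(ns):
    return ns.lower().rstrip(".")


def sinkhole_owner(ns_records):
    """Return the sinkhole operator if any NS is a known sinkhole name server.
    The prefix match covers glue-style names such as ns0.sinkdns.com.<domain>."""
    for ns in map(_norm, ns_records):
        for known, owner in SINKHOLE_NS.items():
            if ns == known or ns.startswith(known + "."):
                return owner
    return None


def classify(domain, rec, legit_domains=frozenset()):
    """Apply the classification types; 'Criminals' is the fall-through
    when nothing else matched, exactly as the post defines it."""
    if not rec.registered:
        return "Not registered"
    if rec.suspended:
        return "Suspended"
    owner = sinkhole_owner(rec.ns_records)
    if owner:
        return f"Sinkhole by {owner}"
    if domain.lower() in legit_domains:
        return "Collision"
    if any(_norm(ns) in PARKING_NS for ns in rec.ns_records):
        return "Parked/expired"
    if not rec.a_records:
        return "Ghosted"
    if len(rec.a_records) > 1:
        return "Fast flux"
    return "Criminals"


def classify_to_csv(records, legit_domains=frozenset()):
    """Emit the Domain,IP,NS,Owner layout used by the service."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Domain", "IP", "NS", "Owner"])
    for domain, rec in records.items():
        w.writerow([domain, ";".join(rec.a_records), ";".join(rec.ns_records),
                    classify(domain, rec, legit_domains)])
    return buf.getvalue()


# Constructed sample input. The first two rows reuse values from the CSV
# sample above; the rest use RFC 5737 documentation addresses and .test names.
SAMPLE = {
    "nbykkrkevuri.com": DnsRecord(a_records=["198.61.227.6"],
                                  ns_records=["ns0.sinkdns.com.nbykkrkevuri.com"]),
    "carrerfullezz.com": DnsRecord(a_records=["69.43.161.180"],
                                   ns_records=["ns1.above.com"]),
    "flux.test": DnsRecord(a_records=["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                           ns_records=["ns1.flux.test"]),
    "ghost.test": DnsRecord(a_records=[], ns_records=["ns1.ghost.test"]),
    "gone.test": DnsRecord(registered=False),
    "held.test": DnsRecord(suspended=True, ns_records=["ns1.registrar-hold.test"]),
    "popular.test": DnsRecord(a_records=["192.0.2.20"], ns_records=["ns1.popular.test"]),
    "active.test": DnsRecord(a_records=["192.0.2.30"], ns_records=["ns1.active.test"]),
}
LEGIT = frozenset({"popular.test"})  # constructed allow-list for collision checks

if __name__ == "__main__":
    print(classify_to_csv(SAMPLE, LEGIT), end="")
```

The order of the checks matters: a sinkholed domain also has a single A record, so testing for sinkhole name servers before the fast-flux and fall-through rules keeps sinkholes from being reported as active C&Cs, which is precisely the misclassification the post warns about.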

A short look behind the curtains

Behind the Virus Tracker system there is a program called “Datenkrake” (English: data kraken) which does all the magic. It checks the domains, contacts the C&Cs and the name servers, knows the sinkholes and the malware protocols, and has heuristic detection algorithms implemented. It generates the data displayed on Virus Tracker.

Datenkrake

We automatically check 102.131 domains every day, using Google’s DNS servers (thanks, Google!). Through the DNS requests we know exactly which domains are actively used by the criminals, which allows further operations (such as takedowns and sharing the knowledge and intel with the security community).

We own the Russian Business Network! (at least their domain)

Kleissner & Associates s.r.o. is a newly founded company in Prague, Czech Republic. One of the founders is Peter Kleissner, a Czech resident. K&A is the company behind Virus Tracker – an automated system to monitor botnets and gather long-term botnet statistics from both the infection and the command & control side.

Russian Business Network

The Russian Business Network used to be a hosting provider (operating like a company but not legally registered) whose main customers hosted command & control and drop servers for different types of botnets. Some background information is available on Wikipedia [1]. For their web presence they used the domain rbnnetwork.com.

RBN Mails

Behind the technical details

Recently we acquired the domain of the infamous Russian Business Network – rbnnetwork.com. If you check the whois information, you can see us as the legal owner:

Domain rbnnetwork.com

Date Registered: 2011-11-9
Date Modified: 2012-12-7
Expiry Date: 2013-11-9

DNS1: ns1.easyname.eu
DNS2: ns2.easyname.eu

Registrant
Kleissner & Associates s.r.o.
Authorized Representative
Email:info@rbnnetwork.com
Na strzi 1702/65
140 00 Praha
Czech Republic
Tel: +420.00000000

We installed an SMTP sinkhole which catches all emails sent to *@rbnnetwork.com and added it to the Virus Tracker system. From December 2012 to January 2013 we received emails addressed to the following recipients:

47175755.6020800@rbnnetwork.com
abuse@rbnnetwork.com
info@rbnnetwork.com
maria@rbnnetwork.com
natalia@rbnnetwork.com
ncc@rbnnetwork.com
noc@rbnnetwork.com
ripe@rbnnetwork.com
support@rbnnetwork.com
tim@rbnnetwork.com
vladimir@rbnnetwork.com

All emails were sent from automated systems: newsletters, forums and spam bots. Once you own a domain name you can set up your own email server and receive any emails. This means you can use the password recovery functionality built into most forums and websites. Usually all you need to know is the user’s email address or user name, which you might get through automated newsletters.

We have automated the process of catching all emails and generating a listing. You can download the daily generated overview of the received emails here (xlsx). Also, there is a new tab on http://virustracker.info/.
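The catch-all sinkhole described above and the automated recipient listing, as an added example that is not K&A's code and was not published by them. It is a socket-free SMTP command handler driven by a constructed client transcript, so it runs offline; the reply strings, the per-recipient counter and the transcript itself are assumptions of the example. The one property worth copying from it is that a sinkhole accepts any local part at its own domain and refuses every other recipient, so it never becomes an open relay for the spam bots that will find it.

```python
import re
from collections import Counter

SINKHOLE_DOMAIN = "rbnnetwork.com"  # the domain from the post


class CatchAllSmtp:
    """Command handler for a catch-all SMTP sinkhole (added example, no sockets).
    Accepts any local part at the sinkhole domain, refuses everything else so
    the sinkhole can never act as an open relay, and stores each message."""

    def __init__(self, domain):
        self.domain = domain.lower()
        self.messages = []  # one dict per accepted message
        self._reset()

    def _reset(self):
        self.sender = None
        self.rcpts = []
        self.body = []
        self.in_data = False

    def handle_line(self, line):
        """Process one client line; return the reply, or None while inside DATA."""
        if self.in_data:
            if line == ".":
                self.messages.append({"sender": self.sender,
                                      "recipients": list(self.rcpts),
                                      "body": "\n".join(self.body)})
                self._reset()
                return "250 OK: queued"
            # RFC 5321 dot-unstuffing: a leading ".." was a single "." in the text
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.domain}"
        if verb == "MAIL":
            m = re.match(r"FROM:\s*<([^>]*)>", arg, re.I)
            if not m:
                return "501 syntax error"
            self.sender = m.group(1).lower()
            return "250 OK"
        if verb == "RCPT":
            m = re.match(r"TO:\s*<([^>]+)>", arg, re.I)
            if not m:
                return "501 syntax error"
            if self.sender is None:
                return "503 bad sequence of commands"
            addr = m.group(1).lower()
            if not addr.endswith("@" + self.domain):
                return "550 relaying denied"  # catch-all for our domain, never a relay
            self.rcpts.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 bad sequence of commands"
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 command not recognized"


def run_session(domain, lines):
    """Feed a client transcript to a fresh handler; return (replies, messages)."""
    h = CatchAllSmtp(domain)
    replies = [r for r in (h.handle_line(l) for l in lines) if r is not None]
    return replies, h.messages


def recipient_listing(messages):
    """Count how often each local address was targeted: the daily overview."""
    return Counter(r for m in messages for r in m["recipients"])


# Constructed client transcript: one newsletter delivery plus a relay attempt.
SESSION = [
    "EHLO mailer.example.net",
    "MAIL FROM:<newsletter@example.net>",
    "RCPT TO:<abuse@rbnnetwork.com>",
    "RCPT TO:<NOC@rbnnetwork.com>",
    "RCPT TO:<someone@other.example>",  # not our domain: must be refused
    "DATA",
    "Subject: constructed sample",
    "",
    "..starts with a dot after unstuffing",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, msgs = run_session(SINKHOLE_DOMAIN, SESSION)
    for addr, n in sorted(recipient_listing(msgs).items()):
        print(f"{addr}\t{n}")
```

Recipient addresses are lower-cased before they are stored, so NOC@ and noc@ land in the same row of the listing, and a message is only recorded after the terminating dot, which keeps half-delivered spam-bot sessions out of the overview.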

About the operation

The first step was to register the domain. Once you own it, the question is what to do with it. There are legal considerations on how far one can go; technically a lot is possible. The policy of K&A, however, is to never return any payload data on any kind of sinkhole. While our mission is the technical investigation of botnets (and criminal organizations), we do not stand above the law and it is not up to us to catch criminals.

The interest behind this operation is to show what is technically possible. This (a small piece of a bigger puzzle) helps to investigate the criminal network and understand its organizational structure (even though it is considerably old by now). If you own the domain of an organization (whether a company or a criminal network) you can simply impersonate it; this is where social engineering comes in. This might become interesting when, for example, probing a government or intelligence agency: offering a criminal service and checking their response. The Russian Business Network still has “good” street cred.

We will keep this blog post updated if there are any new developments.

References

[1] http://en.wikipedia.org/wiki/Russian_Business_Network
[2] http://www.bizeul.org/files/RBN_study.pdf