[nsp-sec] Attn: Microsoft/MSN Messenger - MSN-bot Social Engineering Messages
Rob Thomas
robt at cymru.com
Tue Feb 26 14:27:32 EST 2008
Hi, Brian.
Nice find!
> A botnet using a command of "msn.url" was seen (a bit over an hour
> ago)
> sending out messages to try to social engineer people into installing
> hXXp://www.massiverender.com/ingles/p3.exe (http changed to hXXp to
> prevent possible clicking).
This one also showed up on 2008-02-22 16:31:04 UTC as photo38.JPG on
a myspace page, I think.
The bot installs itself as C:\WINDOWS\system32\poolmc.exe. It makes
at least one registry key change:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Pool Setup" = poolmc.exe
The bot creates an interesting mutex named "pool4" (no quotes), which
we see in only two members of our malware menagerie.
It's interesting that it subsequently runs:
C:\ipconfig /flushdns.*
The bots are using 01.cybernix.info as the C&C DNS RR. This
presently resolves to:
01.cybernix.info has address 216.151.162.19
01.cybernix.info has address 64.34.166.236
01.cybernix.info has address 64.34.168.165
01.cybernix.info has address 64.34.193.234
01.cybernix.info has address 64.34.203.207
01.cybernix.info has address 195.137.213.67
7393 | 216.151.162.19 | 216.151.160.0/20 | CA | arin | 2006-07-20 | CYBERCON - CYBERCON, INC.
29339 | 195.137.213.67 | 195.137.212.0/23 | DE | ripencc | 2003-07-31 | MBBG-AS Markus Bach Betriebs Gesellschaft mbH
30099 | 64.34.166.236 | 64.34.160.0/19 | US | arin | 2004-07-15 | SB-2 - ServerBeach
30099 | 64.34.168.165 | 64.34.160.0/19 | US | arin | 2004-07-15 | SB-2 - ServerBeach
30099 | 64.34.193.234 | 64.34.192.0/19 | US | arin | 2004-07-15 | SB-2 - ServerBeach
30099 | 64.34.203.207 | 64.34.192.0/19 | US | arin | 2004-07-15 | SB-2 - ServerBeach
We see at least 14 samples in our malware menagerie that use the
01.cybernix.info DNS RR. The oldest sample that uses *.cybernix.info
entered our collection on 2008-01-23 17:05:07 UTC.
Ah! Watch out! This is also using:
pool.hybridtx.com PORTS: 9035 SERVPASS: gsaxx00
We have 85 samples in our malware menagerie that use the
*.hybridtx.com DNS RRs. The oldest dates back to - bleh - 2007-01-08
22:32:28 UTC. So the possible DNS RRs include:
timestamp           | dns_name          | ip
--------------------|-------------------|----------------
2008-02-11 00:22:23 | 01.cybernix.info  | 64.34.203.207
2008-02-22 00:20:23 | crib.acidfox.info | 64.34.203.207
2008-01-06 00:33:07 | pool.hybridtx.com | 64.34.203.207
The bots are gathering on TCP 3055. Other C&C ports from the past
include TCP 9035, TCP 3050, and TCP 9058. The server password is
"gsaxx00" (no quotes) and the bots have nicks of the format
"\00\USA\85p8rc2zhh" (no quotes).
Hmm, interestingly it appears that at least one of the C&C servers is
a Win2K box, not the more frequent *nix IRC server.
There are at least 103 bots on the TCP 3055 botnet, but I'm still
pulling those numbers and looking at traffic to the other C&C ports.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
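As an added illustration (not part of Rob's message or Team Cymru's tooling), here is a small Python checker that applies the indicators above (C&C DNS names, resolved addresses, C&C ports, and the bot nick format) to constructed log lines. The key=value log format, the TEST-NET addresses, and the assumption that the nick's country token may be any 2-3 letter code are mine, not the post's.

```python
import re

# Indicators quoted in the post above (not exhaustive).
CC_DOMAINS = ("cybernix.info", "hybridtx.com", "acidfox.info")
CC_PORTS = {3055, 9035, 3050, 9058}
CC_IPS = {"216.151.162.19", "64.34.166.236", "64.34.168.165",
          "64.34.193.234", "64.34.203.207", "195.137.213.67"}
# Nick format seen: "\00\USA\85p8rc2zhh". Assumption: the middle token is a
# 2-3 letter country code and the trailing token is variable-length.
NICK_RE = re.compile(r"\\00\\[A-Z]{2,3}\\[0-9a-z]+")


def match_domain(name):
    """True if name is one of the C&C zones or a host under one of them."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in CC_DOMAINS)


def scan_line(line):
    """Return the reasons a log line looks like C&C activity (empty if clean).

    Assumed log format: space-separated key=value fields, e.g.
    'dns client=IP query=NAME', 'conn src=IP dst=IP:PORT', 'irc msg=...'.
    """
    reasons = []
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    qname = fields.get("query")
    if qname and match_domain(qname):
        reasons.append(f"dns lookup of C&C name {qname}")
    dst = fields.get("dst", "")
    if ":" in dst:
        host, port = dst.rsplit(":", 1)
        if host in CC_IPS:
            reasons.append(f"connection to C&C address {host}")
        if port.isdigit() and int(port) in CC_PORTS:
            reasons.append(f"connection to known C&C port {port}")
    if NICK_RE.search(line):
        reasons.append("IRC nick matches bot nick format")
    return reasons


def scan_log(lines):
    """Return (line_number, reason) pairs for every hit in the log."""
    return [(n, r) for n, line in enumerate(lines, 1) for r in scan_line(line)]


# Constructed sample log: three bot lines, two benign lines (192.0.2.0/24 is TEST-NET).
SAMPLE_LOG = [
    "2008-02-26T14:01:00 dns client=192.0.2.5 query=01.cybernix.info",
    "2008-02-26T14:01:01 conn src=192.0.2.5 dst=64.34.203.207:3055",
    "2008-02-26T14:01:02 irc src=192.0.2.5 msg=NICK \\00\\USA\\85p8rc2zhh",
    "2008-02-26T14:01:03 dns client=192.0.2.9 query=www.example.com",
    "2008-02-26T14:01:04 conn src=192.0.2.9 dst=192.0.2.10:443",
]
```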