[nsp-sec] Asprox/Danmec traffic

Rob Thomas robt at cymru.com
Thu Jul 3 10:26:52 EDT 2008


Hi, team.

This comes to you from our own Chas Tomlin.  He did a bit of malware and 
traffic analysis on the Asprox/Danmec malware.  One bit I'll add - 
several of the involved C&C points appear to be controlled through the 
use of PrivateWire, TCP 4449.

    <http://www.arx.com/products/privatewire.php>

This is a bit speculative presently, as the TCP 4449 traffic might not 
be related to the malware activity.

Gerard:  Please ping me when you have a mo', as some of that control 
traffic is coming from your area.

Here is Chas' analysis:

Hi,

Team Cymru spent some time analyzing a few recent Asprox/Danmec samples 
over the last 24 hours. We observed some interesting behavior mainly in the
network traffic from the C&C points. Looking at a section of a response 
we see something that looks like it may contain a list of IPs, encrypted 
using a simple substitution cipher.

)*-5*.+5,"5))-
-/5*"*5*/5#.
--5*",5*-#5.
--5*",5)*-5))"
--5*",5)((5*((
--5*""5)/*5"#
--5)()5*+)5*-"
,/5.+5*+-5*-)'4h%

Using a memory dump of the malware we were able to obtain the plain text 
IPs and from there figure out the following numeric substitutions;

5=.
*=1
)=2
(=3
/=4
.=5
-=6
,=7
#=8
"=9

We have checked this against other samples and they all appear to be 
using the same scheme.

Using a very simple snort rule we were able to identify a live infected 
host and we pulled the following IPs from the encoded response;


This list has stayed pretty static for the last few hours.

Snort rule (would benefit from some anchoring, within, etc);

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"asprox test"; content:"COMMON.BIN"; sid:1500050; rev:1;)

sed;

sed -e 's/5/Z/g' -e 's/+/0/g' -e 's/*/1/g' -e 's/)/2/g' -e 's/(/3/g' -e 's/\//4/g' -e 's/\./5/g' -e 's/-/6/g' -e 's/,/7/g' -e 's/#/8/g' -e 's/"/9/g' -e 's/Z/\./g'


Cheers

Chas



-- 
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
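
An added decoder (not part of the original post or of Team Cymru's tooling) that applies the substitution table above to a captured response and keeps only well-formed IPv4 addresses; it takes the '+' -> '0' mapping from the sed one-liner, and the sample input is the encoded fragment quoted in the analysis, so the trailing garbage on its last line exercises the filtering.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Substitution table recovered in the analysis above: wire character -> digit.
# '+' -> '0' is taken from the sed one-liner; '5' on the wire is the octet separator.
# str.translate maps every character in a single pass, so the '5' <-> '.' swap
# needs no placeholder (the sed version needs its 'Z' trick because it is sequential).
ASPROX_DIGIT_MAP = str.maketrans({
    "+": "0", "*": "1", ")": "2", "(": "3", "/": "4",
    ".": "5", "-": "6", ",": "7", "#": "8", '"': "9",
    "5": ".",
})

# A dotted quad not glued to other digits; the octet range is checked separately.
DOTTED_QUAD = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def decode_line(line: str) -> str:
    """Apply the single-character substitution to one line of a C&C response."""
    return line.translate(ASPROX_DIGIT_MAP)


def extract_ips(blob: str) -> list[str]:
    """Decode a response blob and return the valid IPv4 addresses it carries, in order.

    Characters outside the table (such as the trailing junk on the last sample
    line) are left untouched, so they never merge into a neighbouring address.
    """
    found = []
    for raw in blob.splitlines():
        for quad in DOTTED_QUAD.findall(decode_line(raw)):
            try:
                found.append(str(IPv4Address(quad)))  # rejects octets above 255
            except AddressValueError:
                continue
    return found


# Constructed sample: the encoded fragment quoted in the analysis above.
SAMPLE_RESPONSE = "\n".join([
    ')*-5*.+5,"5))-',
    '-/5*"*5*/5#.',
    '--5*",5*-#5.',
    '--5*",5)*-5))"',
    '--5*",5)((5*((',
    '--5*""5)/*5"#',
    '--5)()5*+)5*-"',
    ",/5.+5*+-5*-)'4h%",
])

if __name__ == "__main__":
    for ip in extract_ips(SAMPLE_RESPONSE):
        print(ip)
```

Feeding it the payload of a session flagged by the Snort rule gives the peer list without hand-editing the sed output.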
