[nsp-sec] follow up on spam bounces - the botnet
Andreas Bunten
bunten at dfn-cert.de
Thu Jul 3 11:14:22 EDT 2008
Hi,
a German university was severely hit by spam bounces and I posted a list
of bouncers and later a list of bots who send the spam generating the
bounces.
Stephen Gill helped out by pointing me towards the malware and the C&Cs
and domain names connected to this.
On Thu, 19 Jun 2008, Stephen Gill wrote:
> The biggest thing in common I see amongst your IPs is the fact that they are
> reaching out to this C&C on TCP 80 and TCP 443:
>
> 26780 | 208.72.169.189 | MCCOLO - McColo Corporation
(...)
I tested most of the malware Steve provided. Some C&Cs were offline, and
many behaved very similarly to what Steve pointed out:
> Looking at our heuristics for the most recent malware sample in the list I
> see this:
>
> FLOWs
>
> timestamp            src ip:port         dst ip:port          proto  size
> 2008-06-17 00:41:59  192.168.1.1:2631    206.51.236.94:25     6      0 B
> 2008-06-17 00:41:59  192.168.1.1:2632    208.72.169.189:80    6      0 B
> 2008-06-17 00:41:59  192.168.1.1:2630    208.72.169.189:80    6      118 B
> 2008-06-17 00:41:59  192.168.1.1:2628    195.93.218.28:80     6      86 KB
> 2008-06-17 00:41:59  192.168.1.1:2627    195.93.218.28:80     6      23.89 KB
(...)
206.51.236.94 is found by asking for the MX of catcherinvest.com. It seems to
be a mailserver, and all the malware I looked at did exactly this (local IP
and hostname masked):
220 msn.com ESMTP dreefJom
HELO localhost
250 msn.com(88) Hello xxxx.xxxx.xxxxxxxxx.de [10.10.10.10]
MAIL FROM: host
250 Ok
RCPT TO: host@abc.tld
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
helo
test
letter
.
250 OK id=f525ed83c29d7c47131687f62205b495
QUIT
221 msn.com
This is certainly not MSN: the mailserver answers with '250 OK' on an empty
FROM and other malformed input, and the id is probably an md5 hash of the
data section.
In order to spare the world more spam, Klaus and I built a spamtrap with
a Postfix that accepts everything but only puts it in the hold queue, plus
an iptables redirection. This works perfectly for the spam pumped out, but
not for this pseudo-SMTP session at the beginning. The malware seems to use
different routines for this. And if I don't let it talk to the
real machine (206.51.236.94), the malware will not become active and start
to spam 20 minutes later.
Therefore, I assume that this is a modified mail software with the sole
purpose of counting bots.
The hoster and its provider (AS 29802) share the same postal address:
OrgName: NOC4Hosts Inc.
OrgID: NOC4H
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US
AS29802
OrgName: HIVELOCITY VENTURES CORP
OrgID: HVC-3
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US
Searching for NOC4Hosts and RBN gives quite a few hits. Any chance of
getting at this provider, as it seems malicious?
The host 208.72.169.189 (galileoboots.info) and also 208.72.169.101
(both at McColo Corporation) are talked to on port 80 by the malware.
This is not HTTP, though. Every 40 seconds data is exchanged. It seems
to be used as a keep-alive and also to transfer new commands. These
are transmitted after around 20 minutes of runtime of the malware.
An example of the protocol can be seen in the Anubis analysis of
one of the malware pieces (section 1: unknown tcp traffic).
http://analysis.seclab.tuwien.ac.at/result.php?taskid=4e1c96d50ff6549425f69fffbf74fbd8
Depending on the piece of malware, more software is downloaded, using
real HTTP this time. In one case from 204.72.168.215 (also in the US).
There is also HTTPS communication with 67.198.203.242 (almbarcoz.info),
which I unfortunately could not look at: the Sebek client I used did
not log all content.
Cap-files, more details etc. available upon request.
Sorry for the long mail. My questions:
Has anyone had contact with these IPs running the botnet?
206.51.236.94 mail2.catcherinvest.com / pseudo smtp - NOC4Hosts
208.72.169.189 galileoboots.info / McColo
208.72.169.101 / McColo
204.72.168.215 / Triticom
67.198.203.242 almbarcoz.info / KRYPT
I could not find them in previous mails, nor in the RR.
NOC4Hosts seems malicious to me. Has anybody had contact or handled a
similar case?
Regards,
andreas-b, as 680 (German research network)
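The pseudo-SMTP session quoted in the mail above, as an added example that is not part of the original post: a small Python audit that replays such a transcript and flags the two anomalies Andreas describes (a '250' to a MAIL FROM that is not an address, and a 32-hex 'id' in the DATA reply, which it compares with the md5 of the body). The 'C:'/'S:' annotation, the function names and the sample transcript are my own constructions.

```python
import hashlib
import re
# Constructed transcript modelled on the session quoted in the mail.
SAMPLE_SESSION = """\
S: 220 msn.com ESMTP dreefJom
C: MAIL FROM: host
S: 250 Ok
C: RCPT TO: host@abc.tld
S: 250 Accepted
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: helo
C: test
C: letter
C: .
S: 250 OK id=f525ed83c29d7c47131687f62205b495
"""
HEX32_RE = re.compile(r"id=([0-9a-f]{32})")

def pair_exchanges(text):
    """Pair each 'C:' command with the next 'S:' reply; lines after a 354 are
    the DATA body and the closing '.' is recorded as pseudo-command DATA-END."""
    exchanges, body, pending, in_data = [], [], None, False
    for raw in text.splitlines():
        role, _, line = raw.partition(": ")
        if role == "C":
            if not in_data:
                pending = line
            elif line == ".":
                in_data, pending = False, "DATA-END"
            else:
                body.append(line)
        elif role == "S" and pending is not None:
            exchanges.append((pending, line))
            in_data = pending.upper() == "DATA" and line.startswith("354")
            pending = None
    return exchanges, body

def audit_session(text):
    """Flag a 250 to a MAIL/RCPT argument lacking '@'; test the DATA id as md5."""
    exchanges, body = pair_exchanges(text)
    findings = []
    for cmd, reply in exchanges:
        ok, arg = reply.startswith("250"), cmd.partition(":")[2].strip()
        if ok and cmd.upper().startswith(("MAIL", "RCPT")) and "@" not in arg:
            findings.append(f"{cmd.split()[0]} accepted non-address argument {arg!r}")
        m = HEX32_RE.search(reply) if ok and cmd == "DATA-END" else None
        if m:  # try CRLF and LF line endings for the body as transmitted
            hit = any(hashlib.md5((e.join(body) + e).encode()).hexdigest() == m.group(1)
                      for e in ("\r\n", "\n"))
            findings.append("DATA id %s md5 of body" % ("is" if hit else "is not"))
    return findings
```

Running it on a transcript from a real MTA gives no MAIL/RCPT finding, so the check is a cheap way to separate a counting stub like the one above from a genuine mailserver.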