[nsp-sec] Asprox/Danmec traffic
William Salusky
william.salusky at aol.net
Mon Jul 7 00:02:40 EDT 2008
The TCP 4449 activity is not related to the PrivateWire product in any
obvious way that I've noted. I suppose I missed my target audience when
I shared these details previously.
Have a look at the following:
http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux
http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux_Analysis
http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux_1_forum-php
http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux_2_forum-php
http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux-Mass_SQL_Injection-forum_asp_php
W
Rob Thomas wrote:
| ----------- nsp-security Confidential --------
|
| Hi, team.
|
| This comes to you from our own Chas Tomlin. He did a bit of malware and
| traffic analysis on the Asprox/Danmec malware. One bit I'll add -
| several of the involved C&C points appear to be controlled through the
| use of PrivateWire, TCP 4449.
|
| <http://www.arx.com/products/privatewire.php>
|
| This is a bit speculative presently, as the TCP 4449 traffic might not
| be related to the malware activity.
|
| Gerard: Please ping me when you have a mo', as some of that control
| traffic is coming from your area.
|
| Here is Chas' analysis:
|
| Hi,
|
| Team Cymru spent some time analyzing a few recent Asprox/Danmec samples
| over the last 24 hours. We observed some interesting behavior mainly in the
| network traffic from the C&C points. Looking at a section of a response
| we see something that looks like it may contain a list of IPs but encrypted
| using a simple substitution cipher.
|
| )*-5*.+5,"5))-
| -/5*"*5*/5#.
| --5*",5*-#5.
| --5*",5)*-5))"
| --5*",5)((5*((
| --5*""5)/*5"#
| --5)()5*+)5*-"
| ,/5.+5*+-5*-)'4h%
|
| Using a memory dump of the malware we were able to obtain the plain text
| IPs and from there figure out the following numeric substitutions;
|
| 5=.
| *=1
| )=2
| (=3
| /=4
| .=5
| -=6
| ,=7
| #=8
| "=9
|
| We have checked this against other samples and they all appear to be
| using the same scheme.
|
| Using a very simple snort rule we were able to identify a live infected
| host and we pulled the following IPs from the encoded response;
|
|
| This list has stayed pretty static for the last few hours.
|
| Snort rule (would benefit from some anchoring, within, etc);
|
| alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"asprox test"; content:"COMMON.BIN"; sid:1500050; rev:1;)
|
| sed;
|
| sed -e 's/5/Z/g' -e 's/+/0/g' -e 's/\*/1/g' -e 's/)/2/g' -e 's/(/3/g' \
|     -e 's/\//4/g' -e 's/\./5/g' -e 's/-/6/g' -e 's/,/7/g' -e 's/#/8/g' \
|     -e 's/"/9/g' -e 's/Z/\./g'
|
|
| Cheers
|
| Chas
|
|
|
--
William Salusky
william.salusky at aol.net
Sr. Technical Security Investigator - AOL Operations Security
703-265-4924 (desk)
703-201-8873 (cell)
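As an added example (not code from the thread or from Team Cymru), here is a Python decoder for the substitution scheme Chas describes, run over the encoded block quoted above; the "+" -> "0" pair is taken from his sed one-liner, since the listed table omits it, and the octet check is an assumption added here to drop non-address junk after decoding.

```python
import re

# Single-character substitution recovered from the malware's memory dump.
# The "+" -> "0" pair appears only in Chas' sed one-liner, not in the
# listed table; the first sample line needs it ("+" encodes the 0 in 150).
ASPROX_TABLE = str.maketrans({
    "5": ".", "+": "0", "*": "1", ")": "2", "(": "3", "/": "4",
    ".": "5", "-": "6", ",": "7", "#": "8", '"': "9",
})

# Dotted quad not glued to other digits; trailing junk such as '4h% is ignored.
IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")

# Encoded block from the C&C response quoted in the thread (copied here as
# constructed sample input).
SAMPLE_RESPONSE = "\n".join([
    ')*-5*.+5,"5))-',
    '-/5*"*5*/5#.',
    '--5*",5*-#5.',
    '--5*",5)*-5))"',
    '--5*",5)((5*((',
    '--5*""5)/*5"#',
    '--5)()5*+)5*-"',
    ",/5.+5*+-5*-)'4h%",
])


def decode_asprox(ciphertext: str) -> str:
    """Apply the substitution in one pass. str.translate maps every character
    simultaneously, so the '5' <-> '.' swap needs no placeholder (the sed
    version needs the temporary 'Z' for exactly that reason)."""
    return ciphertext.translate(ASPROX_TABLE)


def valid_ipv4(quad: str) -> bool:
    """Reject decoded strings whose octets fall outside 0-255 (added check)."""
    return all(0 <= int(octet) <= 255 for octet in quad.split("."))


def extract_ips(ciphertext: str) -> list[str]:
    """Decode a response body and return the plausible peer IPs it carries."""
    decoded = decode_asprox(ciphertext)
    return [ip for ip in IPV4_RE.findall(decoded) if valid_ipv4(ip)]


if __name__ == "__main__":
    for ip in extract_ips(SAMPLE_RESPONSE):
        print(ip)
```

The first decoded line, 216.150.79.226, is one of the addresses in Chas' list, which confirms the recovered table against the quoted sample.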