[nsp-sec] spam bounces - the sending bots
Stephen Gill
gillsr at cymru.com
Thu Jun 19 15:13:11 EDT 2008
Hi Andreas,
The biggest thing in common I see amongst your IPs is the fact that they are
reaching out to this C&C on TCP 80 and TCP 443:
26780 | 208.72.169.189 | MCCOLO - McColo Corporation
Here's a snapshot of some of the malware sample hashes and dnsrrs associated
with the flows:
Looking at our heuristics for the most recent malware sample in the list I
see this:
FLOWs
timestamp src ip:port dst ip:port proto size
2008-06-17 00:41:59 192.168.1.1:2631 206.51.236.94:25 6 0 B
2008-06-17 00:41:59 192.168.1.1:2632 208.72.169.189:80 6 0 B
2008-06-17 00:41:59 192.168.1.1:2630 208.72.169.189:80 6 118 B
2008-06-17 00:41:59 192.168.1.1:2628 195.93.218.28:80 6 86 KB
2008-06-17 00:41:59 192.168.1.1:2627 195.93.218.28:80 6 23.89 KB
DNS
dnsrr: galileoboots.info
ip: 208.72.169.189
type: A
dnsrr: host.catcherinvest.com
type: MX
answer: mail2.catcherinvest.com
dnsrr: mail2.catcherinvest.com
ip: 206.51.236.94
type: A
URLs
hxxp://195.93.218.28/s4/dd.exe
type: GET
hxxp://195.93.218.28/s4/u.php
type: GET
hxxp://195.93.218.28/s4/email.exe
type: GET
useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
RELATIVES
195.93.218.28 (87)
206.51.236.94 (39)
208.72.169.189 (14)
mail2.catcherinvest.com (27) 2008-04-23 23:32:44
mail2.uikkl.info (2) 2008-02-09 07:55:30
galileoboots.info (11) 2008-05-18 18:35:11
almbarcoz.info (2) 2008-05-03 10:28:45
mazerattikrak.info (2) 2008-04-13 20:46:58
195.93.218.28 (65) 2008-04-13 06:32:08
AV
AV engine Country Signature
Ahnlab KR Win-Trojan/Downloader.8704.RD
Aladdin (esafe) IL no_virus
Alwil (avast) CZ Win32:Trojan-gen {Other}
Authentium US W32/Downldr2.AVPU
Avira (antivir) DE TR/Crypt.XPACK.Gen
Bit9 (fileadvisor) US no_virus
BitDefender RO Trojan.Agent.AGGZ
CA (E-Trust Ino) US no_virus
CA (E-Trust Vet) US Win32/Chepvil!generic
CAT (quickheal) IN TrojanDownloader.Small.hie
ClamAV Trojan.Downloader-20352
Dr. Web RU Trojan.DownLoader.38511
Eset (nod32) US Win32/TrojanDownloader.Tiny.NDC
Ewido DE Downloader.Small.umk
Fortinet US no_virus
Frisk (f-prot) IS W32/Downldr2.AVPU
Frisk (f-prot4) IS no_virus
F-Secure FI W32/Malware
GData DE Win32:Trojan-gen
Grisoft (avg) CZ Generic9.AHNZ
Ikarus AT no_virus
Kaspersky RU no_virus
Mcafee US no_virus
Microsoft US TrojanDownloader:Win32/Chepvil.gen!A
Norman NO W32/Malware
Panda ES W32/Mydoom.GE.worm
Prevx GB no_virus
Rising CN no_virus
Securecomputing (webwasher) US Trojan.Crypt.XPACK.Gen
Sophos GB Troj/TinyDo-Fam
Sunbelt US no_virus
Symantec US no_virus
TheHacker PE no_virus
UNA UA no_virus
VirusBlokAda (vba32) BY Trojan-Downloader.Win32.Small.hif
VirusBuster HU no_virus
Other URLs seen at the 195.93.218.28 IP from sandboxing in 2008:
Hopefully that should get you started ;).
Cheers,
Steve, Team Cymru
On 6/19/08 7:37 AM, "Andreas Bunten" <bunten at dfn-cert.de> wrote:
> ----------- nsp-security Confidential --------
>
> Hi teams, I wrote yesterday:
>
> < I am writing on behalf of a German university which is receiving
> < massive amounts of spam bounces.
> <
> < Somebody was and still is sending out great amounts of spam with faked
> < 'From' headers which point to <barid AT fht-esslingen.de> and sometimes
> < other email addresses under the same domain. The mail server at this
> < university is now receiving around 2 million bounces from non-deliverable
> < spam messages every day.
>
> Many thanks to everyone with good suggestions and who explained (or
> even solved) the bounce-problem to their mail admins! This does help
> a lot! I'll leave the list online for late comers who still want to
> have a look.
>
> Unfortunately, this 'only' mitigates the damage done. I am curious
> about the botnet sending the spam.
>
> In order to find the botnet, I am looking for the malware. I have a
> couple of thousand bounce-samples, some of them containing the full
> original message. Since the spam was sent the same way all around,
> it's not that difficult to extract the sending IPs. I checked various
> samples and built in some safety catches, so I'm fairly sure that
> there should be very few false positives, if any.
>
> The list of spam sending, probably compromised hosts can be found here:
>
> https://www.dfn-cert.de/downloads/irt/spam_sender_compromised.lst
>
> If you have hosts on the list and you are able to retrieve the malware,
> that would be greatly appreciated (and repaid in beer or other beverages
> at the next conference)! The list of ASes is appended to the mail body.
>
> The list of bounce sending (not compromised!) hosts is still there,
> but I did not update it:
>
> https://www.dfn-cert.de/downloads/irt/bounce_sender_top5percent.lst
>
> You will need these credentials:
>
> User: nspsec
> Pass: zaYie9si
>
> Regards,
> andreas-b, as 680 (German research network)
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
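The sending-IP extraction Andreas describes in the quoted message, as an added example that is not code from either poster: it parses a DSN bounce that carries the original spam and applies three safety catches before trusting an IP. The bounce, the hostnames (mx.victim.example, spoofed.example, relay.spoofed.example) and the addresses in it are constructed placeholders.

```python
import email, ipaddress, re
from email import policy
from email.utils import parseaddr

# Clients in these ranges cannot be the bot: such a stamp records an internal relay hop.
NOT_A_BOT = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed bounce (placeholder hosts): the MX took the spam from 198.51.100.23; the lower hop is forged.
BOUNCE = """\
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.victim.example
--b1
Content-Type: message/rfc822

Received: from relay.spoofed.example ([198.51.100.23])
\tby mx.victim.example (Postfix) with SMTP id 0F1; Tue, 17 Jun 2008 00:41:59 +0000
Received: from mail.bank.example ([10.9.8.7]) by relay.spoofed.example; Mon, 16 Jun 2008
From: Some One <barid@spoofed.example>

text
--b1--
"""

def sender_ip(raw_bounce, spoofed_domain):
    """IP that handed the spam to the reporting MTA, or None when a safety catch fails."""
    dsn = email.message_from_string(raw_bounce, policy=policy.default)
    parts = {p.get_content_type(): p for p in dsn.walk()}
    if not {"message/delivery-status", "message/rfc822"} <= parts.keys():
        return None
    status = parts["message/delivery-status"].get_payload()[0]   # first per-message block
    orig = parts["message/rfc822"].get_payload()[0]              # the returned spam
    mta = str(status.get("Reporting-MTA", "")).split(";", 1)[-1].strip().lower()
    # Catch 1: only bounces of mail forging this campaign's From header belong to the set.
    if parseaddr(str(orig.get("From", "")))[1].rpartition("@")[2].lower() != spoofed_domain:
        return None
    for hop in orig.get_all("Received", []):   # topmost first, so the MX's own stamp wins
        m = re.match(r"from\s+(.*?)\s+by\s+([\w.-]+)", " ".join(str(hop).split()), re.I)
        # Catch 2: trust only the stamp the reporting MTA added; lower hops are sender-supplied.
        if not m or m.group(2).lower() != mta:
            continue
        found = re.findall(rf"\[({IPV4})\]", m.group(1)) or re.findall(IPV4, m.group(1))
        ip = ipaddress.ip_address(found[-1]) if found else None
        # Catch 3: a private or loopback client means a relay sat in front of the MX.
        return str(ip) if ip and not any(ip in net for net in NOT_A_BOT) else None
    return None
```

Real bounce sets vary (Exim and qmail stamp Received differently, and some DSNs return only text/rfc822-headers), so the Received regex and the part types are the two places to extend.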