[nsp-sec] Ping AS8001/AS36351 - possible botnet C&C

Rob Thomas robt at cymru.com
Wed Mar 12 12:56:31 EDT 2008


Hi, Zoe.

Nice catch!

> 8001    | 64.21.149.167    | NET-ACCESS-CORP - Net Access Corporation

That one had some interesting DNS RRs pointed to it:

       timestamp      |     dns_name      |      ip
--------------------- ------------------- ---------------
  2008-01-04 04:46:42 | bdubefoeug.yi.org | 64.21.149.167
  2008-01-05 04:37:46 | bpdyttrlp.yi.org  | 64.21.149.167

There are at least 15 members of our malware menagerie that point to that IP (just for 2008).  Note the destination UDP port!

       timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
  2008-03-03 17:22:15 | 1a4eb3c98eeba930cd83eae3c3cf4b650c0b0a2d | b40bc629139865271ce45aff4b086da3 | 64.21.149.167 |      447 |       17 |
  2008-03-03 09:21:02 | 217df238d10969db21be00fb1f2c7f52d5ff45e1 | 703ff2a975a27bac457dee7329def827 | 64.21.149.167 |      447 |       17 |
  2008-03-03 17:20:54 | 31cf2da94c782f1f28928386f3d172781555ec93 | 2ffd7b848f9a618b16a7938b013565d0 | 64.21.149.167 |      447 |       17 |
  2008-03-03 21:21:31 | 40b17b3c84e3356a450a5bf53a84a7d947383746 | a8e614b5832d706f2bbb233e097572d9 | 64.21.149.167 |      447 |       17 |
  2008-03-03 18:22:47 | 48eeea42126653d8efa9482c8dd7688a71cfda0a | 592523a88df3d043d61a14b11a79bd55 | 64.21.149.167 |      447 |       17 |
  2008-02-20 06:14:17 | 5c1b3065216a3dcaaf5a99830c6ee313002745b4 | 6e9ade37a57089c4d04d942da92eee83 | 64.21.149.167 |      447 |       17 |   82
  2008-03-03 16:22:24 | 6e6d2a2a6c483df10c7ea6f385036f8187f24dc3 | f465a25e2815267dc28a5f13c04c78eb | 64.21.149.167 |      447 |       17 |
  2008-03-11 01:22:11 | a257e572658b70d644d8851634c6784a120717eb | b69783a2535bc8a0bd591382d8a70386 | 64.21.149.167 |      447 |       17 |
  2008-01-11 14:33:07 | aed0d16b0a364213df445fadc1829b29b5c00452 | 48a61c59981bc91f7b9d4c0b53bb5690 | 64.21.149.167 |      447 |       17 |
  2008-03-11 17:57:52 | b7940dc9df288608e8f55247812676cd34dd60a9 | 3fe2d05decefc98e3b06b8a487978855 | 64.21.149.167 |      447 |       17 |   83
  2008-03-02 20:20:29 | c26640e5ece91c2be2e54efcea20b44d477048dd | 57573896a389770557ea48fff8fd7645 | 64.21.149.167 |      447 |       17 |
  2008-02-08 16:08:36 | cdd9ec7f9c1040cfb651a5ccd8297cd7ad31299d | 082ac78cb4341acff1d3380f8cede99a | 64.21.149.167 |      447 |       17 |   83
  2008-03-04 02:23:05 | ce3087483789260c19ec84341d3618d8c9ba52f7 | e39f1356d03d247706d0fc372448a1d9 | 64.21.149.167 |      447 |       17 |
  2008-03-02 09:23:03 | ce4ac2789817e84be50cf68af8df6066922dc139 | 56004a353fbd54a5493cf0aa6ec1ec0f | 64.21.149.167 |      447 |       17 |
  2008-03-07 07:09:45 | f78da76ff8f75b20e2f6d09e1a39cb35aedaca5f | bd4d709723ae6a052e1d57144db6ac99 | 64.21.149.167 |      447 |       17 |   82

Looking at only one of those samples, we see the following:

It installs itself as c:\windows\system32\ip.exe.  It then launches ip.exe.

ip.exe modifies one registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ip" = C:\WINDOWS\system32\ip.exe

It looks up some funny looking DNS RRs, one of which you'll recognize from the DNS RRs posted above:

quowesuqbbb.mooo.com
adrcgmzrm.dyndns.org
bpdyttrlp.yi.org

It sends packets to UDP 447 of course, and also seems to test TCP 25.

And I responded too slowly and see that Ryan has already squashed this one.  Thanks, Ryan!  :)

> 36351   | 208.101.42.28    | SOFTLAYER - SoftLayer Technologies Inc.

We see three malware samples pointed to this IP:

       timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
  2008-03-11 21:21:50 | 083d5dde9121108b64065921504e2aa60573aafc | 1cb1aa6bef34f7ed54a880e975878ba2 | 208.101.42.28 |      447 |        6 |
  2008-03-11 18:22:10 | 09d18db4e8a16c164f0249af5760fd2ac2805397 | 97952509cb134a2c8dc22f2d4c785a54 | 208.101.42.28 |      447 |        6 |
  2008-03-11 04:20:14 | 48a1904d46c936cf5af45a4c44d7419a3e1fe44b | e33f27292f832212374b985750bab0a7 | 208.101.42.28 |      447 |        6 |


> 36351   | 208.101.42.29    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.52.83    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.52.85    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.52.86    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.54.242   | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.54.246   | SOFTLAYER - SoftLayer Technologies Inc.

I'll skip these since they're likely to be similar to the ones above.  Let me know if you need gory details.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
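Added example, not part of Rob's message and not Team Cymru tooling: a small Python triage script that turns the indicators listed in the message above (the two C&C IPs with their port 447 and IP protocol numbers 17 = UDP and 6 = TCP, the four DNS names, the HKLM Run value "ip" = C:\WINDOWS\system32\ip.exe, and the TCP/25 probing) into matchers over flow, DNS and registry records. The flow lines, DNS queries and host addresses at the bottom are constructed sample input, not real logs; the flow record layout is an assumption of this example.

```python
"""Triage hosts against the C&C indicators listed in the nsp-sec message above.

Indicators (IPs, port 447, IP protocol numbers, DNS names, Run value) are the
ones the message lists.  Everything under SAMPLE_* is constructed input.
"""
from collections import defaultdict

# (dst_ip, dst_port, ip_protocol) -> label.  Protocol 17 is UDP, 6 is TCP,
# which is why the AS8001 host is matched on UDP and the SoftLayer one on TCP.
C2_ENDPOINTS = {
    ("64.21.149.167", 447, 17): "AS8001 NET-ACCESS-CORP, UDP/447",
    ("208.101.42.28", 447, 6): "AS36351 SOFTLAYER, TCP/447",
}

# Names the sample resolves (two from the passive DNS table, two from the sandbox run).
C2_DNS_NAMES = {
    "bdubefoeug.yi.org",
    "bpdyttrlp.yi.org",
    "quowesuqbbb.mooo.com",
    "adrcgmzrm.dyndns.org",
}

# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value written for persistence.
RUN_VALUE_NAME = "ip"
RUN_VALUE_DATA = r"c:\windows\system32\ip.exe"


def parse_flow(line):
    """Parse one constructed flow record: 'ts src_ip dst_ip ip_proto dst_port'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": int(proto), "dport": int(dport)}


def c2_hits(flow_lines):
    """Return {src_ip: [label, ...]} for flows that hit a listed C&C endpoint."""
    hits = defaultdict(list)
    for line in flow_lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        label = C2_ENDPOINTS.get((f["dst"], f["dport"], f["proto"]))
        if label:
            hits[f["src"]].append(label)
    return dict(hits)


def dns_hits(dns_records):
    """dns_records: iterable of (src_ip, queried_name).  Returns {src_ip: [name, ...]}."""
    hits = defaultdict(list)
    for src, name in dns_records:
        if name.lower().rstrip(".") in C2_DNS_NAMES:
            hits[src].append(name)
    return dict(hits)


def run_key_hit(value_name, value_data):
    """True if a Run value matches the persistence entry the message describes."""
    return value_name.lower() == RUN_VALUE_NAME and value_data.lower() == RUN_VALUE_DATA


def smtp_probes(flow_lines, hosts):
    """Count TCP/25 attempts from already-flagged hosts (corroborating signal only)."""
    counts = defaultdict(int)
    for line in flow_lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] in hosts and f["proto"] == 6 and f["dport"] == 25:
            counts[f["src"]] += 1
    return dict(counts)


def triage(flow_lines, dns_records):
    """Combine the signals into one record per source host that tripped anything."""
    flows = c2_hits(flow_lines)
    dns = dns_hits(dns_records)
    smtp = smtp_probes(flow_lines, set(flows))
    hosts = sorted(set(flows) | set(dns))
    return {h: {"c2": flows.get(h, []), "dns": dns.get(h, []),
                "smtp_probes": smtp.get(h, 0)} for h in hosts}


# Constructed sample input (not real logs).  10.0.0.5 behaves like the sample
# described above; 10.0.0.9 talks to the SoftLayer host; 10.0.0.7 touches the
# C&C IPs only on other ports, so the strict (ip, port, proto) match ignores it.
SAMPLE_FLOWS = """
2008-03-12T12:00:01 10.0.0.5 64.21.149.167 17 447
2008-03-12T12:00:02 10.0.0.5 198.51.100.20 6 25
2008-03-12T12:00:03 10.0.0.5 198.51.100.21 6 25
2008-03-12T12:00:04 10.0.0.7 64.21.149.167 6 80
2008-03-12T12:00:05 10.0.0.7 208.101.42.28 6 443
2008-03-12T12:00:06 10.0.0.9 208.101.42.28 6 447
""".strip().splitlines()

SAMPLE_DNS = [
    ("10.0.0.5", "bpdyttrlp.yi.org"),
    ("10.0.0.5", "quowesuqbbb.mooo.com"),
    ("10.0.0.9", "adrcgmzrm.dyndns.org."),
    ("10.0.0.7", "www.cymru.com"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(host, verdict)
```

The endpoint match is deliberately strict on the (ip, port, protocol) triple, because that is exactly what the sightings tables document; if you would rather alert on any traffic to those two addresses, key `C2_ENDPOINTS` on the IP alone. The TCP/25 count is kept separate and only computed for hosts that already hit a C&C endpoint, since outbound SMTP on its own is not an indicator.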