[nsp-sec] IcePoint DDoS Bot Description
Jose Nazario
jose at arbor.net
Fri Jul 31 09:43:18 EDT 2009
--- SUMMARY
a new ddos bot family, coded in VisualBasic, that may be worth keeping an eye on.
--- DISTRIBUTION
observed URLs:
hxxp://www.tyd8.com/cc.exe 416eab216688bd3231f8f8a116ca4ad5
hxxp://ddos.tyd8.com/3.exe bb412c4a3c54f86a3ee3870fb025a7ac
??? c411db43d44e326f7b952fe79d276748
this URL appeared in a downloader configuration from some chinese malware. the nature of that downloader configuration is lost, however.
-- Fri Jul 31 13:22:36 2009 GMT
==> Checking www.tyd8.com
multi.surbl.org Phishing data source
uri.ca2.sophosxl.com Reactively blacklisted
dnsbl.mailshell.net Blacklisted
www.tyd8.com | 60.223.226.73 | A | 120 | Wed, 01 Apr 2009 12:22:49 UTC | Wed, 01 Apr 2009 12:26:20 UTC
tyd8.com | 60.223.226.73 | A | 120 | Wed, 22 Jul 2009 09:47:19 UTC | Wed, 22 Jul 2009 09:47:19 UTC
ddos.tyd8.com has address 60.223.226.73
AS | IP | AS Name
4837 | 60.223.226.73 | CHINA169-BACKBONE CNCGROUP China169 Backbone
--- C&C SERVERS
81073958.3322.org TCP port 2222
vipupdate.8800.org TCP port 2222
60.223.226.84 TCP port 2222
vipupdate.8800.org has address 67.228.214.67
AS | IP | AS Name
36351 | 67.228.214.67 | SOFTLAYER - SoftLayer Technologies Inc.
interesting tie-in there.
--- COMMUNICATIONS
to date i have only seen the check-in but never the commands relayed out:
SEND
$0000 73 74 61 74 65 3A 20 30 20 2D 20 7A 6F 6D 62 69 state: 0 - zombi
$0010 65 20 69 73 20 72 65 61 64 79 20 66 6F 72 20 63 e is ready for c
$0020 6F 6E 74 72 6F 6C 20 7C 20 31 2E 30 2E 30 ontrol | 1.0.0
no targets seen hit by this bot yet.
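As an added example (not from the post): a small Python parser that rebuilds the check-in above from its hexdump and turns it into a flow-level detection rule. The "$offset hh hh ... ascii" layout and the "state / message / version" split are assumptions read off the bytes shown; port 2222 is the C&C port listed above.

```python
import re

# Constructed sample: the check-in exactly as the post's hexdump shows it,
# captured on the outbound TCP session to the C&C (port 2222).
CHECKIN_HEXDUMP = """\
$0000 73 74 61 74 65 3A 20 30 20 2D 20 7A 6F 6D 62 69 state: 0 - zombi
$0010 65 20 69 73 20 72 65 61 64 79 20 66 6F 72 20 63 e is ready for c
$0020 6F 6E 74 72 6F 6C 20 7C 20 31 2E 30 2E 30 ontrol | 1.0.0
"""

# '$offset' followed by up to 16 hex bytes; the trailing ASCII column is
# not captured. Caveat: on a short last line, an ASCII column that starts
# with two hex digits would be swallowed as a byte.
HEX_LINE = re.compile(r"^\$([0-9A-Fa-f]{4})((?:\s[0-9A-Fa-f]{2}){1,16})")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from '$offset hh hh ... ascii' lines,
    checking that the offsets are contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("non-contiguous hexdump at " + m.group(1))
        out += bytes.fromhex(m.group(2))
    return bytes(out)

# Assumed check-in shape: 'state: <n> - <message> | <major.minor.patch>'
CHECKIN_RE = re.compile(rb"^state: (\d+) - (.+?) \| (\d+\.\d+\.\d+)$")

def parse_checkin(payload: bytes):
    """Return (state, message, version) for an IcePoint-style check-in,
    or None when the payload has a different shape."""
    m = CHECKIN_RE.match(payload)
    if not m:
        return None
    return int(m.group(1)), m.group(2).decode("ascii"), m.group(3).decode("ascii")

def is_icepoint_checkin(payload: bytes, dst_port: int) -> bool:
    """Flow-level rule: the check-in string on the observed C&C port."""
    return dst_port == 2222 and parse_checkin(payload) is not None

if __name__ == "__main__":
    payload = hexdump_to_bytes(CHECKIN_HEXDUMP)
    print(payload.decode("ascii"), parse_checkin(payload))
```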
--- ATTACK CAPABILITIES
static analysis of the binary suggests it's capable of basic UDP, TCP, ICMP and HTTP attacks:
ICMP
icmpstop
Apache
stopapache
HTTP
httpstop
udpstop
TCPstop
CrackTcpIp
these attacks are done using VB bindings to the MSWinSock library, it seems.
--- DROPPED FILES
C:\WINDOWS\system32\MSWINSCK.OCX
C:\WINDOWS\IPdriver.exe
C:\WINDOWS\IcePoint.exe
C:\kill.bat
C:\WINDOWS\driver.inf
--- CHILD PROCESSES
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\WINDOWS\driver.inf
net.exe stop Windows Firewall/Internet Connection Sharing (ICS)
sc config Windows Firewall/Internet Connection Sharing (ICS) start= DISABLED
net.exe stop sharedaccess
sc config sharedaccess start= DISABLED
net.exe stop System Restore Service
sc config System Restore Service start= DISABLED
net.exe stop TCP/IP NetBIOS Helper
sc config TCP/IP NetBIOS Helper start= DISABLED
net.exe stop Automatic Updates
sc config Automatic Updates start= DISABLED
C:\WINDOWS\system32\grpconv.exe -o
net1 stop sharedaccess
net1 stop Windows Firewall/Internet Connection Sharing (ICS)
net1 stop System Restore Service
net1 stop Automatic Updates
net1 stop TCP/IP NetBIOS Helper
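Added example, not from the post: the stop-and-disable sequence above expressed as a host-telemetry detection in Python. The "time|parent image|cmdline" log format, the parent image in the sample and the threshold are constructed assumptions; the service names are the ones listed above.

```python
import re
from collections import defaultdict

# Services the dropper stops and disables, as listed in the child-process
# section (short name and display names, lower-cased for matching).
TARGET_SERVICES = {
    "sharedaccess",
    "windows firewall/internet connection sharing (ics)",
    "system restore service",
    "tcp/ip netbios helper",
    "automatic updates",
}

STOP_RE = re.compile(r"^net1?(?:\.exe)?\s+stop\s+(.+?)\s*$", re.I)
DISABLE_RE = re.compile(r"^sc(?:\.exe)?\s+config\s+(.+?)\s+start=\s*disabled\s*$", re.I)

def classify(cmdline):
    """('stop', svc) or ('disable', svc) when cmdline touches a targeted
    service, else None."""
    for kind, rx in (("stop", STOP_RE), ("disable", DISABLE_RE)):
        m = rx.match(cmdline.strip())
        if m and m.group(1).strip().lower() in TARGET_SERVICES:
            return kind, m.group(1).strip().lower()
    return None

def detect(log_lines, min_services=3):
    """Return parents that both stop and disable >= min_services distinct
    targeted services. Log format (constructed): time|parent image|cmdline."""
    seen = defaultdict(lambda: {"stop": set(), "disable": set()})
    for line in log_lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        hit = classify(parts[2])
        if hit:
            seen[parts[1]][hit[0]].add(hit[1])
    return sorted(p for p, s in seen.items()
                  if len(s["stop"] & s["disable"]) >= min_services)

# Constructed sample: the post's command sequence under a hypothetical
# parent, plus one unrelated admin command that must not fire on its own.
SAMPLE_LOG = [
    r"2009-07-31T13:22:40Z|C:\WINDOWS\IPdriver.exe|net.exe stop Windows Firewall/Internet Connection Sharing (ICS)",
    r"2009-07-31T13:22:40Z|C:\WINDOWS\IPdriver.exe|sc config Windows Firewall/Internet Connection Sharing (ICS) start= DISABLED",
    r"2009-07-31T13:22:41Z|C:\WINDOWS\IPdriver.exe|net.exe stop sharedaccess",
    r"2009-07-31T13:22:41Z|C:\WINDOWS\IPdriver.exe|sc config sharedaccess start= DISABLED",
    r"2009-07-31T13:22:41Z|C:\WINDOWS\IPdriver.exe|net.exe stop Automatic Updates",
    r"2009-07-31T13:22:42Z|C:\WINDOWS\IPdriver.exe|sc config Automatic Updates start= DISABLED",
    r"2009-07-31T13:22:42Z|C:\WINDOWS\IPdriver.exe|net1 stop TCP/IP NetBIOS Helper",
    r"2009-07-31T13:22:43Z|C:\WINDOWS\IPdriver.exe|sc config TCP/IP NetBIOS Helper start= DISABLED",
    r"2009-07-31T14:00:00Z|C:\WINDOWS\system32\cmd.exe|net stop sharedaccess",
]
```

A single `net stop` from an admin shell stays below the threshold; only a parent that pairs stops with `start= DISABLED` across several of the listed services is reported.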
--- REGISTRY CHANGES
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\:
Microsoft WinSock Control, version 6.0 (SP6)
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\InprocServer32\:
C:\\WINDOWS\\system32\\MSWINSCK.OCX
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\InprocServer32\ThreadingModel:
Apartment
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MSWinsock.Winsock\:
Microsoft WinSock Control, version 6.0 (SP6)
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MSWinsock.Winsock\\CLSID\:
{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MSWinsock.Winsock\\CurVer\:
MSWinsock.Winsock.1
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MSWinsock.Winsock.1\:
Microsoft WinSock Control, version 6.0 (SP6)
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MSWinsock.Winsock.1\\CLSID\:
{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\VersionIndependentProgID\:
MSWinsock.Winsock
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\ProgID\:
MSWinsock.Winsock.1
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\TypeLib\:
{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\Version\:
1.0
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\MiscStatus\:
0
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\MiscStatus\\1\:
132497
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\\ToolboxBitmap32\:
C:\\WINDOWS\\system32\\MSWINSCK.OCX, 1
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\:
Winsock General Property Page Object
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\\InprocServer32\:
C:\\WINDOWS\\system32\\MSWINSCK.OCX
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\\1.0\:
Microsoft Winsock Control 6.0 (SP6)
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\\1.0\\FLAGS\:
2
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\\1.0\\0\\win32\:
C:\\WINDOWS\\system32\\MSWINSCK.OCX
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\\1.0\\HELPDIR\:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\:
IMSWinsockControl
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\\ProxyStubClsid\:
{00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\\ProxyStubClsid32\:
{00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\\TypeLib\:
{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\\TypeLib\Version:
1.0
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\:
DMSWinsockControlEvents
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\\ProxyStubClsid\:
{00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\\ProxyStubClsid32\:
{00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\\TypeLib\:
{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\\TypeLib\Version:
1.0
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\pressure test:
C:\\WINDOWS\\IPdriver.exe
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\C:\\WINDOWS\\IcePoint.exe:
C:\\WINDOWS\\IcePoint.exe
HKEY_CLASSES_ROOT\.grp:
MSProgramGroup
HKEY_CLASSES_ROOT\MSProgramGroup:
Microsoft Program Group
HKEY_CLASSES_ROOT\MSProgramGroup\\Shell\\Open\\Command:
C:\\WINDOWS\\system32\\grpconv.exe %1
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
Init Application.
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
bdg: ...
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
bdg: Done.
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
dros: ...
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
dros: Renames.
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
dros: Copies.
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
dros: Deletes.
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
dros: Done.
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\GrpConv\Log:
Uninit Application.
--- AV DETECTION
AV detection is pretty good but in most cases very ambiguous.
File 651054f0165d626a36c8015832132800ed96ff69.EXE received on 2009.05.01 21:26:10 (UTC)
Antivirus Version Last Update Result
AhnLab-V3 5.0.0.2 2009.05.01 Win-Trojan/Xema.variant
AntiVir 7.9.0.160 2009.04.30 BDS/VB.fra
Antiy-AVL 2.0.3.1 2009.04.30 Backdoor/Win32.VB
Authentium 5.1.2.4 2009.05.01 W32/VB-EMU:VB-Backdoor-HRS-based!Maximus
Avast 4.8.1335.0 2009.05.01 Win32:Trojan-gen {Other}
AVG 8.5.0.327 2009.05.01 Generic11.PWG
BitDefender 7.2 2009.05.01 Backdoor.Generic.101638
CAT-QuickHeal 10.00 2009.04.30 Backdoor.VB.fra
ClamAV 0.94.1 2009.05.01 Trojan.VB-4610
Comodo 1141 2009.05.01 TrojWare.Win32.VB.~ACC
DrWeb 4.44.0.09170 2009.05.01 BackDoor.Icepoint
eSafe 7.0.17.0 2009.04.30 Suspicious File
eTrust-Vet 31.6.6486 2009.05.01 Win32/AMalum.AACPP
F-Prot 4.4.4.56 2009.05.01 W32/VB-EMU:VB-Backdoor-HRS-based!Maximus
F-Secure 8.0.14470.0 2009.05.01 Backdoor.Win32.VB.fra
Fortinet 3.117.0.0 2009.05.01 W32/BDoor.FRA!tr.bdr
GData 19 2009.05.01 Backdoor.Generic.101638
Ikarus T3.1.1.49.0 2009.05.01 Trojan.Win32.VB
K7AntiVirus 7.10.721 2009.05.01 Backdoor.Win32.VB
Kaspersky 7.0.0.125 2009.05.01 Backdoor.Win32.VB.fra
McAfee 5602 2009.05.01 BackDoor-DSY
McAfee+Artemis 5602 2009.05.01 BackDoor-DSY
McAfee-GW-Edition 6.7.6 2009.04.30 Trojan.Backdoor.VB.fra
Microsoft 1.4602 2009.05.01 Backdoor:Win32/Icenipto.A
NOD32 4049 2009.05.01 probably a variant of Win32/Genetik
Norman 2009.04.30 W32/VBDoor.LML
nProtect 2009.1.8.0 2009.05.01 -
Panda 10.0.0.14 2009.05.01 Adware/AccesMembre
PCTools 4.4.2.0 2009.05.01 -
Prevx1 3.0 2009.05.01 Medium Risk Malware
Rising 21.27.41.00 2009.05.01 Trojan.Win32.VB.fzf
Sophos 4.41.0 2009.05.01 -
Sunbelt 3.2.1858.2 2009.05.01 Trojan-Downloader.Generic
Symantec 1.4.4.12 2009.05.01 Trojan Horse
TheHacker 6.3.4.1.317 2009.05.01 Backdoor/VB.fra
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.01 Backdoor.Win32.VB.fra
ViRobot 2009.5.1.1717 2009.05.01 Backdoor.Win32.VB.79429
VirusBuster 4.6.5.0 2009.05.01 Backdoor.VB.ETUD
Complete scanning result of "4234912", processed in VirusTotal at 07/31/2009 15:29:19 (CET).
[ file data ]
* name..: 4234912
* size..: 79379
* md5...: 416eab216688bd3231f8f8a116ca4ad5
* sha1..: 92f9943e4d9b3f135c10cb4f9cd2e52c54203344
* peid..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
[ scan result ]
a-squared 4.5.0.24/20090731 found [Trojan.Win32.VB!IK]
AhnLab-V3 5.0.0.2/20090731 found [Win-Trojan/Xema.variant]
AntiVir 7.9.0.236/20090731 found [BDS/VB.fra]
Antiy-AVL 2.0.3.7/20090731 found [Backdoor/Win32.VB]
Authentium 5.1.2.4/20090731 found [W32/VB-Backdoor-HRS-based!Maximus]
Avast 4.8.1335.0/20090730 found [Win32:Trojan-gen {Other}]
AVG 8.5.0.406/20090731 found [Generic11.PWG]
BitDefender 7.2/20090731 found [Backdoor.Generic.101638]
CAT-QuickHeal 10.00/20090730 found [Backdoor.VB.fra]
ClamAV 0.94.1/20090731 found [Trojan.VB-4610]
Comodo 1823/20090731 found [TrojWare.Win32.VB.~ACC]
DrWeb 5.0.0.12182/20090731 found [BackDoor.Icepoint]
eSafe 7.0.17.0/20090730 found [Suspicious File]
eTrust-Vet 31.6.6649/20090731 found [Win32/ASuspect.FHWTG]
F-Prot 4.4.4.56/20090730 found [W32/VB-Backdoor-HRS-based!Maximus]
F-Secure 8.0.14470.0/20090731 found [Backdoor.Win32.VB.fra]
Fortinet 3.120.0.0/20090731 found [PossibleThreat]
GData 19/20090731 found [Backdoor.Generic.101638]
Ikarus T3.1.1.64.0/20090731 found [Trojan.Win32.VB]
Jiangmin 11.0.800/20090731 found [Backdoor/VB.dsx]
K7AntiVirus 7.10.806/20090730 found [Backdoor.Win32.VB]
Kaspersky 7.0.0.125/20090731 found [Backdoor.Win32.VB.fra]
McAfee 5693/20090730 found [BackDoor-DSY]
McAfee+Artemis 5693/20090730 found [Artemis!416EAB216688]
McAfee-GW-Edition 6.8.5/20090731 found [Trojan.Backdoor.VB.fra]
Microsoft 1.4903/20090731 found [Backdoor:Win32/Icenipto.A]
NOD32 4294/20090731 found [probably a variant of Win32/Genetik]
Norman 6.01.09/20090731 found [W32/VBDoor.LML]
nProtect 2009.1.8.0/20090731 found nothing
Panda 10.0.0.14/20090731 found [Trj/CI.A]
PCTools 4.4.2.0/20090731 found nothing
Prevx 3.0/20090731 found [High Risk Worm]
Rising 21.40.44.00/20090731 found [Trojan.Win32.VB.fzf]
Sophos 4.44.0/20090731 found [Mal/Generic-E]
Sunbelt 3.2.1858.2/20090731 found [Bulk Trojan]
Symantec 1.4.4.12/20090731 found [Trojan Horse]
TheHacker 6.3.4.3.374/20090730 found [Backdoor/VB.fra]
TrendMicro 8.950.0.1094/20090731 found nothing
VBA32 3.12.10.9/20090731 found [Backdoor.Win32.VB.fra]
ViRobot 2009.7.31.1863/20090731 found [Backdoor.Win32.VB.79429]
VirusBuster 4.6.5.0/20090730 found [Backdoor.VB.GKXF]
--- PACKER
i've seen UPX 2.x used as the packer.
--- EXAMPLE ANALYSIS REPORTS
http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=bb412c4a3c54f86a3ee3870fb025a7ac
_____________________________
jose nazario, ph.d. jose at arbor.net
manager of security research, arbor networks
http://asert.arbor.net/