[nsp-sec] the new "azenv" or "what is my IP?"

jose nazario jose at arbor.net
Sat Mar 20 13:01:16 EDT 2010


for some time now i've been seeing binaries that make checks to a
handful of IPs on port 8392 to get their externally visible IP. bots
used to do this with scripts like "azenv" or services like
"whatismyip". appears to be related to virut infections.

an example sample's ICSG XML format is enclosed.

the servers in question are:


we have a bunch of these:

malware=# SELECT count(distinct(aml_id)) from aml_connection where dport = 8392;
count
-------
   417
(1 row)

they run the past year and a half:

malware=# SELECT min(date), max(date) from aml where id in (select distinct(aml_id) from aml_connection where dport = 8392);
    min     |    max
------------+------------
2008-08-11 | 2010-03-14
(1 row)

communications are something like this:

Destination: 173.45.105.218 port 8392/TCP
Communications Data
SEND
$0000	00 00 78 E3	..x.
SEND
$0000	00 00 4F 95	..O.
SEND
$0000	00 00 00 04	....
SEND
$0000	65 63 68 6F	echo
RECEIVED
$0000	00 00 00 0C	....
RECEIVED
$0000	XX XX XX XX XX XX XX XX   [IP omitted]

a little while later you see:

Destination: 64.191.44.8 port 8392/TCP
Communications Data
SEND
$0000	00 00 78 E3	..x.
SEND
$0000	00 00 27 B3	..'.
SEND
$0000	00 00 00 15	....
SEND
$0000	32 2E 30 5F 75 6E 6B 6E 6F 77 5F 73 61 6D 70 6C	2.0_unknow_sampl
$0010	65 2E 65 78 65	e.exe


in short this is a firm marker for botted hosts, i suggest you track
flows to those dst IPs and ports and see if you don't spot something
else amiss there.

i hope this helps.


_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/

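Added example, not part of Jose's post: a small decoder for the port-8392 exchanges quoted above, useful for labelling captured flows rather than just matching on the destination. It assumes the first three SENDs of each exchange form one 12-byte header (the 00 00 78 E3 constant, a per-exchange word, a big-endian payload length); the names MAGIC, OP_ECHO and OP_REPORT are my labels, and the 198.51.100.7 reply is a constructed stand-in for the IP the post omits.

```python
"""Decoder for the port-8392 check-in frames quoted above (added example)."""
import struct
# Values copied from the post's hex dumps: each client frame is 00 00 78 E3, a
# per-exchange word, then a big-endian payload length. Labels are mine, not the author's.
MAGIC = 0x000078E3
OP_ECHO = 0x00004F95    # exchange carrying the literal "echo"
OP_REPORT = 0x000027B3  # exchange carrying the sample's file name

def parse_client_frames(data):
    """Split a client->server stream into (magic, op, payload) tuples."""
    frames, off = [], 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated header at offset %d" % off)
        magic, op, length = struct.unpack_from(">III", data, off)
        off += 12
        if len(data) - off < length:
            raise ValueError("truncated payload at offset %d" % off)
        frames.append((magic, op, data[off:off + length]))
        off += length
    return frames

def parse_server_reply(data):
    """Reply is a 4-byte big-endian length followed by the external IP text."""
    if len(data) < 4:
        raise ValueError("reply too short")
    (length,) = struct.unpack_from(">I", data, 0)
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated reply body")
    return body.decode("ascii", "replace")

def classify(client_stream):
    """Label frames: 'ip-echo', 'report:<name>', 'unknown', or 'not-8392-protocol'."""
    labels = []
    for magic, op, payload in parse_client_frames(client_stream):
        if magic != MAGIC:
            labels.append("not-8392-protocol")
        elif op == OP_ECHO and payload == b"echo":
            labels.append("ip-echo")
        elif op == OP_REPORT:
            labels.append("report:" + payload.decode("ascii", "replace"))
        else:
            labels.append("unknown")
    return labels

# Constructed streams rebuilt from the two dumps; 198.51.100.7 stands in for the omitted IP.
ECHO_STREAM = b"\x00\x00\x78\xe3\x00\x00\x4f\x95\x00\x00\x00\x04echo"
REPORT_STREAM = b"\x00\x00\x78\xe3\x00\x00\x27\xb3\x00\x00\x00\x15" + b"2.0_unknow_sample.exe"
REPLY = b"\x00\x00\x00\x0c" + b"198.51.100.7"
```

Feeding the reassembled client-to-server bytes of a suspect flow into classify() gives a per-frame label; an "ip-echo" followed by a "report:" frame is the sequence the two dumps show.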
