[nsp-sec] C&C Server: Request for information

Tim Wilde twilde at cymru.com
Wed May 12 14:10:37 EDT 2010



On 5/12/2010 1:17 PM, Keith Schoenefeld wrote:
> I'm looking for any intelligence that people may have with regard to
> 72.36.112.141, or the DNS name that's currently associated with it
> backwards[dot]bounceme[dot]net.

Good afternoon Keith,

We have three different samples referencing that DNS RR, all in the
month of March 2010:

95e60391bf8ca6ea1ba969f3fdecd01806e05274   2010-03-14 05:47:52
221 KB
md5: 06da6a544af022eacad1b7c310103b2f
filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

e7721afebf64cfb73ec4316300afa215f5222f27   2010-03-09 00:54:53
242.5 KB
md5: fde261272756250201132fef74429852
filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

3a3bc2f9d868fc67a898e6275241a3b55577df55   2010-03-05 06:40:44
174.5 KB
md5: 4b253e646b5a85c13b9b6d05217854e7
filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

AV has generally identified these samples as Swisyn or Maximus.  The C&C
was pointing to a different IP when we sandboxed them, and it doesn't
appear to have been live at the time, so I don't have a lot of detail
about what it tries to do.  It appears to use the channel #bnet with a
channel password of 313313313.  I've got some additional analysis
running now, and will share it if anything interesting pops up.

> In particular, I just need to know if this is a run of the mill "DDoS
> for hire" botnet, or something more nefarious.  I'm (possibly
> stupidly) assuming that since it currently runs over tcp/6667 it's
> not terribly sophisticated, but I'm trying to cover bases.

I wouldn't necessarily say IRC C&C on TCP/6667 == not sophisticated.  We
still see plenty of sizeable networks and long-standing crews using IRC
C&C, many of them even still using TCP/6667.  HTTP C&C is certainly on
the rise and eclipsing IRC, but I don't think it's safe to assume a
given sophistication level just based on the IRC C&C and use of TCP/6667.

That said, in the analysis we do have, I don't see anything that screams
"superstar killer bot" or "targeted attack"; it does in fact appear to
be a rather run-of-the-mill bot, all things considered.

We'll pass on any additional information we get and can share from analysis!

Regards,
Tim Wilde

-- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
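As an added example (not Team Cymru's code or anything posted in this thread), the Python below parses an IRC client/server stream and flags the indicators from the reply above: a JOIN to #bnet with key 313313313, and server messages from the named C&C host or IP. It keys on protocol content rather than on TCP/6667, since the reply notes that the port alone says little, and the session lines are constructed for illustration.

```python
import re
# Indicators taken from the thread: C&C IP/DNS name from the question,
# channel and channel key from the sandbox analysis.
C2_HOSTS = {"72.36.112.141", "backwards.bounceme.net"}
C2_CHANNEL = "#bnet"
C2_KEY = "313313313"
# RFC 1459 line layout: [':' prefix ' '] command [' ' params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")

def parse_irc(line):
    """Return (prefix, COMMAND, [params]); a ':trailing' param may contain spaces."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None, None, []
    raw = m.group("params") or ""
    if raw.startswith(":"):
        params = [raw[1:]]
    else:
        head, sep, trailing = raw.partition(" :")
        params = head.split() + ([trailing] if sep else [])
    return m.group("prefix"), m.group("cmd").upper(), params

def c2_alerts(lines):
    """Return (line_no, reason) for lines matching the indicators. The port is
    not an input on purpose: protocol content, not TCP/6667, is the signal."""
    alerts = []
    for n, line in enumerate(lines, 1):
        prefix, cmd, params = parse_irc(line)
        if prefix and prefix.lower() in C2_HOSTS:
            alerts.append((n, f"message from C&C host {prefix}"))
        if cmd == "JOIN" and params:
            chans = params[0].split(",")  # JOIN #a,#b key1,key2
            keys = params[1].split(",") if len(params) > 1 else []
            for i, ch in enumerate(chans):
                if ch.lower() != C2_CHANNEL:
                    continue
                key = keys[i] if i < len(keys) else ""
                hit = "known key" if key == C2_KEY else "key mismatch or absent"
                alerts.append((n, f"JOIN {ch} ({hit})"))
    return alerts

SAMPLE_STREAM = [  # constructed for illustration, not a real capture
    "NICK bot123",
    "USER bot123 0 * :bot123",
    ":backwards.bounceme.net 001 bot123 :Welcome to the network",
    "JOIN #bnet 313313313",
    "JOIN #other,#bnet key1,313313313",
    "PRIVMSG #bnet :hello",
    "JOIN #bnet",
]
```

Running `c2_alerts(SAMPLE_STREAM)` reports the welcome line from the C&C host and the three JOINs that touch #bnet, while PRIVMSG traffic and other channels are left alone.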