[nsp-sec] Skunkx botnet
Jose Nazario
jose at arbor.net
Wed Mar 9 20:26:12 EST 2011
A couple of weeks ago we found a bot codebase we dubbed 'skunkx' (better than the author's intended name, "Nig Bot 1.0"). The bot's capabilities include:
• Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
• Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
• Spread over USB, MSN, YahooMessenger
• “Visit” sites, speedtest
• Download and install, update, and remove arbitrary software
• Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
• Spread as a torrent file
• Steal logins stored in the SQLite DB by Mozilla
We have not seen source or the control panel of the bot. The author appears to like the “JoinVPS” service, however. The servers he has used went back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in the Ukraine, and also “PIRADIUS” in Malaysia. Observed CnC servers (all on TCP):
nig.imageshak.biz 4502
v2z.imageshak.biz 2040
v4.imageshak.biz 4506
zk.imageshak.biz 4507
zzk.imageshak.biz 4922
Via BFK:
2010-05-28 12:49:37 nig.imageshak.biz A 124.217.248.140
2010-12-23 09:59:42 v2z.imageshak.biz A 91.211.117.9
2011-03-02 06:18:51 v2z.imageshak.biz A 149.20.54.185
2010-07-03 10:39:12 v4.imageshak.biz A 91.211.117.31
2010-08-24 04:34:46 zk.imageshak.biz A 91.211.117.31
2010-10-17 18:49:43 zzk.imageshak.biz A 91.211.117.31
Malware samples by hash and dates:
2010-11-05-8b0ec6c72ba825ef6f6c51ec7940c5d1
2010-10-21-a6bcc047bd5c020d4ab0fc985a955930
2010-09-14-49aa607813acff4d4ee0e6f97a18496a
2010-08-19-201ecebc3ce0a62918c9e03acf2a691b
2010-06-14-678ea804716f80ca1a107467c0ac0d4c
2010-06-03-89d846b4cf063af0c3e34d8f96505299
2010-05-31-659cefcf48c770b9dec7fbc820feb08c
2010-07-27-9105d79b81ec98ff4bb739d65980dbed
2010-07-30-bd9bc177f68823cfd7cc98ce77033787
We're now sinkholing the domain 'imageshak.biz' to catch the bots, and include the last 4 hours' worth of logs for folks here. Top infected ASNs:
bots | network
76 | AS45595
67 | AS12322
60 | AS17974
55 | AS7132
54 | AS19262
53 | AS577
52 | AS45899
44 | AS6128
40 | AS8151
38 | AS5769
If you want to see if you're affected you can peek at this worldmap:
http://atlas-public.ec2.arbor.net/tmp/2011-03-10/sinkhole/worldmap/447c346f823e7b7777cf361853ce4c92.png
Data format of the attachment:
131222 | 180.215.9.43 | IN | 1299719080 | MTS-INDIA-IN 334,Udyog Vihar
ASN | IP | CC | UTC timestamp of last sinkhole hit | NETNAME
I will be rolling this data into the ATLAS email reports I produce for some of you, but no ETA on this getting into ATLAS SRF feeds or the portal.
_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/
An embedded and charset-unspecified text was scrubbed...
Name: skunkx.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20110309/22726696/attachment-0001.txt>