Zscaler Blog

Security Research

30 Days Of Cycbot

THREATLABZ
April 15, 2011 - 3 min read

Introduction:

I started doing some analysis on a beaconing pattern that I observed this past week. Initially the pattern and domains that I observed had little open-source information available for my searches, but as I started widening my search in the logs I found other infected customers across a variety of sectors and was able to track a botnet using a large number of IPs and domains for its command and controls. This is the "Cycbot" botnet. Newly detected around August 2010 (reference), it is a botnet that has not appeared much in the media, but appears to be making its rounds infecting hosts in greater numbers, especially within the last month from my perspective.

 
The Beaconing Pattern:
The pattern typically followed HTTP GET requests with this format:
 
FQDN/blog/images/3521.jpg?vNUM1=NUM2&tq=BASE64_Data
and the transactions were made with User Agent string: "mozilla/2.0"
 
The BASE64_Data appears to be base64 encoded "encrypted" data.
The vNUM1=NUM2 parameter was occasionally omitted; when it was omitted I was able to brute-force a possible decoding of the BASE64 data, which was XOR "encrypted". When the "v" parameter was present I was not able to decrypt it. This particular encoded pattern was consistent among infected hosts:
 

tq=RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ=

 
Which might be decoded with:
 
0x30 XOR key, displaying:
t=ss&q=id%3D1649%26c%3D137&s=1&hrs=0
which, URL-decoded, is t=ss&q=id=1649&c=137&s=1&hrs=0
 
or 0x55 XOR key, displaying a possible cryptic output / command: s:tt!v:nc"4C613>"51d"4C640!t:6!out:7
 
Note: while tracking the incident back in time, the only consistent strings to trigger on for the beacons are:
  • ?tq=BASE64_data
  • ?vNUM1=NUM2&tq=BASE64_Data
These by themselves could generate some false positives.
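A triage sketch for the beacon described above, added here as an example and not code from the original post: it matches the two query shapes, uses the mozilla/2.0 User-Agent to separate likely beacons from tq= look-alikes, and tries the 0x30 XOR decode on tq. The function names, hosts and non-Cycbot records are constructed for illustration; the first tq value is the sample from the post.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Query shape from the post: optional vNUM1=NUM2, then tq=<base64 data>
BEACON_QUERY = re.compile(r"^(?:v\d+=\d+&)?tq=([A-Za-z0-9+/]+={0,2})$")
BEACON_UA = "mozilla/2.0"   # User-Agent the post reports for the beacons
XOR_KEY = 0x30              # key the post reports when the v parameter is absent


def decode_tq(tq_b64, key=XOR_KEY):
    """Base64-decode tq, XOR each byte with key, return the leading printable run."""
    try:
        raw = base64.b64decode(tq_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    out = []
    for b in raw:
        c = b ^ key
        if not 0x20 <= c < 0x7F:
            break               # stop at the first non-printable byte
        out.append(chr(c))
    text = "".join(out)
    return text if "=" in text else None   # expect key=value check-in fields


def classify(url, user_agent):
    """Return (confidence, decoded_fields) for one proxy log record, or None."""
    m = BEACON_QUERY.match(urlsplit(url).query)
    if not m:
        return None
    # The tq= shape alone can false-positive, so the User-Agent raises confidence.
    confidence = "high" if user_agent.strip().lower() == BEACON_UA else "low"
    decoded = decode_tq(m.group(1))
    fields = {k: v[0] for k, v in parse_qs(decoded).items()} if decoded else {}
    return confidence, fields


# Constructed proxy records (hosts are placeholders; first tq is the post's sample).
SAMPLE = [
    ("http://c2.example.test/blog/images/3521.jpg?tq=RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ=", "mozilla/2.0"),
    ("http://c2.example.test/blog/images/3521.jpg?v12=34&tq=AAECAwQF", "mozilla/2.0"),
    ("http://shop.example.test/search?tq=c2hvZXM=", "Mozilla/5.0 (Windows NT 6.1)"),
    ("http://news.example.test/index.html?id=7", "Mozilla/5.0 (Windows NT 6.1)"),
]

if __name__ == "__main__":
    for url, ua in SAMPLE:
        print(classify(url, ua), url.split("?")[0])
```

Records that come back with "low" confidence match only the tq= shape and are the false-positive candidates the note warns about.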
 
Tracing back in time through our logs, this pattern first emerges the morning of March 10th. From this initial infection to present, the number of infected hosts and C&C IPs/domains used has consistently risen.
 
Open-Source Information:
Googling around turned up related and very recently submitted samples on ThreatExpert.
These reports identify that the malware opens a backdoor on the infected system (e.g., 59495/TCP), and also show the MD5s of the submitted samples:
46991fb9d3839e7b5b2dce4fb997340d
60c6636f9cae2df3d0ae76e5487521d3
4E6BE45CFF3CAAABA9D08622A6B0DC2C
Using the MD5 as a search on VirusTotal, I was able to find recent anti-virus reports with very low detection, which identify the samples under these malware names:
Gen:Variant.Kazy.19331, Win32:Cycbot-CL, Win32/Kryptik.MPX
 
Command and Control Infrastructure:
Tracking the observed infections back over time, I was able to track a fairly robust set of IPs and domains used to keep the botnet alive. Below is the information that I saw since March 10:
 
C&C Domains
[Image: list of C&C domains]
C&C IPs
[Image: list of C&C IPs]
Some of the C&Cs appear to be sites that were compromised, for example: onlineinstitute.com
In each of the cases of these sites, directory indexing is on, e.g.,
onlineinstitute.com/g7/images/
Many of the sites appear to be hosted by BlueHost.
 
But the majority of the C&Cs were recently registered domains with registration information ranging from China to Russia to "private" registration. Below is a list of some of the email addresses used (by the criminals) to register the domains:
[Image: list of registrant email addresses]

Using the above information in Google searches, it is possible to correlate other malicious domains. Keep an eye out for Cycbot in your networks; this botnet does not seem to be slowing down. And always be on the lookout for new beaconing patterns that emerge within your environment!
