The Background
This end of week, Zeus P2P Gameover (in short: GMO) is having a large campaign by utilizing Upatre (with using latest version to download encrypted ZZP file w/many extensions) which are riding the Cutwails spambots (I checked those by IP and templates). As so many good writings and coverage stated out there, these recent GMO is having a new trend to use Necurs Rootkit, sending new callback (with POST /write) HTTP header to the CNC, dropping themself (GMO payloads) with the polymorphic hashes to evade detection, thus tons of randomized DGA to fire P2P callbacks for the botnet functionality purpose (the last one is apparently not new).Shotly, this new "trend" with the large volume of campaign brought my interest, so I started to collect what came up to my honeypot from March 18, 2014 until today as the background of this post.
The Quick Research
Below is the pictures of the malvertisement that the crook was kindly sent me personally:
And the below is the list of analysis I did in Virus Total, see the comment of each post for the details:
d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc
37a835b0ac6d9727bf881743a90e3a8684ca53fdf485645ce07617ec1a203067
947470a114311049e707dfefce904fa727c8170eae8c46165730c699e7636b5f
4514fc971127fb0a38a7eb6ce45ce44a68b1b3298ff98d5dd6e4f9bd2af0b1ac
abf2a63b0b02979d79edd4563f784c7c375eb0cb3ef4dc12ccba2612d07a9dc2
e49c5883dfe16916a262f54013735d20fec64ecaf5d6f598c4493f4f68fb9199
e5270d906ef13a91e176cf60473747e5bf91bc60fe457dd0f3201a5f51cf6524
5593370060e811aeacbb09161b9d8ebbf4251286f821503dbede0993f248d13c
a7739611b998ed82e060d4297d38f8f0792f4866c54575ba5ba6f2b454246f07
e85446688c08dd62bb17a21255fe486eb2fb8ca4acc2e4ae974e31a4ad9dfbe0
There are many interesting details about this threat, like VRT (link) and CERT Polska (link), which are very good reports! Since I am dead busy right now, so please kindly bear with this short post, and I won't wrote much of etc technical details covered in previous reports by others. SO I want to stress here is only one aspect: the DGA callback domains used by GMO (as per below picture) which wasn't covered much in prev. articles, but it is important to understand and learned since the DGA used by GMO is having their weak points to be used stop or mitigate the threat, and giving the bad actor behind the scene a "sting" :))
What's with these "Lame" DGA?
By skipping the details of reversing binaries for security purpose and and comparing the result in the forensics, I collected these callbacks as per below list of domains:
aqivobfijnxoprdqldqqkvwdix,com aqxoythmntgevmjqsjrugdadhyjn,com aulbbiwslxpvvphxnjij,biz bajzlscthulrtnjvcibtgmuouwzd,ru bemjdihsgemsgiwgdyfizxvrw,org bjvinbegehaukxdsmfzpeq,com bnzcehetzhqwxlzhqtnjivr,ru butjbrljaucztbiwolfpzgyrmz,biz bywcdgijrswmbeulnmjsijcx,info dayhqkcqojyhaqjvovtazttaul,info desushrswsiinxwzprvogafml,com dgklnrswwccmkjhutgujzxkaep,com dmayvgdknfuxsyugbaeukbxw,ru eqqbubmhueuxtmvbiojxba,ru eqqcdilqbqfxspbecde,org famvcsozxzdlnhyrchdjqw,ru gmqxkrkeaugifzaurtvhuqcxslr,com gysskqkhygyhgaeueiqoayskbmk,biz hatkyptpevgemjlrbqbexor,com hcauodzppnmrijgyxvdzhdq,info hgfuzrgylxkllnbkrvorkuox,info hswldexoeuamvkswaqgmhgairpj,net irvgwtcxcyxptqsbmbqeitwf,biz iveienbhxqhqtqcepxkfm,biz jbdswlfxvctooztvgjfdbquspr,biz jzcyqbadyhqovwsdaqpkrtpnciib,com kflfhivsfybaknyhwckvbagqdof,com kvinhaqkbygelobdanlzphqfq,com kzhmtwovopnvwfdthsgirpzp,biz kzpaqmrmjdifztxcbuynvcqkfkj,info mptwtibibmrhqtobeizlzzdnfwc,com nqocjrqxuknbmbqgkhmtoxpcu,ru ofpgecihvtcwaeamcepvmnt,info ojwpbugadizpnzdipnlvrwhpuoyp,info oozovinytdpbbelsqgsodtsc,net ovmffmmneilyzpqwsonztcbqo,net pdmvoeqbacuizdmojswirkrkvqgqw,org peucehqxsgmzhgujfsoeihmpvhiz,info pifztmzgezpdmgylwkyqnzmzgum,org pntcizrlfqjzuklhlnlnauln,com ppbxsydtwvjvrvkiflzfiqcrylor,biz qcrosgrnrlvtdmjtdzlfad,net qlbaibmivxcucpgdyaescxdq,org qroeyypcaqsoyzxxkyldifulry,org rgpjaymbpfizgionvclzlbjzlwsov,com rwinsaewkqkrokrhucofaqwxwkv,ru scrgemdyymrtdqfieaibjbqrs,ru tccieupuwpyxtzxdqohuqwdqx,org tcvkwsbqnjhjobgyttklnfxo,com ucqgfpqcfqzpemgahmylfathq,info udtgqcgulzjzgqpvkyplzfxzh,net xkjjvucjfhmkvvgqwyptxshgqo,ru xohmozgqxkncqcmljrqsyllkrfy,biz xqavknbthqjvnvxsuojnrsc,org xwporinufyfyrgdnvzplrfaofbpf,net ztcpgudtkrwpzjrpcebaoxgp,ru zxjzaypibnjayfmpzpalkbaunzl,com zxxpvolvljwkeuofkukydiugrwro,org "// Additional:" ojsuwplrsygiduobtlbvw,ru yltwhytojzhenrxwxoeuljztivbq,biz bafagqcapzxsvghrhtwzpylgy,net qkljydlcikfqktsunraynji,org aemzlxlnduaigyqpjfqdiqopnyp,info vwbaxhtylxcbetsdwdhahhmx,com tcrcxkvcvkovvgcadeiqwfqvc,ru yhqomvsdcmjvhywcjfeieybq,com huuwvcrbyzmjirmfujbgmeqjb,info daiaxifkbrtydtamghe,org daeemibxfaifxocuaevklr,net "// Additional:" hyvguwdisgtkfjvpzrshijmjmngu.info vsskfudeqsorzhhawghonhknp.ru zttwocyqkpdegqgiytvcxphhy.biz mftodqwheaiozkbzduwjzydwkonv.com pvdlcaxlflgavwmfzvgcqhafm.com swskvaylddwvkhursjhbyx.org rccicerggqhswvgwolryhvsgqwsxvs.net aulbbiwslxpvvphxnjij.biz uoxztdipjzppjdpyttxcjrdiz.ru zzgezdvwtwyhypfqhytcjraygqp.com gugquwcumizhgyibbaqobajfvolbh.info "// Aditional:" ylaylfxuoscicyxtgbefjb.net wydyprzfyydcumzqclbhdm.info vovgytxofhdprlzhzxbmijr.biz xsjbizzdydceiztcdobtwugisokv.com "// Additional:" vclbvginizzlydbqpdumvqclv.info biayvwobmkptpjddpjnvrc.com ypzdfiheskxgmjpjvunvvvsmjtvw.ru hzdmjjneyeuxkpzkrunrgyqgcukf.org qkdapcqinizsczxrwaelaimznfbqq.biz fejbjfceztaigmizxlpjtkivcy.infoThese are the "Lame DGA" that GMO uses, means these are strings that are being decoded in the malware binary and without seeds, a wannabe DGA (Domain Generation Algorithm) which is not randomized and the logic of extracting each strings is in the GMO binary itself for the listed samples I stated above. One doesn't have to be a reverser to figure some of these "Lame DGA" domains are used & spotted over and over in many samples. So why so many domains made, and "looks" to be randomized in name? "Maybe" they (as of GMO crooks) want us to think as DGA to avoid blocking actually. It is an insult to decent people's intelligent and will be a massive big #FAIL for the crooks itself if people starting to aim cannon for this weak spot (yes, friends, aim your cannon there, THERE!).
What? Blocking? Is it blockable? Not a decoy or something? Are these really activated? < Answer of all these generally are "YES!", and also could be a decoy too (if they're not going to activate these domains anyway). Great, isn't it? :D
Activation, IP Information & Getting Closer to CNC??
As the PoC: Now (TODAY to be precised) I found four of the domains above is actually activated and ALIVE:
aulbbiwslxpvvphxnjij,biz, "50,116,4,71 DNS1-5,REGISTRAR-SERVERS,COM" peucehqxsgmzhgujfsoeihmpvhiz,info, "212,71,235,232 NS1-4, MONIKERDNS,NET" tcvkwsbqnjhjobgyttklnfxo,com, "23,239,140,156 NS1-4,MONIKERDNS,NET" zxjzaypibnjayfmpzpalkbaunzl,com, "178,79,178,243 DNS1-2,NAMESECURE,COM" "// Additional:" bjvinbegehaukxdsmfzpeq.com, "94.126.178.29 NS61.DOMAINCONTROL.COM" daeemibxfaifxocuaevklr.net, "88.80.191.245 NS1-4.MONIKERDNS.NET" mftodqwheaiozkbzduwjzydwkonv.com "192.210.237.212 DNS1.REGISTRAR-SERVERS.COM xsjbizzdydceiztcdobtwugisokv.com, "192.210.237.212 NS1-4.MONIKERDNS.NET" qkdapcqinizsczxrwaelaimznfbqq.biz, "178.79.178.243 DNS1.NAMESECURE.COM"
With the details information below:
Yes, LINODE is having a serious matter with Zeus/Gameover, because all of these IP addresses are GMO's control and centre front ends :-))
These 4 (four) and just added one new (will add more) IP addresses, which are also not ISDN/pool IP, but a static IP, and two of them are in the status of Corporate ones. So if you think that these four IPs are the peer-tp-peer's or infected PC's IP, the answer is no, and please start to deduct the further investigation step on why GMO is collaborating these IPs.
ADDED: Cut the crap! What's the connection of the DGA to CNC??
I was asked many questions about what's this DGA actually does. I will try to write simple explanation as per follows, sorry to my fellow researchers to burp this fact here, because "some people" are starting to think that I am trying to sell "candy bar" here..
Gameover is rapidly requested DNS for the active IP address of CNC by using this DGA, "WITH OR WITHOUT internet connection" (since I heard a noise said to prevent internet connection to make GMO querying lots of domain..which is just WRONG).
Even the connection of internet exists, GMO will request the rapid calls as per screenshot PCAP above (see below for re-post)
The purpose is to confuse researchers and they are aiming only one (or max: two) IP address(es) of CNC that actually being registered under "few" of "tons" of lame DGA domains. To be more clear, take a look of the PoC below:
As the PoC look at the latest sample's DGA, we detected the activation of the IP address below:
Receiving the IP address from the DGA requested, then GMO can send request to the CNC as per below PoC in real:
This is the connection, and how the DGA is actually very important for Gameover communication to the CNC, blocking these DGA will block its communication to CNC, and without CNC connection GameOver is just "another" bonnet without master's command and control and will work on peer to peering each other without any control from the herder < this is the connection you all asked for, this is the attack point. (Forgive me the God if InfoSec to burp this info out in public here, there is no way I can convince others without telling this fact loud and clear..)
What's the point??
Below are my points, I make it as simple as possible:
1. Get these DGA domain registration info! These DGA is registered only by the bad actor, is not hacked sites, is not a hacked domains. We have tons of experience now for nailing crook's ID by this method, so please extract the information from your known registrars and please passed to law enforcement immediately.
2. A suggestion; Chance to catch "in the act". The unregistered domains will likely to be registered sooner or later after the current ones are blocked/suspended, so it is a good for registrars, CERT and law enforcement to make an extra effort: A list, or better yet, an Auto Block Scheme and maybe a Direct Alert System to be sent to law enforcement to trap the crook's collaborated channels to be "caught in the act" to be legally investigate.
3. Do it NOW. GMO coders is implementing the logic of the DGA in the GMO binary which are stuff that is not easily remake, unless redeveloping big part of the current malware, so we can hope this scheme lasts for a while, so it is a chance for good guys! :-))
4. Words for the "malware crooks": I really love to see malware "crooks's" faces while they're reading this post :P) A few words for the malware coders from us; We are security engineers here, we reverse stuffs very good, we investigate things deep, don't make us coming at you now, STOP your coding malware practise and get the decent work like all of us. Life, no matter what, is never easy, let's code something useful & positive even we only receive few pennies for it.
Samples
.@OrLiraz Here is recent of Zbot #Gameover I analysed (pic) http://t.co/eJsmrm8fZI
pwd is as usual.
#MalwareMustDie! pic.twitter.com/Bk9x38x2CN
— MalwareMustDie, NPO (@MalwareMustDie) March 25, 2014
Additional & Follow up
Mr. Conrad Longmore was extracting more related DGA via verdicted IP addresses above, thank's Conrad so we don't have to crack binary per binary to get these. Please visit Dynamoo Blog in the link below:
Malware sites to block 23/3/14 (P2P/Gameover Zeus) http://t.co/H1gDWjZzMc @MalwareMustDie
— Conrad Longmore (@ConradLongmore) March 23, 2014
New set of Zeus #GameOver is on! :-)) (pic) pic.twitter.com/MD3ySoBI2v
— MalwareMustDie, NPO (@MalwareMustDie) March 24, 2014
New set #Gameover in VT: Zbot: https://t.co/HzWueCa5Cg Rootkit: https://t.co/h3GHBUycv6 Upatre: https://t.co/2h0qIya0OA
#MalwareMustDie
— MalwareMustDie, NPO (@MalwareMustDie) March 24, 2014
Recent #Zbot/Gameover extracted DGA added: http://t.co/kyxxjzw6NF, thx @malm0u53 for sample. One IP is ALIVE (pic) pic.twitter.com/O1ikS5Hh5m
— MalwareMustDie, NPO (@MalwareMustDie) March 25, 2014
#Zeus #Gameover success #CNC encrypted callbacks(pic) <ALIVE
See the IP? it mached to activated DGA
#MalwareMustDie! pic.twitter.com/pj7KxM0QFe
— MalwareMustDie, NPO (@MalwareMustDie) March 25, 2014
@MalwareMustDie cool write up, here are some CNC addresses from the end of March http://t.co/KJBQQyXQ7B DM me if you want more samples
— thegmoo (@thegmoo) April 6, 2014
Epilogue
What we are posting here is the knowledge for awareness of many PC users, the victims who are getting many hits by this malware's infection, whose credentials were stolen in some botnets panel by these GMO's affiliated gates/panels, to inform you that actually there are so many methodology that can be applied and executed to stop the malware infection scheme that is coming from/using internet. As long as the good guys are still in control in the networking and internet, the scheme to stop malware infection via malvertisement can always be applied.
The only problem is always: HOW BAD we REALLY want to stop these malware?
#MalwareMustDie!!