Friday, January 9, 2015

Indicators - Mudrop Malware

Threat Name: Mudrop

Mudrop has been around for a while. There are plenty of Snort rules for it and I am pretty sure that many anti-virus applications can find and remove the infection. However, it is always good to know what to look for, no matter how old the data. This information can be used for alerting, blocking, or digging through old logs.

Remote Host Connections:


HTTP URI Indicators:

The following can be found in the URI:
  • /gdp?alpha=
  • /gdi?alpha=
  • /gcs?alpha=
  • /gmi?alpha=
  • /rs

The URIs containing "alpha" are followed by Base64 values. The URI containing "/rs" is not followed by any other characters.

HTTP Request Methods:
  • POST
  • GET

POST requests are sent to the URI containing "/rs", while GET requests are sent to the URIs containing "alpha".

Regex:

The following is a good start at locating Mudrop infections in log files:
  • \/([a-z]{3})\?alpha=
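
As an added example (not code from the original post), the Python below applies the patterns above to log lines: it requires the request method and URI to agree as described (GET with a three-letter path and "alpha=", POST with a bare "/rs"), checks that the alpha value is valid Base64, and reports the hits. The log format, the placeholder hosts and the strict Base64 check are assumptions of this example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Shapes from the post: GET /<3 letters>?alpha=<Base64> and POST /rs with
# nothing after it. Method matching and the Base64 check are added here.
ALPHA_RE = re.compile(r"/([a-z]{3})\?alpha=([A-Za-z0-9+/=]*)$")
RS_RE = re.compile(r"^/rs$")

def is_base64(value: str) -> bool:
    """True if value is non-empty, padded, strictly valid standard Base64."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def classify(method: str, uri: str) -> Optional[str]:
    """Return a label if (method, uri) fits the Mudrop beacon shape, else None."""
    m = ALPHA_RE.search(uri)
    if m and method == "GET" and is_base64(m.group(2)):
        return "mudrop-get-" + m.group(1)  # e.g. mudrop-get-gdp
    if method == "POST" and RS_RE.match(uri):
        return "mudrop-post-rs"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan assumed 'ts src method host uri status' lines; return (src, host, label)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than guessing fields
        _ts, src, method, host, uri, _status = fields
        label = classify(method, uri)
        if label:
            hits.append((src, host, label))
    return hits

# Constructed sample log lines (not real traffic); hosts are placeholders.
SAMPLE_LOG = """\
2015-01-09T10:01:02Z 10.0.0.5 GET api.example.invalid /gdp?alpha=aGVsbG8gd29ybGQ= 200
2015-01-09T10:01:03Z 10.0.0.5 POST api.example.invalid /rs 200
2015-01-09T10:01:04Z 10.0.0.7 GET www.example.invalid /index.html 200
2015-01-09T10:01:05Z 10.0.0.9 GET cdn.example.invalid /abc?alpha=not-b64! 200
2015-01-09T10:01:06Z 10.0.0.5 GET api.example.invalid /rs/extra 200
""".splitlines()
```

Only the first two sample lines are reported; the "/rs/extra" and non-Base64 lines are rejected because the post says "/rs" is followed by nothing and "alpha" is followed by Base64.
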

Conclusion:

Feel free to ask questions or comment on the information. Thank you for reading!
