Wednesday, July 29, 2015

Indicators - Banking Trojan

Threat: Banking Trojan / ZeuS

These domain requests lit up the DNS logs. After executing an executable file from an email, the malware will attempt many DNS requests to the below sites. There are some good indicators here, along with some regex to help you find the activity in your logs or PCAP files.

Network Analysis:

The malware will make multiple DNS type A queries and HTTP POST connections to the following second level domains (SLDs):
  • dwhxopmcgpix
  • hrjyvfeduuts
  • ipjbvvnjobll
  • jmdwnsmripqn
  • lgccwnffuuwx
  • ncdebbobqmyi
  • njbkkylgqqqp
  • nmhvbbgccckx
  • nnqksrgtdhjk
  • omiwfmnejorf
  • owvcjnfuwtoo
  • pckffwcqdebn
  • pdvxqjnssltt
  • piwxvumpyptp
  • ruutsckgffnj
  • smqwonbiiymq
  • ttsjrnffxovu
  • wwxthsqmupii
Now, each one of these SLDs is followed by one of four top level domains (TLDs):
  • .com
  • .in
  • .net
  • .ru
So all together it will constantly make 72 DNS type A requests. It will also make a single request to the following host:
  • f02783mat0i5r1t.cc
There is also a unique HTTP URI path used when the malware attempts to make HTTP requests:
  • /for193gd63891mat/
Observations:

Each SLD is 12 characters long followed by one of the above four TLDs; the odd ball domain (f02783mat0i5r1t.cc) is the only exception. The SLDs contain all characters in the English alphabet except for the 'a' and 'z' characters; again the f02783mat0i5r1t.cc domain is the only exception.  All HTTP requests are POST over port 80.

Regex:

The following regex should find any of the above hosts.
  • ([b-y]{12})([\.](com|in|net|ru))
Further Information:

Tuesday, July 28, 2015

Houdini Tracker Update

Just a quick post to let you know that I have added a few more indicators to the Houdini RAT tracking list.

Enjoy! I will be updating with another indicator list pretty soon, I just need to clean up a few things.

Wednesday, July 1, 2015

Dyre Controller Servers

I found some interesting connections being made to some remote servers, which appear to be a Dyre botnet. The malware attempts to make a connection to a remote server using a CONNECT request method, followed by a GET with a directory structure containing the host name of the infected machine, the version of Windows the machine is running, and the serial number.

As with any IP address, please be careful when blacklisting as they may be legitimate. Many of the IP's that I looked into were listed on several blacklists, so please do your research. Below is a quick and dirty list of the IP addresses, enjoy!

Remote IP Addresses - CONNECT:
The connections made to the below IP addresses were made with the CONNECT request method.

181.189.152.131:443
184.164.97.60:443
185.31.33.98:443
188.255.236.227:4443
188.255.241.22:4443
194.28.190.84:443
194.28.191.213:443
195.206.255.131:443
195.34.206.204:443
208.123.129.153:4443
208.123.129.218:4443
208.123.135.106:4443
212.37.81.96:4443
212.69.14.89:443
217.23.194.237:443
31.42.170.118:443
38.124.169.163:4443
46.175.23.130:443
67.206.96.30:443
67.206.97.238:443
67.207.228.144:443
67.219.166.113:443
69.118.144.195:4443
75.134.44.251:443
77.104.206.150:443
77.234.235.48:443
80.234.34.137:443
80.87.219.35:443
83.168.164.18:443
84.16.54.22:443
84.16.55.122:443
84.237.229.49:443
85.192.165.229:443
87.116.153.216:443
91.232.157.139:443
91.240.97.141:443
93.91.154.243:443
95.143.131.73:443
184.164.97.242:443
188.123.35.92:443
194.187.219.116:443
213.133.178.154:443
213.174.6.246:4443
31.134.73.151:4443
31.42.172.36:443
46.151.51.75:443
75.98.158.55:443

Remote IP Addresses - GET:
The connections made to the below IP addresses were made with the GET request method. These appear to be the controller servers.

184.164.97.242:443
188.123.35.92:443
194.187.219.116:443
213.133.178.154:443
213.174.6.246:4443
31.134.73.151:4443
31.42.172.36:443

HTTP URI Directory Structure:
The URI directory is a long value that contains unique information pertaining to the infected host. However, there are a few directories that are consistent. Keep in mind that these will only show in the URI when a GET request method has been made.

  • /1106us11/
  • /5/spk/
Thank you for reading, I hope this information is useful!