Wednesday, July 29, 2015

Indicators - Banking Trojan

Threat: Banking Trojan / ZeuS

These domain requests lit up the DNS logs. After a user runs an executable attached to an email, the malware attempts many DNS requests to the sites below. There are some good indicators here, along with a regex to help you find the activity in your logs or PCAP files.

Network Analysis:

The malware will make multiple DNS type A queries and HTTP POST connections to the following second level domains (SLDs):
  • dwhxopmcgpix
  • hrjyvfeduuts
  • ipjbvvnjobll
  • jmdwnsmripqn
  • lgccwnffuuwx
  • ncdebbobqmyi
  • njbkkylgqqqp
  • nmhvbbgccckx
  • nnqksrgtdhjk
  • omiwfmnejorf
  • owvcjnfuwtoo
  • pckffwcqdebn
  • pdvxqjnssltt
  • piwxvumpyptp
  • ruutsckgffnj
  • smqwonbiiymq
  • ttsjrnffxovu
  • wwxthsqmupii
Now, each one of these SLDs is followed by one of four top level domains (TLDs):
  • .com
  • .in
  • .net
  • .ru
So all together it will repeatedly make 72 (18 x 4) DNS type A requests. It will also make a single request to the following host:
  • f02783mat0i5r1t.cc
There is also a unique HTTP URI path used when the malware attempts to make HTTP requests:
  • /for193gd63891mat/
Observations:

Each SLD is 12 characters long followed by one of the above four TLDs; the oddball domain (f02783mat0i5r1t.cc) is the only exception. The SLDs use characters from the English alphabet except for 'a' and 'z'; again the f02783mat0i5r1t.cc domain is the only exception. All HTTP requests are POST over port 80.

Regex:

The following regex should find any of the 12-character hosts above (the f02783mat0i5r1t.cc host does not match it and needs a separate literal search).
  • ([b-y]{12})([\.](com|in|net|ru))
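As an added example (not code from the post), the following Python puts the regex above to work on constructed DNS log lines. It anchors the pattern with word boundaries so that a 12-letter run inside a longer hostname does not match, checks the oddball host literally, and reports clients that query several of the generated domains. The log format "client qtype qname" is an assumption.

```python
import re
from collections import defaultdict

# Regex from the post, anchored with \b so "cdefghijklmn" inside a longer label
# such as mail.bcdefghijklmn.net does not match; the oddball host is matched literally.
SLD_RE = re.compile(r"\b([b-y]{12})\.(com|in|net|ru)\b")
ODDBALL = "f02783mat0i5r1t.cc"

# Constructed sample DNS log lines: "<client> <qtype> <qname>" (not from the post).
SAMPLE_LOG = """\
10.0.0.5 A dwhxopmcgpix.com
10.0.0.5 A dwhxopmcgpix.in
10.0.0.5 A hrjyvfeduuts.ru
10.0.0.5 A f02783mat0i5r1t.cc
10.0.0.7 A www.example.com
10.0.0.7 A mail.bcdefghijklmn.net
10.0.0.7 AAAA dwhxopmcgpix.net
"""


def scan_dns_log(text):
    """Return {client: {"domains": set(...), "oddball": bool}} for type A
    queries that match the post's indicators."""
    hits = defaultdict(lambda: {"domains": set(), "oddball": False})
    for line in text.splitlines():
        try:
            client, qtype, qname = line.split()
        except ValueError:
            continue  # skip malformed lines
        if qtype != "A":
            continue  # the post only describes type A queries
        qname = qname.lower().rstrip(".")
        if qname == ODDBALL:
            hits[client]["oddball"] = True
        elif SLD_RE.search(qname):
            hits[client]["domains"].add(qname)
    return dict(hits)


def suspicious_clients(text, min_domains=2):
    """Clients that queried several generated domains, or the oddball host."""
    return sorted(c for c, h in scan_dns_log(text).items()
                  if len(h["domains"]) >= min_domains or h["oddball"])
```

Lowering min_domains to 1 trades precision for recall; the 72-request burst described above means an infected host normally trips the default quickly.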
Further Information:

Wednesday, January 14, 2015

Indicators - Houdini RAT

Threat Name: Houdini

Variants or Other Possible Names: njRAT, Iniduoh.

This RAT (Remote Access Trojan) has been around for a while, and was first written up by FireEye. It is a pretty nasty RAT, but is quite easy to find in log files. I will go over the indicators on FireEye's website, as well as some other indicators not listed there.

Remote Host Connections:

The author is fascinated with no-ip.info and zapto.org, so start your search with those domains. Below are several other domains used by the RAT:
  • introworld.zapto.org
  • j2w2d.no-ip.biz (31.186.179.230)
  • qwqhack.no-ip.biz (37.239.116.223)
  • paltalk.servequake.com
  • terminator9.zapto.org
  • basss.no-ip.info
  • bg1337.zapto.org
  • ronaldo-123.no-ip.biz

HTTP URI Indicators:
  • /is-ready
HTTP Request Methods:
  • POST
User-agent String Values:

This is an easy catch. The below value is used as a separator in the user-agent string field:
  • <|>
Associated Snort Rule:
  • alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; classtype:trojan-activity; sid:28817; rev:3;)
Regex:

Search in the user-agent string field.
  • <\|>
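As an added example (not from the post or from the Snort rule's authors), the Python below translates the content/distance/within chain of the Snort rule above into a checker for a single HTTP request, so you can test a captured request without running Snort. The sample request is constructed from the rule's structure only, and the relative-match semantics (distance shifts the search start, within caps the search window) are my reading of the rule.

```python
import re


def snort_hex(s):
    """Expand Snort |hex| escapes: 'User|2D|Agent|3A 20|' -> b'User-Agent: '."""
    def repl(m):
        return bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1")
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", repl, s).encode("latin-1")


# (content, distance, within) triples copied from the rule's http_header matches.
HEADER_CHAIN = [
    (snort_hex("User|2D|Agent|3A 20|"), 0, None),
    (snort_hex("|3C 7C 3E|"), 8, 3),
    (snort_hex("|3C 7C 3E|"), 0, 18),
    (snort_hex("|3C 7C 3E|Microsoft Windows"), 0, 84),
]


def match_chain(buf, chain):
    """Emulate Snort relative matching: each content is searched starting
    `distance` bytes after the previous match and, when `within` is set,
    must end inside the next `within` bytes."""
    pos = 0
    for content, distance, within in chain:
        start = pos + distance
        end = len(buf) if within is None else start + within
        idx = buf.find(content, start, end)
        if idx == -1:
            return False
        pos = idx + len(content)
    return True


def matches_houdini_rule(request):
    """True when the request line carries /is-ready and the headers satisfy
    the rule's User-Agent separator chain."""
    head, _, _ = request.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2 or b"/is-ready" not in parts[1]:
        return False
    return match_chain(headers, HEADER_CHAIN)


# Constructed request (not a real capture): 8-char field, host, user, OS string.
SAMPLE_REQUEST = (b"POST /is-ready HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: F0E1D2C3<|>LABHOST01<|>alice<|>Microsoft Windows 7\r\n\r\n")
```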
Conclusion:

I was never able to find much information on this RAT, and I hope this helps you out in your searches.

Friday, January 9, 2015

Indicators - Mudrop Malware

Threat Name: Mudrop

Mudrop has been around for a while. There are plenty of Snort rules for it and I am pretty sure that many anti-virus applications can find and remove the infection. However, it is always good to know what to look for no matter how old the data. This information can be used for alerting, blocking, or digging through old logs.

Remote Host Connections:

  • api.batbrowse.com (70.186.131.145)
  • api.jotzey.net (70.186.131.34)
  • api.kozaka.net (70.186.131.178)
  • api.linkswift.co (70.186.131.183)
  • api.luckyleap.net (70.186.131.184)
  • api.myfindright.com (70.186.131.61)
  • api.plurpush.net (70.186.131.198)
  • api.secretsauce.biz (70.186.131.214)
  • api.webconnect.co (70.186.131.230)
  • api.whilokii.net (70.186.131.234)
  • api.lemurleap.info (70.186.131.186)
  • api.a-tu-zi.com (70.186.131.16)

HTTP URI Indicators:

The following can be found in the URI:
  • /gdp?alpha=
  • /gdi?alpha=
  • /gcs?alpha=
  • /gmi?alpha=
  • /rs
The URIs containing "alpha" will be followed by Base64 values. The URI containing "/rs" will not be followed by other characters.

HTTP Request Methods:
  • POST
  • GET
POST methods will contact the host with the "/rs" in the URI, while GET methods will contact the other hosts with "alpha" in the URI.

Regex:

The following is a good start at locating Mudrop infections in log files:
  • \/([a-z]{3})\?alpha=
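As an added example (not code from the post), the following Python builds on the regex above: it restricts the three-letter path to the four endpoints listed, checks that the alpha= value really is Base64, and applies the method pairing described above (GET with alpha=, POST with /rs), flagging requests that use the indicator paths with the wrong method. The proxy log format "client method host uri" is an assumption.

```python
import base64
import binascii
import re

# Regex from the post, extended (assumption) to the four listed endpoints and
# to capture the Base64 payload that follows alpha=.
ALPHA_RE = re.compile(r"^/(gdp|gdi|gcs|gmi)\?alpha=([A-Za-z0-9+/]+=*)$")
RS_RE = re.compile(r"^/rs$")


def classify(method, uri):
    """Return 'mudrop-get', 'mudrop-post', 'mismatch' or None for one request."""
    m = ALPHA_RE.match(uri)
    if m:
        try:
            base64.b64decode(m.group(2), validate=True)
        except binascii.Error:
            return None  # path looks right but the payload is not Base64
        return "mudrop-get" if method == "GET" else "mismatch"
    if RS_RE.match(uri):
        return "mudrop-post" if method == "POST" else "mismatch"
    return None


# Constructed proxy log lines "<client> <method> <host> <uri>" (not from the post).
SAMPLE_LOG = """\
10.1.1.4 GET api.kozaka.net /gdp?alpha=aGVsbG8=
10.1.1.4 POST api.kozaka.net /rs
10.1.1.9 GET www.example.com /gmi?alpha=abc
10.1.1.9 GET api.whilokii.net /rs
10.1.1.9 GET www.example.com /index.html
"""


def scan(text):
    """Return (client, host, verdict) for every line that hits an indicator."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        client, method, host, uri = parts
        verdict = classify(method, uri)
        if verdict:
            out.append((client, host, verdict))
    return out
```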
Conclusion:

Feel free to ask questions or comment on the information. Thank you for reading!