NetWitness Community

REPOST - ORIGINALLY POSTED NOVEMBER 4, 2010

Recent reports from various sources in the security industry show that a large takedown of servers associated with the “Bredolab” trojan occurred within the past few weeks. While most of the reports have focused around the idea that this infrastructure was solely related to the command and control of Bredolab, our research shows that these servers were used as an all-purpose hosting infrastructure for criminal activity.

This criminal system came to our attention in July 2010, when NetWitness analysts were asked to investigate a hacked wordpress blog.

We found that the following obfuscated script had been injected into all .html and php pages on the site:

When decoded, this script created a redirect to the following location:

hxxp://bakedonlion.ru:8080/google.com/pcpop.com/torrentdownloads.net.php

Further investigation revealed an injection of the script into victim webpages via FTP:

These IPs all connected to the victim website within a 20-minute period on May 8^th, and when plotted on a map, it becomes obvious that this is likely a botnet.

Down the Rabbit-hole

Once we established the source of the website compromise, we began back-tracking into the criminal infrastructure to help develop intelligence that would assist our customers.  What we found was the following:

The initial injected script:

bakedonion.ru:8080/google.com/pcpop.com/torrentdownloads.net.php

redirects to obfuscated scripts:

bakedonion.ru:8080/index.php?pid=1&home=1

then:

bakedonion.ru:8080/jquery.jxx?ver=2.1.5

which ultimately result in exploit code being delivered to the visiting browser.   If successful, the following GET occurs which causes the download of the bredolab malware.

bakedonion.ru:8080/welcome.php?id=6&pid=1&hello=503

Discovery of this infection sequence began a 3-month monitoring activity from June to August 2010.

More on Bredolab

Bredolab rose to prominence in the malware community around the middle of 2009.   Trend Micro has a very good report on the malware’s specifics.

In this particular instance, this Bredolab variant downloaded both Fake AV and ZeuS, which are two well-known malware threats.

1) Fake AV – Installs a fake antivirus program that reports non-existent infections on the host workstation.  The option to “clean” the host is given if the user agrees to pay a fee for the “pro” or “advanced” version of the software.  This particular combination of social engineering and malware has been very popular in the past few years as it has a three-part punch:

1. The miscreant establishes a foothold on the compromised PC.
2. The miscreant makes money from those users that pay the “upgrade” fee.
3. The miscreant has access to the payment method of the user after he or she makes payment (credit card, paypal,etc), which can be used for further fraud.

2) ZeuS – An all-purpose information stealer that has historically been focused on financial fraud.   Because online hosts often have the ability to use a web-based client to remotely manage files and folder on a host, this may likely be one of the sources for the stolen FTP credentials used in script injection. 

Although not part of the campaign detailed here, Bredolab has been observed downloading other malware families, which provided evidence that the operator used the system in pay-per-install affiliate programs or provided install services to other miscreants.

Further into the infrastructure

Shortly after our initial investigation began, open source research in the security community into common paths on the miscreant servers revealed active Apache Server Status pages, a feature in the Apache webserver that allows you to monitor performance of your installation.  This finding allowed us to log and further develop intelligence based on the page visits that we observed on the miscreant servers.

With this bit of information, we were able to take the previously known infection sequence, and expand it:

1) The initial directory sequence observed in the original injected script:

“google.com/pcpop.com/torrentdownloads.net.php”

was only one of many variations, some of which are as follows:

• GET /google.com/gazeta.pl/orkut.com.php HTTP/1.0
• GET /google.com/amazonaws.com/tudou.com.php HTTP/1.0
• GET /dangdang-com/google.com/bing.com.php HTTP/1.0
• GET /elpais-com/google.com/telegraph.co.uk.php HTTP/1.0
• GET /focus-cn/google.com/startimes2.com.php HTTP/1.0
• GET /verizonwireless-com/google.com/blogbus.com.php HTTP/1.0
• GET /vmn-net/google.com/godaddy.com.php HTTP/1.0

We surmised that this seemingly random combination of high-traffic sites served two purposes: 

• Establish “legitimacy” during casual inspection.
• Make the creation of intrusion detection signatures on this particular phase difficult.

2) Specific paths to exploit artifacts, which included: 

• GET /Notes1.pdf HTTP/1.0
• GET /Notes2.pdf HTTP/1.0
• GET /Notes3.pdf HTTP/1.0
• GET /Notes4.pdf HTTP/1.0
• GET /Notes5.pdf HTTP/1.0
• GET /Notes6.pdf HTTP/1.0
• GET /Notes7.pdf HTTP/1.0
• GET /Notes8.pdf HTTP/1.0
• GET /Notes9.pdf HTTP/1.0
• GET /Notes10.pdf HTTP/1.0
• GET /NewGames.jar HTTP/1.0
• GET /Games.jar HTTP/1.0
• GET /Applet1.html HTTP/1.0
• GET /Applet4.html HTTP/1.0
• GET /Applet10.html HTTP/1.0

3)   Additional Malware Downloads: 

• GET /images/gr_old_cr.exe HTTP/1.0

Examining Exploits

By taking a closer look at one of the exploits used in this particular campaign during the observed time period, we saw a common theme that is being used by most criminal elements in the current threat environment.

• Client-side vulnerabilities in third-party software

Criminal elements have learned that organizations typically have OS-level patching under control, but the patching of third-party applications is often outside of the capabilities of most organizations.  This is usually due to both the complication of centralizing third-party patching, but more so because of the linking of commodity technologies, such as PDF readers, into mission-critical business processes that may be interrupted by upgraded versions and require lengthy testing prior to extensive deployment. 

In this case, we see the following exploits being used in the exploit PDFs:

• Adobe util.printf overflow – CVE-2008-2992
• Adobe getIcon overflow – CVE-2009-0927

Which, when successful, calls out to the previously observed urls: 

http://anyscent.ru:8080/welcome.php?id=6&pid=2&hello=503

While we did see multiple versions of this pdf file (1-10), they were all structurally identical, with slight changes to change the file enough to bypass antivirus detection.

A change of tactics

On or around June 11^th, we observed a tactics change by the miscreants, based on the previously observed exploit-cycle. The previously seen requests, such as:

• GET /google.com/y8.com/ynet.com.php HTTP/1.0

Stopped occurring, and we began seeing requests formatted as follows:

• GET /E-mail.js HTTP/1.0
• GET /Filename.js HTTP/1.0
• GET /Gnutella.js HTTP/1.0

These requests were made to the same servers, but on port 80 (rather than the previously observed 8080).    While it wasn’t immediately apparent at the time, this change signified a significant shift from a single domain based compromise structure to a multi-domain system that assigned specific roles to domains according to their desired use. 

An Intelligence Breakthrough

At this point in the investigation, we began linking like servers together based on community reports and our own field work with indicators such as malware and exploit filenames.   Since they all had available server status pages, this again expanded our ability to collect intelligence on this system. A breakthrough occurred when we observed one of the exploit servers transferring a tgz archive from one of the other servers in the system via HTTP. With the proper path, we were then able to retrieve this file directly from the exploit server and further explore it. This archive contained a series of DNS zone configuration files that detailed the infrastructure with labels and allowed us completely map the system as it was updated.  We surmised that the configuration files were used by the criminal miscreants to update their exploit system in an automated fashion.  This would allow quick updates when security researcher activity caused a takedown of a suspect domain.  With this discovery, we began logging changes to the infrastructure on a daily basis.

Mapping the Infrastructure

With the zone information and other monitoring, we observed 114 IP addresses resolving to known malicious domains in this system.

Which, when plotted on a map, looks like:

This map example shows the high concentration of compromised servers in the OVH autonomous system, a large hosting company located in France.  While this shouldn’t specifically illustrate that OVH is overtly malicious, it does show that their hosting strategies are permissive to cybercrime (or at least, they are not staffed or equipped to handle abuse requests in a timely manner.).  This data also doesn’t take into account sink-holing activity, in which a security researcher will register a known malicious domain and redirect its traffic to a friendly server for intelligence or defensive purposes.

Historically, however, OVH has been highly ranked in most “malicious organization lists” which include the following:

• HostExploit – http://hostexploit.com/downloads/view.download/4/27.html
• FIRE: http://www.maliciousnetworks.org/

With our new found intelligence in hand, we began mapping the infrastructure according to labels and descriptions that were part of the zone files.   What we found was a tiered infrastructure that spread domains across specific functions. 

A Tiered-Criminal Infrastructure

After analyzing the DNS configuration over the observed time-period, we classified the servers into four distinct “functions”

These were:

• Command and Control – Domains used for command and control functions
• Traffic – Domains used in script injection tasks
• Exploit – Domains used to exploit visiting browsers
• Supporting – Domains used to support other cybercrime ventures

Command and Control Domains 

During our observation, we tracked 23 domains specifically devoted to C2 activity, which were then sub-divided into other categories:

Most of these domains all used the same registrar:

registrar:  NAUNET-REG-RIPN

Naunet , a Russian registrar located in Moscow, has been highly visible in many “known bad organization” lists.  Accord to data at URIBL (http://uribl.com), nearly 100% of the domains recently registered at this registrar are listed for spam, malware or exploits:

Listed Domains registered at NAUNET-REG-RIPN

97.68% – 970 of 993 domains registered at are listed by URIBL in the 5 day period prior to the 48hr publication delay.

Additionally, the ShadowServer organization has tracked additional malicious  behavior (to which NetWitness was a contributor) from this registrar:

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100815

According to the NAUNET website, multiple avenues of “support” contact information are given for contact, but in our experience, abuse notifications are never answered.   This, combined with observed behavior, makes it highly likely that NAUNET-REG-RIPN is complicit in cybercrime activity, if not directly involved.

Traffic Domains

The next group of domains were what we classified as “traffic domains”.

These domains were used specifically in injection and spam tasks, and either via injected script or direct hyperlink to direct visiting browsers to exploit domains for exploitation and malware downloads:

In the case of this group of domains,  all were registered at NAUNET-REG-RIPN:

Again showing ongoing abuse occurring with this registrar.

Exploit Domains

The third group of domains, which were the most numerous (380) of the classifications, where used exclusively for host exploitation and typically listened on port 8080 for connections:

The majority of these domains were again registered at NAUNET, but we also see an additional familiar face in the “bad registrar” space:

• Registrar: BIZCN.COM, INC.  (number 12 on URIBL.com)
• Registrar: ONLINENIC, INC.
• Registrar: PAKNIC (PRIVATE) LIMITED
• Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER

Supporting Domains 

The fourth and final classification of domains in this infrastructure were devoted to a number of “supporting activities”, most notably elements that are typically the subject matter of mass-spam campaigns.

This includes:

• Pharmacy Sites
• Gambling
• Pornography
• Counterfeit Merchandise
• Pirated Video
• Online Dating

The domains in this group were as follows:

Scan4you.net

An added bit of intelligence that came through the server status pages on these servers was the proxying of “scan4you.net” through all of the exploit domains.  This was evident by the following request:

GET /scan4u/ HTTP/1.0,2010-06-10 10:00:01

GETs of the following URL from any exploit domain on port 8080 resulted in a connection to _http://scan4u.net_

http://domain:8080/scan4u

Scan4you.net is essentially a “criminal virustotal plus”.  That is, it is a service where a miscreant can submit a newly created malware binary to gauge the detection rate of various antivirus vendors.  While similar to virustotal in this regard, the key is that scanned binaries aren’t submitted to the antivirus vendors in question, as is done with virustotal.  A general overview of the service (translated from Russian) shows the following key points:

• The service doesn’t submit to anti-virus vendors.
• Antivirus clients are updated hourly to maintain a current definition set.
• Submitted binaries are rechecked on a schedule and customers are emailed about new detections.

As well as antivirus checks, the miscreants running the service appear to have extended their checks into the online blacklist area: 

“Domain check on presence in black list: ZeuS domain blocklist, ZeuS IP blocklist, ZeuS Tracker, MalwareDomainList (MDL), Google Safe Browsing (FireFox), PhishTank (Opera, WOT, Yahoo! Mail), hpHosts, SPAMHAUS SBL, SPAMHAUS PBL, SPAMHAUS XBL, MalwareUrl,SmartScreen (IE7/IE8 malware & phishing Web site),Norton Safe Web, Panda Antivirus 2010, (Firefox Phishing and Malware Protection), SpamCop.net and RFC-Ignorant.Org.”

This update indicates ongoing blacklist checks across a variety of services, including:

• Security researcher and community published blacklists (zeustracker, malwaredomainlist, malwareurl, phishtank, spamhaus)
• Browser-based anti-phishing technology (google safe browsing, smartscreen)
• Vendor blacklists (Norton, Panda, etc.)

Miscreants using this service have a one-stop shop for both the detection of malicious binaries as well as the existence of their delivery systems in disparate blacklists across the Internet.

Tying it together

When the numbers are looked at as a whole, the infrastructure shows knowledge of defender techniques, as well as insight into the various money-making schemes involved.

Exploit domains are, by far, the largest slice of the total number of involved domains.  Because exploit activity is often the “noisiest” of the infection cycle in a malware campaign and usually the mostly likely target for takedown,  it makes sense that this operator would have a large quantity of such domains to rotate into campaigns as needed. Details showed this was a proxy network as well, so the use of compromised servers as a front-line helps to prevent takedown of the back-end servers feeding the system.

Based on the gathered intelligence as a whole, the operator was likely making money off of this scheme in a number of ways:

• Multiple Bredolab C2 domains indicate a segregated botnet which suggests that the operator rented portions of the botnet out to end-users.
• Executable delivery as part of second-stage after Bredolab installation.
• Executable delivery outside the observed infection chain (directly from a domain subdirectory) suggests hosting services for other malware campaigns.
• Proxying of third-party sites indicates spam-related hosting services for items that are of high risk for takedown. (pharmacy, gambling, pornography, etc.).
• Proxying of the “Scan4you.net” service.

Conclusions 

The intelligence gathered on this system show the continuing advancement of criminal exploit systems and detail the following points:

1. The continued abuse of online hosting and registration services, and the associated lack of action by ICANN and Regional Registries in suspending organizations associated with criminal activity, despite overwhelming evidence of abusive, permissive or neglectful activity.
2. The use of automation to stymie researcher takedown efforts and creatively weighting points in the malware-infection cycle to predict takedown activity (high number of exploit domains compared to others).
3. The use of compromised credentials to inject scripts into benign sites and direct visiting browser systems.
4. The use of compromised servers to host spam-related content and further monetize fraud activity outside of malware infection.
5. The use of proxy networks to obfuscate primary hosts in the infrastructure.

Special thanks to the following researchers, who played a key role in helping us understand this system:

Vitaly Kamluk – Kaspersky Lab, Japan
Steven Burn – Ur I.T. Mate Group

Happy Hunting!

Alex Cox, Principal Research Analyst