ZeroAccess and Sirefef are two common names for the same rootkit. We have been observing ZeroAccess since 2010, but it was hardly a factor back then. Variants observed in 2012 show that it has completely shifted and now operates entirely in user mode! It now resides completely in memory and trojans services.exe and other system processes (64-bit and most 32-bit infections).
In June 2012 we saw a new publisher program launched, and from information picked up in some of the darkest channels on EFNET, top affiliates were earning as much as $300 per 1000 infections and pushing past the $10k/month mark. The updated version of ZA does not use kernel-mode drivers, as it did previously, and does not have hidden file storage either. The affiliate program substitutes its own choices for the results of popular search engines (a form of click fraud) as a means of monetization.
The ZA rootkit has a hardcoded list of 256 P2P IP addresses that it passes on to each infected host, and it transmits data throughout the P2P network non-stop, 24 hours a day, at an average one-second packet delay and a fixed 16-byte packet length. We observed in our lab that each infected host was consuming 0.1 Mbit/s, which adds up to about 32 gigabytes a month per infection! Several different UDP ports were observed and confirmed for this pattern matching ZA: 15437, 16461, 16464, 16465, 16470 and 16471.
If you capture thirty or so consecutive UDP packets sent out with a packet length of 16 to unique destination IPs on one of these ports (15437, 16461, 16464, 16465, 16470 or 16471), there is a high probability that ZeroAccess/Sirefef is running amok on the system!
The variation in the ports used for the P2P network segregates the botnets. Research suggests that ports 16470 and 16471 are for 64-bit infected hosts, which participate in bitcoin operations; 16464/16465 have mainly been seen used for click fraud and with 32-bit machines.
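As an added example (not code from the original post), here is the beacon heuristic above applied to constructed flow records in Python: a run of thirty or so consecutive 16-byte UDP packets to distinct peers on one of the listed ports flags a host, and the port is mapped to the botnet segment described above. The Flow record layout and the sample addresses are assumptions made for this example.

```python
from collections import namedtuple

# One outbound packet record; a layout constructed for this example, not a real capture format
Flow = namedtuple("Flow", "ts src_ip dst_ip proto dst_port length")

# ZeroAccess P2P ports and the botnet segment the post associates with them
ZA_P2P_PORTS = {15437: "P2P", 16461: "P2P",
                16464: "P2P 32-bit/click-fraud", 16465: "P2P 32-bit/click-fraud",
                16470: "P2P 64-bit/bitcoin", 16471: "P2P 64-bit/bitcoin"}
ZA_PACKET_LEN = 16   # fixed 16-byte UDP packets
MIN_RUN = 30         # "thirty or so" consecutive packets to distinct peers

def find_za_beacons(flows, min_run=MIN_RUN):
    """Return {(src_ip, dst_port): segment} for hosts that emit at least min_run
    consecutive 16-byte UDP packets to distinct peers on a ZeroAccess P2P port."""
    runs, hits = {}, {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "udp" or f.dst_port not in ZA_P2P_PORTS:
            continue                      # DNS, HTTP, etc. neither extend nor break a run
        key = (f.src_ip, f.dst_port)
        count, seen = runs.get(key, (0, set()))
        if f.length == ZA_PACKET_LEN and f.dst_ip not in seen:
            seen.add(f.dst_ip)
            count += 1
        elif f.length == ZA_PACKET_LEN:
            count, seen = 1, {f.dst_ip}   # repeated peer: start a fresh run
        else:
            count, seen = 0, set()        # wrong packet size breaks the run
        runs[key] = (count, seen)
        if count >= min_run:
            hits[key] = ZA_P2P_PORTS[f.dst_port]
    return hits

def build_sample():
    """Constructed sample traffic exercising the heuristic (not from a real host)."""
    flows = []
    for i in range(40):   # infected host: one 16-byte packet per second to 40 distinct peers
        flows.append(Flow(i, "10.0.0.5", f"203.0.113.{i + 1}", "udp", 16471, 16))
        if i % 10 == 0:   # interleaved DNS lookups must not break the run
            flows.append(Flow(i + 0.5, "10.0.0.5", "10.0.0.1", "udp", 53, 60))
    for i in range(40):   # 16-byte packets but always to one peer: no P2P fan-out
        flows.append(Flow(i, "10.0.0.9", "198.51.100.7", "udp", 16464, 16))
    for i in range(20):   # genuine fan-out, but too short to reach the threshold
        flows.append(Flow(i, "10.0.0.12", f"192.0.2.{i + 1}", "udp", 16470, 16))
    return flows

if __name__ == "__main__":
    for (host, port), segment in sorted(find_za_beacons(build_sample()).items()):
        print(f"{host} -> UDP/{port}: likely ZeroAccess/Sirefef ({segment})")
```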
ZeroAccess does not use “typical” C2 servers; most of the C2 communication is done via UDP on the P2P network through obfuscated commands. Hidden in the traffic we noticed time and again some of the same servers: 184.108.40.206 is one of the many IPs the infected host calls back to on UDP port 53, and 220.127.116.11 on port 123, also UDP.
The Sirefef.EZ/Sirefef.EU and Sirefef.AE variants have been observed using a special plugin feature to load affiliate clickservers.
The clickserver downloads a list of URLs to redirect the bots to, and the affiliates are paid a percentage of the revenue earned or a flat rate ($0.30 per infection). Clickservers can be used with many different malware infections, which sometimes makes it hard to link them to any specific malware. We have observed these clickservers being loaded by ZeroAccess/Sirefef, ZeuS, Kelihos and FakeAV malware.
To try to identify the source of the malware from just the GET request, here is an example of a ZeroAccess GET string sent to a clickserver:
Decoding this string gives the following result:
Breaking it down, we can see the following:
id=b7cc1f3c (bot identifier?)
aid=30348 (affiliate ID, presumably)
sid=5 (site ID, possibly the advertising site ID; we noticed Voodoo and other domain parking publishers being used as part of the click fraud, which seemed commonly to lead back to the Google domain publisher program)
os=5.1-32 (Windows NT 5.1, which is Windows XP; the 32 indicates a 32-bit OS)
Here are some clickserver links we pulled from traffic logs of different ZA/Sirefef variant infections over time:
Other known ZeroAccess/Sirefef callbacks and activities:
ZeroAccess.B/Sirefef.P – Last Seen: 8-17-12 (UDP/16471 Beacon)
URL: http://promos.fling.com/geo/txt/city.php TYPE: GET UA: None
URL: http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31151618 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
ZeroAccess.P/Sirefef.EW – Last Seen: 8-17-12 (UDP/16464 Beacon)
URL: http://promos.fling.com/geo/txt/city.php TYPE: GET UA: None
URL: http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=1&digits=10&siteId=554 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=2&digits=10&siteId=675 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=3&digits=10&siteId=685 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=4&digits=10&siteId=555 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
ZeroAccess.FN/Sirefef.M – Last Seen: 8-15-12 (UDP/16471 Beacon)
URL: http://promos.fling.com/geo/txt/city.php TYPE: GET UA: None
URL: http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31236608 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=2&digits=10&siteId=31236729 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=3&digits=10&siteId=31236739 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=4&digits=10&siteId=31236609 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=5&digits=10&siteId=31236628 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
URL: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab TYPE: GET UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)
URL: http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab TYPE: GET UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)
URL: http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_cab_ax_sgn.z TYPE: GET UA: Flash Player Seed/3.0
ZeroAccess.ER/Sirefef.P – Last Seen: 6-28-12 (UDP/16471 Beacon)
URL: http://promos.fling.com/geo/txt/city.php TYPE: GET UA: None
URL: http://livecounter.co/count.php?id=31186432&c=1&d=7&s=0 TYPE: GET UA: Opera/9 (Windows NT 5.1; DE; x86)
ZAccess.CV – Last Seen: 3-22-2012 (UDP/16470 Beacon)
On August 13th, 2012, students at two major East Coast US universities were back in session, and the network admins were simply not prepared for what the students had brought onto their networks. They reported over 850 different student computers all beaconing at the same time, making the universities participants in the ZeroAccess peer-to-peer botnet. The total bandwidth reportedly consumed by the ZeroAccess botnet at these two campuses within 24 hours was 1.59 terabits!
By Chris Hadnagy
20 years. Hard to believe, but Defcon has been around for 2 decades. And Black Hat has been doing its thing for 15 years and continues to buck the conference trend and grow in attendance each year. These two security conferences are some of the pace-setting events for our industry. For the last few years, the crew at Social-Engineer has been a part of these events, and this year is no different.
As you may know, we have 2 arms of our organization. Social-Engineer.org is the free web portal that strives to achieve “Security Through Education,” not only with our core crew but also with many excellent contributors. Social-Engineer.com is our commercial arm, offering social engineering services (such as penetration tests) and training. Here is a rundown of our events, happenings and schedule during the annual pilgrimage to Vegas.
Social engineering is not an easy topic to teach. Because it is so human-based, much of the training that existed tended to be very much like lectures. It was this fact that created the challenge my old mentor put to me.
Quickly I began running ideas by my partner in SEORG (at the time), Jim O’Gorman. He had a good mind for telling me when I was just full of BS and when I was hitting a good note. As I ran through my ideas for how to structure a social engineering class, he helped me mold and shape the good ones as well as trim the bad.
1.5 years later, what was born was “Social Engineering For Penetration Testers,” the 5-day, non-stop thrill ride that challenged everything we knew about SE training. Now came the challenge: to present this to the board at Black Hat and see what they thought.
Well, this is not news anymore, but we got accepted and are conducting the first ever social engineering training in BH’s 15-year history. That is kinda huge for us, but not as great as seeing the class sell out, with a small waiting list too.
We are truly excited to have this opportunity. We will let you know how it goes after.
After only a few hours of rest we will be heading over to the Rio to take part in the mayhem called Defcon. Whatever “free” time we thought we had before will be quickly dispatched by an amazingly full schedule. We are running two capture the flag events: the 3rd annual Social-Engineering CTF: Battle of the SExes and the 2nd annual Social-Engineering CTF for Kids: Return of the Schmooze. These two very different events have one common goal: to be fun and educational.
First to mention is the SECTF for Kids. Last year was our first attempt at helping run Defcon Kids. We came up with a “Treasure Hunt,” social engineering style. Kids had to crack ciphers, pick locks, read microexpressions and race against the clock while gathering clues. And what was the one major complaint we got from the kids???
“IT WAS TOO EASY!”
Well my young social engineering friends, wipe those thoughts from your tiny little heads. This year I have had no mercy on your souls. The ciphers are harder, the clues are more difficult, the track is longer, the locks are more tedious… Oh and parents, we enforce a lunch break. Wait until you see how. This year will prove to challenge the most advanced child hacker, while teaching skills that will be useful for the rest of their lives.
The main event for us is the SECTF. Each year we try to make it bigger, badder and better. The last two years we saw a trend… a lot of women in the audience and none on the stage. Yet I know that 1) there are women in SE/IT and 2) they are usually better than us guys at it.
I set out on a year-long campaign (starting from last Defcon) to promote, talk about, survey and blog on the role women play in SE. Then we launched this year’s SECTF, Battle of the SExes… yes, a battle not just of SE prowess, but also of who could win head to head: men against women.
The results are amazing so far. 10 men pitted against 10 women in a heated battle to prove not only is social engineering still a legitimate threat in 2012, but also which gender is better at it. The targets have been assigned, and the reports are already in. What is amazing to us this year is the quality of the reports. It seems we have hit some professionals this year. The report writing is of epic quality, and the flags found online prove again that social engineering is a huge threat that is just not being addressed.
All of this fun is not set to end there. Sunday AM will mark a momentous event for the crew at Social-Engineer as we record our 3 year anniversary podcast. For us this is a milestone, as so much has changed from Day 1, but we are happy to have made it this far.
We will celebrate with a room full of friends when each gets a special gift… that is all I can say… if you want to see and hear the podcast you have two options. First, be there. That is the best option. Seating will be limited as the room we have this year is smaller, much smaller (boooo Defcon), but that means our podcast will be packed out. Oh, I almost forgot the second option… yes another first for SEORG… we will be LIVE STREAMING our podcast complete with chat functionality.
Check out http://www.social-engineer.org/defcon-schedule/ for the latest schedule and URLs.
Enough? You want more? Maybe there will be a few extra surprises… to find out, find me in Vegas. See you then… till next month.
If you have comments or questions, please feel free to reach out to me at
Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 14 years. Presently his focus is on the “human” aspect of technology such as social engineering and physical security. Chris has spent time in providing training in many topics around the globe and also has had many articles published in local, national and international magazines and journals. He is also the lead developer of Social-Engineer.Org as well as the author of the best-selling book, Social Engineering: The Art of Human Hacking.
He has launched a line of professional social engineering training and pen testing services at Social-Engineer.Com. His goal is to help companies remain secure by educating them on the methods the “bad guys” use. By analyzing, studying, dissecting and then performing the very same attacks used by malicious hackers in some of the most recent attacks (e.g. Sony, HBGary, Lockheed Martin, etc.), Chris is able to help companies stay educated and secure. Chris can be found online at http://www.social-engineer.org/, http://www.social-engineer.com/ and on Twitter as @humanhacker.
Article source: http://www.ethicalhacker.net/content/view/436/24/