Convered PCAP Traffic Samples | Certified Ethical Hackers Security Analyst Malware Hacking Information | Page 2

ZeroAccess and Sirefef are two common names for the same rootkit. We have been observing ZeroAccess since 2010, but it was hardly a factor back then. Variants observed in 2012 show that it has shifted completely to user mode: it now resides entirely in memory and injects itself into services.exe and other system processes (on 64-bit and most 32-bit infections).

In June 2012 we saw a new publisher (affiliate) program launched, and from information gleaned from some of the darkest channels on EFnet, top affiliates were earning as much as $300 per 1,000 infections and pushing past the $10k/month mark. The updated version of ZA does not use kernel-mode drivers, as earlier versions did, and no longer has hidden file storage. The affiliate program substitutes its own choices for the results of popular search engines, a form of click fraud, as its means of monetization.

The ZA rootkit carries a hardcoded list of 256 P2P IP addresses that it hands to each infected host, and it transmits data across the P2P network non-stop, 24 hours a day, at an average of one packet per second with a fixed 16-byte packet length. In our lab each infected host consumed about 0.1 Mbit/s, which adds up to roughly 32 GB a month per infection. Several UDP ports were observed and confirmed for this pattern, matching ZA: 15437, 16461, 16464, 16465, 16470 and 16471.

If you capture thirty or so consecutive outbound UDP packets of length 16, each to a unique destination IP on one of these ports (15437, 16461, 16464, 16465, 16470 or 16471), there is a high probability that ZeroAccess/Sirefef is running amok on the system.

The variation in the ports used for the P2P network segregates the botnets. Research suggests that ports 16470 and 16471 serve 64-bit infected hosts, which take part in bitcoin-mining operations, while 16464/16465 have mainly been seen on 32-bit machines used for click fraud.

ZeroAccess does not use "typical" C2 servers; most C2 communication is carried over UDP on the P2P network as obfuscated commands. Hidden in that traffic we noticed, time and again, some of the same servers: 83.133.123.20 is one of many IPs the infected host calls back to on UDP port 53, and 195.3.145.57 is contacted on UDP port 123.
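To turn the beacon heuristic in the preceding paragraphs into something that runs over exported flow records, here is an added example (not code from the original post). It assumes records of the form (timestamp, src_ip, dst_ip, dst_port, udp_payload_length), as a tshark or Zeek export of outbound UDP traffic would give you; it takes the "packet length of 16" above to mean the UDP payload length (an assumption); and it treats the 83.133.123.20:53 and 195.3.145.57:123 callbacks named above as corroborating indicators. The traffic it runs on is constructed, not a real capture.

```python
"""ZeroAccess/Sirefef P2P beacon heuristic over outbound UDP records.

Added example, not code from the original post. Each record is
(ts_seconds, src_ip, dst_ip, dst_port, udp_payload_len). The sample
traffic in sample_records() is constructed, not a real capture.
"""
from collections import defaultdict

ZA_P2P_PORTS = {15437, 16461, 16464, 16465, 16470, 16471}
# Callback endpoints named in the text (UDP/53 and UDP/123 to fixed IPs).
ZA_CALLBACKS = {("83.133.123.20", 53), ("195.3.145.57", 123)}
RUN_THRESHOLD = 30   # "thirty or so consecutive" datagrams
PAYLOAD_LEN = 16     # assumption: the 16-byte "packet length" is the UDP payload


def _empty_run():
    return {"run": 0, "ports": set(), "seen": set(), "start": None, "end": None}


def detect_zeroaccess(records, run_threshold=RUN_THRESHOLD):
    """Return {src_ip: report} for every host whose longest run of consecutive
    outbound UDP datagrams (16-byte payload, ZA port, every destination IP
    distinct) reaches run_threshold. Any other outbound datagram ends a run."""
    per_host = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[0]):
        per_host[rec[1]].append(rec)

    hits = {}
    for src, recs in per_host.items():
        best = {"run": 0, "ports": set(), "span_s": 0.0}
        cur = _empty_run()
        callbacks = set()
        for ts, _, dst, dport, plen in recs:
            if (dst, dport) in ZA_CALLBACKS:
                callbacks.add(f"{dst}:{dport}")
            if dport not in ZA_P2P_PORTS or plen != PAYLOAD_LEN:
                cur = _empty_run()      # DNS, NTP, anything else breaks the run
                continue
            if dst in cur["seen"]:
                cur = _empty_run()      # repeated peer: this datagram starts a new run
            if cur["run"] == 0:
                cur["start"] = ts
            cur["run"] += 1
            cur["end"] = ts
            cur["ports"].add(dport)
            cur["seen"].add(dst)
            if cur["run"] > best["run"]:
                best = {"run": cur["run"], "ports": set(cur["ports"]),
                        "span_s": cur["end"] - cur["start"]}
        if best["run"] >= run_threshold:
            hits[src] = {"run": best["run"], "ports": sorted(best["ports"]),
                         "span_s": round(best["span_s"], 3),
                         "callbacks": sorted(callbacks)}
    return hits


def sample_records():
    """Constructed traffic: one host beaconing like ZA, one doing ordinary DNS."""
    t0 = 1345000000.0
    recs = []
    for i in range(35):   # one 16-byte datagram per second, a new peer each time
        recs.append((t0 + i, "10.0.0.5", f"{100 + i}.254.254.254", 16471, 16))
    recs.append((t0 + 35.5, "10.0.0.5", "83.133.123.20", 53, 40))   # callback from the text
    recs.append((t0 + 36.0, "10.0.0.5", "195.3.145.57", 123, 48))   # callback from the text
    for i in range(20):   # benign host: DNS lookups of varying size
        recs.append((t0 + i * 0.5, "10.0.0.7", "8.8.8.8", 53, 30 + i % 5))
    for i in range(3):    # three stray datagrams to a ZA port, well below threshold
        recs.append((t0 + 20 + i, "10.0.0.7", f"198.51.100.{i + 1}", 16464, 16))
    return recs


if __name__ == "__main__":
    for host, report in detect_zeroaccess(sample_records()).items():
        print(host, report)
```

Because any non-P2P datagram ends a run, a host whose resolver traffic interleaves with its beacons will show shorter runs than the text's thirty; lowering run_threshold or pre-filtering port 53 out of the records are the two obvious tuning knobs, and the callback list gives you a second signal to corroborate a borderline run.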

The Sirefef.EZ, Sirefef.EU and Sirefef.AE variants have been observed using a plugin feature to load affiliate clickservers.

The clickserver downloads a list of URLs to which the bots are redirected; affiliates are paid either a percentage of the revenue earned or a flat rate ($0.30 per infection). Clickservers are used with many different malware families, which sometimes makes it hard to link them to any specific malware. We have observed these clickservers being loaded by ZeroAccess/Sirefef, ZeuS, Kelihos and FakeAV.

It is hard to tell the source of the malware from the GET request alone. Here is an example of a ZeroAccess GET path to a clickserver:

/mfg437RPPwJxdj01LjUmaWQ9YjdjYzFmM2MmYWlkPTMwMzQ4JnNpZD01Jm9zPTUuMS0zMiZmcD0wJmFkPTE=45oIlHWm6w

Base64-decoding it yields a few bytes of junk at either end (the leading and trailing characters are padding) around a readable query string:

v=5.5&id=b7cc1f3c&aid=30348&sid=5&os=5.1-32&fp=0&ad=1

Breaking it down:

id=b7cc1f3c (bot identifier, presumably)

aid=30348 (affiliate ID, presumably)

sid=5 (site ID, possibly the advertising site ID; we noticed Voodoo and other domain-parking publishers being used as part of the click fraud, which commonly led back to the Google domain publisher program)

os=5.1-32 (Windows NT 5.1, i.e. Windows XP, on a 32-bit OS)

The remaining fields (v, fp, ad) barely vary across the samples we captured; v is 5.5 in all but one, where it is 5.2.

Here are some clickserver links pulled from traffic logs of different ZA/Sirefef infections over time, each followed by its decoded query string:

http://217.23.9.139/CsxI66RhMCKfdj01LjUmaWQ9OWNhNTVjZmImYWlkPTMwNDIxJnNpZD0xJm9zPTUuMS0zMiZmcD0wJmFkPTE=54YIlc4z8m

v=5.5&id=9ca55cfb&aid=30421&sid=1&os=5.1-32&fp=0&ad=1

http://217.23.9.139/ihfe56JEKkfxdj01LjUmaWQ9MmQ3M2NmODcmYWlkPTMwNDIxJnNpZD0yJm9zPTUuMS0zMiZmcD0wJmFkPTE=14UvHcyz8w

v=5.5&id=2d73cf87&aid=30421&sid=2&os=5.1-32&fp=0&ad=1

http://217.23.9.139/2faW34Hhhw1Fdj01LjUmaWQ9MmQ3M2NmODcmYWlkPTMwNDIxJnNpZD0yJm9zPTUuMS0zMiZmcD0wJmFkPTE=45xYlu2c7S

v=5.5&id=2d73cf87&aid=30421&sid=2&os=5.1-32&fp=0&ad=1

http://217.23.9.139/Axfp58ZMMZCMdj01LjImaWQ9NzMyMTcwN2MmYWlkPTMwNDk0JnNpZD0wJm9zPTUuMS0zMiZmcD0wJmFkPTE=46ovfcvf5c

v=5.2&id=7321707c&aid=30494&sid=0&os=5.1-32&fp=0&ad=1
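Decoding these by hand, as above, leaves the junk prefix and suffix bytes in the output. The following added example (not code from the original post) does the same job mechanically for any of the paths quoted in this post: it cuts the token at its base64 padding to drop the suffix, then slides the start offset until the decoded bytes form a clean printable key=value&... string, which skips the prefix without assuming its length. The NT version table used to label the os field is the standard Windows mapping, not something the post states beyond 5.1 = XP; the sample paths are the ones quoted above.

```python
"""Decode ZeroAccess clickserver GET paths of the kind quoted in this post.

Added example, not code from the original post. A path is one run of
base64-alphabet characters: junk prefix + base64 body (ending in its '='
padding) + junk suffix. The body decodes to a URL query string.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# A clean query string: printable key=value pairs joined by '&'.
QUERY_RE = re.compile(r"^[\w.-]+=[^&\s]*(?:&[\w.-]+=[^&\s]*)*$")

# Standard Windows NT version numbers for the 'os' field (the post itself
# only identifies 5.1 as Windows XP).
NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
}


def decode_clickserver_path(url_or_path):
    """Return (query_string, fields) for a clickserver URL or path, or None."""
    token = urlsplit(url_or_path).path.lstrip("/")
    pad = token.find("=")
    if pad == -1:
        return None
    end = pad
    while end < len(token) and token[end] == "=":
        end += 1
    body = token[:end]                 # everything after the padding is junk suffix
    # Slide past the junk prefix. Junk groups decode to arbitrary bytes, so the
    # first offset whose decode is printable and query-shaped is the body start.
    for start in range(len(body)):
        chunk = body[start:]
        if len(chunk) % 4:
            continue
        try:
            text = base64.b64decode(chunk, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable() and QUERY_RE.match(text):
            return text, dict(parse_qsl(text, keep_blank_values=True))
    return None


def describe(fields):
    """Label the fields the post identifies (id, aid, sid, os) plus v."""
    nt, _, bits = fields.get("os", "").partition("-")
    os_name = NT_VERSIONS.get(nt, f"NT {nt}") if nt else None
    if os_name and bits:
        os_name = f"{os_name} {bits}-bit"
    return {
        "bot_id": fields.get("id"),
        "affiliate_id": fields.get("aid"),
        "site_id": fields.get("sid"),
        "os": os_name,
        "version": fields.get("v"),
    }


# Paths quoted in the post above.
SAMPLE_PATHS = [
    "/mfg437RPPwJxdj01LjUmaWQ9YjdjYzFmM2MmYWlkPTMwMzQ4JnNpZD01Jm9zPTUuMS0zMiZmcD0wJmFkPTE=45oIlHWm6w",
    "http://217.23.9.139/Axfp58ZMMZCMdj01LjImaWQ9NzMyMTcwN2MmYWlkPTMwNDk0JnNpZD0wJm9zPTUuMS0zMiZmcD0wJmFkPTE=46ovfcvf5c",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        result = decode_clickserver_path(p)
        print(p, "->", result[0] if result else "no query string found")
        if result:
            print("    ", describe(result[1]))
```

Across the five paths on this page the prefix is always 12 characters and the suffix 10, so a fixed slice would also work; the sliding decode is kept because a junk prefix that is not a multiple of four characters long would otherwise shift every byte of the body, and because it tells you when a path simply is not one of these tokens (it returns None rather than garbage).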

———————

 

Other known ZeroAccess/Sirefef callbacks and activities:

ZeroAccess.B/Sirefef.P – Last Seen: 8-17-12 (UDP/16471 Beacon)

HTTP requests…
URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31151618
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.35.82)

TCP connections…
208.91.207.10:80
213.108.252.185:80
68.97.87.253:16471

UDP communications…
8.8.8.8:53
83.133.123.20:53
117.254.254.254:16471

ZeroAccess.P/Sirefef.EW – Last Seen: 8-17-12 (UDP/16464 Beacon)

HTTP requests…
URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=1&digits=10&siteId=554
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=2&digits=10&siteId=675
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=3&digits=10&siteId=685
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=4&digits=10&siteId=555
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

TCP connections…
208.91.207.10:80
213.108.252.185:80
99.230.4.251:16464
76.173.180.248:16464

UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53 (Google DNS)
194.50.116.54:53
66.85.130.234:53

ZeroAccess.FN/Sirefef.M – Last Seen: 8-15-12 (UDP/16471 Beacon)

HTTP requests…
URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31236608
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=2&digits=10&siteId=31236729
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=3&digits=10&siteId=31236739
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=4&digits=10&siteId=31236609
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=5&digits=10&siteId=31236628
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TYPE: GET
UA:   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)

URL:  http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TYPE: GET
UA:   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)

URL:  http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_cab_ax_sgn.z
TYPE: GET
UA:   Flash Player Seed/3.0

DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.39.20)
fpdownload.macromedia.com (2.18.34.70)
fpdownload2.macromedia.com (77.67.27.27)

TCP connections…
208.91.207.10:80
213.108.252.185:80
67.184.54.251:16471
2.18.66.70:80
80.239.221.41:80
2.18.34.70:80

UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53
83.133.123.20:53
67.184.54.251:16471
195.3.145.57:123

ZeroAccess.ER/Sirefef.P – Last Seen: 6-28-12 (UDP/16471 Beaconing)

HTTP requests…
URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://livecounter.co/count.php?id=31186432&c=1&d=7&s=0
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.69.99)

TCP connections…
208.91.207.10:80
184.172.204.122:80
69.244.121.249:16471

UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53
83.133.123.20:53
69.244.121.249:16471
195.3.145.57:123
117.254.254.254:16471
88.254.254.254:16471
75.254.254.254:16471
1.254.254.254:16471
197.253.254.254:16471
190.253.254.254:16471
94.253.254.254:16471
180.252.254.254:16471
95.252.254.254:16471
88.252.254.254:16471
79.251.254.254:16471
201.250.254.254:16471

ZAccess.CV – Last Seen: 3-22-2012 – Infected host beaconing to port 16470

------

On August 13th, 2012 the students of two major East Coast (USA) universities were back in session, and network admins were simply not prepared for what the students had brought onto their networks. They reported over 850 different student computers all beaconing at the same time, making the universities participants in the ZeroAccess peer botnet. The total bandwidth reportedly consumed by the ZeroAccess botnet at these two campuses within 24 hours was 1.59 terabits.

——-


04/22/2007 10:33:08.982203 arp reply 192.168.23.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:08.984112 arp who-has 192.168.23.234 tell 192.168.23.234
04/22/2007 10:33:09.204033 arp reply 192.168.22.238 is-at 0:11:22:33:44:55
04/22/2007 10:33:09.829725 arp reply 192.168.22.238 is-at 0:11:22:33:44:55
04/22/2007 10:33:09.829732 arp who-has 192.168.22.238 tell 192.168.22.238
04/22/2007 10:33:10.113653 arp reply 192.168.23.215 is-at 0:11:22:33:44:55
04/22/2007 10:33:10.673444 arp reply 192.168.22.218 is-at 0:11:22:33:44:55
04/22/2007 10:33:10.674406 arp who-has 192.168.22.218 tell 192.168.22.218
04/22/2007 10:33:11.036496 arp reply 192.168.22.113 is-at 0:11:22:33:44:55
04/22/2007 10:33:11.050290 arp reply 192.168.22.250 is-at 0:11:22:33:44:55
04/22/2007 10:33:11.860959 arp reply 192.168.23.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:11.861958 arp who-has 192.168.23.234 tell 192.168.23.234
04/22/2007 10:33:11.961929 arp reply 192.168.22.250 is-at 0:11:22:33:44:55
04/22/2007 10:33:11.961935 arp who-has 192.168.22.250 tell 192.168.22.250
04/22/2007 10:33:12.320784 arp reply 192.168.22.113 is-at 0:11:22:33:44:55
04/22/2007 10:33:12.812602 arp reply 192.168.23.169 is-at 0:11:22:33:44:55
04/22/2007 10:33:12.812669 arp who-has 192.168.23.169 tell 192.168.23.169
04/22/2007 10:33:13.820203 arp reply 192.168.22.113 is-at 0:11:22:33:44:55
04/22/2007 10:33:14.092177 arp reply 192.168.23.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:14.093079 arp who-has 192.168.23.234 tell 192.168.23.234
04/22/2007 10:33:14.288011 arp reply 192.168.22.237 is-at 0:11:22:33:44:55
04/22/2007 10:33:14.288977 arp who-has 192.168.22.237 tell 192.168.22.237
04/22/2007 10:33:15.207627 arp reply 192.168.23.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:15.208609 arp who-has 192.168.23.234 tell 192.168.23.234
04/22/2007 10:33:15.319633 arp reply 192.168.22.113 is-at 0:11:22:33:44:55
04/22/2007 10:33:15.518591 arp reply 192.168.22.170 is-at 0:11:22:33:44:55
04/22/2007 10:33:15.518597 arp who-has 192.168.22.170 tell 192.168.22.170
04/22/2007 10:33:16.294231 arp reply 192.168.22.190 is-at 0:11:22:33:44:55
04/22/2007 10:33:16.295197 arp who-has 192.168.22.190 tell 192.168.22.190
04/22/2007 10:33:16.323204 arp reply 192.168.23.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:16.324188 arp who-has 192.168.23.234 tell 192.168.23.234
04/22/2007 10:33:16.498141 arp reply 192.168.22.17 is-at 0:11:22:33:44:55
04/22/2007 10:33:16.499125 arp who-has 192.168.22.17 tell 192.168.22.17
04/22/2007 10:33:16.819988 arp reply 192.168.22.113 is-at 0:11:22:33:44:55
04/22/2007 10:33:17.536675 arp reply 192.168.23.11 is-at 0:11:22:33:44:55
04/22/2007 10:33:18.319493 arp reply 192.168.22.113 is-at 0:11:22:33:44:55
04/22/2007 10:33:19.903019 arp reply 192.168.22.238 is-at 0:11:22:33:44:55
04/22/2007 10:33:19.903775 arp who-has 192.168.22.238 tell 192.168.22.238
04/22/2007 10:33:20.179665 arp reply 192.168.23.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:20.180081 arp who-has 192.168.23.234 tell 192.168.23.234
04/22/2007 10:33:21.837018 arp reply 192.168.22.218 is-at 0:11:22:33:44:55
04/22/2007 10:33:21.837999 arp who-has 192.168.22.218 tell 192.168.22.218
04/22/2007 10:33:21.979954 arp reply 192.168.22.250 is-at 0:11:22:33:44:55
04/22/2007 10:33:21.979960 arp who-has 192.168.22.250 tell 192.168.22.250
04/22/2007 10:33:22.949559 arp reply 192.168.23.169 is-at 0:11:22:33:44:55
04/22/2007 10:33:22.950561 arp who-has 192.168.23.169 tell 192.168.23.169
04/22/2007 10:33:24.329210 arp reply 192.168.22.237 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.252778 arp reply 192.168.22.237 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.253626 arp who-has 192.168.22.237 tell 192.168.22.237
04/22/2007 10:33:25.517547 arp reply 192.168.22.170 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.518540 arp who-has 192.168.22.170 tell 192.168.22.170
04/22/2007 10:33:25.766434 arp reply 192.168.22.122 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.766440 arp reply 192.168.22.158 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.766445 arp reply 192.168.22.164 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.776448 arp reply 192.168.23.149 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.776453 arp reply 192.168.22.1 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.777435 arp reply 192.168.23.253 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.777440 arp reply 192.168.22.172 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.781442 arp reply 192.168.23.15 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.781447 arp reply 192.168.23.165 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.782451 arp reply 192.168.23.169 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.783459 arp reply 192.168.22.175 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.784430 arp reply 192.168.22.62 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.785443 arp reply 192.168.22.136 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.786429 arp reply 192.168.23.206 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.786445 arp reply 192.168.22.115 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.787438 arp reply 192.168.22.116 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.787664 arp reply 192.168.22.144 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.788437 arp reply 192.168.22.182 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.789442 arp reply 192.168.22.196 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.790441 arp reply 192.168.22.213 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.790458 arp reply 192.168.22.180 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.791430 arp reply 192.168.22.200 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.792429 arp reply 192.168.23.158 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.792434 arp reply 192.168.22.170 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.793421 arp reply 192.168.22.190 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.794432 arp reply 192.168.22.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.794438 arp reply 192.168.23.107 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.795436 arp reply 192.168.23.0 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.795519 arp reply 192.168.22.17 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.796417 arp reply 192.168.23.23 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.797416 arp reply 192.168.22.65 is-at 0:11:22:33:44:55
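The tcpdump ARP listing above has no commentary, so here is an added example (not code from the original page) of the triage a practitioner would run over it: a parser for tcpdump's "arp reply X is-at MAC" and "arp who-has X tell Y" lines that reports how many IP addresses each MAC claims, which requests are gratuitous (sender and target IP equal), and the peak number of replies in any one-second window. One MAC answering for dozens of IPs, together with bursts of unsolicited replies, is the signature ARP-poisoning and ARP-flooding tools leave on the wire. The embedded sample is a subset of the lines above; the function runs unchanged on the full listing or on live `tcpdump -tttt arp` output.

```python
"""Triage of tcpdump ARP output for poisoning/flooding patterns.

Added example, not code from the original page. SAMPLE is a subset of
the listing above (same format as `tcpdump -tttt arp`).
"""
import re
from collections import defaultdict
from datetime import datetime

REPLY_RE = re.compile(r"^(\S+ \S+) arp reply (\S+) is-at (\S+)$")
WHOHAS_RE = re.compile(r"^(\S+ \S+) arp who-has (\S+) tell (\S+)$")
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"

SAMPLE = """\
04/22/2007 10:33:08.982203 arp reply 192.168.23.234 is-at 0:11:22:33:44:55
04/22/2007 10:33:08.984112 arp who-has 192.168.23.234 tell 192.168.23.234
04/22/2007 10:33:09.204033 arp reply 192.168.22.238 is-at 0:11:22:33:44:55
04/22/2007 10:33:09.829732 arp who-has 192.168.22.238 tell 192.168.22.238
04/22/2007 10:33:10.113653 arp reply 192.168.23.215 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.766434 arp reply 192.168.22.122 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.766440 arp reply 192.168.22.158 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.766445 arp reply 192.168.22.164 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.776448 arp reply 192.168.23.149 is-at 0:11:22:33:44:55
04/22/2007 10:33:25.776453 arp reply 192.168.22.1 is-at 0:11:22:33:44:55
"""


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def _peak_per_window(times, window_s=1.0):
    """Largest number of events inside any window_s-long interval."""
    times = sorted(times)
    peak, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def analyse_arp(lines):
    """Summarise tcpdump ARP lines; lines that are not ARP summaries are ignored."""
    claims = defaultdict(set)   # MAC -> IPs it has answered for
    reply_times = []
    gratuitous = []             # who-has where the asker claims the target IP
    for line in lines:
        line = line.strip()
        m = REPLY_RE.match(line)
        if m:
            reply_times.append(datetime.strptime(m.group(1), TS_FMT))
            claims[m.group(3)].add(m.group(2))
            continue
        m = WHOHAS_RE.match(line)
        if m and m.group(2) == m.group(3):
            gratuitous.append(m.group(2))
    return {
        "replies": len(reply_times),
        "ips_per_mac": {mac: sorted(ips, key=_ip_key) for mac, ips in claims.items()},
        # A legitimate host answers for one address (a router for a few);
        # a MAC claiming many is the poisoning/flooding pattern.
        "suspect_macs": sorted(mac for mac, ips in claims.items() if len(ips) > 1),
        "gratuitous_requests": gratuitous,
        "peak_replies_per_second": _peak_per_window(reply_times),
    }


if __name__ == "__main__":
    report = analyse_arp(SAMPLE.splitlines())
    for mac, ips in report["ips_per_mac"].items():
        print(f"{mac} answered for {len(ips)} addresses: {', '.join(ips)}")
    print("gratuitous requests:", report["gratuitous_requests"])
    print("peak replies in one second:", report["peak_replies_per_second"])
```

On the full listing the single MAC 0:11:22:33:44:55 answers for every address in both the 192.168.22.0/24 and 192.168.23.0/24 ranges that appear, and the burst between 10:33:25.766 and 10:33:25.797 packs over thirty replies into about thirty milliseconds; either observation alone is enough to pull the switch port for that MAC.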
