information | Certified Ethical Hackers Security Analyst Malware Hacking Information

ZeroAccess and Sirefef are two common names for the same rootkit. We have been observing ZeroAccess since 2010, but it was hardly a factor back then. Variants observed in 2012 show that it has shifted completely and now operates entirely in user mode: it resides completely in memory and trojanizes services.exe and other system processes (on 64-bit and most 32-bit infections).

In June 2012 we saw a new publisher program launched, and from information gleaned from some of the darkest channels on EFNET, top affiliates were earning as much as $300 per 1000 infections and pushing past the $10k/month mark. The updated version of ZA doesn’t use kernel-mode drivers, as it did previously, and no longer has hidden file storage either. The affiliate program substitutes its own choices for the results of popular search engines, a form of click fraud, as its means of monetization.

The ZA rootkit has a hardcoded list of 256 P2P IP addresses that it passes on to each infected host, and it transmits data throughout the P2P network non-stop, 24 hours a day, at an average packet delay of one second and a fixed 16-byte packet length. We observed in our lab that each infected host was consuming 0.1 Mbit/s, which adds up to about 32 gigabytes a month per infection! Several different UDP ports were observed and confirmed for this pattern and matched to ZA: 15437, 16461, 16464, 16465, 16470 and 16471.

If you capture thirty or so consecutive UDP packets sent out with a packet length of 16 to unique destination IPs on one of these ports (15437, 16461, 16464, 16465, 16470 or 16471), there is a high probability that ZeroAccess/Sirefef is running amok on the system!

The variation in the ports used for the P2P network segregates the botnets. Research suggests that ports 16470 and 16471 are for 64-bit infected hosts, which participate in bitcoin operations, while 16464/16465 have mainly been seen in click fraud and on 32-bit machines.
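As an added example (not code from the original post), here is a small Python detector for the beacon pattern just described: thirty or so consecutive 16-byte UDP datagrams to distinct destinations on one of the ZA ports. It assumes packets have already been parsed into (src, dst, dst_port, payload_len) tuples, and the sample capture it runs on is constructed, not real traffic.

```python
# Added example (not from the original post): flag hosts whose outbound UDP
# traffic matches the ZeroAccess P2P beacon pattern described above.
from collections import defaultdict

ZA_PORTS = {15437, 16461, 16464, 16465, 16470, 16471}  # ports named in the post
ZA_PAYLOAD_LEN = 16                                     # fixed 16-byte datagrams
# Segment hints the post gives per port (64-bit/bitcoin vs 32-bit/click fraud).
SEGMENT = {16470: "64-bit/bitcoin", 16471: "64-bit/bitcoin",
           16464: "32-bit/click fraud", 16465: "32-bit/click fraud"}

def flag_zeroaccess_hosts(packets, threshold=30):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload_len) for outbound
    UDP datagrams in capture order. Returns {src_ip: (port, peers, segment)} for
    every source that sent `threshold` consecutive 16-byte datagrams to distinct
    destinations on one ZA port; any other datagram from that source resets its
    run. This is the post's heuristic, not a signature."""
    runs = defaultdict(lambda: {"port": None, "dsts": set()})
    flagged = {}
    for src, dst, dport, plen in packets:
        run = runs[src]
        matches = plen == ZA_PAYLOAD_LEN and dport in ZA_PORTS
        if not matches or (run["port"] is not None and dport != run["port"]):
            run["port"], run["dsts"] = None, set()   # run broken: start over
            if not matches:
                continue
        run["port"] = dport
        run["dsts"].add(dst)                           # only distinct peers count
        if len(run["dsts"]) >= threshold:
            flagged[src] = (dport, len(run["dsts"]), SEGMENT.get(dport, "unknown"))
    return flagged

def constructed_capture():
    """Constructed sample (not real traffic): 10.0.0.5 beacons to 32 distinct
    peers on 16471, 10.0.0.6 stops after 5 peers, 10.0.0.7 sends 40 16-byte
    datagrams to a single DNS server (wrong port, same destination)."""
    pkts = [("10.0.0.5", f"198.51.100.{i + 1}", 16471, 16) for i in range(32)]
    pkts += [("10.0.0.6", f"203.0.113.{i + 1}", 16464, 16) for i in range(5)]
    pkts += [("10.0.0.7", "8.8.8.8", 53, 16) for _ in range(40)]
    pkts.append(("10.0.0.6", "8.8.8.8", 53, 40))       # breaks .6's short run
    return pkts

if __name__ == "__main__":
    for host, (port, peers, seg) in flag_zeroaccess_hosts(constructed_capture()).items():
        print(f"{host}: {peers} distinct peers on UDP/{port} ({seg})")
```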

ZeroAccess does not use “typical” C2 servers; most of the C2 communication is done via UDP on the P2P network through obfuscated commands. Hidden in the traffic we noticed, time and again, some of the same servers: 83.133.123.20 is one of the many IPs that the infected host calls back to on UDP port 53, and it also calls 195.3.145.57 on UDP port 123.

Sirefef.EZ/Sirefef.EU and Sirefef.AE Variants have been observed using a special plugin feature to load affiliate clickservers.

The clickserver downloads a list of URLs to which the bots are redirected, and the affiliates are paid a percentage of the revenue earned or a flat rate ($.30 per infection). Clickservers can be used with many different malware infections, which sometimes makes it hard to link them to any specific malware. We have observed these clickservers being loaded by ZeroAccess/Sirefef, ZeuS, Kelihos and FakeAV malware.

To try to decipher the source of the malware from just the GET request, here is an example of a ZeroAccess GET string sent to a clickserver:

/mfg437RPPwJxdj01LjUmaWQ9YjdjYzFmM2MmYWlkPTMwMzQ4JnNpZD01Jm9zPTUuMS0zMiZmcD0wJmFkPTE=45oIlHWm6w

We can decode this string and we get the following result:

[~]#  ™ø8ß´O?qv=5.5&id=b7cc1f3c&aid=30348&sid=5&os=5.1-32&fp=0&ad=1ã”u¦

Breaking it down we can see the following:

id=b7cc1f3c (Bot identifier?)

aid=30348 (Affiliate ID presumably)

sid=5 (Site ID, possibly the advertising site ID; we noticed Voodoo and other domain parking publishers being used as part of the click fraud, which commonly seemed to lead back to the Google domain publisher program)

os=5.1-32 (Stands for Windows NT 5.1, which is Windows XP; the 32 means a 32-bit OS)
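The decoding walked through above, as an added Python example (not the post's own tooling): it locates the base64 body inside the padded request path, decodes it and labels the fields the post identifies. It assumes, as every sample on this page shows, that the base64 body ends in '=' padding and that the decoded query begins with "v="; the NT-version names are an assumption beyond the page's single 5.1 mapping.

```python
# Added example (not the post's tooling): recover the affiliate parameters
# from a ZeroAccess clickserver request path of the shape shown above.
import base64
from urllib.parse import parse_qs, urlparse

# NT version -> product name; the post gives 5.1 = XP, 6.1 = Windows 7 is added.
NT_NAMES = {"5.1": "Windows XP", "6.1": "Windows 7"}

def extract_click_params(url_or_path):
    """The observed paths wrap a base64 query string ('v=...&id=...&aid=...')
    in random-looking alphanumeric padding on both sides. Assumption (true of
    every sample above): the base64 body ends in '=' padding, so its end is the
    last '=' in the path; its start is found by trying each 4-aligned offset
    until the decoded bytes are printable ASCII beginning with 'v='."""
    path = urlparse(url_or_path).path.lstrip("/")
    end = path.rfind("=") + 1
    if end == 0:
        raise ValueError("no base64 padding found; layout not recognised")
    for start in range(end % 4, end, 4):
        try:
            raw = base64.b64decode(path[start:end], validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw.startswith(b"v=") and all(32 <= b < 127 for b in raw):
            return {k: v[0] for k, v in parse_qs(raw.decode("ascii")).items()}
    raise ValueError("no decodable query segment found")

def describe(params):
    """Label the fields the post identifies (bot id, affiliate id, site id,
    OS version/architecture) for an analyst's report."""
    nt, _, bits = params.get("os", "").partition("-")
    return {"bot_id": params.get("id"), "affiliate_id": params.get("aid"),
            "site_id": params.get("sid"),
            "os": f"{NT_NAMES.get(nt, 'Windows NT ' + nt)} {bits}-bit"}

if __name__ == "__main__":
    # Sample path taken from the post above.
    sample = "/mfg437RPPwJxdj01LjUmaWQ9YjdjYzFmM2MmYWlkPTMwMzQ4JnNpZD01Jm9zPTUuMS0zMiZmcD0wJmFkPTE=45oIlHWm6w"
    print(describe(extract_click_params(sample)))
```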

Here are some clickserver links we pulled from traffic logs of different ZA/Sirefef variant infections over time:

http://217.23.9.139/CsxI66RhMCKfdj01LjUmaWQ9OWNhNTVjZmImYWlkPTMwNDIxJnNpZD0xJm9zPTUuMS0zMiZmcD0wJmFkPTE=54YIlc4z8m

ÌHë¤a0″Ÿv=5.5&id=9ca55cfb&aid=30421&sid=1&os=5.1-32&fp=0&ad=1ç

http://217.23.9.139/ihfe56JEKkfxdj01LjUmaWQ9MmQ3M2NmODcmYWlkPTMwNDIxJnNpZD0yJm9zPTUuMS0zMiZmcD0wJmFkPTE=14UvHcyz8w

ŠÞç¢D*Gñv=5.5&id=2d73cf87&aid=30421&sid=2&os=5.1-32&fp=0&ad=1×…/̳ó

http://217.23.9.139/2faW34Hhhw1Fdj01LjUmaWQ9MmQ3M2NmODcmYWlkPTMwNDIxJnNpZD0yJm9zPTUuMS0zMiZmcD0wJmFkPTE=45xYlu2c7S

Ev=5.5&id=2d73cf87&aid=30421&sid=2&os=5.1-32&fp=0&ad=1

http://217.23.9.139/Axfp58ZMMZCMdj01LjImaWQ9NzMyMTcwN2MmYWlkPTMwNDk0JnNpZD0wJm9zPTUuMS0zMiZmcD0wJmFkPTE=46ovfcvf5c

v=5.2&id=7321707c&aid=30494&sid=0&os=5.1-32&fp=0&ad=1

———————


Other known ZeroAccess/Sirefef callbacks and activities:

ZeroAccess.B/Sirefef.P – Last Seen: 8-17-12 (UDP/16471 Beacon)

HTTP requests…
URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31151618
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)
DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.35.82)
TCP connections…
208.91.207.10:80
213.108.252.185:80
68.97.87.253:16471
UDP communications…
8.8.8.8:53
83.133.123.20:53
117.254.254.254:16471

ZeroAccess.P/SireFef.EW - Last Seen: 8-17-12 (UDP/16464 Beacon)

URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=1&digits=10&siteId=554
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=2&digits=10&siteId=675
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=3&digits=10&siteId=685
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=4&digits=10&siteId=555
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)
TCP connections…
208.91.207.10:80
213.108.252.185:80
99.230.4.251:16464
76.173.180.248:16464
UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53 (Google DNS)
194.50.116.54:53
66.85.130.234:53

ZeroAccess.FN/Sirefef.M - Last Seen: 8-15-12 (UDP/16471 Beacon)

URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31236608
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=2&digits=10&siteId=31236729
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=3&digits=10&siteId=31236739
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=4&digits=10&siteId=31236609
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=5&digits=10&siteId=31236628
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TYPE: GET
UA:   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)

URL:  http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TYPE: GET
UA:   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)

URL:  http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_cab_ax_sgn.z
TYPE: GET
UA:   Flash Player Seed/3.0
DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.39.20)
fpdownload.macromedia.com (2.18.34.70)
fpdownload2.macromedia.com (77.67.27.27)
TCP connections…
208.91.207.10:80
213.108.252.185:80
67.184.54.251:16471
2.18.66.70:80
80.239.221.41:80
2.18.34.70:80
UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53
83.133.123.20:53
67.184.54.251:16471
195.3.145.57:123

ZeroAccess.ER/Sirefef.P – Last Seen: 6-28-12 – (UDP/16471 Beaconing)

URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://livecounter.co/count.php?id=31186432&c=1&d=7&s=0
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)
DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.69.99)
TCP connections…
208.91.207.10:80
184.172.204.122:80
69.244.121.249:16471
UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53
83.133.123.20:53
69.244.121.249:16471
195.3.145.57:123

ZAccess.CV Last Seen: 3-22-2012 - Infected host beaconing to port 16470

------

On August 13th, 2012 the students of two major East Coast, USA universities were back in session, and network admins were simply not prepared for what the students had brought onto their networks. They reported over 850 different student computers all beaconing at the same time, making the universities participants in the ZeroAccess peer botnet. The total bandwidth reportedly consumed by the ZeroAccess botnet at these two campuses within 24 hours was 1.59 Terabits!

——-


Last month I attended an event at the Brookings Institute about the Air-Sea Battle concept, which I mentioned in China’s High-Tech Military Threat and Air Sea Battle yesterday. A good companion to the briefing is the article Air-Sea Battle: Promoting Stability in an Era of Uncertainty, published in February in the journal The American Interest. In that article, General Norton A. Schwartz, USAF, and Admiral Jonathan W. Greenert, USN, write:


When Secretary of Defense Leon Panetta introduced the new strategic guidance for the Department of Defense, he stated that the “smaller and leaner” Joint Force of the future must be prepared, in conjunction with allies and partners, to confront and defeat aggressors anywhere in the world, “including those seeking to deny our power projection.”

The new strategic guidance directs U.S. forces to maintain the “ability to project power in areas in which our access and freedom to operate is challenged” and to be “capable of deterring and defeating aggression by any potential adversary…

With Air-Sea Battle, we are reinvigorating the historic partnership between our two departments to protect the freedom of the commons and ensure operational access for the Joint Force.

Air-Sea Battle provides the concepts, capabilities and investments needed to overcome the challenges posed by emerging threats to access like ballistic and cruise missiles, advanced submarines and fighters, electronic warfare and mines…

Air-Sea Battle relies on highly integrated and tightly coordinated operations across warfighting domains—for example, using cyber methodologies to defeat threats to aircraft, or using aircraft to defeat threats on and under the sea.

During the Brookings event, the General and the Admiral were careful not to mention China at all. In fact, I checked the transcript and didn’t read either of them saying that word, although reporters asked them about China.

I don’t have a problem with that, although I think it’s a little disingenuous. The remainder of the American Interest article explains a variety of so-called A2AD scenarios, while also never saying “China.” It does mention Iran, however.

Article source: http://taosecurity.blogspot.com/2012/07/thoughts-on-air-sea-battle-briefing-at.html
