2013-04-20

We all know what happened in the US recently; it is a very sad and unfortunate situation. People died in those events, and the malware scum used them as an opportunity. We just can't tolerate that. Dropping our previous tasks, we started to investigate this infection right away. With the good help of all members, the first draft was posted within 14 hours.

The point of this post is to expose the malware components used in this campaign (in this case the RedKit Exploit Kit infector and the Kelihos botnet malware) and the network they use before and after infection, for dismantling purposes. Information will be added frequently, since the deeper investigation to mitigate the overall malicious scheme is still ongoing; please bear with us, as some details just cannot be published yet.

To make things clear: this is the pilot analysis of the current mass infection, and there is a lot of variation in the RedKit redirector URLs (the ones matching the regex [a-z]{4}\.html), the JARs (same logic, but the binary downloads match a different regex, [0-9]{2}\.html, e.g. 42.html), the Kelihos downloaders (the ones that download newbos3.exe, using a URL hard-coded in the binary), and the range of new botnet nodes used (the flux is still growing and changing right now). So what has been written here is not everything! There is more of this bad stuff online right now, so if you can (researchers, law enforcement and the AV industry), please use this post as a lead to dig and nail deeper. Please also bear with me for the regular updates and several "additionals". I will post

All samples and captured data are shared, as usual, at the bottom of this post, as soon as I get time to re-organize my stuff.
OK, here we go..

NEW UPDATES: | Date: Thu Apr 25 22:14:39 JST 2013
We proceeded with the TANGO-DOWN of the .RU domains used to distribute the main Kelihos Trojan.
Today's suspended domains in total: 103 domains (in progress: 0)
Thanks to CERT-GIB for the good cooperation in dismantling the "bullet-proof" registrar used.
The list of #TangoDown results is updated regularly at this link-->>[HERE]
You can participate by informing us of more .RU domains serving the Kelihos Trojan (newboss*.exe)
Be sure to check the list beforehand to make sure the domain is still ALIVE.
These .RU domains are one or two steps ahead of the CnC, #TOBENAIL further.

Big picture of current infection

#MalwareMustDie - Big Picture of the current #Kelihos Family infection components - Use this pic for your purpose. twitter.com/MalwareMustDie…

— Malware Crusaders (@MalwareMustDie) April 20, 2013

Samples used for analysis:


Source of infection

RedKit Exploit Kit was used in this scheme; the crocodiles finally came to the surface for the chance to perform a mass hit at a time like this.
You'll see the front infector in spam with the rules below:

We can find it in spam emails, as I tweeted previously:


Every "decent" researcher worked together, doing a great job putting the infector URLs into URLquery.
You can see them here: [1] [2] [3], or the newly listed IP addresses used for the spam landing pages (thanks to Conrad Longmore) here -->>[PASTEBIN], and also a NEW round of URL downloaders of the Kelihos "Momma" Trojan (newboss*.exe series) here-->>[PASTEBIN] (thanks to @nyxbone)

I took the first pattern of the URLquery-posted URLs above, in unique IPs, as the "analysis sample":

At random I took one infector:

..to find the HTML code below:

See the link leading to wesq.html; that implies the RedKit pattern of infection..
If this is RedKit, we're dealing with something server-side, so don't trust just one access; tested again to find... let's see↓

It changed into oesr.html; smells bad, like RedKit.
Can't stop myself from trying a 3rd time:

And another one..

Latest spotted by @it4sec (with thanks, friend!):

One more spotted by @itsuugo (thanks!):

Via the browser, the page looks like this at the iframe part of the code:

↑The "Unexpected error" message is fake, so the user will think the video is inaccessible, BUT! if we actually follow the trail of code to the target of the IFRAME we find the malicious code executed in the background; let's call this the 2nd-layer infector, see below:

↑There it is: our fake "Unexpected Error" code is a trick to make people wait and watch another video while in the background the JAR exploit infector is called into action. Upon success it briefly shows the Java icon in that spot, which the user will take as the movie starting to play..
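To turn the two URL shapes above (the four-letter landing page behind the hidden iframe, and the two-digit "html" that is really a PE) into something you can run over captured pages, here is an added example of my own; it is not code from the post, the kit or the JAR. The HTML is constructed to mimic the fake "Unexpected error" video page, the hostnames are placeholders, and anchoring the regexes on the whole URL path is my assumption about how tight the match should be:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# RedKit URL shapes described in this post. Assumption: match the whole path,
# so /wesq.html and /42.html hit but /video/wesq.html or /abcde.html do not.
REDKIT_LANDING = re.compile(r"^/[a-z]{4}\.html$")   # redirector / applet page (wesq.html, oesr.html)
REDKIT_PAYLOAD = re.compile(r"^/[0-9]{2}\.html$")   # binary served as .html (42.html)


class IframeCollector(HTMLParser):
    """Collect the src of every <iframe>, noting whether it is visually hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            a = dict(attrs)
            self.iframes.append({"src": a.get("src") or "", "hidden": self._is_hidden(a)})

    @staticmethod
    def _is_hidden(a):
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style


def classify_url(url):
    """Return 'redkit-landing', 'redkit-payload' or None for one URL."""
    path = urlsplit(url).path
    if REDKIT_LANDING.match(path):
        return "redkit-landing"
    if REDKIT_PAYLOAD.match(path):
        return "redkit-payload"
    return None


def find_redkit_iframes(html):
    """Parse a page and return the iframes whose target looks like a RedKit URL."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        kind = classify_url(frame["src"])
        if kind:
            hits.append({"src": frame["src"], "kind": kind, "hidden": frame["hidden"]})
    return hits


# Constructed sample page (placeholder hosts, not a real capture): a fake error
# message, a hidden 1x1 iframe to a four-letter .html, and a benign visible iframe.
SAMPLE_PAGE = """<html><body>
<div id="player">Unexpected error</div>
<iframe src="http://compromised-site.invalid/wesq.html" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://video-host.invalid/embed/clip.html" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_redkit_iframes(SAMPLE_PAGE):
        print(hit)
```

A four-letter .html path on its own is a weak signal; what makes it RedKit is the combination seen above: the iframe is hidden, the name changes between fetches of the same page (wesq.html, then oesr.html), and a successful hit is followed by a request for a two-digit .html that is really a PE. Feed repeated fetches of a suspect page through `find_redkit_iframes` and compare the srcs rather than trusting a single visit.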

To be noted, all of these redirections occurred as a result of RedKit Exploit Kit infected sites. One of our team explained in detail the impact on the server side, which files were spotted and the obfuscation used, as follows:

#MalwareMustDie - @stopmalvertisin exposed Boston/Texas Scams on #RedKit's hacked server side x90.es/6Na twitter.com/MalwareMustDie…

— Malware Crusaders (@MalwareMustDie) April 23, 2013

Back to the main story. Let's see the hard evidence: the downloaded JAR is described in the following PCAP snapshots.

The first access recorded:
Looking deeper, I downloaded the JAR that the first IFRAME redirection scenario mentioned above delivers:

While the second example leads to the same JAR:

Snapshot as proof:

The code inside the JAR looks like this -->>[PASTEBIN]

Our analysis of this JAR proves the exploit, the download link and the infection action, as below:
1. Exploit info: CVE-2012-1723 + AES crypto + obfuscated strings for the variable values.
2. The point is to download ./42.html, save it locally as an .exe file and run it via WinExec.
3. In this case (the 2nd one) the URL is h00p://balimaps.net/42.html (a binary file) and the saved file is xywewey.exe

@Cephurs of our #CrackTeam, with help from @rjacksix and @EricOpdyke, simplified the variables as per the tweet below:

@malwaremustdie did a few replaces, a little cleaner: pastebin.com/FdQNHJmn @ericopdyke @rjacksix

— WT4N6 (@Cephurs) April 20, 2013

And found an interesting puzzle in the JAR that leads to a Twitter account:

While @rjacksix decoded the other JAR's cipher to expose the download URL written in the applet link/code:

@malwaremustdie dc406.com/component/cont… #Malwaremustdie @cephurs cracking the Kelihos URL code

— Robin Jackson (@rjacksix) April 21, 2013

Proof of the 1st time the malware was downloaded via RedKit:

↑At this moment the infection has just started.

The infection

Snapshots upon infection:

The process is as simple as the snapshots above: upon successful exploitation, Java saves the downloaded binary and runs it. That binary is usually %n%n.html (actually a PE file) saved as [random].exe (the name depends on the obfuscation logic); it then downloads and runs the Kelihos botnet installer, runs the client under the name Temp%n%n.exe, and starts the capture interface as [random].exe.

If the browser is closed, the Java parent processes are stopped (successfully or not.. in my case Dr. Watson was kicked up), and the Kelihos botnet client trojan keeps running after injecting itself into another PID, as below:

You'll see the malware files, as in the picture below, saved in the %temp% directory:

While the Kelihos trojan/botnet client is saved in C:\Windows\Temp
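The process chain described in this section (Java writing and launching an .exe from the user's %temp%, then Temp%n%n.exe appearing in C:\Windows\Temp) is easy to hunt for in recorded process-creation events. Below is an added example of mine, not code or output from the post; the events are constructed to have the shape of that chain, and the pids, paths and file names in them are placeholders, not the real samples:

```python
import re

# Stage markers for the chain described in the post. Assumption: the exploited
# plugin is java.exe/javaw.exe and the first payload lands under the user's Temp.
JAVA = re.compile(r"\\javaw?\.exe$", re.I)
USER_TEMP_EXE = re.compile(r"\\(?:Local Settings\\Temp|AppData\\Local\\Temp)\\[^\\]+\.exe$", re.I)
WINDOWS_TEMP_CLIENT = re.compile(r"^C:\\windows\\temp\\temp\d{2}\.exe$", re.I)   # Temp%n%n.exe


def ancestors(by_pid, pid, limit=16):
    """Walk from pid up the parent chain, returning the event dicts in order."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events):
    """Return (rule, pid) pairs for processes matching the RedKit -> Kelihos chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Stage 1: Java spawns a PE that was written to the user's %temp%.
        if parent and JAVA.search(parent["image"]) and USER_TEMP_EXE.search(e["image"]):
            hits.append(("java-dropped-exe", e["pid"]))
        # Stage 2: Temp%n%n.exe in C:\Windows\Temp; stronger if its lineage goes back to Java.
        if WINDOWS_TEMP_CLIENT.match(e["image"]):
            lineage = ancestors(by_pid, e["pid"])
            if any(JAVA.search(a["image"]) for a in lineage[1:]):
                hits.append(("kelihos-client-from-java", e["pid"]))
            else:
                hits.append(("kelihos-client-name-only", e["pid"]))
    return hits


# Constructed process-creation events (placeholder pids/paths, not the post's snapshots).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Java\jre6\bin\java.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Documents and Settings\user\Local Settings\Temp\xywewey.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\WINDOWS\Temp\Temp42.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\WINDOWS\Temp\hqzkdp.exe"},
    {"pid": 600, "ppid": 1,   "image": r"C:\WINDOWS\system32\svchost.exe"},
]

if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(rule, pid)
```

Run this over recorded events (Sysmon event 1 or Security 4688 exported to the same dict shape), not over a live process list: as noted just below, once the browser is closed the Java parent dies and the client re-injects into another PID, so the lineage only survives in the log.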

The cmd command used to run the trojan is:

The Callbacks
At first, the downloader connected to the host detailed below via HTTP:

And in its binary was planted the download source of the "Momma" Kelihos:

Going back to the PCAP result, it is proven to perform the download of the Kelihos trojan:

To be reproduced:

The second attempt used a different malware host, same "Momma" Kelihos:

Log↓

This shows that each downloader points to SEVERAL .RU download servers to get the "Momma" Kelihos :-)

Let's take a look at the capture trojan used :-)
Simple reversing reveals the callback CnC info:

The PoC in PCAP is:

↑This communication shows the attempt to infect the victim's PC with another Trojan; other reports, like the good write-up here-->>[LINK], mention that these URLs are for downloading the Trojan PWS Win32/Fareit (thanks to the eternal-todo.com blogger for the information).
I just realized now: Wed Apr 24 12:28:56 JST 2013, these URLs are UP and ALIVE!

Moving on..↓there is also data sent as the PING and PONG between Kelihos botnet network nodes:

This "capture" trojan uses the NPF driver through libpcap (i.e. WinPcap) to record internet traffic; below is my memory capture of the capture process in progress, as a log:

For the callbacks "Temp%n%n.exe" made to the botnet, you won't imagine the number of connections. Snapshots are in the two pictures below:

In these communications the binary responsible is Temp%n%n.exe; interestingly, every HTTP connection was made with a different user-agent. So I dug into the binary further and found the list of user agents used by Temp%n%n.exe (Kelihos botnet trojan) to communicate with the other botnet hosts, as follows:
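One host that changes its User-Agent on every HTTP request is unusual enough to be worth a rule on the proxy. Here is an added example of mine for exactly that (not code from the post, and the user-agent strings in it are constructed, not the list pulled from the binary): it parses proxy log lines of a simple constructed format, `<ISO timestamp> <client ip> <method> <url> "<user-agent>"`, and reports clients that present at least four distinct User-Agents inside any 60-second window. Both the format and the thresholds are my assumptions:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse(log):
    """Parse the constructed log format into (timestamp, client, url, user_agent) tuples."""
    reqs = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue            # skip blank / malformed lines instead of failing the run
        ts, client, _method, url, ua = m.groups()
        reqs.append((datetime.fromisoformat(ts), client, url, ua))
    return reqs


def ua_churn(reqs, window=timedelta(seconds=60), min_distinct=4):
    """Per client, the peak number of distinct User-Agents seen inside any sliding window.

    Returns {client: peak} for clients whose peak reaches min_distinct.
    """
    by_client = defaultdict(list)
    for ts, client, _url, ua in reqs:
        by_client[client].append((ts, ua))
    flagged = {}
    for client, items in by_client.items():
        items.sort()
        counts, left, peak = Counter(), 0, 0
        for ts, ua in items:
            counts[ua] += 1
            # slide the left edge forward until the window fits
            while ts - items[left][0] > window:
                old = items[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_distinct:
            flagged[client] = peak
    return flagged


# Constructed proxy log (placeholder hosts and made-up agent strings, not the post's PCAP):
# 10.0.0.5 rotates its agent on every request like the bot; 10.0.0.7 is a normal browser.
SAMPLE_LOG = """\
2013-04-20T10:00:01 10.0.0.5 GET http://203.0.113.10/ "Mozilla/5.0 (Windows NT 5.1) Firefox/20.0"
2013-04-20T10:00:03 10.0.0.5 GET http://203.0.113.11/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-04-20T10:00:05 10.0.0.5 GET http://203.0.113.12/ "Opera/9.80 (Windows NT 5.1) Presto/2.12"
2013-04-20T10:00:07 10.0.0.5 GET http://203.0.113.13/ "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"
2013-04-20T10:00:09 10.0.0.5 GET http://203.0.113.14/ "Mozilla/5.0 (Windows NT 5.1) Safari/537.31"
2013-04-20T10:05:00 10.0.0.5 GET http://203.0.113.15/ "Mozilla/5.0 (Windows NT 5.1) Firefox/19.0"
2013-04-20T10:00:02 10.0.0.7 GET http://example.invalid/a "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
2013-04-20T10:00:04 10.0.0.7 GET http://example.invalid/b "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
2013-04-20T10:00:06 10.0.0.7 GET http://example.invalid/c "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
2013-04-20T10:00:08 10.0.0.7 GET http://example.invalid/d "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
"""

if __name__ == "__main__":
    print(ua_churn(parse(SAMPLE_LOG)))
```

The sliding window matters: the sixth request from 10.0.0.5 five minutes later is a new agent too, but it falls outside the window, so the peak stays at five rather than six. Tune `min_distinct` against your own environment first; a host running several applications (a browser, an updater, a mail client) legitimately presents a few different agents, so the signal is the churn on every request, not the mere presence of more than one.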

To find the CnC of the botnet used, I used a special method to grab all of the calls this botnet made; I posted them all here (the TCP ones) -->>[PASTEBIN]
The botnet client sent tons of UDP communications too; I counted more than 50,900 callbacks made to many different IPs. Anyway, I will share the PCAP of my research; I can't list all of these IPs so soon. Below is the snapshot:

The fully recorded process of this botnet client trojan is here -->>[HERE]

Reversing the binary further, I found the method used by the Kelihos botnet client to communicate with the packet capture interface:

by using the libpcap library.

What has been stolen this time?

I'll keep it short: I reversed the botnet binary and found a lot of information, explained below.

The credentials targeted are mostly FTP accounts, plus browser-saved passwords and remote access logins:

The POST traffic sent some data; in the 1st case I split it into 3 groups:

↑The first group was calling the Kelihos bot-infected web server; a bit suspicious-looking communication.

The second and third were asking to download malware; the second returned 404 and the third downloaded a more important malware component: the Kelihos botnet configuration file.

The Botnet Function

The same reversing told us about this information planted in the Temp%n%n.exe binary. Mail/SMTP data sender functionality:

HTTP headers used for botnet requests:

HTTP/Bot Services

Domains, ID & Network Information

Below are the suspicious domains used in this series that I can positively verdict so far: the first two are the source of the installer (Kelihos Momma) and the config domains, and the last one is used in spam as the expected REPLY_TO. I won't point at Russians, since the strings, variable names and filenames suggest the bad actors reside in Eastern Europe, with a Slavic to Central Asian culture, but AGAIN, Russian .RU domains were used for the important parts of this infection; please take note of this (To: .RU TLD authority!).

From the unique infector IPs listed in URLquery and at the beginning of this post, plus the information from fellow US research group SANS here-->>[Link] and our comrade Dynamoo's blog here-->>[Link] and-->>[HERE], below is the TOP ranking of countries hosting the infectors used in spam (first-level infection):

While the second infectors (RedKit EK-infected sites) are spread across countries around the globe, on hosts under VPS/hosting services that got hacked (leaked FTP accounts strongly suspected).

Additionally, our friends during this analysis event suggested very good data on this infection's flux, as per the tweets below:

Momma Kelihos infectors (fastflux network) /cc @malwaremustdie @rjacksix twitter.com/jgouv/status/3…

— João Gouveia (@jgouv) April 20, 2013

Ooops, need to correct my previous Kelihos size estimate. Make that 250K IPs.

— hugbomb (@hugbomb) April 21, 2013

Samples & Research Material

To be shared and exposed "ALL" soon, after fixing my environment back to normal.
In the meantime please just block the necessary malware network data (domains and/or IPs) exposed in the post above. PS: Many infected PCs are functioning as bots here, so please be careful when executing IP blocks/sinkholes; dismantling efforts should be aimed at the motherships only, not at the bots.

The samples and research materials are as per the list below

With the below hashes:

Additional new infections spotted by crusaders:

Malware sites to block 22/4/13 blog.dynamoo.com/2013/04/malwar…

— Conrad Longmore (@ConradLongmore) April 22, 2013

"Video of Explosion at the Boston Marathon 2013" REDKIT infection pastebin.com/raw.php?i=Sx0P… #MalwareMustDie !!

— Alberto Ortega (@a0rtega) April 17, 2013

URL list of infected pages, that participate in current #Redkit attack pastebin.com/raw.php?i=1VB6… cc: @rjacksix

— Denis Laskov (@it4sec) April 20, 2013

#MalwareMustDie - If see video page w/source like PIC.Access differently 3-4 times & see RedKit url changed, infm us. twitter.com/MalwareMustDie…

— Malware Crusaders (@MalwareMustDie) April 21, 2013

@malwaremustdie, source was spam with link to hxxp://182.235.147.164/texas.html, I hope i can explain it better here pastebin.com/guLaHSQW

— Itsuugo (@Itsuugo) April 21, 2013

@malwaremustdie Some more links used in the Boston/Texas themed RedKit EK attack: pastebin.com/gE1sx7wTcc @unixfreaxjp #malware

— Bart (@bartblaze) April 22, 2013
