Disclosure of an interesting Botnet - The Server (Part 2)

So let's try to shed light onto the C&C server.

At first I want again to thank Chae Jong Bin! With his brief network analysis of this botnet, he gave me a solid background.

The first thing you realize when visiting http://xlamzju-lrychj.info is directory listing was activated. This gives us the chance to explore files and folders.
There are a lot of PHP Scripts, 3 .dat files and 3 subfolders.

Figure 1: Directory Listing of ".com/.info" unit

The 3 .dat files are PHP sourcecode files from the "Zemra DDoS Bot". Maybe they were modified and then reused for own Bot. I compared the files to the leaked version of Zemra DDoS Bot and they look slightly different. Also I don't see any other PHP files of Zemra DDos Bot, thus my assumption.
If we look into the "mpk" subdirectory, we see it is empty. The "mpk1" subdirectory contains a huge amount of <MD5 hash>.dat files (~100.000 files - 900 MB). Every file contains data in the following form:

"<date> <time> <Window Caption> <File Path of Program>"
"...<keylogged data>..."

"<date> <time> <Window Caption> <File Path of Program>"
"...<keylogged data>..."
...

Obviously these files were created and uploaded from the botnet zombies. What also immediately catches someone's eye is the fact that all data is cyrillic. This indicates the botnet only operates in Russian Federation and neighboring states.
The "put" subdirectory contains also several .dat files with the MD5 hash as their names. If we take a deeper look into these files (Hex Editor), we can recognize them as images, PE files and a single Word document:

Figure 2: Content of "put" subdirectory

0fe09b2733fe1ad6d59ef00ea6239f5a.dat -> JPEG Image (.jpg)
1ba1ea696e4ce62ba452f92e96a1a90b.dat -> JPEG Image (.jpg)
1d3b430df78a7a6cd846724069727bf5.dat -> Portable Executable (.exe)
2c6f48f42100ae6bff485415645b781d.dat -> Portable Executable (.exe)
8ae36fcc162566b7af488d0bfe6c15d5.dat -> Portable Executable (.exe)
8dead72ce572910ffb9db6d00fef872b.dat -> JPEG Image (.jpg)
9de4979f47162326c21940b2346bd7ec.dat -> Portable Executable (.exe)
565fb79dd2e5fdfa9c3f5cc40461012f.dat -> Portable Executable (.exe)
5544d3a4b0498abade8719f621c8bf2d.dat -> Portable Executable (.exe)
56287bbdde532541935a67f89e30c5d3.dat -> Portable Executable (.exe)
57591ce6d15c041c30c982d259046bd9.dat -> JPEG Image (.jpg)
add8743c7fb4e3cbcf90ab3b2966e6e3.dat -> JPEG Image (.jpg)
baad12535a31bce2b8f83304c13f1258.dat -> Portable Executable (.exe)
c859f84c276f0d20e7e85f091f7618e9.dat -> JPEG Image (.jpg)
ca46f4f7f7dfcb38095b55a4d4586ee5.dat -> Word Document (.docx)
e4d70061c2b981907f02bf1a865b160c.dat -> JPEG Image (.jpg)
e84410a9dda0abf04d80a4007ba7f980.dat -> Portable Executable (.exe)
f6ba5b1a196cd8d1a45c82810b810539.dat -> JPEG Image (.jpg)
f8510343b721c6971091f52a0fb60c7c.dat -> JPEG Image (.jpg)
fc6180cf861e93a6dfdf83f5d918a686.dat -> JPEG Image (.jpg)

The image files show a young girl with long black hair and white skin. The Word document is a résumé from a russian speaking girl, maybe the same as we see in the pictures. I haven't analyzed the PE files in detail yet, but some of them seem legit programs while other clearly are malicious.

So after I had analyzed the content of the domain xlamzju-lrychj.info, I was curious if any of the PE files are already known to AntiVirus databases. A search on Virustotal (now part of Google) showed me the MD5 hashes of the suspicious files were unknown and thus probably undetected from most AVs. I also did a quick search on Google, suprisingly the result was another domain name which pointed to the same server with the exact same directory listing -> http://mapbo-jragnrw.info
Another search on Google, this time with the MD5 hash of the Word document, also gave me a domain name which pointed to this server -> http://aodpcm-foub.com
Obviously there are more domain names which all point to the same server, but let's see what else we can obtain...

Thereafter I did a Whois search with domain "xlamzju-lrychj.info":

"Domain ID:D44540674-LRMS
Domain Name:XLAMZJU-LRYCHJ.INFO
Created On:16-Dec-2011 12:44:36 UTC
Last Updated On:11-Apr-2012 13:50:05 UTC
Expiration Date:16-Dec-2012 12:44:36 UTC
Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Nobby Beach
Registrant State/Province:
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:contact@privacyprotect.org
..."

Because the identity is protected I switched to the panel "Server Stats", which gave me the following interesting information:

"Server Type: Apache/2.2.16 (Debian)
IP Address: 91.233.244.102
ASN: AS57636
IP Location: Russian Federation - Russian Federation - Olborg Ltd.
Response Code: 200
Domain Status: Registered And Active Website"

A search for the String "Olborg Ltd." didn't result in any interesting findings, beside some malware information sites. The search for the IP address of the server (91.233.244.102) lead to a more interesting source of information. Note that this service only tracks top-level domains ".com", ".org" and ".info":

http://bgp.he.net/net/91.233.244.0/23#_whois
http://bgp.he.net/net/91.233.244.0/23#_dns

The Whois information is probably fake, otherwise the server owner would be pretty dumb, but who knows...
As you can see on DNS register "Olborg Ltd." owns two other IP addresses (91.233.244.103, 91.233.244.106) with additional domain names, but that's not part of this analysis.

On 91.233.244.103 all domain names with a "-" between the two random strings and with top-level domains ".com" and ".info" lead to the directory listing you can see in Figure 1. The 2 domain names with top-level domains ".org" are different than the rest, because they end up on an other directory listing. If we search on Google for the string "bn_login.php", we find some additional domain names with top-level domain ".in". These again have another directory listing than the other top-level domains. As we see later the botnet owner logically seperated the botnet into 3 different units:

1) top-level domains ".com" + "info"
2) top-level domain ".org"
3) top-level domain ".in"

The complete list is as follows:

http://aodpcm-foub.com
http://aodpcm-foubfkmp.info
http://cqfreoz-qwdhmor.com
http://cqfreoz-qwd.info
http://drgsfp-irxei.com
http://ftiuhrc-tzgk.info
http://kynzmwh-yelpu.com
http://kynzmwh-y.info
http://mapbo-jra.com
http://mapbo-jragnrw.info
http://thwiv-qyhnuydf.info
http://vjykxh-ajp.info
http://vjykxh-ajpwafh.com
http://vogxnkg-vgqz.in
http://xlamzju-lr.com
http://xlamzju-lrychj.info
---
http://eaxrm-xnesh.org
http://iebvqib-iwl.org
---
http://dwofvs-jdoyhpe.in
http://fyqhxu-lfq.in
http://kdvmczv-k.in
http://vogxnkg-vgqz.in
http://yrjaq-jeyjtckzn.in

If we take a look at the directory listing of the ".in" unit we again see some PHP files, a "mpk" subfolder (empty) and a "k" subfolder. The "k" subfolder contains also some PHP files, the Botnet binary "telnet.exe", a subfolder named "mpk" (empty) and a subfolder which contains information of every Bot ("data").

If we look at the directory listing of the ".org" unit we see there are again a number of PHP files, a "maps" subdirectory and an interesting file named "termuser2.tar.gz". :-P
The maps subdirectory contains an IP geolocation service (https://www.maxmind.com/app/geolite). But the most interesting file is "termuser2.tar.gz" which contains the source code of the PHP files:

bn_city.php
bn_city2.php
bn_city3.php
bn_common.php
bn_config.php
bn_enum.php
bn_import.php
bn_install.php
bn_log.php
bn_login.php
bn_stat.php
bn_task.php
error.php
export.php == giper.php == giper3.php == krez.php == vovka.php == wipenew.php == wp-login.php == xtfg.php == zalupko.php == zalupok.php

Many of these files are the same and were just renamed, one for each bot executable to contact to. What particularly is of interest to us is the file "bn_config.php", because it contains the username and password of the webpanel named "bn_login.php". If we take a look into it we see the login name is "botnet" and the password is "kukuruku500". The username and password are valid for all the above mentioned top-level domains (.com, .info, .org, .in). After logging into one of the domains we see the following overview:

Figure 3: Overview of the Botnet zombies

Figure 4: Geolocation of the Botnet zombies (works only in ".org" unit)

Figure 5: Botnet statistics (+ existing Bot versions)

Figure 6: Additional data of a Bot zombie

So let's pick up the interesting information (numbers are at time of this writing):

1) The Map (Figure 4)
It shows the vast majority of infections are in Russian Federation, some in Europe, some in Middle East and even one in Australia

2) Statistics (Figure 5)
If we take a look at the statistics we see the several Bot versions counted. It goes from early version of "2.1.20" to version "4.3.5". Most of the infections by Bot version:
".com/.info" unit - version "3.4.17" (1122 counts)
".in" unit - version "4.2.6" (103 counts)
".org" unit - version "4.3.4" (1301 counts)

And if we look at the dates by registration the peaks are:
".com/.info" unit - 2012-04-20 (870 counts)
".in" unit - 2012-04-23 (177 counts)
".org" unit - 2012-05-04 (216 counts)

3) Total Bots (Figure 3)
If we add up the total Bot numbers from ".com/info", ".in" and ".org" units we have: 2310 + 499 + 1383 = 4192 Bots
The Bots payload (telnet.exe) is still being spread, so the numbers may increase in future.

4) Overview (Figure 3)
Here we see the MD5 hash of every single Bot, the registration time, the current status, the IP address at registration time, which domain/URL was contacted, ...
What's interesting is the current status of the Bots. If we take a look into the sourcecode of the file "bn_enum.php" we can see if the IP is in red it means the Bot contacted the server less than 10 minutes ago, if gray the contact time is longer than 1 hour and black means the time in between. So we see this botnet or part of it is still alive.

5) Additional Bot information (Figure 6)
If we click on one of the Bot's MD5 hash we can see additional information such as the OS version the Bot is running on, the local IP address, the remote IP adresses, the local keyboard layout, the logged in user account, ...
The table on the right side shows the logged data (Window caption, keylogged data) as described at the beginning (see folder "mpk1"), anyway the links don't work anymore.

That's all on the server side. What is a bit strange is the server 91.233.244.102 looks orphaned, because we learned from Part 1 of this analysis that the PHP Scripts aren't responding properly. If we take a look at the other domain names (the ones without a "-"), except 2 of them all other show a blank page. The 2 domain names I refer two show me the string "ZEUS SINKHOLE" (http://ylbaugjnfutivfupbojcybabmrax.com and http://hhmsobscuoxgqwkhtugpnr.com), thus indicating they were used for infamous "Zeus Bot" and are now under control of AV guys.


So to sum up a bit:
- The botnet owner(s) probably is/are from russian federation, because of only cyrillic collected data
- The botnet is divided into 3 units (".com/.info", ".in" and ".org" domain names)
- The domains and the modification dates of the files on server indicate there was a malware campaign from february to june/july 2012
- The server with IP address 91.233.244.102 is obviously only used for spreading malware
- There is other malware on this server beside the one I analyzed (see "put" subdirectory)
- There is the option that the server owner just rented his webspace to the bad guys (see IP address 91.233.244.102 at http://secniche.blogspot.com/2012/04/flashback-malware-has-been-used.html)

Note:
After completion of my analysis I found the following statement from Boris Sharov, CEO at Doctor Web (https://twitter.com/b_sharov):
"The address you mentioned - 91.233.244.102 is ours. Disregard the previous, please”
Maybe this is an explanation why all operations on the server ended on June/July 2012 (see "Last modified" field of files on server). Anyway the domain names I listed above are all publicly accessible, with all the sensitive information from the malware victims, so I doubt 91.233.244.102 is Dr.Web's. ;-)

Update (15 September 2012):

In the meantime Dr.Web sinkholed the domains I posted above. Thanks for not informing me at least!

Update 2 (22 September 2012):
Now the domains I posted above respond with HTTP status code "404 Not Found". Also the two "ZEUS SINKHOLE" domains show a blank page. It seems Dr.Web cleaned up their operations on this server. Thanks to Jack Simin for pointing that out!

Share: